![wKiom1jJ74iDuYgbAACC-1xcTP4047.png-wh_50]( "9OHXAGP1`AMO_HD@LP2PI6U.png")
實驗目的:爲了驗證防火牆在NAT-T的環境能和對方出口路由器成功建立IPSec ***
並實現公司兩地內網通信
實驗環境介紹:ASA在內網; R1,R2爲出口、做NAT並指默認路由到Internet
ipsec ***版本:ikev2
報錯:
雖然照着網上找的一個ikev2的路由器對路由器非NAT-T版本配的,但是問題也出現不少
.cisco ikev2 profile not found
.Exchange type: Informational (5)
.Exchange type: NO PAYLOAD
.specify IKE identity to use
.rec'd IPSEC packet ha
.IKEv2-PROTO-1: (167): The peer's KE payload contained the wrong DH group
//如果一邊啓用pfs完美向前保密(ipsec sa階段的時候再次協商密鑰),一邊未啓用pfs,就會報這個錯,但不影響加密通信
先貼出正確的關鍵配置
ASA:
route outside 0.0.0.0 0.0.0.0 10.249.188.254
//定義感興趣流
access-list l2lacl extended permit ip 10.249.190.0 255.255.255.0 192.168.1.0 255.255.255.0
ipsec部分:
//定義ipsec第一階段 ikev2協商策略,主要是爲了安全的交換密鑰
crypto ikev2 policy 10
encryption 3des
integrity sha512
group 2
prf sha512
lifetime seconds 86400
//定義ipsec第二階段轉換集加密策略crypto ipsec ikev2 ipsec-proposal l2ltrans
protocol esp encryption 3des
protocol esp integrity sha-1
//匹配到感興趣流時,調用加密圖l2lmap
crypto map l2lmap 1 match address l2lacl
crypto map l2lmap 1 set pfs
crypto map l2lmap 1 set peer 202.134.122.2
crypto map l2lmap 1 set ikev2 ipsec-proposal l2ltrans
//ipsec類型爲點到點L2L, ipsec的雙方認證密鑰(人爲干預的)
tunnel-group 202.134.122.2 type ipsec-l2l
tunnel-group 202.134.122.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco
ikev2 local-authentication pre-shared-key cisco
//在接口下調用
crypto ikev2 enable outside
crypto map l2lmap interface outside
R1
ip route 0.0.0.0 0.0.0.0 202.134.121.2
ip nat inside source list natacl interface Ethernet0/1 overload
//若不寫以下端口映射,在內網 NAT-T環境下是可以主動與對方出口路由器建立ipsec ***的,反之不行
ip nat inside source static udp 10.249.190.253 500 202.134.121.1 500 extendable
ip nat inside source static udp 10.249.190.253 4500 202.134.121.1 4500 extendable
ip nat outside source static udp 202.134.122.2 500 202.134.122.2 500 extendable
ip nat outside source static udp 202.134.122.2 4500 202.134.122.2 4500 extendable
//從此路由出口的流量全部爲訪問異地內網所需,所以所有流量都加密
ip access-list extended natacl
permit ip any any
R2
//定義ipsec第一階段 ikev2協商策略
crypto ikev2 proposal ikev2-proposal
encryption 3des
integrity sha512
group 2
//定義ikev2的策略
crypto ikev2 policy ikev2-policy
proposal ikev2-proposal
//定義加密認證參數(對方名、對方公網地址、預共享密鑰)
crypto ikev2 keyring ikev2-keyring
peer ASA2
address 202.134.121.1
pre-shared-key cisco
//定義ikev2的認證框架(遠端設備的真實內網地址,本地公網地址,預共享認證方式,認證參數)
這個內網地址不正確,就會停留在ikev2協商的第一階段SA-INIT,然後IKE-AUTH階段就一直報錯,
crypto ikev2 profile IKEV2-profile
match identity remote address 10.249.190.253 255.255.255.0
identity local address 202.134.122.2
authentication remote pre-share
authentication local pre-share
keyring local ikev2-keyring
//定義第二階段轉換集參數
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
mode tunnel
//定義加密圖
crypto map l2lmap 10 ipsec-isakmp
set peer 202.134.121.1
set transform-set l2ltrans
set ikev2-profile IKEV2-profile
set pfs
match address l2lacl
//分離出要加密的流量
ip access-list extended l2lacl
permit ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
ip access-list extended natacl
deny ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
permit ip any any
//接口調用
ip nat inside source list natacl interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.134.122.1
interface Ethernet0/0
ip address 202.134.122.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
crypto map l2lmap
報錯內容圖片及描述,有空再碼,未完待續。。。。