ASA 与路由器在NAT-T环境下建立ipsec -v-p-n ( ikev2 )配置及排错过程


实验目的:为了验证防火墙在NAT-T的环境能和对方出口路由器成功建立IPSec -v-p-n并实现公司两地内网通信实验环境介绍:ASA在内网; R1,R2为出口、做NAT并指默认路由到Internetipsec 版本:ikev2报错:虽然照着网上找的一个ikev2的路由器对路由器非NAT-T版本配的,但是问题也出现不少——cisco ikev2 profile not found——Exchange type: Informational (5)——Exchange type: NO PAYLOAD——specify IKE identity to use——rec’d IPSEC packet ha——IKEv2-PROTO-1: (167): The peer’s KE payload contained the wrong DH group//如果一边启用pfs完美向前保密(ipse免费云主机域名c sa阶段的时候再次协商密钥),一边未启用pfs,就会报这个错,但不影响加密通信先贴出正确的关键配置
ASA:route outside 0.0.0.0 0.0.0.0 10.249.188.254//定义感兴趣流access-list l2lacl extended permit ip 10.249.190.0 255.255.255.0 192.168.1.0 255.255.255.0ipsec部分://定义ipsec第一阶段 ikev2协商策略,主要是为了安全的交换密钥crypto ikev2 policy 10 encryption 3des integrity sha512 group 2 prf sha512 lifetime seconds 86400//定义ipsec第二阶段转换集加密策略
crypto ipsec ikev2 ipsec-proposal l2ltrans protocol esp encryption 3des protocol esp integrity sha-1//匹配到感兴趣流时,调用加密图l2lmapcrypto map l2lmap 1 match address l2laclcrypto map l2lmap 1 set pfscrypto map l2lmap 1 set peer 202.134.122.2crypto map l2lmap 1 set ikev2 ipsec-proposal l2ltrans //ipsec类型为点到点L2L, ipsec的双方认证密钥(人为干预的) tunnel-group 202.134.122.2 type ipsec-l2l tunnel-group 202.134.122.2 ipsec-attributes ikev2 remote-authentication pre-shared-key cisco ikev2 local-authentication pre-shared-key cisco //在接口下调用 crypto ikev2 enable outside crypto map l2lmap interface outside
R1ip route 0.0.0.0 0.0.0.0 202.134.121.2ip nat inside source list natacl interface Ethernet0/1 overload//若不写以下端口映射,在内网 NAT-T环境下是可以主动与对方出口路由器建立ipsec ***的,反之不行ip nat inside source static udp 10.249.190.253 500 202.134.121.1 500 extendableip nat inside source static udp 10.249.190.253 4500 202.134.121.1 4500 extendableip nat outside source static udp 202.134.122.2 500 202.134.122.2 500 extendableip nat outside source static udp 202.134.122.2 4500 202.134.122.2 4500 extendable//从此路由出口的流量全部为访问异地内网所需,所以所有流量都加密ip access-list extended nataclpermit ip any any
R2//定义ipsec第一阶段 ikev2协商策略crypto ikev2 proposal ikev2-proposalencryption 3desintegrity sha512group 2//定义ikev2的策略crypto ikev2 policy ikev2-policyproposal ikev2-proposal//定义加密认证参数(对方名、对方公网地址、预共享密钥)crypto ikev2 keyring ikev2-keyringpeer ASA2 address 202.134.121.1 pre-shared-key cisco//定义ikev2的认证框架(远端设备的真实内网地址,本地公网地址,预共享认证方式,认证参数)这个内网地址不正确,就会停留在ikev2协商的第一阶段SA-INIT,然后IKE-AUTH阶段就一直报错,crypto ikev2 profile IKEV2-profilematch identity remote address 10.249.190.253 255.255.255.0identity local address 202.134.122.2authentication remote pre-shareauthentication local pre-sharekeyring local ikev2-keyring//定义第二阶段转换集参数crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac mode tunnel//定义加密图crypto map l2lmap 10 ipsec-isakmpset peer 202.134.121.1set transform-set l2ltransset ikev2-profile IKEV2-profileset pfsmatch address l2lacl//分离出要加密的流量ip access-list extended l2laclpermit ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255permit ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255permit ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255permit ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255ip access-list extended natacldeny ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255deny ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255deny ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255deny ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255permit ip any any//接口调用ip nat inside source list natacl interface Ethernet0/0 overloadip route 0.0.0.0 0.0.0.0 202.134.122.1interface Ethernet0/0ip address 202.134.122.2 255.255.255.0ip nat outsideip virtual-reassembly incrypto map l2lmap

报错内容图片及描述,有空再码,未完待续。。。。

相关推荐: linux如何查看文件包含内容

本文小编为大家详细介绍“linux如何查看文件包含内容”,内容详细,步骤清晰,细节处理妥当,希望这篇“linux如何查看文件包含内容”文章能帮助大家解决疑惑,下面跟着小编的思路慢慢深入,一起来学习新知识吧。 在linux中,可以利用grep命令查看文件包含内容…

免责声明:本站发布的图片视频文字,以转载和分享为主,文章观点不代表本站立场,本站不承担相关法律责任;如果涉及侵权请联系邮箱:360163164@qq.com举报,并提供相关证据,经查实将立刻删除涉嫌侵权内容。

(0)
打赏 微信扫一扫 微信扫一扫
上一篇 01/25 11:50
下一篇 01/25 11:50