
Configuring policy-based IPsec on the NSX Edge Services Gateway

IKEv1 configuration


Enable perfect forward secrecy: On

Authentication: PSK 

IKE Option : IKEv1

IKEv2 configuration


Enable perfect forward secrecy: On

Authentication: PSK 

IKE Option : IKEv2

Configuring policy-based IPsec on the Cisco CSR1000v

IKEv1 configuration

  1. Configure the IKE policy:

    crypto isakmp policy 10
     encryption aes
     group 5
     hash sha
     lifetime 28800
     authentication pre-share
  2. Bind the PSK to the peer address:

    crypto isakmp key Changeme123 address 213.108.129.202
  3. Configure the IPsec transform set:

    crypto ipsec transform-set TS-EDGE-ESP-AES-SHA esp-aes esp-sha-hmac
  4. Create the IPsec access list:

    access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255
  5. Create the crypto map and bind it to the policy:

    crypto map VTI-EDGE-CMAP 1 ipsec-isakmp
     set transform-set TS-EDGE-ESP-AES-SHA
     set pfs group5
     set peer 213.108.129.202
     match address 101
  6. Apply the crypto map to the external interface:

    interface GigabitEthernet1
     crypto map VTI-EDGE-CMAP
  7. Ping the remote network, sourcing the packets from the local network declared in the tunnel settings:

    Router# ping 192.168.101.1 source gigabitEthernet 2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.200.1
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 12/12/13 ms

Altogether, the configuration for policy-based IPsec on the Cisco CSR1000v with IKEv1 looks as follows:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key Changeme123 address 213.108.129.202

crypto ipsec transform-set TS-EDGE-ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel

crypto map VTI-EDGE-CMAP 1 ipsec-isakmp
 set peer 213.108.129.202
 set transform-set TS-EDGE-ESP-AES-SHA
 set pfs group5
 match address 101

interface GigabitEthernet1
 crypto map VTI-EDGE-CMAP

access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255

IKEv2 configuration

  1. Create the IKEv2 proposal:

    crypto ikev2 proposal VTI-EDGE-PROPOSAL
     encryption aes-cbc-128
     integrity sha1
     group 5
  2. Create the IKEv2 policy:

    crypto ikev2 policy VTI-EDGE-POLICY
     proposal VTI-EDGE-PROPOSAL
  3. Configure the IKEv2 keyring:

    crypto ikev2 keyring VTI-EDGE-KEYRING
     peer EDGE
      address 213.108.129.202
      pre-shared-key local Changeme123
      pre-shared-key remote Changeme123
  4. Configure the IKEv2 profile:

    crypto ikev2 profile VTI-EDGE-PROFILE
     match identity remote address 213.108.129.202 255.255.255.0
     identity local address 176.118.31.163
     authentication remote pre-share
     authentication local pre-share
     keyring local VTI-EDGE-KEYRING
  5. Configure the IPsec transform set:

    crypto ipsec transform-set TS-EDGE-ESP-AES-SHA esp-aes esp-sha-hmac
     mode tunnel
  6. Create the IPsec access list:

    access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255
  7. Create the crypto map and bind it to the policy:

    crypto map VTI-EDGE-CMAP 1 ipsec-isakmp
     set transform-set TS-EDGE-ESP-AES-SHA
     set ikev2-profile VTI-EDGE-PROFILE
     set peer 213.108.129.202
     match address 101
  8. Apply the crypto map to the external interface:

    interface GigabitEthernet1
     crypto map VTI-EDGE-CMAP
  9. Ping the remote network, sourcing the packets from the local network declared in the tunnel settings:

    Router# ping 192.168.101.1 source gigabitEthernet 2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.200.1
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 12/12/13 ms

Altogether, the configuration for policy-based IPsec on the Cisco CSR1000v with IKEv2 looks as follows:

crypto ikev2 proposal VTI-EDGE-PROPOSAL
 encryption aes-cbc-128
 integrity sha1
 group 5

crypto ikev2 policy VTI-EDGE-POLICY
 proposal VTI-EDGE-PROPOSAL

crypto ikev2 keyring VTI-EDGE-KEYRING
 peer EDGE
  address 213.108.129.202
  pre-shared-key local Changeme123
  pre-shared-key remote Changeme123

crypto ikev2 profile VTI-EDGE-PROFILE
 match identity remote address 213.108.129.202 255.255.255.0
 identity local address 176.118.31.163
 authentication remote pre-share
 authentication local pre-share
 keyring local VTI-EDGE-KEYRING

crypto ipsec transform-set TS-EDGE-ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel

crypto map VTI-EDGE-CMAP 1 ipsec-isakmp
 set peer 213.108.129.202
 set transform-set TS-EDGE-ESP-AES-SHA
 set ikev2-profile VTI-EDGE-PROFILE
 match address 101

interface GigabitEthernet1
 crypto map VTI-EDGE-CMAP

access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255
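The following script is an added example (not part of this page and not a Cisco or VMware tool) that checks both the IKEv1 and the IKEv2 configurations above before they are pushed to the router. It parses the running-config text by indentation, then verifies that the crypto map points at a transform set and access list that exist, that the pre-shared key (ISAKMP key or IKEv2 keyring) is bound to the same peer address as the crypto map, that `set pfs` is present, and that the negotiated DH group and integrity algorithm are not below current guidance (group 14 / SHA-256 or stronger). Run on the page's own configs it reports that DH group 5 and SHA-1 are weak, that the IKEv2 crypto map has no `set pfs` line even though the NSX Edge side has PFS set to On, and that `match identity remote address 213.108.129.202 255.255.255.0` accepts any peer in that /24 rather than only the single Edge address (a host mask would be 255.255.255.255). The sample input is the page's running config with the interface stanza, the default `mode tunnel` line and the IKEv2 policy stanza omitted; the finding messages and helper names are this example's own.

```python
# Added example (not from the page): sanity-check the CSR1000v fragments above.
# Constructed input: the page's running configs, interface/'mode tunnel'/ikev2 policy omitted.
IKEV1_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key Changeme123 address 213.108.129.202
crypto ipsec transform-set TS-EDGE-ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VTI-EDGE-CMAP 1 ipsec-isakmp
 set peer 213.108.129.202
 set transform-set TS-EDGE-ESP-AES-SHA
 set pfs group5
 match address 101
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255
"""
IKEV2_CONFIG = """\
crypto ikev2 proposal VTI-EDGE-PROPOSAL
 encryption aes-cbc-128
 integrity sha1
 group 5
crypto ikev2 keyring VTI-EDGE-KEYRING
 peer EDGE
  address 213.108.129.202
  pre-shared-key local Changeme123
  pre-shared-key remote Changeme123
crypto ikev2 profile VTI-EDGE-PROFILE
 match identity remote address 213.108.129.202 255.255.255.0
 identity local address 176.118.31.163
 authentication remote pre-share
 authentication local pre-share
 keyring local VTI-EDGE-KEYRING
crypto ipsec transform-set TS-EDGE-ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VTI-EDGE-CMAP 1 ipsec-isakmp
 set peer 213.108.129.202
 set transform-set TS-EDGE-ESP-AES-SHA
 set ikev2-profile VTI-EDGE-PROFILE
 match address 101
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255
"""


def parse_blocks(config):
    """Split an IOS config into {top-level command: [stripped child lines]} by indentation."""
    blocks, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if raw[0] not in " \t":
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def block(blocks, prefix):
    """(header, children) of the first block whose header starts with prefix; (None, []) if none."""
    return next(((h, c) for h, c in blocks.items() if h.startswith(prefix)), (None, []))


def value(children, prefix):
    """Text after prefix on the first child line that starts with it, or None."""
    return next((ln[len(prefix):].strip() for ln in children if ln.startswith(prefix)), None)


def audit(config):
    """Cross-check object references, PFS and algorithm strength; return a list of findings."""
    blocks, findings = parse_blocks(config), []
    cmap = block(blocks, "crypto map ")[1]
    peer = value(cmap, "set peer ")
    for ref, obj in (("set transform-set ", "crypto ipsec transform-set "), ("match address ", "access-list ")):
        if block(blocks, f"{obj}{value(cmap, ref)} ")[0] is None:
            findings.append(f"crypto map references an undefined object: {value(cmap, ref)}")
    if value(cmap, "set pfs") is None:
        findings.append("no PFS: crypto map has no 'set pfs' line")
    v1_hdr, policy = block(blocks, "crypto isakmp policy ")
    if v1_hdr:  # IKEv1 variant
        group = value(policy, "group ")
        integrity = value(policy, "hash ") or "sha"  # IOS hides the SHA-1 default in show run
        if not (block(blocks, "crypto isakmp key ")[0] or "").endswith(f" address {peer}"):
            findings.append("no ISAKMP pre-shared key bound to the crypto map peer")
    else:  # IKEv2 variant
        proposal = block(blocks, "crypto ikev2 proposal ")[1]
        kr_hdr, keyring = block(blocks, "crypto ikev2 keyring ")
        profile = block(blocks, "crypto ikev2 profile ")[1]
        group, integrity = value(proposal, "group "), value(proposal, "integrity ")
        if value(keyring, "address ") != peer:
            findings.append("keyring peer address does not match the crypto map peer")
        if not (kr_hdr or "").endswith(f" {value(profile, 'keyring local ')}"):
            findings.append("IKEv2 profile references an undefined keyring")
        ident = (value(profile, "match identity remote address ") or "").split()
        if len(ident) == 2 and ident[1] != "255.255.255.255":
            findings.append(f"identity mask {ident[1]} accepts any peer in that range, not only {ident[0]}")
    if group in {"1", "2", "5"}:  # below 2048-bit MODP (group 14)
        findings.append(f"weak DH group {group}: use group 14 or stronger")
    if integrity in {"md5", "sha", "sha1"}:
        findings.append(f"weak integrity {integrity}: use sha256 or stronger")
    return findings
```

Call `audit(IKEV1_CONFIG)` or `audit(IKEV2_CONFIG)` (or paste your own `show running-config` output in place of the sample) and act on each returned string; an empty list means the references are consistent, PFS is set and the algorithms meet the threshold encoded here. The IKEv1 branch treats a missing `hash` line as SHA-1 because IOS does not display that default, which is why the final IKEv1 config on this page shows no `hash sha` line although step 1 set it.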