База знаний #CloudMTS
Page tree
Skip to end of metadata
Go to start of metadata

Настройка Policy-based IPsec на NSX Edge Services Gateway

Настройка в рамках IKEv1

Enable perfect forward secrecy: On

Authentication: PSK 

IKE Option : IKEv1

Настройка в рамках IKEv2

Enable perfect forward secrecy: On

Authentication: PSK 

IKE Option : IKEv2

Конфигурация Policy-based IPsec на Cisco CSR1000v

Настройка в рамках IKEv1

  1. Настроим IKE политику:

    crypto isakmp policy 10
	encryption aes
	group 5
	hash sha
	lifetime 28800
	authentication pre-share

  2. Настроим связку PSK ключа с Peer адресом:

    crypto isakmp key Changeme123 address 213.108.129.202

  3. Настроим IPsec transform-set:

    crypto ipsec transform-set TS-EDGE-ESP-AES-SHA esp-aes esp-sha-hmac

  4. Создадим IPsec access list:

    access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255

  5. Создадим Crypto Map и свяжем ее с политикой:

    crypto map VTI-EDGE-CMAP 1 ipsec-isakmp
	set transform-set TS-EDGE-ESP-AES-SHA
	set pfs group5
	set peer 213.108.129.202
	match address 101

  6. Настроим внешний интерфейс на работу с созданной Crypto Map:

    interface GigabitEthernet1
	crypto map VTI-EDGE-CMAP

  7. Запустим ping до удаленной сети с использованием локальных сетей, объявленных в настройках туннеля:

    Router# ping 192.168.101.1 source gigabitEthernet 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.200.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/12/13 ms

Итого вся конфигурация , относящаяся к настройке Policy-based IPsec на Cisco CSR1000v с использованием IKEv1 выглядит следующим образом:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key Changeme123 address 213.108.129.202

crypto ipsec transform-set TS-EDGE-ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel

crypto map VTI-EDGE-CMAP 1 ipsec-isakmp
 set peer 213.108.129.202
 set transform-set TS-EDGE-ESP-AES-SHA
 set pfs group5
 match address 101

interface GigabitEthernet1
 crypto map VTI-EDGE-CMAP

access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255

Настройка в рамках IKEv2

  1. Создаем ISAKMP proposal:

    crypto ikev2 proposal VTI-EDGE-PROPOSAL
	encryption aes-cbc-128
	integrity sha1
	group 5

  2. Создаем ISAKMP политику:

    crypto ikev2 policy VTI-EDGE-POLICY
	proposal VTI-EDGE-PROPOSAL

  3. Настроим связку ключей IKEv2:

    crypto ikev2 keyring VTI-EDGE-KEYRING
peer EDGE
	address 213.108.129.202
	pre-shared-key local Changeme123
	pre-shared-key remote Changeme123

  4. Настраиваем IKEv2 профиль:

    crypto ikev2 profile VTI-EDGE-PROFILE
	match identity remote address 213.108.129.202 255.255.255.0
	identity local address 176.118.31.163
	authentication remote pre-share
	authentication local pre-share
	keyring local VTI-EDGE-KEYRING

  5. Настраиваем IPsec Transform Set:

    crypto ipsec transform-set TS-EDGE-ESP-AES-SHA esp-aes esp-sha-hmac
  mode tunnel

  6. Создадим IPsec access list:

    access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255

  7. Создадим Crypto Map и свяжем ее с политикой:

    crypto map VTI-EDGE-CMAP 1 ipsec-isakmp
	set transform-set TS-EDGE-ESP-AES-SHA
	set ikev2-profile VTI-EDGE-PROFILE
	set peer 213.108.129.202
	match address 101

  8. Настроим внешний интерфейс на работу с созданной Crypto Map:

    interface GigabitEthernet1
	crypto map VTI-EDGE-CMAP

  9. Запустим ping до удаленной сети с использованием локальных сетей, объявленных в настройках туннеля:

    Router# ping 192.168.101.1 source gigabitEthernet 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.200.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/12/13 ms

Итого вся конфигурация , относящаяся к настройке Policy-based IPsec на Cisco CSR1000v с использованием IKEv2 выглядит следующим образом:

crypto ikev2 proposal VTI-EDGE-PROPOSAL
 encryption aes-cbc-128
 integrity sha1
 group 5

crypto ikev2 policy VTI-EDGE-POLICY
 proposal VTI-EDGE-PROPOSAL

crypto ikev2 keyring VTI-EDGE-KEYRING
 peer EDGE
  address 213.108.129.202
  pre-shared-key local Changeme123
  pre-shared-key remote Changeme123

crypto ikev2 profile VTI-EDGE-PROFILE
 match identity remote address 213.108.129.202 255.255.255.0
 identity local address 176.118.31.163
 authentication remote pre-share
 authentication local pre-share
 keyring local VTI-EDGE-KEYRING

crypto ipsec transform-set TS-EDGE-ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel

crypto map VTI-EDGE-CMAP 1 ipsec-isakmp
 set peer 213.108.129.202
 set transform-set TS-EDGE-ESP-AES-SHA
 set ikev2-profile VTI-EDGE-PROFILE
 match address 101

interface GigabitEthernet1
 crypto map VTI-EDGE-CMAP

access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.101.0 0.0.0.255
  • No labels