
Must-read series: connecting Alibaba Cloud VPN to strongSwan site-to-site

Verified working.

Alibaba Cloud VPN Gateway and strongSwan site-to-site (s2s) configuration

 

Tunnel parameters for the connection, written from the strongSwan (on-premises) side's point of view; placeholders in angle brackets stand for the values redacted in the post:

{
  "LocalSubnet": "<on-prem private subnet>/24",
  "RemoteSubnet": "<Alibaba VPC subnet>/24",
  "IpsecConfig": {
    "IpsecPfs": "group2",
    "IpsecEncAlg": "aes",
    "IpsecAuthAlg": "sha1",
    "IpsecLifetime": 86400
  },
  "Local": "<on-prem public IP>",
  "Remote": "<Alibaba VPN gateway public IP>",
  "IkeConfig": {
    "IkeAuthAlg": "sha1",
    "LocalId": "<on-prem VM private IP>",
    "IkeEncAlg": "aes256",
    "IkeVersion": "ikev1",
    "IkeMode": "aggressive",
    "IkeLifetime": 86400,
    "RemoteId": "<Alibaba VPN gateway public IP>",
    "Psk": "g24J$%#$",
    "IkePfs": "group2"
  }
}

Two details matter here. "IpsecEncAlg": "aes" means AES-128 (the established-tunnel output further down shows AES_CBC_128 for the child SA, AES_CBC_256 for IKE). And LocalId is the VM's private address rather than its public IP: the on-premises gateway is a VM whose public IP is mapped by NAT and is not configured on any local interface, so the private address is the only one strongSwan can bind to and send as its identity (see the fault at the end of this post). IKEv1 aggressive mode with a PSK, SHA-1 and DH group 2 (1024-bit MODP) is what this gateway was set up with; aggressive mode sends the PSK-derived hash in the clear, which allows an offline attack on the PSK, and 1024-bit MODP is considered weak, so prefer IKEv2 with group 14 or larger and SHA-256 wherever the Alibaba side allows it.

 


The matching strongSwan configuration, /etc/ipsec.conf (the PSK goes into /etc/ipsec.secrets as `<on-prem VM private IP> <Alibaba VPN gateway public IP> : PSK "..."`):

config setup
     uniqueids=no
conn %default
     authby=psk
     type=tunnel
conn tomyidc
     keyexchange=ikev1
     left=<on-prem VM private IP>          # the address on the VM's interface, never the NATed public IP
     leftsubnet=<on-prem private subnet>/24
     leftid=<on-prem VM private IP>        # must equal the LocalId value in the JSON above
     right=<Alibaba VPN gateway public IP>
     rightsubnet=<Alibaba VPC subnet>/24
     rightid=<Alibaba VPN gateway public IP>
     auto=route                            # install a trap policy; the tunnel comes up on the first matching packet
     ike=aes256-sha1-modp1024              # IkeEncAlg / IkeAuthAlg / IkePfs from the JSON
     ikelifetime=86400s
     esp=aes-sha1-modp1024                 # "aes" is AES-128, matching IpsecEncAlg=aes
     lifetime=86400s
     aggressive=yes

 

`ipsec statusall` once the tunnel is up (SPIs and counters are from the post's run):

Listening IP addresses:
  <on-prem VM private IP>
Connections:
     tomyidc:  <on-prem VM private IP>...<Alibaba VPN gateway public IP>  IKEv1 Aggressive
     tomyidc:   local:  [<on-prem VM private IP>] uses pre-shared key authentication
     tomyidc:   remote: [<Alibaba VPN gateway public IP>] uses pre-shared key authentication
     tomyidc:   child:  <on-prem private subnet>/24 === <Alibaba VPC subnet>/24 TUNNEL
Routed Connections:
     tomyidc{1}:  ROUTED, TUNNEL, reqid 1
     tomyidc{1}:   <on-prem private subnet>/24 === <Alibaba VPC subnet>/24
Security Associations (1 up, 0 connecting):
     tomyidc[1]: ESTABLISHED 4 minutes ago, <on-prem VM private IP>[<on-prem VM private IP>]...<Alibaba VPN gateway public IP>[<Alibaba VPN gateway public IP>]
     tomyidc[1]: IKEv1 SPIs: 13f2e09ad624bad8_i* af1d8f540aef12d3_r, pre-shared key reauthentication in 23 hours
     tomyidc[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     tomyidc{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce59cad4_i c0ed3fcf_o
     tomyidc{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 4272 bytes_o (60 pkts, 200s ago), rekeying in 23 hours
     tomyidc{2}:   <on-prem private subnet>/24 === <Alibaba VPC subnet>/24
[root@hk-cdn-server-ipsecvpn-001 strongswan]#

Two things in this output are worth checking against your own run. "ESP in UDP" confirms that NAT traversal kicked in, which is expected because the VM's public IP is NATed. "0 bytes_i" next to 4272 bytes_o means nothing had come back from the Alibaba side at that moment; if bytes_i stays at zero while you ping across, the return path is the problem (VPC route table entries for the on-prem subnet, and the security groups on the instances you are pinging).

https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/moon.statusall

 

Fault encountered along the way

strongSwan refused to bring the connection up with:

"Error writing to socket: Invalid argument"

Cause: `left` (and `leftid`) must be the VM's own interface address, not the public IP. strongSwan binds its IKE socket to the `left` address; on a cloud VM the public IP is mapped by the provider's NAT and is not configured on any local interface, so the bind fails with EINVAL and the error above is what you see. Put the private address in `left`, keep the public address in the Alibaba console as the customer gateway address, and make sure the Alibaba side expects the private address as the peer's IKE identity (the LocalId value in the JSON above), because that is what `leftid` now sends.
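The JSON export and the ipsec.conf block above are the same information in two notations, and the three mistakes that cost time here (wrong `left`, a proposal string that does not match the export, and the weak settings nobody questioned) can all be caught mechanically. The following is an added example, not part of the post or of Alibaba/strongSwan tooling: it maps the export's fields to a strongSwan conn block and ipsec.secrets line, takes the VM's interface address as a separate parameter so the NATed public IP never ends up in `left`, and lists the crypto choices a reviewer would flag. The field names are those of the export above; the sample export is constructed with documentation addresses.

```python
"""Map an Alibaba Cloud VPN connection export to a strongSwan conn block and an
ipsec.secrets line, and flag parameter choices a reviewer would question.
Added example; not part of the original post, of strongSwan, or of Alibaba Cloud.
The JSON keys are the ones in the export above; the cipher and DH-group tables
use standard strongSwan keywords."""
import json

# Alibaba "groupN" -> strongSwan MODP keyword
DH_GROUPS = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}
# Alibaba cipher name -> strongSwan keyword ("aes" in the export means AES-128)
ENC_ALGS = {"aes": "aes128", "aes192": "aes192", "aes256": "aes256", "3des": "3des", "des": "des"}
AUTH_ALGS = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}


def proposal(enc, auth, pfs):
    """strongSwan ike=/esp= proposal string for one (cipher, integrity, DH group) triple."""
    return "%s-%s-%s" % (ENC_ALGS[enc], AUTH_ALGS[auth], DH_GROUPS[pfs])


def to_strongswan(export, conn_name, vm_ip):
    """Return (ipsec.conf conn text, ipsec.secrets line).

    vm_ip is the address actually configured on the VM's interface: strongSwan
    binds a socket to `left`, so the NATed public IP from the export cannot go there.
    """
    ike, ipsec = export["IkeConfig"], export["IpsecConfig"]
    lines = [
        "conn %s" % conn_name,
        "     keyexchange=%s" % ike["IkeVersion"],
        "     left=%s" % vm_ip,
        "     leftid=%s" % ike["LocalId"],
        "     leftsubnet=%s" % export["LocalSubnet"],
        "     right=%s" % export["Remote"],
        "     rightid=%s" % ike["RemoteId"],
        "     rightsubnet=%s" % export["RemoteSubnet"],
        "     authby=psk",
        "     type=tunnel",
        "     auto=route",
        "     ike=%s" % proposal(ike["IkeEncAlg"], ike["IkeAuthAlg"], ike["IkePfs"]),
        "     ikelifetime=%ds" % ike["IkeLifetime"],
        "     esp=%s" % proposal(ipsec["IpsecEncAlg"], ipsec["IpsecAuthAlg"], ipsec["IpsecPfs"]),
        "     lifetime=%ds" % ipsec["IpsecLifetime"],
    ]
    if ike["IkeVersion"] == "ikev1" and ike["IkeMode"] == "aggressive":
        lines.append("     aggressive=yes")
    # ipsec.secrets selects the PSK by the two IKE identities
    secrets = '%s %s : PSK "%s"' % (ike["LocalId"], ike["RemoteId"], ike["Psk"])
    return "\n".join(lines) + "\n", secrets


def audit(export):
    """Warnings about the export's crypto choices; an empty list means nothing was flagged."""
    ike, ipsec = export["IkeConfig"], export["IpsecConfig"]
    warnings = []
    if ike["IkeVersion"] == "ikev1" and ike["IkeMode"] == "aggressive":
        warnings.append("IKEv1 aggressive mode with PSK: the PSK-derived hash travels unencrypted, "
                        "so the PSK can be attacked offline")
    for label, grp in (("IkePfs", ike["IkePfs"]), ("IpsecPfs", ipsec["IpsecPfs"])):
        if grp in ("group1", "group2", "group5"):
            warnings.append("%s=%s: DH group below 2048 bits; prefer group14 or stronger" % (label, grp))
    for label, alg in (("IkeAuthAlg", ike["IkeAuthAlg"]), ("IpsecAuthAlg", ipsec["IpsecAuthAlg"])):
        if alg in ("md5", "sha1"):
            warnings.append("%s=%s: prefer sha256 or stronger" % (label, alg))
    if len(ike["Psk"]) < 20:
        warnings.append("Psk is shorter than 20 characters; use a long random PSK")
    return warnings


# Constructed sample export with RFC 5737 documentation addresses in place of the redacted ones
SAMPLE = json.loads("""{
  "LocalSubnet": "10.0.1.0/24",
  "RemoteSubnet": "172.16.0.0/24",
  "IpsecConfig": {"IpsecPfs": "group2", "IpsecEncAlg": "aes", "IpsecAuthAlg": "sha1", "IpsecLifetime": 86400},
  "Local": "203.0.113.10",
  "Remote": "198.51.100.20",
  "IkeConfig": {"IkeAuthAlg": "sha1", "LocalId": "10.0.1.5", "IkeEncAlg": "aes256", "IkeVersion": "ikev1",
                "IkeMode": "aggressive", "IkeLifetime": 86400, "RemoteId": "198.51.100.20",
                "Psk": "g24J$%#$", "IkePfs": "group2"}
}""")

if __name__ == "__main__":
    conf, secrets = to_strongswan(SAMPLE, "tomyidc", "10.0.1.5")  # 10.0.1.5 is the VM's interface address
    print(conf)
    print("# /etc/ipsec.secrets:", secrets)
    for w in audit(SAMPLE):
        print("WARNING:", w)
```

Run against the sample, the generated conn block reproduces the one in the post (ike=aes256-sha1-modp1024, esp=aes128-sha1-modp1024, aggressive=yes) and the audit prints six warnings, one per weak choice plus the short PSK.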

FortiClient VPN problem roundup

 

Linux SSL VPN client: authentication succeeds, but no tunnel comes up

The client log stops right after the split-tunnel XML is parsed; no ppp interface ever appears:

02/21/2019 11:29:00 [2328] dns suffix:
02/21/2019 11:29:00 [2328] xml parsing split tunnel info
02/21/2019 11:29:00 [2328] xml parse split tunnel info success. Buffer length: 899 bytes

 

 

Client downloads: http://support.fortinet.com.cn/index.php?m=content&c=index&a=show&catid=65&id=454

Linux SSL VPN Client:
  build 2336, trunk, released with FortiOS 6.0.0
    forticlientsslvpn_linux_4.4.2336.tar.gz
    https://fortinet.egnyte.com/dl/ZGUGMw1Xxh/forticlientsslvpn_linux_4.4.2336.tar.gz_
  build 2335, trunk, released with FortiOS 5.4.7
    forticlientsslvpn_linux_4.4.2335.tar.gz
    https://fortinet.egnyte.com/dl/6lfEOyq3FE/forticlientsslvpn_linux_4.4.2335.tar.gz_
  build 2333, trunk, released with FortiOS 5.2.11, 5.4.5 and 5.4.6
    forticlientsslvpn_linux_4.4.2333.tar.gz
    https://fortinet.egnyte.com/dl/pu4V7P2bp8/forticlientsslvpn_linux_4.4.2333.tar.gz_

 

 

Fix

The client builds the tunnel interface through pppd, and pppd was not installed on this host. Install the ppp package and re-run the helper setup:

cat forticlientsslvpn.install.log
yum install -y epel-release
yum install -y ppp
cd /usr/local/src/forticlientsslvpn/64bit/helper   # helper directory of the unpacked client
./setup
touch pppd.log
./waitppp.sh

 

Result

02/21/2019 11:42:08 [2761] dns suffix:
02/21/2019 11:42:08 [2761] xml parsing split tunnel info
02/21/2019 11:42:08 [2761] xml parse split tunnel info success. Buffer length: 899 bytes
02/21/2019 11:42:09 [2761] Got local address from ppp, interface will be  up
02/21/2019 11:42:12 [2761] ppp interface is up
02/21/2019 11:42:12 [2761] run_scutil 0 0...
02/21/2019 11:42:12 [2761] write argument OK.
Generating pppd.resolv.conf...Done
02/21/2019 11:42:13 [2794] begin sysconfig linux
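The two log excerpts differ only in how far the client gets, so the diagnosis can be automated: find the furthest stage the log reached and, if it stalled before ppp, check the prerequisites pppd needs. The following is an added example, not part of the post or of FortiClient. The stage phrases are the ones quoted in the logs above; the prerequisite checks assume, as the post's fix does, that the client hands the tunnel to pppd and therefore needs the pppd binary and /dev/ppp. The lookups are injectable so the logic can be exercised without a FortiClient install; the sample logs are the post's own.

```python
"""Triage for the FortiClient SSL VPN on Linux symptom above: login succeeds, the
log ends at 'xml parse split tunnel info success', and no tunnel appears.
Added example; not part of the post or of FortiClient.  Stage phrases come from
the logs above; the pppd/ /dev/ppp prerequisites are an assumption drawn from the
post's fix (installing the ppp package)."""
import os
import shutil

# Stages in the order the client logs them on a successful connection
STAGES = (
    "xml parse split tunnel info success",
    "Got local address from ppp",
    "ppp interface is up",
    "begin sysconfig linux",
)


def last_stage(log_text):
    """Index into STAGES of the furthest stage present in the log, or -1 if none."""
    reached = -1
    for i, phrase in enumerate(STAGES):
        if phrase in log_text:
            reached = i
    return reached


def missing_prereqs(which=shutil.which, exists=os.path.exists):
    """Names of the pieces pppd needs that are absent; lookups are injectable for testing."""
    missing = []
    if which("pppd") is None:
        missing.append("pppd binary (install the ppp package)")
    if not exists("/dev/ppp"):
        missing.append("/dev/ppp (ppp_generic module not loaded)")
    return missing


def diagnose(log_text, which=shutil.which, exists=os.path.exists):
    """One-line verdict for a client log."""
    stage = last_stage(log_text)
    if stage >= 2:
        return "tunnel up"
    if stage == 1:
        return "ppp handed out an address but the interface never came up; read pppd.log"
    if stage == 0:
        missing = missing_prereqs(which, exists)
        if missing:
            return "stalled before ppp; missing: " + "; ".join(missing)
        return "stalled before ppp with pppd present; read pppd.log in the helper directory"
    return "no split-tunnel stage reached; authentication or reachability problem"


# Sample logs, copied from the post's before/after excerpts
LOG_BEFORE = """02/21/2019 11:29:00 [2328] dns suffix:
02/21/2019 11:29:00 [2328] xml parsing split tunnel info
02/21/2019 11:29:00 [2328] xml parse split tunnel info success. Buffer length: 899 bytes
"""

LOG_AFTER = """02/21/2019 11:42:08 [2761] dns suffix:
02/21/2019 11:42:08 [2761] xml parsing split tunnel info
02/21/2019 11:42:08 [2761] xml parse split tunnel info success. Buffer length: 899 bytes
02/21/2019 11:42:09 [2761] Got local address from ppp, interface will be  up
02/21/2019 11:42:12 [2761] ppp interface is up
02/21/2019 11:42:12 [2761] run_scutil 0 0...
02/21/2019 11:42:12 [2761] write argument OK.
Generating pppd.resolv.conf...Done
02/21/2019 11:42:13 [2794] begin sysconfig linux
"""

if __name__ == "__main__":
    # Real lookups on this host for the failing log, then the fixed log
    print("before:", diagnose(LOG_BEFORE))
    print("after: ", diagnose(LOG_AFTER))
```

Run on the failing host before the fix the first line names pppd as missing; after the ppp package is installed the same log still reads "stalled", which is the point: the verdict changes only once the client has been re-run and the log itself reaches the "ppp interface is up" stage.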

Connecting two remote networks with OpenVPN

Sections

  • Overview
  • Deploying the OpenVPN server
  • Deploying the OpenVPN client
  • Testing
  • Summary

1. Overview

In real IT environments there is often a need to join two remote networks at the network layer so that hosts on either side can reach each other. Typical cases:

  • two branch offices, e.g. a branch sending data to headquarters for processing in real time
  • an office network and an IDC, e.g. operations staff managing servers in the IDC remotely while servers in the IDC also need to reach hosts on the office LAN
  • two IDCs, e.g. for data synchronisation and mutual access

A leased line would do this, but it is expensive, so we use OpenVPN instead.

The example below sets up an OpenVPN server to join two remote sites A and B, so that 172.16.10.0/24 in LAN A and 172.16.20.0/24 in LAN B can reach each other as if they were one LAN.

Environment:

Role               Addresses
OpenVPN server     192.168.0.124/24 (simulated public side); 172.16.10.206/24 (LAN A); tun0 10.8.0.1, peer 10.8.0.2
OpenVPN client     192.168.0.200/24 (simulated public side); 172.16.20.200/24 (LAN B); tun0 10.8.0.6, peer 10.8.0.5
LAN A host         172.16.10.207/24
LAN B host         172.16.20.201/24

The original table lists 172.16.20.201 for both the OpenVPN client and the LAN B host; the routes in the test section use 172.16.20.200 as the client's LAN B address, which is what the table above shows.

2. Deploying the OpenVPN server (192.168.0.124)

Disable SELinux

# setenforce 0
setenforce: SELinux is disabled

(It was already disabled on this host. Disabling SELinux is a shortcut, not a requirement for OpenVPN.)

Enable IP forwarding

Edit /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then apply it:

# sysctl -p

Install OpenVPN

# curl http://mirrors.aliyun.com/repo/epel-6.repo  -o  /etc/yum.repos.d/epel-6.repo --silent   # add the Alibaba EPEL mirror
# yum install openssl openvpn easy-rsa lzo -y

The repo file is fetched over plain HTTP here. Fetch it over HTTPS instead: a repository definition pulled over HTTP can be swapped on the path, and with it the GPG settings that protect every package installed afterwards.

Create the directories

# mkdir /var/log/openvpn                      # OpenVPN logs
# mkdir /etc/openvpn/easy-rsa                 # tools shipped in the easy-rsa package
# mkdir /etc/openvpn/ccd                      # per-client configuration directory, used later
# mkdir /var/run/openvpn                      # OpenVPN pid file

Copy the easy-rsa tools into /etc/openvpn/easy-rsa

# cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ -r

Edit /etc/openvpn/easy-rsa/vars and set the following variables to your own values; they become the defaults when certificates are generated later

export KEY_COUNTRY="CN"        # country
export KEY_PROVINCE="GD"       # province
export KEY_CITY="GZ"           # city
export KEY_ORG="MY_ORG"        # organisation / company
export KEY_EMAIL="vpn@qq.com"  # e-mail address
export KEY_OU="vpn"            # organisational unit
export KEY_NAME="openvpn"      # name

Then run

# cd /etc/openvpn/easy-rsa
# source vars      # export the variables from vars into the current shell
# ./clean-all      # wipe the keys directory

Generate the CA

This is the certificate authority that signs the server and client certificates. Its private key (keys/ca.key) is only needed at signing time; once the certificates are issued it does not have to stay on the VPN endpoint.

# ./build-ca
生成服务器证书

# ./build-key-server vpnserver               # name it vpnserver
Generating a 2048 bit RSA private key
................................+++
.....+++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [GZ]:
Organization Name (eg, company) [MY_ORG]:
Organizational Unit Name (eg, section) [vpn]:
Common Name (eg, your name or your server's hostname) [vpnserver]:
Name [vpn]:
Email Address [vpn@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                 
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'GZ'
organizationName      :PRINTABLE:'MY_ORG'
organizationalUnitName:PRINTABLE:'vpn'
commonName            :PRINTABLE:'vpnserver'
name                  :PRINTABLE:'vpn'
emailAddress          :IA5STRING:'vpn@qq.com'
Certificate is to be certified until Apr 29 06:26:49 2026 GMT (3650 days)
Sign the certificate? [y/n]:y         # enter y

1 out of 1 certificate requests certified, commit? [y/n]y   # enter y
Write out database with 1 new entries
Data Base Updated

Generate the client certificate

# ./build-key vpnclient                  # name it vpnclient: this is the certificate for the client called vpnclient
Generating a 2048 bit RSA private key
.......+++
....................+++
writing new private key to 'vpnclient.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [GZ]:
Organization Name (eg, company) [MY_ORG]:
Organizational Unit Name (eg, section) [vpn]:
Common Name (eg, your name or your server's hostname) [vpnclient]:
Name [vpn]:
Email Address [vpn@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'GZ'
organizationName      :PRINTABLE:'MY_ORG'
organizationalUnitName:PRINTABLE:'vpn'
commonName            :PRINTABLE:'vpnclient'
name                  :PRINTABLE:'vpn'
emailAddress          :IA5STRING:'vpn@qq.com'
Certificate is to be certified until Apr 29 06:30:42 2026 GMT (3650 days)
Sign the certificate? [y/n]:y    # enter y

1 out of 1 certificate requests certified, commit? [y/n]y   # enter y
Write out database with 1 new entries
Data Base Updated

Create the Diffie-Hellman parameters

This takes a while

# ./build-dh

Configure OpenVPN

Edit /etc/openvpn/server.conf as follows

local 192.168.0.124
port 1999
proto tcp-server
dev tun
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
key  /etc/openvpn/easy-rsa/keys/vpnserver.key
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
push "route 172.16.10.0 255.255.255.0"  # pushed to clients: reach 172.16.10.0/24 through the VPN server; one line per LAN behind the server
route 172.16.20.0 255.255.255.0         # kernel route added at startup: 172.16.20.0/24 goes out through tun0
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
client-to-client
duplicate-cn                            # lets several clients share one certificate; see the note below
persist-key
persist-tun
status    /var/log/openvpn/openvpn-status.log
log       /var/log/openvpn/openvpn.log
writepid  /var/run/openvpn/server.pid
verb 3
mute 20

Three settings here deserve a second look before this goes into production. `duplicate-cn` is at odds with the per-client ccd file below: if two clients ever connected with the vpnclient certificate, both would be handed the same ifconfig-push address and the same iroute. `proto tcp-server` carries TCP inside TCP, which degrades badly under packet loss; UDP is the normal choice for site-to-site unless a firewall forces TCP. And there is no `tls-auth` (or `tls-crypt`) key, so any host that can reach port 1999 can start a TLS handshake against the server.

Start the OpenVPN server

# service openvpn start
# chkconfig --add openvpn
# chkconfig --level 35 openvpn on

Check the tun0 interface and the routes

# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

# route -n | grep tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0   # host route to the tun0 peer address
172.16.20.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0   # from the route directive: 172.16.20.0/24 via 10.8.0.2
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0   # the VPN pool 10.8.0.0/24 via 10.8.0.2

Per-client configuration

Configuration specific to the client named vpnclient (the file name is the client certificate's Common Name); edit /etc/openvpn/ccd/vpnclient as follows

ifconfig-push 10.8.0.6 10.8.0.5      # fixed tunnel addresses for this client: local 10.8.0.6, remote 10.8.0.5
iroute 172.16.20.0 255.255.255.0     # internal route: tells the OpenVPN server that 172.16.20.0/24 sits behind this client

The `route` line in server.conf only gets packets for 172.16.20.0/24 as far as tun0; the OpenVPN process still has to know which connected client owns that network, and that is what `iroute` does. Without it the server has no client to forward those packets to and drops them, even though the kernel route looks fine.
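The route/iroute pairing is the step most often got wrong in this kind of setup, and the weak settings noted above are easy to leave in. The following is an added example, not code from the post or from OpenVPN: it parses a server.conf and its ccd files, verifies that every `route` has a matching `iroute` (and vice versa), checks that `ifconfig-push` pairs are valid net30 pairs, and flags `duplicate-cn`, a missing `tls-auth`/`tls-crypt`, and `comp-lzo`. The sample configuration is the post's own; the hardened variant it produces for comparison assumes a hypothetical key path /etc/openvpn/ta.key.

```python
"""Consistency and hygiene checks for an OpenVPN site-to-site server.conf plus
its client-config-dir files.  Added example; not from the post or from OpenVPN.
The sample configuration below is the post's; the hardened variant assumes a
hypothetical tls-crypt key at /etc/openvpn/ta.key."""
from ipaddress import ip_address, ip_network


def parse(conf_text):
    """List of (directive, args) with '#' comments and blank lines removed."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def nets(entries, directive):
    """Networks given as '<directive> NETWORK NETMASK'."""
    found = set()
    for d, args in entries:
        if d == directive and len(args) >= 2:
            found.add(ip_network("%s/%s" % (args[0], args[1]), strict=False))
    return found


def check_site_to_site(server_conf, ccd_files):
    """ccd_files: {common_name: ccd text}.  Returns a list of finding strings."""
    srv = parse(server_conf)
    directives = {d for d, _ in srv}
    findings = []
    kernel_routes = nets(srv, "route")
    iroutes = set()
    net30 = not any(d == "topology" and args[:1] == ["subnet"] for d, args in srv)
    for cn, text in ccd_files.items():
        entries = parse(text)
        iroutes |= nets(entries, "iroute")
        for d, args in entries:
            if d == "ifconfig-push" and len(args) == 2 and net30:
                a, b = ip_address(args[0]), ip_address(args[1])
                if int(a) // 4 != int(b) // 4:  # net30: both ends must sit in the same /30
                    findings.append("%s: ifconfig-push %s %s is not a /30 pair" % (cn, a, b))
    for n in kernel_routes - iroutes:
        findings.append("route %s has no matching iroute in any ccd file: packets reach tun0 "
                        "but OpenVPN has no client to hand them to" % n)
    for n in iroutes - kernel_routes:
        findings.append("iroute %s has no matching route in server.conf: the kernel never "
                        "sends that LAN into tun0" % n)
    if "duplicate-cn" in directives and ccd_files:
        findings.append("duplicate-cn with per-client ccd entries: two clients presenting the same "
                        "cert would be given the same ifconfig-push address and iroute")
    if not ({"tls-auth", "tls-crypt"} & directives):
        findings.append("no tls-auth/tls-crypt: any host can start a TLS handshake; an HMAC-signed "
                        "control channel drops unauthenticated packets before the TLS stack sees them")
    if "comp-lzo" in directives:
        findings.append("comp-lzo: compression before encryption enables compression-oracle "
                        "attacks (VORACLE); leave it off")
    return findings


def harden(server_conf):
    """The same server.conf with duplicate-cn and comp-lzo removed and tls-crypt added."""
    kept = [l for l in server_conf.splitlines()
            if l.split("#", 1)[0].strip() not in ("duplicate-cn", "comp-lzo")]
    kept.append("tls-crypt /etc/openvpn/ta.key   # hypothetical key path")
    return "\n".join(kept) + "\n"


# The post's server.conf and ccd/vpnclient, reproduced as strings
SERVER_CONF = """local 192.168.0.124
port 1999
proto tcp-server
dev tun
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
key  /etc/openvpn/easy-rsa/keys/vpnserver.key
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
push "route 172.16.10.0 255.255.255.0"
route 172.16.20.0 255.255.255.0
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
client-to-client
duplicate-cn
persist-key
persist-tun
verb 3
"""
CCD_VPNCLIENT = "ifconfig-push 10.8.0.6 10.8.0.5\niroute 172.16.20.0 255.255.255.0\n"

if __name__ == "__main__":
    for f in check_site_to_site(SERVER_CONF, {"vpnclient": CCD_VPNCLIENT}):
        print("-", f)
    print("hardened:", check_site_to_site(harden(SERVER_CONF), {"vpnclient": CCD_VPNCLIENT}))
```

Against the post's files the route/iroute pair is consistent and the three hygiene findings are reported; drop the `iroute` line from the ccd file and the checker names the orphaned `route`, which is exactly the silent failure described above.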

3. Deploying the OpenVPN client (192.168.0.200)

Disable SELinux

# setenforce 0
setenforce: SELinux is disabled

Enable IP forwarding

Edit /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then apply it:

# sysctl -p

Install OpenVPN

# curl http://mirrors.aliyun.com/repo/epel-6.repo  -o  /etc/yum.repos.d/epel-6.repo --silent   # add the Alibaba EPEL mirror
# yum install openssl openvpn easy-rsa lzo -y

Create the directories

# mkdir /etc/openvpn/keys          # client certificate and key
# mkdir /var/log/openvpn           # logs

Copy ca.crt, vpnclient.crt and vpnclient.key from /etc/openvpn/easy-rsa/keys on the server into /etc/openvpn/keys on the client (use scp or another authenticated channel; vpnclient.key is the client's identity and should be readable by root only)

# ls /etc/openvpn/keys
ca.crt  vpnclient.crt  vpnclient.key

Configure the OpenVPN client

Edit the client configuration file /etc/openvpn/client.conf as follows

client
dev tun
proto tcp-client
remote 192.168.0.124 1999
resolv-retry infinite
nobind
persist-key
persist-tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpnclient.crt
key  /etc/openvpn/keys/vpnclient.key
remote-cert-tls server       # accept only a certificate issued as a server cert, so another client's cert cannot impersonate the server
auth-nocache
user nobody
group nobody
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
comp-lzo
verb 3
mute 20

Start the OpenVPN client

# service openvpn start
# chkconfig --add openvpn
# chkconfig --level 35 openvpn on

After starting there is only a process and no listening port, because the client connects out to the server

# ps aux | grep vpn
nobody    4236  0.1  0.3  46916  3232 ?        Ss   01:36   0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/client.pid --cd /etc/openvpn --config client.conf --script-security 2

Check the tun0 interface and the routes

# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

# route -n | grep tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0   # host route to the tun0 peer address
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0   # the VPN pool 10.8.0.0/24 via 10.8.0.5
172.16.10.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0   # pushed by the server: 172.16.10.0/24 via 10.8.0.5

4. Testing (172.16.10.207 and 172.16.20.201)

On the LAN A host 172.16.10.207, add a route

ip route add 172.16.20.0/24 via 172.16.10.206            // Linux
route add 172.16.20.0 mask 255.255.255.0 172.16.10.206   // Windows

This says that from A the next hop for LAN B (172.16.20.0/24) is 172.16.10.206, i.e. hand the packets to vpnserver.

On the LAN B host 172.16.20.201, add a route

ip route add 172.16.10.0/24 via 172.16.20.200           // Linux
route add 172.16.10.0 mask 255.255.255.0 172.16.20.200  // Windows

This says that from B the next hop for LAN A (172.16.10.0/24) is 172.16.20.200, i.e. hand the packets to vpnclient.

Finally, ping 172.16.20.201 from the LAN A host 172.16.10.207

# ping 172.16.20.201
PING 172.16.20.201 (172.16.20.201) 56(84) bytes of data.
64 bytes from 172.16.20.201: icmp_seq=1 ttl=62 time=1.44 ms
64 bytes from 172.16.20.201: icmp_seq=2 ttl=62 time=0.752 ms
64 bytes from 172.16.20.201: icmp_seq=3 ttl=62 time=0.674 ms
64 bytes from 172.16.20.201: icmp_seq=4 ttl=62 time=0.785 ms
^C
--- 172.16.20.201 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 0.674/0.913/1.441/0.307 ms

And ping 172.16.10.207 from the LAN B host 172.16.20.201

# ping 172.16.10.207
PING 172.16.10.207 (172.16.10.207) 56(84) bytes of data.
64 bytes from 172.16.10.207: icmp_seq=1 ttl=62 time=5.72 ms
64 bytes from 172.16.10.207: icmp_seq=2 ttl=62 time=0.674 ms
^C
--- 172.16.10.207 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1400ms
rtt min/avg/max/mdev = 0.674/3.200/5.727/2.527 ms

Both directions answer, so the setup works. The TTL of 62 on the replies is consistent with the two hops in between: the OpenVPN server and the OpenVPN client each decrement it once.

Possible improvements

If LAN A and LAN B contain many hosts, adding the route on every one of them is tedious; in a real deployment put the route on the LAN's router instead, so nothing needs to be configured on the hosts. The same goes for filtering: once the two LANs are joined at the network layer, everything in one can reach everything in the other, so add iptables rules on the two OpenVPN endpoints (or ACLs on the routers) that allow only the traffic the sites actually need.

5. Summary

The purpose of a VPN here is to join two or more remote networks at the network layer so that they behave like one LAN.

Once vpnserver and vpnclient are set up they can be treated as routers.

If the VPN is going to carry real data, give it as much bandwidth as possible; bond links and add a standby endpoint for high availability if necessary.

https://www.cnblogs.com/huangweimin/articles/7700892.html

890 router EZVPN with CA authentication

Easy VPN lab configuration, verified working. The client is an 891 router running IOS 12.4; the VPN server is an ASA running 8.1.

aaa authentication login rtr-remote local
aaa authorization network rtr-remote local

clock timezone HKST 8  //the clock must be right, or certificate validity checks fail

crypto pki trustpoint testca  //trustpoint (certificate) name
enrollment mode ra
enrollment url http://1.1.1.1:80/certsrv/mscep/mscep.dll //online enrolment with the CA over SCEP
revocation-check none  //no CRL/OCSP check: acceptable in a lab, not in production
rsakeypair test.domain.com  //key pair; hostname test, domain domain.com. The original suggests 1024 bits; use 2048 where the image supports it, 1024-bit RSA is no longer adequate

crypto pki certificate chain testca
ip domain name domain.com

username user privilege 15 password 0 passwd

crypto isakmp policy 1  //must match the server
encr aes 256
group 2
crypto isakmp keepalive 100
!
crypto isakmp client configuration group testgroup
key 123
domain domain.com
crypto isakmp profile pro  //ISAKMP profile
ca trust-point testca  //certificate to present
match identity group testgroup
client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set set1 esp-aes 256 esp-sha-hmac  //matches the ISAKMP policy

crypto ipsec client ezvpn ezvpn
connect auto
mode network-extension
peer 10.10.10.10  //VPN server address
xauth userid mode interactive
!
!
crypto dynamic-map dymap 1
set transform-set set1
set isakmp-profile pro
reverse-route
!
!
crypto map mymap isakmp authorization list rtr-remote
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dymap

interface Loopback0
description inside
ip address 192.168.1.1 255.255.255.0
crypto ipsec client ezvpn ezvpn inside  //the inside interface must be specified and must be up/up

interface GigabitEthernet0  //outside interface
ip address dhcp
duplex auto
speed auto
crypto map mymap
crypto ipsec client ezvpn ezvpn

Source: http://blog.sina.com.cn/s/blog_5e4115b501013foj.html

ADSL combined with IPsec/IKE

1. Network requirements

This example combines IPsec with ADSL, a typical and widely deployed real-world case.

  • Router B connects directly to the public network's DSLAM through an ADSL card and acts as the PPPoE client. The address Router B obtains dynamically from the ISP is a private address, so both Router A and Router B need NAT traversal configured.
  • The head-office LAN connects to the ATM network through Router A.
  • To protect the traffic, an IPsec/IKE security tunnel is set up between the two.

2. Network diagram

Figure 2-5 ADSL combined with IPsec/IKE (figure not reproduced here)

3. Configuration steps

(1) Configure Router A

# Set the local security gateway name.
<RouterA> system-view
[RouterA] ike local-name routera

# Configure the ACL.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule 0 permit ip source 172.16.0.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
[RouterA-acl-adv-3101] quit

# Configure the IKE proposal.
[RouterA] ike proposal 1
[RouterA-ike-proposal-1] authentication-algorithm sha
[RouterA-ike-proposal-1] authentication-method pre-share
[RouterA-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterA-ike-proposal-1] dh group2

# Configure the IKE peer "peer". Aggressive mode with name identities is used because Router B's address is dynamic and private, so Router A cannot know it in advance.
[RouterA] ike peer peer
[RouterA-ike-peer-peer] exchange-mode aggressive
[RouterA-ike-peer-peer] pre-shared-key abc
[RouterA-ike-peer-peer] id-type name
[RouterA-ike-peer-peer] remote-name routerb
[RouterA-ike-peer-peer] nat traversal
[RouterA-ike-peer-peer] quit

# Create the IPsec proposal "prop".
[RouterA] ipsec proposal prop
[RouterA-ipsec-proposal-prop] encapsulation-mode tunnel
[RouterA-ipsec-proposal-prop] transform esp
[RouterA-ipsec-proposal-prop] esp encryption-algorithm 3des
[RouterA-ipsec-proposal-prop] esp authentication-algorithm sha1
[RouterA-ipsec-proposal-prop] quit

# Create the security policy "policy" and specify that SAs are negotiated by IKE.
[RouterA] ipsec policy policy 10 isakmp

# Reference IKE peer "peer" in the policy.
[RouterA-ipsec-policy-isakmp-policy-10] ike-peer peer

# Reference ACL 3101 in the policy.
[RouterA-ipsec-policy-isakmp-policy-10] security acl 3101

# Reference IPsec proposal "prop" in the policy.
[RouterA-ipsec-policy-isakmp-policy-10] proposal prop
[RouterA-ipsec-policy-isakmp-policy-10] quit

# Configure the IP address and apply the policy to the interface.
[RouterA] interface serial 2/0/1
[RouterA-Serial2/0/1] ip address 100.1.1.1 255.255.255.0
[RouterA-Serial2/0/1] ipsec policy policy
[RouterA-Serial2/0/1] quit

# Configure the Ethernet interface.
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ip address 172.16.0.1 255.255.255.0
[RouterA-GigabitEthernet1/0/1] quit

# Configure the static route to the branch LAN.
[RouterA] ip route-static 192.168.0.0 255.255.255.0 serial 2/0/1

The pre-shared key "abc", 3DES and DH group 2 are the guide's lab values. On a production link use a long random key and, where the software supports it, AES with a 2048-bit or larger group; remember that aggressive mode exposes the PSK-derived hash to anyone on the path.

(2) Configure Router B

# Set the local security gateway name.
<RouterB> system-view
[RouterB] ike local-name routerb

# Configure the ACL (the mirror image of Router A's rule).
[RouterB] acl number 3101
[RouterB-acl-adv-3101] rule 0 permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
[RouterB-acl-adv-3101] quit

# Configure the IKE proposal.
[RouterB] ike proposal 1
[RouterB-ike-proposal-1] authentication-algorithm sha
[RouterB-ike-proposal-1] authentication-method pre-share
[RouterB-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterB-ike-proposal-1] dh group2

# Configure the IKE peer "peer". Router B knows Router A's fixed address, so it sets remote-address as well as the name.
[RouterB] ike peer peer
[RouterB-ike-peer-peer] exchange-mode aggressive
[RouterB-ike-peer-peer] pre-shared-key abc
[RouterB-ike-peer-peer] id-type name
[RouterB-ike-peer-peer] remote-name routera
[RouterB-ike-peer-peer] remote-address 100.1.1.1
[RouterB-ike-peer-peer] nat traversal
[RouterB-ike-peer-peer] quit

# Create the IPsec proposal "prop".
[RouterB] ipsec proposal prop
[RouterB-ipsec-proposal-prop] encapsulation-mode tunnel
[RouterB-ipsec-proposal-prop] transform esp
[RouterB-ipsec-proposal-prop] esp encryption-algorithm 3des
[RouterB-ipsec-proposal-prop] esp authentication-algorithm sha1
[RouterB-ipsec-proposal-prop] quit

# Create the security policy "policy" and specify that SAs are negotiated by IKE.
[RouterB] ipsec policy policy 10 isakmp

# Reference IKE peer "peer" in the policy.
[RouterB-ipsec-policy-isakmp-policy-10] ike-peer peer

# Reference ACL 3101 in the policy.
[RouterB-ipsec-policy-isakmp-policy-10] security acl 3101

# Reference IPsec proposal "prop" in the policy.
[RouterB-ipsec-policy-isakmp-policy-10] proposal prop
[RouterB-ipsec-policy-isakmp-policy-10] quit

# Configure the dialer access control list.
[RouterB] dialer-rule 1 ip permit

# Create Dialer0 with the ISP-assigned username and password for dialling and PPP authentication, apply the IPsec policy, and set the MTU (1492 = 1500 minus the 8 bytes of PPPoE and PPP headers).
[RouterB] interface dialer 0
[RouterB-Dialer0] link-protocol ppp
[RouterB-Dialer0] ppp pap local-user test password simple 123456
[RouterB-Dialer0] ip address ppp-negotiate
[RouterB-Dialer0] dialer user 1
[RouterB-Dialer0] dialer-group 1
[RouterB-Dialer0] dialer bundle 1
[RouterB-Dialer0] ipsec policy policy
[RouterB-Dialer0] mtu 1492
[RouterB-Dialer0] quit

# Configure the static route to the head-office LAN.
[RouterB] ip route-static 172.16.0.0 255.255.255.0 dialer 0

# Configure the Ethernet interface. The MSS clamp limits TCP segment size so segments survive the PPPoE and ESP overhead; 1450 is a rule-of-thumb value, the exact ceiling depends on the cipher and on whether NAT-T adds a UDP header.
[RouterB] interface gigabitethernet 1/0/1
[RouterB-GigabitEthernet1/0/1] tcp mss 1450
[RouterB-GigabitEthernet1/0/1] ip address 192.168.0.1 255.255.255.0
[RouterB-GigabitEthernet1/0/1] quit

# Configure the ATM interface of the ADSL card.
[RouterB] interface atm 1/0/1
[RouterB-Atm1/0/1] pvc 0/100
[RouterB-atm-pvc-Atm1/0/1-0/100] map bridge virtual-ethernet 0
[RouterB-atm-pvc-Atm1/0/1-0/100] quit

# Configure the VE interface.
[RouterB] interface virtual-ethernet 0
[RouterB-Virtual-Ethernet0] pppoe-client dial-bundle-number 1
[RouterB-Virtual-Ethernet0] mac-address 0011-0022-0012

2.12 Common configuration errors

When an IPsec tunnel will not come up, enabling IKE error debugging helps locate the configuration problem:

<Router> debugging ike error

2.12.1 Invalid identity information

1. Symptom

Invalid user identity information.

2. Analysis

Identity information is the data an IPsec initiator uses to identify itself. In practice, identities let you build different tunnels for different traffic flows. Here a user is identified by IP address and by name.

The debug output shows:

got NOTIFY of type INVALID_ID_INFORMATION

or

drop message from A.B.C.D due to notification type INVALID_ID_INFORMATION

3. Action

Check that the ACLs referenced by the security policies on the two ends' interfaces are compatible. The recommendation is to configure the two ACLs as mirror images of each other; see "Configuring an access control list" in the IPsec configuration chapter for what a mirrored ACL means.

2.12.2 Proposal mismatch

1. Symptom

Proposal mismatch.

2. Analysis

The debug output shows:

got NOTIFY of type NO_PROPOSAL_CHOSEN

or

drop message from A.B.C.D due to notification type NO_PROPOSAL_CHOSEN

The two ends have no proposal in common.

3. Action

For phase 1, check whether any IKE proposal matches the peer's. For phase 2, check that the IPsec policy parameters applied on the two interfaces match, and that the referenced IPsec proposals agree on protocol, encryption algorithm and authentication algorithm.

2.12.3 Tunnel cannot be established

1. Symptom

The security tunnel cannot be established.

2. Analysis

On an unstable network you may find that the tunnel cannot be established, or that it exists but carries no traffic, even though both ends' ACLs are correct and matching proposals exist.

This usually happens when one device rebooted after the tunnel was established: one side still holds SAs the other side no longer has.

3. Action

  • Use display ike sa to check whether both ends have a phase 1 SA.
  • Use display ipsec sa policy to check whether the policy on the interface has an IPsec SA.
  • If one side has an SA the other side lacks, use reset ike sa to clear the stale SA and renegotiate.

2.12.4 ACL configuration error

1. Symptom

An ACL error lets negotiation succeed but traffic does not flow.

2. Analysis

When several devices set up tunnels one after another, one device ends up with several peers. If that device has no ACL rules of its own, each peer initiates and creates a tunnel with its own protection granularity. Tunnel priority follows creation order, so when the device's outbound traffic first matches the coarser-grained tunnel, it can no longer reach the peers behind the finer-grained ones.

3. Action

To avoid this, configure ACLs on a device with several peers so that the flows are distinguished, and avoid overlapping ACL sub-rules towards different peers. If overlapping sub-rules are unavoidable, give the finer-grained sub-rule the higher priority.
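Sections 2.12.1 and 2.12.2 describe the two notifications and the configuration differences that cause them. The following is an added example, not from the guide or from Comware: it classifies `debugging ike error` lines into the remedy the guide gives, converts the `rule ... permit ip` wildcard syntax into networks so two ACLs can be tested for being mirror images, and predicts which notification a pair of peer configurations will produce. The peer descriptions are hand-transcribed from the Router A and Router B configurations above.

```python
"""Predict and classify the IKE negotiation failures described in section 2.12.
Added example; not from the H3C/Comware guide.  Peer descriptions are transcribed
from the Router A / Router B configurations above; ACL rules are tuples of
(src, src-wildcard, dst, dst-wildcard) as written in `rule N permit ip ...`."""
from ipaddress import ip_network

# Notification type -> the guide's remedy
NOTIFY_REMEDY = {
    "INVALID_ID_INFORMATION": "phase 2 identities rejected: make the two ends' security ACLs mirror images",
    "NO_PROPOSAL_CHOSEN": "no common proposal: compare ike proposal (phase 1) and ipsec proposal (phase 2)",
}


def classify_debug(lines):
    """(notify_type, remedy) for every 'got NOTIFY of type X' / 'notification type X' line."""
    out = []
    for line in lines:
        for marker in ("NOTIFY of type ", "notification type "):
            if marker in line:
                notify = line.split(marker, 1)[1].split()[0]
                out.append((notify, NOTIFY_REMEDY.get(notify, "not covered by the guide; compare both configs")))
    return out


def wildcard_net(addr, wildcard):
    """'172.16.0.0', '0.0.0.255' -> IPv4Network('172.16.0.0/24'); the wildcard is an inverted mask."""
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ip_network("%s/%s" % (addr, mask), strict=False)


def acl_flows(rules):
    """Set of (source network, destination network) a security ACL protects."""
    return {(wildcard_net(s, sw), wildcard_net(d, dw)) for s, sw, d, dw in rules}


def acls_mirror(rules_a, rules_b):
    """True when every flow B protects is the reverse of a flow A protects, and vice versa."""
    return acl_flows(rules_a) == {(d, s) for s, d in acl_flows(rules_b)}


def negotiation_outcome(peer_a, peer_b):
    """NOTIFY types to expect when peer_a negotiates with peer_b; [] means the SAs should come up."""
    if peer_a["ike"] != peer_b["ike"]:
        return ["NO_PROPOSAL_CHOSEN"]          # phase 1 fails; phase 2 never starts
    out = []
    if not acls_mirror(peer_a["acl"], peer_b["acl"]):
        out.append("INVALID_ID_INFORMATION")   # phase 2 identities (the ACL flows) disagree
    if peer_a["ipsec"] != peer_b["ipsec"]:
        out.append("NO_PROPOSAL_CHOSEN")       # phase 2 transform mismatch
    return out


# Transcribed from the configurations above
ROUTER_A = {
    "ike": {"auth": "sha", "method": "pre-share", "enc": "3des-cbc", "dh": "group2"},
    "ipsec": {"mode": "tunnel", "transform": "esp", "enc": "3des", "auth": "sha1"},
    "acl": [("172.16.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255")],
}
ROUTER_B = {
    "ike": {"auth": "sha", "method": "pre-share", "enc": "3des-cbc", "dh": "group2"},
    "ipsec": {"mode": "tunnel", "transform": "esp", "enc": "3des", "auth": "sha1"},
    "acl": [("192.168.0.0", "0.0.0.255", "172.16.0.0", "0.0.0.255")],
}

if __name__ == "__main__":
    print("as configured:", negotiation_outcome(ROUTER_A, ROUTER_B))
    # Router B typo: destination 172.16.1.0 instead of 172.16.0.0
    typo = dict(ROUTER_B, acl=[("192.168.0.0", "0.0.0.255", "172.16.1.0", "0.0.0.255")])
    print("ACL typo on B:", negotiation_outcome(ROUTER_A, typo))
    print(classify_debug(["drop message from 100.1.1.2 due to notification type INVALID_ID_INFORMATION"]))
```

With the configurations as written the prediction is an empty list (the tunnel comes up); one wrong octet in Router B's ACL turns that into INVALID_ID_INFORMATION, which is exactly the message section 2.12.1 says to look for.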

IPsec over a GRE tunnel

Lab background:

A plain pre-shared-key IPsec VPN on its own joins the sites, but it sits awkwardly next to NAT on the same exit router: NAT rewrites the addresses that the crypto ACL matches and that ESP protects, so the two only coexist with careful ordering and NAT exemption, and a crypto-ACL tunnel carries no multicast, so no routing protocol can run between the sites. Running IPsec over a GRE tunnel removes both problems: the tunnel interface carries the site-to-site traffic (including the routing protocol), while NAT stays on the physical interface. GRE (Generic Routing Encapsulation) can carry any network-layer protocol inside another network-layer protocol. Strictly, what the lab builds is GRE inside ESP, usually called GRE over IPsec, with the crypto map applied to the tunnel interface.

Lab goals:

1. Run OSPF on the simulated public network and EIGRP between the sites.
2. Understand how the GRE tunnel is built.
3. Apply IPsec to the GRE tunnel for protected communication.
4. Configure NAT on the exit routers to translate private addresses to public ones.
5. Test the result of each step.

Lab topology: (diagram not reproduced)

Lab steps

1. Basic connectivity

1.1 Configure the basic parameters between R2 and R3 and enable OSPF. Note: R2 and R3 each get a default route towards the stub network on their side so that the public network can reach the internal networks. (configuration screenshots not reproduced)

1.2 Use show ip route to check that R2 and R3 have learned the OSPF routes (shown as O IA). (screenshot not reproduced)

1.3 Configure the basic parameters on the private-side exit routers R1 and R4 and give each a default route towards the public network. (screenshots not reproduced)

2. GRE tunnel and EIGRP

2.1 Configure tunnel 1 on R1 and R4 and enable EIGRP. Note: advertise only the internal networks and the tunnel network; if the network of the tunnel source interface is advertised through the tunnel as well, the tunnel endpoint becomes reachable via the tunnel itself and the tunnel flaps (recursive routing). (screenshots not reproduced)

2.2 Use show ip route to check the EIGRP routes learned between the sites (shown as D). (screenshots not reproduced)

3. IPsec on the GRE tunnel

3.1 Configure IPsec on R1 and R4 and apply the crypto map to the GRE tunnel (Tunnel 1). (screenshots not reproduced)

4. Connectivity between sites

4.1 Encryption counters before and after the ping. (screenshots not reproduced)

5. NAT

5.1 Configure NAT (PAT) on R1 and R4 to translate all private addresses to the router's public exit address. (screenshots not reproduced)

5.2 From PC1, ping a private address and a public address in turn: the pings to the public address are translated by NAT, while the pings to the private address go through the encrypted tunnel. (screenshots not reproduced)

[CCIE Notes] Original, part 3: step-by-step ADSL + IPsec VPN configuration

Part 3 is here.

Recap

Title: [CCIE Notes] Original, part 1: step-by-step VPN configuration, L2L site-to-site VPN
Link: http://www.jdccie.com/?p=1862 (please credit CCIE Notes when reposting)

Title: [CCIE Notes] Original, part 2: step-by-step VPN configuration, L2L + EZVPN
Link: http://www.jdccie.com/?p=3020 (please credit CCIE Notes when reposting)

Why this part? Someone asked how a branch office on an ADSL dial-up connection should set up a VPN to headquarters. Plenty of network engineers run into this.

Anyone who has worked in corporate IT knows that ADSL and LAN lines are cheap for a company, roughly 2,000 RMB a month for 2 Mbit/s, while EPON fibre costs several times more. So most companies connect over ADSL to a headquarters, IDC or server room that has a fixed IP. Enough digression.

Goal

The branch network 4.4.4.0 behind r4 must be able to reach the headquarters network behind R8. The original text names that network as 8.8.8.0, but the crypto ACLs below protect 10.1.1.0/24, R8's inside network; 8.8.8.0/24 is the segment between R8 and the ISP.

Environment

GNS3 2961, c2691-advsecurityk9-mz[1].124-11.T2.bin

Topology: (diagram not reproduced)

The diagram is a little busy, so here is what is in it:

1. An ADSL server that simulates the ISP
2. The IPsec VPN server, R8
3. The ADSL + VPN client, vpnadsl
4. R4, simulating the internal server and the VPN remote side
5. server, simulating the headquarters server

I originally wanted to do this in Cisco Packet Tracer, but after a lot of trying it turned out not to be supported, so GNS3 it is.

Configurations are trimmed to the essentials; everything else has been removed.

ADSL server configuration

vpdn enable                                  /*enable VPDN
!
vpdn-group 1                                 /*VPDN group
 ! Default L2TP VPDN group
 accept-dialin                               /*accept incoming calls
  protocol pppoe                             /*PPPoE encapsulation
  virtual-template 1                         /*use virtual template 1
username cisco password 0 cisco              /*dial-in username and password
!
bba-group pppoe global                       /*global BBA group
 virtual-template 1                          /*bind virtual template 1
!
interface Loopback1                          /*address borrowed by the virtual template
 ip address 223.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 8.8.8.1 255.255.255.0
 speed auto
 full-duplex
!
interface FastEthernet0/1
 pppoe enable group global                   /*enable PPPoE on the port
!
interface Virtual-Template1                  /*virtual template
 ip unnumbered Loopback1                     /*borrow Loopback1's address
 peer default ip address pool cisco          /*address pool for peers
 ppp authentication chap                     /*CHAP authentication
!
ip local pool cisco 223.1.1.2 223.1.1.100    /*the address pool
!

Headquarters VPN configuration, R8

Not explained again here; see the first two parts.

hostname R8

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0   /*wildcard PSK, accepted from any peer address; unavoidable when the branch has a dynamic IP, but anyone holding the key can then negotiate, so keep it long and rotate it
!
crypto ipsec transform-set newset esp-3des esp-md5-hmac
!
crypto dynamic-map map1 10                  /*not referenced; only mymap1 is used below
 set transform-set newset
!
crypto dynamic-map mymap1 10
 set transform-set newset
!
crypto map map1 100 ipsec-isakmp dynamic mymap1 discover
!
interface FastEthernet0/0
 ip address 8.8.8.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map map1
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 8.8.8.1
!
no ip http server
no ip http secure-server
ip nat inside source list nonat interface FastEthernet0/0 overload
!
ip access-list extended VPN_B01             /*defined but not referenced: the dynamic map accepts the proxy IDs the branch proposes from its VPN_HUB ACL
 permit ip 10.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
ip access-list extended nonat               /*VPN traffic must be excluded from NAT, otherwise it is translated before the crypto map can match it
 deny   ip 10.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
 permit ip any any

Now the main event: the VPN + ADSL router configuration

hostname vpnadsl

vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 8.8.8.2
!
crypto ipsec transform-set newset esp-3des esp-md5-hmac
!
crypto map map1 5 ipsec-isakmp
 set peer 8.8.8.2
 set transform-set newset
 match address VPN_HUB
!
bba-group pppoe global
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet0/1
 no ip address
 speed auto
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 ip nat outside                              /*note: everything (NAT, crypto map) is applied here on the dialer, not on the physical port
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin          /*for PAP the client-side syntax is: ppp pap sent-username xxx password xxx
 ppp chap hostname cisco
 ppp chap password 0 cisco
 crypto map map1                             /*apply IPsec
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 4.4.4.0 255.255.255.0 1.1.1.2
!
ip nat inside source list nonat interface Dialer0 overload
!
ip access-list extended VPN_HUB
 permit ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended nonat
 deny   ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
!
dialer-list 1 protocol ip permit

Test result: works, lab goal achieved. The debug crypto isakmp output of the first exchange follows; the branch tries aggressive mode first, falls back to main mode, both sides announce NAT-T vendor IDs, and the ID payloads carry the negotiated PPPoE address 223.1.1.2 and the hub's 8.8.8.2:

*Mar  1 01:36:02.007: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Mar  1 01:36:10.779: ISAKMP:(0): SA request profile is (NULL)

*Mar  1 01:36:10.779: ISAKMP: Created a peer struct for 8.8.8.2, peer port 500

*Mar  1 01:36:10.783: ISAKMP: New peer created peer = 0x648CE15C peer_handle = 0x80000005

*Mar  1 01:36:10.783: ISAKMP: Locking peer struct 0x648CE15C, refcount 1 for isakmp_initiator

*Mar  1 01:36:10.783: ISAKMP: local port 500, remote port 500

*Mar  1 01:36:10.783: ISAKMP: set new node 0 to QM_IDLE     

*Mar  1 01:36:10.787: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64186BF4

*Mar  1 01:36:10.787: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Mar  1 01:36:10.787: ISAKMP:(0):found peer pre-shared key matching 8.8.8.2

*Mar  1 01:36:10.791: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Mar  1 01:36:10.791: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar  1 01:36:10.791: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Mar  1 01:36:10.795: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar  1 01:36:10.795: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 01:36:10.795: ISAKMP:(0): beginning Main Mode exchange

*Mar  1 01:36:10.799: ISAKMP:(0): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar  1 01:36:10.799: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  1 01:36:11.283: ISAKMP (0:0): received packet from 8.8.8.2 dport 500 sport 500 Global (I) MM_NO_STATE

*Mar  1 01:36:11.287: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  1 01:36:11.287: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Mar  1 01:36:11.291: ISAKMP:(0): processing SA payload. message ID = 0

*Mar  1 01:36:11.295: ISAKMP:(0): processing vendor id payload

*Mar  1 01:36:11.295: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar  1 01:36:11.295: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar  1 01:36:11.295: ISAKMP:(0):found peer pre-shared key matching 8.8.8.2

*Mar  1 01:36:11.299: ISAKMP:(0): local preshared key found

*Mar  1 01:36:11.299: ISAKMP : Scanning profiles for xauth …

*Mar  1 01:36:11.299: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Mar  1 01:36:11.299: ISAKMP:      encryption 3DES-CBC

*Mar  1 01:36:11.303: ISAKMP:      hash SHA

*Mar  1 01:36:11.303: ISAKMP:      default group 2

*Mar  1 01:36:11.303: ISAKMP:      auth pre-share

*Mar  1 01:36:11.303: ISAKMP:      life type in seconds

*Mar  1 01:36:11.303: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Mar  1 01:36:11.307: ISAKMP:(0):atts are acceptable. Next payload is 0

*Mar  1 01:36:11.307: ISAKMP:(0): processing vendor id payload

*Mar  1 01:36:11.307: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

*Mar  1 01:36:11.311: ISAKMP (0:0): vendor ID is NAT-T v7

*Mar  1 01:36:11.311: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 01:36:11.311: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  1 01:36:11.323: ISAKMP:(0): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Mar  1 01:36:11.323: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  1 01:36:11.327: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 01:36:11.327: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  1 01:36:11.967: ISAKMP (0:0): received packet from 8.8.8.2 dport 500 sport 500 Global (I) MM_SA_SETUP

*Mar  1 01:36:11.971: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  1 01:36:11.971: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  1 01:36:11.979: ISAKMP:(0): processing KE payload. message ID = 0

*Mar  1 01:36:12.087: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar  1 01:36:12.087: ISAKMP:(0):found peer pre-shared key matching 8.8.8.2

*Mar  1 01:36:12.095: ISAKMP:(1005): processing vendor id payload

*Mar  1 01:36:12.095: ISAKMP:(1005): vendor ID is Unity

*Mar  1 01:36:12.099: ISAKMP:(1005): processing vendor id payload

*Mar  1 01:36:12.099: ISAKMP:(1005): vendor ID is DPD

*Mar  1 01:36:12.099: ISAKMP:(1005): processing vendor id payload

*Mar  1 01:36:12.103: ISAKMP:(1005): speaking to another IOS box!

*Mar  1 01:36:12.103: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 01:36:12.103: ISAKMP:(1005):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  1 01:36:12.111: ISAKMP:(1005):Send initial contact

*Mar  1 01:36:12.111: ISAKMP:(1005):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar  1 01:36:12.115: ISAKMP (0:1005): ID payload

next-payload : 8

type         : 1

address      : 223.1.1.2

protocol     : 17

port         : 500

length       : 12

*Mar  1 01:36:12.115: ISAKMP:(1005):Total payload length: 12

*Mar  1 01:36:12.119: ISAKMP:(1005): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Mar  1 01:36:12.123: ISAKMP:(1005):Sending an IKE IPv4 Packet.

*Mar  1 01:36:12.123: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 01:36:12.127: ISAKMP:(1005):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  1 01:36:12.579: ISAKMP (0:1005): received packet from 8.8.8.2 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Mar  1 01:36:12.583: ISAKMP:(1005): processing ID payload. message ID = 0

*Mar  1 01:36:12.583: ISAKMP (0:1005): ID payload

next-payload : 8

type         : 1

address      : 8.8.8.2

protocol     : 17

port         : 500

length       : 12

*Mar  1 01:36:12.587: ISAKMP:(0):: peer matches *none* of the profiles

*Mar  1 01:36:12.587: ISAKMP:(1005): processing HASH payload. message ID = 0

*Mar  1 01:36:12.591: ISAKMP:(1005):SA authentication status:

authenticated

*Mar  1 01:36:12.591: ISAKMP:(1005):SA has been authenticated with 8.8.8.2

*Mar  1 01:36:12.591: ISAKMP: Trying to insert a peer 223.1.1.2/8.8.8.2/500/,  and inserted successfully 648CE15C.

*Mar  1 01:36:12.595: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  1 01:36:12.595: ISAKMP:(1005):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  1 01:36:12.603: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  1 01:36:12.603: ISAKMP:(1005):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  1 01:36:12.611: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  1 01:36:12.611: ISAKMP:(1005):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  1 01:36:12.619: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of 1720065028

*Mar  1 01:36:12.619: ISAKMP:(1005):QM Initiator gets spi

*Mar  1 01:36:12.627: ISAKMP:(1005): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) QM_IDLE     

*Mar  1 01:36:12.627: ISAKMP:(1005):Sending an IKE IPv4 Packet.

*Mar  1 01:36:12.631: ISAKMP:(1005):Node 1720065028, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

*Mar  1 01:36:12.631: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

*Mar  1 01:36:12.631: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar  1 01:36:12.635: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE       /* if the tunnel does not come up, this is the checkpoint to look at

*Mar  1 01:36:13.487: ISAKMP (0:1005): received packet from 8.8.8.2 dport 500 sport 500 Global (I) QM_IDLE     

*Mar  1 01:36:13.491: ISAKMP:(1005): processing HASH payload. message ID = 1720065028

*Mar  1 01:36:13.495: ISAKMP:(1005): processing SA payload. message ID = 1720065028

*Mar  1 01:36:13.495: ISAKMP:(1005):Checking IPSec proposal 1

*Mar  1 01:36:13.495: ISAKMP: transform 1, ESP_3DES

*Mar  1 01:36:13.495: ISAKMP:   attributes in transform:

*Mar  1 01:36:13.495: ISAKMP:      encaps is 1 (Tunnel)

*Mar  1 01:36:13.499: ISAKMP:      SA life type in seconds

*Mar  1 01:36:13.499: ISAKMP:      SA life duration (basic) of 3600

*Mar  1 01:36:13.499: ISAKMP:      SA life type in kilobytes

*Mar  1 01:36:13.499: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Mar  1 01:36:13.503: ISAKMP:      authenticator is HMAC-MD5

*Mar  1 01:36:13.503: ISAKMP:(1005):atts are acceptable.

*Mar  1 01:36:13.507: ISAKMP:(1005): processing NONCE payload. message ID = 1720065028

*Mar  1 01:36:13.507: ISAKMP:(1005): processing ID payload. message ID = 1720065028

*Mar  1 01:36:13.507: ISAKMP:(1005): processing ID payload. message ID = 1720065028

*Mar  1 01:36:13.515: ISAKMP:(1005): Creating IPSec SAs

*Mar  1 01:36:13.519:         inbound SA from 8.8.8.2 to 223.1.1.2 (f/i)  0/ 0

        (proxy 10.1.1.0 to 4.4.4.0)

*Mar  1 01:36:13.519:         has spi 0x34C7B52D and conn_id 0

*Mar  1 01:36:13.519:         lifetime of 3600 seconds

*Mar  1 01:36:13.519:         lifetime of 4608000 kilobytes

*Mar  1 01:36:13.519:         outbound SA from 223.1.1.2 to 8.8.8.2 (f/i) 0/0

        (proxy 4.4.4.0 to 10.1.1.0)

*Mar  1 01:36:13.523:         has spi  0xBE4D8EE6 and conn_id 0

*Mar  1 01:36:13.523:         lifetime of 3600 seconds

*Mar  1 01:36:13.523:         lifetime of 4608000 kilobytes

*Mar  1 01:36:13.527: ISAKMP:(1005): sending packet to 8.8.8.2 my_port 500 peer_port 500 (I) QM_IDLE     

*Mar  1 01:36:13.527: ISAKMP:(1005):Sending an IKE IPv4 Packet.

*Mar  1 01:36:13.531: ISAKMP:(1005):deleting node 1720065028 error FALSE reason "No Error"

*Mar  1 01:36:13.531: ISAKMP:(1005):Node 1720065028, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar  1 01:36:13.531: ISAKMP:(1005):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE   /* if the tunnel does not come up, this is the checkpoint to look at

*Mar  1 01:36:21.867: %SYS-5-CONFIG_I: Configured from console by console
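As an added example (not part of the original post), the script below walks a constructed IOS "debug crypto isakmp" trace of the same shape as the output above and reports the negotiated phase 1 / phase 2 attributes and the last state reached, i.e. the two checkpoints the annotations above point at (IKE_P1_COMPLETE and IKE_QM_PHASE2_COMPLETE).

```python
import re
# Constructed sample trace (not the page's own lines), abridged to the shape of IOS
# "debug crypto isakmp" output; the full trace above carries the same markers.
SAMPLE_DEBUG = """\
*Mar  1 01:36:11.299: ISAKMP:      encryption 3DES-CBC
*Mar  1 01:36:11.303: ISAKMP:      hash SHA
*Mar  1 01:36:11.303: ISAKMP:      default group 2
*Mar  1 01:36:11.303: ISAKMP:      auth pre-share
*Mar  1 01:36:11.327: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Mar  1 01:36:12.611: ISAKMP:(1005):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 01:36:13.495: ISAKMP: transform 1, ESP_3DES
*Mar  1 01:36:13.503: ISAKMP:      authenticator is HMAC-MD5
*Mar  1 01:36:13.531: ISAKMP:(1005):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
IKE_ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
ESP_RE = re.compile(r"transform \d+, (ESP_\S+)")
ESP_AUTH_RE = re.compile(r"authenticator is (\S+)")

def analyze_isakmp_debug(text):
    """Walk the trace and record the last state plus the phase 1 / phase 2 attributes."""
    r = {"last_state": None, "phase1_complete": False, "phase2_complete": False,
         "ike": {}, "ipsec": {}}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            r["last_state"] = m.group(2)
            r["phase1_complete"] |= m.group(2) == "IKE_P1_COMPLETE"
            r["phase2_complete"] |= m.group(2) == "IKE_QM_PHASE2_COMPLETE"
            continue
        m = IKE_ATTR_RE.search(line)
        if m and not r["phase1_complete"]:   # phase 1 policy attributes only
            r["ike"][m.group(1)] = m.group(2)
        m = ESP_RE.search(line)
        if m:
            r["ipsec"]["transform"] = m.group(1)
        m = ESP_AUTH_RE.search(line)
        if m:
            r["ipsec"]["authenticator"] = m.group(1)
    return r

def stall_hint(r):
    """Turn the result into the checkpoint the post's annotations point at."""
    if r["phase2_complete"]:
        return "tunnel up"
    if r["phase1_complete"]:
        return "phase 2 failed: check transform-set, crypto ACL / proxy IDs and lifetimes"
    return "phase 1 failed at %s: check isakmp policy, pre-shared key and peer address" % r["last_state"]
```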

ping test

r4#ping 10.1.1.2 repeat 10000

server#

*Mar  1 02:22:38.047: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2

*Mar  1 02:22:38.423: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2

*Mar  1 02:22:38.551: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2

*Mar  1 02:22:38.799: ICMP: echo reply sent, src 10.1.1.2, dst 4.4.4.2

Original configuration attached: http://pan.baidu.com/share/link?shareid=2163115506&uk=4144237329

[CCIE那点事] Original: Episode 2: Step-by-step VPN configuration: L2L + EZVPN


Any thoughts after reading Episode 1? Now that I have some time, here is Episode 2.

Recap

Previous article: [CCIE那点事] Original: Episode 1: Step-by-step VPN configuration: L2L site-to-site VPN

In Episode 2 we look at running an L2L VPN and EZVPN at the same time.

When would this combination be used? Remote work, of course.

Now let's go through it:

1. How to configure the L2L VPN (covered in the previous episode)

2. How to configure EZVPN

It is clearest when broken into three phases.

Phase 0

1. Configure AAA

2. Configure the username and password

Phase 1

3. Configure the IKE policy

4. Configure the IKE group

Phase 2

5. Configure the transform set

6. Configure the dynamic map

7. Configure the static crypto map for clients

8. Apply it

9. Configure the EZVPN address pool (this can be done last; in fact it is best left until last)

10. Configure the split-tunnel ACL (likewise: best left until last)

The topology diagram says it best

The topology is largely unchanged from last time; the main addition is a laptop simulating a remote user connecting to the company intranet to work.

This scenario applies to almost every company today: for security reasons, every company takes this approach. The old practice was to put the internal OA system and mail system directly on the public Internet. That was convenient for users, but it offered essentially no security, because of the method known as brute-force attack. I won't go into that here; we do security, not hacking.


hub, the headquarters' main router, is configured with both the L2L VPN and EZVPN.

b01 still connects to headquarters via L2L.

Lab objective

laptop1 connects to headquarters via EZVPN, obtains an address in the range 3.1.1.100-200, and can reach the 1.1.1.0 headquarters intranet segment.

Here is the HUB configuration. This time only this router needs changes; the others can stay as they are.

hostname hub

!

aaa new-model   /* enable AAA; if you are not familiar with AAA, see http://www.jdccie.com/?p=3008 (AAA explained)

!

aaa authentication login ezauthen local         /* authentication method for connections: local; the list name ezauthen is referenced later

!

aaa authorization network ezauthor local      /* authorize network service requests from users (PPP, SLIP and similar protocols); the list name ezauthor is referenced later

!

username cisco password 0 cisco

!

---------- Phase 1: configure IKE negotiation, i.e. the parameters used to establish the tunnel ----------

crypto isakmp policy 100

encr 3des                                

authentication pre-share

group 2                    /* not covered last time: this is DH group 2, the 1024-bit modulus

!

!

crypto isakmp client configuration group ezgp               /* configure the EZVPN group; required for EZVPN dial-in

key cisco123

pool ezpool

ACL XXX   /* not supported by this simulator; this ACL would provide split tunneling, which is why later only the 1.1.1.0 segment is reachable and not the 2.2.2.0 segment

!

!

---------- Phase 2: configure the encryption method used to protect the traffic ----------

crypto ipsec transform-set newset esp-3des esp-md5-hmac               /* unchanged from last time; see Episode 1 if unclear

!

crypto dynamic-map mymap 10           /* configure the dynamic map

set transform-set newset

!

crypto map map1 client authentication list ezauthen    /* use the ezauthen list to authenticate clients

crypto map map1 isakmp authorization list ezauthor   /* use the ezauthor list to authorize clients

crypto map map1 client configuration address respond   /* the server only pushes configuration information when the client actively requests it

crypto map map1 100 ipsec-isakmp dynamic mymap   /* bind the dynamic map mymap into the static map map1

!

spanning-tree mode pvst

!

interface FastEthernet0/0

ip address 10.1.1.1 255.255.255.0

ip nat outside

duplex auto

speed auto

crypto map map1           /* apply the static crypto map

!

ip local pool ezpool 3.1.1.100 3.1.1.200     /* address pool for EZVPN clients

acl xxx   /* this version does not support it, so I have not written it

Testing

1. Go to the PC and configure the VPN


The settings are all in the configuration above.


Connected successfully.


Ping test from PC1: no problems. By the way, this software is really handy: there is nothing to configure on the client, the VPN client is built in. Cisco is quite user-friendly.



I won't cover the theory; there are plenty of write-ups online. Read those, and if there is real demand I'll write an easy-to-follow one myself.

Preview of Episode 3: ADSL + IPsec VPN

ADSL + IPSEC VPN configuration


Requirement: headquarters has a static IP address; the branch has a dynamic IP from ADSL dial-up, and its VPN device sits behind the ADSL dial-up device. How do the two ends set up an IPsec VPN?

Two pieces of VPN knowledge are involved: dynamic maps (on R4) and the two IPsec ports (UDP 500 and UDP 4500).

Topology:

Configuration steps:
1. Configure the ISP: R3 acts as the PPPoE server; main commands:

vpdn enable
vpdn-group 1
accept-dialin
protocol pppoe
virtual-template 1
username cisco password cisco
ip local pool cisco 218.2.2.2 218.2.2.10
int lo0
ip add 218.2.2.1 255.255.255.0
int virtual-template 1
ip unnumber lo0
peer default ip address pool cisco
ppp authentication chap
int e0/0
pppoe enable

2. Configure R2 as the PPPoE client; main commands:

vpdn enable
vpdn-group 1
request-dialin
protocol pppoe
int e0/3
pppoe enable
pppoe-client dial-pool-number 1

int dialer0
encapsulation ppp
ip address negotiated
ppp authentication chap pap callin
dialer pool 1
dialer-group 1
ppp chap hostname cisco
ppp chap password cisco
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 dialer 0

After configuration, R2 shows the address it obtained:

R2#sh ip int bri
Interface      IP-Address      OK? Method Status    Protocol
Ethernet0/0    192.168.1.1     YES manual up        up
Dialer0        218.2.2.2       YES IPCP   up        up

3. Configure the interfaces, NAT and so on for the four routers R1-R4 so that the network is reachable end to end

R1#ping 218.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 218.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/52/108 ms

4. Configure the VPN
R1 uses a normal configuration; note that R1 has no NAT configured

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 218.1.1.2
!
!
crypto ipsec transform-set test esp-3des
!
crypto map mymap 1000 ipsec-isakmp
set peer 218.1.1.2
set transform-set test
match address 101
!
interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
half-duplex
crypto map mymap
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255

R2 is configured with two static port mappings

ip nat inside source static udp 192.168.1.2 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.1.2 500 interface Dialer0 500

R4 is configured with a dynamic map; note R4's NAT configuration

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set test esp-3des
!
crypto dynamic-map mymap1 1000
set transform-set test
!
crypto map mymap 1000 ipsec-isakmp dynamic mymap1 discover
!
interface Ethernet0/0
ip address 218.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex
crypto map mymap
!
ip nat inside source list 101 interface Ethernet0/0 overload
!
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip any any

After configuration, generate interesting traffic from R1 (R4 uses a dynamic map, so only R1 can initiate)

R1#ping 192.168.10.1 so 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/69/144 ms

Finally, check the VPN status on R1 and R4

R1#sh crypto isakmp sa
dst             src             state          conn-id slot status
218.1.1.2       192.168.1.2     QM_IDLE              1    0 ACTIVE

R4#sh crypto isakmp sa

End of configuration.

IPsec VPN: Main Mode and Aggressive Mode explained


Differences between main mode and aggressive mode:
1. Number of messages exchanged: main mode uses 6 messages, aggressive mode only 3, and the form of the exchange differs as well.
In main mode the messages come in symmetric pairs: each peer sends the other a message carrying the same type of fields; there are three such exchanges, six messages in total.
In aggressive mode, the SA initiator first sends one message to the SA responder; on receiving it, the responder sends back its own SA negotiation message with its authentication information attached, which is the second message; the third message is sent by the initiator to the responder and carries the initiator's authentication information. This is somewhat like the TCP three-way handshake.
2. Support for NAT traversal: this also depends on the authentication method used by the two peers; the main difference is in the pre-shared key case.
With pre-shared keys, main mode does not support NAT traversal, whereas aggressive mode does.
With certificate authentication, both main mode and aggressive mode support NAT traversal.
3. Peer identification: in main mode the peer can only be identified by IP address; in aggressive mode the peer can be identified by IP address or by domain name.
This follows from the message exchange mechanics of the two modes. In main mode, messages 1 and 2 exchange negotiation parameters such as the encryption algorithm, the authentication (hash) algorithm, the DH group and the authentication method; messages 3 and 4 exchange the public keys (the DH public values), after which the DH algorithm can derive the keying material needed later (SKEYID), including the symmetric key used to encrypt data. This derivation requires the pre-shared key configured on both sides. When a device has several peers, it needs ID information (such as a domain name) to decide which peer's pre-shared key to use, but the ID information is only exchanged in messages 5 and 6, so at this point the device can only match the peer's pre-shared key by IP address. Hence main mode cannot use domain names to identify peers.
In aggressive mode, the ID information is already sent in the first message, so the SA responder can match the pre-shared key by that ID and compute the corresponding SKEYID. Aggressive mode can therefore identify peers by IP address or domain name. However, because aggressive mode exchanges identity information before the SA that would encrypt it is established, the exchanged messages are in cleartext, including the ID information, which is a security weakness.
4. DH group negotiation: in main mode the two sides negotiate the DH group to use in messages 1 and 2; in aggressive mode the DH information is exchanged without any prior negotiation, so the DH group is fixed in advance.
5. Negotiation speed and capability: because fewer messages are exchanged, aggressive mode negotiates faster, but its negotiation capability is weaker than main mode's.
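As an added illustration of the message-sequence argument above (example code, not part of the original post), the model below replays both IKEv1 exchanges from the responder's side and derives the properties the text explains: whether the PSK can be selected by ID, whether the ID travels in cleartext, and whether the DH group is negotiated before the key exchange. Payload names and the "encrypted" flag are a simplification; no cryptography is performed.

```python
# Simplified model of the two IKEv1 exchanges (added example, not the post's own code):
# each message is (sender, payloads, encrypted). No real crypto; only payload visibility is modelled.
MAIN_MODE = [
    ("I", {"SA"}, False),           ("R", {"SA"}, False),           # 1, 2: proposals
    ("I", {"KE", "NONCE"}, False),  ("R", {"KE", "NONCE"}, False),  # 3, 4: DH values and nonces
    ("I", {"ID", "HASH"}, True),    ("R", {"ID", "HASH"}, True),    # 5, 6: identities, encrypted
]
AGGRESSIVE_MODE = [
    ("I", {"SA", "KE", "NONCE", "ID"}, False),          # 1: everything, ID included, in the clear
    ("R", {"SA", "KE", "NONCE", "ID", "HASH"}, False),  # 2: responder's half plus its authenticator
    ("I", {"HASH"}, False),                             # 3: initiator's authenticator
]

def analyze_exchange(exchange):
    """Replay the exchange from the responder's side. SKEYID, and therefore the PSK, is needed
    as soon as the initiator's NONCE has arrived, so whatever the responder has seen from the
    initiator by then is all it can use to pick the PSK."""
    seen_from_initiator, in_clear, known_at_skeyid = set(), set(), None
    for sender, payloads, encrypted in exchange:
        if not encrypted:
            in_clear |= payloads
        if sender == "I":
            seen_from_initiator |= payloads
            if known_at_skeyid is None and "NONCE" in payloads:
                known_at_skeyid = set(seen_from_initiator)
    return {
        "messages": len(exchange),
        # False means the responder can only key the PSK lookup on the peer's IP address
        "psk_selectable_by_id": "ID" in known_at_skeyid,
        "id_sent_in_clear": "ID" in in_clear,
        # the group is negotiated first only if no message carries SA and KE together
        "dh_group_negotiated_before_ke": all("SA" not in p for _, p, _e in exchange if "KE" in p),
    }
```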