Configuring a site-to-site VPN between a router and a PIX


Configuring a Router-to-PIX VPN

Description:

See the diagram.

As the diagram shows, the lab builds a private tunnel between two LANs across a public transport network. Router RI plays the ISP router. So that the PCs in each LAN can reach the Internet, outbound traffic is translated with NAT overload (PAT), except for the LAN-to-LAN traffic that belongs in the tunnel: that traffic must be exempted from NAT on both ends, otherwise the translated packets never match the crypto access lists and the tunnel is never brought up. The lab does not go into general PIX configuration in depth.

Note that the crypto parameters used here (DES, MD5, Diffie-Hellman group 1 and a pre-shared key of cisco) are the platform defaults of the IOS 12.2 / PIX 6.3 era and are shown only to illustrate the mechanics; none of them is acceptable for a production tunnel today.

Cấu hình:

RA:

Building configuration

*Mar 1 00:34:25.701: %SYS-5-CONFIG_I: Configured from console by console

Current configuration : 1205 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname RA

!

!

memory-size iomem 10

ip subnet-zero

!

!

!

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key cisco address 172.17.63.213

!

!

crypto ipsec transform-set vnpro esp-des

!

crypto map lee 10 ipsec-isakmp

set peer 172.17.63.213

set transform-set vnpro

match address 115

!

!


voice call carrier capacity active

!

!

!

!

!

!

!

!

!

mta receive maximum-recipients 0

!

!

!

!

interface Ethernet0/0

ip address 10.2.2.1 255.255.255.0

ip nat inside

half-duplex

!

interface Serial0/0

ip address 172.17.63.230 255.255.255.240

ip nat outside

no fair-queue

crypto map lee

!

ip nat inside source route-map nonat interface Serial0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 172.17.63.225

ip http server

!

!

access-list 110 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 110 permit ip any any

access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

!

route-map nonat permit 10

match ip address 110

!

call rsvp-sync

!

!

mgcp profile default

!

dial-peer cor custom


!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

PIX:

PIX Version 6.3(1)

interface ethernet0 auto   <- bring the interfaces up

interface ethernet1 auto

nameif ethernet0 outside security0   <- name the interfaces; by default e0 is outside

nameif ethernet1 inside security100   <- and e1 is inside

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0   <- crypto ACL: selects the traffic to be encrypted and protected

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0   <- selects the traffic exempted from NAT

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 172.17.63.213 255.255.255.240   <- interface IP addresses

ip address inside 10.1.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable


arp timeout 14400

global (outside) 1 172.17.63.210   <- the outside address inside hosts are translated to (a single address, so this is PAT)

nat (inside) 0 access-list nonat   <- traffic matching 'nonat' (the tunnel traffic) is exempt from NAT

nat (inside) 1 10.1.1.0 255.255.255.0 0 0   <- inside addresses translated via global pool 1

conduit permit icmp any any   <- permits ICMP so pings work; note that a conduit also lets inbound ICMP from any outside source through the firewall

route outside 0.0.0.0 0.0.0.0 172.17.63.209 1   <- default route toward the Internet

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set vnpro esp-des   <- VPN settings, mirroring the router

crypto map lee 10 ipsec-isakmp

crypto map lee 10 match address ipsec

crypto map lee 10 set peer 172.17.63.230

crypto map lee 10 set transform-set vnpro

crypto map lee interface outside

isakmp enable outside

isakmp key ******** address 172.17.63.230 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:e52c775e9c04687097ae170f546a111b

: end

RI(gateway):

Building configuration

Current configuration : 841 bytes

!

version 12.2


service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname RI

!

!

memory-size iomem 10

ip subnet-zero

!

!

!

!

!

!

voice call carrier capacity active

!

!

!

!

!

!

!

!

!

mta receive maximum-recipients 0

!

!

!

!

interface FastEthernet0/0

ip address 172.17.63.209 255.255.255.240

duplex auto

speed auto

!

interface Serial0/0

ip address 172.17.63.225 255.255.255.240

no fair-queue

clockrate 64000

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!


interface Serial0/1

no ip address

shutdown

!

ip classless

ip route 10.1.1.0 255.255.255.0 172.17.63.213

ip route 10.2.2.0 255.255.255.0 172.17.63.230

ip http server

!

!

!

call rsvp-sync

!

!

mgcp profile default

!

dial-peer cor custom

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

Procedure:

First, the PIX must be made operational. In this lab the PIX has two Ethernet ports, one toward the internal network and one toward the public network, so both must be configured and brought up:

pixfirewall# conf t

pixfirewall(config)# ho PIX

PIX(config)# nameif ethernet0 outside security0

PIX(config)# nameif ethernet1 inside security100

PIX(config)# ip address outside 172.17.63.213 255.255.255.240

PIX(config)# ip address inside 10.1.1.1 255.255.255.0

PIX(config)# interface e0 auto

PIX(config)# interface e1 auto

PIX(config)# conduit permit icmp any any

PIX(config)# route outside 0.0.0.0 0.0.0.0 172.17.63.209

Once the PIX interfaces are up, we configure NAT and the VPN:

PIX(config)# access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

PIX(config)# access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

PIX(config)# global (outside) 1 172.17.63.210

Global 172.17.63.210 will be Port Address Translated

PIX(config)# nat (inside) 0 access-list nonat

PIX(config)# nat (inside) 1 10.1.1.0 255.255.255.0 0 0

PIX(config)# sysopt connection permit-ipsec

PIX(config)# crypto ipsec transform-set vnpro esp-des

PIX(config)# crypto map lee 10 ipsec-isakmp

PIX(config)# crypto map lee 10 match address ipsec

PIX(config)# crypto map lee 10 set peer 172.17.63.230

PIX(config)# crypto map lee 10 set transform-set vnpro

PIX(config)# crypto map lee interface outside

PIX(config)# isakmp enable outside

PIX(config)# isakmp key cisco address 172.17.63.230 netmask 255.255.255.255

PIX(config)# isakmp identity address

PIX(config)# isakmp policy 10 authentication pre-share

PIX(config)# isakmp policy 10 hash md5


Note: access lists on the PIX take a subnet mask, not the wildcard mask used on IOS, and on the PIX everything is entered in global configuration mode (there are no configuration sub-modes).

On router A we configure the VPN in the same way:

RA(config)#crypto isakmp policy 10

RA(config-isakmp)#hash md5

RA(config-isakmp)#authentication pre-share

RA(config-isakmp)#exit

RA(config)#crypto isakmp key cisco address 172.17.63.213

RA(config)#crypto ipsec transform-set vnpro esp-des

RA(cfg-crypto-trans)#exit

RA(config)#crypto map lee 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured

RA(config-crypto-map)#set peer 172.17.63.213

RA(config-crypto-map)#set transform-set vnpro

RA(config-crypto-map)#match address 115

RA(config-crypto-map)#exit

RA(config)#int s0/0

RA(config-if)#ip nat out

RA(config-if)#ip nat outside

RA(config-if)#crypto map lee

RA(config-if)#exit

RA(config)#int e0/0


RA(config-if)#ip nat in

RA(config-if)#ip nat inside

RA(config-if)#exit

RA(config)#ip nat inside source route-map nonat interface s0/0 overload

RA(config)#access-list 110 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

RA(config)#access-list 110 permit ip any any

RA(config)#access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

RA(config)#route-map nonat permit 10

RA(config-route-map)#match ip address 110
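The two access-list styles from the note above and the NAT exemption used on both devices, modelled in a short Python script. This is an added example, not part of the original lab: it copies the access-list entries from the RA and PIX configurations, applies IOS wildcard-mask and PIX subnet-mask matching, and walks a packet through the NAT decision and then the crypto-map match on each device, including what happens if the deny line in access-list 110 is left out. The Packet type, the function names and the sample addresses other than those in the lab are this example's own.

```python
# Added example (not part of the original lab): models the traffic selection on both
# peers. IOS access lists use wildcard masks, PIX access lists use subnet masks, and on
# RA the route-map 'nonat' must exclude LAN-to-LAN traffic because IOS translates
# inside-to-outside packets before the crypto map on Serial0/0 is consulted.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def match_subnet(addr: str, net: str, mask: str) -> bool:
    """PIX style: 'access-list ... 10.1.1.0 255.255.255.0'."""
    return (_ip(addr) & _ip(mask)) == (_ip(net) & _ip(mask))


def match_wildcard(addr: str, net: str, wildcard: str) -> bool:
    """IOS style: 'access-list ... 10.2.2.0 0.0.0.255'; a 1 bit means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(net) & care)


def acl_permits(acl, pkt: Packet, matcher) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, smask, d, dmask in acl:
        if matcher(pkt.src, s, smask) and matcher(pkt.dst, d, dmask):
            return action == "permit"
    return False


# Entries copied from the lab configuration: (action, src, mask, dst, mask)
RA_ACL_110 = [  # route-map nonat: traffic this list permits gets translated
    ("deny", "10.2.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
RA_ACL_115 = [("permit", "10.2.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255")]
PIX_ACL_NONAT = [("permit", "10.1.1.0", "255.255.255.0", "10.2.2.0", "255.255.255.0")]
PIX_ACL_IPSEC = [("permit", "10.1.1.0", "255.255.255.0", "10.2.2.0", "255.255.255.0")]

RA_OUTSIDE = "172.17.63.230"   # 'ip nat inside source ... interface Serial0/0 overload'
PIX_GLOBAL = "172.17.63.210"   # 'global (outside) 1 172.17.63.210'


def ra_forward(pkt: Packet, nonat_deny_present: bool = True):
    """Return (source address on the wire, encrypted?) for a packet leaving RA.
    nonat_deny_present=False simulates forgetting the deny line in ACL 110."""
    acl110 = RA_ACL_110 if nonat_deny_present else RA_ACL_110[1:]
    translated = acl_permits(acl110, pkt, match_wildcard)   # NAT is evaluated first
    src = RA_OUTSIDE if translated else pkt.src
    encrypted = acl_permits(RA_ACL_115, Packet(src, pkt.dst), match_wildcard)
    return src, encrypted


def pix_forward(pkt: Packet):
    """Same decision on the PIX: 'nat (inside) 0 access-list nonat' exempts first."""
    exempt = acl_permits(PIX_ACL_NONAT, pkt, match_subnet)
    src = pkt.src if exempt else PIX_GLOBAL
    encrypted = acl_permits(PIX_ACL_IPSEC, Packet(src, pkt.dst), match_subnet)
    return src, encrypted


def crypto_acls_mirror(samples) -> bool:
    """Phase 2 only completes if each side's crypto ACL is the exact mirror of the
    other's; check that over a set of (src, dst) sample pairs."""
    return all(
        acl_permits(RA_ACL_115, Packet(s, d), match_wildcard)
        == acl_permits(PIX_ACL_IPSEC, Packet(d, s), match_subnet)
        for s, d in samples
    )


if __name__ == "__main__":
    print(ra_forward(Packet("10.2.2.2", "10.1.1.5")))          # ('10.2.2.2', True)
    print(ra_forward(Packet("10.2.2.2", "172.17.63.225")))    # ('172.17.63.230', False)
    print(ra_forward(Packet("10.2.2.2", "10.1.1.5"), False))  # ('172.17.63.230', False)
```

The third call shows the failure mode the nonat route-map exists to prevent: without the deny entry the LAN-to-LAN packet is translated to 172.17.63.230 and no longer matches access-list 115, so it leaves in the clear and IKE is never triggered.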

Verification:

We run the show commands on both sides and then enable debugging:

RA#sh crypto map

Crypto Map "lee" 10 ipsec-isakmp

Peer = 172.17.63.213

Extended IP access list 115

access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Current peer: 172.17.63.213

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={ vnpro, }

Interfaces using crypto map lee:

Serial0/0

RA#sh crypto isakmp policy

Protection suite of priority 10

encryption algorithm: DES - Data Encryption Standard (56 bit keys)

hash algorithm: Message Digest 5

authentication method: Pre-Shared Key

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

Default protection suite

encryption algorithm: DES - Data Encryption Standard (56 bit keys)

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

RA#sh crypto ipsec transform-set

Transform set vnpro: { esp-des }

will negotiate = { Tunnel, },

PIX# sh crypto map

Crypto Map: "lee" interfaces: { outside }

Crypto Map "lee" 10 ipsec-isakmp

Peer = 172.17.63.230


access-list ipsec; 1 elements

access-list ipsec line 1 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 (hitcnt=0)

Current peer: 172.17.63.230

Security association lifetime: 4608000 kilobytes/28800 seconds

PFS (Y/N): N

Transform sets={ vnpro, }

PIX# sh isakmp policy

Protection suite of priority 10

encryption algorithm: DES - Data Encryption Standard (56 bit keys)

hash algorithm: Message Digest 5

authentication method: Pre-Shared Key

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

Default protection suite

encryption algorithm: DES - Data Encryption Standard (56 bit keys)

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit
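A check of the two phase-1 policies and the transform set against each other, written as an added example that is not part of the original lab. It parses the relevant lines copied from the RA and PIX configurations above, reports the attributes on which the peers disagree (a mismatch here is the usual reason Main Mode never gets past MM_NO_STATE), and then lists the settings a current review would reject. The IKE_DEFAULTS table reflects the "Default protection suite" in the show output above; the minimum-strength thresholds in weaknesses() are this example's own assumptions.

```python
# Added example (not part of the original lab): parse the ISAKMP policy and IPsec
# transform set out of both running configurations shown above, confirm the two peers
# agree, and flag settings a current review would reject. The weakness thresholds are
# this example's own assumptions, not anything the lab states.
import re

# Values a 'crypto isakmp policy' inherits when it does not set them (IOS 12.2 and
# PIX 6.3 defaults, as listed under 'Default protection suite' in the show output).
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}

# Relevant lines copied from the RA and PIX configurations on this page.
RA_CONFIG = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 172.17.63.213
crypto ipsec transform-set vnpro esp-des
"""
PIX_CONFIG = """
crypto ipsec transform-set vnpro esp-des
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

ATTRS = ("encryption", "hash", "authentication", "group", "lifetime")


def parse_ios_policies(cfg: str) -> dict:
    """IOS: a 'crypto isakmp policy N' line opens a block; attribute lines follow."""
    policies, cur = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            cur = int(m.group(1))
            policies[cur] = dict(IKE_DEFAULTS)
            continue
        m = re.match(r"(%s) (\S+)$" % "|".join(ATTRS), line)
        if cur is not None and m:
            policies[cur][m.group(1)] = m.group(2)
        elif line and line != "!":
            cur = None          # any other command ends the policy block
    return policies


def parse_pix_policies(cfg: str) -> dict:
    """PIX: every attribute is a full 'isakmp policy N attr value' line."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\w+) (\S+)$", cfg, re.M):
        policies.setdefault(int(m.group(1)), dict(IKE_DEFAULTS))[m.group(2)] = m.group(3)
    return policies


def parse_transform_sets(cfg: str) -> dict:
    """Same syntax on both platforms: 'crypto ipsec transform-set NAME t1 [t2 ...]'."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}


def policy_mismatches(a: dict, b: dict) -> list:
    """Attributes on which the two phase-1 proposals differ (empty means they agree)."""
    return [k for k in ATTRS if a.get(k) != b.get(k)]


def weaknesses(policy: dict, transforms: list, psk: str = None) -> list:
    """Findings against this example's assumed minimum: AES, SHA-2, DH group 14 or
    higher, an ESP transform with integrity, and a non-trivial pre-shared key."""
    found = []
    if policy["encryption"] in ("des", "3des"):
        found.append("ike encryption %s" % policy["encryption"])
    if policy["hash"] in ("md5", "sha"):
        found.append("ike hash %s" % policy["hash"])
    if int(policy["group"]) < 14:
        found.append("ike dh group %s" % policy["group"])
    if any(t in ("esp-des", "esp-3des") for t in transforms):
        found.append("ipsec transform %s" % ",".join(transforms))
    if not any(t.endswith("-hmac") for t in transforms):
        found.append("ipsec transform lacks integrity (no esp-*-hmac)")
    if policy["authentication"] == "pre-share" and psk and len(psk) < 16:
        found.append("short pre-shared key")
    return found


def psk_from_ios(cfg: str):
    m = re.search(r"^crypto isakmp key (\S+) address", cfg, re.M)
    return m.group(1) if m else None


def review() -> dict:
    ra, pix = parse_ios_policies(RA_CONFIG)[10], parse_pix_policies(PIX_CONFIG)[10]
    ts = parse_transform_sets(RA_CONFIG)["vnpro"]
    return {"mismatches": policy_mismatches(ra, pix),
            "ra_policy": ra,
            "weaknesses": weaknesses(ra, ts, psk_from_ios(RA_CONFIG))}


if __name__ == "__main__":
    for key, value in review().items():
        print(key, value)
```

For this lab the mismatch list is empty, which is exactly what the two "Protection suite of priority 10" outputs above show: RA fills encryption, group and lifetime from the defaults and lands on the same des/md5/pre-share/group 1/86400 that the PIX sets explicitly.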

RA#debug ip nat

IP NAT debugging is on

RA#debug crypto ipsec

Crypto IPSEC debugging is on

RA#debug crypto isakmp

Crypto ISAKMP debugging is on

With debugging enabled, we ping addresses outside (on the ISP side) and then addresses in the LAN behind the PIX:

RA#

*Mar 1 00:37:43.910: NAT: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1888]

*Mar 1 00:37:43.930: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1888]

*Mar 1 00:37:44.916: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1891]

*Mar 1 00:37:44.932: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1891]

*Mar 1 00:37:45.913: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1894]

*Mar 1 00:37:45.933: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1894]

*Mar 1 00:37:46.915: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1898]

*Mar 1 00:37:46.935: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1898]

*Mar 1 00:37:55.597: NAT: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1917]

*Mar 1 00:37:55.617: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9077]

*Mar 1 00:37:56.603: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1918]

*Mar 1 00:37:56.619: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9078]

*Mar 1 00:37:57.600: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1920]

*Mar 1 00:37:57.620: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9079]


*Mar 1 00:37:58.602: NAT*: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1922]

*Mar 1 00:37:58.622: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9080]

*Mar 1 00:38:12.789: IPSEC(sa_request): ,

(key eng msg.) OUTBOUND local= 172.17.63.230, remote= 172.17.63.213,

local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-des ,

lifedur= 3600s and 4608000kb,

spi= 0x3E3F5095(1044336789), conn_id= 0, keysize= 0, flags= 0x400C

*Mar 1 00:38:12.789: ISAKMP: received ke message (1/1)

*Mar 1 00:38:12.789: ISAKMP: local port 500, remote port 500

*Mar 1 00:38:12.793: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Mar 1 00:38:12.793: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 00:38:12.793: ISAKMP (0:1): beginning Main Mode exchange

*Mar 1 00:38:12.797: ISAKMP (0:1): sending packet to 172.17.63.213 (I) MM_NO_STATE

*Mar 1 00:38:12.873: ISAKMP (0:1): received packet from 172.17.63.213 (I) MM_NO_STATE

*Mar 1 00:38:12.877: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:38:12.877: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2

*Mar 1 00:38:12.877: ISAKMP (0:1): processing SA payload message ID = 0

*Mar 1 00:38:12.877: ISAKMP (0:1): found peer pre-shared key matching 172.17.63.213

*Mar 1 00:38:12.877: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy

*Mar 1 00:38:12.882: ISAKMP: encryption DES-CBC

*Mar 1 00:38:12.882: ISAKMP: hash MD5

*Mar 1 00:38:12.882: ISAKMP: default group 1

*Mar 1 00:38:12.882: ISAKMP: auth pre-share

*Mar 1 00:38:12.882: ISAKMP: life type in seconds

*Mar 1 00:38:12.882: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Mar 1 00:38:12.882: ISAKMP (0:1): atts are acceptable Next payload is 0

*Mar 1 00:38:13.050: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:38:13.050: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2

*Mar 1 00:38:13.054: ISAKMP (0:1): sending packet to 172.17.63.213 (I) MM_SA_SETUP

*Mar 1 00:38:13.058: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,

*Mar 1 00:38:13.058: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3

*Mar 1 00:38:13.170: ISAKMP (0:1): received packet from 172.17.63.213 (I) MM_SA_SETUP

*Mar 1 00:38:13.170: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 1 00:38:13.174: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4

*Mar 1 00:38:13.174: ISAKMP (0:1): processing KE payload message ID = 0

*Mar 1 00:38:13.382: ISAKMP (0:1): processing NONCE payload message ID = 0

*Mar 1 00:38:13.382: ISAKMP (0:1): found peer pre-shared key matching 172.17.63.213

*Mar 1 00:38:13.386: ISAKMP (0:1): SKEYID state generated

*Mar 1 00:38:13.386: ISAKMP (0:1): processing vendor id payload

*Mar 1 00:38:13.386: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major

*Mar 1 00:38:13.386: ISAKMP (0:1): vendor ID is XAUTH

*Mar 1 00:38:13.386: ISAKMP (0:1): processing vendor id payload

*Mar 1 00:38:13.386: ISAKMP (0:1): vendor ID is DPD

*Mar 1 00:38:13.390: ISAKMP (0:1): processing vendor id payload

*Mar 1 00:38:13.390: ISAKMP (0:1): vendor ID is Unity

*Mar 1 00:38:13.390: ISAKMP (0:1): processing vendor id payload

*Mar 1 00:38:13.390: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 1 00:38:13.390: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4

*Mar 1 00:38:13.394: ISAKMP (0:1): Send initial contact

*Mar 1 00:38:13.394: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar 1 00:38:13.394: ISAKMP (1): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

*Mar 1 00:38:13.394: ISAKMP (1): Total payload length: 12

*Mar 1 00:38:13.398: ISAKMP (0:1): sending packet to 172.17.63.213 (I) MM_KEY_EXCH

*Mar 1 00:38:13.398: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 00:38:13.402: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5

*Mar 1 00:38:13.430: ISAKMP (0:1): received packet from 172.17.63.213 (I)
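The debug transcript read programmatically, as an added example that is not part of the original lab. It takes a few of the NAT, IPSEC(sa_request) and ISAKMP lines shown above, assembled into one constructed string, and reports what a practitioner checks in such output: which flows were translated, that no flow toward 10.1.1.0/24 was (a NAT line for a far-LAN destination would mean the nonat route-map is wrong), the proxy identities of the SA request, and how far Main Mode progressed. The regular expressions and result keys are this example's own.

```python
# Added example (not part of the original lab): parse the 'debug ip nat' and
# 'debug crypto isakmp' / 'debug crypto ipsec' output shown above and report what a
# practitioner checks in it: which flows were translated, that no LAN-to-LAN flow was,
# the proxy identities of the IPsec SA request, and how far Main Mode progressed.
import ipaddress
import re

IP = r"(\d+(?:\.\d+){3})"
NAT_RE = re.compile(r"NAT\*?: s=" + IP + r"(?:->" + IP + r")?, d=" + IP + r"(?:->" + IP + r")? \[\d+\]")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State =\s+(\S+)")
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|default group|auth) (\S+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= " + IP + "/" + IP)

REMOTE_LAN = ipaddress.ip_network("10.1.1.0/24")   # the LAN behind the PIX

# Constructed sample: lines excerpted from the debug transcript on this page.
DEBUG = """
*Mar 1 00:37:43.910: NAT: s=10.2.2.2->172.17.63.230, d=172.17.63.225 [1888]
*Mar 1 00:37:43.930: NAT*: s=172.17.63.225, d=172.17.63.230->10.2.2.2 [1888]
*Mar 1 00:37:55.597: NAT: s=10.2.2.2->172.17.63.230, d=172.17.63.213 [1917]
*Mar 1 00:37:55.617: NAT*: s=172.17.63.213, d=172.17.63.230->10.2.2.2 [9077]
*Mar 1 00:38:12.789: IPSEC(sa_request): ,
(key eng msg.) OUTBOUND local= 172.17.63.230, remote= 172.17.63.213,
local_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
*Mar 1 00:38:12.793: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:38:12.877: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 00:38:12.882: ISAKMP: encryption DES-CBC
*Mar 1 00:38:12.882: ISAKMP: hash MD5
*Mar 1 00:38:12.882: ISAKMP: default group 1
*Mar 1 00:38:12.882: ISAKMP: auth pre-share
*Mar 1 00:38:12.882: ISAKMP (0:1): atts are acceptable Next payload is 0
*Mar 1 00:38:13.050: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 00:38:13.058: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 00:38:13.174: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 00:38:13.390: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 00:38:13.402: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
"""


def summarize(debug: str) -> dict:
    translated = set()      # (inside address, global address, destination) seen outbound
    leaks = []              # translated flows whose destination is the remote LAN
    states, attrs, proxies = [], {}, {}
    for line in debug.splitlines():
        m = NAT_RE.search(line)
        if m:
            src, src_xlat, dst, _ = m.groups()
            if src_xlat:                       # outbound: the inside source was rewritten
                translated.add((src, src_xlat, dst))
                if ipaddress.ip_address(dst) in REMOTE_LAN:
                    leaks.append((src, dst))   # should have been NAT-exempt
            continue
        m = STATE_RE.search(line)
        if m:
            if not states:
                states.append(m.group(1))
            states.append(m.group(2))
            continue
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1).replace("default ", "")] = m.group(2)
            continue
        m = PROXY_RE.search(line)
        if m:
            proxies[m.group(1)] = "%s/%s" % (m.group(2), m.group(3))
    return {"translated": translated, "nat_leaks": leaks, "ike_states": states,
            "ike_attrs": attrs, "proxies": proxies,
            "main_mode_reached": states[-1] if states else None}


if __name__ == "__main__":
    for key, value in summarize(DEBUG).items():
        print(key, value)
```

On this transcript the two translated flows are the pings to 172.17.63.225 and 172.17.63.213, no NAT line appears for the ping into 10.1.1.0/24 (it shows up only as the IPSEC(sa_request) with the expected 10.2.2.0/24 and 10.1.1.0/24 proxies), and the initiator reaches IKE_I_MM5; a transcript that stalls at an earlier state with repeated MM_NO_STATE packets points at a phase-1 policy or key mismatch.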

Posted: 25/07/2014, 08:20
