IKEv2 Configuration Notes
IKEv2 Command Reference
IKEv2 Proposal
An IKEv2 proposal is the collection of transforms (transforms collection) that the IKE SA negotiates as part of the IKE_SA_INIT exchange. The transform types negotiated are:
- Encryption algorithm
- Integrity algorithm
- Pseudo-Random Function (PRF) algorithm
- Diffie-Hellman (DH) group
R1(config)#crypto ikev2 proposal ikev2-proposal
R1(config-ikev2-proposal)#?
IKEv2 Proposal commands:
encryption Set encryption algorithm(s) for proposal
exit Exit from IKEv2 proposal configuration mode
group Set the Diffie-Hellman group(s)
integrity Set integrity hash algorithm(s) for proposal
no Negate a command or set its defaults
IKEv2 Policy
An IKEv2 policy contains the proposals used in the IKE_SA_INIT exchange to negotiate the encryption, integrity and PRF algorithms and the DH group.
R1(config)#crypto ikev2 policy ikev2-policy
R1(config-ikev2-policy)#?
IKEv2 Policy commands:
exit Exit from IKEv2 policy configuration mode
match Match values of local fields
no Negate a command or set its defaults
proposal Specify Proposal
IKEv2 Keyring
An IKEv2 keyring is a repository of symmetric and asymmetric pre-shared keys.
R1(config)#crypto ikev2 keyring ikev2-keyring
R1(config-ikev2-keyring)#?
IKEv2 Keyring commands:
exit Exit from crypto ikev2 keyring sub mode
no Negate a command or set its defaults
peer Configure a Peer and associated keys
IKEv2 Profile
An IKEv2 profile is a repository of the non-negotiable parameters of the IKE SA, such as the local or remote identity and authentication method, and the services available to authenticated peers that match the profile.
R1(config)#crypto ikev2 profile ikev2-profile
R1(config-ikev2-profile)#?
IKEv2 profile commands:
aaa Specify AAA related configs
authentication Set authentication method
config-exchange config-exchange options
description Specify a description of this profile
dpd Enable IKE liveness check for peers
exit Exit from crypto ikev2 profile sub mode
identity Specify IKE identity to use
initial-contact initial-contact processing
ivrf I-VRF of the profile
keyring Specify keyring to use
lifetime Set lifetime for ISAKMP security association
match Match values of peer
nat NAT-transparency
no Negate a command or set its defaults
pki Specify certificate authorities to trust
redirect IKEv2 Redirect Mechanism for load-balancing
virtual-template Specify the virtual-template for dynamic interface
IPsec Transform-set
crypto ipsec transform-set defines a transform set: the acceptable combination of security protocols and encryption algorithms.
R1(config)#crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac
Crypto transform configuration commands:
default Set a command to its defaults
exit Exit from crypto transform configuration mode
mode encapsulation mode (transport/tunnel)
no Negate a command or set its defaults
Crypto map
A crypto map ties the pieces together; it contains the following:
- set peer: references the IPsec peer
- set transform-set: references the transform set
- set ikev2-profile: references the parameters negotiated in the SA_INIT exchange
- match address: defines the interesting traffic
R2(config)#crypto map ikev2-map 10 ipsec-isakmp
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
qos Quality of Service related commands
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
Configuration Steps
- Define the Encryption, Hash Algorithm and Diffie-Hellman group in an ikev2 proposal; this step is analogous to "crypto isakmp policy" in IKEv1.
- Reference the proposal from a policy. The benefit is that when several VPNs must be configured, the Encryption, Hash Algorithm and Diffie-Hellman group do not have to be repeated for each VPN: each one simply references the proposal configured earlier.
- Configure the keyring: in it, configure the peer's IP address and the pre-shared key.
- Configure the profile, which determines the authentication method and references the keyring.
- Configure the transform-set, specifying the IPsec VPN mode: transport mode or tunnel mode.
- Define the interesting traffic with an ACL.
- Configure the crypto map and apply it under the interface.
Because the commands are rather cumbersome, I often use PPKP (proposal -> policy -> keyring -> profile) to keep the configuration order straight.
Configuration Example
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 12.1.1.1
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
!
crypto ikev2 profile ikev2-profile
 match identity remote address 12.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac
 mode tunnel
!
crypto map ikev2-map 10 ipsec-isakmp
 set peer 12.1.1.1
 set transform-set ikev2-transform-set
 set ikev2-profile ikev2-profile
 match address vpn
!
ip access-list extended vpn
 permit ip host 10.1.1.1 host 20.1.1.1
!
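The proposal and transform-set steps above are where the negotiated strength of the tunnel is decided, and footnote 3 quotes the 2048-bit DH guideline. The following is an added example, not code from the original post or from Cisco: a small Python lint that parses the crypto ikev2 proposal and crypto ipsec transform-set blocks out of IOS running-config text and flags DH groups below 2048 bits, DES/3DES and MD5 as weak, and HMAC-SHA-1 (sha1, esp-sha-hmac) as legacy. The sample configuration embedded at the bottom is constructed for this example: it is the R1 proposal and transform set from the page plus a deliberately weak "legacy-proposal" to show what gets reported. The DH group sizes come from RFC 3526, RFC 5114 and RFC 5903; the weak/legacy thresholds are this example's own policy, not an IOS default.

```python
"""Lint Cisco IOS IKEv2 proposals and IPsec transform sets for weak transforms.

Added example (not from the original post). Parses `crypto ikev2 proposal` and
`crypto ipsec transform-set` blocks from running-config text and reports DH
groups below the 2048-bit guideline, DES/3DES/MD5 (weak) and HMAC-SHA-1 (legacy).
"""
from dataclasses import dataclass
from typing import Optional

# Modulus size (MODP groups) or curve size (ECP groups) in bits; RFC 3526/5114/5903.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096,
                 19: 256, 20: 384, 21: 521, 24: 2048}
ECP_GROUPS = {19, 20, 21}            # curve size is not comparable to MODP bits
MIN_MODP_BITS = 2048                 # footnote guideline: 2048-bit group after 2013
# IKEv2 proposal keywords and ESP transform keywords, by concern level (this
# example's policy, assumed here rather than taken from any Cisco default).
WEAK_TRANSFORMS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
LEGACY_TRANSFORMS = {"sha1", "esp-sha-hmac"}   # HMAC-SHA-1: prefer SHA-2 variants
TOP_LEVEL = ("crypto ", "ip ", "interface ", "access-list ", "router ")


@dataclass
class Finding:
    block: str        # proposal or transform-set name
    severity: str     # "weak", "legacy" or "review"
    message: str


def parse_blocks(config: str) -> dict:
    """Return {header line: [sub-command lines]} for each `crypto ...` block.

    Works whether or not sub-commands are indented (e.g. a pasted config);
    '!' or another top-level command closes the current block.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("crypto "):
            current = line
            blocks[current] = []
        elif line.startswith(TOP_LEVEL):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def rate_transform(name: str, block: str) -> Optional[Finding]:
    """Classify one encryption/integrity keyword; None means nothing to report."""
    if name in WEAK_TRANSFORMS:
        return Finding(block, "weak", f"{name} is a broken or deprecated transform")
    if name in LEGACY_TRANSFORMS:
        return Finding(block, "legacy", f"{name} is HMAC-SHA-1; prefer a SHA-2 integrity transform")
    return None


def check_proposal(name: str, lines: list) -> list:
    """Rate each transform listed under a `crypto ikev2 proposal` block."""
    findings = []
    for line in lines:
        key, *values = line.split()
        if key in ("encryption", "integrity"):
            findings += [f for f in (rate_transform(v, name) for v in values) if f]
        elif key == "group":
            for v in values:
                if not v.isdigit():
                    continue
                g, bits = int(v), DH_GROUP_BITS.get(int(v))
                if bits is None:
                    findings.append(Finding(name, "review", f"DH group {g} not in size table"))
                elif g not in ECP_GROUPS and bits < MIN_MODP_BITS:
                    findings.append(Finding(name, "weak",
                                            f"DH group {g} is {bits}-bit, below the {MIN_MODP_BITS}-bit guideline"))
    return findings


def check_transform_set(name: str, transforms: list) -> list:
    """ESP transforms sit on the header line: crypto ipsec transform-set NAME t1 t2."""
    return [f for f in (rate_transform(t, name) for t in transforms) if f]


def lint(config: str) -> list:
    """Run all checks over a running-config string and return the findings."""
    findings = []
    for header, lines in parse_blocks(config).items():
        parts = header.split()
        if len(parts) < 4:
            continue
        if parts[1:3] == ["ikev2", "proposal"]:
            findings += check_proposal(parts[3], lines)
        elif parts[1:3] == ["ipsec", "transform-set"]:
            findings += check_transform_set(parts[3], parts[4:])
    return findings


# Constructed sample: the post's R1 proposal and transform set, plus a weak
# proposal added here to show what gets flagged.
SAMPLE_CONFIG = """\
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 proposal legacy-proposal
 encryption 3des
 integrity md5 sha1
 group 2 5
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac
 mode tunnel
!
ip access-list extended vpn
 permit ip host 10.1.1.1 host 20.1.1.1
"""

if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.block}: {f.message}")
```

Run against the sample, the R1 proposal (aes-cbc-256, sha512, group 16) passes clean, the constructed legacy-proposal produces five findings, and the page's own transform set is reported once because esp-sha-hmac is HMAC-SHA-1; swapping it for esp-sha256-hmac clears that report. The same parser can be pointed at a full show running-config capture, since everything outside crypto blocks is ignored.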
References
1. Configuring Internet Key Exchange Version 2 (IKEv2)
2. IKEv1/IKEv2 Between Cisco IOS and strongSwan Configuration Example
3. IPSec Network Security Commands
Footnotes (keyed to the commands in the configuration example above)
1. encryption: Specifies one or more transforms of the encryption type.
2. integrity: Specifies one or more transforms of the integrity algorithm type.
3. group: Specifies the Diffie-Hellman (DH) group identifier. A generally accepted guideline recommends the use of a 2048-bit group after 2013 (until 2030). Either group 14 or group 24 can be selected to meet this guideline.
4. match fvrf: (Optional) Matches the policy based on a user-configured FVRF or any FVRF. For details, see Configuring VPNs in VRF Mode.
5. proposal: Specifies the proposals that must be used with the policy.
6. peer: Defines the peer or peer group and enters IKEv2 keyring peer configuration mode.
7. address: Specifies an IPv4 or IPv6 address or range for the peer.
8. pre-shared-key local: Specifies the preshared key for the peer.
9. pre-shared-key remote: Specifies the preshared key for the peer.
10. match identity remote: Use the match statements to select an IKEv2 profile for a peer.
11. authentication remote: Specifies the local or remote authentication method.
12. authentication local: Specifies the local or remote authentication method.
13. keyring local: Specifies the local or AAA-based keyring that must be used with the local and remote preshared key authentication method.