
Wednesday, April 26, 2017

【Cisco】【Security】【CCNA】How NAT on the encrypting device affects IPsec VPN

How NAT on the encrypting device affects IPsec VPN

IPsec VPN Private-to-Private Network with NAT and a Static

Introduction

Running an IPsec VPN across a NAT network raises a variety of problems; this article discusses only one of them, the order in which NAT and the crypto map are processed.[1][2]

The topology is as follows:
     +-----+12.1.1.1           +--\--+23.1.1.2           +--\--+34.1.1.3           +-----+
     | R1  |--------F0/0-------| R2  |--------F0/1-------| R3  |--------F0/0-------| R4  |
     +-----+           12.1.1.2+-----+           23.1.1.3+-----+           34.1.1.4+-----+

R2 and R3 are the gateway devices of the two sites; they build the VPN and perform the NAT translation. R1 and R4 are the client devices.
Requirements:
1. Traffic from R1 to R4 goes through the IPsec VPN.
2. The existing NAT translation must not be affected.
The GRE over IPsec VPN technique introduced earlier solves this problem cleanly, but it is outside the scope of this article.

The first thing to understand is the NAT Order of Operation[3], shown in the table below.

NAT Order of Operation
Step  Inside-to-Outside                                              Outside-to-Inside
  1   If IPsec then check input access list                          If IPsec then check input access list
  2   decryption - for CET (Cisco Encryption Technology) or IPsec    decryption - for CET or IPsec
  3   check input access list                                        check input access list
  4   check input rate limits                                        check input rate limits
  5   input accounting                                               input accounting
  6   redirect to web cache                                          redirect to web cache
  7   policy routing                                                 NAT outside to inside (global to local translation)
  8   routing                                                        policy routing
  9   NAT inside to outside (local to global translation)            routing
 10   crypto (check map and mark for encryption)                     crypto (check map and mark for encryption)
 11   check output access list                                       check output access list
 12   inspect (Context-based Access Control (CBAC))                  inspect CBAC
 13   TCP intercept                                                  TCP intercept
 14   encryption                                                     encryption
 15   Queueing                                                       Queueing

Looking at the table, in the inside-to-outside direction NAT runs before the crypto map check. A packet from 12.1.1.1 to 34.1.1.4 is therefore translated to 23.1.1.2 to 34.1.1.4 first, so it no longer matches the interesting traffic defined earlier and the IPsec VPN cannot be established.

Now that the cause is known, the fix is to exclude the IPsec VPN's interesting traffic in the NAT access-list, so that this traffic is not translated and instead goes through the IPsec VPN process. The key configuration is:

ip nat inside source list 100 interface FastEthernet0/1 overload
access-list 100 deny   ip host 12.1.1.1 host 34.1.1.4
access-list 100 permit ip 12.1.1.0 0.0.0.255 34.1.1.0 0.0.0.255
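To make the ordering concrete, here is an added Python model (not from the original post or from Cisco) of R2's inside-to-outside pipeline: the NAT ACL from the post is evaluated at step 9 and the crypto ACL vpn at step 10. The PAT address 23.1.1.2 comes from the post's `ip nat inside source list 100 interface FastEthernet0/1 overload`; the wildcard matcher and the implicit deny are assumptions modelling IOS ACL behaviour.

```python
import ipaddress

# Added model (not from the original post) of the R2 inside-to-outside pipeline:
# NAT (order-of-operation step 9) runs before the crypto map check (step 10).
# ACL entries: (action, src, src-wildcard, dst, dst-wildcard), as in the post.
NAT_ACL_NAIVE = [("permit", "12.1.1.0", "0.0.0.255", "34.1.1.0", "0.0.0.255")]
NAT_ACL_FIXED = [("deny", "12.1.1.1", "0.0.0.0", "34.1.1.4", "0.0.0.0"),
                 ("permit", "12.1.1.0", "0.0.0.255", "34.1.1.0", "0.0.0.255")]
CRYPTO_ACL_VPN = [("permit", "12.1.1.1", "0.0.0.0", "34.1.1.4", "0.0.0.0")]
F0_1_ADDR = "23.1.1.2"   # 'interface FastEthernet0/1 overload' -> PAT to this address

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny (assumed here)."""
    for action, s, sw, d, dw in acl:
        if wc_match(src, s, sw) and wc_match(dst, d, dw):
            return action == "permit"
    return False

def inside_to_outside(src, dst, nat_acl):
    """Return (src as seen by the crypto map, dst, crypto map matched?)."""
    if acl_permits(nat_acl, src, dst):               # step 9: NAT inside->outside
        src = F0_1_ADDR                              # overload: source becomes F0/1's address
    encrypt = acl_permits(CRYPTO_ACL_VPN, src, dst)  # step 10: 'match address vpn'
    return src, dst, encrypt
```

With the naive list the VPN packet reaches the crypto map already translated and never matches; with the deny entry it keeps its original source and is encrypted, while other 12.1.1.0/24 hosts are still translated.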

Configuration (key parts)

R2#show running-config 
!--------------------------------------------------------------- crypto configuration
crypto ikev2 proposal ikev2-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy 
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 23.1.1.3
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
 !
!
crypto ikev2 profile ikev2-profile
 match identity remote address 23.1.1.3 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac 
 mode tunnel
!
crypto map ikev2-map 10 ipsec-isakmp 
 set peer 23.1.1.3
 set transform-set ikev2-transform-set 
 set ikev2-profile ikev2-profile
 match address vpn
!--------------------------------------------------------------- crypto configuration
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip nat inside
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 23.1.1.2 255.255.255.0
 ip nat outside
 ip ospf 1 area 0
 crypto map ikev2-map
!
router ospf 1
!--------------------------------------------------------------- NAT configuration
ip nat inside source list 100 interface FastEthernet0/1 overload
!
ip access-list extended vpn
 permit ip host 12.1.1.1 host 34.1.1.4
!--------------------------------------------------------------- do not NAT the IPsec VPN interesting traffic
access-list 100 deny   ip host 12.1.1.1 host 34.1.1.4
access-list 100 permit ip 12.1.1.0 0.0.0.255 34.1.1.0 0.0.0.255
!
end
R2# 



R3#show running-config 
!
crypto ikev2 proposal ikev2-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy 
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 23.1.1.2
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
 !
!
crypto ikev2 profile ikev2-profile
 match identity remote address 23.1.1.2 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac 
 mode tunnel
!
crypto map ikev2-map 10 ipsec-isakmp 
 set peer 23.1.1.2
 set transform-set ikev2-transform-set 
 set ikev2-profile ikev2-profile
 match address vpn
!
interface FastEthernet0/0
 ip address 34.1.1.3 255.255.255.0
 ip nat inside
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 23.1.1.3 255.255.255.0
 ip nat outside
 ip ospf 1 area 0
 crypto map ikev2-map
!
router ospf 1
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static 34.1.1.4 12.1.1.1 route-map not-nat
!
ip access-list extended vpn
 permit ip host 34.1.1.4 host 12.1.1.1
!
access-list 100 deny   ip host 34.1.1.4 host 12.1.1.1
access-list 100 permit ip 34.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255
access-list 101 deny   ip host 34.1.1.4 host 12.1.1.1
access-list 101 permit ip 34.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255
!
route-map not-nat permit 10
 match ip address 101
!
end
R3#

References

Sunday, April 23, 2017

【Cisco】【Security】【CCNA】IKEv2 GRE over IPsec VPN

GRE over IPSec VPN

Introduction

GRE over IPsec VPN is mainly used to solve several problems of traditional site-to-site IPsec VPN:

  1. Routing protocols cannot run between the sites.
  2. There is no "interface" concept, so QoS and ACLs cannot be applied to the IPsec VPN.
  3. As the network grows more complex, many "interesting traffic" entries have to be configured, which makes the ACLs complicated.

These three thorny problems can be solved with GRE over IPsec VPN or with VTI (SVTI, DVTI). VTI is outside the scope of this article, which focuses on GRE over IPsec VPN.
GRE, as we know, is a layer 3 tunneling technique. GRE carries multicast traffic well, which makes it possible to run a dynamic routing protocol between the sites. GRE also provides an interface (interface Tunnel), so interface-based services such as QoS and ACLs can be applied. Because GRE provides an interface, we only need to steer traffic into the tunnel interface instead of configuring interesting traffic entry by entry; the configuration is simpler and the network easier to control.

Configuration (key parts)

The topology is as follows:
                                192.168.1.2          192.168.1.3    
                                  ----------Tunnel 1---------
                                  |                         |
    10.1.1.1                      |                         |                     40.1.1.1
     +-----+12.1.1.1           +--\--+23.1.1.2           +--\--+34.1.1.3           +-----+
     | R1  |--------F0/0-------| R2  |--------F0/1-------| R3  |--------F0/0-------| R4  |
     +-----+           12.1.1.2+-----+           23.1.1.3+-----+           34.1.1.4+-----+
R2 configuration:
crypto ikev2 proposal ikev2-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy 
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 23.1.1.3
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
 !
!
!
crypto ikev2 profile ikev2-profile
 match identity remote address 23.1.1.3 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 ip ospf 1 area 0
 tunnel source FastEthernet0/1
 tunnel destination 23.1.1.3
!
!
interface FastEthernet0/1
 ip address 23.1.1.2 255.255.255.0
 speed auto
 duplex auto
 crypto map ikev2-map
!

GRE over IPsec VPN flow analysis

The flow diagram is taken from [1].

                                             Packet Flow Through Tunnel Interface                                               
                                                             R2                                                                  
                       +---------------------------------------------------------------------------+                           
                       |                                                                           |                           
FastEthernet0/0        |         +----------------+                    +----------------+          |   FastEthernet0/1         
IP Addr:12.1.1.2/24 /--|--\      |Route Lookup    |                    |Route Lookup    |      /---|--\IP Addr:23.1.1.2/24     
------------------->|Input|----->|                |                    |                |----->|Output|-------------------     
                    \--|--/      |Yields ifc: Tun1|                    |Yields ifc: Tun1|      \---|--/                       
                       |         +------|---------+                    +----------------+          |                           
                       |                |                                                          |                           
                       |                |                                      |                   |                           
                       |               /-\                                     |                   |                           
                       |               |T|  +-----------------------+          |                   |                           
                       |               |u|  |Tunnel1                |          |                   |                           
                       |               |n|  |IP addr: 192.168.1.2/24|          |                   |                           
                       |               |n|  |Source: FastEthernet0/1|          |                   |                           
                       |               |e|  |Destination: 23.1.1.3  |          |                   |                           
                       |               |l|  +-----------------------+          |                   |                           
                       |               \-/                                     |                   |                           
                       |                |                              +-------------+             |                           
                       |                |----------------------------->|Encapsulation|             |                           
                       |                                               +-------------+             |                           
                       +---------------------------------------------------------------------------+                           

1. The packet enters through interface FastEthernet0/0.
【IP.Dst 40.1.1.1】【IP.Src 10.1.1.1】【Data】

2. Route lookup on the destination: the route to 40.1.1.1 points to the tunnel interface as the next hop.

3. The packet is handed to the tunnel interface for encapsulation.

4. During encapsulation a new IP packet is produced.
Original Packet:【IP.Dst 40.1.1.1】【IP.Src 10.1.1.1】【Data】
                    ||
                    V
Encapsulated Packet:【IP.Dst 23.1.1.3】【IP.Src 23.1.1.2】【GRE】【IP.Dst 40.1.1.1】【IP.Src 10.1.1.1】【Data】

5. The new packet goes through a route lookup again.

6. Route lookup on the destination: the route to 23.1.1.3 points to interface FastEthernet0/1, where the packet matches the crypto map policy and goes through the IPsec VPN process.

7. After IPsec processing the packet is forwarded out of interface FastEthernet0/1.

Note: if the crypto map is applied to the tunnel interface instead, the packet matches the crypto map and enters the IPsec VPN process right after GRE encapsulation.
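As an added example (not part of the original post), the seven steps above modelled in Python: a longest-prefix route lookup, RFC 2784 GRE encapsulation with the post's tunnel source and destination, and the second lookup on the outer header, which is the packet the crypto map on FastEthernet0/1 sees. The routing table contents are an assumption (in the post they are learned over OSPF through the tunnel); the inner protocol number and payload are constructed values.

```python
import ipaddress
import struct

# Added model (not from the original post) of the seven-step flow on R2.
# ROUTES is assumed; tunnel source/destination are the post's values.
ROUTES = {"40.1.1.0/24": "Tunnel1",            # assumed: R4's LAN, learned via the tunnel
          "23.1.1.0/24": "FastEthernet0/1",
          "12.1.1.0/24": "FastEthernet0/0"}
TUNNEL1 = {"source": "23.1.1.2", "destination": "23.1.1.3"}  # tunnel source F0/1
GRE = 47  # IP protocol number of GRE

def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    best = None
    for prefix, ifc in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifc)
    return best[1] if best else None

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (TTL 255); checksum left at zero in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, protocol) of the IPv4 header at the front of pkt."""
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9])

def gre_encapsulate(inner):
    """Step 4: basic GRE header (no flags, protocol type 0x0800 = IPv4) plus outer IP."""
    gre = struct.pack("!HH", 0, 0x0800)
    outer = ipv4_header(TUNNEL1["source"], TUNNEL1["destination"], GRE, 4 + len(inner))
    return outer + gre + inner

def forward(src, dst, payload, inner_proto=17):
    """Steps 1-7: returns (egress interface, packet as it reaches the crypto map)."""
    pkt = ipv4_header(src, dst, inner_proto, len(payload)) + payload  # step 1: packet in on F0/0
    ifc = route_lookup(dst)                                            # step 2: first lookup
    if ifc == "Tunnel1":                                               # step 3: hand to Tunnel1
        pkt = gre_encapsulate(pkt)                                     # step 4: new outer packet
        ifc = route_lookup(parse_ipv4(pkt)[1])                         # steps 5-6: lookup on outer dst
    return ifc, pkt                                                    # step 7: out via ifc after IPsec
```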

Appendix

Besides the GRE over IPsec VPN configuration shown above, the following configuration achieves the same effect. It is known as "Tunnel Protection and Crypto Sockets"; see [2][3]. It is not covered further here.

crypto ikev2 proposal ikev2-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy 
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer 23.1.1.3
  address 23.1.1.3
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
 !
!
crypto ikev2 profile ikev2-profile
 match identity remote address 23.1.1.3 255.255.255.255
 identity local address 23.1.1.2
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
crypto ipsec transform-set ipsec-transform esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile ipsec-profile 
 set transform-set ipsec-transform
 set ikev2-profile ikev2-profile
!
interface Tunnel1
 tunnel protection ipsec profile ipsec-profile

References

  1. IKEv2 IPsec Virtual Private Networks: Understanding and Deploying, Figure 4-7 "Packet Flow Through Tunnel Interface"
  2. Sharing IPsec with Tunnel Protection
  3. Dynamic Multipoint VPN Configuration Guide, Cisco IOS XE Release 3S, "Sharing IPsec with Tunnel Protection"