
Wednesday, April 26, 2017

[Cisco][Security][CCNA] The effect of NAT on the encrypting device on an IPSec VPN


IPsec VPN Private-to-Private Network with NAT and a Static

Introduction

Running an IPSec VPN across NAT raises all sorts of problems; this article discusses only one of them, the order in which NAT and the crypto map are processed.

The topology is as follows:
     +-----+12.1.1.1           +-----+23.1.1.2           +-----+34.1.1.3           +-----+
     | R1  |--------F0/0-------| R2  |--------F0/1-------| R3  |--------F0/0-------| R4  |
     +-----+           12.1.1.2+-----+           23.1.1.3+-----+           34.1.1.4+-----+

R2 and R3 are the gateway devices of the two sites; they build the VPN and perform NAT address translation. R1 and R4 are client devices.
Requirements:
1. R1-to-R4 traffic goes over the IPSec VPN.
2. Existing NAT translations must not be affected.
GRE over IPSec VPN, introduced in an earlier post, solves this problem completely, but it is outside the scope of this article.

The first thing to understand is the NAT Order of Operation, shown in the table below.

Step  Inside-to-Outside                                            Outside-to-Inside
  1   If IPSec then check input access list                        If IPSec then check input access list
  2   decryption - for CET (Cisco Encryption Technology) or IPSec  decryption - for CET or IPSec
  3   check input access list                                      check input access list
  4   check input rate limits                                      check input rate limits
  5   input accounting                                             input accounting
  6   redirect to web cache                                        redirect to web cache
  7   policy routing                                               NAT outside to inside (global to local translation)
  8   routing                                                      policy routing
  9   NAT inside to outside (local to global translation)          routing
 10   crypto (check map and mark for encryption)                   crypto (check map and mark for encryption)
 11   check output access list                                     check output access list
 12   inspect (Context-based Access Control (CBAC))                inspect CBAC
 13   TCP intercept                                                TCP intercept
 14   encryption                                                   encryption
 15   Queueing                                                     Queueing

Looking at the table, in the inside-to-outside direction the NAT step runs before the crypto step. So a packet from 12.1.1.1 to 34.1.1.4 is first translated to 23.1.1.2 to 34.1.1.4, which no longer matches the interesting traffic configured earlier, and the IPSec VPN cannot be established.

Knowing the cause, the solution is to exclude the IPSec VPN's interesting traffic from the NAT access-list, so that the interesting traffic is not translated and instead goes through IPSec VPN processing. The key configuration is as follows.

ip nat inside source list 100 interface FastEthernet0/1 overload
access-list 100 deny   ip host 12.1.1.1 host 34.1.1.4
access-list 100 permit ip 12.1.1.0 0.0.0.255 34.1.1.0 0.0.0.255
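To make the ordering concrete, here is an added Python model (not from the original post) of steps 9 and 10 of the inside-to-outside sequence on R2: it evaluates an IOS-style ACL with wildcard masks, applies the NAT overload translation, then checks the crypto map's match address ACL, and compares access-list 100 without and with the deny line. The addresses come from the topology above; the function and list names are my own.

```python
import ipaddress

# Constructed model of IOS inside-to-outside processing for this scenario:
# step 9 (NAT inside->outside) runs before step 10 (crypto map match).

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_permits(acl, src, dst):
    """Top-down evaluation of an IOS extended ACL with wildcard masks.
    Entries: (action, src, src_wildcard, dst, dst_wildcard). A 0 bit in the
    wildcard must match, a 1 bit is ignored. Unmatched traffic is denied."""
    s, d = _ip(src), _ip(dst)
    for action, sn, sw, dn, dw in acl:
        sw, dw = _ip(sw), _ip(dw)
        if (s | sw) == (_ip(sn) | sw) and (d | dw) == (_ip(dn) | dw):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def inside_to_outside(nat_acl, crypto_acl, src, dst, outside_ip):
    """Return (source address as it leaves F0/1, marked_for_encryption)."""
    if acl_permits(nat_acl, src, dst):           # step 9: NAT overload on F0/1
        src = outside_ip
    encrypt = acl_permits(crypto_acl, src, dst)  # step 10: crypto map match
    return src, encrypt

# crypto ACL "vpn" on R2 (interesting traffic)
VPN_ACL = [("permit", "12.1.1.1", "0.0.0.0", "34.1.1.4", "0.0.0.0")]
# access-list 100 as it would look without the deny line
NAT_ACL_BROKEN = [("permit", "12.1.1.0", "0.0.0.255", "34.1.1.0", "0.0.0.255")]
# access-list 100 as shown in the post: VPN traffic excluded from NAT
NAT_ACL_FIXED = [("deny", "12.1.1.1", "0.0.0.0", "34.1.1.4", "0.0.0.0")] + NAT_ACL_BROKEN

R2_OUTSIDE = "23.1.1.2"  # F0/1 address used by "interface ... overload"

if __name__ == "__main__":
    for name, acl in (("broken", NAT_ACL_BROKEN), ("fixed", NAT_ACL_FIXED)):
        for host in ("12.1.1.1", "12.1.1.50"):  # VPN host and an ordinary host
            print(name, host, inside_to_outside(acl, VPN_ACL, host, "34.1.1.4", R2_OUTSIDE))
```

With the broken list the VPN host is translated to 23.1.1.2 and never matches the crypto ACL; with the fixed list it keeps 12.1.1.1 and is marked for encryption, while other 12.1.1.0/24 hosts are still translated, which satisfies requirement 2.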

Configuration (key parts)

R2#show running-config 
!--------------------------------------------------------------- crypto configuration
crypto ikev2 proposal ikev2-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy 
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 23.1.1.3
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
 !
!
crypto ikev2 profile ikev2-profile
 match identity remote address 23.1.1.3 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac 
 mode tunnel
!
crypto map ikev2-map 10 ipsec-isakmp 
 set peer 23.1.1.3
 set transform-set ikev2-transform-set 
 set ikev2-profile ikev2-profile
 match address vpn
!--------------------------------------------------------------- crypto configuration
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip nat inside
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 23.1.1.2 255.255.255.0
 ip nat outside
 ip ospf 1 area 0
 crypto map ikev2-map
!
router ospf 1
!--------------------------------------------------------------- NAT configuration
ip nat inside source list 100 interface FastEthernet0/1 overload
!
ip access-list extended vpn
 permit ip host 12.1.1.1 host 34.1.1.4
!--------------------------------------------------------------- do not apply NAT to the IPSec VPN interesting traffic
access-list 100 deny   ip host 12.1.1.1 host 34.1.1.4
access-list 100 permit ip 12.1.1.0 0.0.0.255 34.1.1.0 0.0.0.255
!
end
R2# 



R3#show running-config 
!
crypto ikev2 proposal ikev2-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy 
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 23.1.1.2
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
 !
!
crypto ikev2 profile ikev2-profile
 match identity remote address 23.1.1.2 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac 
 mode tunnel
!
crypto map ikev2-map 10 ipsec-isakmp 
 set peer 23.1.1.2
 set transform-set ikev2-transform-set 
 set ikev2-profile ikev2-profile
 match address vpn
!
interface FastEthernet0/0
 ip address 34.1.1.3 255.255.255.0
 ip nat inside
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 23.1.1.3 255.255.255.0
 ip nat outside
 ip ospf 1 area 0
 crypto map ikev2-map
!
router ospf 1
!
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static 34.1.1.4 12.1.1.1 route-map not-nat
!
ip access-list extended vpn
 permit ip host 34.1.1.4 host 12.1.1.1
!
access-list 100 deny   ip host 34.1.1.4 host 12.1.1.1
access-list 100 permit ip 34.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255
access-list 101 deny   ip host 34.1.1.4 host 12.1.1.1
access-list 101 permit ip 34.1.1.0 0.0.0.255 12.1.1.0 0.0.0.255
!
route-map not-nat permit 10
 match ip address 101
!
end
R3#
