
Tuesday, May 23, 2017

[Cisco][Security][CCNA] IPsec VPN RRI (Reverse Route Injection)


IPsec VPN RRI (Reverse Route Injection)

Introduction

RRI (Reverse Route Injection) automatically creates static routes, with the next hop pointing at the corresponding VPN peer, for the traffic that is to be encrypted through the IPsec tunnel. When the configured crypto map is a static crypto map, RRI creates these static routes from the traffic defined by the ACL referenced in the crypto map.

Use case

loopback1  +-----+12.1.1.1          +-----+23.1.1.2          +-----+34.1.1.3          +-----+loopback1  
-----------|  R1 |-------F0/0-------|  R2 |-------F0/1-------|  R3 |-------F0/0-------|  R4 |-----------
10.1.1.1/32+-----+          12.1.1.2+-----+          23.1.1.3+-----+          34.1.1.4+-----+40.1.1.1/32
As shown above, R2 and R3 establish a site-to-site IPsec VPN for the traffic 10.1.1.1 <-> 40.1.1.1. Normally, R1, R2, R3 and R4 would each have to be configured so that 10.1.1.1 and 40.1.1.1 are reachable at the routing level. Is there a way to generate a static route once the IPsec VPN between R2 and R3 is established, and then redistribute that static route into the OSPF process so that the internal devices R1 and R4 learn the routes to 10.1.1.1 and 40.1.1.1? This is exactly what RRI (Reverse Route Injection) does.
R1 and R2, and R3 and R4, form OSPF adjacencies. Once the IPsec VPN is configured and the crypto map is enabled on the interface, RRI generates a static route toward the IPsec VPN peer based on the configured "interesting traffic". That static route is then redistributed into the OSPF process, so R1 and R4 learn each other's internal routes and routing-level reachability is complete.

Command reference

reverse-route [static | tag tag-id [static] | remote-peer [static] | remote-peer ip-address [static]]
Router (config-crypto-map)# reverse-route
Creates source proxy information for a crypto map entry. 
Note: The gateway keyword can be added to enable the dual route functionality for default gateway support.

R2(config-crypto-map)#reverse-route static 
RRI is added on the static crypto map, which creates routes on the basis of the source network and source netmask that are defined in the crypto access control list (ACL):
In Cisco IOS Release 12.3(14)T and later releases, for the static map to retain this same behavior of creating routes on the basis of crypto ACL content, the static keyword is required, that is, reverse-route static.

Router (config-crypto-map)# set reverse-route distance 20
Specifies a distance metric to be used or a tag value to be associated with these routes.

Router (config-crypto-map)# reverse-route remote-peer 10.1.1.1 gateway
Creates source proxy information for a crypto map entry.

Configuration

R1 configuration:
!
router ospf 1
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
 ip ospf 1 area 0
!
R2 configuration:
!
crypto ikev2 proposal ikev2-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy 
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 23.1.1.3
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
 !
!
crypto ikev2 profile ikev2-profile
 match identity remote address 23.1.1.3 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac 
 mode tunnel
!
crypto map ikev2-map 10 ipsec-isakmp 
 set peer 23.1.1.3
 set transform-set ikev2-transform-set 
 set ikev2-profile ikev2-profile
 match address vpn
 reverse-route static
!
ip access-list extended vpn
 permit ip 10.1.1.0 0.0.0.255 40.1.1.0 0.0.0.255
!
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 23.1.1.2 255.255.255.0
 crypto map ikev2-map
!
router ospf 1
 redistribute static subnets
!
R3 configuration:
!
crypto ikev2 proposal ikev2-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 16
!
crypto ikev2 policy ikev2-policy 
 match fvrf any
 proposal ikev2-proposal
!
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 23.1.1.2
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
 !
!
crypto ikev2 profile ikev2-profile
 match identity remote address 23.1.1.2 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
!
crypto ipsec transform-set ikev2-transform-set esp-aes esp-sha-hmac 
 mode tunnel
!
crypto map ikev2-map 10 ipsec-isakmp 
 set peer 23.1.1.2
 set transform-set ikev2-transform-set 
 set ikev2-profile ikev2-profile
 match address vpn
 reverse-route static
!
ip access-list extended vpn
 permit ip host 40.1.1.1 host 10.1.1.1
!
interface FastEthernet0/0
 ip address 34.1.1.3 255.255.255.0
 ip ospf 1 area 0
!
interface FastEthernet0/1
 ip address 23.1.1.3 255.255.255.0
 crypto map ikev2-map
!
router ospf 1
 redistribute static subnets
!
R4 configuration:
!
router ospf 1
!
interface Loopback1
 ip address 40.1.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface FastEthernet0/0
 ip address 34.1.1.4 255.255.255.0
 ip ospf 1 area 0
!

Appendix

R2#show crypto route 

VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
        S - Static Map ACLs

Routes created in table GLOBAL DEFAULT
40.1.1.0/255.255.255.0 [1/0] via 23.1.1.3 tag 0 count 1 rtid 5
                                on FastEthernet0/1 RRI  S
R2#show ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/32 is subnetted, 1 subnets
O        10.1.1.1 [110/2] via 12.1.1.1, 06:24:32, FastEthernet0/0
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.1.1.0/24 is directly connected, FastEthernet0/0
L        12.1.1.2/32 is directly connected, FastEthernet0/0
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.1.1.0/24 is directly connected, FastEthernet0/1
L        23.1.1.2/32 is directly connected, FastEthernet0/1
      40.0.0.0/24 is subnetted, 1 subnets
S        40.1.1.0 [1/0] via 23.1.1.3
R2#show run | s ip route
R2#
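As an added example (not code from the original post or from Cisco), the following Python script derives the static routes that reverse-route static is expected to inject from a crypto ACL and its peer address, and checks them against the show ip route output above. The crypto ACL, peer and routing-table lines are copied from R2's configuration and output on this page; the parsing of IOS wildcards and of the "is subnetted" header lines (under which IOS omits the prefix length) is my own reading of the output format, and the mapping of an "any" destination to a default route is an assumption flagged in the code.

```python
import ipaddress
import re

# Copied from R2's configuration above
R2_CRYPTO_ACL = """\
ip access-list extended vpn
 permit ip 10.1.1.0 0.0.0.255 40.1.1.0 0.0.0.255
"""
R2_PEER = "23.1.1.3"

# Copied from R2's "show ip route" output above (the lines that matter here)
R2_SHOW_IP_ROUTE = """\
      10.0.0.0/32 is subnetted, 1 subnets
O        10.1.1.1 [110/2] via 12.1.1.1, 06:24:32, FastEthernet0/0
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.1.1.0/24 is directly connected, FastEthernet0/0
L        12.1.1.2/32 is directly connected, FastEthernet0/0
      40.0.0.0/24 is subnetted, 1 subnets
S        40.1.1.0 [1/0] via 23.1.1.3
"""


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> prefix. A wildcard is the inverse of a netmask
    (0.0.0.0 = single host, 255.255.255.255 = any); a non-contiguous wildcard cannot
    be expressed as a route and makes ipaddress raise ValueError."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _operand(tokens, i):
    """Parse one address operand ('any', 'host A' or 'A WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """(source, destination) networks of each 'permit ip' entry of an extended ACL.
    Sequence numbers (as printed by 'show access-lists') are skipped; deny entries
    and the 'ip access-list' header create neither SAs nor RRI routes."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[:2] != ["permit", "ip"]:
            continue
        src, i = _operand(tokens, 2)
        dst, _ = _operand(tokens, i)
        entries.append((src, dst))
    return entries


def expected_rri_routes(acl_text, peer):
    """Routes 'reverse-route static' should inject: one per destination network of the
    crypto ACL with the crypto map peer as next hop, as {(prefix, next_hop)}.
    Assumption: an 'any' destination is reported as 0.0.0.0/0, i.e. a default route via
    the peer, so that such an entry is visible to whoever reviews the result."""
    return {(str(dst), peer) for _, dst in parse_crypto_acl(acl_text)}


SUBNETTED_RE = re.compile(r"^\s+\S+/(?P<plen>\d+) is subnetted")
STATIC_RE = re.compile(
    r"^S\*?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+\[\d+/\d+\]\s+via\s+"
    r"(?P<nh>\d+\.\d+\.\d+\.\d+)")


def installed_static_routes(show_ip_route):
    """{(prefix, next_hop)} for the 'S' entries of 'show ip route'. IOS lists the subnets
    of one classful block under an '... is subnetted' header and omits the prefix length
    on those lines, so the header's length is carried over; under a 'variably subnetted'
    header every line carries its own length."""
    routes = set()
    inherited = None
    for line in show_ip_route.splitlines():
        if "is variably subnetted" in line:
            inherited = None
            continue
        m = SUBNETTED_RE.match(line)
        if m:
            inherited = int(m.group("plen"))
            continue
        m = STATIC_RE.match(line)
        if not m:
            continue
        plen = m.group("plen") or inherited
        if plen is None:
            continue  # no length information for this line: skip rather than guess
        net = ipaddress.IPv4Network(f"{m.group('prefix')}/{plen}", strict=False)
        routes.add((str(net), m.group("nh")))
    return routes


def missing_rri_routes(acl_text, peer, show_ip_route):
    """Expected RRI routes absent from the routing table; empty means every reverse
    route for the tunnel is in place (and gets redistributed into OSPF)."""
    return expected_rri_routes(acl_text, peer) - installed_static_routes(show_ip_route)


if __name__ == "__main__":
    print("expected :", expected_rri_routes(R2_CRYPTO_ACL, R2_PEER))
    print("installed:", installed_static_routes(R2_SHOW_IP_ROUTE))
    print("missing  :", missing_rri_routes(R2_CRYPTO_ACL, R2_PEER, R2_SHOW_IP_ROUTE))
```

Run against R2's data the missing set is empty: the only route the ACL calls for, 40.1.1.0/24 via 23.1.1.3, is the S entry in the table, which is what the empty "show run | s ip route" output confirms was injected rather than configured. Feeding R3's ACL (host entries) yields a /32 instead of a /24, which is also a quick way to spot that the two peers' crypto ACLs are not mirror images of each other.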


Wednesday, May 17, 2017

[Cisco][Security][CCNA] IPsec NAT Traversal (NAT-T)


IPsec NAT Traversal

Introduction

Most of this article is drawn from RFC 5996 section 2.23 (NAT Traversal) and Cisco's IPsec NAT Transparency documentation; if any statement or understanding here is inaccurate, please let me know, thank you.

NAT (PAT) is a technique for coping with the shortage of IP addresses: it translates internal addresses into public addresses. Because the source address is rewritten, replies from the public network are sent to the NAT gateway, which must translate the destination address back into the internal address so the packet is routed to the right device.

AH Encapsulation

Transport mode and Tunnel mode

    AH Transport
    +--------------------++---------++-------------+
    |Original IPv4 Header||AH Header||Original Data|
    +--------------------++---------++-------------+
    AH Tunnel 
    +-------------------------++---------++--------------------++-------------+
    |New IPv4 Header for IPsec||AH Header||Original IPv4 Header||Original Data|
    +-------------------------++---------++--------------------++-------------+

AH provides source authentication and integrity checking but no encryption, so a hash is computed over the packet and placed in the AH Header. Once the packet passes through a NAT device, however, the source IP address in the packet is rewritten; when the peer receives the packet and recomputes the hash, the modified packet no longer matches the hash, the check fails and the packet is dropped.

ESP Encapsulation

Transport mode

    ESP Transport
    +--------------------++----------++-------------++-----------++-------+
    |Original IPv4 Header||ESP Header||Original Data||ESP Trailer||ESP ICV|
    +--------------------++----------++-------------++-----------++-------+

When the user's packet carries TCP or UDP, TCP mandates a checksum over a pseudo header. The pseudo header consists of Source Address, Destination Address, Reserved, Protocol and TCP Length.

Normally, when a TCP packet passes through a NAT device and its source address is translated, the NAT device recomputes the pseudo header and writes the new value into the TCP Checksum field. But because the ESP packet is encrypted, this critical data cannot be read. The NAT device therefore cannot obtain the information needed to recompute the checksum, the receiver's TCP checksum verification fails, and the packet is dropped.

Note: Changing the IP addresses in the IP header means the IP header checksum must be recalculated. Since both UDP and TCP also have checksums, and these checksums are computed over a pseudo header that contains the IP source and destination address as well, they too must be recalculated each time a translation is made.
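The two integrity failures described above, the AH ICV and the TCP pseudo-header checksum, in one added Python example that is not code from the original post. It models the AH computation as an HMAC-SHA1-96 over the IPv4 header with the mutable fields zeroed plus the payload (a simplified model, not a byte-exact RFC 4302 header), builds a real TCP segment with its RFC 793 checksum, and then applies the translation R4 performs in the lab topology further down (45.1.1.5 rewritten to 34.1.1.4). The key, payload and ports are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct


def ah_covered_header(src_ip, dst_ip, total_length):
    """IPv4 header as AH covers it (RFC 4302 3.3.3.1): the mutable fields TOS,
    flags/fragment offset, TTL and header checksum are zeroed so the receiver
    reconstructs identical bytes however many hops the packet crossed.
    Identification is immutable; it is fixed to 0 in this constructed example."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_length, 0, 0, 0, 51, 0,   # 51 = AH protocol number
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed)


def ah_icv(key, src_ip, dst_ip, payload):
    """HMAC-SHA1-96 over the covered header plus payload (a 24-byte AH header is assumed
    when computing Total Length)."""
    covered = ah_covered_header(src_ip, dst_ip, 20 + 24 + len(payload)) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def ah_verify(key, src_ip, dst_ip, payload, icv):
    """Receiver check. The source address is part of the covered data, so a NAT rewrite
    of it makes this fail, and the NAT cannot repair the ICV without the SA key."""
    return hmac.compare_digest(ah_icv(key, src_ip, dst_ip, payload), icv)


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum: ones'-complement sum over the pseudo header (source, destination,
    zero, protocol 6, TCP length) and the segment, with the checksum field (octets 16-17)
    taken as zero."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_ip, dst_ip, sport, dport, payload):
    """Minimal TCP header (seq/ack 0, data offset 5, PSH+ACK, window 8192) plus payload,
    with the checksum computed for the given addresses."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    segment = header + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


def tcp_checksum_ok(src_ip, dst_ip, segment):
    return tcp_checksum(src_ip, dst_ip, segment) == struct.unpack("!H", segment[16:18])[0]


def nat_fixup_tcp(segment, new_src_ip, dst_ip):
    """What a NAT does for cleartext TCP: recompute the checksum for the translated
    address. With ESP the TCP header is ciphertext, so this step is impossible and the
    receiver drops the packet, which is the problem described above."""
    return (segment[:16] + struct.pack("!H", tcp_checksum(new_src_ip, dst_ip, segment))
            + segment[18:])


def nat_effect_demo():
    """R5 (45.1.1.5) sends to R1 (12.1.1.1) and R4 translates the source to 34.1.1.4.
    Returns (ah_ok_before_nat, ah_ok_after_nat, tcp_ok_after_nat, tcp_ok_after_fixup)."""
    key = b"constructed-ah-key"          # constructed; a real SA key is derived by IKE
    inner_src, nat_src, dst = "45.1.1.5", "34.1.1.4", "12.1.1.1"
    payload = b"GET / HTTP/1.0\r\n\r\n"   # constructed application data

    icv = ah_icv(key, inner_src, dst, payload)
    ah_before = ah_verify(key, inner_src, dst, payload, icv)
    ah_after = ah_verify(key, nat_src, dst, payload, icv)

    segment = build_tcp_segment(inner_src, dst, 40000, 80, payload)
    tcp_after = tcp_checksum_ok(nat_src, dst, segment)
    tcp_fixed = tcp_checksum_ok(nat_src, dst, nat_fixup_tcp(segment, nat_src, dst))
    return ah_before, ah_after, tcp_after, tcp_fixed


if __name__ == "__main__":
    print(nat_effect_demo())   # (True, False, False, True)
```

The last two values are the whole NAT-T argument in miniature: the TCP checksum does break when the address changes, but a NAT that can see the TCP header simply recomputes it, whereas the AH case fails no matter what the NAT does because the ICV is keyed. ESP transport mode puts TCP in the AH-like position (the header is hidden from the NAT), and ESP tunnel mode removes the problem by leaving the inner header, and therefore the TCP checksum, untouched.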

Tunnel mode

    ESP Tunnel
    +-------------------------++----------++--------------------++-------------++-----------++-------+
    |New IPv4 Header for IPsec||ESP Header||Original IPv4 Header||Original Data||ESP Trailer||ESP ICV|
    +-------------------------++----------++--------------------++-------------++-----------++-------+

Only ESP tunnel mode can be used in a NAT-T environment. What NAT rewrites is the outer source IP address (in the New IPv4 Header for IPsec), while the integrity check covers the inner data, Original IPv4 Header + Original Data. The TCP checksum is therefore not touched, and TCP verification passes normally.

NAT forwarding of ESP packets

NAT can be broadly divided into two kinds: static one-to-one translation and many-to-one translation. With one-to-one translation, forwarding ESP packets poses no problem at all, but in practice the far more common form is many-to-one translation, i.e. PAT.

PAT works on transport-layer port numbers, but ESP has no transport-layer port, so forwarding ESP through a PAT device requires NAT-T.

For this reason IPsec encapsulates ESP packets in UDP. When IPsec detects a NAT device on the forwarding path, it re-encapsulates the packets using port 4500. Note also that the initiator may use port 4500 for IKE and ESP right from the initial IKE exchange, regardless of whether a NAT is present. This encoding is slightly less efficient, but it is easier for NAT devices to handle.

Original Data
+--------------------++-------------+       
|Original IPv4 Header||Original Data|
+--------------------++-------------+   

NAT-T not enabled
+-------------------------++----------++--------------------++-------------++-----------++-------+
|New IPv4 Header for IPsec||ESP Header||Original IPv4 Header||Original Data||ESP Trailer||ESP ICV|
+-------------------------++----------++--------------------++-------------++-----------++-------+

NAT-T enabled
+-------------------------++----------++----------++--------------------++-------------++-----------++-------+
|New IPv4 Header for IPsec||UDP Header||ESP Header||Original IPv4 Header||Original Data||ESP Trailer||ESP ICV|
+-------------------------++----------++----------++--------------------++-------------++-----------++-------+
                                       ^           ^                                   ^            ^         
                                       |           |                                   |            |         
                                       |           +------------Encrypted -------------+            |               
                                       |                                                            |         
                                       +----------------------Authenticate--------------------------+         

For NAT devices
+-------------------------++----------++----+
|New IPv4 Header for IPsec||UDP Header||Data|
+-------------------------++----------++----+

NAT Traversal implementation

  • Both the IKE initiator and the responder MUST include Notify payloads of type NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP in their IKE_SA_INIT packets. These payloads are used to detect whether there is a NAT between the hosts. Their position in the IKE_SA_INIT packet is just after the Ni (initiator nonce) or Nr (responder nonce) payload, and before the optional CERTREQ (Certificate Request) payload.

     Type Payload: Notify (41) - NAT_DETECTION_SOURCE_IP
        Next payload: Notify (41)
        0... .... = Critical Bit: Not Critical
        Payload length: 28
        Protocol ID: IKE (1)
        SPI Size: 0
        Notify Message Type: NAT_DETECTION_SOURCE_IP (16388)
        Notification DATA: ac69e386514bfd7f1ea2d768ae8dc90d0a20c6bd
    Type Payload: Notify (41) - NAT_DETECTION_DESTINATION_IP
        Next payload: NONE / No Next Payload  (0)
        0... .... = Critical Bit: Not Critical
        Payload length: 28
        Protocol ID: IKE (1)
        SPI Size: 0
        Notify Message Type: NAT_DETECTION_DESTINATION_IP (16389)
        Notification DATA: 1d87902599a1773c12e606834bf1c1310df3b556
    
  • The data associated with the NAT_DETECTION_SOURCE_IP notification is the SHA-1 digest of the SPIs, the IP address, and the port from which this packet was sent. There may be multiple NAT_DETECTION_SOURCE_IP payloads.

  • The data associated with the NAT_DETECTION_DESTINATION_IP notification is the SHA-1 digest of the SPIs (in the order they appear in the header), the IP address, and the port to which this packet was sent.

  • The recipient of a NAT_DETECTION_SOURCE_IP or NAT_DETECTION_DESTINATION_IP notification can compare the value it received with the SHA-1 hash of the SPIs and of the source or recipient IP address and port, and if they do not match, NAT Traversal is enabled. In the NAT_DETECTION_SOURCE_IP case, a mismatch means none of the hashes equals the received NAT_DETECTION_SOURCE_IP payload; if NAT traversal is not supported, the responder may reject the connection. In the NAT_DETECTION_DESTINATION_IP case, a mismatch means the system that received the NAT_DETECTION_DESTINATION_IP payload is behind a NAT, and that system should start sending keepalive packets as defined in [UDPENCAPS, RFC 3948]; alternatively, if it does not support NAT traversal, it may reject the connection.

  • The IKE initiator MUST check the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads if present, and if they do not match the addresses in the outer packet, MUST tunnel all future IKE and ESP packets associated with this IKE SA over UDP port 4500.

  • To tunnel IKE packets over UDP port 4500, the IKE header is prefixed with four octets of zero, and the result immediately follows the UDP header. To tunnel ESP packets over UDP port 4500, the ESP header immediately follows the UDP header. Since the first four octets of the ESP header contain the SPI, and a valid SPI cannot be zero, ESP and IKE messages can always be distinguished.

  • Implementations MUST process received UDP-encapsulated ESP packets even when no NAT was detected.

  • In the case of transport-mode NAT traversal, the traffic selectors must contain an IP address, which is then used as the original IP address. This is described in more detail in RFC 5996 section 2.23.1.
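The detection and demultiplexing rules listed above, as an added Python example that is not code from the original post or from Cisco. It builds the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP hashes the way a sender does, evaluates them the way the receiver does, and sorts UDP/4500 datagrams into IKE, ESP and NAT-keepalive by the non-ESP marker and SPI rule. The notify type numbers and the ESP SPI/sequence values are taken from the dissections on this page; the SPIs, the scenario of R5 behind R4's PAT and the stand-in ciphertext bytes are my own constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Notify types as shown in the IKE_SA_INIT dissection above (RFC 5996)
NAT_DETECTION_SOURCE_IP = 16388
NAT_DETECTION_DESTINATION_IP = 16389
NON_ESP_MARKER = bytes(4)   # four zero octets in front of IKE on UDP/4500 (RFC 3948 2.2)
NAT_KEEPALIVE = b"\xff"     # one-octet NAT-keepalive datagram (RFC 3948 2.3)


def nat_detection_hash(spi_i, spi_r, ip, port):
    """Notification data of NAT_DETECTION_*_IP: SHA-1(SPIi | SPIr | address | port),
    SPIs in the order they appear in the IKE header, port big-endian; 20 bytes."""
    return hashlib.sha1(spi_i + spi_r + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def build_nat_detection_notifies(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """The sender's own view of its source and destination, as carried in IKE_SA_INIT."""
    return [(NAT_DETECTION_SOURCE_IP, nat_detection_hash(spi_i, spi_r, src_ip, src_port)),
            (NAT_DETECTION_DESTINATION_IP, nat_detection_hash(spi_i, spi_r, dst_ip, dst_port))]


def detect_nat(spi_i, spi_r, notifies, outer_src_ip, outer_src_port, outer_dst_ip, outer_dst_port):
    """Receiver side: recompute both hashes from the addresses and ports actually seen in
    the outer IP/UDP header and compare with the peer's notifies.
    SOURCE mismatch -> the peer's address was translated (peer behind NAT).
    DESTINATION mismatch -> our own address was translated (we are behind NAT and must
    send NAT-keepalives). A multi-homed sender may include several SOURCE notifies; NAT
    is only inferred when none of them matches. No notifies at all means the peer does
    not do NAT-T."""
    src_hashes = [data for ntype, data in notifies if ntype == NAT_DETECTION_SOURCE_IP]
    dst_hashes = [data for ntype, data in notifies if ntype == NAT_DETECTION_DESTINATION_IP]
    if not src_hashes or not dst_hashes:
        return {"peer_supports_nat_t": False, "peer_behind_nat": None,
                "we_are_behind_nat": None, "use_udp_4500": False}
    peer_behind_nat = nat_detection_hash(spi_i, spi_r, outer_src_ip, outer_src_port) not in src_hashes
    we_are_behind_nat = nat_detection_hash(spi_i, spi_r, outer_dst_ip, outer_dst_port) not in dst_hashes
    return {"peer_supports_nat_t": True, "peer_behind_nat": peer_behind_nat,
            "we_are_behind_nat": we_are_behind_nat,
            "use_udp_4500": peer_behind_nat or we_are_behind_nat}


def classify_udp4500(datagram):
    """Demultiplex a datagram received on UDP/4500. A single 0xFF octet is a NAT-keepalive;
    four zero octets are the non-ESP marker and an IKE header follows; anything else
    starts with an ESP SPI, which is never zero for a valid SA, so IKE and ESP can always
    be told apart."""
    if datagram == NAT_KEEPALIVE:
        return ("keepalive", None)
    if datagram[:4] == NON_ESP_MARKER:
        if len(datagram) < 4 + 28:          # the 28-byte IKE header must fit
            return ("malformed", None)
        return ("ike", {"ike_header": datagram[4:32]})
    if len(datagram) < 8:
        return ("malformed", None)
    spi, seq = struct.unpack("!II", datagram[:8])
    return ("esp", {"spi": spi, "seq": seq})


def nat_detection_scenario():
    """Constructed walk-through of the lab below: R5 (45.1.1.5) initiates to R2 (23.1.1.2)
    through R4's PAT, which rewrites the source to 34.1.1.4 with a translated port (1025
    in the capture in the appendix). Returns R2's verdict."""
    spi_i = bytes.fromhex("0123456789abcdef")   # constructed initiator SPI
    spi_r = bytes(8)                            # responder SPI is zero in the IKE_SA_INIT request
    notifies = build_nat_detection_notifies(spi_i, spi_r, "45.1.1.5", 500, "23.1.1.2", 500)
    return detect_nat(spi_i, spi_r, notifies, "34.1.1.4", 1025, "23.1.1.2", 500)


if __name__ == "__main__":
    print(nat_detection_scenario())
    # ESP on UDP/4500 with the SPI and sequence number from the capture in the appendix;
    # the 16 trailing zero bytes stand in for ciphertext and are constructed
    print(classify_udp4500(bytes.fromhex("7fd1fc5d00000002") + bytes(16)))
```

In the scenario R2 finds that the SOURCE hash does not match what it sees on the wire (R5 is behind NAT) while the DESTINATION hash does (R2 itself is not), so the IKE SA moves to UDP/4500; R5, evaluating the mirror-image notifies from R2, reaches the opposite conclusion and is the side that has to send keepalives to hold R4's translation open.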

Configuration (key settings)

The topology is as follows:
 +-----+12.1.1.1          +-----+23.1.1.2          +-----+34.1.1.3          +-----+45.1.1.4          +-----+
 |  R1 |-------F0/0-------|  R2 |-------F0/1-------|  R3 |-------F0/0-------|  R4 |-------F0/1-------|  R5 |
 +-----+          12.1.1.2+-----+          23.1.1.3+-----+          34.1.1.4+-----+          45.1.1.5+-----+

 R1:Server
 R2:Gateway
 R3:Internet
 R4:NAT Device
 R5:Client

As I was unable to complete the lab with IKEv2, only the IKEv1 configuration commands are listed below.

R1 configuration:
!
interface FastEthernet0/0
 ip address 12.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 12.1.1.2
R2 configuration:
!
interface FastEthernet0/0
 ip address 12.1.1.2 255.255.255.0
!         
interface FastEthernet0/1
 ip address 23.1.1.2 255.255.255.0
 crypto map ikev1-map
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ccie43413 address 34.1.1.4       
!
crypto ipsec transform-set ikev1-transform-set esp-des esp-md5-hmac 
 mode tunnel
!
crypto map ikev1-map 10 ipsec-isakmp 
 set peer 34.1.1.4
 set transform-set ikev1-transform-set 
 match address vpn
!
ip access-list extended vpn
 permit ip host 12.1.1.1 host 45.1.1.5
!
ip route 0.0.0.0 0.0.0.0 23.1.1.3
!
R3 configuration:
!
interface FastEthernet0/0
 ip address 34.1.1.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 23.1.1.3 255.255.255.0
!
R4 configuration:
!
interface FastEthernet0/0
 no switchport
 ip address 34.1.1.4 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 no switchport
 ip address 45.1.1.4 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static udp 1.1.1.1 4500 interface FastEthernet0/0 4500
ip nat inside source static udp 1.1.1.1 500 interface FastEthernet0/0 500
!
access-list 1 permit 45.1.1.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 34.1.1.3
!
R5 configuration:
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ccie43413 address 23.1.1.2       
!
crypto ipsec transform-set ikev1-transform-set esp-des esp-md5-hmac 
 mode tunnel
!
crypto map ikev1-map 10 ipsec-isakmp 
 set peer 23.1.1.2
 set transform-set ikev1-transform-set 
 match address vpn
!
ip access-list extended vpn
 permit ip host 45.1.1.5 host 12.1.1.1
!
interface FastEthernet0/1
 ip address 45.1.1.5 255.255.255.0
 crypto map ikev1-map
!
ip route 0.0.0.0 0.0.0.0 45.1.1.4
!

Appendix

Frame 12: 174 bytes on wire (1392 bits), 174 bytes captured (1392 bits) on interface 0
Ethernet II, Src: ca:08:15:0c:00:06 (ca:08:15:0c:00:06), Dst: ca:07:1f:8c:00:06 (ca:07:1f:8c:00:06)
Internet Protocol Version 4, Src: 34.1.1.4, Dst: 23.1.1.2
User Datagram Protocol, Src Port: 1025, Dst Port: 4500
    Source Port: 1025
    Destination Port: 4500
    Length: 140
    [Checksum: [missing]]
    [Checksum Status: Not present]
    [Stream index: 1]
UDP Encapsulation of IPsec Packets
Encapsulating Security Payload
    ESP SPI: 0x7fd1fc5d (2144468061)
    ESP Sequence: 2

NAT-T packet capture
