I've run into quite a puzzle. I need to set up an S2S VPN between an SSG firewall and a Cisco router. There are plenty of recipes on the web for setting up such a VPN, but all of them in the "old" style, i.e. plain IPsec on the SSG and a crypto map attached to the WAN interface on the Cisco. I, however, would prefer to build it on a VTI on the Cisco side. And here is the riddle: on the SSG, the tunnel interface only offers GRE encapsulation. After configuring the VPN and binding it to the tunnel interface I have a nice situation:
On the Cisco side everything looks OK, i.e. IPsec P1 and P2 are OK and the tunnel interface is up/up.
Code:
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
77.x.y.z 31.x.y.z QM_IDLE 1087 ACTIVE
#sh crypto ipsec sa
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 31.x.y.z
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 77.x.y.z port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 187, #pkts decrypt: 187, #pkts verify: 187
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 31.x.y.z, remote crypto endpt.: 77.x.y.z
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x3172C542(829605186)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x7525764E(1965389390)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2075, flow_id: Onboard VPN:75, sibling_flags 80000046, crypto map: Tunnel100-head-0
sa timing: remaining key lifetime (k/sec): (4494339/2670)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3172C542(829605186)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2076, flow_id: Onboard VPN:76, sibling_flags 80000046, crypto map: Tunnel100-head-0
sa timing: remaining key lifetime (k/sec): (4494360/2670)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Code:
plfw01-> get log even
2011-09-20 22:11:18 system info 00536 IKE 31.x.y.z Phase 2 msg ID
3aa98e48: Completed negotiations with
SPI 3172c542, tunnel ID 3, and
lifetime 3600 seconds/4194303 KB.
2011-09-20 22:11:18 system info 00536 IKE 31.x.y.z phase 2:The symmetric
crypto key has been generated
successfully.
plfw01-> get ike cookies
IKEv1 SA -- Active: 1, Dead: 0, Total 1
81182f/0003, 31.x.y.z:500->77.x.y.z:500, PRESHR/grp2/3DES/SHA, xchg(2) (MVPN/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 27754 cert-expire 0
responder, err cnt 0, send dir 1, cond 0xc0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
IKEv2 SA -- Active: 0, Dead: 0, Total 0
plfw01-> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000003< 31.x.y.z 500 esp:a128/sha1 3172c542 2551 4095M A/U -1 0
00000003> 31.x.y.z 500 esp:a128/sha1 7525764e 2551 4095M A/U -1 0
plfw01->
plfw01-> get vpn
Name Gateway Mode RPlay 1st Proposal Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
MVP MVPN tunl Yes g2-esp-aes128-sha on 0 eth0/0
Total Auto VPN: 1
Total Pure Transport Mode IPSEC VPN: 0
Code:
plfw01-> get inter
tun.1 192.168.0.5/30 Trust N/A - D -
2011-09-20 22:11:19 critical VPN 'MVP' from 31.x.y.z is up.
Interface and VPN config on the SSG
Code:
set interface "tunnel.1" zone "Trust"
set interface tunnel.1 ip 192.168.0.5/30
set interface tunnel.1 tunnel encap gre
set interface tunnel.1 tunnel local-if ethernet0/0 dst-ip 31.x.y.z
set interface tunnel.1 tunnel keep-alive interval 10 threshold 3
set interface tunnel.1 mtu 1400
set route 10.1.0.0/21 interface tunnel.1 gateway 192.168.0.6 permanent
set route 10.7.5.0/24 interface tunnel.1 gateway 192.168.0.6 permanent
set route 10.1.8.10/24 interface tunnel.1 gateway 192.168.0.6 permanent
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
set ike gateway "MVPN" address 31.x.y.z Main local-id "SSG5FW" outgoing-interface "ethernet0/0" preshare "abcde123456" proposal "pre-g2-3des-sha"
set vpn "MVP" gateway "MVPN" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "MVP" monitor
set vpn "MVP" id 0x3 bind interface tunnel.1
Cisco configured classically:
Code:
! Phase 1: PSK, 3DES/SHA, DH group 2, 28800 s - matches the SSG proposal pre-g2-3des-sha
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key abcde123456 address 77.x.y.z
crypto isakmp invalid-spi-recovery
!
! Phase 2: AES-128/SHA with PFS group 2 - matches g2-esp-aes128-sha on the SSG
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
!
crypto ipsec profile VPN_to_home
 set transform-set AES_SHA
 set pfs group2
 set identity SSG5FW
!
! Route-based VTI: "tunnel mode ipsec ipv4" carries IP directly inside ESP, with no GRE header
interface Tunnel100
 description *** VPN do home-net (SSG5) ***
 ip address 192.168.0.6 255.255.255.252
 ip mtu 1400
 ip virtual-reassembly
 zone-member security INSIDE
 ip tcp adjust-mss 1360
 load-interval 30
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 77.x.y.z
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VPN_to_home
!
! Remote LAN behind the SSG is reached through the VTI
ip route 192.168.1.0 255.255.255.0 Tunnel100 name VPN_to_home
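As an added example (not part of the original post), here is a small Python script that cross-checks the two dumps quoted above: it parses the Cisco `show crypto ipsec sa` output and the ScreenOS `get sa` output, verifies that the Cisco outbound SPI is the SSG inbound SPI and vice versa, and flags one-way traffic from the encaps/decaps counters. The sample text is constructed from the outputs in the post (masked addresses kept as 31.x.y.z / 77.x.y.z); the function names are my own.

```python
"""Cross-check a Cisco IOS `show crypto ipsec sa` dump against a ScreenOS
`get sa` dump: do the SPIs line up, and does traffic flow in both directions?

The two sample dumps below are constructed from the outputs quoted in the post.
"""
import re

CISCO_SHOW_CRYPTO_IPSEC_SA = """\
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 31.x.y.z
current_peer 77.x.y.z port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 187, #pkts decrypt: 187, #pkts verify: 187
#send errors 0, #recv errors 0
current outbound spi: 0x3172C542(829605186)
inbound esp sas:
spi: 0x7525764E(1965389390)
transform: esp-aes esp-sha-hmac ,
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3172C542(829605186)
transform: esp-aes esp-sha-hmac ,
Status: ACTIVE
"""

SCREENOS_GET_SA = """\
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000003< 31.x.y.z 500 esp:a128/sha1 3172c542 2551 4095M A/U -1 0
00000003> 31.x.y.z 500 esp:a128/sha1 7525764e 2551 4095M A/U -1 0
"""


def _spi(raw: str) -> str:
    """Normalise an SPI to lower-case hex without 0x prefix or leading zeros."""
    return raw.lower().removeprefix("0x").lstrip("0") or "0"


def parse_cisco_ipsec_sa(text: str) -> dict:
    """Extract peer, packet counters and the live inbound/outbound ESP SPIs."""
    sa = {"peer": None, "encaps": 0, "decaps": 0, "inbound_spi": None, "outbound_spi": None}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"current_peer (\S+) port", line):
            sa["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            sa["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            sa["decaps"] = int(m.group(1))
        elif line in ("inbound esp sas:", "outbound esp sas:"):
            section = line.split()[0]          # "inbound" / "outbound"
        elif line.endswith("sas:"):
            section = None                     # ah / pcp sections carry nothing here
        elif section and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            key = f"{section}_spi"
            if sa[key] is None:                # first SA listed in a section is the active one
                sa[key] = _spi(m.group(1))
    return sa


# HEX-ID<dir> Gateway Port Algorithm SPI Life:sec kb Sta ...
SCREENOS_SA_RE = re.compile(
    r"^([0-9a-fA-F]+)([<>])\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-fA-F]+)\s+(\d+)\s+(\S+)\s+(\S+)"
)


def parse_screenos_sa(text: str) -> dict:
    """Parse `get sa`: '<' rows are inbound to the SSG, '>' rows outbound from it."""
    sa = {"gateway": None, "algorithm": None, "status": None,
          "inbound_spi": None, "outbound_spi": None}
    for line in text.splitlines():
        m = SCREENOS_SA_RE.match(line.strip())
        if not m:
            continue
        _, direction, gateway, _, algo, spi, _, _, status = m.groups()
        sa.update(gateway=gateway, algorithm=algo, status=status)
        sa["inbound_spi" if direction == "<" else "outbound_spi"] = _spi(spi)
    return sa


def check_tunnel(cisco: dict, ssg: dict) -> list[str]:
    """Return findings; an empty list means SPIs agree and packets flow both ways."""
    findings = []
    if cisco["outbound_spi"] != ssg["inbound_spi"]:
        findings.append(f"SPI mismatch: Cisco outbound {cisco['outbound_spi']} "
                        f"vs SSG inbound {ssg['inbound_spi']}")
    if cisco["inbound_spi"] != ssg["outbound_spi"]:
        findings.append(f"SPI mismatch: Cisco inbound {cisco['inbound_spi']} "
                        f"vs SSG outbound {ssg['outbound_spi']}")
    if cisco["decaps"] and not cisco["encaps"]:
        findings.append(f"one-way traffic: Cisco decapsulated {cisco['decaps']} packets "
                        "but encapsulated none; the Cisco side receives but never sends")
    elif cisco["encaps"] and not cisco["decaps"]:
        findings.append(f"one-way traffic: Cisco encapsulated {cisco['encaps']} packets "
                        "but decapsulated none; nothing is arriving from the SSG")
    elif not cisco["encaps"] and not cisco["decaps"]:
        findings.append("no traffic in either direction on the active SA")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(parse_cisco_ipsec_sa(CISCO_SHOW_CRYPTO_IPSEC_SA),
                                parse_screenos_sa(SCREENOS_GET_SA)):
        print(finding)
```

Run as-is against the dumps above it reports a single finding: the SPIs agree on both boxes (Cisco outbound 3172c542 is the SSG's inbound SA, Cisco inbound 7525764e its outbound SA), but the Cisco has decapsulated 187 packets and encapsulated none. That is the check worth repeating after every config change: as long as encaps stays at 0 on the Cisco, nothing is being sent into the VTI, whatever the ISAKMP state and the up/up interface suggest.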