1. Topology:

[Figure 1: GRE over IPsec with NAT-T (IPsec profile, PAT). R1 (e0/0 10.1.1.1, lo0 1.1.1.1) sits behind FW1 (inside 10.1.1.10, outside 202.100.1.10); R2 (202.100.1.2 / 202.100.2.2) is the Internet router; R3 (e0/0 202.100.2.3, lo0 3.3.3.3) is the remote peer.]

Reference: http://www.securityie.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=10;t=002501
2. Basic interface configuration:
R1:
int e0/0
 ip add 10.1.1.1 255.255.255.0
 no sh
int l0
 ip add 1.1.1.1 255.255.255.0
FW1:
int e0
 ip add 10.1.1.10 255.255.255.0
 nameif inside
 no sh
int e1
 ip add 202.100.1.10 255.255.255.0
 nameif outside
 no sh
R2:
int E0/0
 ip add 202.100.1.2 255.255.255.0
 no sh
int e0/1
 ip add 202.100.2.2 255.255.255.0
 no sh
R3:
int e0/0
 ip add 202.100.2.3 255.255.255.0
 no sh
int l0
 ip add 3.3.3.3 255.255.255.0
3. Routing configuration:
R1:
 ip route 0.0.0.0 0.0.0.0 10.1.1.10
FW1 (pixfirewall):
route outside 0.0.0.0 0.0.0.0 202.100.1.2
R3:
ip route 0.0.0.0 0.0.0.0 202.100.2.2
4. Firewall NAT and policy configuration:
access-list 10 permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 1 access-list 10
global (outside) 1 interface
access-list outside extended permit icmp any any
access-group outside in interface outside
Note: nat (inside) 1 together with global (outside) 1 interface is interface PAT: every inside host leaves as 202.100.1.10 with a translated source port, and nothing from outside can reach an inside host unless that host opened the flow first. The ICMP rule is only there for testing convenience and is not required.
5. GRE and dynamic routing configuration:
R1:
int tunnel 0
 ip add 192.168.0.1 255.255.255.0
 tunnel source ethernet 0/0
 tunnel destination 202.100.2.3
router ospf 1
 router-id 1.1.1.1
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.0.255 area 0
R3:
int tunnel 0
 ip add 192.168.0.2 255.255.255.0
 tunnel source ethernet 0/0
 tunnel destination 202.100.1.10
Note: the tunnel destination here differs from the traditional configuration. It must be R1's address after NAT, i.e. FW1's outside interface 202.100.1.10, not R1's real address 10.1.1.1, because the translated address is the only address of R1 that R3 can ever see.
router ospf 1
 router-id 3.3.3.3
 network 3.3.3.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.0.255 area 0
Note: at this point the OSPF adjacency still cannot form. R1's GRE packets (IP protocol 47) carry no transport-layer port, so interface PAT has nothing to overload on and FW1 drops them (a PIX logs this as 305006, "portmap translation creation failed for protocol 47"); GRE from R3 arriving at FW1's outside interface likewise has no translation entry that could map it back to the inside router.
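To make the previous note concrete, here is a toy model of FW1's interface PAT (the nat/global 1 configuration from section 4). It is an added example, not code from the original post: it replays the three flows R1 sends through FW1 (IKE on UDP/500, NAT-T on UDP/4500, plain GRE) and R3's replies. The addresses are the lab's; the translated ports 1024, 1025 are an assumption, a real PIX picks its own.

```python
# Added example, not part of the original post: a toy model of PIX interface
# PAT ("nat (inside) 1" + "global (outside) 1 interface"), showing why GRE
# cannot cross it while the IKE and NAT-T flows can. Translated ports are an
# assumption; addresses are the ones in the lab topology.

UDP = 17
GRE = 47


class InterfacePAT:
    """PAT table keyed on (protocol, translated port), as any port-overloading NAT needs."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.xlate = {}  # (proto, translated_port) -> (inside_ip, inside_port)

    def outbound(self, proto, src_ip, src_port):
        """Inside -> outside. Returns (translated_ip, translated_port), or None if dropped."""
        if src_port is None:
            # No transport-layer port to overload on. A PIX/ASA logs this as
            # %PIX-3-305006: portmap translation creation failed for protocol 47 ...
            return None
        for (p, tport), (ip, port) in self.xlate.items():
            if p == proto and (ip, port) == (src_ip, src_port):
                return (self.outside_ip, tport)  # reuse the existing xlate
        tport = self.next_port
        self.next_port += 1
        self.xlate[(proto, tport)] = (src_ip, src_port)
        return (self.outside_ip, tport)

    def inbound(self, proto, dst_port):
        """Outside -> inside. Returns (inside_ip, inside_port), or None when no xlate matches."""
        return self.xlate.get((proto, dst_port))


def lab_flows():
    """Replay R1's flows through FW1 and R3's replies, as in the topology above."""
    fw1 = InterfacePAT("202.100.1.10")
    r = {}
    r["isakmp"] = fw1.outbound(UDP, "10.1.1.1", 500)     # IKE main mode
    r["nat_t"] = fw1.outbound(UDP, "10.1.1.1", 4500)     # ESP in UDP once NAT-T is detected
    r["gre_out"] = fw1.outbound(GRE, "10.1.1.1", None)   # plain GRE: no port, no xlate
    r["gre_in"] = fw1.inbound(GRE, None)                 # R3 -> 202.100.1.10 proto 47: nothing maps it to R1
    r["nat_t_reply"] = fw1.inbound(UDP, r["nat_t"][1])   # R3 -> 202.100.1.10:1025 returns to R1
    return r


if __name__ == "__main__":
    for name, outcome in lab_flows().items():
        print(f"{name:12} -> {outcome if outcome else 'dropped'}")
```

The two GRE entries come back as dropped in both directions, while the UDP/4500 flow has a reverse mapping; that is the whole reason the tunnel has to be carried inside NAT-T rather than as bare GRE.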
6. VPN configuration (IPsec profile method):
A. Phase 1 (ISAKMP) policy:
R1:
crypto isakmp policy 10
 group 2
 hash md5
 encryption des
 authentication pre-share
crypto isakmp key 0 cisco address 202.100.2.3
R3:
crypto isakmp policy 10
 group 2
 hash md5
 encryption des
 authentication pre-share
crypto isakmp key 0 cisco address 202.100.1.10
Note: on R3 the key is bound to 202.100.1.10, the translated address, because that is the source address of R1's IKE packets after PAT. IKE starts on UDP/500; NAT-T detection in main mode notices the translation and moves the remaining IKE messages and the ESP payload to UDP/4500, which is what Tunnel-UDP in the debug output further down refers to. DES, MD5, DH group 2 and a pre-shared key of cisco are lab settings only; for anything real use AES, SHA-2, group 14 or higher and a strong per-peer key.
B. Phase 2 (IPsec) transform set:
R1 and R3:
crypto ipsec transform-set transet esp-des esp-md5-hmac
 mode transport
C. IPsec profile, referencing the transform set:
R1 and R3:

crypto ipsec profile myprofile
 set transform-set transet
D. Apply the profile to the tunnel interface:
R1 and R3:

int tunnel 0
tunnel protection ipsec profile myprofile
7. Set the tunnel mode on the router tunnel interfaces:
R1 and R3:

int tunnel 0
 tunnel mode ipsec ipv4
Note: once this is configured the OSPF adjacency comes up by itself. Without it the interface is still a GRE tunnel protected by IPsec, Quick Mode cannot complete, and the following error is logged:
*Mar  1 00:31:05.887: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 202.100.1.10 
and debug crypto ipsec on R3 shows the output below. Read the proxy identities: R3's own request (OUTBOUND) asks for 202.100.2.3/32 <-> 202.100.1.10/32, protocol 47 (GRE), because its tunnel destination is the translated address. R1's proposal (INBOUND, marked Tunnel-UDP because NAT-T has wrapped ESP in UDP/4500) names R1's real address, remote_proxy= 10.1.1.1/32, so R3 finds no identity that matches ("map_db_find_best did not find matching map") and rejects it. With tunnel mode ipsec ipv4 there is no GRE header to name in the proxy, both sides negotiate 0.0.0.0/0 <-> 0.0.0.0/0, and the translated address no longer matters:

Crypto IPSEC debugging is on
R3#
*Mar  1 00:31:43.807: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 202.100.2.3, remote= 202.100.1.10,
    local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
    remote_proxy= 202.100.1.10/255.255.255.255/47/0 (type=1)
*Mar  1 00:31:43.831: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 00:31:43.839: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.2.3, remote= 202.100.1.10,
    local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
    remote_proxy= 202.100.1.10/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xC6C45BEE(3334757358), conn_id= 0, keysize= 0, flags= 0x400A
*Mar  1 00:31:43.891: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 00:32:11.455: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 00:32:11.631: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 202.100.2.3, remote= 202.100.1.10,
    local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
    remote_proxy= 10.1.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
*Mar  1 00:32:11.647: map_db_find_best did not find matching map
*Mar  1 00:32:11.651: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 202.100.2.3
*Mar  1 00:32:11.663: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 202.100.1.10 
*Mar  1 00:32:13.839: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 202.100.2.3, remote= 202.100.1.10,
    local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
    remote_proxy= 202.100.1.10/255.255.255.255/47/0 (type=1)
*Mar  1 00:32:13.851: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 202.100.2.3, remote= 202.100.1.10,
    local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
    remote_proxy= 202.100.1.10/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x90CF1F1D(2429493021), conn_id= 0, keysize= 0, flags= 0x400A
*Mar  1 00:32:41.031: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 202.100.2.3, remote= 202.100.1.10,
    local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
    remote_proxy= 10.1.1.1/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
*Mar  1 00:32:41.047: map_db_find_best did not find matching map
*Mar  1 00:32:41.051: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 202.100.2.3
*Mar  1 00:32:43.847: IPSEC(key_engine): request timer fired: count = 2,
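The failing check in the debug above, replayed in code. This is an added example, not code from the original post: it parses the proxy identities out of the INBOUND lines R3 logged and compares them with what R3 expects from its tunnel configuration, once for the GRE-with-tunnel-protection case and once for the sVTI case. The responder check is simplified to an exact match (IOS also accepts narrower identities against a crypto-map ACL, which does not apply to tunnel protection), and the sVTI proposal lines are constructed in the same debug format, not copied from a capture.

```python
# Added example, not part of the original post: parse proxy identities from
# 'debug crypto ipsec' lines and replay R3's matching decision. Exact-match
# responder logic and the sVTI sample lines are assumptions/constructed.
import re
from ipaddress import ip_network

PROXY_RE = re.compile(
    r"(?P<side>local|remote)_proxy= (?P<ip>[\d.]+)/(?P<mask>[\d.]+)/(?P<proto>\d+)/(?P<port>\d+)"
)

# Copied from the INBOUND proposal R3 logged (R1's offer, seen from R3's side).
R1_GRE_PROPOSAL = """\
    local_proxy= 202.100.2.3/255.255.255.255/47/0 (type=1),
    remote_proxy= 10.1.1.1/255.255.255.255/47/0 (type=1),
"""

# Constructed: what an sVTI peer offers, written in the same format (any/any, protocol 0).
R1_VTI_PROPOSAL = """\
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
"""


def parse_proxies(debug_text):
    """Return {'local': (network, proto, port), 'remote': (...)} from debug lines."""
    ids = {}
    for m in PROXY_RE.finditer(debug_text):
        net = ip_network(f"{m['ip']}/{m['mask']}", strict=False)
        ids[m["side"]] = (net, int(m["proto"]), int(m["port"]))
    return ids


def gre_identity(local_ip, tunnel_destination):
    """Identities a GRE tunnel with 'tunnel protection' insists on: host/host, protocol 47."""
    return {
        "local": (ip_network(f"{local_ip}/32"), 47, 0),
        "remote": (ip_network(f"{tunnel_destination}/32"), 47, 0),
    }


def vti_identity():
    """Identities a 'tunnel mode ipsec ipv4' interface insists on: any/any."""
    anynet = ip_network("0.0.0.0/0")
    return {"local": (anynet, 0, 0), "remote": (anynet, 0, 0)}


def responder_accepts(expected, proposed):
    """Exact-match stand-in for R3's map lookup; False is 'did not find matching map'."""
    return proposed["local"] == expected["local"] and proposed["remote"] == expected["remote"]


def lab_outcome():
    """R3's view: its tunnel destination is the translated 202.100.1.10, R1 offers its real 10.1.1.1."""
    return {
        "gre_tunnel_protection": responder_accepts(
            gre_identity("202.100.2.3", "202.100.1.10"), parse_proxies(R1_GRE_PROPOSAL)
        ),
        "vti": responder_accepts(vti_identity(), parse_proxies(R1_VTI_PROPOSAL)),
    }


if __name__ == "__main__":
    for case, ok in lab_outcome().items():
        print(f"{case:22} -> {'accepted' if ok else 'no matching map'}")
```

The GRE case fails on the remote identity alone (10.1.1.1/32 offered, 202.100.1.10/32 expected); the sVTI case passes because neither side names an address at all.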
8. Verifying IPsec:
A. Both routers show encrypt/decrypt counters driven by OSPF traffic (to confirm that NAT-T is really in use, show crypto ipsec sa should report "in use settings ={Tunnel UDP-Encaps, }" and show crypto isakmp sa detail lists N under Capabilities):

R1#show crypto engine conn active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   4 Tunnel0              192.168.0.1     set    HMAC_MD5+DES_56_CB        0        0
2001 Tunnel0              10.1.1.1        set    DES+MD5                   0       51
2002 Tunnel0              10.1.1.1        set    DES+MD5                  52        0

R3#show crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   4 Ethernet0/0          202.100.2.3     set    HMAC_MD5+DES_56_CB        0        0
2001 Ethernet0/0          202.100.2.3     set    DES+MD5                   0       54
2002 Ethernet0/0          202.100.2.3     set    DES+MD5                  53        0
B. OSPF adjacency established:
R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:35    192.168.0.2     Tunnel0

R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:00:37    192.168.0.1     Tunnel0
C. Each side learns the other's loopback via OSPF:
R1#show ip route ospf
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/11112] via 192.168.0.2, 00:07:58, Tunnel0
R3#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/11112] via 192.168.0.1, 00:08:17, Tunnel0
D. Ping test:
R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/75/228 ms
9. Summary (differences from the traditional IPsec configuration):
In the same network, the traditional (crypto map) method and the profile method differ as follows:
A. The traditional method applies a crypto map to the physical interface; the profile method applies tunnel protection to the tunnel interface.
B. The traditional method uses the peer's real address as the tunnel destination; the profile method uses the address after NAT (here R3 points at 202.100.1.10, FW1's outside interface).
C. The profile method needs tunnel mode ipsec ipv4 on the tunnel interface. This changes what the tunnel is: the payload is IP carried directly in ESP with no GRE header, the IPsec proxy identities become any/any, and the transform set's mode transport line has no effect because a VTI negotiates tunnel mode. That is why the translated address stops being a problem. It also means only R1, behind the PAT, can bring the tunnel up: R3 cannot reach R1 unsolicited, since FW1 has no static translation for UDP 500/4500, so the first OSPF hello from R1 is what triggers IKE.

  ----- Later, in the CCNP Security course, this method turns up under a new name: a static VTI (sVTI) VPN.