ASA 5520 (IOS version 8.4) IKEv2 IPsec VPN lab configuration
1. The lab topology is shown below:
2. Purpose of the lab:
Use IKEv2 to build a point-to-point IPsec VPN; in this example, VPN traffic runs between 192.168.1.100 and 172.16.1.100.
3. Configuration:
ASA1 configuration
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 11.1.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
// The following defines objects so they can be referenced later
object network Inside_network
 subnet 192.168.1.0 255.255.255.0
object network VPN_address // the remote endpoint's IP address, i.e. the far-end host of the point-to-point VPN
 host 172.16.1.100
object network Inside_address // the local endpoint's IP address, i.e. the near-end host of the point-to-point VPN
 host 192.168.1.100
access-list 110 extended permit ip any any
access-list VPN extended permit ip object Inside_address object VPN_address // define the VPN interesting traffic
nat (inside,outside) source static Inside_address Inside_address destination static VPN_address VPN_address // exempt the VPN traffic from NAT
!
object network Inside_network
 nat (inside,outside) dynamic interface // configure PAT
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 11.1.1.1 1
crypto ipsec ikev2 ipsec-proposal TRAN // define the IPsec transform set (proposal)
 protocol esp encryption aes-256
 protocol esp integrity md5
crypto map TEST 10 match address VPN // define the crypto map; "VPN" here is the name of the interesting-traffic ACL created above
crypto map TEST 10 set peer 12.1.1.2 // the VPN peer's outside IP address
crypto map TEST 10 set ikev2 ipsec-proposal TRAN // reference the IPsec proposal created above
crypto map TEST interface outside // apply the crypto map to the outside interface
crypto ikev2 policy 10 // define the IKEv2 policy
 encryption aes-256
 integrity sha256 md5
 group 2
 prf sha256 md5
 lifetime seconds 86400
crypto ikev2 enable outside // enable IKEv2 on the outside interface; this is essential, without it everything else is useless
tunnel-group 12.1.1.2 type ipsec-l2l // define the VPN tunnel, type ipsec-l2l
tunnel-group 12.1.1.2 ipsec-attributes // define the VPN tunnel attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
ASA2 configuration:
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 12.1.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
object network Inside_network
 subnet 172.16.1.0 255.255.255.0
object network Inside_address
 host 172.16.1.100
object network VPN_address
 host 192.168.1.100
access-list 110 extended permit ip any any
access-list VPN extended permit ip object Inside_address object VPN_address
nat (inside,outside) source static Inside_address Inside_address destination static VPN_address VPN_address
!
object network Inside_network
 nat (inside,outside) dynamic interface
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 12.1.1.1 1
crypto ipsec ikev2 ipsec-proposal TRAN
 protocol esp encryption aes-256
 protocol esp integrity md5
crypto map TEST 10 match address VPN
crypto map TEST 10 set peer 11.1.1.2
crypto map TEST 10 set ikev2 ipsec-proposal TRAN
crypto map TEST interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256 md5
 group 2
 prf sha256 md5
 lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 11.1.1.2 type ipsec-l2l
tunnel-group 11.1.1.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
!
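As an added consistency check that is not part of the original lab, the following Python script parses the VPN-relevant lines of both peers' configurations and verifies the three things that most often break a site-to-site tunnel: each side's set peer is the other side's outside address, the crypto ACL has a matching identity NAT (NAT exemption) rule, and the two crypto ACLs are exact mirror images once the objects are resolved to addresses. The config excerpts are constructed from the values above, and the parser handles only this subset of ASA syntax.

```python
# Constructed excerpts of the two peers' configs, filled with the lab's addresses
TEMPLATE = """interface GigabitEthernet0
 nameif outside
 ip address {out_ip} 255.255.255.0
object network Inside_address
 host {local}
object network VPN_address
 host {remote}
access-list VPN extended permit ip object Inside_address object VPN_address
nat (inside,outside) source static Inside_address Inside_address destination static VPN_address VPN_address
crypto map TEST 10 match address VPN
crypto map TEST 10 set peer {peer}
"""
ASA1 = TEMPLATE.format(out_ip="11.1.1.2", local="192.168.1.100", remote="172.16.1.100", peer="12.1.1.2")
ASA2 = TEMPLATE.format(out_ip="12.1.1.2", local="172.16.1.100", remote="192.168.1.100", peer="11.1.1.2")

def parse_asa(cfg):  # pull the VPN-relevant pieces out of ASA config text (subset of syntax only)
    d = {"objects": {}, "acls": {}, "nat_exempt": set(), "match_acl": None, "peer": None, "outside_ip": None}
    cur_obj = cur_if = None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:2] == ["object", "network"]:
            cur_obj, cur_if = t[2], None
        elif t[0] in ("interface", "nameif"):          # after nameif, cur_if holds the logical name
            cur_if, cur_obj = t[1], None
        elif t[0] == "host" and cur_obj:
            d["objects"][cur_obj] = t[1]
        elif t[:2] == ["ip", "address"] and cur_if == "outside":
            d["outside_ip"] = t[2]
        elif t[0] == "access-list" and "object" in t:  # ... permit ip object SRC object DST
            d["acls"][t[1]] = (t[t.index("object") + 1], t[-1])
        elif t[0] == "nat" and "static" in t:          # twice-NAT identity rule = NAT exemption
            d["nat_exempt"].add((t[4], t[t.index("destination") + 2]))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            d["match_acl"] = t[-1]
        elif t[:2] == ["crypto", "map"] and "peer" in t:
            d["peer"] = t[-1]
    return d

def check_pair(a, b):  # return the mismatches between two parsed peers; an empty list means they agree
    problems = []
    for side, me, other in (("A", a, b), ("B", b, a)):
        if me["peer"] != other["outside_ip"]:
            problems.append(f"{side}: set peer {me['peer']} is not the other side's outside address")
        if me["acls"].get(me["match_acl"]) not in me["nat_exempt"]:
            problems.append(f"{side}: crypto ACL {me['match_acl']} has no matching identity NAT exemption")
    # The two crypto ACLs, resolved to addresses, must be exact mirror images of each other
    hosts = lambda d: tuple(d["objects"].get(n, n) for n in d["acls"].get(d["match_acl"], ()))
    if hosts(a) != hosts(b)[::-1]:
        problems.append(f"crypto ACLs are not mirror images: {hosts(a)} vs {hosts(b)}")
    return problems
```

Running check_pair(parse_asa(ASA1), parse_asa(ASA2)) on the lab values returns an empty list; commenting out the nat line on one side, or changing one host object, produces a single descriptive mismatch.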
4. Verification: pinging from 192.168.1.100 reaches 172.16.1.100 but does not reach 172.16.1.200.
Output of show crypto ipsec sa: