一. Overview:
  IPSec ××× has several ways of traversing NAT, and NAT-T is one of them. Normally an IPSec ××× cannot pass through a NAT device, mainly because ESP traffic carries no port numbers the way TCP or UDP do. While testing an IPSec ××× with phase 1 in aggressive mode, I happened to notice that the IPSec ××× still came up even though NAT-T is not enabled by default on the PIX/ASA, so I am recording it here.
二. Basic ideas:
A. Routers enable NAT-T by default
B. Cisco PIX/ASA does not enable NAT-T by default
C. To use NAT-T, both crypto endpoints must have NAT-T enabled; an endpoint switches to NAT-T once it detects that NAT-T is needed
D. The ××× comes up without NAT-T; apparently the router's PAT is smart enough to PAT the ESP traffic automatically
E. If the intermediate PAT device is a firewall, the traffic should not get through without NAT-T or a similar technique
三. Test topology:
[Image 1: Dynamic PAT through a router without NAT-T, the IPSec ××× is still established successfully]
四. Basic configuration:
A. R1:
interface Ethernet0/0
     ip address 192.168.1.1 255.255.255.0
     no shut
interface Loopback0
     ip address 192.168.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.2
B. R2:
interface Ethernet0/0
     ip address 192.168.1.2 255.255.255.0
     ip nat inside
     no shut
interface Ethernet0/1
     ip address 202.100.1.2 255.255.255.0
     ip nat outside
     no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
     permit ip any any
ip nat inside source list PAT interface Ethernet0/1 overload
C. R3:
interface Ethernet0/0
     ip address 202.100.1.3 255.255.255.0
     no shut
interface Ethernet0/1
     ip address 202.100.2.3 255.255.255.0
     no shut
D. PIX80:
interface Ethernet0
     nameif Inside
     security-level 100
     ip address 172.16.1.10 255.255.255.0
     no shut
interface Ethernet1
     nameif Outside
     security-level 0
     ip address 202.100.2.10 255.255.255.0
     no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.3
access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
E. R4:
interface Ethernet0/0
     ip address 172.16.1.4 255.255.255.0
     no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.10
五. ××× configuration:
A. R1:
① Phase 1 policy:
crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
crypto isakmp peer address 202.100.2.10
     set aggressive-mode password cisco123
     set aggressive-mode client-endpoint fqdn R1
② Phase 2 policy:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
③ Configure the interesting traffic:
ip access-list extended ×××
     permit ip 192.168.2.0 0.0.0.255 172.16.1.0 0.0.0.255
④ Configure the crypto map and apply it on the interface:
crypto map crymap 10 ipsec-isakmp
     set peer 202.100.2.10
     set transform-set transet
     set pfs group2
     match address ×××
     reverse-route
B. PIX80:
① Phase 1 policy:
crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
crypto isakmp identity hostname
tunnel-group 202.100.1.2 type ipsec-l2l
tunnel-group 202.100.1.2 ipsec-attributes
     ikev1 pre-shared-key cisco123
---Note: the tunnel-group can also be named after the peer's FQDN
② Phase 2 policy:
crypto ipsec ikev1 transform-set transet esp-3des esp-md5-hmac
③ Configure the interesting traffic and the NAT exemption:
access-list ××× extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list NONAT
④ Configure the crypto map and apply it on the interface:
crypto map crymap 10 match address ×××
crypto map crymap 10 set pfs
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set transform-set transet
crypto map crymap 10 set phase1-mode aggressive
crypto map crymap 10 set reverse-route
crypto map crymap interface Outside
⑤ Enable isakmp on the interface:
crypto isakmp enable Outside
六. Tests:
A. The ××× can only be brought up from the PAT side:
R4#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#
R1#PING 172.16.1.4 SOUrce 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 28/85/136 ms

B. The ESP traffic is seen encapsulated directly in IP:

[Image 2: Dynamic PAT through a router without NAT-T, the IPSec ××× is still established successfully]

C. Router R2 can be seen to have translated ESP automatically in both directions:
R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
esp 202.100.1.2:0      192.168.1.1:0      202.100.2.10:0     202.100.2.10:CEC6AC77
udp 202.100.1.2:1      192.168.1.1:500    202.100.2.10:500   202.100.2.10:500
esp 202.100.1.2:0      192.168.1.1:CCA11424 202.100.2.10:0   202.100.2.10:0
udp 202.100.1.2:500    202.100.1.2:500    202.100.2.10:500   202.100.2.10:500
D. After enabling NAT-T on the firewall, clearing the SAs and reconnecting, the capture shows ESP encapsulated in UDP:
---Command used: crypto isakmp nat-traversal 10
[Image 3: Dynamic PAT through a router without NAT-T, the IPSec ××× is still established successfully]
R1#ping 172.16.1.4 source 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/51/92 ms
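As an added example that is not part of the original post, the Python below models what tests B, C and D show: it classifies a captured IPv4 packet as ESP directly in IP (test B), ESP in UDP/4500 under NAT-T (test D) or IKE, and it models how R2 pairs ESP flows by SPI in the way the esp lines of show ip nat translations in test C suggest, which is also why only the PAT side can initiate (test A). The packet builders and the EspPat class are constructed for this example; only the addresses and SPIs are taken from the post.

```python
import socket
import struct
IPPROTO_UDP, IPPROTO_ESP = 17, 50
def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet as constructed sample input (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def esp(spi, seq=1):
    return struct.pack("!II", spi, seq) + b"<ciphertext>"

def classify(pkt):
    """Plain ESP (test B) vs NAT-T ESP on UDP/4500 (test D) vs IKE; returns (kind, spi)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == IPPROTO_ESP:                        # ESP right under IP: no ports, only an SPI
        return ("esp-in-ip", struct.unpack("!I", l4[:4])[0])
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        data = l4[8:]
        if 4500 in (sport, dport):
            if data[:4] == b"\x00\x00\x00\x00":     # non-ESP marker: IKE moved to 4500
                return ("ike-nat-t", None)
            return ("esp-in-udp", struct.unpack("!I", data[:4])[0])
        if 500 in (sport, dport):
            return ("ike", None)
    return ("other", None)

class EspPat:
    """Constructed model of R2 pairing ESP flows by SPI, as the esp lines of show ip nat translations suggest."""
    def __init__(self):
        self.out = {}      # (peer, outbound SPI) -> inside host
        self.pending = {}  # peer -> inside host whose return SPI is not known yet
        self.inb = {}      # (peer, inbound SPI) -> inside host

    def outbound(self, inside_host, peer, spi):
        self.out[(peer, spi)] = inside_host
        self.pending.setdefault(peer, inside_host)
        return inside_host
    def inbound(self, peer, spi):
        host = self.inb.get((peer, spi))
        if host is None:
            host = self.pending.pop(peer, None)  # first reply from the peer: learn its SPI
            if host is None:
                return None                      # unsolicited ESP: no entry, packet dropped
            self.inb[(peer, spi)] = host
        return host
```

Because an inbound ESP packet can only be matched to a host that already sent ESP to that peer, the model drops R4's unsolicited traffic exactly as test A shows, and a second inside host using the same peer could not be told apart.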