马上注册成为ROSABC会员,随时发帖回复。
您需要 登录 才可以下载或查看,没有账号?会员注册
x
site to site ipsec vpn.
最近一个案例中做了个ROS软路由 和 dlink 808hv做site to site vpn,看了这个论坛不知为什么好像对ipsec 说的比较少,其实做site to site vpn用ipsec才是比较自然的。
如有以下两网络需用vpn互联,
10.10.0.0/16—ROS软路由_a—61.132.118.68———internet——-61.177.7.1—ROS软路由_b—192.168.0.1/24
ROS软路由_a:
ip ipsec peer add address=61.177.7.1 secret=123
ip ipsec policy add src-address=10.10.0.0/16 dst-address=192.168.0.0/24 sa-src-address=61.132.118.68 sa-dst-address=61.177.7.1
ROS软路由_b:
ip ipsec peer add address=61.132.118.68 secret=123
ip ipsec policy add src-address=192.168.0.0/24 dst-address=10.10.0.0/16 sa-src-address=61.177.7.1 sa-dst-address=61.132.118.68
(注意为了方便这里对ipsec 相应一系列协议都使用了默认,但两边一定要一样,具体在ip ipsec 的policies peers proposals中设置。)
这样你就会在两端在log和ipsec installed sas和remote peer中看到已联上的相关信息,但发现还不能互访对方端域网。
这是由于两边内网做到对端内网的访问时如10.10.10.10对192.168.0.4访问,当数据包到ROS软路由_a时面临几个选择,一是直接路由,二是使用默认路由,由于这个目地址不是ROS软路由_a不是直接相联的网络,一定是走的默认路由即对外网的访问,由于我们设对外网访问一定用nat或 masquerade,两且做这个时为了方便一般是在ip firewall中做如下策略0.0.0.0/0或内网段到0.0.0.0/0 action masquerade或nat,这就出问题了,因为路由器对数据是否走ipsec是在之后做出决定的,现在这个数据包到路由器发现源地址目地址匹配ip firewall中的action masquerade或nat的相关源地址目地址,于是这个数据包先被action 了masquerade或nat,于是源地址发生改变,不匹配ip ipsec policy中的源地址目地址,所以不再会用ipsec封装而远入ipsec tunel,而是被默认路由路由到internat 去了,这样去192.168.0.4当然不会到达了。
说了这么罗嗦,其实解决很简单,就是不要让本内网到彼内网的数据包做 nat/masquerade以至改变了源地址,那就是让这种要走ipsec tunel的包不要nat/masquerade,即在ip firewall policy的/masquerade策略前加一个相应数据流的accept,如在ROS软路由_a加ip ipsec policy add src-address=10.10.0.0/16 dst-address=192.168.0.0/24 action=accept。ROS软路由_b加ip ipsec policy add src-address=192.168.0.0/24 dst-address=10.10.0.0/16 action=accept。
今天做了一个RouteROS软路由和Cisco路由器IPSec VPN互连的实验,拓扑结构如下:
10.1.1.0/24----RouteROS软路由--192.168.1.18/24192.168.1.28/24--Cisco1721---10.1.2.0/24
RouteROS软路由通过Ethernet1连接Cisco1721的快速以太网接口,Cisco1721的10M以太网接口作为本地网络接口(模拟内网)。
Cisco 1721的详细配置:
====================================
Cisco1721#sh run
Building configuration...
Current configuration : 1482 bytes
!
! Last configuration change at 17:39:11 Bejing Thu Sep 30 2004
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1721
!
logging buffered 51200 warnings
enable secret 5 **************
!
username sdm privilege 15 password 0 sdm
clock timezone Bejing 8
ip subnet-zero
!
!
ip telnet source-interface Ethernet0
ip domain name yourdomain.com
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 192.168.1.18
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 192.168.1.18
set transform-set myset
set pfs group2
match address 101
!
!
!
interface Ethernet0
ip address 10.1.2.1 255.255.255.0
half-duplex
no keepalive
!
interface FastEthernet0
ip address 192.168.1.28 255.255.255.0
speed auto
crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip http server
ip http authentication local
ip http secure-server
!
!
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
!
end
RouteROS软路由的大致配置过程:
================================
RouteROS软路由是在Vmware中进行测试了,虚拟了两个接口Ether1和Ethernet2, Ether1 的ip地址为192.168.1.18/24, Ether2的ip地址为10.1.1.1/24。
IPSec部分的配置命令为:
1)设置IKE Phase1的具体参数:
/ip ipsec peer add address=192.168.1.28 secret="cisco123" enc-algorithm=des
2)设置IKE Phase2的具体参数:
主要设置包括加密传输的算法和认证方式,缺省的auth-algorithm是sha1
/ip ipsec proposal set default enc-alogrithms=des
3)详细设置需要加密的数据流及IPSecVPN的方式:Tunnel/Transport Mode等
/ip ipsec policy add src-address=10.1.1.0/24 dst-address=10.1.2.0/24 action=encrypt tunnel=yes sa-src=192.168.1.18 sa-dst=192.168.1.28
另外,如果为了采用更强的加密方式3DES, 修改两者的IKE Phase1和Phase2的参数就可以了,但一定要匹配,才能保证IKE SA和IPSec SA的成功建立。
Cisco路由器的IPSec SA信息:
======================================
Cisco1721#sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: mymap, local addr. 192.168.1.28
protected vrf:
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 192.168.1.18:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 56, #pkts encrypt: 56, #pkts digest 56
#pkts decaps: 48, #pkts decrypt: 48, #pkts verify 48
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.28, remote crypto endpt.: 192.168.1.18
path mtu 1500, media mtu 1500
current outbound spi: D2B7C901
inbound esp sas:
spi: 0x1FC07E86(532708998)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 200, flow_id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4424615/1005)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD2B7C901(3535259905)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 201, flow_id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4424615/1005)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
Cisco1721#
RouteROS软路由的IPSec SA信息:
============================================
[admin@MikroTik] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs, M - manual
0 E spi=0x1FC07E86 direction=out src-address=192.168.1.18 dst-address=192.168.1.28 auth-algorithm=sha1
enc-algorithm=des replay=4 state=mature auth-key="88309c224c6ed89360737f9052b8ca3465d73e4a"
enc-key="eef065a84c5ae446" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=38252052/423624704
current-addtime=oct/07/2004 22:59:28 current-usetime=oct/07/2004 22:59:29 current-bytes=5184
1 E spi=0xD2B7C901 direction=in src-address=192.168.1.28 dst-address=192.168.1.18 auth-algorithm=sha1
enc-algorithm=des replay=4 state=mature auth-key="b8b7144e6cbeb3fc1960452c4da244726ef17dd8"
enc-key="9c8fd493ea2da1ec" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=38252052/423624704
current-addtime=oct/07/2004 22:59:28 current-usetime=oct/07/2004 22:59:29 current-bytes=4960
[admin@MikroTik] > |
发表于 2010-6-24 06:41:18