This article describes how to write the IPsec connection configuration for the customer's on-premises VPN gateway when that gateway is a Cisco firewall.
Note
Configuration files for different models from the same vendor may differ; this article is only a reference example, so consult the firewall vendor for model-specific syntax. The pre-shared key used here is a demonstration value chosen for readability; configure a stronger pre-shared key in practice. Likewise, the MD5 integrity algorithm and DH group 1 appear below only because they match this example's cloud-side policy; where both ends support it, prefer a SHA-2 integrity algorithm and DH group 14 or higher. Whatever you choose, the algorithms, lifetimes and identities must be identical on both ends, since any mismatch causes the IKE or IPsec negotiation to fail.
Pre-shared key: test@1234
Routing mode: interesting traffic (policy-based)
Local subnets: 1.1.1.1/32, 172.1.1.1/32
Remote subnets: 2.2.2.2/32, 3.3.3.3/32, 4.4.4.4/32
IKE configuration
Parameter | Value |
---|---|
Integrity (authentication) algorithm | md5 |
Encryption algorithm | aes192 |
DH group | group1 |
Negotiation mode | main (applies to IKEv1 only; IKEv2 has no main/aggressive distinction) |
Version | ikev2 |
Lifetime (seconds) | 86400 |
Local ID | 119.XX.XX.94 |
Remote ID | 180.XX.XX.137 |
IPsec configuration
Parameter | Value |
---|---|
Integrity (authentication) algorithm | md5 |
Encryption algorithm | aes192 |
DH group (PFS) | group1 |
Lifetime (seconds) | 3600 |
Note
The tables above are the cloud-side configuration: "local" and "Local" refer to the cloud VPN gateway, and "remote" and "Remote" refer to the customer's on-premises VPN gateway. In the firewall configuration below the roles are reversed: "local" means the on-premises side and "remote" means the cloud side. In practice this means the console's Remote ID (180.XX.XX.137) becomes the firewall's own identity and the console's Local ID (119.XX.XX.94) becomes the identity the firewall expects from its peer; if the two are copied without swapping, IKE identity matching fails and the tunnel never reaches phase 2.
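The role reversal described in the note above is easy to get wrong when copying values out of the console, so here is an added example (not part of the original page and not the vendor's tooling) that reads a Cisco IKEv2 configuration and checks it against the console-side tables: identities must be swapped, the pre-shared key must match on both `local` and `remote`, and the algorithms and lifetimes must agree. The sample configurations, the `ENCRYPTION_TOKENS` mapping from console names to IOS proposal tokens, and the function names are assumptions made for this example.

```python
import re

# Console-side values, taken from the IKE and IPsec tables on this page.
CLOUD = {
    "local_id": "119.XX.XX.94",    # console "Local ID"  = cloud VPN gateway
    "remote_id": "180.XX.XX.137",  # console "Remote ID" = on-premises gateway
    "psk": "test@1234",            # demo key only; in practice read it from a secret store
    "ike_encryption": "aes192", "ike_integrity": "md5", "ike_group": "1",
    "ike_lifetime": "86400", "ipsec_pfs": "group1", "ipsec_lifetime": "3600",
}

# Assumed mapping from console algorithm names to IOS IKEv2 proposal tokens.
ENCRYPTION_TOKENS = {"aes128": "aes-cbc-128", "aes192": "aes-cbc-192",
                     "aes256": "aes-cbc-256", "3des": "3des"}

# Constructed on-premises IKEv2 configuration with the roles correctly reversed.
GOOD_CONFIG = """
crypto ikev2 proposal ikev2proposal
 encryption aes-cbc-192
 integrity md5
 group 1
crypto ikev2 keyring keys
 peer cloudvpn
  address 119.XX.XX.94
  pre-shared-key local test@1234
  pre-shared-key remote test@1234
crypto ikev2 profile ikev2profile
 identity local address 180.XX.XX.137
 match identity remote address 119.XX.XX.94
 lifetime 86400
crypto map cmap 10 ipsec-isakmp
 set pfs group1
 set security-association lifetime seconds 3600
"""

# The same configuration with the console's Local/Remote IDs copied without swapping.
SWAPPED_ID_CONFIG = GOOD_CONFIG.replace(
    "identity local address 180.XX.XX.137", "identity local address 119.XX.XX.94").replace(
    "match identity remote address 119.XX.XX.94", "match identity remote address 180.XX.XX.137")

# One regex per field of interest; each is anchored at line start so that, e.g.,
# "lifetime" in the profile is not confused with the IPsec SA lifetime under the crypto map.
FIELDS = {
    "identity_local": r"^\s*identity local address (\S+)",
    "match_remote": r"^\s*match identity remote address (\S+)",
    "peer_address": r"^\s*address (\S+)",
    "psk_local": r"^\s*pre-shared-key local (\S+)",
    "psk_remote": r"^\s*pre-shared-key remote (\S+)",
    "encryption": r"^\s*encryption (\S+)",
    "integrity": r"^\s*integrity (\S+)",
    "group": r"^\s*group (\d+)",
    "ike_lifetime": r"^\s*lifetime (\d+)",
    "pfs": r"^\s*set pfs (\S+)",
    "ipsec_lifetime": r"^\s*set security-association lifetime seconds (\d+)",
}


def parse_config(text: str) -> dict:
    """Extract the first value of each field; None marks a field that is missing entirely."""
    found = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        found[name] = m.group(1) if m else None
    return found


def check_against_console(cloud: dict, config_text: str) -> list:
    """Return a list of mismatch messages; an empty list means the config mirrors the console."""
    parsed = parse_config(config_text)
    expected = {
        # Sides are reversed: the console's Remote ID is this device's own identity,
        # and the console's Local ID is the peer identity it must match.
        "identity_local": cloud["remote_id"],
        "match_remote": cloud["local_id"],
        "peer_address": cloud["local_id"],
        "psk_local": cloud["psk"],
        "psk_remote": cloud["psk"],
        "encryption": ENCRYPTION_TOKENS[cloud["ike_encryption"]],
        "integrity": cloud["ike_integrity"],
        "group": cloud["ike_group"],
        "ike_lifetime": cloud["ike_lifetime"],
        "pfs": cloud["ipsec_pfs"],
        "ipsec_lifetime": cloud["ipsec_lifetime"],
    }
    return [f"{field}: config has {parsed[field]!r}, console expects {value!r}"
            for field, value in expected.items() if parsed[field] != value]


if __name__ == "__main__":
    print("good config:", check_against_console(CLOUD, GOOD_CONFIG) or "consistent")
    for problem in check_against_console(CLOUD, SWAPPED_ID_CONFIG):
        print("swapped IDs:", problem)
```

Run it against the actual `show running-config` output before bringing the tunnel up; the two messages reported for the swapped configuration are exactly the symptom that otherwise only surfaces as an IKE authentication failure in the debug log.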
IKEv2 configuration

The following matches the IKE and IPsec tables above. Lines beginning with `!` are comments and are ignored by the Cisco CLI; the other lines can be pasted in configuration mode. Addresses are written from the firewall's point of view (180.XX.XX.137 is this device, 119.XX.XX.94 is the cloud VPN gateway).

```
! IKEv2 proposal: encryption, integrity and DH group for the IKE SA
crypto ikev2 proposal ikev2proposal
 encryption aes-cbc-192
 integrity md5
 group 1
crypto ikev2 policy ikev2policy
 proposal ikev2proposal
! Keyring: pre-shared keys for the cloud VPN gateway peer
crypto ikev2 keyring keys
 peer strongswan
  address 119.XX.XX.94
  pre-shared-key local test@1234
  pre-shared-key remote test@1234
! IKEv2 profile: this device's identity, the expected peer identity, and the IKE SA lifetime
crypto ikev2 profile ikev2profile
 identity local address 180.XX.XX.137
 match identity remote address 119.XX.XX.94
 authentication remote pre-share
 authentication local pre-share
 keyring local keys
 lifetime 86400
! IPsec transform set: ESP with AES-192 encryption and MD5 HMAC
crypto ipsec transform-set vsr esp-aes 192 esp-md5-hmac
! Crypto ACL: one entry per (on-premises subnet, cloud subnet) pair, on-premises side as source
access-list 101 permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 2.2.2.2 0.0.0.0 172.1.1.1 0.0.0.0
access-list 101 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 3.3.3.3 0.0.0.0 172.1.1.1 0.0.0.0
access-list 101 permit ip 4.4.4.4 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 4.4.4.4 0.0.0.0 172.1.1.1 0.0.0.0
! Crypto map: peer, transform set, profile, ACL, PFS group and IPsec SA lifetime
crypto map cmap 10 ipsec-isakmp
 set peer 119.XX.XX.94
 set transform-set vsr
 set ikev2-profile ikev2profile
 match address 101
 set pfs group1
 set security-association lifetime seconds 3600
! Outside interface of the on-premises gateway
interface myport1
 ip address 180.XX.XX.137 255.255.255.0
 crypto map cmap
! Static routes from the on-premises firewall toward the cloud subnets
ip route 172.1.1.1 255.255.255.255 119.XX.XX.94
ip route 1.1.1.1 255.255.255.255 119.XX.XX.94
```
IKEv1 (ISAKMP) configuration

The following follows the layout of the downloadable configuration template. VPC uses unique identifiers to manage the configuration of a VPN connection: each VPN connection is assigned an identifier and is associated with a Virtual Private Gateway identifier and a User Gateway IP.

Your VPN Connection ID: 37315 (ID of the IPsec connection to the on-premises firewall)
Your Virtual Private Gateway ID: 23850 (ID of the cloud VPN gateway the connection belongs to)
Your User Gateway IP: 180.XX.XX.137 (public IP of the on-premises gateway; this is the Remote ID configured for the IPsec connection in the console)

To configure an IKE-based IPsec tunnel, perform the following tasks:

#1: Internet Key Exchange (IKE) configuration

A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman and key parameters. An IKE proposal defines a set of attributes describing how IKE negotiation in phase 1 takes place. There is a built-in default IKE proposal with the following parameters:

Authentication algorithm | Encryption algorithm | Diffie-Hellman group | Duration (seconds) |
---|---|---|---|
SHA | DES | Group 1 | 86400 |

The policy below overrides those defaults to match the cloud-side IKE table (the ISAKMP policy takes the plain algorithm names `aes 192` and `md5`; the `esp-` names belong to the IPsec transform set, not here):

```
crypto isakmp policy 1
 authentication pre-share
 encryption aes 192
 hash md5
 group 1
 lifetime 86400
```

The ISAKMP keyring stores the pre-shared key used to authenticate the tunnel endpoints:

```
crypto keyring 1
 pre-shared-key address 119.XX.XX.94 key test@1234
```

An ISAKMP profile associates the keyring with a particular endpoint. IKE phase 1 uses main mode, which is the IOS default (aggressive mode would have to be enabled explicitly with `initiate mode aggressive`, and is not configured here). The IP address of the user gateway is the local ID, and the WAN IP address of the cloud VPN gateway is the remote ID:

```
crypto isakmp profile 1
 keyring 1
 ! self-identity address uses the IP of the interface the crypto map is applied to (180.XX.XX.137)
 self-identity address
 match identity address 119.XX.XX.94
```

#2: IPsec configuration

By default, the time-based IPsec SA lifetime is 3600 seconds. The IPsec transform set defines the encryption, authentication and IPsec mode parameters; IP packets are encapsulated in tunnel mode, which is the default:

```
crypto ipsec transform-set vsr esp-aes 192 esp-md5-hmac
```

IPsec uses access lists to identify the traffic to be protected. Configure the access list to identify the data flows; each on-premises subnet must be paired with each cloud subnet, one entry per pair, with the on-premises subnet as the source:

```
access-list 101 permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 2.2.2.2 0.0.0.0 172.1.1.1 0.0.0.0
access-list 101 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 3.3.3.3 0.0.0.0 172.1.1.1 0.0.0.0
access-list 101 permit ip 4.4.4.4 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 4.4.4.4 0.0.0.0 172.1.1.1 0.0.0.0
```

The IPsec crypto map references the transform set, the ISAKMP profile and the access list. PFS is enabled with DH group 1 (`set pfs group1`), matching the DH group in the IPsec table; the cloud side must use the same PFS group or phase 2 fails:

```
crypto map 1 1 ipsec-isakmp
 set peer 119.XX.XX.94
 set transform-set vsr
 set isakmp-profile 1
 match address 101
 set pfs group1
 set security-association lifetime seconds 3600
```

#3: Interface configuration

Apply the crypto map to the outside interface of the on-premises gateway. All traffic routed to this interface that matches access-list 101 is encrypted and sent to the VPC, and traffic from the VPC is received on this interface:

```
interface myporttest1
 ip address 180.XX.XX.137 255.255.255.0
 crypto map 1
```

#4: Routing configuration

Configure static routes or a routing protocol so that the cloud subnets are reachable through the interconnection between the Virtual Private Gateway and your user gateway (IOS static routes take a dotted netmask, not CIDR notation):

```
ip route 172.1.1.1 255.255.255.255 119.XX.XX.94
ip route 1.1.1.1 255.255.255.255 119.XX.XX.94
```
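Both configuration variants above require one access-list entry per (on-premises subnet, cloud subnet) pair and one static route per cloud subnet. The following added example (not part of the original page or the vendor's template) generates those lines from two subnet lists, converting prefix lengths to the inverted wildcard masks Cisco ACLs use and rejecting prefixes with host bits set, which is a common copy-and-paste error. It goes slightly beyond the page's /32 hosts by handling arbitrary prefix lengths; the function names and the `mirror_for_cloud` helper are assumptions made for this example.

```python
from __future__ import annotations

import ipaddress
from itertools import product

# Constructed inputs: the subnets from this page, named from the firewall's point of view.
# What the console calls "local" is the cloud side, so it is the ACL destination here.
CLOUD_SUBNETS = ["1.1.1.1/32", "172.1.1.1/32"]               # console "local" subnets
ONPREM_SUBNETS = ["2.2.2.2/32", "3.3.3.3/32", "4.4.4.4/32"]  # console "remote" subnets


def wildcard(net: ipaddress.IPv4Network) -> str:
    """Cisco ACLs take an inverted mask: /32 -> 0.0.0.0, /24 -> 0.0.0.255."""
    return str(net.hostmask)


def crypto_acl(number: int, onprem: list[str], cloud: list[str]) -> list[str]:
    """Emit one 'permit ip' entry per (on-premises, cloud) pair, on-premises side as source.

    ip_network() is called in strict mode, so a prefix like 10.0.0.5/24 raises
    ValueError instead of silently producing an ACE that matches the wrong hosts.
    """
    lines = []
    for src, dst in product(onprem, cloud):
        s = ipaddress.ip_network(src, strict=True)
        d = ipaddress.ip_network(dst, strict=True)
        lines.append(f"access-list {number} permit ip "
                     f"{s.network_address} {wildcard(s)} "
                     f"{d.network_address} {wildcard(d)}")
    return lines


def static_routes(cloud: list[str], next_hop: str) -> list[str]:
    """One static route per cloud subnet toward the cloud VPN gateway (dotted netmask, not CIDR)."""
    return [f"ip route {n.network_address} {n.netmask} {next_hop}"
            for n in map(ipaddress.ip_network, cloud)]


def mirror_for_cloud(onprem: list[str], cloud: list[str]) -> list[tuple[str, str]]:
    """The traffic-selector pairs the cloud side must configure: same pairs, sides swapped.

    If the cloud side lists a pair the firewall does not (or vice versa), phase 2
    fails for that pair with a traffic-selector mismatch, so the two lists must agree.
    """
    return [(c, o) for o, c in product(onprem, cloud)]


if __name__ == "__main__":
    for line in crypto_acl(101, ONPREM_SUBNETS, CLOUD_SUBNETS):
        print(line)
    for line in static_routes(CLOUD_SUBNETS, "119.XX.XX.94"):
        print(line)
    print(mirror_for_cloud(ONPREM_SUBNETS, CLOUD_SUBNETS))
```

For the page's subnets this reproduces the six access-list entries and two routes shown above in the same order; the `mirror_for_cloud` output is the list to compare against the console's local/remote subnet pairs before you enable the connection.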