27
2024
11
16:22:55

Cisco IOS与strongSwan之间配置IKEv1/IKEv2 L2L VPN测试

一.测试拓扑
参考链接:
二.配置步骤
1.基本配置
A.PC1:
interface Ethernet0/0
    ip address 172.16.1.1 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254
B.Site1:
interface Ethernet0/0
    ip address 202.100.1.1 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 172.16.1.254 255.255.255.0
    no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.10
C.Internet:
interface Ethernet0/0
    ip address 202.100.1.10 255.255.255.0
    no shutdown
interface Ethernet0/1
    ip address 61.128.1.10 255.255.255.0
    no shutdown
D.strongSwan:
ip route add 172.16.1.0/24 via 61.128.1.10 dev ens37
ip route add 202.100.1.1/32 via 61.128.1.10 dev ens37
echo 1 > /proc/sys/net/ipv4/ip_forward
yum install -y strongSwan
E.VyOS:
set interfaces ethernet eth0 address 172.16.2.1/24
set protocols static 0.0.0.0/0 next-hop 172.16.2.254
commit
save
2.IKEv1配置
A.Site1:
第一阶段策略:
crypto isakmp policy 10
    encr aes
    hash md5
    authentication pre-share
    group 2
crypto isakm key 0 Cisc0123 address 61.128.1.1
第二阶段转换集:
crypto ipsec transform-set transet esp-aes esp-md5-hmac
配置感兴趣流:
ip access-list extended VPN
    permit ip 1.1.1.0 0.0.0.255 2.2.2.0  0.0.0.255
配置crypto map并在接口应用:
crypto map crymap 10 ipsec-isakmp
    set peer 61.128.1.1
    set transform-set transet
    match address VPN
interface Ethernet0/0
    crypto map crymap
B.strongSwan:
vi  /etc/strongswan/ipsec.conf 添加如下内容
conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
conn ciscoios
        left=61.128.1.1                   #strongswan outside address
        leftsubnet=172.16.2.0/24         #network behind strongswan
        leftid=61.128.1.1                #IKEID sent by strongswan
        leftfirewall=yes
        right=202.100.1.1                 #IOS outside address
        rightsubnet=172.16.1.0/24        #network behind IOS
        rightid=202.100.1.1               #IKEID sent by IOS
        auto=add
        ike=aes128-md5-modp1536           #P1: modp1536 = DH group 5
        esp=aes128-md5                    #P2
vi /etc/strongswan/ipsec.secrets 添加如下内容
61.128.1.1 202.100.1.1 : PSK cisco

从如下日志来看,strongswan应该不支持2des
[root@localhost /]# tail -f /var/log/messages
Dec 25 00:17:31 localhost charon: 11[CFG] received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
Dec 25 00:17:31 localhost charon: 11[CFG] configured proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 25 00:17:31 localhost charon: 11[IKE] no proposal found
Dec 25 00:29:36 localhost charon: 11[CFG] received proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Dec 25 00:29:36 localhost charon: 11[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Dec 25 00:29:36 localhost charon: 11[IKE] received 4608000000 lifebytes, configur
3.IKEv2配置
A.Site1:
第一阶段策略:
crypto ikev2 proposal ikev2proposal
    encryption aes-cbc-128
    integrity md5
    group 5
crypto ikev2 policy ikev2policy
    match fvrf any
    proposal ikev2proposal
crypto ikev2 keyring keys
    peer strongswan
      address 61.128.1.1
      pre-shared-key local cisco
      pre-shared-key remote cisco
crypto ikev2 profile ikev2profile
    match identity remote address 61.128.1.1 255.255.255.255
    authentication remote pre-share
    authentication local pre-share
    keyring local keys
第二阶段转换集:
crypto ipsec transform-set transet esp-aes esp-md5-hmac
配置感兴趣流:
ip access-list extended VPN
    permit ip 1.1.1.0 0.0.0.255 2.2.2.0  0.0.0.255
配置crypto map并在接口应用:
crypto map crymap 10 ipsec-isakmp
    set peer 61.128.1.1
    set transform-set transet
     set ikev2-profile ikev2profile
    match address VPN
interface Ethernet0/0
    crypto map crymap
B.strongSwan:
vi  /etc/strongswan/ipsec.conf 添加如下内容
conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
conn ciscoiosIKEv2
        left=61.128.1.1                   #strongswan outside address
        leftsubnet=172.16.2.0/24         #network behind strongswan
        leftid=61.128.1.1                #IKEID sent by strongswan
        leftfirewall=yes
        right=202.100.1.1                 #IOS outside address
        rightsubnet=172.16.1.0/24        #network behind IOS
        rightid=202.100.1.1               #IKEID sent by IOS
        auto=add
        ike=aes128-md5-modp1536           #P1: modp1536 = DH group 5
        esp=aes128-md5                    #P2
        keyexchange=ikev2
vi /etc/strongswan/ipsec.secrets 添加如下内容
61.128.1.1: PSK "cisco"
61202.100.1.1 : PSK "cisco"
备注:更改完配置文件,需要systemctl restart strongswan重启服务
三.验证
1.验证IKEV1
A.PC1ping对端地址,可以ping通
PC1#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
PC1#
B.从strongSwan所在Centos7主机上能看到VPN建立的日志
Dec 25 00:35:34 localhost charon: 15[CFG] selected proposal: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
Dec 25 00:35:34 localhost charon: 15[ENC] generating ID_PROT response 0 [ SA V V V ]
Dec 25 00:35:34 localhost charon: 15[NET] sending packet: from 61.128.1.1[500] to 202.100.1.1[500] (140 bytes)
Dec 25 00:35:34 localhost charon: 11[NET] received packet: from 202.100.1.1[500] to 61.128.1.1[500] (340 bytes)
Dec 25 00:35:34 localhost charon: 11[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]
Dec 25 00:35:34 localhost charon: 11[IKE] received DPD vendor ID
Dec 25 00:35:34 localhost charon: 11[ENC] received unknown vendor ID: a6:94:1b:58:56:15:39:a8:e9:00:2f:56:20:af:7a:5b
Dec 25 00:35:34 localhost charon: 11[IKE] received XAuth vendor ID
Dec 25 00:35:34 localhost charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 25 00:35:34 localhost charon: 11[NET] sending packet: from 61.128.1.1[500] to 202.100.1.1[500] (300 bytes)
Dec 25 00:35:34 localhost charon: 16[NET] received packet: from 202.100.1.1[500] to 61.128.1.1[500] (92 bytes)
Dec 25 00:35:34 localhost charon: 16[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Dec 25 00:35:34 localhost charon: 16[CFG] looking for pre-shared key peer configs matching 61.128.1.1...202.100.1.1[202.100.1.1]
Dec 25 00:35:34 localhost charon: 16[CFG] selected peer config "ciscoios"
Dec 25 00:35:34 localhost charon: 16[IKE] IKE_SA ciscoios[31] established between 61.128.1.1[61.128.1.1]...202.100.1.1[202.100.1.1]
2.验证IKEV2
A.PC1ping对端地址,可以ping通
PC1#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
B.Site1查看IKEv2会话
Site1#show crypto ikev2 session
IPv4 Crypto IKEv2 Session
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         202.100.1.1/500       61.128.1.1/500        none/none            READY  
      Encr: AES-CBC, keysize: 128, PRF: MD5, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/206 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 172.16.2.0/0 - 172.16.2.255/65535
          ESP spi in/out: 0xE1B16AEF/0xCB05F5FA  
IPv6 Crypto IKEv2 Session




推荐本站淘宝优惠价购买喜欢的宝贝:

image.png

本文链接:https://www.hqyman.cn/post/8617.html 非本站原创文章欢迎转载,原创文章需保留本站地址!

分享到:
打赏





休息一下~~


« 上一篇 下一篇 »

发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

请先 登录 再评论,若不是会员请先 注册

您的IP地址是: