一.测试拓扑
参考链接:
二.配置步骤
1.基本配置
A.PC1:
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254
B.Site1:
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 172.16.1.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.10
C.Internet:
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 61.128.1.10 255.255.255.0
no shutdown
D.strongSwan:
ip route add 172.16.1.0/24 via 61.128.1.10 dev ens37
ip route add 202.100.1.1/32 via 61.128.1.10 dev ens37
echo 1 > /proc/sys/net/ipv4/ip_forward
yum install -y strongSwan
E.VyOS:
set interfaces ethernet eth0 address 172.16.2.1/24
set protocols static 0.0.0.0/0 next-hop 172.16.2.254
commit
save
2.IKEv1配置
A.Site1:
第一阶段策略:
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
crypto isakm key 0 Cisc0123 address 61.128.1.1
第二阶段转换集:
crypto ipsec transform-set transet esp-aes esp-md5-hmac
配置感兴趣流:
ip access-list extended VPN
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
配置crypto map并在接口应用:
crypto map crymap 10 ipsec-isakmp
set peer 61.128.1.1
set transform-set transet
match address VPN
interface Ethernet0/0
crypto map crymap
B.strongSwan:
vi /etc/strongswan/ipsec.conf 添加如下内容
conn %default ikelifetime=1440m keylife=60m rekeymargin=3m keyingtries=1 keyexchange=ikev1 authby=secret conn ciscoios left=61.128.1.1 #strongswan outside address leftsubnet=172.16.2.0/24 #network behind strongswan leftid=61.128.1.1 #IKEID sent by strongswan leftfirewall=yes right=202.100.1.1 #IOS outside address rightsubnet=172.16.1.0/24 #network behind IOS rightid=202.100.1.1 #IKEID sent by IOS auto=add ike=aes128-md5-modp1536 #P1: modp1536 = DH group 5 esp=aes128-md5 #P2 |
vi /etc/strongswan/ipsec.secrets 添加如下内容
61.128.1.1 202.100.1.1 : PSK cisco |
从如下日志来看,strongswan应该不支持2des
[root@localhost /]# tail -f /var/log/messages
Dec 25 00:17:31 localhost charon: 11[CFG] received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
Dec 25 00:17:31 localhost charon: 11[CFG] configured proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 25 00:17:31 localhost charon: 11[IKE] no proposal found
Dec 25 00:29:36 localhost charon: 11[CFG] received proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Dec 25 00:29:36 localhost charon: 11[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Dec 25 00:29:36 localhost charon: 11[IKE] received 4608000000 lifebytes, configur
3.IKEv2配置
A.Site1:
第一阶段策略:
crypto ikev2 proposal ikev2proposal
encryption aes-cbc-128
integrity md5
group 5
crypto ikev2 policy ikev2policy
match fvrf any
proposal ikev2proposal
crypto ikev2 keyring keys
peer strongswan
address 61.128.1.1
pre-shared-key local cisco
pre-shared-key remote cisco
crypto ikev2 profile ikev2profile
match identity remote address 61.128.1.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local keys
第二阶段转换集:
crypto ipsec transform-set transet esp-aes esp-md5-hmac
配置感兴趣流:
ip access-list extended VPN
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
配置crypto map并在接口应用:
crypto map crymap 10 ipsec-isakmp
set peer 61.128.1.1
set transform-set transet
set ikev2-profile ikev2profile
match address VPN
interface Ethernet0/0
crypto map crymap
B.strongSwan:
vi /etc/strongswan/ipsec.conf 添加如下内容
conn %default ikelifetime=1440m keylife=60m rekeymargin=3m keyingtries=1 keyexchange=ikev1 authby=secret conn ciscoiosIKEv2 left=61.128.1.1 #strongswan outside address leftsubnet=172.16.2.0/24 #network behind strongswan leftid=61.128.1.1 #IKEID sent by strongswan leftfirewall=yes right=202.100.1.1 #IOS outside address rightsubnet=172.16.1.0/24 #network behind IOS rightid=202.100.1.1 #IKEID sent by IOS auto=add ike=aes128-md5-modp1536 #P1: modp1536 = DH group 5 esp=aes128-md5 #P2 keyexchange=ikev2 |
vi /etc/strongswan/ipsec.secrets 添加如下内容
61.128.1.1: PSK "cisco" 61202.100.1.1 : PSK "cisco" |
备注:更改完配置文件,需要systemctl restart strongswan重启服务
三.验证
1.验证IKEV1
A.PC1ping对端地址,可以ping通
PC1#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
PC1#
B.从strongSwan所在Centos7主机上能看到VPN建立的日志
Dec 25 00:35:34 localhost charon: 15[CFG] selected proposal: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
Dec 25 00:35:34 localhost charon: 15[ENC] generating ID_PROT response 0 [ SA V V V ]
Dec 25 00:35:34 localhost charon: 15[NET] sending packet: from 61.128.1.1[500] to 202.100.1.1[500] (140 bytes)
Dec 25 00:35:34 localhost charon: 11[NET] received packet: from 202.100.1.1[500] to 61.128.1.1[500] (340 bytes)
Dec 25 00:35:34 localhost charon: 11[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]
Dec 25 00:35:34 localhost charon: 11[IKE] received DPD vendor ID
Dec 25 00:35:34 localhost charon: 11[ENC] received unknown vendor ID: a6:94:1b:58:56:15:39:a8:e9:00:2f:56:20:af:7a:5b
Dec 25 00:35:34 localhost charon: 11[IKE] received XAuth vendor ID
Dec 25 00:35:34 localhost charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 25 00:35:34 localhost charon: 11[NET] sending packet: from 61.128.1.1[500] to 202.100.1.1[500] (300 bytes)
Dec 25 00:35:34 localhost charon: 16[NET] received packet: from 202.100.1.1[500] to 61.128.1.1[500] (92 bytes)
Dec 25 00:35:34 localhost charon: 16[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Dec 25 00:35:34 localhost charon: 16[CFG] looking for pre-shared key peer configs matching 61.128.1.1...202.100.1.1[202.100.1.1]
Dec 25 00:35:34 localhost charon: 16[CFG] selected peer config "ciscoios"
Dec 25 00:35:34 localhost charon: 16[IKE] IKE_SA ciscoios[31] established between 61.128.1.1[61.128.1.1]...202.100.1.1[202.100.1.1]
2.验证IKEV2
A.PC1ping对端地址,可以ping通
PC1#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
B.Site1查看IKEv2会话
Site1#show crypto ikev2 session
IPv4 Crypto IKEv2 Session
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
1 202.100.1.1/500 61.128.1.1/500 none/none READY
Encr: AES-CBC, keysize: 128, PRF: MD5, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/206 sec
Child sa: local selector 172.16.1.0/0 - 172.16.1.255/65535
remote selector 172.16.2.0/0 - 172.16.2.255/65535
ESP spi in/out: 0xE1B16AEF/0xCB05F5FA
IPv6 Crypto IKEv2 Session
推荐本站淘宝优惠价购买喜欢的宝贝:
本文链接:https://www.hqyman.cn/post/8617.html 非本站原创文章欢迎转载,原创文章需保留本站地址!
休息一下~~