VPN (下)
{Back to Index}  

Table of Contents

1 IKEv2 1

1.1 配置示例

ikev2.png

Figure 1: 实验拓扑

初始配置
查看 Branch 信息 
Branch#sh crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set My_Transform_Set_1: { esp-des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

Transform set My_Transform_Set_2: { esp-3des esp-sha256-hmac  }
   will negotiate = { Tunnel,  },
Branch#sh crypto ikev2 policy

 IKEv2 policy : My_Policy
      Match fvrf  : global
      Match address local : any
      Proposal    : My_Proposal

 IKEv2 policy : default
      Match fvrf : any
      Match address local : any
      Proposal    : default
Branch#sh crypto ikev2 proposal
 IKEv2 proposal: My_Proposal
     Encryption : 3DES AES-CBC-256
     Integrity  : SHA256 SHA512
     PRF        : SHA256 SHA512  ! 自动补全的,和完整性算法保持一致
     DH Group   : DH_GROUP_1024_MODP/Group 2 DH_GROUP_1536_MODP/Group 5 DH_GROUP_2048_MODP/Group 14
 IKEv2 proposal: default  ! 默认自带
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

2 IPSec 流量穿越注意点

2.1 防火墙

firewall.png

Figure 2: 实验拓扑

初始配置

此时如果从 R2 发起去往 R1 的流量,通信失败。在 R2 上观察,发现可以正常加密数据(说明 ISAKMP 协商阶段已经完成了),而在 R1 上观察,却发现 数据可以正常加解密,说明 R1 的响应流量无法到达 R2 。同时,从 ASAv 上看,发现有流量被 Drop 掉了: 

R2#sh cry engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   19  IPsec   DES+MD5                   0        0        0 202.100.2.1
   20  IPsec   DES+MD5                   4        0        0 202.100.2.1
 1010  IKE     SHA+DES                   0        0        0 202.100.2.1
R1#sh cry eng conn a
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   15  IPsec   DES+MD5                   0        4        4
   16  IPsec   DES+MD5                   4        0        0 202.100.1.1
 1008  IKE     SHA+DES                   0        0        0 202.100.1.1
ASAv(config)# sh asp drop frame acl-drop
  Flow is denied by configured rule (acl-drop)                                4

Last clearing: Never

由于由于 ASA 默认会 inspect UDP 流量,因此 ISAKMP 可以正常协商,而后续的加密数据是三层流量(协议号50),在 Outside 接口 in 方向会被阻挡。
需要调整 Outside 接口 ACL : 

! --- ASAv Configuration to make traffic work ---
! allow negociation traffic initiated by R1
access-list Outside_ACL extended permit udp host 202.100.1.1 eq isakmp host 202.100.2.1 eq isakmp
! allow ESP traffic from R1
access-list Outside_ACL extended permit esp host 202.100.1.1 host 202.100.2.1
!

2.2 ACL 处理逻辑 2

acl-checking-in.jpeg

Figure 3: 入方向加密数据的处理

  1. 如果满足 reverse crypto map ACL 但是收到的数据没有加密,仍然会被丢弃
  2. IP 数据包接受接口入方向的 ACL 检查
  3. 如果数据是未加密的,直接转发即可
  4. 如果数据是加密的,执行解密操作
  5. 解密后的数据接受 inbound access crypto map ACL 检查(该 ACL 位于 crypto map 配置块中,默认 permit all )
  6. 转发解密后的数据

acl-checking-out.jpeg

Figure 4: 出方向加密数据的处理

  1. 所有出方向的数据接受 crypto map ACL 检查,如果匹配表示需要加密
  2. 不需要加密的数据,直接交给
  3. 加密后的数据接受 outbound access crypto map ACL 检查(该 ACL 位于 crypto map 配置块中,默认 permit all )
  4. 加密数据
  5. 加密后的数据也要接受接口 outbound ACL 检查
  6. 二层封装

2.3 NAT-T (UDP4500)

nat-t.png

Figure 5: 实验拓扑

初始配置(关闭NAT-T)

从 Inside2 发起去往 Inside1 的流量,第一阶段协商是成功的,只是加密数据 (ESP) 没法送达: 

Site2(config)#do sh crypto session
Crypto session current status

Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: 202.100.1.1 port 500
  Session ID: 0
  IKEv1 SA: local 192.168.1.1/500 remote 202.100.1.1/500 Active
  IPSEC FLOW: permit ip 2.2.2.0/255.255.255.0 1.1.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Site2(config)#do sh cry engine conn active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    3  IPsec   DES+MD5                   0        0        0 192.168.1.1
    4  IPsec   DES+MD5                  10        0        0 192.168.1.1 有加密数据产生
 1002  IKE     SHA+DES                   0        0        0 192.168.1.1

Internet(config)# sh xl
1 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
可以看到 udp 500 的槽位
UDP PAT from Inside:192.168.1.1/500 to Outside:202.100.1.10/500 flags ri idle 0:02:55 timeout 0:00:30

使用 packet-tracer 模拟: 

Internet# packet-tracer input Inside rawip  192.168.1.1 50 202.100.1.1 detailed
...

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed

因此原因在于 ESP 是三层数据,无法对其进行 NAT 操作,必须开启 NAT-T 功能,即添加 UDP4500 头部。

PCAP 💾

2.4 NAT 对加密设备的影响 3

NAT 操作执行顺序:

Inside-to-Outside Outside-to-Inside
  • If IPSec then check input access list
  • decryption - for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing
  • If IPSec then check input access list
  • decryption - for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

3 L2L 高可用相关特性 4

ha.png

Figure 6: 实验拓扑

预配

3.1 反向路由注入 (RRI)

当 IPSec 会话建立成功后( 生成 Active SA 后 ),在本地自动添加一条去往目标网络(对端peer的感兴趣流所在的网段)的,且下一跳为对端加密点的 静态 路由。
如果将此静态路由添加到动态路由协议中,则 Inside 网络将动态获知当前处于 Active 状态的出口网关。

比如上图所示的拓扑中,Inside 路由器上并不需要配置默认路由,当 Branch 与 Active 网关建立 IPSec 后,会自动在 Active 上添加静态路由。通过将此自动生成的静态路由 重分布 进 OSPF 中,则内网能知道去往 1.1.1.0/24 的下一条为 202.100.1.1

RRI 的 局限性 在于为保证正常通信,必须由 Branch 触发安全会话的建立,因为只有这样才能产生静态路由。

感觉 RRI 和高可用没太多关系,只是为了给内部网络自动引导路由。 

! ########### Active RRI Configuration  ###########
crypto map My_Map 10
 set reverse-route tag 10 ! in order to distinguish in route-map
 reverse-route            ! enable RRI
!
route-map rri-to-ospf permit 10
 match tag 10
!
router os 1
 redistribute static subnets route-map rri-to-ospf
!

观察路由信息: 

Active(config-crypto-map)#do sh ip ro static
...

S*    0.0.0.0/0 [1/0] via 61.128.1.10
      1.0.0.0/24 is subnetted, 1 subnets
S        1.1.1.0 [1/0] via 202.100.1.1 新增加的静态路由

Inside(config)#do sh ip ro os
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
O E2     1.1.1.0 [110/20] via 10.1.1.10, 00:00:17, Ethernet0/0 重分布进来的路由

3.2 DPD (Keepalive 机制)

可以和 RRI 一起使用,以保证注入的路由的时效性。否则如果中间链路出现问题,两端加密点的 SA 仍然是 active 状态,此时注入进 Inside 网络的路由其实是无效的。启用 DPD 后,可以及时发现链路故障并尽快删除失效的 SA 。

3.3 Default peer

将 peer 设为 default ,会优先与 default peer 建立 IPSec ,比如设置了三个 peer (peerA, peerB, peerC) ,A 为 default 。当 A 的链路出现问题(也可能是 DPD 探测出了链路故障),则会尝试与 B 建立会话。如果 B 再次出现问题,此时仍然优先尝试 A ,失败后再尝试 C 。

3.4 高可用性配置示例

! ####################### Branch  #######################
crypto isakmp key Cisco123 address 137.78.5.1  ! key for another peer
crypto isakmp keepalive 10 periodic ! DPD
!
crypto map My_Map 10 ipsec-isakmp
 set peer 61.128.1.1 default
 set peer 137.78.5.1
!

! ####################### Active #######################
crypto isakmp keepalive 10 periodic ! DPD
crypto map My_Map 10
 set reverse-route tag 10 ! in order to distinguish in route-map
 reverse-route            ! enable RRI
!
route-map rri-to-ospf permit 10
 match tag 10
!
router os 1
 redistribute static subnets route-map rri-to-ospf
!

! ####################### Standby #######################
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
!
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
 ikev1 pre-shared-key Cisco123
 ! DPD
 isakmp keepalive threshold 10 retry 2
!
access-list VPN_Traffic extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
!
crypto ipsec ikev1 transform-set My_Transform_Set esp-des esp-md5-hmac
!
crypto map My_Crypto_Map 10 match address VPN_Traffic
crypto map My_Crypto_Map 10 set peer 202.100.1.1
crypto map My_Crypto_Map 10 set ikev1 transform-set My_Transform_Set
! RRI
crypto map My_Crypto_Map 10 set reverse-route
crypto map My_Crypto_Map interface Outside
crypto map My_Crypto_Map 10 set connection-type answer-only
!
access-list RRI standard permit 1.1.1.0 255.255.255.0
!
route-map rri-to-ospf permit 10
 match ip address RRI
!
router os 1
 redistribute static subnets route-map rri-to-ospf
!

尝试 shutdown Internet e0/1 或 e0/2 接口,可以看到 Branch 会自动切换 peer ,同时 Inside 上被重分布进 OSPF 的那条路由也会动态变化,指向正确的网关。

4 动态地址 VPN

4.1 Dynamic MAP

适用于 Hub 有固定 IP 但是 Spoke 是动态 IP 的情况,通常使用 EZVPN 的方式,也可以使用动态 MAP 解决。

dynamic map 不用设 peer ,谁发过来就认为对方是 peer 。也不用设置感兴趣流,以对端发来的为准。

该方案配置在 Hub 端,Spoke 端正常配置 L2L VPN 即可。该方案适用于简单的网络拓扑,因为不能运行动态路由协议,这也是 L2L VPN 所不支持的(不能传递组播,广播流量)。

配置要点:

  • 动态 Map 必须间接通过静态 Map 调用到接口
  • 原来静态 Map 下的配置,改到动态 Map 下做
  • 无需 set peer
  • 无需设置感兴趣流,会自动从对方 SA 消息中学习
  • 动态 Map 只能被动建立 VPN 会话,不能主动发起
  • 多用于中心站点,等待分支站点连接

dmap.png

Figure 7: 实验拓扑

预配
Branch L2L VPN 配置(无特殊配置) 
! ############## Branch L2L VPN ###############
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key Cisco123 address 202.100.1.1
!
ip access-list extended VPN_ACL
 per ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
crypto ipsec transform-set My_Transform_Set esp-des esp-md5-hmac
!
crypto map My_Map 10 ipsec-isakmp
 set peer 202.100.1.1
 set transform-set My_Transform_Set
 match address VPN_ACL
!
int e0/0
 crypto map My_Map
!

! ######### Dynamic crypto map configuration for Hub ############
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key Cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set My_Transform_Set esp-des esp-md5-hmac
!
crypto dynamic-map My_Dynamic_Map 10
 set transform-set My_Transform_Set
 ! no need to set peer here
 ! no need to set ACL here
!
crypto map My_Map 100 ipsec-isakmp dynamic My_Dynamic_Map
!
int e0/0
 crypto map My_Map
!

4.2 DDNS

5 SVTI VPN

【 SVTI VPN 】和【 GRE Over IPSec 】原理类似,优势是不需要额外的 4 字节 GRE 头部,可以说提高了发送效率。

5.1 IKEv1

svti-topo.png

Figure 8: 实验拓扑

5.2 IKEv2

svti-ikev2.png

Figure 9: 拓扑

预配 
! ########### Branch SVTI IKEv2 Configuration #############
crypto ikev2 proposal My_Proposal   ! can omit defining proposal and just use the default one
 encryption 3des aes-cbc-256
 integrity sha256 sha512
 group 2 5 14
!
crypto ikev2 policy My_Policy       ! can omit defining policy and just use the default one which refers to default proposal
 proposal My_Proposal
!
crypto ikev2 keyring My_Keyring
 peer Hub
  address 61.128.2.20
  pre-shared-key Cisco123
 !
!
crypto ipsec transform-set My_Transform_Set esp-des esp-md5-hmac  ! can omit defining transform-set and just use default one
 mode tunnel
!
crypto ikev2 profile My_IKEv2_Profile
 match identity remote address 61.128.2.20
 identity local address 202.100.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local My_Keyring
!
crypto ipsec profile My_IPSEc_Profile
 set ikev2-profile My_IKEv2_Profile
!
int tun0
 ip add 172.16.2.1 255.255.255.0
 tunnel source e0/0
 tunnel mode ipsec ipv4
 tunnel destination 61.128.2.20
 tunnel protection ipsec profile My_IPSEc_Profile
!

! ####################### Hub SVTI IKEv2 Configuration #######################
crypto ikev2 proposal My_Proposal   ! can omit defining proposal and just use the default one
 encryption 3des aes-cbc-256
 integrity sha256 sha512
 group 2 5 14
!
crypto ikev2 policy My_Policy       ! can omit defining policy and just use the default one which refers to default proposal
 proposal My_Proposal
!
crypto ikev2 keyring My_Keyring
 peer Branch
  address 202.100.1.1
  pre-shared-key Cisco123
 !
!
crypto ipsec transform-set My_Transform_Set esp-des esp-md5-hmac  ! can omit defining transform-set and just use default one
 mode tunnel
!
crypto ikev2 profile My_IKEv2_Profile
 match identity remote address 202.100.1.1
 identity local address 61.128.2.20
 authentication local pre-share
 authentication remote pre-share
 keyring local My_Keyring
!
crypto ipsec profile My_IPSEc_Profile
 set ikev2-profile My_IKEv2_Profile
!
int tun0
 ip add 172.16.2.20 255.255.255.0
 tunnel source e0/0
 tunnel mode ipsec ipv4
 tunnel destination 202.100.1.1
 tunnel protection ipsec profile My_IPSEc_Profile
!
配置动态路由 
! ######### Branch/Hub ############
int r e0/1,tun0
 ip os 1 a 0
!
router os 1
 pass e0/1
!

6 GETVPN

必须在全局可路由环境下使用(通常在内网使用),本质是为了加密,常见于在 MPLS 网络中提供加密功能。

GETVPN 有如下几个特点:

  • 基于 native routing (即全局可路由)
  • 保留原始数据 IP 头部(即不影响 QoS )
  • Group 内部使用相同的安全策略,Group 内成员预先协商 IPSec SA ,实现 any-to-any 传输
  • 高效率支持对组播的加密

Footnotes:

1

基于 IKEv2 的 VPN 统称为 FlexVPN

2

IPsec Data Plane Configuration Guide, Cisco IOS Release 12.4T

3

NAT Order of Operation

4

如果使用 GRE over IPSec, SVTI, DMVPN 等基于隧道的 VPN 技术,就没必要使用 DPD 和 RRI 技术了。

Author: Hao Ruan (ruanhao1116@gmail.com)

Created: 2022-04-30 Sat 15:38

Updated: 2023-03-06 Mon 22:12

Emacs 27.2 (Org mode 9.4.4)