资源记录
rsrc.ink

Hillstone FW & Cisco ASA IKEv2 IPsec VPN

Requirement: the company's new branch office F uses a Cisco ASA as its Internet edge gateway and needs an IPsec VPN to the headquarters Hillstone firewall so that the two sites can reach each other's resources.

The Cisco ASA at branch F runs software version 9.2, which supports IKE version 2.

The IKEv2 IPsec VPN configuration of the Hillstone firewall and the Cisco ASA is shown below. The two sides have to agree on the IKE SA proposal (AES-256, MD5 integrity, SHA-1 PRF, DH group 2), the child SA proposal (ESP, AES-256, MD5), the pre-shared key, and mirrored traffic selectors (10.1.1.0/24 on the Hillstone side, 172.16.5.0/24 on the ASA side). The MD5, group 2 and "123456" values are reproduced exactly as the lab used them; they should not be carried into production. One more thing to check on the Hillstone side: SNAT rule 1 translates everything from 10.1.1.0/24 to "Any", so once the tunnel is up, confirm with show session that traffic to 172.16.5.0/24 leaves via tunnel80 without source translation; if it is being translated, add a higher-priority SNAT rule that exempts that destination (StoneOS no-trans). The ASA side already has the equivalent identity twice-NAT rule.

Hillstone firewall IKEv2 IPsec VPN configuration

hsfwa# show configuration

zone "untrust"
  type wan
exit
zone "ipsecvpn"
  vrouter "trust-vr"
exit
hostname "hsfwa"

ikev2 proposal "asaikev2"
  hash md5
  prf sha
  encryption aes256
  group 2
exit
ikev2 ipsec-proposal "asaikev2p2"
  protocol esp
  hash md5
  encryption aes256
  lifetime 86400
exit
ikev2 peer "ciscoasa"
  interface ethernet0/1
  match-peer "20.5.5.1"
  ikev2-proposal "asaikev2"
  local-id ip 20.0.0.1
  auth psk
  ikev2-profile "ikev2profile"
    remote id ip 20.5.5.1
    remote key 123456
    traffic-selector src subnet 10.1.1.0/24
    traffic-selector dst subnet 172.16.5.0/24
  exit
exit
tunnel ipsec "asatunnel" ikev2
  ikev2-peer "ciscoasa"
  ipsec-proposal "asaikev2p2"
  auto-connect
exit
interface ethernet0/0
  zone "trust"
  ip address 10.1.1.254 255.255.255.0
  manage ssh
  manage ping
exit
interface ethernet0/1
  zone "untrust"
  ip address 20.0.0.1 255.255.255.0
  manage ping
exit
interface tunnel80
  zone "ipsecvpn"
  manage ping
  tunnel ikev2 "asatunnel"
  reverse-route prefer
exit
ip vrouter "trust-vr"
  snatrule id 1 from "10.1.1.0/24" to "Any" service "Any" trans-to eif-ip mode dynamicport
  ip route 0.0.0.0/0 20.0.0.100
  ip route 172.16.5.0/24 "tunnel80"
exit

rule id 1
  action permit
  src-zone "trust"
  dst-zone "untrust"
  src-addr "Any"
  dst-addr "Any"
  service "Any"
exit
rule id 81
  action permit
  src-zone "trust"
  dst-zone "ipsecvpn"
  src-addr "Any"
  dst-addr "Any"
  service "Any"
exit
rule id 82
  action permit
  src-zone "ipsecvpn"
  dst-zone "trust"
  src-addr "Any"
  dst-addr "Any"
  service "Any"
exit

End
Cisco ASA IKEv2 IPsec VPN configuration

ciscoasa# show run
!
ASA Version 9.2(2)
!
hostname ciscoasa
!
interface Ethernet0/0
 switchport access vlan 10
!
interface Ethernet0/1
 switchport access vlan 20
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 172.16.5.254 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address 20.5.5.1 255.255.255.0
!
object network obj-172.16.5.0
 subnet 172.16.5.0 255.255.255.0
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0

access-list ipsecvpn extended permit ip 172.16.5.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside,outside) source static obj-172.16.5.0 obj-172.16.5.0 destination static obj-10.1.1.0 obj-10.1.1.0
!
object network obj-172.16.5.0
 nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 20.5.5.100 1

crypto ipsec ikev2 ipsec-proposal ipsecv2p2
 protocol esp encryption aes-256
 protocol esp integrity md5

crypto map vpnmap 10 match address ipsecvpn
crypto map vpnmap 10 set peer 20.0.0.1
crypto map vpnmap 10 set ikev2 ipsec-proposal ipsecv2p2
crypto map vpnmap 10 set reverse-route
crypto map vpnmap interface outside

crypto ikev2 policy 10
 encryption aes-256
 integrity md5
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

tunnel-group 20.0.0.1 type ipsec-l2l
tunnel-group 20.0.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 123456
 ikev2 local-authentication pre-shared-key 123456
!
: end
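Both configurations above negotiate MD5 integrity, a SHA-1 PRF and DH group 2, and authenticate with a six-digit PSK. The fragment below is an added hardening suggestion, not part of the original post: it replaces just those lines on both devices with SHA-256 and DH group 14 while keeping the page's object names. The ASA keywords are the ASA 9.x CLI forms; the Hillstone keywords (hash sha256, prf sha256, group 14) follow the syntax of the page's own proposal blocks and are assumed to be accepted by this StoneOS release, so confirm them with ? in the CLI before pasting. <long-random-secret> is a placeholder for one long random key used on both sides.

```text
# Hillstone: replace the two proposal blocks and the peer key
ikev2 proposal "asaikev2"
  hash sha256
  prf sha256
  encryption aes256
  group 14
exit
ikev2 ipsec-proposal "asaikev2p2"
  protocol esp
  hash sha256
  encryption aes256
  lifetime 86400
exit
ikev2 peer "ciscoasa"
  ikev2-profile "ikev2profile"
    remote key <long-random-secret>
  exit
exit

! Cisco ASA: replace policy 10, the ipsec-proposal and the tunnel-group keys
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal ipsecv2p2
 protocol esp encryption aes-256
 protocol esp integrity sha-256
tunnel-group 20.0.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <long-random-secret>
 ikev2 local-authentication pre-shared-key <long-random-secret>
```

Change both sides in the same maintenance window: IKEv2 has no fallback, so a policy changed on only one device fails IKE_SA_INIT with NO_PROPOSAL_CHOSEN until the other side matches.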

Test and verification:

1. From a server at headquarters, ping and traceroute a host inside branch F to confirm IPsec VPN connectivity and that the path goes through the tunnel.

2. On the headquarters Hillstone firewall, run show ikev2 ike-sa and show ikev2 ipsec-sa to confirm that the IKEv2 SA and the child SA have been negotiated.

3. On the branch F Cisco ASA, run show crypto ikev2 sa and show crypto ipsec sa to confirm the IKEv2 negotiation state (show crypto isakmp sa also lists IKEv2 SAs on ASA 9.x, but the ikev2 form is the specific one). Expect the IPsec SA lifetime reported by the ASA to differ from the 86400 seconds configured on the Hillstone: the ASA default is 28800 seconds, and because IKEv2 does not negotiate lifetimes each side simply rekeys on its own timer, so this is not a mismatch.
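As an added example (not part of the original post, and not vendor tooling), the script below cross-checks the two dumps offline before the tunnel is brought up: it pulls the proposal, peer, PSK and traffic-selector values out of both sides, reports anything that would stop the SA from forming, and separately flags the weak choices. HILLSTONE_CFG and ASA_CFG are constructed copies of the page's values, trimmed to the lines the checker reads; the parsers assume one IKEv2 policy, one ipsec-proposal and one crypto map entry per side, as on this page. Lifetimes are deliberately not compared, since IKEv2 does not negotiate them.

```python
"""Offline cross-check of the Hillstone and Cisco ASA IKEv2 settings on this page (added example, not vendor code).
HILLSTONE_CFG and ASA_CFG are constructed copies of the page's values, trimmed to the lines the checker reads."""
import ipaddress
import re
HILLSTONE_CFG = """
ikev2 proposal "asaikev2"
  hash md5
  prf sha
  encryption aes256
  group 2
exit
ikev2 ipsec-proposal "asaikev2p2"
  hash md5
  encryption aes256
exit
ikev2 peer "ciscoasa"
  match-peer "20.5.5.1"
  local-id ip 20.0.0.1
  remote key 123456
  traffic-selector src subnet 10.1.1.0/24
  traffic-selector dst subnet 172.16.5.0/24
exit
"""

ASA_CFG = """
interface Vlan20
 nameif outside
 ip address 20.5.5.1 255.255.255.0
access-list ipsecvpn extended permit ip 172.16.5.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal ipsecv2p2
 protocol esp encryption aes-256
 protocol esp integrity md5
crypto map vpnmap 10 set peer 20.0.0.1
crypto ikev2 policy 10
 encryption aes-256
 integrity md5
 group 2
 prf sha
tunnel-group 20.0.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 123456
 ikev2 local-authentication pre-shared-key 123456
"""

WEAK_HASH, WEAK_DH = {"md5", "sha"}, {"1", "2", "5"}  # plain "sha" means SHA-1 on both vendors
ASA_IKE = {"encryption": "encryption", "hash": "integrity", "prf": "prf", "group": "group"}  # Hillstone kw -> ASA kw

def norm(v):
    """Unify vendor spellings (aes-256 -> aes256, sha-1 -> sha); a missing value becomes ""."""
    v = (v or "").lower().replace("-", "")
    return {"sha1": "sha"}.get(v, v)

def body(text, header):
    """Indented lines after the first line starting with `header` (a regex): one CLI sub-mode block."""
    m = re.search(rf"^{header}[^\n]*\n((?: +[^\n]*\n)+)", text, re.M)
    return m[1] if m else ""

def kv(block, key):
    """Last token of the first '<key> ...' line, quotes stripped: 'local-id ip 20.0.0.1' -> '20.0.0.1'."""
    m = re.search(rf"^\s*{key} ([^\n]*)", block, re.M)
    return m[1].split()[-1].strip('"') if m else None

def parse_hillstone(text):
    ike, esp, peer = body(text, "ikev2 proposal"), body(text, "ikev2 ipsec-proposal"), body(text, "ikev2 peer")
    return {"ike": {k: norm(kv(ike, k)) for k in ASA_IKE}, "esp": {k: norm(kv(esp, k)) for k in ("encryption", "hash")},
            "peer": kv(peer, "match-peer"), "local_id": kv(peer, "local-id"), "psk": kv(peer, "remote key"),
            "ts_src": kv(peer, "traffic-selector src"), "ts_dst": kv(peer, "traffic-selector dst")}

def parse_asa(text):
    # Takes the first IKEv2 policy, ipsec-proposal and crypto map entry; the page has exactly one of each.
    pol, prop = body(text, "crypto ikev2 policy"), body(text, "crypto ipsec ikev2 ipsec-proposal")
    acl = re.search(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M)
    return {"ike": {k: norm(kv(pol, a)) for k, a in ASA_IKE.items()},
            "esp": {k: norm(kv(prop, "protocol esp " + ASA_IKE[k])) for k in ("encryption", "hash")},
            "outside_ip": re.search(r"nameif outside\n(?: [^\n]*\n)*? ip address (\S+)", text)[1],
            "peer": re.search(r"^crypto map \S+ \d+ set peer (\S+)", text, re.M)[1],
            "acl_src": str(ipaddress.ip_network(f"{acl[1]}/{acl[2]}")),  # dotted mask -> prefix length
            "acl_dst": str(ipaddress.ip_network(f"{acl[3]}/{acl[4]}")),
            "psk_remote": kv(text, "ikev2 remote-authentication pre-shared-key"),
            "psk_local": kv(text, "ikev2 local-authentication pre-shared-key")}

PAIRS = [  # (label, Hillstone key, ASA key): these must be identical or the SA never comes up
    ("match-peer vs ASA outside IP", "peer", "outside_ip"),
    ("local-id vs ASA set peer", "local_id", "peer"),
    ("PSK vs ASA local-authentication key", "psk", "psk_local"),
    ("PSK vs ASA remote-authentication key", "psk", "psk_remote"),
    ("traffic selector src vs ASA ACL dst", "ts_src", "acl_dst"),  # selectors mirror each other
    ("traffic selector dst vs ASA ACL src", "ts_dst", "acl_src"),
]

def compare(hs, asa):
    """Return (mismatches, warnings): mismatches break negotiation, warnings are weak but interoperable choices."""
    mism = [f"{p} {k}: Hillstone={hs[p][k]} ASA={asa[p][k]}" for p in ("ike", "esp") for k in hs[p] if hs[p][k] != asa[p][k]]
    mism += [f"{l}: Hillstone={hs[a]} ASA={asa[b]}" for l, a, b in PAIRS if hs[a] != asa[b]]
    weak = (("ike integrity", hs["ike"]["hash"], WEAK_HASH), ("ike prf", hs["ike"]["prf"], WEAK_HASH),
            ("esp integrity", hs["esp"]["hash"], WEAK_HASH), ("DH group", hs["ike"]["group"], WEAK_DH))
    warn = [f"{l} {v} is weak; use sha256 (hashes) or group 14+ (DH)" for l, v, bad in weak if v in bad]
    if len(hs["psk"]) < 20 or hs["psk"].isdigit():
        warn.append("PSK is short or all digits; use a long random secret")
    return mism, warn
```

compare(parse_hillstone(HILLSTONE_CFG), parse_asa(ASA_CFG)) returns an empty mismatch list for the page's values and five warnings (MD5 integrity twice, SHA-1 PRF, DH group 2, the short numeric PSK). Changing only the ASA policy to group 14 yields the mismatch "ike group: Hillstone=2 ASA=14", the kind of one-sided edit that makes IKE_SA_INIT fail with NO_PROPOSAL_CHOSEN; the Hillstone traffic selectors are compared against the ASA ACL in swapped order because each side describes the same flow from its own end.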