需求:企业新分支机构F部署CISCO ASA 做为互联网出口网关,与总部山石防火墙建立IPSEC VPN 以实现资源共享
分支机构F的CISCO ASA 软件版本为9.2 ,支持 IKE verison 2。
山石防火墙与思科ASA IPSEC VPN IKEV2 配置如下:
山石防火墙IKEV2 IPSEC VPN配置
hsfwa# show configuration
zone “untrust”
type wan
exit
zone “ipsecvpn“
vrouter “trust-vr”
exit
hostname “hsfwa”
ikev2 proposal “asaikev2“
hash md5
prf sha
encryption aes256
group 2
exit
ikev2 ipsec-proposal “asaikev2p2“
protocol esp
hash md5
encryption aes256
lifetime 86400
exit
ikev2 peer “ciscoasa“
interface ethernet0/1
match-peer “20.5.5.1”
ikev2-proposal “asaikev2“
local-id ip 20.0.0.1
auth psk
ikev2-profile “ikev2profile“
remote id ip 20.5.5.1
remote key 123456
traffic-selector src subnet 10.1.1.0/24
traffic-selector dst subnet 172.16.5.0/24
exit
exit
tunnel ipsec “asatunnel” ikev2
ikev2-peer “ciscoasa“
ipsec-proposal “asaikev2p2“
auto-connect
exit
interface ethernet0/0
zone “trust”
ip address 10.1.1.254 255.255.255.0
manage ssh
manage ping
exit
interface ethernet0/1
zone “untrust”
ip address 20.0.0.1 255.255.255.0
manage ping
exit
interface tunnel80
zone “ipsecvpn“
manage ping
tunnel ikev2 “asatunnel“
reverse-route prefer
exit
ip vrouter “trust-vr”
snatrule id 1 from “10.1.1.0/24” to “Any” service “Any” trans-to eif-ip mode dynamicport
ip route 0.0.0.0/0 20.0.0.100
ip route 172.16.5.0/24 “tunnel80“
exit
rule id 1
action permit
src-zone “trust”
dst-zone “untrust”
src-addr “Any”
dst-addr “Any”
service “Any”
exit
rule id 81
action permit
src-zone “trust”
dst-zone “ipsecvpn“
src-addr “Any”
dst-addr “Any”
service “Any”
exit
rule id 82
action permit
src-zone “ipsecvpn“
dst-zone “trust”
src-addr “Any”
dst-addr “Any”
service “Any”
exit
End
cisco asa ipsec vpn ikev2配置
ciscoasa# show run
!
ASA Version 9.2(2)
!
hostname ciscoasa
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 20
!
interface Vlan10
nameif inside
security-level 100
ip address 172.16.5.254 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
ip address 20.5.5.1 255.255.255.0
!
object network obj-172.16.5.0
subnet 172.16.5.0 255.255.255.0
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
access-list ipsecvpn extended permit ip 172.16.5.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside,outside) source static obj-172.16.5.0 obj-172.16.5.0 destination static obj-10.1.1.0 obj-10.1.1.0
!
object network obj-172.16.5.0
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 20.5.5.100 1
crypto ipsec ikev2 ipsec-proposal ipsecv2p2
protocol esp encryption aes-256
protocol esp integrity md5
crypto map vpnmap 10 match address ipsecvpn
crypto map vpnmap 10 set peer 20.0.0.1
crypto map vpnmap 10 set ikev2 ipsec-proposal ipsecv2p2
crypto map vpnmap 10 set reverse-route
crypto map vpnmap interface outside
crypto ikev2 policy 10
encryption aes-256
integrity md5
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 20.0.0.1 type ipsec-l2l
tunnel-group 20.0.0.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key 123456
ikev2 local-authentication pre-shared-key 123456
!
: end
测试验证:
1、总部服务器 ping 和 tracert 分支F内部设备,验证ISPEC VPN连通性和路径
2、总部山石防火墙使用 show ikev2 ike-sa 和 show ikev2 ipsec-sa 验证IKEV2协商状态
3、分支F cisco asa 使用 show crypto isakmp sa 和 show crypto ipsec sa 验证ike2 协调状态