FlexVPN Lab (1): Site-to-Site Static Tunnel + Pre-Shared Key (PSK)

FlexVPN uses Internet Key Exchange version 2 (IKEv2) as its key-management protocol. Starting with IOS 15.2(1)T, IOS ships with the Smart Defaults feature, which supplies ready-made default IKEv2 and IPsec objects (a default IKEv2 proposal and policy, a default IPsec transform set and a default IPsec profile) so that a FlexVPN configuration needs only a keyring, an IKEv2 profile and a tunnel interface. The defaults used in this lab are shown below.

IKEv2 vs. IKEv1

Compared with IKEv1, IKEv2 has the following advantages:

  • Better interoperability across platforms and vendors, since it is defined as a single unified framework
  • Fewer messages (4: the IKE_SA_INIT and IKE_AUTH pairs) are needed to bring up a tunnel, so it uses less bandwidth and the tunnel comes up faster
  • More authentication options, for example EAP, in addition to the pre-shared key (PSK) and certificate (CA, RSA-Sig) methods IKEv1 already has; the two sides may also use different methods, for example PSK on one side and RSA-Sig on the other
  • More flexible: when a site has several networks (prod, dev, ...) or different users (employees of department A vs. department B) need access to different networks, separating the traffic is easier
  • More secure: it fixes many of IKEv1's weaknesses and resists DoS attacks better (for example, the stateless cookie exchange against spoofed IKE_SA_INIT floods)

Lab overview:

This lab is a site-to-site FlexVPN configuration in its simplest form: a static point-to-point tunnel authenticated with a PSK. Later posts will cover other FlexVPN setups, including dynamic tunnels and other authentication methods.

The lab topology is shown below. Only HUB1 and SPOKE1 are used in this lab; the other devices are there for later labs.

(Figure: FlexVPN_site, the lab topology)

Interface configuration:

CSR-HUB1
g3: 200.1.13.1/24
Tunnel0: 10.1.13.1/24
MGMT: 192.168.1.91/24

CSR-SPOKE1
g3: 200.1.13.3/24
Tunnel0: 10.1.13.3/24
MGMT: 192.168.1.94/24

NTP on both routers points to an external NTP server.

CSR-HUB1 configuration

1. Configure the pre-shared key (PSK)

crypto ikev2 keyring mykeys
 peer SPOKE
  ! key entry for this peer; binding it to the peer's address restricts who can use the key
  address 200.1.13.3
  pre-shared-key Cisco123

A short, guessable PSK such as Cisco123 is acceptable in a lab only; in production use a long random key. With a plain pre-shared-key statement the same key has to be configured on both peers.

2. Configure the IKEv2 profile

crypto ikev2 profile FLEXVPN-Static
 ! "any" would accept every remote peer; matching the exact address limits this profile to SPOKE1
 match identity remote address 200.1.13.3 255.255.255.255
 ! authenticate the remote peer with the PSK
 authentication remote pre-share
 ! authenticate ourselves with the PSK; the local method may differ from the remote one
 authentication local pre-share
 ! keyring holding the PSK
 keyring local mykeys
 ! dead peer detection: probe every 60 s, retry twice, only when traffic is pending and nothing has been received
 dpd 60 2 on-demand

3. Reference the IKEv2 profile from the IPsec profile

crypto ipsec profile default
 set ikev2-profile FLEXVPN-Static

Here default is the Smart Defaults IPsec profile, which already references the default transform set.

4. Apply the IPsec profile to the tunnel interface

CSR-HUB1# show run interface tu 0
Building configuration...

Current configuration : 165 bytes
!
interface Tunnel0
 ip address 10.1.13.1 255.255.255.0
 tunnel source GigabitEthernet3
 tunnel destination 200.1.13.3
 tunnel protection ipsec profile default
end
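The four steps above rely on the Smart Defaults for every algorithm, and the verification output further down shows what they negotiate: AES-CBC-256 with SHA-512 but DH group 5 (1536-bit MODP) for the IKEv2 SA, and esp-aes (AES-128) with esp-sha-hmac (SHA-1) in transport mode with PFS disabled for the child SA. DH group 5 and SHA-1 are legacy choices. The configuration below is an added example, not part of the original post, showing how to replace the defaults on CSR-HUB1 with an explicit IKEv2 proposal and policy, an explicit transform set and a dedicated IPsec profile. The object names IKEV2-PROP-STRONG, IKEV2-POL-STRONG, TS-AES256-SHA256 and IPSEC-PROF-STRONG are arbitrary choices for this example; FLEXVPN-Static is the IKEv2 profile from step 2. The same proposal, policy and transform set must also be configured on CSR-SPOKE1, otherwise IKE_SA_INIT or the child SA negotiation fails with no matching proposal.

```cisco
! Added example (not from the original post): replace the Smart Default
! algorithms with explicit ones. The defaults themselves can be inspected with
!   show crypto ikev2 proposal default
!   show crypto ikev2 policy default
!   show crypto ipsec transform-set default
!   show crypto ipsec profile default

! IKEv2 proposal: AES-256-CBC, SHA-512 integrity (also used as PRF when no
! prf statement is given), ECP-256 preferred, 2048-bit MODP as fallback
crypto ikev2 proposal IKEV2-PROP-STRONG
 encryption aes-cbc-256
 integrity sha512
 group 19 14

! A policy without a match statement applies to all local addresses/VRFs.
! Disable the Smart Default policy so only IKEV2-PROP-STRONG can be negotiated.
no crypto ikev2 policy default
crypto ikev2 policy IKEV2-POL-STRONG
 proposal IKEV2-PROP-STRONG

! Child SA: AES-256 ESP with SHA-256 HMAC. Transport mode is sufficient because
! the GRE tunnel header already carries the endpoint addresses (protocol 47).
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport

! Dedicated IPsec profile instead of "default", with PFS on child SA rekeys
crypto ipsec profile IPSEC-PROF-STRONG
 set transform-set TS-AES256-SHA256
 set pfs group14
 set ikev2-profile FLEXVPN-Static

! Bind the new profile to the tunnel; this replaces
! "tunnel protection ipsec profile default" from step 4
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROF-STRONG
```

After both routers have the new objects, clear the session (clear crypto ikev2 sa) and re-check show crypto ikev2 sa detailed and show crypto ipsec sa: the Encr/Hash/DH Grp line and the transform line should now report the explicit algorithms and PFS should show Y with group 14.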

 

CSR-SPOKE1 configuration

Mirror the CSR-HUB1 configuration, swapping the addresses: the keyring and the match identity statement point at 200.1.13.1, and the tunnel uses 10.1.13.3 as its address and 200.1.13.1 as its destination.

 

Verification

CSR-SPOKE1# show crypto ikev2 sa detailed

IPv4 Crypto IKEv2 SA

 

Tunnel-id Local                 Remote               fvrf/ivrf           Status

1         200.1.13.3/500       200.1.13.1/500       none/none           READY

Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK

Life/Active Time: 86400/1792 sec

CE id: 1561, Session-id: 1

Status Description: Negotiation done

Local spi: 4A27CEEEEB3E4CA7       Remote spi: E83A70F5492CE2C7

Local id: 200.1.13.3

Remote id: 200.1.13.1

Local req msg id: 3             Remote req msg id: 1

Local next msg id: 3             Remote next msg id: 1

Local req queued: 3             Remote req queued: 1

Local window:     5             Remote window:     5

DPD configured for 60 seconds, retry 2

Fragmentation not configured.

Extended Authentication not configured.

NAT-T is not detected

Cisco Trust Security SGT is disabled

Initiator of SA : Yes

 

IPv6 Crypto IKEv2 SA

 

CSR-SPOKE1# show crypto ipsec sa

 

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr 200.1.13.3

 

protected vrf: (none)

local ident (addr/mask/prot/port): (200.1.13.3/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (200.1.13.1/255.255.255.255/47/0)

current_peer 200.1.13.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

 

local crypto endpt.: 200.1.13.3, remote crypto endpt.: 200.1.13.1

plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3

current outbound spi: 0xC7C8CD12(3351825682)

PFS (Y/N): N, DH group: none

 

inbound esp sas:

spi: 0x1405901D(335908893)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4607999/1725)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

 

inbound ah sas:

 

inbound pcp sas:

 

outbound esp sas:

spi: 0xC7C8CD12(3351825682)

transform: esp-aes esp-sha-hmac ,

in use settings ={Transport, }

conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80000008, crypto map: Tunnel0-head-0

sa timing: remaining key lifetime (k/sec): (4607999/1725)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

 

outbound ah sas:

 

outbound pcp sas:

 

CSR-HUB1#show crypto session

Crypto session current status

 

Interface: Tunnel0

Profile: FLEXVPN-Static

Session status: UP-ACTIVE

Peer: 200.1.13.3 port 500

Session ID: 288

IKEv2 SA: local 200.1.13.1/500 remote 200.1.13.3/500 Active

IPSEC FLOW: permit 47 host 200.1.13.1 host 200.1.13.3

Active SAs: 2, origin: crypto map

 

CSR-HUB1# show ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       192.168.1.91    YES manual up                    up
GigabitEthernet2       unassigned      YES NVRAM  administratively down down
GigabitEthernet3       200.1.13.1      YES manual up                    up
GigabitEthernet4       unassigned      YES NVRAM  administratively down down
Tunnel0                10.1.13.1       YES manual up                    up

Two points worth reading out of the output above. First, everything was negotiated from the Smart Defaults: the IKEv2 SA uses AES-CBC-256 and SHA-512 but DH group 5 (1536-bit MODP), and the child SA uses esp-aes (AES-128) with esp-sha-hmac (SHA-1), PFS disabled. Group 5 and SHA-1 are legacy choices, so a production deployment should define its own IKEv2 proposal/policy and IPsec transform set instead of relying on the defaults. Second, the IPsec flow is "permit 47 host 200.1.13.1 host 200.1.13.3" because Tunnel0 is a GRE tunnel by default; ESP in transport mode protects the GRE packets between the two endpoints, and the GRE plus ESP overhead is why the reported plaintext MTU (1458) is below the 1500-byte path MTU.
