The IPSecVPN traffic of two branches is tested at the headquarters.

Source: Internet
Author: User
Tags: hmac, rekey

1. Overview

A friend posted on the forum asking how to make the IPsec VPN traffic between two branches pass through the headquarters. I built the topology and tested it. Because running two ASA 8.42 instances as VMs performs poorly, PIX 8.0 was used in place of the ASA; its configuration should be essentially the same as ASA 8.0.

2. Basic ideas

A. Traffic between the two branches uses the existing IPsec VPN tunnels that each branch already has to the headquarters.
B. The interesting-traffic (crypto) ACLs are changed so that branch-to-branch traffic is first encrypted to the headquarters, which then forwards it through the other tunnel to the second branch.

3. Test topology

[Figure: test topology (TUOPU.JPG)]

4. Basic configuration

A. Guangzhou headquarters firewall FW1:

interface Ethernet0
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shut
interface Ethernet1
 nameif Outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
 no shut
route Outside 0.0.0.0 0.0.0.0 1.1.1.2
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
same-security-traffic permit intra-interface
--- Because branch-to-branch traffic enters on Outside and leaves on Outside again (it hairpins on the same interface), traffic between hosts on the same interface has to be permitted.

B. Guangzhou headquarters gateway router GZWG:

interface Ethernet0/0
 ip address 1.1.1.2 255.255.255.252
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.1.2 255.255.255.252
 ip nat outside
 no shut
ip access-list extended PAT
 permit ip host 1.1.1.1 any
 permit ip 192.168.1.0 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 202.100.1.1
ip route 192.168.1.0 255.255.255.0 1.1.1.1
ip nat inside source list PAT interface Ethernet0/1 overload
ip nat inside source static udp 1.1.1.1 4500 interface Ethernet0/1 4500
ip nat inside source static udp 1.1.1.1 500 interface Ethernet0/1 500

C. ISP router:

interface Ethernet0/0
 ip address 202.100.1.1 255.255.255.252
 no shut
interface Ethernet0/1
 ip address 202.100.1.9 255.255.255.252
 no shut
interface Ethernet0/2
 ip address 202.100.1.5 255.255.255.252
 no shut

D. Beijing branch gateway router BJGW:

interface Ethernet0/0
 ip address 2.2.2.1 255.255.255.252
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.1.10 255.255.255.252
 ip nat outside
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.9
ip route 192.168.2.0 255.255.255.0 2.2.2.2
ip access-list extended PAT
 permit ip host 2.2.2.2 any
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload
ip nat inside source static udp 2.2.2.2 4500 interface Ethernet0/1 4500
ip nat inside source static udp 2.2.2.2 500 interface Ethernet0/1 500
--- Without the static PAT entries above, the headquarters cannot initiate the VPN toward this branch.

E. Beijing branch firewall FW2:

interface Ethernet0
 nameif Inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 no shut
interface Ethernet1
 nameif Outside
 security-level 0
 ip address 2.2.2.2 255.255.255.252
 no shut
route Outside 0.0.0.0 0.0.0.0 2.2.2.1 1
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
F. Shanghai branch gateway router SHGW:

interface Ethernet0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.1.6 255.255.255.252
 ip nat outside
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.5
ip access-list extended PAT
 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/1 overload

G. Internet access test:

[screenshot 1.JPG]

① Guangzhou headquarters accesses the Internet:

[screenshot 2.JPG]

ISP# debug ip icmp
ICMP packet debugging is on
ISP#
*Mar 1 02:44:21.135: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:22.411: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:23.467: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:24.659: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2
*Mar 1 02:44:25.743: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.2

② Internet access test for the Beijing branch:

[screenshot 3.JPG]

ISP# debug ip icmp
ICMP packet debugging is on
ISP#
*Mar 1 02:46:28.855: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:30.151: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:31.363: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:32.427: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10
*Mar 1 02:46:33.631: ICMP: echo reply sent, src 202.100.1.9, dst 202.100.1.10

③ Internet access test for the Shanghai branch:

[screenshot 4.JPG]

ISP# debug ip icmp
ICMP packet debugging is on
ISP#
*Mar 1 02:48:03.875: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:05.003: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:06.115: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:07.183: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
*Mar 1 02:48:08.279: ICMP: echo reply sent, src 202.100.1.5, dst 202.100.1.6
5. VPN configuration

A. Guangzhou headquarters firewall FW1:

① Phase 1 policy:

crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
tunnel-group 202.100.1.6 type ipsec-l2l
tunnel-group 202.100.1.6 ipsec-attributes
 pre-shared-key cisco
tunnel-group 202.100.1.10 type ipsec-l2l
tunnel-group 202.100.1.10 ipsec-attributes
 pre-shared-key cisco

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic (crypto ACLs), including the other branch's network for each peer:

access-list VPN-GZ-to-BJ extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-GZ-to-BJ extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN-GZ-to-SH extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list VPN-GZ-to-SH extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

④ Crypto map, applied to the interface:

crypto map crymap 10 match address VPN-GZ-to-SH
crypto map crymap 10 set peer 202.100.1.6
crypto map crymap 10 set transform-set transet
crypto map crymap 20 match address VPN-GZ-to-BJ
crypto map crymap 20 set peer 202.100.1.10
crypto map crymap 20 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside

B. Beijing branch firewall FW2:

① Phase 1 policy:

crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
tunnel-group 202.100.1.2 type ipsec-l2l
tunnel-group 202.100.1.2 ipsec-attributes
 pre-shared-key cisco

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic (crypto ACL), including the Shanghai network:

access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

④ Crypto map, applied to the interface:

crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside

C. Shanghai branch router SHGW:

① Phase 1 policy:

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.100.1.2

② Phase 2 transform set:

crypto ipsec transform-set transet esp-des esp-md5-hmac

③ Interesting traffic (crypto ACL), including the Beijing network:

ip access-list extended VPN
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

④ Crypto map, applied to the interface:

crypto map crymap 10 ipsec-isakmp
 set peer 202.100.1.2
 set transform-set transet
 match address VPN
interface Ethernet0/1
 crypto map crymap

6. VPN test

A. Access the Guangzhou headquarters from the Beijing branch:

[screenshot 5.JPG]

BJpix# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 202.100.1.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

B. Access the Guangzhou headquarters from the Shanghai branch:

[screenshot 6.JPG]

SHGW# show crypto isakmp sa
dst             src             state          conn-id slot status
202.100.1.2     202.100.1.6     QM_IDLE              1    0 ACTIVE

SHGW# show crypto engine connections active

  ID Interface      IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Ethernet0/1    202.100.1.6     set    HMAC_MD5+DES_56_CB        0        0
2001 Ethernet0/1    202.100.1.6     set    DES+MD5                   4        0
2002 Ethernet0/1    202.100.1.6     set    DES+MD5                   0        4
C. Mutual access between Beijing and Shanghai via the headquarters:

[screenshot 7.JPG]

SHGW# show crypto engine connections active

  ID Interface      IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Ethernet0/1    202.100.1.6     set    HMAC_MD5+DES_56_CB        0        0
   2 Ethernet0/1    202.100.1.6     set    HMAC_MD5+DES_56_CB        0        0
2001 Ethernet0/1    202.100.1.6     set    DES+MD5                   4        0
2002 Ethernet0/1    202.100.1.6     set    DES+MD5                   0        4
2003 Ethernet0/1    202.100.1.6     set    DES+MD5                   4        0
2004 Ethernet0/1    202.100.1.6     set    DES+MD5                   0        3

SHGW# show crypto isakmp sa
dst             src             state          conn-id slot status
202.100.1.2     202.100.1.6     QM_IDLE              2    0 ACTIVE

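The hairpin only works because each spoke's crypto ACL and the hub's crypto map entry for that spoke are mirror images of each other; test C above shows the second IPsec SA pair (2003/2004) that the branch-to-branch ACE brings up. As an added example that is not part of the original post, the Python script below models the four crypto-ACL decisions a Beijing-to-Shanghai packet meets on its way through the hub and reports where a hub configured with only spoke-to-hub ACEs would stop matching it; the device names and ACL contents are transcribed from the lab configuration above, and the "hub-only" variant is a constructed comparison case.

```python
"""Check that hub and spoke crypto ACLs are mirror images, so a spoke-to-spoke
flow is matched at every crypto decision of the hairpin: spoke encrypt, hub
decrypt, hub encrypt, spoke decrypt."""
from ipaddress import ip_address, ip_network

# Crypto ACLs transcribed from the lab (constructed data; netmask and wildcard
# notation converted to prefixes). Key: (device, IPsec peer device).
# Each ACE is (source network, destination network) as written on that device.
LAB_ACLS = {
    ("FW2", "FW1"):  [("192.168.2.0/24", "192.168.1.0/24"), ("192.168.2.0/24", "192.168.3.0/24")],
    ("SHGW", "FW1"): [("192.168.3.0/24", "192.168.1.0/24"), ("192.168.3.0/24", "192.168.2.0/24")],
    ("FW1", "FW2"):  [("192.168.1.0/24", "192.168.2.0/24"), ("192.168.3.0/24", "192.168.2.0/24")],
    ("FW1", "SHGW"): [("192.168.1.0/24", "192.168.3.0/24"), ("192.168.2.0/24", "192.168.3.0/24")],
}

# Constructed comparison: the hub keeps only its first ACE per peer (plain
# spoke-to-hub tunnels, no branch-to-branch entries); the spokes are unchanged.
HUB_ONLY_ACLS = {k: (v[:1] if k[0] == "FW1" else v) for k, v in LAB_ACLS.items()}


def acl_matches(acl, src, dst):
    """True if any ACE of the crypto ACL covers the packet src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)


def hairpin_path(acls, src, dst, ingress, egress, hub="FW1"):
    """Walk the crypto decisions for a packet src -> dst sent from the ingress
    spoke to the egress spoke via the hub. A receiver checks decrypted traffic
    against the mirrored (dst -> src) form of its own crypto ACL, which is also
    what the Phase 2 proxy identities must agree on.
    Returns [(device, peer, action, matched), ...] in path order."""
    steps = [(ingress, hub, "encrypt"), (hub, ingress, "decrypt"),
             (hub, egress, "encrypt"), (egress, hub, "decrypt")]
    result = []
    for device, peer, action in steps:
        acl = acls.get((device, peer), [])
        ok = acl_matches(acl, src, dst) if action == "encrypt" else acl_matches(acl, dst, src)
        result.append((device, peer, action, ok))
    return result


def first_failure(acls, src, dst, ingress, egress):
    """(device, peer, action) of the first crypto decision that does not match, or None."""
    for device, peer, action, ok in hairpin_path(acls, src, dst, ingress, egress):
        if not ok:
            return (device, peer, action)
    return None


if __name__ == "__main__":
    for name, acls in (("lab", LAB_ACLS), ("hub-only", HUB_ONLY_ACLS)):
        print(name, "BJ->SH first failure:", first_failure(acls, "192.168.2.10", "192.168.3.10", "FW2", "SHGW"))
```

With the lab ACLs both directions pass all four checks; with the hub-only variant the Beijing spoke still encrypts the packet, but the hub's crypto map entry for Beijing does not match it, which is the point where a missing mirror ACE shows up.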