- Configure an IPSec VPN gateway between two ASA devices
- Configure the IKE parameters
- Configure the IPSec parameters
- Verify
Topology
Reference configuration
Step 1: Assign IP addresses and names to the interfaces, and configure routing
ASA1
ASA1(config)# interface ethernet 0/0
ASA1(config-if)# no shut
ASA1(config-if)# ip add 192.168.1.1 255.255.255.0
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# exit
ASA1(config)# interface e0/1
ASA1(config-if)# no shut
ASA1(config-if)# ip add 10.0.1.1 255.255.255.0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# exit
ASA1(config)# route outside 0 0 192.168.1.2
ASA2
ASA2(config)# interface ethernet 0/0
ASA2(config-if)# no shut
ASA2(config-if)# ip add 192.168.2.1 255.255.255.0
ASA2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA2(config-if)# exit
ASA2(config)# interface e0/1
ASA2(config-if)# no shut
ASA2(config-if)# ip add 20.0.2.1 255.255.255.0
ASA2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA2(config-if)# exit
ASA2(config)# route outside 0 0 192.168.2.2
Step 2: Create an ISAKMP policy on ASA1 and ASA2
ASA1
ASA1(config)# isakmp policy 1
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption 3des
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
ASA1(config-isakmp-policy)# encryption des
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# exit
ASA2
ASA2(config)# isakmp policy 1
ASA2(config-isakmp-policy)# authentication pre-share
ASA2(config-isakmp-policy)# encryption des
ASA2(config-isakmp-policy)# hash sha
ASA2(config-isakmp-policy)# exit
Step 3: Enable IKE on the outside interface
ASA1
ASA1(config)# isakmp enable outside
ASA1(config)# isakmp identity address
ASA1(config)# isakmp key cisco123 address 192.168.2.1 netmask 255.255.255.255
ASA2
ASA2(config)# isakmp enable outside
ASA2(config)# isakmp identity address
ASA2(config)# isakmp key cisco123 address 192.168.1.1 netmask 255.255.255.255
Step 4: Configure the tunnel-group type and attributes
ASA1
ASA1(config)#tunnel-group 192.168.2.1 type ipsec-l2l
ASA1(config)#tunnel-group 192.168.2.1 ipsec-attributes
ASA2
ASA2(config)#tunnel-group 192.168.1.1 type ipsec-l2l
ASA2(config)#tunnel-group 192.168.1.1 ipsec-attributes
Step 5: Create the ACL for the interesting traffic
ASA1
ASA1(config)#access-list vpnsite2site permit ip 10.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0
ASA1(config)#nat-control
ASA1(config)#nat (inside) 0 access-list vpnsite2site
(The ASA will exempt this traffic from NAT.)
ASA2
ASA2(config)#access-list vpnsite2site permit ip 20.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
ASA2(config)#nat-control
ASA2(config)#nat (inside) 0 access-list vpnsite2site
Step 6: Create a transform-set named MYSET
ASA1(config)# crypto ipsec transform-set MYSET esp-des
ASA2(config)# crypto ipsec transform-set MYSET esp-des
Step 7: Create the crypto map
ASA1
ASA1(config)# crypto map abcmap 1 match address vpnsite2site
ASA1(config)# crypto map abcmap 1 set peer 192.168.2.1
ASA1(config)# crypto map abcmap 1 set transform-set MYSET
ASA2
ASA2(config)# crypto map abcmap 1 match address vpnsite2site
ASA2(config)# crypto map abcmap 1 set peer 192.168.1.1
ASA2(config)# crypto map abcmap 1 set transform-set MYSET
Step 8: Apply the crypto map to the outside interface
ASA1(config)# crypto map abcmap interface outside
ASA2(config)# crypto map abcmap interface outside
Step 9: Verify
ASA1# show run crypto isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
ASA1# show run crypto ipsec
crypto ipsec transform-set MYSET esp-des esp-none
ASA1# show run crypto map
crypto map abcmap 1 match address vpnsite2site
crypto map abcmap 1 set peer 192.168.2.1
crypto map abcmap 1 set transform-set MYSET
crypto map abcmap interface outside
ASA1# show run tunnel-group
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
pre-shared-key *
ASA1# show run access-list
access-list vpnsite2site extended permit ip 10.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0
Ping between the two PCs to bring up and test the VPN tunnel
ASA1# show isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.2.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA1# show crypto ipsec sa
interface: outside
Crypto map tag: abcmap, seq num: 1, local addr: 192.168.1.1
access-list vpnsite2site permit ip 10.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.0.2.0/255.255.255.0/0/0)
current_peer: 192.168.2.1
#pkts encaps: 468, #pkts encrypt: 468, #pkts digest: 0
#pkts decaps: 453, #pkts decrypt: 453, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 468, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
path mtu 1500, ipsec overhead 46, media mtu 1500
current outbound spi: C56F24CD
inbound esp sas:
spi: 0xD9A5378B (3651483531)
transform: esp-des esp-none none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4, crypto-map: abcmap
sa timing: remaining key lifetime (kB/sec): (3824973/27366)
IV size: 8 bytes
replay detection support: N
outbound esp sas:
spi: 0xC56F24CD (3312395469)
transform: esp-des esp-none none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4, crypto-map: abcmap
sa timing: remaining key lifetime (kB/sec): (3824973/27363)
IV size: 8 bytes
replay detection support: N
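The two sides of an L2L tunnel must be mirror images of each other: each peer address is the other unit's outside address, the pre-shared key is bound to that address on both ends, the interesting-traffic ACL is reversed, and the transform set is identical. The script below is an added example, not part of the original lab: it parses the commands entered in Steps 3 to 7 (the input is constructed from this lab, prompts stripped) and reports mismatches that would stop the tunnel from negotiating; `weak_transforms` additionally flags the esp-des fallback that the lab uses because 3DES/AES require an activation key.

```python
from ipaddress import ip_network

# Constructed input: the VPN-related commands typed on ASA1 in this lab
# (prompts stripped). ASA2 is the mirror image: peer swapped, ACL reversed.
ASA1_OUTSIDE, ASA2_OUTSIDE = "192.168.1.1", "192.168.2.1"
ASA1_CFG = """
isakmp key cisco123 address 192.168.2.1 netmask 255.255.255.255
access-list vpnsite2site permit ip 10.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0
crypto ipsec transform-set MYSET esp-des
crypto map abcmap 1 match address vpnsite2site
crypto map abcmap 1 set peer 192.168.2.1
crypto map abcmap 1 set transform-set MYSET
"""
ASA2_CFG = ASA1_CFG.replace("192.168.2.1", "192.168.1.1").replace(
    "10.0.1.0 255.255.255.0 20.0.2.0", "20.0.2.0 255.255.255.0 10.0.1.0")

def parse(cfg):
    """Extract PSKs, ACL entries, transform set and crypto-map settings."""
    c = {"acl": {}, "psk": {}}
    for line in cfg.splitlines():
        t = line.split() or [""]                 # blank line matches nothing
        if t[:2] == ["isakmp", "key"]:
            c["psk"][t[4]] = t[2]                # peer address -> key
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit")                # tolerates optional 'extended'
            c["acl"].setdefault(t[1], set()).add(
                (ip_network(f"{t[i+2]}/{t[i+3]}"), ip_network(f"{t[i+4]}/{t[i+5]}")))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tset"] = (t[3], tuple(t[4:]))
        elif t[:2] == ["crypto", "map"] and len(t) > 6:
            c[t[5]] = t[6]    # 'address', 'peer' or 'transform-set' -> value
    return c

def mirror_findings(cfg_a, out_a, cfg_b, out_b):
    """Mismatches that would stop the L2L tunnel from coming up; [] means OK."""
    a, b = parse(cfg_a), parse(cfg_b)
    f = []
    for me, remote in ((a, out_b), (b, out_a)):
        if me.get("peer") != remote:
            f.append(f"set peer {me.get('peer')} is not the remote outside {remote}")
    if a["psk"].get(out_b) is None or a["psk"].get(out_b) != b["psk"].get(out_a):
        f.append("pre-shared keys differ or are bound to the wrong peer address")
    acl_a = a["acl"].get(a.get("address"), set())
    if {(d, s) for s, d in acl_a} != b["acl"].get(b.get("address"), set()):
        f.append("interesting-traffic ACLs are not mirror images of each other")
    if a["tset"][1] != b["tset"][1]:
        f.append(f"transform sets differ: {a['tset'][1]} vs {b['tset'][1]}")
    return f

def weak_transforms(cfg):
    # ESP transforms that give no real confidentiality or no integrity check
    return [x for x in parse(cfg)["tset"][1] if x in ("esp-des", "esp-none", "esp-null")]
```

Run `mirror_findings(ASA1_CFG, ASA1_OUTSIDE, ASA2_CFG, ASA2_OUTSIDE)` before pinging across the tunnel; an empty list means the two configurations agree on everything IKE phase 1 and 2 will compare.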