VPN site to site



voinuoc
22-09-2007, 09:50 AM
SITE-TO-SITE VPN CONFIGURATION

Objective

Configure a VPN gateway using IPSec between 2 ASA devices
- Configure the IKE parameters
- Configure the IPSec parameters
- Verify

Topology

http://i199.photobucket.com/albums/aa6/voinuoc/topovpnsite2site.jpg

Reference configuration

Step 1: Assign IP addresses and names to the interfaces and configure routing

ASA1

ASA1(config)# interface ethernet 0/0
ASA1(config-if)# no shut
ASA1(config-if)# ip add 192.168.1.1 255.255.255.0
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# exit

ASA1(config)# interface e0/1
ASA1(config-if)# no shut
ASA1(config-if)# ip add 10.0.1.1 255.255.255.0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# exit

ASA1(config)# route outside 0 0 192.168.1.2


ASA2

ASA2(config)# interface ethernet 0/0
ASA2(config-if)# no shut
ASA2(config-if)# ip add 192.168.2.1 255.255.255.0
ASA2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA2(config-if)# exit

ASA2(config)# interface e0/1
ASA2(config-if)# no shut
ASA2(config-if)# ip add 20.0.2.1 255.255.255.0
ASA2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA2(config-if)# exit

ASA2(config)# route outside 0 0 192.168.2.2


Step 2: Create the isakmp policy on ASA1 and ASA2

ASA1

ASA1(config)# isakmp policy 1
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption 3des
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
ASA1(config-isakmp-policy)# encryption des
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# exit


ASA2

ASA2(config)# isakmp policy 1
ASA2(config-isakmp-policy)# authentication pre-share
ASA2(config-isakmp-policy)# encryption des
ASA2(config-isakmp-policy)# hash sha
ASA2(config-isakmp-policy)# exit


Step 3: Enable IKE on the outside interface

ASA1

ASA1(config)# isakmp enable outside
ASA1(config)# isakmp identity address
ASA1(config)# isakmp key cisco123 address 192.168.2.1 netmask 255.255.255.255


ASA2

ASA2(config)# isakmp enable outside
ASA2(config)# isakmp identity address
ASA2(config)# isakmp key cisco123 address 192.168.1.1 netmask 255.255.255.255

Step 4: Configure the tunnel-group type/attributes

ASA1

ASA1(config)#tunnel-group 192.168.2.1 type ipsec-l2l
ASA1(config)#tunnel-group 192.168.2.1 ipsec-attributes

ASA2

ASA2(config)#tunnel-group 192.168.1.1 type ipsec-l2l
ASA2(config)#tunnel-group 192.168.1.1 ipsec-attributes

Step 5: Create the ACL for interesting traffic

ASA1

ASA1(config)#access-list vpnsite2site permit ip 10.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0
ASA1(config)#nat-control
ASA1(config)#nat (inside) 0 access-list vpnsite2site
(The ASA will skip NAT for this traffic.)


ASA2

ASA2(config)#access-list vpnsite2site permit ip 20.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
ASA2(config)#nat-control
ASA2(config)#nat (inside) 0 access-list vpnsite2site


Step 6: Create a transform-set named MYSET

ASA1(config)# crypto ipsec transform-set MYSET esp-des

ASA2(config)# crypto ipsec transform-set MYSET esp-des

Step 7: Create the crypto map
ASA1

ASA1(config)# crypto map abcmap 1 match address vpnsite2site
ASA1(config)# crypto map abcmap 1 set peer 192.168.2.1
ASA1(config)# crypto map abcmap 1 set transform-set MYSET

ASA2

ASA2(config)# crypto map abcmap 1 match address vpnsite2site
ASA2(config)# crypto map abcmap 1 set peer 192.168.1.1
ASA2(config)# crypto map abcmap 1 set transform-set MYSET

Step 8: Apply the crypto map to the outside interface

ASA1(config)# crypto map abcmap interface outside
ASA2(config)# crypto map abcmap interface outside

Step 9: Verify

ASA1# show run crypto isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
ASA1# show run crypto ipsec
crypto ipsec transform-set MYSET esp-des esp-none

ASA1# show run crypto map
crypto map abcmap 1 match address vpnsite2site
crypto map abcmap 1 set peer 192.168.2.1
crypto map abcmap 1 set transform-set MYSET
crypto map abcmap interface outside

ASA1# show run tunnel-group
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
pre-shared-key *

ASA1# show run access-list
access-list vpnsite2site extended permit ip 10.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0

Ping between the 2 PCs to test the VPN tunnel


http://i199.photobucket.com/albums/aa6/voinuoc/pingtaotunnel.jpg

ASA1# show isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.2.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

ASA1# show crypto isakmp ipsec sa
interface: outside
Crypto map tag: abcmap, seq num: 1, local addr: 192.168.1.1
access-list vpnsite2site permit ip 10.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.0.2.0/255.255.255.0/0/0)
current_peer: 192.168.2.1
#pkts encaps: 468, #pkts encrypt: 468, #pkts digest: 0
#pkts decaps: 453, #pkts decrypt: 453, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 468, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
path mtu 1500, ipsec overhead 46, media mtu 1500
current outbound spi: C56F24CD
inbound esp sas:
spi: 0xD9A5378B (3651483531)
transform: esp-des esp-none none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4, crypto-map: abcmap
sa timing: remaining key lifetime (kB/sec): (3824973/27366)
IV size: 8 bytes
replay detection support: N
outbound esp sas:
spi: 0xC56F24CD (3312395469)
transform: esp-des esp-none none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4, crypto-map: abcmap
sa timing: remaining key lifetime (kB/sec): (3824973/27363)
IV size: 8 bytes
replay detection support: N
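As an added check that is not part of the original post, the following Python parses each peer's `show run crypto isakmp` output and crypto ACL and reports whether an IKE phase 1 policy pair exists and whether the peer's ACL mirrors the local one. The ASA1 text is taken from the lab above; the ASA2 text with 3des and a shorter lifetime is a constructed example of the mismatch discussed later in the thread.

```python
import re

# Constructed inputs: ASA1's isakmp block and crypto ACL as the lab shows them,
# plus a hypothetical ASA2 whose policy 1 uses 3des and a different lifetime.
ASA1_ISAKMP = """crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400"""
ASA2_ISAKMP_3DES = """crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200"""
ASA1_ACL = "access-list vpnsite2site extended permit ip 10.0.1.0 255.255.255.0 20.0.2.0 255.255.255.0"
ASA2_ACL = "access-list vpnsite2site permit ip 20.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0"

ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
MATCH_KEYS = ATTRS[:4]  # lifetime is negotiated down to the lower value, so it need not match

def parse_isakmp_policies(show_run):
    """Map policy priority -> {attribute: value} from 'show run crypto isakmp' output."""
    policies, current = {}, None
    for words in (line.split() for line in show_run.splitlines()):
        if words[:3] == ["crypto", "isakmp", "policy"]:
            current = policies.setdefault(int(words[3]), {})
        elif current is not None and words and words[0] in ATTRS:
            current[words[0]] = words[1]
    return policies

def phase1_match(local, remote):
    """First (local, remote) priority pair agreeing on auth/encryption/hash/group, tried in priority order; None if phase 1 cannot form."""
    for lp, lpol in sorted(local.items()):
        for rp, rpol in sorted(remote.items()):
            if all(lpol.get(k) == rpol.get(k) for k in MATCH_KEYS):
                return lp, rp
    return None

ACL_RE = re.compile(r"access-list \S+ (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")

def acls_mirror(local_acl, remote_acl):
    """True when the peer's crypto ACL is the exact reverse of the local one."""
    l, r = ACL_RE.search(local_acl), ACL_RE.search(remote_acl)
    return bool(l and r) and l.group(1, 2) == r.group(3, 4) and l.group(3, 4) == r.group(1, 2)
```

Running `phase1_match` on the two lab peers returns a pair because both use des/sha/pre-share/group 2; against the constructed 3des-only ASA2 it returns None, which is the failure the thread describes.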

coltechk50db
26-04-2009, 12:22 PM
ASA1

ASA1(config)# isakmp policy 1
ASA1(config-isakmp-policy)# authentication pre-share
ASA1(config-isakmp-policy)# encryption 3des
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
ASA1(config-isakmp-policy)# encryption des
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# exit

ASA2

ASA2(config)# isakmp policy 1
ASA2(config-isakmp-policy)# authentication pre-share
ASA2(config-isakmp-policy)# encryption des
ASA2(config-isakmp-policy)# hash sha
ASA2(config-isakmp-policy)# exit

The two ASAs have different encryption, des on ASA1 and 3des on ASA2, and it still works?

danghoangkhanh
26-04-2009, 02:52 PM
Hi,

The Phase 1 encryption type must match on both sides. ASA1 is still des. Look again and you will see


ASA1(config-isakmp-policy)# encryption 3des
The 3DES/AES algorithms require a VPN-3DES-AES activation key.
ASA1(config-isakmp-policy)# encryption des

letrang0207hp
05-05-2010, 03:18 PM
I have an assignment to study site-to-site VPN on Windows Server 2003, please help me, it is for the MCSA course (70-291), thanks

Iaminforum
05-05-2010, 05:50 PM
Then open the 291 lab book, you are working in Microsoft Windows, this forum only answers questions about configuring Cisco devices

letrang0207hp
06-05-2010, 09:23 AM
I have read the book, but that is still not enough for me to understand it. I am studying Cisco and have an assignment to do on site-to-site VPN; if you have any material, please help me, thank you very much

thanhnam0707
06-05-2010, 08:22 PM
Besides site to site on the ASA, it can also be done on a Router; the lab above is quite standard for the ASA. letrang0207hp, where do you plan to do the VPN? If you do it with Microsoft, the security will not be higher than Cisco.