Implement IPSec virtual private networks on Cisco's ASA firewalls and routers

Table of contents
I. IPSec virtual private network troubleshooting
II. Configuring the firewall and router for the IPSec virtual private network
III. Summary

The working principle and concepts of IPSec virtual private networks were covered in detail in the earlier post, Cisco router IPSec virtual private network principles and detailed configuration, which used a Cisco router as the company gateway to build the virtual private network. Today's post configures the IPSec virtual private network on an ASA firewall instead.

Because the term "Virtual Private Network" (you can tell from the initials what it is) is a sensitive word, its full name "virtual private network" is used throughout this post instead.

I. IPSec virtual private network troubleshooting

IPSec virtual private networks are very widely used at work, so besides knowing how to build a virtual private network between IPSec peers, you also need some troubleshooting ability.

1. The "show crypto isakmp sa" command

As mentioned in the post linked above, the "show crypto isakmp sa" command shows which state the management connection is in (only main mode is covered here).

  • MM_NO_STATE: the initial state of ISAKMP SA establishment; a management connection that fails to come up stays in this state.

  • MM_SA_SETUP: the ISAKMP policy negotiation between the peers has succeeded.

  • MM_KEY_EXCH: the peers have established a shared key with the DH algorithm; the devices have not yet authenticated each other.

  • MM_KEY_AUTH: the peer devices have authenticated successfully; the SA then transitions to the QM_IDLE state.

  • QM_IDLE: the management connection is established and the Phase 2 data connection is about to be set up.

2. The "debug crypto isakmp" command

If you want to see the whole process in more detail, use the "debug crypto isakmp" command; it is the most commonly used command for diagnosing management connection problems.

If the encryption algorithm on the router is changed from DES to 3DES, the Phase 1 encryption algorithms of the two peers obviously no longer match, and this is clearly visible in the "debug crypto isakmp" output. As shown below:
[Figure: "debug crypto isakmp" output showing the Phase 1 encryption algorithm mismatch]

The router still compares the offer against its policies one by one, and on finding "Encryption algorthm offered does not match policy!" (the encryption algorithm does not match) it reports "atts are not acceptable" (the policy is not accepted). The router then compares the offer against its local default policy; if that still does not match, it concludes "no offers accepted!" (no policy matched), and finally the router returns to the "MM_NO_STATE" state.
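To make the policy walk described above concrete, here is an added example (not code from the original post) that models how an IOS responder compares a Phase 1 proposal against its policies in priority order and then the default policy; the policy values are constructed to match the DES/3DES mismatch scenario.

```python
# Added example (not from the original post): a small model of how an IOS
# responder walks its ISAKMP policies when a Phase 1 proposal arrives, so the
# "debug crypto isakmp" messages quoted above can be reproduced offline.
# Policy values are constructed for illustration; lifetime is left out because
# IOS negotiates it down to the smaller value instead of requiring a match.

ATTRS = ("encryption", "hash", "authentication", "group")

# IOS consults this built-in default policy only after every configured policy failed.
DEFAULT_POLICY = {"encryption": "des", "hash": "sha",
                  "authentication": "rsa-sig", "group": 1}

def first_mismatch(offer, policy):
    """Return the first attribute on which offer and policy differ, else None."""
    for attr in ATTRS:
        if offer[attr] != policy[attr]:
            return attr
    return None

def negotiate(offer, policies):
    """Compare the peer's offer against policies in priority order (lowest
    number first), then the default policy. Returns (matched, log) where
    matched is the policy number, "default", or None for "no offers accepted"."""
    log = []
    for prio in sorted(policies):
        attr = first_mismatch(offer, policies[prio])
        if attr is None:
            log.append(f"policy {prio}: atts are acceptable")
            return prio, log
        log.append(f"policy {prio}: {attr} offered does not match policy! "
                   "atts are not acceptable")
    if first_mismatch(offer, DEFAULT_POLICY) is None:
        log.append("default policy: atts are acceptable")
        return "default", log
    log.append("no offers accepted! ISAKMP SA falls back to MM_NO_STATE")
    return None, log

# Scenario from the post: the local router was changed to 3DES while the peer
# still proposes DES (constructed values matching that description).
LOCAL_POLICIES = {1: {"encryption": "3des", "hash": "sha",
                      "authentication": "pre-share", "group": 2}}
PEER_OFFER = {"encryption": "des", "hash": "sha",
              "authentication": "pre-share", "group": 2}

if __name__ == "__main__":
    matched, log = negotiate(PEER_OFFER, LOCAL_POLICIES)
    print("\n".join(log))
    print("matched:", matched)
```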

II. Configuring the firewall and router for the IPSec virtual private network

1. The network environment is as follows:

[Figure: network topology, PC1 (192.168.10.0/24) - ASA-1 - ISP router - R1 - PC2 (192.168.20.0/24); addressing is given in the configuration below]

2. Environment analysis:

1) The head office uses the 192.168.10.0/24 network and the branch uses 192.168.20.0/24. The ISP router acts as the public Internet router. ASA-1 and R1 are the gateways of the head office and the branch respectively, so each must have a default route pointing to the public-network router.
2) A virtual private network is established between the head office's internal network and the branch's internal network. Without any further configuration, however, this affects Internet access; in practice both are usually required, so the virtual private network must be built while Internet access keeps working, and this problem has to be solved.

3. The requirements are as follows:

1) The head-office 192.168.10.0/24 segment and the branch 192.168.20.0/24 segment must communicate with each other through the virtual private network, without affecting either segment's access to the public network, i.e. the ISP router (public network access is implemented with the PAT port multiplexing technique; no routes are configured on the ISP router).

4. Start the configuration:

Configure basic network parameters

1) ASA configuration:
ASA(config)# int eth0/0     #enter the interface
ASA(config-if)# nameif outside   #name the interface outside
ASA(config-if)# ip add 192.168.100.1 255.255.255.0   #assign the interface IP address
ASA(config-if)# no shu   #enable the interface
ASA(config-if)# exit
ASA(config)# int eth0/1     #enter the interface
ASA(config-if)# nameif inside   #name the interface inside
ASA(config-if)# ip add 192.168.10.254 255.255.255.0  #assign the interface IP address
ASA(config-if)# no shu   #enable the interface
ASA(config-if)# exit
ASA(config)# route outside 0 0 192.168.100.254   #default route towards the public network
ASA(config)# access-list out_to_in permit ip any any   #ACL allowing all traffic from outside into inside (lab shortcut)
ASA(config)# access-group out_to_in in interface outside #apply the ACL inbound on the outside interface

2) ISP configuration:
ISP(config)#int f0/0          #(see the comments above for each command)
ISP(config-if)#ip add 192.168.100.254 255.255.255.0
ISP(config-if)#no shutdown 
ISP(config-if)#exit
ISP(config)#int f1/0
ISP(config-if)#ip add 192.168.200.254 255.255.255.0  
ISP(config-if)#no shutdown 
ISP(config-if)#exit 
ISP(config)#int loopback 0   #create interface loopback 0 (simulates the Internet)
ISP(config-if)#ip add 100.100.100.100 255.255.255.255   #assign the IP address
ISP(config-if)#no shutdown   #enable the interface
ISP(config-if)#exit

3) R1 configuration:
R1(config)#int f1/0
R1(config-if)#ip add 192.168.200.1 255.255.255.0
R1(config-if)#no shutdown 
R1(config-if)#exit
R1(config)#int f0/0
R1(config-if)#ip add 192.168.20.254 255.255.255.0
R1(config-if)#no shutdown 
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.200.254   #default route towards the public network

4) PC1 configuration:
PC1(config)#no ip routing  #disable routing (the router acts as a host)
PC1(config)#int f0/0
PC1(config-if)#ip add 192.168.10.1 255.255.255.0
PC1(config-if)#no shutdown 
PC1(config-if)#exit
PC1(config)#ip default-gateway 192.168.10.254  #configure the default gateway
PC1(config)#exit

5) PC2 configuration:
PC2(config)#no ip routing
PC2(config)#int f0/0
PC2(config-if)#ip add 192.168.20.1 255.255.255.0
PC2(config-if)#no shutdown 
PC2(config-if)#exit
PC2(config)#ip default-gateway 192.168.20.254
PC2(config)#exit

Configuring the IPSec virtual private network

R1 is configured as follows:

R1(config)#crypto isakmp policy 1 #policy sequence number "1"; range 1~10000, the smaller the number the higher the priority
R1(config-isakmp)#encryption aes    #encryption algorithm
R1(config-isakmp)#hash sha    #hash algorithm used during authentication
R1(config-isakmp)#authentication pre-share    #authentication method: pre-shared key
R1(config-isakmp)#lifetime 86400   #SA lifetime; the default is 24 hours
R1(config-isakmp)#group 2     #DH group used to derive the shared key
R1(config-isakmp)#exit
R1(config)# access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255   #ACL matching the traffic that must go through the virtual private network
R1(config)#crypto ipsec transform-set sh-set esp-aes esp-sha-hmac #transform set specifying the encryption and authentication algorithms
R1(cfg-crypto-trans)#exit
R1(config)#crypto isakmp key 0 pwd@123 address 192.168.100.1  #pre-shared key and peer IP address for the IPSec virtual private network connection
R1(config)#crypto map sh-虚拟专用网简写 1 ipsec-isakmp   #create the crypto map named sh-虚拟专用网简写
R1(config-crypto-map)#match address 100  #reference the ACL that matches local virtual private network traffic
R1(config-crypto-map)#set peer 192.168.100.1 #peer IP address
R1(config-crypto-map)#set transform-set sh-set  #reference the locally created transform set
R1(config-crypto-map)#exit
R1(config)#interface fastEthernet 1/0   #enter the outside interface (f1/0)
R1(config-if)#crypto map sh-虚拟专用网简写   #apply the crypto map

The ASA firewall is configured as follows:

ASA(config)# crypto isakmp policy 1 #policy sequence number "1"; range 1~10000, the smaller the number the higher the priority
ASA(config-isakmp-policy)# encryption aes   #encryption algorithm
ASA(config-isakmp-policy)# hash sha    #hash algorithm used during authentication
ASA(config-isakmp-policy)# authentication pre-share   #authentication method: pre-shared key
ASA(config-isakmp-policy)# lifetime 86400   #SA lifetime; the default is 24 hours
ASA(config-isakmp-policy)# group 2    #DH group used to derive the shared key
ASA(config-isakmp-policy)# exit
ASA(config)# access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 #ACL matching the traffic that must go through the virtual private network (the firewall uses normal subnet masks, the router uses wildcard masks)
ASA(config)# crypto ipsec transform-set bj-set esp-aes esp-sha-hmac #transform set specifying the encryption and authentication algorithms
ASA(config)# crypto isakmp key pwd@123 address 192.168.200.1 #pre-shared key and peer IP address for the IPSec virtual private network connection
ASA(config)# crypto map bj-虚拟专用网简写 1 match address 100  #reference the ACL that identifies virtual private network traffic
ASA(config)# crypto map bj-虚拟专用网简写 1 set peer 192.168.200.1 #peer IP address
ASA(config)# crypto map bj-虚拟专用网简写 1 set transform-set bj-set   #reference the locally created transform set
ASA(config)# crypto isakmp enable outside    #enable IKE negotiation on the outside interface
ASA(config)# crypto map bj-虚拟专用网简写 interface outside  #apply the crypto map to the outside interface

5. Verify the IPSec virtual private network

Check that the IPSec virtual private network management connection has been established:
[Figure: "show crypto isakmp sa" output on R1]

[Figure: "show crypto isakmp sa" output on the ASA]
The IPSec virtual private network configuration is now complete and PC1 and PC2 can communicate with each other. Next, NAT is configured on both gateways so that the two PCs can also access the Internet (i.e. the loopback 0 interface of the ISP router).

6. NAT configuration to give the clients Internet access

At this point neither PC can ping the loopback 0 interface of the ISP router. As shown below:
[Figure: failed pings from PC1 and PC2 to the ISP loopback 0 address]

The ASA firewall is configured as follows:

ASA(config)# nat (inside) 1 192.168.10.0 255.255.255.0 #translate the internal segment to the outside interface address
ASA(config)# global (outside) 1 interface  #use the outside interface address as the PAT address
ASA(config)# fixup protocol icmp  #enable ICMP inspection, which is off by default on the firewall
ASA(config)# nat-control   #enable NAT control
ASA(config)# access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0   #ACL matching the virtual private network traffic
ASA(config)# nat (inside) 0 access-list nonat   #NAT exemption: traffic matched by nonat is not translated

R1 is configured as follows:

R1(config)#access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255     #ACL excluding the virtual private network traffic from NAT
R1(config)#access-list 110 permit ip any any   #all other traffic is translated
R1(config)#ip nat inside source list 110 int f1/0 overload   #PAT with port multiplexing, giving the internal network Internet access
R1(config)#int f1/0  #enter the interface
R1(config-if)#ip nat outside #enable NAT, this interface is outside
R1(config-if)#int f0/0  #enter the interface
R1(config-if)#ip nat inside   #enable NAT, this interface is inside
R1(config-if)#exit

At this point the experiment meets all the requirements: both networks can access the Internet, and this does not affect PC1 and PC2 communicating with each other through the virtual private network.
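The parts of the two configurations above that have to agree with each other (mirrored crypto ACLs, wildcard vs. subnet masks, the NAT exemption covering the same networks as the crypto ACL, peer addresses, key and transform set) are easy to get wrong; the following added example, not code from the original post, transcribes the post's values into a small consistency check (the dict layout and function names are my own).

```python
# Added example (not part of the original post): a pre-flight consistency check
# over the two configurations above. The router writes ACLs with wildcard masks
# and the ASA with subnet masks; the crypto ACLs must be mirror images, and each
# side's NAT-exempt ACL must cover the same network pair as its crypto ACL or
# the virtual private network traffic gets translated by PAT. Values are
# transcribed from the post's configuration; the dict layout is my own.
import ipaddress

def wildcard_to_net(addr, wildcard):
    """Router-style 'addr wildcard' (inverted mask) -> IPv4Network."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}")

def mask_to_net(addr, mask):
    """ASA-style 'addr mask' -> IPv4Network."""
    return ipaddress.ip_network(f"{addr}/{mask}")

def is_mirror(a, b):
    """(src, dst) pairs mirror each other when a's src is b's dst and vice versa."""
    return a[0] == b[1] and a[1] == b[0]

def check_site_to_site(r, a):
    """Return a list of problems found between router side r and ASA side a."""
    problems = []
    if not is_mirror(r["crypto_acl"], a["crypto_acl"]):
        problems.append("crypto ACLs are not mirror images")
    if r["crypto_acl"] != r["nat_exempt"]:
        problems.append("router ACL 110 deny line does not match crypto ACL 100")
    if a["crypto_acl"] != a["nat_exempt"]:
        problems.append("ASA nonat ACL does not match crypto ACL 100")
    if r["peer"] != a["outside_ip"] or a["peer"] != r["outside_ip"]:
        problems.append("set peer does not point at the other side's outside address")
    if r["psk"] != a["psk"]:
        problems.append("pre-shared keys differ")
    if set(r["transform"]) != set(a["transform"]):
        problems.append("transform sets differ")
    return problems

SH = (wildcard_to_net("192.168.20.0", "0.0.0.255"), wildcard_to_net("192.168.10.0", "0.0.0.255"))
R1 = {"crypto_acl": SH, "nat_exempt": SH, "peer": "192.168.100.1",
      "outside_ip": "192.168.200.1", "psk": "pwd@123",
      "transform": ("esp-aes", "esp-sha-hmac")}
BJ = (mask_to_net("192.168.10.0", "255.255.255.0"), mask_to_net("192.168.20.0", "255.255.255.0"))
ASA = {"crypto_acl": BJ, "nat_exempt": BJ, "peer": "192.168.200.1",
       "outside_ip": "192.168.100.1", "psk": "pwd@123",
       "transform": ("esp-aes", "esp-sha-hmac")}

if __name__ == "__main__":
    print(check_site_to_site(R1, ASA) or "configuration is consistent")
```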

7. Verify the NAT configuration

[Figure: successful pings from PC1 and PC2 to the ISP loopback 0 address]
[Figure: successful ping from PC1 to PC2 through the virtual private network]
As the figures show, both networks can access the Internet, and PC1 and PC2 can still communicate through the virtual private network.

III. Summary

1. During data connection establishment the ASA firewall supports only ESP, so the router end must also use ESP for data authentication; only then can the router and the ASA establish a data connection.

2. IKE negotiation is enabled by default on the router, but on the ASA it is disabled by default and must be enabled with the command "crypto isakmp enable outside".

3. The firewall does not support the "show crypto isakmp policy" command; view the policy with "show run" instead.

4. By default the ASA permits all virtual private network traffic, because virtual private network traffic is regarded as secure, so the ASA gives it the green light (this is the default "sysopt connection permit-vpn" behaviour, which bypasses the interface ACLs for decrypted traffic).

-------- end of this article, thanks for reading --------

Origin blog.51cto.com/14156658/2437858