H3C IPsec - NAT environment

January 8, 2021

In some deployments a branch office uses dial-up Internet access and is assigned a private address (the carrier performs another round of NAT). As long as headquarters has a public IP, the branch can still reach headquarters over IPsec, but only the branch router can initiate the IPsec connection.

In this situation the branch has no public IP and its traffic also passes through the carrier's NAT device. When configuring IPsec, the branch router must authenticate with a name-based identity: the NAT device rewrites the IP address, so the address cannot serve as the identity of the IPsec peer. Using a name as the identity in turn requires IKE phase 1 to run in aggressive mode.

When the branch sits behind a NAT device, the headquarters router's ipsec policy must use a template (ipsec policy-template). Normally an ipsec policy specifies the peer's IP, but with the branch behind NAT the headquarters router cannot specify the branch router's IP. With a template no peer IP needs to be specified.

Topology

(Topology diagram: image not reproduced)

This topology contains two IPsec VPNs, one between Hub and Spoke1 and one between Hub and Spoke2. The Hub router has a public IP, the Spoke1 router has a public IP, and the Spoke2 router does not. The IPsec between Hub and Spoke1 uses main mode; the IPsec between Hub and Spoke2 uses aggressive mode.

NAT is configured on the Internet router to translate Spoke2's address, which simulates the NAT environment.

Configuration

Hub router

[Hub]dis cu
#
 version 7.1.064, Release 0621P18
#
interface GigabitEthernet1/0
 ip address 10.55.55.52 255.255.255.0
 nat outbound 3000
 ipsec apply policy policy-1
#
interface GigabitEthernet2/0
 ip address 10.1.1.1 255.255.255.252
#
 ip route-static 0.0.0.0 0 10.55.55.1
 ip route-static 172.16.2.0 24 10.55.55.53
#              
acl advanced 3000
 rule 10 deny ip source 10.1.2.0 0.0.0.255 destination 172.17.1.0 0.0.0.255
 rule 15 deny ip source 10.1.3.0 0.0.0.255 destination 172.17.1.0 0.0.0.255
 rule 20 deny ip source 10.1.2.0 0.0.0.255 destination 172.17.2.0 0.0.0.255
 rule 25 deny ip source 10.1.3.0 0.0.0.255 destination 172.17.2.0 0.0.0.255
 rule 1000 permit ip
#
acl advanced 3001
 rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 172.17.1.0 0.0.0.255
 rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 172.17.1.0 0.0.0.255
#
acl advanced 3002
 rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 172.17.2.0 0.0.0.255
 rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 172.17.2.0 0.0.0.255
#
ipsec transform-set trans-set-1
 esp encryption-algorithm 3des-cbc 
 esp authentication-algorithm md5 
#
ipsec policy-template template-1 10
 transform-set trans-set-1 
 local-address 10.55.55.52
 ike-profile profile-spoke2
#
ipsec policy policy-1 10 isakmp template template-1
#
ipsec policy policy-1 30 isakmp
 transform-set trans-set-1 
 security acl 3001 
 local-address 10.55.55.52
 remote-address 172.16.2.2
 ike-profile profile-1
#
ike profile profile-1
 keychain keychain-1
 local-identity address 10.55.55.52
 match remote identity address 172.16.2.2 255.255.255.255
 proposal 1 
#
ike profile profile-spoke2
 keychain keychain-spoke2
 exchange-mode aggressive
 local-identity address 10.55.55.52
 match remote identity fqdn spoke2
 proposal 1 
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
ike keychain keychain-1
 pre-shared-key address 172.16.2.2 255.255.255.255 key cipher $c$3$03X10VFR0Sq1BpPgANZ8P2zOuQZuMA==
#
ike keychain keychain-spoke2
 pre-shared-key hostname spoke2 key cipher $c$3$9OLU5K2zCJ1Y6/zW1JhHNnbLtVCFiQ==
#
return

Spoke1 router

[spoke1]dis cu
#
 version 7.1.064, Release 0621P18
#
interface GigabitEthernet1/0
 ip address 172.16.2.2 255.255.255.0
 mirroring-group 1 mirroring-port both
 nat outbound 3000
 ipsec apply policy policy-1
#              
interface GigabitEthernet2/0
 ip address 172.17.1.1 255.255.255.0
#
 ip route-static 0.0.0.0 0 172.16.2.1
#
acl advanced 3000
 rule 10 deny ip source 172.17.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 15 deny ip source 172.16.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
 rule 1000 permit ip
#
acl advanced 3001
 rule 0 permit ip source 172.17.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 5 permit ip source 172.17.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ipsec transform-set trans-set-1
 esp encryption-algorithm 3des-cbc 
 esp authentication-algorithm md5 
#
ipsec policy-template template-1 10
 transform-set trans-set-1 
 security acl 3001 
 local-address 10.55.55.53
 remote-address 10.55.55.52
 ike-profile profile-1
 sa idle-time 86400
#
ipsec policy policy-1 30 isakmp
 transform-set trans-set-1 
 security acl 3001 
 local-address 172.16.2.2
 remote-address 10.55.55.52
 ike-profile profile-1
#
ike profile profile-1
 keychain keychain-1
 local-identity address 172.16.2.2
 match remote identity address 10.55.55.52 255.255.255.255
 proposal 1 
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
ike keychain keychain-1
 pre-shared-key address 10.55.55.52 255.255.255.255 key cipher $c$3$3g5t82J4iYiWSDvwzUOq3C8E6OVoYg==
#
return

Spoke2 router

[spoke2]dis cu
#
 version 7.1.064, Release 0621P18
#
interface GigabitEthernet1/0
 ip address 172.16.3.2 255.255.255.0
 mirroring-group 1 mirroring-port both
 nat outbound 3000
 ipsec apply policy policy-1
#
interface GigabitEthernet2/0
 ip address 172.17.2.1 255.255.255.0
#
 ip route-static 0.0.0.0 0 172.16.3.1
#
acl advanced 3000
 rule 10 deny ip source 172.17.2.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 15 deny ip source 172.17.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
 rule 1000 permit ip
#
acl advanced 3001
 rule 0 permit ip source 172.17.2.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 5 permit ip source 172.17.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#              
ipsec transform-set trans-set-1
 esp encryption-algorithm 3des-cbc 
 esp authentication-algorithm md5 
#
ipsec policy policy-1 10 isakmp
 transform-set trans-set-1 
 security acl 3001 
 remote-address 10.55.55.52
 ike-profile profile-1
#
ike profile profile-1
 keychain keychain-1
 exchange-mode aggressive
 local-identity fqdn spoke2
 match remote identity address 10.55.55.52 255.255.255.255
 proposal 1 
#
ike proposal 1 
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
ike keychain keychain-1
 pre-shared-key address 10.55.55.52 255.255.255.255 key cipher $c$3$lEp0jV5MgvQxXH0Y87mNxuMiDf12Lw==
#
return
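All three routers above apply `nat outbound` and `ipsec apply policy` on the same outside interface, so the NAT ACL (3000) must carry a deny rule for every flow the IPsec ACL (3001/3002) protects; otherwise the packet is translated first and no longer matches the IPsec selector, which is exactly what the deny rules in the configurations are for. The Python script below is an added example, not part of the article and not an H3C tool: it parses `display current-configuration` text into blocks, walks each interface that carries both commands, and reports IPsec flows the NAT ACL would still translate. It also encodes the rule from the introduction that an IKEv1 profile identifying by FQDN on either side needs `exchange-mode aggressive`. Run against the Spoke1 excerpt copied from the configuration above, it flags acl 3001 rule 5 (172.17.1.0/24 to 10.1.3.0/24), because acl 3000 rule 15 exempts source 172.16.1.0/24 rather than 172.17.1.0/24. `BAD_PROFILE` is a constructed input; `isakmp template` policy entries are not followed by this checker.

```python
import re
from ipaddress import IPv4Network

# Excerpt of the Spoke1 running configuration from the article (only the blocks the
# checks below read). The 'ike profile' is copied unchanged as well.
SPOKE1_CFG = """\
interface GigabitEthernet1/0
 ip address 172.16.2.2 255.255.255.0
 nat outbound 3000
 ipsec apply policy policy-1
#
acl advanced 3000
 rule 10 deny ip source 172.17.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 15 deny ip source 172.16.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
 rule 1000 permit ip
#
acl advanced 3001
 rule 0 permit ip source 172.17.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
 rule 5 permit ip source 172.17.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
#
ipsec policy policy-1 30 isakmp
 security acl 3001
 remote-address 10.55.55.52
 ike-profile profile-1
#
ike profile profile-1
 local-identity address 172.16.2.2
 match remote identity address 10.55.55.52 255.255.255.255
#
"""
# Constructed for this example (not from the article): an FQDN identity with the
# exchange mode left at the default main mode.
BAD_PROFILE = """\
ike profile profile-nat
 local-identity fqdn spoke9
 match remote identity address 10.55.55.52 255.255.255.255
#
"""
RULE = re.compile(r"rule (?P<id>\d+) (?P<action>permit|deny) ip(?: source (?P<src>\S+) (?P<swc>\S+))?"
                  r"(?: destination (?P<dst>\S+) (?P<dwc>\S+))?$")

def parse_blocks(cfg):
    """Group a 'display current-configuration' dump into {block header: [sub-lines]}."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = None                      # '#' closes the current block
        elif not raw.startswith(" "):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks

def net(addr, wildcard):
    """ACL 'address wildcard' pair -> network; a missing pair means any (ipaddress accepts host masks)."""
    return IPv4Network("0.0.0.0/0") if addr is None else IPv4Network(f"{addr}/{wildcard}", strict=False)

def acl_rules(blocks, acl):
    """Rules of 'acl advanced <acl>' as (id, action, src_net, dst_net), in match order."""
    rules = []
    for m in filter(None, map(RULE.match, blocks.get(f"acl advanced {acl}", []))):
        rules.append((int(m["id"]), m["action"], net(m["src"], m["swc"]), net(m["dst"], m["dwc"])))
    return sorted(rules, key=lambda r: r[0])

def first_match(rules, src, dst):
    """ACLs are first-match: action of the first rule covering src->dst, None if nothing matches."""
    for _, action, rsrc, rdst in rules:
        if src.subnet_of(rsrc) and dst.subnet_of(rdst):
            return action
    return None

def check_nat_exemption(cfg):
    """Flag IPsec flows that 'nat outbound' on the same interface would translate before encryption."""
    blocks, findings = parse_blocks(cfg), []
    for header, lines in blocks.items():
        if not header.startswith("interface "):
            continue
        opts = dict(l.rsplit(" ", 1) for l in lines if l.startswith(("nat outbound ", "ipsec apply policy ")))
        nat_acl, policy = opts.get("nat outbound"), opts.get("ipsec apply policy")
        if nat_acl is None or policy is None:
            continue
        nat_rules = acl_rules(blocks, nat_acl)
        for hdr, sub in blocks.items():
            if not hdr.startswith(f"ipsec policy {policy} "):
                continue
            sec = next((l.split()[2] for l in sub if l.startswith("security acl ")), None)
            for rid, action, src, dst in acl_rules(blocks, sec):
                if action == "permit" and first_match(nat_rules, src, dst) == "permit":
                    findings.append((header.split()[1], sec, rid, str(src), str(dst), nat_acl))
    return findings

def check_fqdn_identity(cfg):
    """IKEv1 profiles that identify by FQDN on either side need 'exchange-mode aggressive'."""
    return [header.split()[2] for header, lines in parse_blocks(cfg).items()
            if header.startswith("ike profile ") and "exchange-mode aggressive" not in lines
            and any(l.startswith(("local-identity fqdn", "match remote identity fqdn")) for l in lines)]
```

Both checks take the configuration as a string, so the saved output of `display current-configuration` can be passed in as-is. `check_nat_exemption(SPOKE1_CFG)` returns the single tuple for acl 3001 rule 5; `check_fqdn_identity` returns an empty list for the Spoke1 excerpt and `['profile-nat']` for the constructed profile.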

Test

Information shown after the connections are established

Hub router

[Hub]dis ike sa
    Connection-ID   Local               Remote              Flag      DOI    
-------------------------------------------------------------------------
    229             10.55.55.52         172.16.2.2          RD        IPsec  
    238             10.55.55.52         10.55.55.53         RD        IPsec  


[Hub]dis ipsec sa brief 
-----------------------------------------------------------------------------
Interface/Global          Dst Address       SPI         Protocol    Status      
-----------------------------------------------------------------------------
GE1/0                     10.55.55.53       1296829538  ESP         Active      
GE1/0                     10.55.55.52       4035185804  ESP         Active      
GE1/0                     10.55.55.53       31648174    ESP         Active      
GE1/0                     10.55.55.52       2094144089  ESP         Active      
GE1/0                     10.55.55.53       247606592   ESP         Active      
GE1/0                     10.55.55.52       2838397726  ESP         Active      
GE1/0                     172.16.2.2        723266982   ESP         Active      
GE1/0                     10.55.55.52       1233217591  ESP         Active 


[Hub]dis ipsec policy
-------------------------------------------
IPsec Policy: policy-1
Interface: GigabitEthernet1/0
-------------------------------------------

  -----------------------------
  Sequence number: 10
  Mode: Template
  -----------------------------
  Policy template name: template-1

  -----------------------------
  Sequence number: 30
  Mode: ISAKMP
  -----------------------------
  Traffic Flow Confidentiality: Disabled
  Security data flow: 3001
  Selector mode: standard
  Local address: 10.55.55.52
  Remote address: 172.16.2.2
  Remote address switchback mode: Disabled
  Transform set:  trans-set-1
  IKE profile: profile-1
  IKEv2 profile: 
  smart-link policy: 
  SA trigger mode: Traffic-based
  SA duration(time based): 3600 seconds
  SA duration(traffic based): 1843200 kilobytes
  SA soft-duration buffer(time based): --
  SA soft-duration buffer(traffic based): --
  SA idle time: --
  SA df-bit:
 



[Hub]dis ipsec policy-template
-------------------------------------------
IPsec Policy Template: template-1
-------------------------------------------

  -----------------------------
  Sequence number: 10
  -----------------------------
  Traffic Flow Confidentiality: Disabled
  Security data flow : 3002
  Selector mode: standard
  Local address: 10.55.55.52
  IKE profile: profile-spoke2
  IKEv2 profile: 
  Remote address: 
  Transform set: trans-set-1
  IPsec SA local duration(time based): 3600 seconds
  IPsec SA local duration(traffic based): 1843200 kilobytes
  SA idle time: --
  SA df-bit:


[Hub]dis ipsec global-info 
IPsec anti-reply check: enable
IPsec anti-replay window (packets): 64
IPsec decrypt-check: enable
IPsec flow-redirect: disable
IPsec fragmentation: before-encryption
IPsec global-df-bit: copy
IPsec limit max-tunnel: --
IPsec redundancy: disable
IPsec sa global-duration time-based (seconds): 3600
IPsec sa global-duration traffic-based (KBytes): 1843200
IPsec sa idle-time (seconds): --

Spoke1 router

[spoke1]dis ike sa
    Connection-ID   Local               Remote              Flag      DOI    
-------------------------------------------------------------------------
    6               172.16.2.2          10.55.55.52         RD        IPsec  
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY


[spoke1]dis ipsec sa brief 
-----------------------------------------------------------------------------
Interface/Global          Dst Address       SPI         Protocol    Status      
-----------------------------------------------------------------------------
GE1/0                     10.55.55.52       1233217591  ESP         Active      
GE1/0                     172.16.2.2        723266982   ESP         Active   

Spoke2 router

[spoke2]dis ike sa
    Connection-ID   Local               Remote              Flag      DOI    
-------------------------------------------------------------------------
    21              172.16.3.2          10.55.55.52         RD        IPsec  
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY


[spoke2]dis ipsec sa brief 
-----------------------------------------------------------------------------
Interface/Global          Dst Address       SPI         Protocol    Status      
-----------------------------------------------------------------------------
GE1/0                     10.55.55.52       4035185804  ESP         Active      
GE1/0                     172.16.3.2        1296829538  ESP         Active   
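In the Hub's `dis ike sa` and `dis ipsec sa brief` output above, Spoke2 appears as 10.55.55.53, the address the Internet router's NAT assigned, while Spoke2 itself lists 172.16.3.2; the SPIs, however, are identical on both ends (4035185804 and 1296829538). The Python script below is an added example, not part of the article: it parses the three `dis ipsec sa brief` tables copied from above and pairs SAs by SPI, which recovers the address each spoke is seen under at the hub, whether that differs from the spoke's own address (i.e. the spoke is behind NAT), and which hub-side SAs no spoke currently reports. The spoke addresses in `SPOKES` come from the interface configurations earlier in the article.

```python
import re

# 'display ipsec sa brief' tables copied from the article's test section; the
# hub table keeps every row the article shows.
HUB_SA = """\
Interface/Global          Dst Address       SPI         Protocol    Status
-----------------------------------------------------------------------------
GE1/0                     10.55.55.53       1296829538  ESP         Active
GE1/0                     10.55.55.52       4035185804  ESP         Active
GE1/0                     10.55.55.53       31648174    ESP         Active
GE1/0                     10.55.55.52       2094144089  ESP         Active
GE1/0                     10.55.55.53       247606592   ESP         Active
GE1/0                     10.55.55.52       2838397726  ESP         Active
GE1/0                     172.16.2.2        723266982   ESP         Active
GE1/0                     10.55.55.52       1233217591  ESP         Active
"""
SPOKE1_SA = """\
GE1/0                     10.55.55.52       1233217591  ESP         Active
GE1/0                     172.16.2.2        723266982   ESP         Active
"""
SPOKE2_SA = """\
GE1/0                     10.55.55.52       4035185804  ESP         Active
GE1/0                     172.16.3.2        1296829538  ESP         Active
"""
# Address configured on each spoke's outside interface (from the article's configs).
SPOKES = {"Spoke1": ("172.16.2.2", SPOKE1_SA), "Spoke2": ("172.16.3.2", SPOKE2_SA)}

SA_LINE = re.compile(r"^(?P<iface>\S+)\s+(?P<dst>\d+(?:\.\d+){3})\s+(?P<spi>\d+)\s+"
                     r"(?P<proto>[A-Z]+)\s+(?P<status>\w+)$")

def parse_sa_brief(text):
    """Table rows of 'display ipsec sa brief' as dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "spi": int(m["spi"])})
    return rows

def correlate(hub_rows, spokes):
    """
    spokes: {name: (outside address configured on the spoke, its parsed SA rows)}.
    Each IPsec SA carries the same SPI on both ends. The spoke's inbound SA (Dst == its
    own address) is the hub's outbound SA for that SPI, and the hub's Dst on that row is
    the address the hub really sends to, i.e. the address after any NAT on the path.
    """
    hub_by_spi = {r["spi"]: r for r in hub_rows}
    matched, report = set(), {}
    for name, (own_addr, rows) in spokes.items():
        for r in rows:
            hub = hub_by_spi.get(r["spi"])
            if hub is None:
                continue
            matched.add(r["spi"])
            if r["dst"] == own_addr:
                report[name] = {"real": own_addr, "seen_by_hub": hub["dst"],
                                "behind_nat": hub["dst"] != own_addr}
    # Hub rows whose SPI no spoke reports: SAs from earlier negotiations that the
    # hub still holds, or peers not included in `spokes`.
    unmatched = sorted(spi for spi in hub_by_spi if spi not in matched)
    return report, unmatched

def analyse():
    return correlate(parse_sa_brief(HUB_SA),
                     {n: (addr, parse_sa_brief(t)) for n, (addr, t) in SPOKES.items()})

if __name__ == "__main__":
    report, unmatched = analyse()
    for name, info in report.items():
        print(name, info)
    print("hub SPIs no spoke reports:", unmatched)
```

On the article's data the result is Spoke1 seen as 172.16.2.2 (no NAT), Spoke2 seen as 10.55.55.53 (behind NAT), and four hub SPIs (31648174, 247606592, 2094144089, 2838397726) that neither spoke lists. When the hub's `Remote` column differs from a spoke's configured address like this, `reset ipsec sa remote` has to be given the translated address the hub sees, not the spoke's own.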

Other commands

reset ike sa
Clears the IKE SAs
reset must be executed from user view

reset ipsec sa
Clears the IPsec SAs

reset ike sa connection-id 229
Clears the IKE SA with connection ID 229

reset ipsec sa remote 172.16.2.2
Clears the IPsec SAs whose peer IP is 172.16.2.2

dis ike sa
dis ike sa verbose
dis ipsec sa
dis ipsec sa brief
dis ipsec policy
dis ipsec policy-template
dis ipsec global-info
dis ike statistics
dis ipsec statistics
dis ipsec tunnel

 

arben
