I. Overview
Starting with release 9.7, the Cisco ASA firewall supports IPsec VPN using an SVTI (Static Virtual Tunnel Interface). The GRE tunnel must be encrypted with IPsec; a GRE tunnel on its own cannot be used. Because the VTI is static, a peer with a dynamic address is not supported. In addition, the only dynamic routing protocol supported over the tunnel is BGP. A site-to-site VPN built this way does not conflict with EzVPN. If EzVPN clients, once connected, need to reach the networks behind the site-to-site VPN branch site, the EzVPN address-pool prefix must be advertised into BGP (add a static route for it, then advertise it with a network statement); alternatively, a static route can be added manually on the Branch side.
II. Test Topology
III. Configuration Steps
1. Basic configuration
① Branch router
hostname Branch
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface Loopback192
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.10
② Internet router
hostname Internet
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 202.100.2.10 255.255.255.0
no shutdown
interface Ethernet0/2
ip address 202.100.3.10 255.255.255.0
no shutdown
③ EzVPN router
interface Loopback0
ip address 100.1.1.1 255.255.255.0
interface Ethernet0/0
ip address 202.100.3.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.3.10
④ Center ASA firewall
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shutdown
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.1.1.254 255.255.255.0
no shutdown
route Outside 0.0.0.0 0.0.0.0 202.100.2.10 1
2. Site-to-site VPN configuration
① Branch router
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Cisc0123 address 202.100.2.1
crypto ipsec transform-set transet esp-3des esp-md5-hmac
mode tunnel
crypto ipsec profile ipsecpro
set transform-set transet
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 202.100.2.1
tunnel protection ipsec profile ipsecpro
router bgp 65001
bgp router-id 1.1.1.1
bgp log-neighbor-changes
network 192.168.1.0
neighbor 172.16.1.100 remote-as 65002
② Center firewall
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
ikev1 pre-shared-key Cisc0123
crypto ipsec ikev1 transform-set transet esp-3des esp-md5-hmac
crypto ipsec profile ipsecpro
set ikev1 transform-set transet
interface Tunnel0
nameif Tunnel-vpn
ip address 172.16.1.100 255.255.255.0
tunnel source interface Outside
tunnel destination 202.100.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecpro
router bgp 65002
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 172.16.1.1 remote-as 65001
neighbor 172.16.1.1 timers 10 30 30
neighbor 172.16.1.1 activate
neighbor 172.16.1.1 default-originate
network 10.1.1.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
3. EzVPN configuration
① Center firewall (server side)
ip local pool EzVPN-POOL 123.1.1.100-123.1.1.200
tunnel-group ipsecgroup type remote-access
tunnel-group ipsecgroup general-attributes
address-pool EzVPN-POOL
tunnel-group ipsecgroup ipsec-attributes
ikev1 pre-shared-key Cisc0123
username ipsecuser password Cisc0123
crypto ikev1 enable Outside
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec ikev1 transform-set EzVPN-Trans esp-des esp-md5-hmac
crypto dynamic-map Ezdymap 10 set peer 202.100.3.1
crypto dynamic-map Ezdymap 10 set ikev1 transform-set EzVPN-Trans
crypto map Ez-crymap 10 ipsec-isakmp dynamic Ezdymap
crypto map Ez-crymap interface Outside
② EzVPN router (client side)
crypto ipsec client ezvpn EzVPN-Client
connect auto
group ipsecgroup key Cisc0123
mode client
peer 202.100.2.1
interface Loopback0
crypto ipsec client ezvpn EzVPN-Client inside
interface Ethernet0/0
crypto ipsec client ezvpn EzVPN-Client outside
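Both the site-to-site configuration in step 2 and the EzVPN configuration in step 3 negotiate IKEv1 with 3DES, MD5 and DH group 2, and the EzVPN transform set even uses single DES. The following audit script is an added example written for this page; it is not part of the original lab or of any Cisco tool. It tokenizes IOS/ASA-style configuration text, flags those legacy algorithm choices in IKE policies and IPsec transform sets, and reports the line they appear on. The sample configuration inside it is copied from the lines above; the ratings and the generic recommendations (AES-256, SHA-2, DH group 14 or higher) are the editor's, and the exact command spelling for the stronger options differs between IOS and ASA, so the script deliberately does not emit commands.

```python
from typing import Dict, List, Tuple

# Constructed sample: the IKEv1 policy and transform-set lines used on the
# Branch router and the Center ASA in this lab.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set transet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set EzVPN-Trans esp-des esp-md5-hmac
"""

# Legacy algorithm tokens as spelled in IOS/ASA syntax -> (description, generic recommendation).
# These ratings are the editor's assessment, not part of the article.
WEAK_ALGORITHMS: Dict[str, Tuple[str, str]] = {
    "des": ("DES (56-bit key)", "AES-256"),
    "3des": ("3DES (64-bit block, Sweet32 class)", "AES-256"),
    "md5": ("MD5 integrity", "SHA-2"),
    "esp-des": ("ESP with DES", "ESP with AES-256"),
    "esp-3des": ("ESP with 3DES", "ESP with AES-256"),
    "esp-md5-hmac": ("ESP HMAC-MD5", "ESP with SHA-2 HMAC"),
}
WEAK_DH_GROUPS: Dict[str, str] = {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"}

Finding = Tuple[int, str, str]  # (line number, what was found, recommendation)


def audit_crypto_config(config_text: str) -> List[Finding]:
    """Scan configuration text and return one finding per weak setting.

    Three statement shapes are understood:
      encr|encryption <alg> and hash <alg>                   (IKE policy)
      group <n>                                              (IKE DH group)
      crypto ipsec [ikev1] transform-set <name> <alg>...     (IPsec SA)
    """
    findings: List[Finding] = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.strip().lower().split()
        if not tokens:
            continue
        if tokens[0] in ("encr", "encryption", "hash") and len(tokens) >= 2:
            if tokens[1] in WEAK_ALGORITHMS:
                desc, rec = WEAK_ALGORITHMS[tokens[1]]
                findings.append((lineno, desc, rec))
        elif tokens[0] == "group" and len(tokens) >= 2:
            # "group <name> key ..." in an EzVPN client block is not a DH group;
            # only numeric groups in the weak table are reported.
            if tokens[1] in WEAK_DH_GROUPS:
                findings.append((lineno, f"DH group {tokens[1]} ({WEAK_DH_GROUPS[tokens[1]]})",
                                 "DH group 14 or higher"))
        elif tokens[0] == "crypto" and "transform-set" in tokens:
            idx = tokens.index("transform-set")
            # tokens after the set name are the ESP algorithms of the proposal
            for alg in tokens[idx + 2:]:
                if alg in WEAK_ALGORITHMS:
                    desc, rec = WEAK_ALGORITHMS[alg]
                    findings.append((lineno, desc, rec))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings as one line each, sorted by line number."""
    return "\n".join(f"line {ln}: {desc} -> replace with {rec}"
                     for ln, desc, rec in sorted(findings))


if __name__ == "__main__":
    print(format_report(audit_crypto_config(SAMPLE_CONFIG)))
```

Running it against the sample reports seven weak settings: the IKE encryption, hash and DH group of policy 10, and both ESP algorithms of each of the two transform sets.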
IV. Testing
1. Site-to-Site VPN
① The Branch router learns routes via BGP
② The ASA firewall also learns routes via BGP
③ The Branch router can ping the headquarters internal address from its inside network
2. EzVPN
① Manual dial-up succeeds
② Once connected, addresses on the headquarters internal network can be pinged from the network behind the client
③ But addresses on the branch internal network cannot be pinged
④ Debugging on the Branch router shows that Branch has no route to the EzVPN address-pool addresses
⑤ Solution
A. Static route (on the Branch router)
ip route 123.1.1.0 255.255.255.0 172.16.1.100
B. Advertise via BGP (on the Center ASA)
route Outside 123.1.1.0 255.255.255.0 1.1.1.1 1
router bgp 65002
address-family ipv4 unicast
network 123.1.1.0 mask 255.255.255.0
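The failure in test ④ is a routing problem rather than a VPN one: the Branch router has two default routes, the static one toward the Internet router and the one the ASA originates over BGP, and the static route wins on administrative distance (1 versus 20 for eBGP on IOS), so replies to an EzVPN client address leave toward the Internet router instead of entering Tunnel0. The following model is an added example written for this page, not the lab's own output or a Cisco tool. It reproduces the Branch routing table as a constructed list, performs a longest-prefix-match lookup with administrative distance as the tie-breaker, and shows how solution A (a static route for 123.1.1.0/24 via the tunnel peer) changes the result. The client address 123.1.1.150 is simply an address inside the pool defined on the ASA.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: str
    next_hop: str
    admin_distance: int  # IOS defaults: connected 0, static 1, eBGP 20


# Constructed: the Branch router's routing table once the SVTI and the BGP
# session to the ASA are up.  0.0.0.0/0 is present twice: the static default
# from the basic configuration and the default the ASA originates over BGP.
BRANCH_ROUTES: List[Route] = [
    Route("202.100.1.0/24", "Ethernet0/0", 0),
    Route("172.16.1.0/24", "Tunnel0", 0),
    Route("192.168.1.0/24", "Loopback192", 0),
    Route("10.1.1.0/24", "172.16.1.100", 20),   # BGP, learned from the ASA
    Route("0.0.0.0/0", "172.16.1.100", 20),     # BGP default-originate from the ASA
    Route("0.0.0.0/0", "202.100.1.10", 1),      # static default to the Internet router
]

# Solution A from the article: a static route on Branch for the EzVPN pool.
BRANCH_ROUTES_FIXED: List[Route] = BRANCH_ROUTES + [Route("123.1.1.0/24", "172.16.1.100", 1)]

EZVPN_CLIENT = "123.1.1.150"  # constructed: one address inside EzVPN-POOL


def best_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; equal prefix lengths are decided by lowest AD."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.admin_distance))


def next_hop_for(routes: List[Route], destination: str) -> Optional[str]:
    """Convenience wrapper returning only the chosen next hop."""
    route = best_route(routes, destination)
    return route.next_hop if route else None


def reply_enters_tunnel(routes: List[Route], destination: str) -> bool:
    """True when traffic to destination is forwarded to the tunnel peer."""
    return next_hop_for(routes, destination) == "172.16.1.100"


if __name__ == "__main__":
    print("before fix:", next_hop_for(BRANCH_ROUTES, EZVPN_CLIENT))        # 202.100.1.10
    print("after fix: ", next_hop_for(BRANCH_ROUTES_FIXED, EZVPN_CLIENT))  # 172.16.1.100
```

Solution B has the same effect from the routing table's point of view: once the ASA advertises 123.1.1.0/24 over BGP, Branch installs a /24 for the pool via 172.16.1.100, which beats either default route on prefix length regardless of administrative distance.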