Building an IPsec tunnel between two ASAs (IKEv1 with PSK)

ASA-1 baseline configuration

interface GigabitEthernet0/0
 nameif OUT
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif IN
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route OUT 0.0.0.0 0.0.0.0 1.1.1.2

ASA-2 baseline configuration

interface GigabitEthernet0/0
 nameif OUT
 security-level 0
 ip address 1.1.1.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif IN
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
route OUT 0.0.0.0 0.0.0.0 1.1.1.1

ASA-1: enable IKEv1 on the outside interface

ASA-1(config)# crypto ikev1 enable OUT

ASA-1: configure the ISAKMP policy

ASA-1(config)# crypto ikev1 policy 1
ASA-1(config-ikev1-policy)# authentication pre-share
ASA-1(config-ikev1-policy)# encryption aes-256
ASA-1(config-ikev1-policy)# hash sha
ASA-1(config-ikev1-policy)# group 5

ASA-1: define the Tunnel Group (LAN-to-LAN Connection Profile)

For a site-to-site (ipsec-l2l) tunnel, the tunnel group must be named after the peer device's IP address.

ASA-1(config)# tunnel-group 1.1.1.2 type ipsec-l2l
ASA-1(config)# tunnel-group 1.1.1.2 ipsec-attributes
ASA-1(config-tunnel-ipsec)# ikev1 pre-shared-key CISCO

ASA-1: define the Proxy-ID (also called Traffic of Interest)

ASA-1(config)# object network Local_LAN
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0

ASA-1(config)# object network Remote_LAN
ASA-1(config-network-object)# subnet 172.16.1.0 255.255.255.0

ASA-1(config)# access-list ACL_VPN extended permit ip object Local_LAN object Remote_LAN

ASA-1: configure NAT Exemption (NAT Bypass)

In a site-to-site IPsec deployment the traffic is normally not translated, so an Identity NAT is used to exclude the two LAN subnets from NAT.

ASA-1(config)# nat (IN,OUT) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN

ASA-1: configure the Transform Set

ASA-1(config)# crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac

ASA-1: configure the Crypto Map

ASA-1(config)# crypto map My_Crypto_Map 10 match address ACL_VPN
ASA-1(config)# crypto map My_Crypto_Map 10 set peer 1.1.1.2
ASA-1(config)# crypto map My_Crypto_Map 10 set ikev1 transform-set TS
ASA-1(config)# crypto map My_Crypto_Map interface OUT

ASA-2: complete configuration

crypto ikev1 enable OUT
!
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key CISCO
!
object network Local_LAN
 subnet 172.16.1.0 255.255.255.0
object network Remote_LAN
 subnet 192.168.1.0 255.255.255.0
!
access-list ACL_VPN extended permit ip object Local_LAN object Remote_LAN
!
nat (IN,OUT) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
!
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
!
crypto map My_Crypto_Map 10 match address ACL_VPN
crypto map My_Crypto_Map 10 set peer 1.1.1.1
crypto map My_Crypto_Map 10 set ikev1 transform-set TS
crypto map My_Crypto_Map interface OUT
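As an added example (not part of the original post), a small Python script that parses both ASAs' configurations and checks that they are mirror images of each other: the tunnel-group name equals the peer's outside address, the pre-shared key and transform set are identical, and each crypto ACL is the exact reverse of the other's (a proxy-ID mismatch is the classic reason phase 2 never comes up). The config excerpts are constructed from the commands above, reduced to the lines the checker reads.

```python
import re

# Constructed excerpts of the two configs above; the only "ip address" line is the OUT interface.
ASA1 = """\
ip address 1.1.1.1 255.255.255.0
tunnel-group 1.1.1.2 type ipsec-l2l
 ikev1 pre-shared-key CISCO
object network Local_LAN
 subnet 192.168.1.0 255.255.255.0
object network Remote_LAN
 subnet 172.16.1.0 255.255.255.0
access-list ACL_VPN extended permit ip object Local_LAN object Remote_LAN
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
"""
ASA2 = """\
ip address 1.1.1.2 255.255.255.252
tunnel-group 1.1.1.1 type ipsec-l2l
 ikev1 pre-shared-key CISCO
object network Local_LAN
 subnet 172.16.1.0 255.255.255.0
object network Remote_LAN
 subnet 192.168.1.0 255.255.255.0
access-list ACL_VPN extended permit ip object Local_LAN object Remote_LAN
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
"""

def parse_asa(cfg):
    """Pull the fields an ipsec-l2l tunnel depends on out of ASA config text."""
    d, obj = {"objects": {}}, None
    for s in (line.strip() for line in cfg.splitlines()):
        if m := re.match(r"ip address (\S+) \S+", s): d["ip"] = m[1]
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", s): d["tunnel_group"] = m[1]
        elif m := re.match(r"ikev1 pre-shared-key (\S+)", s): d["psk"] = m[1]
        elif m := re.match(r"object network (\S+)", s): obj = m[1]
        elif m := re.match(r"subnet (\S+ \S+)", s): d["objects"][obj] = m[1]
        elif m := re.match(r"access-list \S+ extended permit ip object (\S+) object (\S+)", s): d["acl"] = (m[1], m[2])
        elif m := re.match(r"crypto ipsec ikev1 transform-set \S+ (.+)", s): d["transform"] = m[1]
    return d

def check_l2l_pair(a, b):
    """Return the mismatches that would keep IKEv1 phase 1 or phase 2 from completing."""
    checks = [
        (a["tunnel_group"] == b["ip"] and b["tunnel_group"] == a["ip"], "tunnel-group name must be the peer's outside address"),
        (a["psk"] == b["psk"], "pre-shared keys differ"),
        (a["transform"] == b["transform"], "transform sets differ"),
        # Resolve each side's ACL to subnets; side A's (local, remote) must equal side B's (remote, local).
        ([a["objects"][n] for n in a["acl"]] == [b["objects"][n] for n in reversed(b["acl"])], "crypto ACLs are not mirror images (proxy-ID mismatch)"),
    ]
    return [msg for ok, msg in checks if not ok]
```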

Testing

R1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/7/23 ms

ASA-1(config)# show crypto ipsec sa summary

Current IPSec SA's:            Peak IPSec SA's:
IPSec            :     2         Peak Concurrent SA  :     2
IPSec over UDP   :     0         Peak Concurrent L2L :     2
IPSec over NAT-T :     0         Peak Concurrent RA  :     0
IPSec over TCP   :     0
IPSec VPN LB     :     0
Total            :     2

ASA-1(config)#

Here we can see that, although no ACL is configured on the ASA, traffic from R1 to R2 is still allowed through the firewall. This is a default behaviour of the ASA: VPN traffic bypasses the interface ACLs. It can be changed as follows:

ASA-1(config)# no sysopt connection permit-vpn

This command governs inbound traffic. Once the VPN bypass is turned off, an ACL has to be configured to let the traffic through:

ASA-1(config)# access-list ACL_LAN-2-LAN extended permit ip object Remote_LAN object Local_LAN
ASA-1(config)# access-group ACL_LAN-2-LAN in interface OUT
