IPsec between IOS and ASA (IKEv1 with PSK)

Both sides are configured with crypto map-based IPsec; IP addressing and routing pre-configuration are omitted.

Phase 1 Configuration

IOS Phase 1 Policy

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5

ASA Phase 1 Policy

ASA-1(config)# crypto ikev1 enable OUT

ASA-1(config)# crypto ikev1 policy 1
ASA-1(config-ikev1-policy)# authentication pre-share
ASA-1(config-ikev1-policy)# encryption aes-256
ASA-1(config-ikev1-policy)# hash sha
ASA-1(config-ikev1-policy)# group 5

IOS PSK

R1(config)#crypto isakmp key CISCO address 1.1.1.2

ASA PSK

ASA-1(config)# tunnel-group 1.1.1.1 type ipsec-l2l
ASA-1(config)# tunnel-group 1.1.1.1 ipsec-attributes
ASA-1(config-tunnel-ipsec)# ikev1 pre-shared-key CISCO

Phase 2 Configuration

IOS Proxy-ID

R1(config)#ip access-list extended ACL_VPN
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

ASA Proxy-ID

ASA-1(config)# access-list ACL_VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

IOS Transform Set

R1(config)#crypto ipsec transform-set IPsec_TS esp-sha-hmac esp-aes 256

ASA Transform Set

ASA-1(config)# crypto ipsec ikev1 transform-set IPsec_TS esp-sha-hmac esp-aes-256

IOS Crypto Map

R1(config)#crypto map IOS_Crypto_Map 10 ipsec-isakmp
R1(config-crypto-map)#set peer 1.1.1.2
R1(config-crypto-map)#set transform-set IPsec_TS
R1(config-crypto-map)#match address ACL_VPN

R1(config)#int e0/0
R1(config-if)#crypto map IOS_Crypto_Map

ASA Crypto Map

ASA-1(config)# crypto map ASA_Crypto_Map 10 set peer 1.1.1.1
ASA-1(config)# crypto map ASA_Crypto_Map 10 set ikev1 transform-set IPsec_TS
ASA-1(config)# crypto map ASA_Crypto_Map 10 match address ACL_VPN
ASA-1(config)# crypto map ASA_Crypto_Map interface OUT
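The most common reason a tunnel like this one completes Phase 1 but never passes traffic is a mismatch between the two proxy-IDs (the IOS ACL uses wildcard masks and must be the exact mirror of the ASA ACL, which uses subnet masks) or between the Phase 1 proposals, whose spelling differs between the two platforms. The following check is an added example, not part of the original post; it parses the ACL lines and Phase 1 policies shown above (copied here as constructed inputs) and reports whether they agree.

```python
import ipaddress
import re

# Constructed inputs copied from this page's two proxy-ID ACLs and Phase 1 policies.
IOS_ACE = "permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255"
ASA_ACE = ("access-list ACL_VPN extended permit ip "
           "172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0")
IOS_P1 = ["authentication pre-share", "encryption aes 256", "hash sha", "group 5"]
ASA_P1 = ["authentication pre-share", "encryption aes-256", "hash sha", "group 5"]

_ACE_RE = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _net_from_wildcard(addr, wildcard):
    # IOS extended ACLs use wildcard (inverse) masks: 0.0.0.255 means /24.
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))))


def _net_from_netmask(addr, netmask):
    # ASA ACLs use ordinary subnet masks: 255.255.255.0 means /24.
    return ipaddress.IPv4Network((addr, netmask))


def proxy_ids_mirror(ios_ace, asa_ace):
    """True when the ASA proxy-ID is the exact mirror (src/dst swapped) of the
    IOS one. IKEv1 Quick Mode needs an exact match; a mismatch leaves Phase 1
    up while Phase 2 keeps failing."""
    i_src, i_wc_src, i_dst, i_wc_dst = _ACE_RE.search(ios_ace).groups()
    a_src, a_nm_src, a_dst, a_nm_dst = _ACE_RE.search(asa_ace).groups()
    ios_pair = (_net_from_wildcard(i_src, i_wc_src), _net_from_wildcard(i_dst, i_wc_dst))
    asa_pair = (_net_from_netmask(a_src, a_nm_src), _net_from_netmask(a_dst, a_nm_dst))
    return ios_pair == (asa_pair[1], asa_pair[0])


def phase1_matches(ios_policy, asa_policy):
    """Compare Phase 1 proposals after normalising the two CLI spellings
    ('aes 256' on IOS vs 'aes-256' on ASA) so only real mismatches show."""
    def norm(lines):
        return {re.sub(r"[\s-]", "", line.strip()) for line in lines}
    return norm(ios_policy) == norm(asa_policy)


if __name__ == "__main__":
    print("proxy-IDs mirror:", proxy_ids_mirror(IOS_ACE, ASA_ACE))
    print("phase 1 matches:", phase1_matches(IOS_P1, ASA_P1))
```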

Test

VPCS> ping 172.16.1.2

172.16.1.2 icmp_seq=1 timeout
84 bytes from 172.16.1.2 icmp_seq=2 ttl=63 time=13.427 ms
84 bytes from 172.16.1.2 icmp_seq=3 ttl=63 time=4.285 ms
84 bytes from 172.16.1.2 icmp_seq=4 ttl=63 time=13.803 ms
84 bytes from 172.16.1.2 icmp_seq=5 ttl=63 time=6.772 ms

ASA-1(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 1.1.1.1
Index        : 1                      IP Addr      : 1.1.1.1
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 168                    Bytes Rx     : 168
Login Time   : 13:31:40 UTC Wed Dec 4 2019
Duration     : 0h:00m:03s

ASA-1(config)#
