2025-01-18 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
Purpose: verify that the firewall can establish an IPsec VPN with the remote site's exit router in a NAT-T environment, so that the company's two sites can communicate.
Lab environment: the ASA sits on the intranet; R1 and R2 are the exit routers, each doing NAT with a default route pointing at the Internet.
IPsec version: IKEv2
Errors encountered:
The router was first configured by following an IKEv2 example found online that was written for a non-NAT-T setup, and a lot of problems came up:
- cisco ikev2 profile not found
- Exchange type: Informational (5)
- Exchange type: NO PAYLOAD
- specify IKE identity to use
- rec'd IPSEC packet ha
- IKEv2-PROTO-1: (167): The peer's KE payload contained the wrong DH group
// The last one appears when PFS (perfect forward secrecy, which renegotiates keys during the IPsec SA phase) is enabled on one side but not on the other. The error is logged, but the encrypted communication itself is not affected.
The working configuration is posted first; only the key parts are shown.
ASA:
route outside 0.0.0.0 0.0.0.0 10.249.188.254
! define the interesting traffic (ASA inside subnet to the remote site's subnet)
access-list l2lacl extended permit ip 10.249.190.0 255.255.255.0 192.168.1.0 255.255.255.0
IPsec section:
! IKEv2 phase 1 policy: protects the key exchange
! (3des/sha-1 are legacy choices kept from the lab; prefer AES and SHA-2 in production)
crypto ikev2 policy 10
 encryption 3des
 integrity sha512
 group 2
 prf sha512
 lifetime seconds 86400
! IPsec phase 2 proposal (transform set)
crypto ipsec ikev2 ipsec-proposal l2ltrans
 protocol esp encryption 3des
 protocol esp integrity sha-1
! crypto map l2lmap is applied to traffic matching the interesting-traffic ACL
crypto map l2lmap 1 match address l2lacl
crypto map l2lmap 1 set pfs
crypto map l2lmap 1 set peer 202.134.122.2
crypto map l2lmap 1 set ikev2 ipsec-proposal l2ltrans
! site-to-site (L2L) tunnel; pre-shared keys for both directions (entered manually)
tunnel-group 202.134.122.2 type ipsec-l2l
tunnel-group 202.134.122.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
! enable IKEv2 and bind the crypto map on the outside interface
crypto ikev2 enable outside
crypto map l2lmap interface outside
R1:
ip route 0.0.0.0 0.0.0.0 202.134.121.2
ip nat inside source list natacl interface Ethernet0/1 overload
! Without the static UDP 500/4500 mappings below, only the ASA behind the NAT can initiate
! the tunnel toward the remote exit router; with them, the remote router can initiate as well.
ip nat inside source static udp 10.249.190.253 500 202.134.121.1 500 extendable
ip nat inside source static udp 10.249.190.253 4500 202.134.121.1 4500 extendable
ip nat outside source static udp 202.134.122.2 500 202.134.122.2 500 extendable
ip nat outside source static udp 202.134.122.2 4500 202.134.122.2 4500 extendable
! Everything leaving this exit router is NATed; traffic for the remote private network has
! already been encrypted by the ASA, so no NAT exemption is needed here.
ip access-list extended natacl
 permit ip any any
R2:
! IKEv2 phase 1 proposal
crypto ikev2 proposal ikev2-proposal
 encryption 3des
 integrity sha512
 group 2
! IKEv2 policy that references the proposal
crypto ikev2 policy ikev2-policy
 proposal ikev2-proposal
! keyring: peer name, peer public address, pre-shared key
crypto ikev2 keyring ikev2-keyring
 peer ASA2
  address 202.134.121.1
  pre-shared-key cisco
! IKEv2 profile: remote identity (the ASA's real private address, not its NAT address, because the
! ASA presents its own interface address as its IKE identity), local public address, pre-shared
! authentication in both directions, and the keyring to use.
! If the private address here is wrong, the negotiation gets through SA_INIT and then fails
! repeatedly in the IKE_AUTH phase.
crypto ikev2 profile IKEV2-profile
 match identity remote address 10.249.190.253 255.255.255.0
 identity local address 202.134.122.2
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring
! phase 2 transform set
crypto ipsec transform-set l2ltrans esp-3des esp-sha-hmac
 mode tunnel
! crypto map; the PFS group must match the ASA's, otherwise "wrong DH group" is logged
crypto map l2lmap 10 ipsec-isakmp
 set peer 202.134.121.1
 set transform-set l2ltrans
 set ikev2-profile IKEV2-profile
 set pfs
 match address l2lacl
! traffic to be encrypted
ip access-list extended l2lacl
 permit ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
! exempt the encrypted flows from NAT, NAT everything else
ip access-list extended natacl
 deny ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
 permit ip any any
! apply NAT on the outside interface
ip nat inside source list natacl interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 202.134.122.1
interface Ethernet0/0
 ip address 202.134.122.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 crypto map l2lmap
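Two of the failure modes the post walks through (crypto ACLs that are not mirror images of each other, and a PFS/DH-group mismatch that surfaces as "The peer's KE payload contained the wrong DH group") can be caught before the tunnel is brought up. The following is an added example, not code from the original post: a small Python check over the page's own ASA and IOS values, re-typed here as constructed strings. Run on the configs above it reports the three router flows (10.249.188/189/191) that the ASA's ACL does not cover, and that neither side pins an explicit PFS group.

```python
import ipaddress
import re
# Constructed from the page's configs: only the lines the checker needs.
ASA_CFG = """
access-list l2lacl extended permit ip 10.249.190.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map l2lmap 1 set pfs
"""
IOS_CFG = """
ip access-list extended l2lacl
 permit ip 192.168.1.0 0.0.0.255 10.249.188.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.189.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.191.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.249.190.0 0.0.0.255
crypto map l2lmap 10 ipsec-isakmp
 set pfs
"""

FLOW = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def flows(cfg):
    """Set of (src, dst) prefixes. ipaddress accepts an ASA netmask (255.255.255.0)
    and an IOS wildcard mask (0.0.0.255) alike after the slash, so one parser serves both."""
    return {(str(ipaddress.ip_network(f"{a}/{am}")), str(ipaddress.ip_network(f"{b}/{bm}")))
            for a, am, b, bm in FLOW.findall(cfg)}

def pfs_group(cfg):
    """None if PFS is off, 'default' if 'set pfs' names no group, else e.g. 'group2'."""
    m = re.search(r"set pfs(?: (group\d+))?", cfg)
    return None if m is None else (m.group(1) or "default")

def check(asa_cfg, ios_cfg):
    """Return a list of findings; an empty list means both ends agree."""
    findings = []
    asa = flows(asa_cfg)
    mirrored = {(d, s) for s, d in flows(ios_cfg)}   # router ACL seen from the ASA side
    for s, d in sorted(asa - mirrored):
        findings.append(f"ASA flow {s}->{d} has no mirror on the router")
    for s, d in sorted(mirrored - asa):
        findings.append(f"router flow {d}->{s} has no mirror on the ASA")
    a, i = pfs_group(asa_cfg), pfs_group(ios_cfg)
    if (a is None) != (i is None):
        findings.append("PFS enabled on one side only: expect 'wrong DH group' in IKEv2 debug")
    elif a is not None and ("default" in (a, i) or a != i):
        findings.append("PFS group not pinned identically on both ends; set an explicit group")
    return findings

if __name__ == "__main__":
    for line in check(ASA_CFG, IOS_CFG):
        print(line)
```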
Screenshots and descriptions of the error output will be added when time allows; to be continued.
© 2024 shulou.com SLNews company. All rights reserved.