Objectifs de certification

IINS 100-105

  • 3.1 Concepts VPN * 3.1.a Décrire les protocoles IPsec et les modes de livraison (IKE, ESP, AH, mode tunnel, mode transport) * 3.1.b Décrire hairpinning, split tunneling, always-on, NAT traversal
  • 3.3 VPN de site à site * 3.3.a Implémenter un VPN de site à site IPsec avec authentification par clé pré-partagée sur les routeurs Cisco et les pare-feu ASA * 3.3.b Vérifier un VPN de site à site IPsec

Présentation

Inspiré de : http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/7276-overload-private.html

Topologie

IPSEC site-à-site, pre-shard, avec NAT overload entre réseaux privés

Evolution

  • A intégrer avec un pare-feu ZBF.
  • Remplacer un pare-feu IOS par un pare-feu ASA configuré en ASDM
  • Remplacer un pare-feu IOS par un pare-feu ASA configuré en CLI

Description

Règle NoNAT

IKE policy

  • encryption algorithm: AES-256
  • hash algorithm: SHA1
  • authentication method: Pre-Shared Key
  • Diffie-Hellman group: #5
  • lifetime: 86400 seconds

Alors que les valeurs par défaut sont :

  • encryption algorithm: DES (56 bots)
  • hash algorithm: SHA1
  • authentication method: RSA Signature
  • Diffie-Hellman group: #1
  • lifetime: 86400 seconds

IPSEC

  • un seul profil : esp-256-aes et esp-sha-hmac

Configuration R1

hostname R1
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key cisco123 address 10.2.2.1
!
crypto ipsec transform-set to-R3-set esp-aes 256 esp-sha-hmac
!
crypto map cm-to-R3 1 ipsec-isakmp
 set peer 10.2.2.1
 set transform-set to-R3-set
 match address crypto-acl
!
interface G0/0
 ip address 10.1.1.1 255.255.255.252
 ip nat outside
 no shutdown
 crypto map cm-to-R3
!
interface G0/1
 ip address 192.168.1.1 255.255.255.0 255.255.255.0
 ip nat inside
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2 222
!
ip nat inside source route-map nonat interface G0/0 overload
!
ip access-list extended nonat-acl
 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended crypto-acl
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
route-map nonat permit 10
 match ip address nonat-acl
!
end

Configuration R3

hostname R3
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key cisco123 address 10.1.1.1
!
crypto ipsec transform-set to-R1-set esp-aes 256 esp-sha-hmac
!
crypto map cm-to-R1 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set to-R1-set
 match address crypto-acl
!
interface G0/0
 ip address 10.2.2.1 255.255.255.252
 ip nat outside
 no shutdown
 crypto map cm-to-R1
!
interface G0/1
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.2.2.2 222
!
ip nat inside source route-map nonat interface G0/0 overload
!
ip access-list extended nonat-acl
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
!
ip access-list extended crypto-acl
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
 match ip address nonat-acl
!
end

Diagnostic

Ping

R1#ping
Protocol [ip]:
Target IP address: 192.168.3.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Ingress ping [n]:
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0x0000ABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/4 ms

IKE Policy

R1#show crypto isakmp ?
  key      Show ISAKMP preshared keys
  peers    Show ISAKMP peer structures
  policy   Show ISAKMP protection suite policy
  profile  Show ISAKMP profiles
  sa       Show ISAKMP Security Associations
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
	encryption algorithm:	AES - Advanced Encryption Standard (256 bit keys).
	hash algorithm:		Secure Hash Standard
	authentication method:	Pre-Shared Key
	Diffie-Hellman group:	#5 (1536 bit)
	lifetime:		86400 seconds, no volume limit
Default protection suite
	encryption algorithm:	DES - Data Encryption Standard (56 bit keys).
	hash algorithm:		Secure Hash Standard
	authentication method:	Rivest-Shamir-Adleman Signature
	Diffie-Hellman group:	#1 (768 bit)
	lifetime:		86400 seconds, no volume limit
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.2.2.1        10.1.1.1        QM_IDLE           1001 ACTIVE
R1#show crypto isakmp peers
Peer: 10.2.2.1 Port: 500 Local: 10.1.1.1
 Phase1 id: 10.2.2.1

IPSEC

Router_A#show crypto ipsec ?     
  client                Show Client Status
  policy                Show IPSEC client policies
  profile               Show ipsec profile information
  sa                    IPSEC SA table
  security-association  Show parameters for IPSec security associations
  spi-lookup            IPSEC SPI table
  transform-set         Crypto transform sets
R1#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: cm-to-R3, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xBF70B56C(3211834732)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD18F7FE4(3515842532)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: cm-to-R3
        sa timing: remaining key lifetime (k/sec): (4204405/3496)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBF70B56C(3211834732)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: cm-to-R3
        sa timing: remaining key lifetime (k/sec): (4204405/3496)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set to-R3-set: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set to-R3-set: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

R1#show crypto ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds

Debug IKE/IPSEC

R1#debug crypto isakmp
Crypto ISAKMP debugging is on

...
R1#debug crypto ipsec
Crypto IPSEC debugging is on

...

Laisser un commentaire