IPsec VPNs have several ways to traverse NAT, and NAT-T is one of them. Normally an IPsec VPN cannot pass through a NAT device: the main reason is that ESP traffic, unlike TCP or UDP, carries no port numbers for the translator to work with. While testing an IPsec VPN whose phase 1 uses aggressive mode, I noticed by accident that the tunnel still came up even though NAT-T is disabled by default on the PIX/ASA, so I am writing it down here.
2. Basic idea:
A. IOS routers enable NAT-T by default.
B. Cisco PIX/ASA do not enable NAT-T by default.
C. To use NAT-T, both crypto endpoints must have it enabled; the endpoints switch to NAT-T only when they detect during IKE that a NAT sits in the path.
D. The VPN came up even with NAT-T disabled; apparently the router's PAT is smart enough to translate ESP traffic on its own.
E. If the PAT device in the middle were a firewall, the tunnel should not get through without NAT-T or a similar technique.
3. Test topology:
4. Basic configuration:
A. R1:
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shut
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.2
B. R2 (the PAT device in front of R1):
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.1.2 255.255.255.0
 ip nat outside
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
 permit ip any any
ip nat inside source list PAT interface Ethernet0/1 overload
C. R3 (the "Internet" router between R2 and the PIX):
interface Ethernet0/0
 ip address 202.100.1.3 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.3 255.255.255.0
 no shut
D. PIX80:
interface Ethernet0
 nameif Inside
 security-level 100
 ip address 172.16.1.10 255.255.255.0
 no shut
interface Ethernet1
 nameif Outside
 security-level 0
 ip address 202.100.2.10 255.255.255.0
 no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.3
access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
E. R4:
interface Ethernet0/0
 ip address 172.16.1.4 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.10
5. VPN configuration:
A. R1:
① Phase 1 policy:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
crypto isakmp peer address 202.100.2.10
 set aggressive-mode password cisco123
 set aggressive-mode client-endpoint fqdn R1
② Phase 2 policy:
crypto ipsec transform-set transet esp-3des esp-md5-hmac
③ Interesting traffic:
ip access-list extended VPN
 permit ip 192.168.2.0 0.0.0.255 172.16.1.0 0.0.0.255
④ Crypto map, applied to the interface:
crypto map crymap 10 ipsec-isakmp
 ! peer is the PIX Outside address, the same one used in "crypto isakmp peer address" above
 set peer 202.100.2.10
 set transform-set transet
 set pfs group2
 match address VPN
 reverse-route
interface Ethernet0/0
 crypto map crymap
B. PIX80:
① Phase 1 policy:
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp identity hostname
tunnel-group 202.100.1.2 type ipsec-l2l
tunnel-group 202.100.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
Note: the tunnel-group is named after the address the PIX actually sees, which is R2's PAT address, not R1's own address; the peer's FQDN can be used as the tunnel-group name instead.
② Phase 2 policy (the transform set must match the one on R1):
crypto ipsec transform-set transet esp-3des esp-md5-hmac
③ Interesting traffic and NAT exemption:
access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list NONAT
④ Crypto map, applied to the interface:
crypto map crymap 10 match address VPN
crypto map crymap 10 set pfs
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set transform-set transet
crypto map crymap 10 set phase1-mode aggressive
crypto map crymap 10 set reverse-route
crypto map crymap interface Outside
⑤ Enable ISAKMP on the interface:
crypto isakmp enable Outside
6. Tests:
A. With only PAT in the path (NAT-T still disabled on the PIX), first try to trigger the VPN from R4:
R4#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#
Traffic from R4 cannot bring the tunnel up: the PIX would have to send IKE to 202.100.1.2, and R2 has no translation entry for that unsolicited inbound flow.
B. Trigger the VPN from R1, the peer behind the PAT device, instead:
R1#ping 172.16.1.4 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 28/85/136 ms
C. R2 has translated the ESP traffic in both directions on its own; since ESP has no port, the SPI appears in the port column of the translation table:
R2#show ip nat translations
Pro Inside global      Inside local         Outside local      Outside global
esp 202.100.1.2:0      192.168.1.1:0        202.100.2.10:0     202.100.2.10:CEC6AC77
udp 202.100.1.2:1      192.168.1.1:500      202.100.2.10:500   202.100.2.10:500
esp 202.100.1.2:0      192.168.1.1:CCA11424 202.100.2.10:0     202.100.2.10:0
udp 202.100.1.2:500    202.100.1.2:500      202.100.2.10:500   202.100.2.10:500
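As an added example (not part of the original post), the following Python script parses `show ip nat translations` output like the R2 table above and reports whether the PAT router is translating raw ESP by SPI or carrying the tunnel as ordinary UDP/4500 NAT-T. The first sample table is the R2 output from this lab; the second is a constructed, hypothetical table showing what the same tunnel looks like once NAT-T is negotiated. Column widths and the `esp`/`udp` protocol names are as IOS prints them; the parser assumes the five-column layout shown here.

```python
# Constructed sample 1: the R2 table from the lab (raw ESP translated by SPI).
RAW_ESP_TABLE = """\
Pro Inside global      Inside local         Outside local      Outside global
esp 202.100.1.2:0      192.168.1.1:0        202.100.2.10:0     202.100.2.10:CEC6AC77
udp 202.100.1.2:1      192.168.1.1:500      202.100.2.10:500   202.100.2.10:500
esp 202.100.1.2:0      192.168.1.1:CCA11424 202.100.2.10:0     202.100.2.10:0
udp 202.100.1.2:500    202.100.1.2:500      202.100.2.10:500   202.100.2.10:500
"""

# Constructed sample 2 (hypothetical): the same peers after NAT-T is negotiated,
# so ESP rides inside UDP/4500 and only udp entries appear.
NAT_T_TABLE = """\
Pro Inside global      Inside local         Outside local      Outside global
udp 202.100.1.2:4500   192.168.1.1:4500     202.100.2.10:4500  202.100.2.10:4500
udp 202.100.1.2:500    192.168.1.1:500      202.100.2.10:500   202.100.2.10:500
"""


def _endpoint(field, proto):
    """Split 'addr:ident'. IOS prints a decimal port for udp/tcp but the hex SPI for esp."""
    addr, ident = field.rsplit(":", 1)
    value = int(ident, 16) if proto == "esp" else int(ident)
    return addr, value


def parse_nat_translations(text):
    """Return one dict per translation row; the header row and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto = parts[0]
        ig, il, ol, og = (_endpoint(p, proto) for p in parts[1:])
        entries.append({"proto": proto, "inside_global": ig, "inside_local": il,
                        "outside_local": ol, "outside_global": og})
    return entries


def esp_spis(entries):
    """SPIs the PAT device is keying raw ESP on; an ident of 0 is a wildcard in that direction."""
    spis = set()
    for e in entries:
        if e["proto"] == "esp":
            for side in ("inside_local", "outside_global"):
                if e[side][1] != 0:
                    spis.add(e[side][1])
    return spis


def nat_t_in_use(entries):
    """True when the inside host is sending on UDP/4500, i.e. ESP is UDP-encapsulated."""
    return any(e["proto"] == "udp" and e["inside_local"][1] == 4500 for e in entries)


def summarize(text):
    entries = parse_nat_translations(text)
    return {
        "entries": len(entries),
        "raw_esp": sum(1 for e in entries if e["proto"] == "esp"),
        "esp_spis": esp_spis(entries),
        "nat_t": nat_t_in_use(entries),
    }


if __name__ == "__main__":
    for name, table in (("no NAT-T", RAW_ESP_TABLE), ("NAT-T", NAT_T_TABLE)):
        s = summarize(table)
        print(f"{name}: {s['raw_esp']} raw ESP entries, SPIs "
              f"{[hex(x) for x in sorted(s['esp_spis'])]}, NAT-T in use: {s['nat_t']}")
```

Raw ESP entries in the table mean the router is relying on its own SPI-based translation, which is what the lab observed; if operations expects NAT-T, the presence of `esp` rows (and the absence of 4500) is the quickest sign that NAT-T was not negotiated.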
D. Enable NAT-T on the firewall, clear the SAs and reconnect; a packet capture now shows ESP encapsulated inside UDP (port 4500):
Command used: crypto isakmp nat-traversal 10
R1#ping 172.16.1.4 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/51/92 ms
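To make the point from the introduction and from test D concrete (ESP carries no ports, NAT-T wraps it in UDP so an ordinary PAT device can handle it), here is an added Python example that is not part of the original post. It builds constructed sample packets for the shapes a NAT device in this lab would see (raw ESP, IKE on UDP/500, UDP-encapsulated ESP, IKE on UDP/4500 with the non-ESP marker, and the NAT-T keepalive) and classifies them from the headers alone, the way a translator must. Addresses and the SPI are reused from the lab's R2 table as sample values; checksums are left at zero because nothing is put on the wire.

```python
import struct

# Values from the IPsec / NAT-T RFCs (RFC 4303 for ESP, RFC 3947/3948 for NAT-T).
IPPROTO_UDP = 17
IPPROTO_ESP = 50
PORT_IKE = 500
PORT_NAT_T = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE on UDP/4500; an ESP SPI is never 0
NAT_KEEPALIVE = b"\xff"               # one-byte NAT-T keepalive payload


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left at 0 (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ip_to_bytes(src), ip_to_bytes(dst))


def esp(spi, seq, ciphertext):
    """Raw ESP: 4-byte SPI, 4-byte sequence number, then the encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp(sport, dport, payload):
    """UDP header (checksum 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def packet(src, dst, proto, payload):
    return ipv4_header(src, dst, proto, len(payload)) + payload


def classify(pkt):
    """Return (kind, info) using only what a NAT device can see without decrypting.
    kind: 'esp', 'ike', 'nat-t-ike', 'nat-t-esp', 'nat-t-keepalive' or 'other'.
    info['pat_key'] is the (address, identifier) pair a PAT device could key the flow on."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20])
    body = pkt[ihl:]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # No transport ports here: the only per-flow identifier is the SPI, which is
        # exactly what the IOS table above shows in the port column of its esp rows.
        return "esp", {"src": src, "dst": dst, "spi": spi, "seq": seq, "pat_key": (src, spi)}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[8:]
        info = {"src": src, "dst": dst, "sport": sport, "dport": dport, "pat_key": (src, sport)}
        if PORT_IKE in (sport, dport):
            return "ike", info
        if PORT_NAT_T in (sport, dport):
            if payload == NAT_KEEPALIVE:
                return "nat-t-keepalive", info
            if payload[:4] == NON_ESP_MARKER:
                return "nat-t-ike", info
            if len(payload) < 8:
                return "other", info
            info["spi"], info["seq"] = struct.unpack("!II", payload[:8])
            return "nat-t-esp", info  # ESP inside UDP: a plain PAT can translate the port
    return "other", {"src": src, "dst": dst, "pat_key": None}


# Constructed samples for the R1 -> PIX direction; SPI reused from the R2 NAT table above.
SPI_R1_TO_PIX = 0xCCA11424
SRC, DST = "192.168.1.1", "202.100.2.10"
SAMPLES = {
    "raw_esp": packet(SRC, DST, IPPROTO_ESP, esp(SPI_R1_TO_PIX, 1, b"\x00" * 16)),
    "ike": packet(SRC, DST, IPPROTO_UDP, udp(500, 500, b"\x00" * 28)),
    "natt_esp": packet(SRC, DST, IPPROTO_UDP, udp(4500, 4500, esp(SPI_R1_TO_PIX, 1, b"\x00" * 16))),
    "natt_ike": packet(SRC, DST, IPPROTO_UDP, udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)),
    "keepalive": packet(SRC, DST, IPPROTO_UDP, udp(4500, 4500, NAT_KEEPALIVE)),
}


def classify_samples():
    """Map each sample name to the kind classify() assigns it."""
    return {name: classify(pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        kind, info = classify(pkt)
        print(f"{name:10s} -> {kind:16s} pat_key={info['pat_key']}")
```

The `pat_key` values are the practical difference between the two cases: for raw ESP the translator has nothing but (address, SPI), which is why only an SPI-aware PAT such as the IOS one in this lab can handle it, while with NAT-T the flow is keyed on (address, UDP port) like any other UDP session.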