Sunday, January 8, 2012

Cisco New Feature: Flex VPN



I recently noticed that many of the new features are only supported on the ISR G2, so to study the security features introduced after 15.1T I bought two 1921s. There should be quite a few posts on ISR G2 security features coming soon; today's is just the start.
     Starting with the ISR G2 and ASA 8.4, Cisco supports IKEv2 IPsec VPN. I already published a post on the ASA 8.4 configuration, so this time the focus is on configuring IKEv2 IPsec VPN on the ISR G2. Cisco gave IKEv2 IPsec VPN on IOS a brand new, punchy name: Flex VPN. It covers a lot of ground, and the changes turn out to be big: the configuration is completely different from before. Below is the third part of the Flex VPN series, the Flex VPN server and client configuration. This technology should replace the traditional EzVPN and DMVPN, and because it is built on an open standard (IKEv2) it should interoperate well; for example, Windows 7 can dial in to a Flex VPN server without installing any client. What I am sharing today is only the Flex VPN hardware client; I will cover Windows 7 dial-in in a later part.
Lab 1: pre-shared-key authentication + local AAA
hostname Yeslab-CA
!
aaa new-model
!
aaa authentication login noacs line none
aaa authorization network Yeslab-Local-Group-Author-List local
!
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
pool ippool
dns 100.1.1.1
wins 100.1.1.1
banner ^CWelcome to Yeslab^C
def-domain yeslab.net
backup-gateway yeslabgw1.yeslab.net
backup-gateway yeslabgw2.yeslab.net
backup-gateway yeslabgw3.yeslab.net
route set access-list 5
!
crypto ikev2 keyring Yeslab-IKEv2-Keyring
peer Flex-VPN
  address 202.100.1.1
  pre-shared-key local yeslabccies
  pre-shared-key remote yeslabccies
!
crypto ikev2 profile Yeslab-IKEv2-Profile
match identity remote address 202.100.1.1 255.255.255.255
identity local address 202.100.1.100
authentication local pre-share
authentication remote pre-share
keyring local Yeslab-IKEv2-Keyring
aaa authorization group override psk list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
virtual-template 1
!
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
set transform-set Yeslab-IPSec-Trans
set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
ip address 100.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
ip address 202.100.1.100 255.255.255.0
no shutdown
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile Yeslab-IPSec-Profile
!
ip local pool ippool 123.1.1.100 123.1.1.200
!
access-list 5 permit 100.1.1.0 0.0.0.255
!
end
=================================
hostname Client
!
! aaa new-model is required before the aaa authentication/authorization lists below are accepted
aaa new-model
!
aaa authentication login noacs line none
aaa authorization network Yeslab-Local-Group-Author-List local
!
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
route set access-list 5
!
crypto ikev2 keyring Yeslab-IKEv2-Keyring
peer Flex-VPN
  address 202.100.1.100
  pre-shared-key local yeslabccies
  pre-shared-key remote yeslabccies
!
crypto ikev2 profile Yeslab-IKEv2-Profile
match identity remote address 202.100.1.100 255.255.255.255
identity local address 202.100.1.1
authentication local pre-share
authentication remote pre-share
keyring local Yeslab-IKEv2-Keyring
aaa authorization group override psk list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
!
crypto ikev2 client flexvpn Yeslab-Flex-Client
  peer 1 202.100.1.100
  client connect Tunnel0
!
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
set transform-set Yeslab-IPSec-Trans
set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address negotiated
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile Yeslab-IPSec-Profile
!
interface GigabitEthernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
!
access-list 5 permit 1.1.1.0 0.0.0.255

Lab 2: digital signature authentication + local AAA
hostname Yeslab-CA
!
aaa new-model
!
aaa authentication login noacs line none
aaa authorization network Yeslab-Local-Group-Author-List local
!
clock timezone GMT 8 0
!
ip domain name yeslab.net
!
! SCEP enrollment from the client (enrollment url http://202.100.1.100:80) needs the HTTP server enabled on the CA
ip http server
!
crypto pki server Yeslab-CA
issuer-name cn=Yeslab-CA.yeslab.net, ou=YeslabSec, o=Yeslab
! the CA server must be enabled before it will issue certificates
no shutdown
!
crypto pki trustpoint Yeslab-CA
revocation-check crl
rsakeypair Yeslab-CA
!
crypto pki trustpoint Flex-VPN
enrollment url http://202.100.1.100:80
subject-name cn=Yeslab-CA.yeslab.net, ou=YeslabSec, o=Yeslab
revocation-check crl
!
crypto pki certificate map cert-acl 10
subject-name co ou = yeslabsec
!
crypto pki certificate chain Yeslab-CA
certificate ca 01
------certificate omitted------
        quit
crypto pki certificate chain Flex-VPN
certificate 02
------certificate omitted------
        quit
certificate ca 01
------certificate omitted------
        quit
!
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
pool ippool
dns 100.1.1.1
wins 100.1.1.1
banner ^CWelcome to Yeslab^C
def-domain yeslab.net
backup-gateway yeslabgw1.yeslab.net
backup-gateway yeslabgw2.yeslab.net
backup-gateway yeslabgw3.yeslab.net
route set access-list 5
!
crypto ikev2 profile Yeslab-IKEv2-Profile
match certificate cert-acl
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint Flex-VPN
aaa authorization group override cert list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
virtual-template 1
!
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
set transform-set Yeslab-IPSec-Trans
set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
ip address 100.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
ip address 202.100.1.100 255.255.255.0
no shutdown
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile Yeslab-IPSec-Profile
!
ip local pool ippool 123.1.1.100 123.1.1.200
!
access-list 5 permit 100.1.1.0 0.0.0.255
!
ntp master
!
end
======================================================
hostname Client
!
! aaa new-model is required before the aaa authentication/authorization lists below are accepted
aaa new-model
!
aaa authentication login noacs line none
aaa authorization network Yeslab-Local-Group-Author-List local
!
clock timezone GMT 8 0
!
crypto pki trustpoint Flex-VPN
enrollment url http://202.100.1.100:80
subject-name cn=Client.yeslab.net, ou=YeslabSec, o=Yeslab
revocation-check crl
!
crypto pki certificate map cert-acl 10
subject-name co ou = yeslabsec
!
crypto pki certificate chain Flex-VPN
certificate 03
------certificate omitted------
        quit
certificate ca 01
------certificate omitted------
        quit
!
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
route set access-list 5
!
crypto ikev2 profile Yeslab-IKEv2-Profile
match certificate cert-acl
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint Flex-VPN
aaa authorization group override cert list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
!
crypto ikev2 client flexvpn Yeslab-Flex-Client
  peer 1 202.100.1.100
  client connect Tunnel0
!
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
set transform-set Yeslab-IPSec-Trans
set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address negotiated
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile Yeslab-IPSec-Profile
!
interface GigabitEthernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
!
access-list 5 permit 1.1.1.0 0.0.0.255
!
ntp server 202.100.1.100
!
end
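Both labs above negotiate `esp-3des esp-sha-hmac` and rely on the router's implicit default IKEv2 proposal. The fragment below is an added example, not part of the original post: an explicit IKEv2 proposal/policy and a stronger transform set that keep the lab's own object names (so the existing `Yeslab-IPSec-Profile` and `Yeslab-IKEv2-Profile` references still apply), followed by the show commands used to verify the tunnel on either side. It assumes an IOS release that accepts AES-256 and SHA-256 in these commands and that the server's Virtual-Access interface was cloned as Virtual-Access1.

```cisco
! Explicit IKEv2 proposal and policy instead of the implicit default
crypto ikev2 proposal Yeslab-IKEv2-Proposal
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy Yeslab-IKEv2-Policy
 proposal Yeslab-IKEv2-Proposal
!
! Replace the 3DES/SHA-1 transform set used in both labs; same name, so the
! "set transform-set Yeslab-IPSec-Trans" line in Yeslab-IPSec-Profile is unchanged
crypto ipsec transform-set Yeslab-IPSec-Trans esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Bound the IKEv2 SA lifetime (seconds) and detect a dead peer before traffic blackholes
crypto ikev2 profile Yeslab-IKEv2-Profile
 lifetime 3600
 dpd 10 3 on-demand
!
! Verification (either side): IKEv2 SA with negotiated algorithms, then IPsec SAs/counters
show crypto ikev2 sa detailed
show crypto ipsec sa
!
! Hardware client only: FlexVPN client state and the peer currently in use
show crypto ikev2 client flexvpn
!
! Server only: the Virtual-Access interface cloned from Virtual-Template1
show interfaces Virtual-Access1
!
! Routes installed from the peer's "route set access-list 5" appear as static routes
show ip route static
```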
