Cisco Firewall Configuration File
Last updated: 2023.01.06 07:45:01  First published: 2023.01.06 07:45:01

This document describes how to configure the on-premises side of an IPsec connection when your local VPN gateway is a Cisco firewall.

Note

Configuration files can differ between models from the same vendor; this document is a reference example only, so consult the firewall vendor for your specific model. The pre-shared key used in this document is a demonstration value chosen for readability; in real deployments configure a strong pre-shared key.

IPsec connection parameters on the cloud side

  • Pre-shared key: test@1234

  • Routing mode: interesting traffic

  • Local subnets: 1.1.1.1/32, 172.1.1.1/32

  • Remote subnets: 2.2.2.2/32, 3.3.3.3/32, 4.4.4.4/32

  • IKE configuration

    Policy              Value
    Authentication      md5
    Encryption          aes192
    DH group            group1
    Negotiation mode    main
    Version             ikev2
    Lifetime            86400
    Local ID            119.XX.XX.94
    Remote ID           180.XX.XX.137

  • IPsec configuration

    Policy              Value
    Authentication      md5
    Encryption          aes192
    DH group            group1
    Lifetime            3600

Note

These are the cloud-side settings: "local" and "Local" refer to the cloud VPN side, and "remote" and "Remote" refer to the on-premises VPN side. In the configuration file the roles are reversed: "local" and "Local" refer to the on-premises VPN side, and "remote" and "Remote" refer to the cloud VPN side.

Configuration file

CSR version

crypto ikev2 proposal ikev2proposal  #IKE version: key exchange protocol version
encryption aes-cbc-192  #encryption algorithm (aes192 on the cloud side)
integrity md5  #authentication algorithm
group 1  #DH group


crypto ikev2 policy ikev2policy
proposal ikev2proposal


crypto ikev2 keyring keys  #key material
peer strongswan
address 119.XX.XX.94  #identifier of the cloud VPN gateway
pre-shared-key local test@1234  #pre-shared key of the on-premises IPsec connection
pre-shared-key remote test@1234  #pre-shared key of the cloud IPsec connection


crypto ikev2 profile ikev2profile
identity local address 180.XX.XX.137  #identifier of the on-premises gateway
match identity remote address 119.XX.XX.94  #identifier of the cloud VPN gateway
authentication remote pre-share
authentication local pre-share
keyring local keys
lifetime 86400  #IKE SA lifetime in seconds (phase 1 negotiation)


crypto ipsec transform-set vsr esp-aes 192 esp-md5-hmac  #IPsec encryption and authentication algorithms


#on-premises policy entries: each on-premises subnet must be paired with each cloud subnet, one entry per pair
access-list 101 permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 2.2.2.2 0.0.0.0 172.1.1.1 0.0.0.0
access-list 101 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 3.3.3.3 0.0.0.0 172.1.1.1 0.0.0.0
access-list 101 permit ip 4.4.4.4 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 4.4.4.4 0.0.0.0 172.1.1.1 0.0.0.0


crypto map cmap 10 ipsec-isakmp
set peer 119.XX.XX.94  #identifier of the cloud VPN gateway
set transform-set vsr
set ikev2-profile ikev2profile
match address 101
set pfs group1  #DH (Diffie-Hellman) group used for PFS in the IPsec policy
set security-association lifetime seconds 3600  #IPsec SA lifetime in seconds


interface myport1
ip address 180.XX.XX.137 255.255.255.0  #IP address of the on-premises VPN gateway
crypto map cmap


#local routes (from the on-premises firewall toward the cloud)
ip route 172.1.1.1 255.255.255.255 119.XX.XX.94
ip route 1.1.1.1 255.255.255.255 119.XX.XX.94
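The role swap described in the note on the cloud-side parameters and the access-list entries in the configuration file both follow a fixed rule, so they can be generated and checked rather than typed by hand. The following Python script is an added example, not part of the original document or any vendor's tooling: it takes the cloud-side parameters listed above (cloud gateway 119.XX.XX.94, on-premises gateway 180.XX.XX.137 and the two subnet lists, with the XX octets masked as on the page), swaps local and remote for the Cisco side, converts each prefix to a Cisco wildcard mask, enumerates one permit entry per subnet pair and compares the result with the page's own access-list. The names CLOUD_SIDE, PAGE_ACL, cisco_side, wildcard, crypto_acl and missing_entries are this example's own, and it goes beyond the page's /32 entries in that it handles any prefix length.

```python
import ipaddress
from itertools import product

# Cloud-side parameters copied from the parameter list above. On the cloud
# side "local" is the cloud VPN gateway and "remote" is the on-premises Cisco
# gateway; the XX octets are masked exactly as on the page.
CLOUD_SIDE = {
    "local_id": "119.XX.XX.94",
    "remote_id": "180.XX.XX.137",
    "local_cidrs": ["1.1.1.1/32", "172.1.1.1/32"],
    "remote_cidrs": ["2.2.2.2/32", "3.3.3.3/32", "4.4.4.4/32"],
}

# The access-list entries the page's configuration files carry, used as the
# reference that the generator is checked against.
PAGE_ACL = [
    "access-list 101 permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0",
    "access-list 101 permit ip 2.2.2.2 0.0.0.0 172.1.1.1 0.0.0.0",
    "access-list 101 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0",
    "access-list 101 permit ip 3.3.3.3 0.0.0.0 172.1.1.1 0.0.0.0",
    "access-list 101 permit ip 4.4.4.4 0.0.0.0 1.1.1.1 0.0.0.0",
    "access-list 101 permit ip 4.4.4.4 0.0.0.0 172.1.1.1 0.0.0.0",
]


def cisco_side(cloud):
    """Swap roles: what the cloud calls remote is local on the Cisco gateway."""
    return {
        "local_id": cloud["remote_id"],
        "remote_id": cloud["local_id"],
        "local_cidrs": list(cloud["remote_cidrs"]),
        "remote_cidrs": list(cloud["local_cidrs"]),
    }


def wildcard(cidr):
    """Return (network address, Cisco wildcard mask) for a CIDR prefix.

    A Cisco wildcard mask is the inverse of the subnet mask, which the
    ipaddress module exposes as hostmask (0.0.0.0 for /32, 0.0.0.255 for /24).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def crypto_acl(acl_number, local_cidrs, remote_cidrs):
    """One permit entry per (local, remote) pair, local networks in the outer loop.

    The crypto ACL must enumerate every pair: each entry selects the traffic of
    one IPsec SA, and traffic that matches no entry is not protected by the
    crypto map at all, so a missing pair is a silent gap, not an error.
    """
    entries = []
    for src, dst in product(local_cidrs, remote_cidrs):
        s_addr, s_mask = wildcard(src)
        d_addr, d_mask = wildcard(dst)
        entries.append(
            f"access-list {acl_number} permit ip {s_addr} {s_mask} {d_addr} {d_mask}"
        )
    return entries


def missing_entries(configured, expected):
    """Entries the pair enumeration requires that a running config lacks."""
    have = {line.strip() for line in configured}
    return [line for line in expected if line not in have]


if __name__ == "__main__":
    local = cisco_side(CLOUD_SIDE)
    print(f"identity local address {local['local_id']}")
    print(f"match identity remote address {local['remote_id']}")
    for line in crypto_acl(101, local["local_cidrs"], local["remote_cidrs"]):
        print(line)
    print("missing:", missing_entries(PAGE_ACL, crypto_acl(101, local["local_cidrs"], local["remote_cidrs"])))
```

Run the script and paste its access-list lines into the configuration; pasting the running configuration's access-list into missing_entries shows at a glance which subnet pairs a gateway would carry outside the tunnel.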


IOS version

VPC utilizes unique identifiers to manipulate the configuration of
 a VPN Connection. Each VPN Connection is assigned an identifier and is
 associated with Virtual Private Gateway Identifier and User Gateway IP.

 Your VPN Connection ID : 37315   #ID of the on-premises firewall's IPsec connection
 Your Virtual Private Gateway ID : 23850   #ID of the on-premises firewall's VPN gateway
 Your User Gateway IP : 180.XX.XX.137   #on-premises gateway IP; the Remote ID configured for the IPsec connection in the console

 To configure an IKE-based IPsec tunnel, perform the following tasks:

 #1: Internet Key Exchange (IKE) Configuration

 A policy is established for the supported ISAKMP encryption,
 authentication, Diffie-Hellman and key parameters.

 An IKE proposal defines a set of attributes describing how IKE negotiation in
 phase 1 should take place.
 By default, there is an IKE proposal that is used as the default IKE proposal.
 The default IKE proposal parameters are as follows:

 Authentication algorithm   Encryption algorithm   Diffie-Hellman group   Duration (seconds)
 --------------------------------------------------------------------------------------
 SHA                        DES                    Group 1                86400

crypto isakmp policy 1
authentication pre-share
encryption aes 192   #encryption algorithm
hash md5   #authentication algorithm
group 1   #DH group
lifetime 86400   #IKE SA lifetime in seconds


 The ISAKMP keyring stores the pre-shared key used to authenticate the
 tunnel endpoints.

crypto keyring 1
pre-shared-key address 119.XX.XX.94 key test@1234  #identifier and pre-shared key of the cloud VPN gateway


 An ISAKMP profile is used to associate the keyring with a particular
 endpoint. IKE negotiation mode for phase 1 uses Main mode.   #negotiation mode: main = main mode, aggressive = aggressive mode
 Uses the IP address of the user gateway as the local ID. Uses the WAN IP
 address of the VPN gateway as the remote ID.

crypto isakmp profile 1
keyring 1
self-identity address 180.XX.XX.137  #identifier of the on-premises VPN gateway
match identity address 119.XX.XX.94  #identifier of the cloud VPN gateway
no initiate mode


 #2: IPsec Configuration

 By default, the time-based IPsec SA lifetime is 3600 seconds.

 The IPsec transform set defines the encryption, authentication, and IPsec
 mode parameters. IP packets are encapsulated in tunnel mode.

crypto ipsec transform-set vsr esp-aes 192 esp-md5-hmac  #IPsec encryption and authentication algorithms


 IPsec uses access lists to identify the traffic to be protected. Configure
 the access list to identify data flows.

#policy entries: each on-premises subnet must be paired with each cloud subnet, one entry per pair
access-list 101 permit ip 2.2.2.2 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 2.2.2.2 0.0.0.0 172.1.1.1 0.0.0.0
access-list 101 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 3.3.3.3 0.0.0.0 172.1.1.1 0.0.0.0
access-list 101 permit ip 4.4.4.4 0.0.0.0 1.1.1.1 0.0.0.0
access-list 101 permit ip 4.4.4.4 0.0.0.0 172.1.1.1 0.0.0.0


 ACL for VPN connection probe


 The IPsec crypto map references the IPsec transform set, the ISAKMP profile
 and the access list. PFS is enabled on the IPsec crypto map with DH group 1
 (set pfs group1), matching the cloud-side IPsec configuration.

crypto map 1 1 ipsec-isakmp
set peer 119.XX.XX.94  #IPsec peer
set transform-set vsr
set isakmp-profile 1
match address 101
set pfs group1  #DH group for the IPsec phase
set security-association lifetime seconds 3600  #IPsec SA lifetime in seconds


 #3: Interface Configuration

 Apply the IPsec crypto map to an interface. All traffic routed to the
 interface will be encrypted and transmitted to the VPC. Traffic from the VPC
 will be received on this interface.

interface myporttest1
ip address 180.XX.XX.137 255.255.255.0  #on-premises VPN gateway interface: all traffic routed here is encrypted and sent to the cloud VPC, and traffic from the cloud VPC is received here
crypto map 1


 #4: Routing Configuration

 Configure static routing or a routing protocol for interconnections between the
 Virtual Private Gateway and your User Gateway.

ip route 172.1.1.1 255.255.255.255 119.XX.XX.94
ip route 1.1.1.1 255.255.255.255 119.XX.XX.94
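Most tunnel failures with a setup like this come from a phase 1 or phase 2 parameter that differs between the two sides (a different DH group, hash or lifetime), so it pays to compare the Cisco configuration with the cloud-side parameter list before the first negotiation. The following Python script is an added example, not part of the original document or of Cisco's tooling: it parses a constructed IOS excerpt that mirrors the IOS version above (SAMPLE_CONFIG, with the same masked addresses and the page's `#` comment style), extracts encryption, authentication, DH group and lifetime from the isakmp policy, the transform set and the crypto map, and reports every value that differs from the cloud-side IKE and IPsec parameters. The names CLOUD_IKE, CLOUD_IPSEC, parse_ios, mismatches and check_config are this example's own.

```python
# Cloud-side phase 1 (IKE) and phase 2 (IPsec) parameters, spelled as in the
# page's parameter list.
CLOUD_IKE = {"auth": "md5", "enc": "aes192", "dh": "group1", "lifetime": 86400}
CLOUD_IPSEC = {"auth": "md5", "enc": "aes192", "dh": "group1", "lifetime": 3600}

# Constructed IOS excerpt mirroring the relevant lines of the IOS configuration
# above; addresses are masked exactly as on the page.
SAMPLE_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
 encryption aes 192   #encryption algorithm
 hash md5   #authentication algorithm
 group 1
 lifetime 86400

crypto keyring 1
 pre-shared-key address 119.XX.XX.94 key test@1234

crypto ipsec transform-set vsr esp-aes 192 esp-md5-hmac

crypto map 1 1 ipsec-isakmp
 set peer 119.XX.XX.94
 set transform-set vsr
 set isakmp-profile 1
 match address 101
 set pfs group1

 set security-association lifetime seconds 3600

interface myporttest1
 ip address 180.XX.XX.137 255.255.255.0
 crypto map 1
"""


def _strip(line):
    """Drop the page-style '#' comments and IOS '!' comment lines."""
    line = line.split("#", 1)[0].strip()
    return "" if line.startswith("!") else line


def _parse_transform_set(tokens):
    """Map tokens such as 'esp-aes 192 esp-md5-hmac' to {'enc': ..., 'auth': ...}."""
    out = {}
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t.startswith("esp-") and t.endswith("-hmac"):
            out["auth"] = t[len("esp-"):-len("-hmac")]      # esp-md5-hmac -> md5
        elif t.startswith("esp-"):
            enc = t[len("esp-"):]                             # esp-aes -> aes
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                enc += tokens[i + 1]                          # aes + 192 -> aes192
                i += 1
            out["enc"] = enc
        i += 1
    return out


def parse_ios(config):
    """Extract the negotiated parameters from an IOS IPsec configuration text."""
    found = {"ike": {}, "ipsec": {}}
    block = None  # which configuration block the current line belongs to
    for raw in config.splitlines():
        line = _strip(raw)
        if not line:
            continue
        tok = line.split()
        if tok[0] == "crypto":
            block = None
            if tok[1:3] == ["isakmp", "policy"]:
                block = "ike"
            elif tok[1:2] == ["map"]:
                block = "ipsec"
            elif tok[1:3] == ["ipsec", "transform-set"]:
                found["ipsec"].update(_parse_transform_set(tok[4:]))
            continue
        if tok[0] in ("interface", "ip", "access-list"):
            block = None
            continue
        if block == "ike":
            if tok[0] == "encryption":
                found["ike"]["enc"] = "".join(tok[1:])      # "aes 192" -> "aes192"
            elif tok[0] == "hash":
                found["ike"]["auth"] = tok[1]
            elif tok[0] == "group":
                found["ike"]["dh"] = "group" + tok[1]        # "1" -> "group1"
            elif tok[0] == "lifetime":
                found["ike"]["lifetime"] = int(tok[1])
        elif block == "ipsec":
            if tok[:2] == ["set", "pfs"]:
                found["ipsec"]["dh"] = tok[2]
            elif tok[:4] == ["set", "security-association", "lifetime", "seconds"]:
                found["ipsec"]["lifetime"] = int(tok[4])
    return found


def mismatches(expected, found):
    """(parameter, cloud value, Cisco value) for every parameter that differs or is absent."""
    return [(k, v, found.get(k)) for k, v in expected.items() if found.get(k) != v]


def check_config(config, cloud_ike=CLOUD_IKE, cloud_ipsec=CLOUD_IPSEC):
    found = parse_ios(config)
    return {"ike": mismatches(cloud_ike, found["ike"]),
            "ipsec": mismatches(cloud_ipsec, found["ipsec"])}


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG))   # empty lists: both phases match the cloud side
```

An absent parameter is reported as None, which catches the case where a value is left at the IOS default (for example the default IKE proposal shown in the template above, SHA/DES/Group 1) instead of being set to the cloud-side value.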