1. Overview:

IPSec VPN has several ways of traversing NAT, and NAT-T is one of them. Normally an IPSec VPN cannot cross a NAT device, the main reason being that ESP traffic, unlike TCP or UDP, carries no port numbers for a PAT device to rewrite. While testing an IPSec VPN whose phase 1 runs in aggressive mode, I noticed that the tunnel still came up with NAT-T left at its default (disabled) setting on the PIX/ASA, so I am writing the setup down here.

2. Basic ideas:

A. Cisco IOS routers have NAT-T enabled by default.
B. The Cisco PIX/ASA in this lab does not have NAT-T enabled by default.
C. To use NAT-T, both encryption endpoints must have it enabled; once the endpoints detect during IKE phase 1 that a NAT sits between them, they switch to NAT-T (IKE moves to UDP 4500 and ESP is carried inside UDP 4500).
D. Even without NAT-T the VPN works, apparently because the IOS router's PAT is clever enough to translate ESP on its own: since ESP has no ports, IOS NAT keys the translation on the ESP SPI instead (the SPI shows up in the port column of the translation table in section 6).
E. If the PAT device in the middle is a firewall that does not handle ESP this way, the tunnel should not get through without NAT-T or an equivalent technique.

3. Test topology:

(The diagram did not survive. From the configurations below, the chain is R1 (192.168.1.1, loopback 192.168.2.1) - R2 (PAT device, inside 192.168.1.2 / outside 202.100.1.2) - R3 (202.100.1.3 / 202.100.2.3) - PIX80 (Outside 202.100.2.10 / Inside 172.16.1.10) - R4 (172.16.1.4). R1 and the PIX are the IPSec peers; R2 is the PAT device in the path.)
4. Base configuration:

A. R1:

interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shut
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.2

B. R2 (the PAT device):

interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 no shut
interface Ethernet0/1
 ip address 202.100.1.2 255.255.255.0
 ip nat outside
 no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.3
ip access-list extended PAT
 permit ip any any
ip nat inside source list PAT interface Ethernet0/1 overload

C. R3:

interface Ethernet0/0
 ip address 202.100.1.3 255.255.255.0
 no shut
interface Ethernet0/1
 ip address 202.100.2.3 255.255.255.0
 no shut

D. PIX80:

interface Ethernet0
 nameif Inside
 security-level 100
 ip address 172.16.1.10 255.255.255.0
 no shut
interface Ethernet1
 nameif Outside
 security-level 0
 ip address 202.100.2.10 255.255.255.0
 no shut
route Outside 0.0.0.0 0.0.0.0 202.100.2.3
access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (Inside) 1 access-list PAT
global (Outside) 1 interface
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside

(The interface ACL only permits ICMP, for the ping test. IKE and ESP terminate on the PIX itself and are not subject to the interface ACL, and the decrypted VPN traffic bypasses it because sysopt connection permit-vpn is on by default.)

E. R4:

interface Ethernet0/0
 ip address 172.16.1.4 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.10

5. VPN configuration:

A. R1:

① Phase 1 policy:

(3DES, MD5 and DH group 2 are what this lab used; they are legacy algorithms, and a production policy should use AES, SHA-2 and DH group 14 or higher on both peers.)

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp identity hostname
crypto isakmp keepalive 10 periodic
crypto isakmp peer address 202.100.2.10
set aggressive-mode password cisco123
set aggressive-mode client-endpoint fqdn R1

(Aggressive mode with an FQDN identity is what lets the PIX identify R1: after PAT the IKE packets arrive from R2's outside address 202.100.1.2, not from 192.168.1.1, so an address-based identity would not be usable. The pre-shared key is bound to the peer address 202.100.2.10 through crypto isakmp peer address.)

② Phase 2 policy:

crypto ipsec transform-set transet esp-3des esp-md5-hmac

③ Interesting traffic:

ip access-list extended VPN
 permit ip 192.168.2.0 0.0.0.255 172.16.1.0 0.0.0.255

④ Crypto map, applied on the interface facing R2 (the original notes list 202.100.2.3, R3's address, as the peer; the peer is the PIX at 202.100.2.10, as in crypto isakmp peer address above):

crypto map crymap 10 ipsec-isakmp
 set peer 202.100.2.10
 set transform-set transet
 set pfs group2
 match address VPN
 reverse-route
interface Ethernet0/0
 crypto map crymap

B. PIX80:

① Phase 1 policy:

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
crypto isakmp identity hostname
tunnel-group 202.100.1.2 type ipsec-l2l
tunnel-group 202.100.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco123

Note: the tunnel-group is named after the address the IKE packets arrive from, i.e. R2's PAT address 202.100.1.2. It could equally be named after the peer's FQDN (R1), which is the identity R1 sends in aggressive mode.

② Phase 2 policy:

The transform set must match R1's. Its definition is missing from the original notes and is assumed to be the first line below:

crypto ipsec ikev1 transform-set transet esp-3des esp-md5-hmac
crypto map crymap 10 set transform-set transet

③ Interesting traffic and NAT exemption:

access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list NONAT

(Without the exemption the PIX would PAT 172.16.1.0/24 to its outside address before encryption, and the traffic would no longer match the crypto ACL.)

④ Crypto map, applied on the interface:

crypto map crymap 10 match address VPN
crypto map crymap 10 set pfs
crypto map crymap 10 set peer 202.100.1.2
crypto map crymap 10 set transform-set transet
crypto map crymap 10 set phase1-mode aggressive
crypto map crymap 10 set reverse-route
crypto map crymap interface Outside

⑤ Enable ISAKMP on the interface:

crypto isakmp enable Outside

6. Test:

A. Only the PAT side can initiate the VPN:

The PIX has no way to reach R1 on its own: its peer is 202.100.1.2, which is R2's outside address, and R2 holds no translation for inbound UDP 500 until R1 has sent something out. So a ping from R4 finds nothing that triggers IKE and fails, while a ping from R1 brings the tunnel up. The same holds with NAT-T: the peer behind the NAT must initiate unless a static translation for UDP 500/4500 is configured on the NAT device.

R4#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#

R1#ping 172.16.1.4 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 28/85/136 ms
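Idea C above says the peers work out during phase 1 whether a NAT is in the path. The following is an added illustration, not part of the original notes: it reproduces the RFC 3947 NAT-D check in Python, using the lab's addresses and the PAT mapping 192.168.1.1:500 to 202.100.1.2:1 that R2's translation table shows; the ISAKMP cookies are made-up values. It also explains why the test above worked without NAT-T: NAT-D payloads are only exchanged when both peers advertised the NAT-T vendor ID, and a PIX with NAT-T disabled does not, so R1 never learns it sits behind a PAT and sends raw ESP, which R2 forwards by SPI.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies for the example; real ones come from the IKE SA.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "md5") -> bytes:
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).

    HASH is the phase 1 hash algorithm (md5 here, matching 'hash md5' in the
    lab policies); IP is the packed address, Port a 16-bit big-endian value.
    """
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def nat_between(cky_i: bytes, cky_r: bytes, claimed, observed, hash_name: str = "md5") -> bool:
    """True when a NAT rewrote the address or port in transit.

    claimed  = (ip, port) the sender hashed into its NAT-D, i.e. what it
               believes its own address is;
    observed = (ip, port) the receiver actually reads off the IP/UDP header
               and hashes locally for comparison.
    """
    return nat_d(cky_i, cky_r, *claimed, hash_name) != nat_d(cky_i, cky_r, *observed, hash_name)


def lab_detection() -> dict:
    """NAT detection for both directions of the lab.

    R1 sits behind R2's PAT: its IKE packets leave 192.168.1.1:500 and reach
    the PIX from 202.100.1.2:1 (the mapping in R2's translation table).
    The PIX outside address 202.100.2.10:500 reaches R1 unchanged.
    """
    r1_behind_nat = nat_between(CKY_I, CKY_R, ("192.168.1.1", 500), ("202.100.1.2", 1))
    pix_behind_nat = nat_between(CKY_I, CKY_R, ("202.100.2.10", 500), ("202.100.2.10", 500))
    return {"r1_behind_nat": r1_behind_nat, "pix_behind_nat": pix_behind_nat}


def float_to_4500(detection: dict) -> bool:
    """RFC 3947: if a NAT is found on either side, both peers move IKE to
    UDP 4500 and carry ESP inside UDP 4500 (RFC 3948) instead of raw ESP."""
    return any(detection.values())


if __name__ == "__main__":
    result = lab_detection()
    print(result, "-> switch to NAT-T:", float_to_4500(result))
```

The receiver never needs to know the sender's real private address: it just hashes what it sees on the wire and compares. A mismatch on either side is enough for both peers to float to UDP 4500, which is what happens in section D once the PIX also advertises NAT-T.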
B. ESP is seen directly on top of IP (no UDP encapsulation):

The translation table on R2 (output of show ip nat translations) shows what makes this work. IKE on UDP 500 is port-translated like any other UDP flow (R1's source port 500 became port 1 on the outside). ESP has no ports, so IOS NAT keys those entries on the SPI instead, which is why a hex value appears in the port column: CEC6AC77 on the outside-global side is the SPI of packets going to the PIX, and CCA11424 on the inside-local side is the SPI of packets coming back to R1.

Pro Inside global      Inside local         Outside local       Outside global
esp 202.100.1.2:0      192.168.1.1:0        202.100.2.10:0      202.100.2.10:CEC6AC77
udp 202.100.1.2:1      192.168.1.1:500      202.100.2.10:500    202.100.2.10:500
esp 202.100.1.2:0      192.168.1.1:CCA11424 202.100.2.10:0      202.100.2.10:0
udp 202.100.1.2:500    202.100.1.2:500      202.100.2.10:500    202.100.2.10:500

The caveat is that this works because a single inside host is talking ESP to that peer. The NAT has nothing but the SPI to tell sessions apart, and it cannot map an inbound ESP packet whose SPI it has not associated with an inside host yet; several hosts behind the same PAT reaching the same peer need NAT-T.

D. Enable NAT-T on the firewall, clear the SAs and reconnect; a capture now shows ESP encapsulated in UDP (port 4500):

Command used: crypto isakmp nat-traversal 10

Pinging from R1 again after the SAs were cleared:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/51/92 ms

With NAT-T both IKE and ESP now travel inside UDP 4500, so R2 sees ordinary UDP flows and no longer has to track SPIs. The 10 in crypto isakmp nat-traversal 10 is the NAT keepalive interval in seconds; the keepalives keep R2's PAT entry alive while the tunnel is idle. In both ping runs the leading dots are the packets lost while IKE was still negotiating.
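A quick way to read the PAT router's translation table and tell which of the two states in B and D a tunnel is in. This is an added Python example, not from the original notes: the four table rows are the ones recorded in B, and the :4500 row is constructed to stand for the state after D, since no table was recorded at that point.

```python
import re

# Sample 'show ip nat translations' output from the PAT router R2. The header and
# the four esp/udp rows are the ones recorded in section 6 B (raw ESP passthrough);
# the final :4500 row is constructed to show what appears once NAT-T is in use
# (section 6 D), since the original notes give no table for that state.
SAMPLE_TABLE = """\
Pro Inside global      Inside local         Outside local       Outside global
esp 202.100.1.2:0      192.168.1.1:0        202.100.2.10:0      202.100.2.10:CEC6AC77
udp 202.100.1.2:1      192.168.1.1:500      202.100.2.10:500    202.100.2.10:500
esp 202.100.1.2:0      192.168.1.1:CCA11424 202.100.2.10:0      202.100.2.10:0
udp 202.100.1.2:500    202.100.1.2:500      202.100.2.10:500    202.100.2.10:500
udp 202.100.1.2:4500   192.168.1.1:4500     202.100.2.10:4500   202.100.2.10:4500
"""

ROW = re.compile(r"^(esp|udp|tcp|icmp|gre)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _split(addr: str) -> tuple:
    """'202.100.2.10:CEC6AC77' -> ('202.100.2.10', 'CEC6AC77').
    The port column holds a port for udp/tcp rows and a hex SPI for esp rows."""
    ip, _, port = addr.rpartition(":")
    return ip, port


def parse_translations(text: str) -> list:
    """Parse the translation table into dicts; header and unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, ig, il, ol, og = m.groups()
        entries.append({
            "proto": proto,
            "inside_global": _split(ig),
            "inside_local": _split(il),
            "outside_local": _split(ol),
            "outside_global": _split(og),
        })
    return entries


def classify(entry: dict) -> str:
    """What role a translation entry plays for an IPsec tunnel."""
    if entry["proto"] == "esp":
        return "esp-passthrough"        # keyed on SPI, not on a port
    if entry["proto"] == "udp":
        port = entry["outside_global"][1]
        if port == "4500":
            return "nat-t-udp4500"      # IKE and UDP-encapsulated ESP after NAT detection
        if port == "500":
            return "ike-udp500"         # plain IKE, port-translated like any UDP flow
    return "other"


def tunnel_mode(entries: list) -> str:
    """'nat-t' if the tunnel runs over UDP 4500, 'esp-passthrough' if the NAT is
    carrying raw ESP by SPI, 'none' if no IPsec-related entry exists."""
    kinds = {classify(e) for e in entries}
    if "nat-t-udp4500" in kinds:
        return "nat-t"
    if "esp-passthrough" in kinds:
        return "esp-passthrough"
    return "none"


def peers_shared_by_several_hosts(entries: list) -> set:
    """Outside peers that more than one inside host reaches with raw ESP through
    this PAT. The NAT can only tell such sessions apart by SPI, so these are the
    cases where passthrough is fragile and NAT-T should be enforced."""
    hosts_per_peer = {}
    for e in entries:
        if e["proto"] != "esp":
            continue
        hosts_per_peer.setdefault(e["outside_global"][0], set()).add(e["inside_local"][0])
    return {peer for peer, hosts in hosts_per_peer.items() if len(hosts) > 1}


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_TABLE)
    for r in rows:
        print(classify(r), r["inside_local"], "->", r["outside_global"])
    print("tunnel mode:", tunnel_mode(rows))
    print("peers shared by several hosts:", peers_shared_by_several_hosts(rows))
```

Feed it the real output of show ip nat translations on the PAT device: esp rows mean the NAT is carrying raw ESP by SPI (the state in B), udp rows on port 4500 mean NAT-T is in use (the state in D), and any peer returned by peers_shared_by_several_hosts is a tunnel that should not be left to ESP passthrough.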