Site-to-site IPSec VPN through NAT

Thanks to:  http://www.howfantastic.net/

Network Diagram

[Diagram: IPSec with NAT (image not reproduced here)]

Premise

A branch office with an ADSL connection would like to access corporate and local resources without running a local client on office machines. Split tunnelling is not required, all traffic must be routed back up to the corporate HQ. Only one static IP has been provided by the ADSL ISP.

Config

We’ll need to port forward UDP 500 (IKE) on the ADSL router so that the corporate ASA can reach the branch ASA sitting behind the NAT; outbound traffic from the branch is handled by the ordinary overload (PAT) rule. On the ADSL router we use the following NAT rules:
ip nat inside source list LAN interface FastEthernet0/0 overload
ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/0 500
You’ll see I’ve moved the B-End public IP of the IPSec tunnel onto the ADSL router so the A-End config doesn’t change. All I need to do is renumber the blue linknet to my chosen RFC1918 subnet of 192.168.1.0/24 and give the branch ASA a new default route pointing at the ADSL router’s inside interface, and all is well.

Testing

One thing which has bitten me in the past is that a crypto-map based IPSec tunnel won’t come up until you send some traffic that matches the crypto ACL down it. Since I’m doing this in GNS3 with VPCS hosts, I’ll open up my crypto-map to allow ICMP so that I can bring up the tunnel with some pings.
A-END
access-list OUTSIDE_CRYPTOMAP_10 extended permit icmp any 10.1.0.0 255.255.255.0
B-END
access-list OUTSIDE_CRYPTOMAP_10 extended permit icmp 10.1.0.0 255.255.255.0 any
I also brought up a loopback with IP 8.8.8.8 on R1, to give my host on the other side of the VPN something to ping. Finally I should say that I’m running OSPF on the two routers either side of the ‘public internet’ cloud, so that the IPSec peers have a route to each other.
First I had a look to see if my IPSec SA had come up:
A# show crypto ipsec sa

There are no ipsec sas
No SAs yet, which is expected: nothing has matched the crypto ACL, so IKE has never been triggered. Time to send some interesting traffic:
VPCS[1]> ping 8.8.8.8
8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 ttl=255 time=60.482 ms
8.8.8.8 icmp_seq=3 ttl=255 time=53.498 ms
8.8.8.8 icmp_seq=4 ttl=255 time=55.094 ms
8.8.8.8 icmp_seq=5 ttl=255 time=47.397 ms

IPSec SA Verification

After bringing up the tunnel by pinging 8.8.8.8 from a host behind the B-END ASA (the first echo times out because that packet only triggers the IKE negotiation and is dropped while the SA is built), I was able to verify it (apart from the ICMP Echo Replies I got) as follows:
A# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.0.2.6

      access-list OUTSIDE_CRYPTOMAP_10 extended permit ip any 10.1.0.0 255.255.255.0 
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 192.0.2.129

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.0.2.6/500, remote crypto endpt.: 192.0.2.129/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: C7F1AEC5
      current inbound spi : 9DE630E8

    inbound esp sas:
      spi: 0x9DE630E8 (2649108712)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4055039/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xC7F1AEC5 (3354504901)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4193279/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

A#
Here is how the B-END sees things. Note the effect of the NAT: the B-END reports its local address as the private 192.168.1.1, while the A-END above sees its peer as 192.0.2.129, the ADSL router’s public interface:
B# show crypto ipsec sa                  
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.1

      access-list OUTSIDE_CRYPTOMAP_10 extended permit ip 10.1.0.0 255.255.255.0 any 
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 192.0.2.6

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.1/500, remote crypto endpt.: 192.0.2.6/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 8E827434
      current inbound spi : 8471E0F8

    inbound esp sas:
      spi: 0x8471E0F8 (2222055672)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4147198/27959)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0007FFFF
    outbound esp sas:
      spi: 0x8E827434 (2390914100)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4285438/27959)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

B#
You can also check out the IKEv2 SAs like this. The negotiated proposal is visible here too (AES-256-CBC, HMAC-SHA1-96, DH group 2, PSK authentication); group 2 is 1024-bit MODP and SHA1 is on its way out, so for anything beyond a lab use group 14 or higher and SHA-256:
A# show crypto ikev2 sa

IKEv2 SAs:

Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 89722291         192.0.2.6/500       192.0.2.129/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK 
      Life/Active Time: 86400/3606 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.1.0.0/0 - 10.1.0.255/65535
          ESP spi in/out: 0xa8d47b04/0xfddbc217

B# show crypto ikev2 sa

IKEv2 SAs:

Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 77759211       192.168.1.1/500         192.0.2.6/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK 
      Life/Active Time: 86400/3526 sec
Child sa: local selector  10.1.0.0/0 - 10.1.0.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0xfddbc217/0xa8d47b04
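As an added example (not code from the original post or from Cisco), here is a small Python checker that parses the two kinds of show output above and applies the checks a practitioner would otherwise do by eye: both packet counters non-zero, no send/recv errors, whether the crypto endpoints sit on UDP 500 or 4500 (i.e. whether NAT-T kicked in), whether the SPIs reported by the two peers belong to the same child SA, and whether the negotiated proposal is still acceptable. The embedded samples are the A-END and B-END output from this page, trimmed to the lines the parser reads. One caveat the samples illustrate: the two `show crypto ipsec sa` captures on this page were taken at different moments (remaining lifetimes 28776 s vs 27959 s), so their SPIs do not pair up, whereas the two `show crypto ikev2 sa` captures do.

```python
"""Sanity-check 'show crypto ipsec sa' / 'show crypto ikev2 sa' output from a Cisco ASA.
Added example, not code from the page: it parses text pasted from the CLI and reports
whether traffic flows both ways, which UDP port the peers use (500 = IKE with raw ESP,
4500 = NAT-T), whether two captures describe the same child SA, and whether the
negotiated IKEv2 proposal uses a DH group or hash that should be retired."""
import re

# Sample input: the A-END / B-END output shown on this page, cut down to the lines parsed.
IPSEC_SA_A = """\
      current_peer: 192.0.2.129
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.0.2.6/500, remote crypto endpt.: 192.0.2.129/500
      current outbound spi: C7F1AEC5
      current inbound spi : 9DE630E8
"""
IKEV2_SA_A = """\
Tunnel-id                 Local                Remote     Status         Role
 89722291         192.0.2.6/500       192.0.2.129/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
          ESP spi in/out: 0xa8d47b04/0xfddbc217
"""
IKEV2_SA_B = """\
Tunnel-id                 Local                Remote     Status         Role
 77759211       192.168.1.1/500         192.0.2.6/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
          ESP spi in/out: 0xfddbc217/0xa8d47b04
"""
WEAK_DH_GROUPS = {1, 2, 5}      # MODP groups below 2048 bits
WEAK_HASHES = {"MD5", "SHA96"}  # the ASA prints HMAC-SHA1-96 as "SHA96"

def _grab(pattern, text, cast=str):
    """First capture group of PATTERN in TEXT; raise rather than guess when it is absent."""
    m = re.search(pattern, text, re.M)
    if not m:
        raise ValueError(f"field not found: {pattern!r}")
    return cast(m.group(1))

def parse_ipsec_sa(text):
    """Fields from 'show crypto ipsec sa' that decide go/no-go."""
    local_ep = _grab(r"local crypto endpt\.: (\S+),", text)
    remote_ep = _grab(r"remote crypto endpt\.: (\S+)", text)
    return {
        "peer": _grab(r"current_peer: (\S+)", text),
        "local_endpoint": local_ep, "remote_endpoint": remote_ep,
        # Endpoints on 4500 mean the peers detected a NAT and wrapped ESP in UDP.
        "nat_t": local_ep.endswith("/4500") or remote_ep.endswith("/4500"),
        "encaps": _grab(r"#pkts encaps: (\d+)", text, int),
        "decaps": _grab(r"#pkts decaps: (\d+)", text, int),
        "send_errors": _grab(r"#send errors: (\d+)", text, int),
        "recv_errors": _grab(r"#recv errors: (\d+)", text, int),
        "spi_out": _grab(r"current outbound spi: ([0-9A-Fa-f]+)", text).lower(),
        "spi_in": _grab(r"current inbound spi\s*: ([0-9A-Fa-f]+)", text).lower(),
    }

def parse_ikev2_sa(text):
    """Tunnel row, negotiated proposal and child-SA SPIs from 'show crypto ikev2 sa'."""
    row = re.search(r"^[ \t]*(\d+)[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)[ \t]*$", text, re.M)
    prop = re.search(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+), "
                     r"Auth sign: (\S+), Auth verify: (\S+)", text)
    spis = re.search(r"ESP spi in/out: 0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)", text)
    if not (row and prop and spis):
        raise ValueError("unrecognised 'show crypto ikev2 sa' output")
    return {
        "local": row.group(2), "remote": row.group(3), "status": row.group(4), "role": row.group(5),
        "encr": prop.group(1), "keysize": int(prop.group(2)), "hash": prop.group(3),
        "dh_group": int(prop.group(4)), "auth": (prop.group(5), prop.group(6)),
        "spi_in": spis.group(1).lower(), "spi_out": spis.group(2).lower(),
    }

def spis_match(side_a, side_b):
    """True when two 'show crypto ikev2 sa' captures describe the same child SA."""
    return side_a["spi_in"] == side_b["spi_out"] and side_a["spi_out"] == side_b["spi_in"]

def assess(ipsec, ikev2):
    """Findings for one end of the tunnel; an empty list means it looks healthy."""
    findings = []
    if ikev2["status"] != "READY":
        findings.append(f"IKEv2 SA is {ikev2['status']}, not READY")
    if ipsec["encaps"] == 0 or ipsec["decaps"] == 0:
        findings.append("no traffic in one direction; send something matching the crypto ACL")
    if ipsec["send_errors"] or ipsec["recv_errors"]:
        findings.append(f"SA errors: send={ipsec['send_errors']} recv={ipsec['recv_errors']}")
    if not ipsec["nat_t"]:
        findings.append("peers stayed on UDP 500, so data is raw ESP (IP protocol 50): "
                        "the NAT device must pass ESP, or enable NAT-T and forward UDP 4500")
    if ikev2["dh_group"] in WEAK_DH_GROUPS:
        findings.append(f"DH group {ikev2['dh_group']} is below 2048 bits; use group 14 or higher")
    if ikev2["hash"] in WEAK_HASHES:
        findings.append(f"integrity {ikev2['hash']} is MD5/SHA-1 based; prefer SHA-256 or better")
    return findings

if __name__ == "__main__":
    a, ka, kb = parse_ipsec_sa(IPSEC_SA_A), parse_ikev2_sa(IKEV2_SA_A), parse_ikev2_sa(IKEV2_SA_B)
    print(f"A-END: peer {a['peer']}, {a['local_endpoint']} -> {a['remote_endpoint']}, NAT-T={a['nat_t']}")
    print("both ends report the same child SA:", spis_match(ka, kb))
    for finding in assess(a, ka):
        print(" -", finding)
```

Run it directly to see the findings for the A-END sample (no NAT-T, DH group 2, SHA1-96), or import it and feed `parse_ipsec_sa` and `parse_ikev2_sa` the output copied from your own devices. The parsers raise rather than return partial results when a field is missing, so a truncated paste is reported instead of being silently scored as healthy.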

NAT-T

By default an ASA negotiates IKEv2 on UDP 500 and then sends the protected traffic as raw ESP (IP protocol 50), which has no port numbers, so a UDP port-forward can never match it. The lab above still works because the branch ASA initiates: the NAT router builds its translation from the outbound flow, and the HQ end never has to reach the branch unprompted. That is also why the SA output shows both crypto endpoints on port 500. If the tunnel must be reachable from the HQ side, or the NAT device will not pass ESP, use NAT-T: the peers detect the NAT during IKE_SA_INIT, move the rest of IKE to UDP 4500 and wrap ESP in UDP 4500, which a static port-forward can carry. Keep the UDP 500 rule (IKE_SA_INIT still arrives there), port forward UDP 4500 on the NAT router as well and enable NAT-T on each ASA:
NATRouter(config)# ip nat inside source static udp 192.168.1.1 4500 interface FastEthernet0/0 4500
ASA(config)# crypto isakmp nat-traversal
