Site-to-site IPSec VPN through NAT
Thanks to: http://www.howfantastic.net/
Network Diagram
Premise
A branch office with an ADSL connection would like to access corporate and local resources without running a local client on office machines. Split tunnelling is not required: all traffic must be routed back up to the corporate HQ. Only one static IP has been provided by the ADSL ISP.
Config
We’ll need to port forward UDP 500 (IKE) so that our corporate ASA can connect to the branch ASA. On the ADSL router we use the following NAT rules:
ip nat inside source list LAN interface FastEthernet0/0 overload
ip nat inside source static udp 192.168.1.1 500 interface FastEthernet0/0 500
You’ll see I’ve moved the B-End IP of the IPSec tunnel to the ADSL router so the A-End config doesn’t change. All I need to do is renumber the blue linknet to my chosen RFC1918 subnet of 192.168.1.0/24 and give my ASA a new default route pointing at the ADSL router’s interface, and all is well.
Testing
One thing which has bitten me in the past is that an IPSec tunnel won’t come up until you send some traffic down it. Since I’m doing this in GNS3 and VPCs, I’ll open up my crypto-map to allow ICMP so that I can bring up the tunnel with some pings.
A-END
access-list OUTSIDE_CRYPTOMAP_10 extended permit icmp any 10.1.0.0 255.255.255.0
B-END
access-list OUTSIDE_CRYPTOMAP_10 extended permit icmp 10.1.0.0 255.255.255.0 any
I also brought up a loopback with IP 8.8.8.8 on R1, to give my host on the other side of the VPN something to ping. Finally I should say that I’m running OSPF on the two routers either side of the ‘public internet’ cloud, so that the IPSec peers have a route to each other.
First I had a look to see if my IPSec SA had come up:
A# show crypto ipsec sa
There are no ipsec sas
Hmm.
VPCS[1]> ping 8.8.8.8
8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 ttl=255 time=60.482 ms
8.8.8.8 icmp_seq=3 ttl=255 time=53.498 ms
8.8.8.8 icmp_seq=4 ttl=255 time=55.094 ms
8.8.8.8 icmp_seq=5 ttl=255 time=47.397 ms
IPSec SA Verification
After bringing up the tunnel by pinging 8.8.8.8 from a host behind the B-END ASA, I was able to verify it (apart from the ICMP Echo Replies I got) as follows:
A# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.0.2.6
      access-list OUTSIDE_CRYPTOMAP_10 extended permit ip any 10.1.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 192.0.2.129
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.0.2.6/500, remote crypto endpt.: 192.0.2.129/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: C7F1AEC5
      current inbound spi : 9DE630E8
    inbound esp sas:
      spi: 0x9DE630E8 (2649108712)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4055039/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xC7F1AEC5 (3354504901)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4193279/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
A#
Here is how the B-END sees things:
B# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.1
      access-list OUTSIDE_CRYPTOMAP_10 extended permit ip 10.1.0.0 255.255.255.0 any
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 192.0.2.6
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.1/500, remote crypto endpt.: 192.0.2.6/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 8E827434
      current inbound spi : 8471E0F8
    inbound esp sas:
      spi: 0x8471E0F8 (2222055672)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4147198/27959)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0007FFFF
    outbound esp sas:
      spi: 0x8E827434 (2390914100)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4285438/27959)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
B#
You can also check out the IKEV2 SAs like this:
A# show crypto ikev2 sa
IKEv2 SAs:
Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local                Remote     Status         Role
 89722291       192.0.2.6/500      192.0.2.129/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3606 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.1.0.0/0 - 10.1.0.255/65535
          ESP spi in/out: 0xa8d47b04/0xfddbc217
B# show crypto ikev2 sa
IKEv2 SAs:
Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local                Remote     Status         Role
 77759211     192.168.1.1/500        192.0.2.6/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/3526 sec
Child sa: local selector  10.1.0.0/0 - 10.1.0.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0xfddbc217/0xa8d47b04
NAT-T
By default, an ASA will encapsulate both the IKEv2 negotiation and the IPSec encrypted packets in UDP 500. If you want to use NAT-T and encapsulate the IPSec packets in UDP 4500 instead, then port forward UDP 4500 on the NAT router and enable NAT-T on each ASA:
NATRouter(config)# ip nat inside source static udp 192.168.1.1 4500 interface FastEthernet0/0 4500
ASA(config)# crypto isakmp nat-traversal
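To make the checks from the IPSec SA verification and NAT-T sections repeatable, here is an added Python example (my own, not code from the original post) that pulls the key fields out of an ASA "show crypto ipsec sa" dump and flags the two things worth looking at: whether the crypto endpoints sit on UDP 4500 (NAT-T) and whether the encaps/decaps counters are one-sided. The sample output below is constructed to resemble the dumps above, with counters deliberately asymmetric.

```python
import re

# Constructed sample modelled on the ASA output above (not captured from the lab).
# The B-end here is encrypting packets but getting nothing back over NAT-T.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.1
      current_peer: 192.0.2.6
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.1/4500, remote crypto endpt.: 192.0.2.6/4500
"""


def parse_ipsec_sa(text):
    """Extract peer, UDP ports and packet counters from 'show crypto ipsec sa'."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None  # None when the SA is absent
    return {
        "peer": grab(r"current_peer:\s*(\S+)"),
        "local_port": grab(r"local crypto endpt\.: \S+?/(\d+)", int),
        "remote_port": grab(r"remote crypto endpt\.: \S+?/(\d+)", int),
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int),
        "decaps": grab(r"#pkts decaps:\s*(\d+)", int),
        "send_errors": grab(r"#send errors:\s*(\d+)", int),
        "recv_errors": grab(r"#recv errors:\s*(\d+)", int),
    }


def assess(sa):
    """Return the findings a practitioner checks right after bringing up the tunnel."""
    findings = []
    if sa["encaps"] is None:  # "There are no ipsec sas": nothing has triggered IKE yet
        return ["no IPsec SA present: send interesting traffic (e.g. ping) to trigger IKE"]
    findings.append("NAT-T in use (UDP 4500)" if sa["remote_port"] == 4500
                    else "no NAT-T: IKE and ESP on UDP 500")
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append("one-way traffic: encrypting but nothing returns; "
                        "check the peer's crypto-map ACL mirrors ours")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append("send/recv errors present")
    return findings


if __name__ == "__main__":
    for line in assess(parse_ipsec_sa(SAMPLE)):
        print(line)
```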