思科下一代模拟器EVE-NG做一个ASAIPsecIKEv2点对点互联实验
接上一篇实验,实验的内网只做了单个网段的配置,协议是ike v1的,这边和上一篇不同的是
协议使用v2,并且局域网内网支持多网段。
依旧是网络拓扑图
实现目标,VPC1和VPC2相互ping通
1.防火墙1 asa1配置
#主机名,网卡ip配置
hostname asa1
interface GigabitEthernet0/0nameif outsidesecurity-level 0ip address 200.0.0.1 255.255.255.0no shutdowninterface GigabitEthernet0/1nameif insidesecurity-level 100ip address 10.1.1.254 255.255.255.0no shutdown#路由配置 设置静态路由,下一跳地址为200.0.0.2
route outside 0 0 200.0.0.2//以下是定义object,方便后面调用
object network Inside_networksubnet 10.1.0.0 255.255.0.0object-group network SH_Internal //定义远端子网网段network-object 192.168.1.0 255.255.255.0network-object 192.168.2.0 255.255.255.0object-group network SY_Internal //定义本端子网网段network-object 10.1.1.0 255.255.255.0network-object 10.1.2.0 255.255.255.0access-list 110 extended permit ip any any
access-list IPSEC_IKEV2_V extended permit ip object-group SY_Internal object-group SH_Internal //定义感兴趣流nat (inside,outside) source static SY_Internal SY_Internal destination static SH_Internal SH_Internal //将数据流和NAT分离object network Inside_networknat (inside,outside) dynamic interface //设置PATaccess-group 110 in interface outsidecrypto ipsec ikev2 ipsec-proposal ESP_AES256_SHA //定义ipsec转换集 protocol esp encryption aes-256protocol esp integrity md5crypto map VMAP 10 match address IPSEC_IKEV2_V //定义crypto map,此处的“IPSEC_IKEV2_V”便是刚才创建的感兴趣流的ACL的名称
crypto map VMAP 10 set peer 200.0.0.2 //设置对端出口ip
crypto map VMAP 10 set ikev2 ipsec-proposal ESP_AES256_SHA //调用刚才创建的ipsec转换集
crypto map VMAP interface outside //将其运用到outside端
crypto ikev2 policy 10 //定义ikev2策略encryption aes-256integrity sha256 md5group 2prf sha256 md5lifetime seconds 86400crypto ikev2 enable outside //在outside端口启用ikev2,这个很重要,如果不启用,其余都是浮云tunnel-group 200.0.0.2 type ipsec-l2l //定义组类型
tunnel-group 200.0.0.2 ipsec-attributes //定义组属性ikev2 remote-authentication pre-shared-key ciscoikev2 local-authentication pre-shared-key cisco#允许ping配置
access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
access-group OUTSIDE_IN_ACL in interface outside#保存
wr#重启
reload
2.防火墙2 asa2配置
hostname asa2
interface GigabitEthernet0/0nameif outsidesecurity-level 0ip address 200.0.0.2 255.255.255.0no shutdowninterface GigabitEthernet0/1nameif insidesecurity-level 100ip address 192.168.1.254 255.255.255.0no shutdown#路由配置 设置静态路由,下一跳地址为200.0.0.1
route outside 0 0 200.0.0.1//以下是定义object,方便后面调用
object network Inside_networksubnet 192.168.0.0 255.255.0.0object-group network SY_Internal //定义远端子网网段network-object 10.1.1.0 255.255.255.0network-object 10.1.2.0 255.255.255.0object-group network SH_Internal //定义本端子网网段network-object 192.168.1.0 255.255.255.0network-object 192.168.2.0 255.255.255.0access-list 110 extended permit ip any any
access-list IPSEC_IKEV2_V extended permit ip object-group SH_Internal object-group SY_Internal //定义感兴趣流nat (inside,outside) source static SH_Internal SH_Internal destination static SY_Internal SY_Internal //将数据流和NAT分离object network Inside_networknat (inside,outside) dynamic interface //设置PATaccess-group 110 in interface outsidecrypto ipsec ikev2 ipsec-proposal ESP_AES256_SHA //定义ipsec转换集 protocol esp encryption aes-256protocol esp integrity md5crypto map VMAP 10 match address IPSEC_IKEV2_V //定义crypto map,此处的“IPSEC_IKEV2_V”便是刚才创建的感兴趣流的ACL的名称
crypto map VMAP 10 set peer 200.0.0.1 //设置对端出口ip
crypto map VMAP 10 set ikev2 ipsec-proposal ESP_AES256_SHA //调用刚才创建的ipsec转换集
crypto map VMAP interface outside //将其运用到outside端
crypto ikev2 policy 10 //定义ikev2策略encryption aes-256integrity sha256 md5group 2prf sha256 md5lifetime seconds 86400crypto ikev2 enable outside //在outside端口启用ikev2,这个很重要,如果不启用,其余都是浮云tunnel-group 200.0.0.1 type ipsec-l2l //定义组类型
tunnel-group 200.0.0.1 ipsec-attributes //定义组属性 本段和对端的预共享密钥ikev2 remote-authentication pre-shared-key ciscoikev2 local-authentication pre-shared-key cisco#允许ping配置
access-list OUTSIDE_IN_ACL permit icmp any any echo-reply
access-group OUTSIDE_IN_ACL in interface outside#保存
wr#重启
reload3.VPC1配置
ip 10.1.1.1/24 10.1.1.254
save4.VPC2配置
ip 192.168.1.1/24 192.168.1.254
save5.互ping测试
6.查看管理连接sa的状态
show crypto isakmp sa 
本文来自互联网用户投稿,文章观点仅代表作者本人,不代表本站立场,不承担相关法律责任。如若转载,请注明出处。 如若内容造成侵权/违法违规/事实不符,请点击【内容举报】进行投诉反馈!