
Configuring IPsec between a Cisco router and NSX Edge.

1) On the Cisco router (a 2811 is used as the example) apply the following configuration. The Phase 1 and Phase 2 values are chosen to match what the NSX Edge side will offer, and the three secrets (admin password, enable secret, pre-shared key) are placeholders to be replaced:

!
enable
!
configure terminal
!
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cr3-lab
ip domain name lab.ru
!
! 2048-bit host key: a 1024-bit RSA key is too weak for SSH today
crypto key generate rsa modulus 2048
ip ssh version 2
!
ip tftp source-interface Fa0/1
!
! cisco123 is a placeholder, replace both secrets with unique strong ones
username admin privilege 15 secret cisco123
enable secret cisco123
boot-start-marker
boot-end-marker
!
logging buffered 128000
!
no aaa new-model
no ip domain-lookup
no logging console
!
clock timezone MSK 3 0
!
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip icmp rate-limit unreachable DF 1000
!
ip cef
no ipv6 cef
no ip http server
no ip http secure-server
!
! Interesting traffic: the LAN behind Fa0/1 to the network behind NSX Edge
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto isakmp enable
!
! Sv4kGRT is a placeholder PSK; it must be the same string entered on the Edge
crypto keyring KEY_RING
pre-shared-key address 185.31.133.87 key Sv4kGRT
exit
!
! Phase 1 (IKEv1 main mode): AES-256, SHA1, DH group 14, PSK, 28800 s, as on the Edge
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 14
lifetime 28800
!
! Match only the Edge's address rather than 0.0.0.0 (any peer)
crypto isakmp profile ISA_PROF
keyring KEY_RING
match identity address 185.31.133.87 255.255.255.255
local-address Fa0/0
exit
!
! Phase 2: ESP tunnel mode with AES-256 and SHA1
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
exit
!
crypto map IPSEC local-address Fa0/0
crypto map IPSEC 10 ipsec-isakmp
set peer 185.31.133.87
! The Edge has PFS ON and a 3600 s Phase 2 lifetime; mirror both here
set pfs group14
set security-association lifetime seconds 3600
set transform-set ESP-AES256-SHA
set isakmp-profile ISA_PROF
match address 101
exit
!
interface Fa0/0
description Link to sw1-lab port Gi1/3
ip address 93.174.51.83 255.255.255.248
no shutdown
duplex auto
speed auto
no cdp enable
crypto map IPSEC
!
interface Fa0/1
description Link to PC1
ip address 192.168.30.1 255.255.255.0
no shutdown
duplex auto
speed auto
no cdp enable
!
ip route 0.0.0.0 0.0.0.0 93.174.51.81
!
ip name-server 8.8.8.8
!
line vty 0 4
transport input ssh
login local
logging synchronous
privilege level 15
exec-timeout 60 0
!
end
!

2) NSX Edge settings, as an example:

Allow traffic from the remote private network (192.168.30.0/24) to pass through the Edge firewall.

If the IPsec tunnel has come up, the Edge shows the channel as established. On the Cisco side the same thing can be confirmed with 'show crypto isakmp sa' (the peer 185.31.133.87 should be in state QM_IDLE) and 'show crypto ipsec sa' (the #pkts encaps/decaps counters for 192.168.30.0/24 to 192.168.2.0/24 should grow while traffic flows).

IMPORTANT!

The IPsec settings must be identical on both routers, and must be chosen from what each device or operating system actually supports.

The following settings apply to NSX Edge:

Encryption Algorithm: AES (AES128-CBC), AES256 (AES256-CBC), Triple DES (3DES192-CBC), AES-GCM (AES128-GCM)
Diffie-Hellman Group: DH-2 (Diffie-Hellman group 2 / 1024 bit), DH-5 (Diffie-Hellman group 5 / 1536 bit), DH-14 (Diffie-Hellman group 14 / 2048 bit), DH-15 (Diffie-Hellman group 15 / 3072 bit), DH-16 (Diffie-Hellman group 16 / 4096 bit)
Authentication: Pre-Shared Key, Certificate
Digest Algorithm: MD5, SHA1
IKE Version: IKEv1

MD5, 3DES and DH groups 2 and 5 are in this list only because the Edge still accepts them; do not pick them for a new tunnel. Of the options above, AES-256 with SHA1, DH group 14 and a pre-shared key is the strongest combination the two sides have in common, which is why the Cisco configuration uses it.

Settings in Edge Gateways:

IKE Phase 1

Mode:                           Main mode
Encryption:                     AES (128 bit); AES-256 (256 bit); 3DES (192 bit)
Integrity:                      SHA1
Diffie-Hellman group:           Group 2 (1024 bit); Group 5 (1536 bit); Group 14 (2048 bit); Group 15 (3072 bit); Group 16 (4096 bit)
Authentication Method:          Pre-shared secret
Security Association Lifetime:  28800 seconds

IKE Phase 2

Mode:                           ESP tunnel
Encryption:                     AES (128 bit); AES-256 (256 bit); 3DES (192 bit)
Integrity:                      SHA1
Perfect Forward Secrecy:        ON
Diffie-Hellman group:           Group 2 (1024 bit); Group 5 (1536 bit); Group 14 (2048 bit); Group 15 (3072 bit); Group 16 (4096 bit)
Time Rekeying:                  ON
Security Association Lifetime:  3600 seconds
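The router configuration from step 1 and the Edge tables above have to describe the same proposal, and with IKEv1 a Phase 2 mismatch (PFS off on one side, a different SA lifetime, an algorithm the Edge does not offer) usually shows up only as a tunnel that never comes up. The following script is an added example, not Cisco or VMware tooling: it reads the ISAKMP policy, transform set and crypto map entry out of an IOS configuration and reports every value that falls outside the NSX Edge set listed on this page, plus the listed-but-weak choices (MD5, 3DES, DH groups 2 and 5). The embedded SAMPLE_IOS_CONFIG is a constructed copy of the page's crypto blocks, deliberately kept with a 600-second Phase 2 lifetime and without PFS so that the checker has something to report; the NSX_EDGE table is transcribed from this page, and the IOS keyword mappings and defaults (ISAKMP lifetime 86400 s, IPsec SA lifetime 3600 s) are standard IOS behaviour.

```python
"""Check the IKEv1/IPsec proposal in a Cisco IOS config against what an NSX Edge
accepts.  Added example for this page, not Cisco or VMware tooling: NSX_EDGE is
transcribed from the page; the IOS keyword tables and defaults are standard IOS."""
from dataclasses import dataclass
from typing import Optional

# IOS keywords -> NSX Edge names ("esp-"/"-hmac" are stripped from transform tokens
# first); unknown keywords pass through upper-cased and so get reported as unsupported.
ENCR = {"aes": "AES128", "aes 128": "AES128", "aes 256": "AES256", "3des": "3DES",
        "gcm": "AES128-GCM", "gcm 128": "AES128-GCM"}
HASH = {"sha": "SHA1", "md5": "MD5", "sha256": "SHA256"}
AUTH = {"pre-share": "Pre-Shared Key", "rsa-sig": "Certificate"}
NSX_EDGE = {  # what the page says the Edge negotiates
    "encryption": {"AES128", "AES256", "3DES", "AES128-GCM"}, "integrity": {"SHA1", "MD5"},
    "dh_groups": {2, 5, 14, 15, 16}, "auth": {"Pre-Shared Key", "Certificate"},
    "phase1_lifetime": 28800, "phase2_lifetime": 3600, "pfs": True}
WEAK = {"MD5", "3DES", 2, 5}  # accepted by the Edge, but not for a new tunnel

# Constructed copy of the page's crypto blocks, kept with the 600 s Phase 2
# lifetime and without "set pfs" so the checker has something to report.
SAMPLE_IOS_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map IPSEC 10 ipsec-isakmp
 set peer 185.31.133.87
 set security-association lifetime seconds 600
 set transform-set ESP-AES256-SHA
"""

@dataclass
class Proposal:
    encryption: Optional[str] = None
    integrity: Optional[str] = None
    dh_group: Optional[int] = None  # for phase 2: the PFS group, None meaning PFS off
    auth: Optional[str] = None
    lifetime: Optional[int] = None

def parse_ios(config):
    """(phase1, phase2) from the ISAKMP policy, transform set and ipsec-isakmp crypto map
    of an IOS config ('show run' output or a pasted script); the last of each wins."""
    p1, p2, ctx = Proposal(lifetime=86400), Proposal(lifetime=3600), None  # IOS defaults
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line in ("!", "exit", "end") or line.startswith(("crypto ", "interface ")):
            ctx = ("policy" if line.startswith("crypto isakmp policy ") else
                   "map" if line.endswith(" ipsec-isakmp") else None)
            if line.startswith("crypto ipsec transform-set "):  # "esp-aes 256 esp-sha-hmac"
                spec = " ".join(line.split()[4:]).removeprefix("esp-")
                for t in (x.removesuffix("-hmac") for x in spec.split(" esp-")):  # "aes 256", "sha"
                    if t in HASH:
                        p2.integrity = HASH[t]
                    else:  # unknown transforms (e.g. AH) end up reported as unsupported
                        p2.encryption = ENCR.get(t, t.upper())
            continue
        key, _, rest = line.partition(" ")
        if ctx == "policy":
            if key == "encr":
                p1.encryption = ENCR.get(rest, rest.upper())
            elif key == "hash":
                p1.integrity = HASH.get(rest, rest.upper())
            elif key == "authentication":
                p1.auth = AUTH.get(rest, rest)
            elif key in ("group", "lifetime"):
                setattr(p1, "dh_group" if key == "group" else key, int(rest))
        elif ctx == "map" and key == "set":
            w = rest.split()
            if w[0] == "pfs":
                p2.dh_group = int(w[1].removeprefix("group"))
            elif w[:3] == ["security-association", "lifetime", "seconds"]:
                p2.lifetime = int(w[3])
    return p1, p2

def check_against_nsx(p1, p2):
    """Router values the Edge will not accept or that should not be offered; [] = agree."""
    f = []
    for name, p in (("phase1", p1), ("phase2", p2)):
        if p.encryption not in NSX_EDGE["encryption"]:
            f.append(f"{name}: encryption {p.encryption} not offered by NSX Edge")
        if not str(p.encryption).endswith("GCM") and p.integrity not in NSX_EDGE["integrity"]:
            f.append(f"{name}: integrity {p.integrity} not offered by NSX Edge")
        if p.dh_group is not None and p.dh_group not in NSX_EDGE["dh_groups"]:
            f.append(f"{name}: DH group {p.dh_group} not offered by NSX Edge")
        f += [f"{name}: {a} is accepted by NSX Edge but weak; prefer AES256, SHA1, DH group 14+"
              for a in (p.encryption, p.integrity, p.dh_group) if a in WEAK]
        if p.lifetime != NSX_EDGE[f"{name}_lifetime"]:
            f.append(f"{name}: lifetime {p.lifetime}s differs from NSX Edge {NSX_EDGE[name + '_lifetime']}s")
    if p1.auth not in NSX_EDGE["auth"]:
        f.append(f"phase1: authentication {p1.auth} not offered by NSX Edge")
    if NSX_EDGE["pfs"] and p2.dh_group is None:
        f.append("phase2: PFS off on the router but ON in NSX Edge; add 'set pfs group14' to the crypto map")
    return f
```

Run against the sample it reports the two Phase 2 differences (lifetime 600 s instead of 3600 s, and no PFS); feed it the output of 'show running-config' from the router instead to check a live device. It reads one ISAKMP policy and one crypto map entry, so on a router with several peers give it only the policy and map entry used for the Edge. It does not parse the transform set's mode line; IOS defaults to tunnel mode, which is what the Edge uses.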
