Configuring IPsec between a Cisco router and NSX Edge.
!
enable
!
configure terminal
!
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cr3-lab
ip domain name lab.ru
!
crypto key generate rsa modulus 1024
ip ssh version 2
!
ip tftp source-interface Fa0/1
!
username admin privilege 15 secret cisco123
enable secret cisco123
boot-start-marker
boot-end-marker
!
logging buffered 128000
!
no aaa new-model
no ip domain-lookup
no logging console
!
clock timezone MSK 3 0
!
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip icmp rate-limit unreachable DF 1000
!
ip cef
no ipv6 cef
no ip http server
no ip http secure-server
!
! Interesting traffic for the tunnel: local LAN 192.168.30.0/24 <-> remote LAN 192.168.2.0/24 behind NSX Edge
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto isakmp enable
!
! Pre-shared key for the NSX Edge peer; the keyring is referenced by the ISAKMP profile below
crypto keyring KEY_RING
pre-shared-key address 185.31.133.87 key Sv4kGRT
!
exit
!
! IKE phase 1 (ISAKMP) policy: must match the NSX Edge phase 1 settings (AES-256, SHA1, DH group 14, PSK, 28800 s)
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 14
lifetime 28800
!
! ISAKMP profile binding the keyring to the outside interface address
crypto isakmp profile ISA_PROF
keyring KEY_RING
match identity address 0.0.0.0
local-address Fa0/0
!
exit
!
! IKE phase 2 transform set: ESP with AES-256 and SHA1 HMAC, tunnel mode
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
!
exit
! Crypto map tying the peer, transform set, ISAKMP profile and ACL together; applied to Fa0/0 below
crypto map IPSEC local-address Fa0/0
crypto map IPSEC 10 ipsec-isakmp
set peer 185.31.133.87
set security-association lifetime seconds 600
set transform-set ESP-AES256-SHA
set isakmp-profile ISA_PROF
match address 101
!
exit
!
interface Fa0/0
description -- Link to sw1-lab port Gi1/3 --
ip address 93.174.51.83 255.255.255.248
no shutdown
duplex auto
speed auto
no cdp enable
! Apply the crypto map to the outside (WAN) interface
crypto map IPSEC
!
interface Fa0/1
description -- Link to PC1 --
ip address 192.168.30.1 255.255.255.0
no shutdown
duplex auto
speed auto
no cdp enable
!
ip route 0.0.0.0 0.0.0.0 93.174.51.81
!
ip name-server 8.8.8.8
!
line vty 0 4
transport input ssh
login local
logging synchronous
privilege level 15
exec-timeout 60 0
!
end
!
Allow traffic from the remote private network to pass.
If IPsec has come up, you should see:
IMPORTANT!
The IPsec settings must be identical on both routers, and each setting must be supported by the devices or operating systems on both sides.
The following settings apply to NSX Edge:
Encryption Algorithm: AES (AES128-CBC), AES256 (AES256-CBC), Triple DES (3DES192-CBC), AES-GCM (AES128-GCM)
Diffie-Hellman Group: DH-2 (Diffie-Hellman group 2, 1024 bit), DH-5 (Diffie-Hellman group 5, 1536 bit), DH-14 (Diffie-Hellman group 14, 2048 bit), DH-15 (Diffie-Hellman group 15, 3072 bit), DH-16 (Diffie-Hellman group 16, 4096 bit)
Authentication: Pre-Shared Key, Certificate
Digest Algorithm: MD5, SHA1
IKE Version: IKEv1
IKE phase 1
Mode: Main mode
Encryption: AES (128 bit); AES-256 (256 bit); 3DES (192 bit)
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit); Group 5 (1536 bit); Group 14 (2048 bit); Group 15 (3072 bit); Group 16 (4096 bit)
Authentication Method: Pre-shared secret
Security Association Lifetime: 28800 seconds
IKE phase 2
Mode: ESP tunnel
Encryption: AES (128 bit); AES-256 (256 bit); 3DES (192 bit)
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit); Group 5 (1536 bit); Group 14 (2048 bit); Group 15 (3072 bit); Group 16 (4096 bit)
Time Rekeying: ON
Security Association Lifetime: 3600 seconds
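As an added example (not part of the original page or of any Cisco/VMware tooling), a small Python check that reads the IKE/IPsec lines of the Cisco config above and compares them with the NSX Edge parameter list from the tables, following the rule that settings must match on both sides. The config excerpt and the NSX values are taken from this page; the mapping from IOS keywords to NSX algorithm names is an assumption.

```python
# Constructed excerpt: the IKE/IPsec part of the Cisco IOS config shown on this page.
IOS_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map IPSEC 10 ipsec-isakmp
 set security-association lifetime seconds 600
"""
# NSX Edge side, as listed in the tables on this page (assumed IOS keyword -> NSX name).
P1_ENCR = {"aes": "AES128-CBC", "aes 256": "AES256-CBC", "3des": "3DES192-CBC"}
P1_HASH = {"sha": "SHA1", "md5": "MD5"}
P2_ENCR = {"esp-aes": "AES128-CBC", "esp-aes 256": "AES256-CBC", "esp-3des": "3DES192-CBC"}
P2_AUTH = {"esp-sha-hmac": "SHA1", "esp-md5-hmac": "MD5"}
DH_GROUPS = {2, 5, 14, 15, 16}
P1_LIFETIME, P2_LIFETIME = 28800, 3600

def check_against_nsx(config: str) -> list:
    """Line-oriented check of IOS IKE/IPsec settings against the NSX Edge parameter list."""
    findings, has_pfs = [], False
    for words in (l.split() for l in config.splitlines() if l.strip()):
        key, rest = words[0], " ".join(words[1:])
        if key == "encr" and rest not in P1_ENCR:
            findings.append(f"phase1 encryption '{rest}' not offered by NSX Edge")
        elif key == "hash" and rest not in P1_HASH:
            findings.append(f"phase1 digest '{rest}' not offered by NSX Edge")
        elif key == "group" and int(rest) not in DH_GROUPS:
            findings.append(f"phase1 DH group {rest} not offered by NSX Edge")
        elif key == "lifetime" and int(rest) != P1_LIFETIME:
            findings.append(f"phase1 lifetime {rest}s differs from NSX Edge {P1_LIFETIME}s")
        elif key == "crypto" and words[1:3] == ["ipsec", "transform-set"]:
            # after the set name: "<esp-encr> [keysize] <esp-integrity>"
            encr = " ".join(t for t in words[4:] if not t.endswith("-hmac"))
            if encr not in P2_ENCR:
                findings.append(f"phase2 encryption '{encr}' not offered by NSX Edge")
            for auth in (t for t in words[4:] if t.endswith("-hmac")):
                if auth not in P2_AUTH:
                    findings.append(f"phase2 integrity '{auth}' not offered by NSX Edge")
        elif key == "set" and rest.startswith("security-association lifetime seconds"):
            if int(words[-1]) != P2_LIFETIME:
                findings.append(f"phase2 SA lifetime {words[-1]}s differs from NSX Edge {P2_LIFETIME}s")
        elif key == "set" and rest.startswith("pfs"):
            has_pfs = True
    if not has_pfs:
        findings.append("crypto map has no 'set pfs' while NSX Edge lists PFS ON")
    return findings
```

On this page's config it reports the phase 2 lifetime (600 vs 3600 seconds) and the absent `set pfs`, both worth reviewing against the NSX Edge side before the tunnel is brought up.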