Friday, December 6, 2019

Overview: Site-to-Site VPN between two ASAs over real-world GPON FTTH



  1. Site-to-Site VPN between two ASAs over real-world GPON FTTH


    I. Overview of the Site-to-Site VPN between two ASAs over real-world GPON FTTH

    http://svuit.vn/threads/lab-16-7-vpn-site-to-site-2-asa-qua-gpon-ftth-thuc-te-734/

    1.1 Deployment topology for the Site-to-Site VPN between two ASAs over real-world GPON FTTH
    [Figure: VPN Site to Site 2 ASA qua GPON FTTH thuc te (1)]

    1.2 Deployment requirements for the Site-to-Site VPN between two ASAs over real-world GPON FTTH
    The two ASAs sit behind two NAT routers, GPON-HCM and GPON-HN.
    Deploy a site-to-site VPN using IPsec on the two ASAs (ASA 8.42 and ASA 9.21) to connect the HCM and HN sites.

    II. Configuring the Site-to-Site VPN between two ASAs over real-world GPON FTTH

    2.2 SITE HN:

    2.2.1 Configuring GPON-HN:
    [Figure: VPN Site to Site 2 ASA qua GPON FTTH thuc te (2)]

    [Figure: VPN Site to Site 2 ASA qua GPON FTTH thuc te (3)]

    [Figure: VPN Site to Site 2 ASA qua GPON FTTH thuc te (4)]


    2.2.2 Configuring the Cisco ASA at HN:
    Code:
    ASA-HN(config)# int g0/0
    ASA-HN(config-if)# nameif outside
    ASA-HN(config-if)# ip address 172.16.1.2 255.255.255.0
    ASA-HN(config-if)# no shutdown
    ASA-HN(config-if)# int g0/1
    ASA-HN(config-if)# nameif inside
    ASA-HN(config-if)# ip address 10.20.20.1 255.255.255.0
    ASA-HN(config-if)# no shutdown
    
    ASA-HN(config)# route outside 0 0 172.16.1.1
    
    ASA-HN(config)# crypto ikev1 policy 10
    ASA-HN(config-ikev1-policy)# authentication pre-share
    ASA-HN(config-ikev1-policy)# encryption 3des
    ASA-HN(config-ikev1-policy)# hash md5
    ASA-HN(config-ikev1-policy)# group 2
    ASA-HN(config-ikev1-policy)# lifetime 86400
    
    ASA-HN(config)# crypto ipsec ikev1 transform-set SVUIT esp-3des esp-md5-hmac
    
    ASA-HN(config)# object network INSIDE-HCM
    ASA-HN(config-network-object)# subnet 10.10.10.0 255.255.255.0
    ASA-HN(config)# object network DMZ-HCM
    ASA-HN(config-network-object)# subnet 10.10.20.0 255.255.255.0
    ASA-HN(config)# object network INSIDE-HN
    ASA-HN(config-network-object)# subnet 10.20.20.0 255.255.255.0
    
    ASA-HN(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HN object INSIDE-HCM
    ASA-HN(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HN object DMZ-HCM
    
    ASA-HN(config)# crypto map ASA-VPN 10 match address VPN-TRAFFIC
    ASA-HN(config)# crypto map ASA-VPN 10 set peer 118.69.60.240
    ASA-HN(config)# crypto map ASA-VPN 10 set ikev1 transform-set SVUIT
    ASA-HN(config)# crypto map ASA-VPN interface outside
    ASA-HN(config)# crypto ikev1 enable outside
    ASA-HN(config)# tunnel-group 118.69.60.240  type ipsec-l2l
    ASA-HN(config)# tunnel-group 118.69.60.240  ipsec-attributes
    ASA-HN(config-tunnel-ipsec)# ikev1 pre-shared-key svuit.com
    ASA-HN(config-tunnel-ipsec)# exit


    2.2.3 Checking the VPN CONNECTION on the Cisco ASA


    show crypto ikev1
    Code:
    ASA-HN# sh crypto ikev1 sa
    There are no IKEv1 SAs


    show crypto ipsec
    Code:
    ASA-HN# show crypto ipsec sa
       There are no ipsec sas


    show crypto isakmp
    Code:
    ASA-HN# show crypto isakmp sa
    There are no IKEv1 SAs
    There are no IKEv2 SAs


    Before initiating the connection, run a few debug commands:
    Code:
    ASA-HN# debug crypto ipsec
    ASA-HN# debug crypto ikev1

    Ping to initiate the connection to the HCM site
    [Figure: VPN Site to Site 2 ASA qua GPON FTTH thuc te (5)]

    Output of debug crypto ikev1 10
    Code:
    ASA-HN# debug crypto ikev1 10
    ASA-HN# Sep 12 18:43:17 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
    Sep 12 18:43:17 [IKEv1]IP = 118.69.60.240, IKE Initiator: New Phase 1, Intf inside, IKE Peer 118.69.60.240  local Proxy Address 10.20.20.0, remote Proxy Address10.10.10.0,  Crypto map (ASA-VPN)
    Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing ISAKMP SA payload
    Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Traversal VIDver 02 payload
    Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Traversal VIDver 03 payload
    Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Traversal VIDver RFC payload
    Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing Fragmentation VID+ extended capabilities payload
    Sep 12 18:43:17 [IKEv1]IP = 118.69.60.240, IKE_DECODE SENDING Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR(13) + NONE (0) total length : 168
    Sep 12 18:43:25 [IKEv1]IKE Receiver: Packet received on 172.16.1.2:500 from 118.69.60.240:500
    Sep 12 18:43:25 [IKEv1]IP = 118.69.60.240, IKE_DECODE RECEIVED Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing SA payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Oakley proposal is acceptable
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received NAT-Traversal ver 02 VID
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received Fragmentation VID
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing ke payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing nonce payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing Cisco Unity VID payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing xauth V6 VID payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Send IOS VID
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing VID payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Discovery payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Discovery payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash
    Sep 12 18:43:25 [IKEv1]IP = 118.69.60.240, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
    Sep 12 18:43:25 [IKEv1]IKE Receiver: Packet received on 172.16.1.2:500 from 118.69.60.240:500
    Sep 12 18:43:25 [IKEv1]IP = 118.69.60.240, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing ke payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing ISA_KE payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing nonce payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received Cisco Unity client VID
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received xauth V6 VID
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing NAT-Discovery payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing NAT-Discovery payload
    Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash


    show crypto ikev1
    Code:
    ASA-HN# sh crypto ikev1 sa
    IKEv1 SAs:   Active SA: 1    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 118.69.60.240    Type    : L2L             Role    : initiator    Rekey   : no              State   : MM_ACTIVE


    show crypto isakmp
    Code:
    ASA-HN# show crypto isakmp sa
    IKEv1 SAs:
       Active SA: 1    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 118.69.60.240    Type    : L2L             Role    : initiator    Rekey   : no              State   : MM_ACTIVE
    There are no IKEv2 SAs


    show crypto ipsec sa


    Reset a VPN tunnel

    Code:
    ASA-HN# clear ipsec sa peer 118.69.60.240
    ASA-HN# IPSEC: Deleted outbound encrypt rule, SPI 0xC2B56A4B
        Rule ID: 0x00007fffdd0e9840
    IPSEC: Deleted outbound permit rule, SPI 0xC2B56A4B
        Rule ID: 0x00007fffdc4e4940
    IPSEC: Deleted outbound VPN context, SPI 0xC2B56A4B
        VPN handle: 0x000000000000ff8c
    IPSEC: Deleted inbound decrypt rule, SPI 0x3270F109
        Rule ID: 0x00007fffdd3190b0
    IPSEC: Deleted inbound permit rule, SPI 0x3270F109
        Rule ID: 0x00007fffdd3196d0
    IPSEC: Deleted inbound tunnel flow rule, SPI 0x3270F109
        Rule ID: 0x00007fffdc4e43d0
    IPSEC: Deleted inbound VPN context, SPI 0x3270F109
        VPN handle: 0x0000000000011dcc

    After resetting the VPN tunnel
    Code:
    ASA-HN# show crypto ipsec sa
    
       There are no ipsec sas
    ASA-HN# show crypto ipsec sa
       There are no ipsec sas
    ASA-HN# show crypto isakmp sa
    There are no IKEv1 SAs
    There are no IKEv2 SAs
    Last edited by a moderator: Aug 24, 2016
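
The Python script below is an added example written for this page; it is not part of the original post and not a Cisco tool. It parses the debug crypto ikev1 lines and the show crypto ikev1 sa listing shown above (the sample strings are copied from the post's own output) and reports which side initiated Phase 1, the proxy identities offered, the payloads carried by each Main Mode message, and whether NAT-Traversal was negotiated, which it must be here because both ASAs sit behind NAT routers. The function names (summarize_ikev1_debug, parse_ikev1_sa, tunnel_active) are this example's own.

```python
"""Added example: summarise ASA IKEv1 debug output and 'show crypto ikev1 sa'.

Answers the questions a tunnel troubleshooter asks first: who initiated,
which proxy identities were proposed, what each Main Mode message carried,
and whether NAT-T (NAT-Traversal) was detected on the path.
"""
import re

# Constructed sample: a subset of the debug lines from the post, verbatim.
DEBUG_SAMPLE = """\
Sep 12 18:43:17 [IKEv1]IP = 118.69.60.240, IKE Initiator: New Phase 1, Intf inside, IKE Peer 118.69.60.240  local Proxy Address 10.20.20.0, remote Proxy Address10.10.10.0,  Crypto map (ASA-VPN)
Sep 12 18:43:17 [IKEv1]IP = 118.69.60.240, IKE_DECODE SENDING Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR(13) + NONE (0) total length : 168
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received NAT-Traversal ver 02 VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Discovery payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Discovery payload
Sep 12 18:43:25 [IKEv1]IP = 118.69.60.240, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Sep 12 18:43:25 [IKEv1]IP = 118.69.60.240, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing NAT-Discovery payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing NAT-Discovery payload
"""

# Constructed sample: the 'show crypto ikev1 sa' output from the post.
SA_SAMPLE = """\
IKEv1 SAs:   Active SA: 1    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 118.69.60.240    Type    : L2L             Role    : initiator    Rekey   : no              State   : MM_ACTIVE
"""

# Note the quirks in the ASA output: 'Address10.10.10.0' without a space and
# '(msgid=0)with' without a space; the patterns tolerate both.
PHASE1 = re.compile(r"IKE (Initiator|Responder): New Phase 1.*?IKE Peer (\S+)\s+"
                    r"local Proxy Address\s*(\S+?),\s*remote Proxy Address\s*(\S+?),")
DECODE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=([^)]*)\)\s*"
                    r"with payloads : (.*?) total length : (\d+)")
# One SA entry; \s+ also crosses newlines, so the wrapped 3-line layout parses too.
SA_ENTRY = re.compile(r"IKE Peer: (\S+)\s+Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)\s+"
                      r"Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")


def summarize_ikev1_debug(text):
    """Reduce 'debug crypto ikev1' output to the facts that matter for Phase 1."""
    s = {"role": None, "peer": None, "local_proxy": None, "remote_proxy": None,
         "messages": [], "nat_t_negotiated": False, "nat_d_sent": 0, "nat_d_received": 0}
    for line in text.splitlines():
        m = PHASE1.search(line)
        if m:
            s["role"], s["peer"], s["local_proxy"], s["remote_proxy"] = m.groups()
            continue
        m = DECODE.search(line)
        if m:
            direction, _msgid, payloads, length = m.groups()
            # 'HDR + SA (1) + VENDOR (13) ...' -> ['HDR', 'SA', 'VENDOR', ...]
            names = [re.match(r"[A-Z_-]+", p.strip()).group() for p in payloads.split(" + ")]
            s["messages"].append((direction, names, int(length)))
        elif "Received NAT-Traversal" in line:
            s["nat_t_negotiated"] = True        # peer advertised NAT-T support
        elif "constructing NAT-Discovery payload" in line:
            s["nat_d_sent"] += 1                # our NAT-D hashes (one per address)
        elif "processing NAT-Discovery payload" in line:
            s["nat_d_received"] += 1            # peer's NAT-D hashes
    return s


def parse_ikev1_sa(text):
    """Parse 'show crypto ikev1 sa' into one dict per IKE SA (empty list if none)."""
    keys = ("peer", "type", "role", "rekey", "state")
    return [dict(zip(keys, m)) for m in SA_ENTRY.findall(text)]


def tunnel_active(sa_text, peer):
    """True when an IKEv1 SA with `peer` has reached MM_ACTIVE (Phase 1 complete)."""
    return any(e["peer"] == peer and e["state"] == "MM_ACTIVE" for e in parse_ikev1_sa(sa_text))


if __name__ == "__main__":
    for k, v in summarize_ikev1_debug(DEBUG_SAMPLE).items():
        print(f"{k}: {v}")
    print("tunnel to 118.69.60.240 active:", tunnel_active(SA_SAMPLE, "118.69.60.240"))
```

Run as a script it prints the summary for the post's sample. A periodic health check that collects show crypto ikev1 sa and calls tunnel_active for the expected peer will notice a tunnel that silently dropped after a rekey or NAT-keepalive failure; and seeing NAT-D payloads in both directions during Phase 1 is the first confirmation that the GPON routers are forwarding UDP 500 and 4500 correctly.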
  2. root (Well-Known Member)

    - WAN IP of the GPON at the Ho Chi Minh site
    [Figure: VPN Site to Site 2 ASA qua GPON FTTH thuc te (11)]

    - LAN IP of the GPON at the Ho Chi Minh site

    [Figure: VPN Site to Site 2 ASA qua GPON FTTH thuc te (12)]

    - Configure routing for the ASA inside network to reach the internet

    [Figure: VPN Site to Site 2 ASA qua GPON FTTH thuc te (13)]

    - Open the ports that allow the VPN through (UDP ports 500 and 4500, and TCP/UDP 10000)

    [Figure: VPN Site to Site 2 ASA qua GPON FTTH thuc te (14)]
    - IPsec VPN configuration on the ASA at the Ho Chi Minh site

    Code:
    ASA-HCM(config-if)# int e0/0
    ASA-HCM(config-if)# nameif outside
    ASA-HCM(config-if)# ip address 192.168.1.191 255.255.255.0
    ASA-HCM(config-if)# no shutdown
    ASA-HCM(config-if)# int e0/1
    ASA-HCM(config-if)# nameif inside
    ASA-HCM(config-if)# ip address 10.10.10.1 255.255.255.0
    ASA-HCM(config-if)# no shutdown
    
    
    ASA-HCM(config)# route outside 0 0 192.168.1.1
      
    ASA-HCM(config)# crypto ikev1 policy 10
    ASA-HCM(config-ikev1-policy)# authentication pre-share
    ASA-HCM(config-ikev1-policy)# encryption 3des
    ASA-HCM(config-ikev1-policy)# hash md5
    ASA-HCM(config-ikev1-policy)# group 2
    ASA-HCM(config-ikev1-policy)# lifetime 86400
    
    
    ASA-HCM(config)# crypto ipsec ikev1 transform-set SVUIT esp-3des esp-md5-hmac
    
    
    ASA-HCM(config)# object network INSIDE-HCM
    ASA-HCM(config-network-object)# subnet 10.10.10.0 255.255.255.0
      
    ASA-HCM(config)# object network INSIDE-HN
    ASA-HCM(config-network-object)# subnet 10.20.20.0 255.255.255.0
      
    ASA-HCM(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HCM object INSIDE-HN
     
    ASA-HCM(config)# crypto map ASA-VPN 10 match address VPN-TRAFFIC
    ASA-HCM(config)# crypto map ASA-VPN 10 set peer 42.118.255.128
    ASA-HCM(config)# crypto map ASA-VPN 10 set ikev1 transform-set SVUIT
    
    ASA-HCM(config)# crypto map ASA-VPN interface outside
    ASA-HCM(config)# crypto ikev1 enable outside
     
    ASA-HCM(config)# tunnel-group 42.118.255.128 type ipsec-l2l
    ASA-HCM(config)# tunnel-group 42.118.255.128 ipsec-attributes
    ASA-HCM(config-tunnel-ipsec)# ikev1 pre-shared-key svuit.com
    ASA-HCM(config-tunnel-ipsec)# exit
    
    
    
    - Ping to the GPON at the Hanoi site succeeds

    - A PC on the inside network of the ASA at the Ho Chi Minh site successfully pings and browses the web page of a PC on the inside network of the ASA at the Hanoi site
    [Figure: VPN Site to Site 2 ASA qua GPON FTTH thuc te (15)]


    - Check the VPN status
    Code:
    ASA-HCM# sh crypto ikev1 sa
    
    
    IKEv1 SAs:
    
    
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    
    
    1   IKE Peer: 42.118.255.128
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    

    - Check the IPsec status
    Code:
    ASA-HCM# sh crypto ipsec sa
    interface: outside
        Crypto map tag: ASA-VPN, seq num: 10, local addr: 192.168.1.191
    
    
          access-list VPN-TRAFFIC extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
          current_peer: 42.118.255.128
    
    
          #pkts encaps: 148, #pkts encrypt: 148, #pkts digest: 148
          #pkts decaps: 169, #pkts decrypt: 169, #pkts verify: 169
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 148, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
    
    
          local crypto endpt.: 192.168.1.191/4500, remote crypto endpt.: 42.118.255.128/4500
          path mtu 1500, ipsec overhead 66, media mtu 1500
          current outbound spi: 86F8261F
          current inbound spi : 006AAEF5
    
    
        inbound esp sas:
          spi: 0x006AAEF5 (6991605)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 4096, crypto-map: ASA-VPN
             sa timing: remaining key lifetime (kB/sec): (4373962/27114)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x86F8261F (2264409631)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 4096, crypto-map: ASA-VPN
             sa timing: remaining key lifetime (kB/sec): (4373986/27113)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
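
As an added example, not from the post, the Python script below cross-checks the HN configuration from the first post against the HCM configuration in this post. It strips the CLI prompts, pulls out the IKEv1 policy, transform set, network objects, crypto ACL and peer from each transcript, and then reports weak algorithm choices, whether the two sides' Phase 1 and Phase 2 proposals match, and any crypto ACL entry that the other side does not mirror. The embedded transcripts are copies of the post's own commands reduced to the crypto statements; the function names and the weak-algorithm lists are this example's assumptions.

```python
"""Added example: audit two ASA IKEv1/IPsec site-to-site configs against each other."""
import re

# Constructed from the post's configs, reduced to the crypto statements
# (CLI prompts kept on purpose; the parser strips them).
ASA_HN_CONFIG = """\
ASA-HN(config)# crypto ikev1 policy 10
ASA-HN(config-ikev1-policy)# authentication pre-share
ASA-HN(config-ikev1-policy)# encryption 3des
ASA-HN(config-ikev1-policy)# hash md5
ASA-HN(config-ikev1-policy)# group 2
ASA-HN(config)# crypto ipsec ikev1 transform-set SVUIT esp-3des esp-md5-hmac
ASA-HN(config)# object network INSIDE-HCM
ASA-HN(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA-HN(config)# object network DMZ-HCM
ASA-HN(config-network-object)# subnet 10.10.20.0 255.255.255.0
ASA-HN(config)# object network INSIDE-HN
ASA-HN(config-network-object)# subnet 10.20.20.0 255.255.255.0
ASA-HN(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HN object INSIDE-HCM
ASA-HN(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HN object DMZ-HCM
ASA-HN(config)# crypto map ASA-VPN 10 set peer 118.69.60.240
"""
ASA_HCM_CONFIG = """\
ASA-HCM(config)# crypto ikev1 policy 10
ASA-HCM(config-ikev1-policy)# authentication pre-share
ASA-HCM(config-ikev1-policy)# encryption 3des
ASA-HCM(config-ikev1-policy)# hash md5
ASA-HCM(config-ikev1-policy)# group 2
ASA-HCM(config)# crypto ipsec ikev1 transform-set SVUIT esp-3des esp-md5-hmac
ASA-HCM(config)# object network INSIDE-HCM
ASA-HCM(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA-HCM(config)# object network INSIDE-HN
ASA-HCM(config-network-object)# subnet 10.20.20.0 255.255.255.0
ASA-HCM(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HCM object INSIDE-HN
ASA-HCM(config)# crypto map ASA-VPN 10 set peer 42.118.255.128
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")   # e.g. 'ASA-HN(config-if)# '
# Assumed weak-algorithm lists (example's own policy, not Cisco's).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"},
        "esp": {"esp-des", "esp-3des", "esp-null"}, "hmac": {"esp-md5-hmac", "esp-none"}}


def to_cidr(addr, mask):
    """'10.10.10.0', '255.255.255.0' -> '10.10.10.0/24'."""
    return f"{addr}/{sum(bin(int(o)).count('1') for o in mask.split('.'))}"


def parse_asa(transcript):
    """Pick the crypto-relevant statements out of a prompt-prefixed ASA transcript."""
    cfg = {"policy": {}, "transform": {}, "objects": {}, "acl": [], "peer": None}
    obj = None
    for raw in transcript.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok:
            continue
        if tok[0] in ("authentication", "encryption", "hash", "group") and len(tok) == 2:
            cfg["policy"][tok[0]] = tok[1]                      # Phase 1 attributes
        elif tok[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            cfg["transform"] = {"esp": tok[5], "hmac": tok[6]}  # Phase 2 proposal
        elif tok[:2] == ["object", "network"]:
            obj = tok[2]
        elif tok[0] == "subnet" and obj:
            cfg["objects"][obj] = to_cidr(tok[1], tok[2])
        elif tok[0] == "access-list" and tok[4:5] == ["object"]:
            cfg["acl"].append((tok[5], tok[7]))                 # (src object, dst object)
        elif tok[-3:-1] == ["set", "peer"]:
            cfg["peer"] = tok[-1]
    return cfg


def weak_algorithms(cfg):
    """Weak choices in the site's IKEv1 policy and IPsec transform set."""
    chosen = {**cfg["policy"], **cfg["transform"]}
    return [f"{k} {v}" for k, v in chosen.items() if v in WEAK.get(k, ())]


def policies_match(a, b):
    """Phase 1 attributes and the Phase 2 transform must agree or negotiation fails."""
    return a["policy"] == b["policy"] and a["transform"] == b["transform"]


def unmirrored_acl(local, remote):
    """Crypto ACL entries of `local` (as CIDR pairs) that `remote` does not mirror."""
    mirror = {(remote["objects"][d], remote["objects"][s]) for s, d in remote["acl"]}
    pairs = [(local["objects"][s], local["objects"][d]) for s, d in local["acl"]]
    return [p for p in pairs if p not in mirror]


def audit(hn_transcript, hcm_transcript):
    hn, hcm = parse_asa(hn_transcript), parse_asa(hcm_transcript)
    return {"weak_hn": weak_algorithms(hn), "weak_hcm": weak_algorithms(hcm),
            "policies_match": policies_match(hn, hcm),
            "hn_unmirrored": unmirrored_acl(hn, hcm),
            "hcm_unmirrored": unmirrored_acl(hcm, hn)}


if __name__ == "__main__":
    for k, v in audit(ASA_HN_CONFIG, ASA_HCM_CONFIG).items():
        print(f"{k}: {v}")
```

On these two configs the audit reports that the proposals match, flags 3DES, MD5 and DH group 2 on both sides, and reports that HN's entry for INSIDE-HN to DMZ-HCM (10.20.20.0/24 to 10.10.20.0/24) has no mirror on HCM. That agrees with the show crypto ipsec sa output above, which lists only the 10.10.10.0/24 to 10.20.20.0/24 pair: traffic between HN and the HCM DMZ would be rejected at Phase 2 as unsupported proxy identities until HCM adds the mirrored ACL entry and the DMZ-HCM object.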
    
