ASA IPsec Tunnel

1.1 Interface IP Configuration

hostname(config)# interface ethernet0/0
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address <public IP> <subnet mask>
hostname(config-if)# no shutdown

hostname(config)# interface ethernet0/1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address <internal private IP> <subnet mask>
hostname(config-if)# no shutdown

1.2 Routing Configuration

hostname(config)# route outside 0 0 <gateway IP>

1.3 Configure object-groups for each side

Object-groups for the local and remote networks

object-group network <name>
    network-object host <host IP>
    network-object <network IP> <subnet mask>

1.4 Access-List

Crypto access-list defining the interesting traffic, network-based:

access-list outside_20_cryptomap extended permit ip <local_inside_network> <local_inside_subnet> <remote_inside_network> <remote_inside_subnet>

Object-group based:

access-list ASA1toASA2 extended permit ip object-group <local object group name> object-group <remote object group name>

1.5 IKEv1 / IKEv2 Configuration

IPsec IKEv1 policy configuration mode

  • Group: 2
  • Authentication hash: sha-1
  • Encryption: 3des
  • Lifetime: 43200

hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)# authentication pre-share
hostname(config-ikev1-policy)# encryption 3des
hostname(config-ikev1-policy)# hash sha
hostname(config-ikev1-policy)# group 2
hostname(config-ikev1-policy)# lifetime 43200
hostname(config)# crypto ikev1 enable outside

IKEv2

  • Group: 2
  • Authentication hash: sha-1
  • Encryption: 3des
  • Lifetime: 43200

hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)# encryption 3des
hostname(config-ikev2-policy)# integrity sha
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)# prf sha
hostname(config-ikev2-policy)# lifetime seconds 43200
hostname(config)# crypto ikev2 enable outside

1.6 Creating an IKEv1 Transform Set

In global configuration mode, enter the crypto ipsec ikev1 transform-set command. The following example configures a transform set named FirstSet with esp-3des encryption and esp-md5-hmac authentication.

hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac   (FirstSet = transform set name)

1.7 Creating an IKEv2 Proposal

In global configuration mode, use the crypto ipsec ikev2 ipsec-proposal command to enter IPsec proposal configuration mode, where you can specify multiple encryption and integrity types for the proposal. In this example, secure is the name of the proposal.

hostname(config)# crypto ipsec ikev2 ipsec-proposal secure   (secure = proposal name)
hostname(config-ipsec-proposal)# protocol esp encryption 3des aes des
hostname(config-ipsec-proposal)# protocol esp integrity sha-1

1.8 Defining the Tunnel Group

Method using an existing group policy

hostname(config)# group-policy DefaultGroupPolicy internal
hostname(config)# group-policy DefaultGroupPolicy attributes
hostname(config-group-policy)# vpn-tunnel-protocol ikev1 ikev2
hostname(config)# tunnel-group <Peer IP> type ipsec-l2l
hostname(config)# tunnel-group <Peer IP> general-attributes
hostname(config-tunnel-general)# default-group-policy DefaultGroupPolicy
hostname(config)# tunnel-group <Peer IP> ipsec-attributes
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key <password>   (the key is a 1-128 character alphanumeric string)
hostname(config-tunnel-ipsec)# ikev2 remote-authentication certificate

1.9 Creating the Crypto Map and Applying It to the Interface

Creating the crypto map

hostname(config)# crypto map <Map Name> 1 match address <ACL name>
hostname(config)# crypto map <Map Name> 1 set peer <Peer IP>
hostname(config)# crypto map <Map Name> 1 set ikev1 transform-set <IKEv1 transform set name>   (e.g. FirstSet)
hostname(config)# crypto map <Map Name> 1 set ikev2 ipsec-proposal <IKEv2 proposal name>   (e.g. secure)

Applying to the interface

hostname(config)# crypto map <Map Name> interface outside
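A worked rendering of steps 1.3 to 1.9 for the IKEv1 case, as an added example that is not part of the original page: a Python script that emits the configuration for one ASA and, with the peers swapped, the mirror configuration for the other side, then lists the legacy algorithms (the page's 3des, md5 and DH group 2 defaults) that a pre-deployment review would flag. All hostnames, addresses, the names L2L_ACL/MAP and the key value are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class Peer:  # constructed spec for one ASA
    name: str         # label used for object-group names
    outside_ip: str   # public IP; the far side uses it as its tunnel-group name
    inside_net: str   # protected network behind this ASA
    inside_mask: str

def asa_l2l_config(local, remote, psk, acl="L2L_ACL", ts="FirstSet",
                   cmap="MAP", enc="3des", hmac="md5", dh=2):
    """CLI lines for `local`; calling it with the peers swapped gives the mirror.
    Algorithm defaults follow the page (3des, md5, group 2) so they can be audited."""
    lg, rg = f"{local.name}_LAN", f"{remote.name}_LAN"
    return [
        f"object-group network {lg}",
        f" network-object {local.inside_net} {local.inside_mask}",
        f"object-group network {rg}",
        f" network-object {remote.inside_net} {remote.inside_mask}",
        # crypto ACL: local network first, remote second; the far side reverses it
        f"access-list {acl} extended permit ip object-group {lg} object-group {rg}",
        "crypto ikev1 policy 1", " authentication pre-share", f" encryption {enc}",
        " hash sha", f" group {dh}", " lifetime 43200",
        "crypto ikev1 enable outside",
        f"crypto ipsec ikev1 transform-set {ts} esp-{enc} esp-{hmac}-hmac",
        "group-policy DefaultGroupPolicy internal",
        "group-policy DefaultGroupPolicy attributes", " vpn-tunnel-protocol ikev1",
        f"tunnel-group {remote.outside_ip} type ipsec-l2l",
        # default-group-policy belongs to general-attributes, the key to ipsec-attributes
        f"tunnel-group {remote.outside_ip} general-attributes",
        " default-group-policy DefaultGroupPolicy",
        f"tunnel-group {remote.outside_ip} ipsec-attributes",
        f" ikev1 pre-shared-key {psk}",
        f"crypto map {cmap} 1 match address {acl}",
        f"crypto map {cmap} 1 set peer {remote.outside_ip}",
        f"crypto map {cmap} 1 set ikev1 transform-set {ts}",
        f"crypto map {cmap} interface outside",
    ]

# tokens a pre-deployment review should flag in the generated lines
LEGACY = ("des", "3des", "md5", "group 1", "group 2", "group 5")

def legacy_algorithms(lines):
    """Return the sorted legacy tokens present, [] for a modern policy."""
    found = {tok for line in lines for tok in LEGACY
             if re.search(rf"\b{re.escape(tok)}\b", line)}
    return sorted(found)
```

Generate ASA1's lines with asa_l2l_config(asa1, asa2, psk) and ASA2's with the peers swapped; the two access-lists must come out as mirror images and each tunnel-group name must be the other peer's outside IP.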

1.10 Verification

Interface verification

ciscoasa# show ip

System IP Addresses:
Interface            Name      IP address      Subnet mask      Method
GigabitEthernet0/0   inside    192.168.1.1     255.255.255.0    manual
GigabitEthernet0/1   outside   10.0.0.1        255.255.255.0    manual
Current IP Addresses:
Interface            Name      IP address      Subnet mask      Method
GigabitEthernet0/0   inside    192.168.1.1     255.255.255.0    manual
GigabitEthernet0/1   outside   10.0.0.1        255.255.255.0    manual

Tunnel Verification (show crypto ipsec sa)

interface: outside
   Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1
    access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
    remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/1/0)
current_peer: 10.0.0.2
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0
    local crypto endpt.: 10.0.0.1/0, remote crypto endpt.: 10.0.0.2/0
    path mtu 1500, ipsec overhead 74, media mtu 1500
    current outbound spi: DB680406
    current inbound spi : 1698CAC7
  inbound esp sas:
    spi: 0x1698CAC7 (379112135)
       transform: esp-aes esp-sha-hmac no compression
       in use settings ={L2L, Tunnel, }
       slot: 0, conn_id: 16384, crypto-map: MAP
       sa timing: remaining key lifetime (kB/sec): (3914999/3326)
       IV size: 16 bytes
       replay detection support: Y
       Anti replay bitmap:
        0x00000000 0x0000001F
  outbound esp sas:
    spi: 0xDB680406 (3681027078)
       transform: esp-aes esp-sha-hmac no compression
       in use settings ={L2L, Tunnel, }
       slot: 0, conn_id: 16384, crypto-map: MAP
       sa timing: remaining key lifetime (kB/sec): (3914999/3326)
       IV size: 16 bytes
       replay detection support: Y
       Anti replay bitmap:
       0x00000000 0x00000001

Tunnel Verification (show crypto isakmp sa)

Active SA: 1
   Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
   Total IKE SA: 1
1   IKE Peer: 10.0.0.2
    Type    : L2L
    Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Tunnel Verification (show crypto ikev2 sa detail)

IKEv2 SAs:
Session-id:132, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local                Remote     Status         Role
1574208993     198.51.100.1/4500    203.0.113.134/4500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:24, Auth sign: PSK,
      Auth verify: PSK
      Life/Active Time: 86400/352 sec
      Session-id: 132
      Status Description: Negotiation done
      Local spi: 4FDFF215BDEC73EC       Remote spi: 2414BEA1E10E3F70
      Local id: 198.51.100.1
      Remote id: DynamicSite2Site1
      Local req mess id: 13             Remote req mess id: 17
      Local next mess id: 13            Remote next mess id: 17
      Local req queued: 13              Remote req queued: 17
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is detected  outside
Child sa: local selector  172.0.0.0/0 - 172.255.255.255/65535
          remote selector 172.16.1.0/0 - 172.16.1.255/65535
          ESP spi in/out: 0x9fd5c736/0x6c5b3cc9
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
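Reading the show crypto ipsec sa counters above by script, as an added example that is not part of the original page: the sample output is constructed to resemble the page's, with the decaps counters forced to 0 so that the one-way tunnel case (traffic leaving but nothing returning) is what the check reports.

```python
import re

# Constructed sample modelled on the page's `show crypto ipsec sa` output;
# decaps is forced to 0 to show the one-way tunnel case.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1
      current_peer: 10.0.0.2
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      current outbound spi: DB680406
      current inbound spi : 1698CAC7
"""

FIELDS = {  # field -> (regex, converter); SPIs stay as hex strings
    "peer": (r"current_peer:\s*(\S+)", str),
    "encaps": (r"#pkts encaps:\s*(\d+)", int),
    "decaps": (r"#pkts decaps:\s*(\d+)", int),
    "send_errors": (r"#send errors:\s*(\d+)", int),
    "recv_errors": (r"#recv errors:\s*(\d+)", int),
    "spi_out": (r"current outbound spi:\s*([0-9A-Fa-f]+)", str),
    "spi_in": (r"current inbound spi\s*:\s*([0-9A-Fa-f]+)", str),
}

def parse_ipsec_sa(text):
    """Extract the fields a tunnel check reads from one crypto-map entry."""
    sa = {}
    for key, (pat, cast) in FIELDS.items():
        m = re.search(pat, text)
        if m:
            sa[key] = cast(m.group(1))
    return sa

def diagnose(sa):
    """Classify the SA the way the counters are read by hand on the CLI."""
    if "peer" not in sa:
        return "no SA: phase 2 never completed for this entry"
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle: no traffic has matched the crypto ACL yet"
    if enc > 0 and dec == 0:
        return f"one-way: sending to {sa['peer']} but nothing returns (check far-side ACL, routing, NAT exemption)"
    if dec > 0 and enc == 0:
        return "one-way: receiving from peer but not sending (check local routing and crypto ACL)"
    if sa.get("send_errors", 0) or sa.get("recv_errors", 0):
        return "bidirectional with errors"
    return "bidirectional"
```

Paste the real output of show crypto ipsec sa in place of SAMPLE_OUTPUT; a healthy tunnel shows both encaps and decaps rising and the check returns "bidirectional".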
