ASA IPsec Tunnel
1.1 Interface IP configuration
hostname(config)# interface ethernet0/0
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address <public IP> <subnet>
hostname(config-if)# no shutdown
hostname(config)# interface ethernet0/1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address <inside private IP> <subnet>
hostname(config-if)# no shutdown
1.2 Routing configuration
hostname(config)# route outside 0 0 <gateway ip>
1.3 Config object-groups for each side
Object-group Local & Remote Network Config
object-group network <Name>
network-object host IP
network-object <network ip> <Subnet>
1.4 Access-List
Access-list
access-list outside_20_cryptomap extended permit ip <local_inside_network> <local_inside_subnet> <remote_inside_network> <remote_inside_subnet>
<Object Group Based>
access-list ASA1toASA2 extended permit ip object-group <local object group Name> object-group <remote object group Name>
1.5 IKEv1 / IKEv2 configuration
IPsec IKEv1 policy configuration mode
- Group: 2
- Authentication (hash) method: sha-1
- Encryption method: 3des
- Lifetime: 43200
hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)# authentication pre-share
hostname(config-ikev1-policy)# encryption 3des
hostname(config-ikev1-policy)# hash sha
hostname(config-ikev1-policy)# group 2
hostname(config-ikev1-policy)# lifetime 43200
hostname(config)# crypto ikev1 enable outside
IKEv2
- Group: 2
- Authentication (hash) method: sha-1
- Encryption method: 3des
- Lifetime: 43200
hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)# encryption 3des
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)# prf sha
hostname(config-ikev2-policy)# lifetime 43200
hostname(config)# crypto ikev2 enable outside
1.6 Create the IKEv1 transform set
In global configuration mode, enter the crypto ipsec ikev1 transform-set command. The following example configures a transform set named FirstSet with esp-3des encryption and esp-md5-hmac authentication.
hostname(config)# crypto ipsec ikev1 transform-set FirstSet (transform set name) esp-3des esp-md5-hmac
1.7 Create the IKEv2 proposal
In global configuration mode, use the crypto ipsec ikev2 ipsec-proposal command to enter ipsec-proposal configuration mode, where you can specify multiple encryption and integrity types for the proposal. In this example, secure is the name of the proposal.
hostname(config)# crypto ipsec ikev2 ipsec-proposal secure (proposal name)
hostname(config-ipsec-proposal)# protocol esp encryption 3des aes des
hostname(config-ipsec-proposal)# protocol esp integrity sha-1
1.8 Define the tunnel group
Method using an existing group policy
hostname(config)# group-policy DefaultGroupPolicy internal
hostname(config)# group-policy DefaultGroupPolicy attributes
hostname(config-group-policy)# vpn-tunnel-protocol ikev1 ikev2
hostname(config)# tunnel-group <Peer IP> type ipsec-l2l
hostname(config)# tunnel-group <Peer IP> general-attributes
hostname(config-tunnel-general)# default-group-policy DefaultGroupPolicy
hostname(config)# tunnel-group <Peer IP> ipsec-attributes
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key <password> (the key is a 1 to 128 character alphanumeric string)
hostname(config-tunnel-ipsec)# ikev2 remote-authentication certificate
1.9 Create the crypto map and apply it to the interface
Create the crypto map
hostname(config)# crypto map <Map Name> 1 match address <ACL name>
hostname(config)# crypto map <Map Name> 1 set peer <Peer IP>
hostname(config)# crypto map <Map Name> 1 set ikev1 transform-set <name declared in the IKEv1 transform set> (e.g. FirstSet)
hostname(config)# crypto map <Map Name> 1 set ikev2 ipsec-proposal <name declared in the IKEv2 proposal> (e.g. secure)
Apply to the interface
hostname(config)# crypto map <Map Name> interface outside
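The steps in 1.3 through 1.9 rendered as one parameterised IKEv1 site-to-site configuration, with a check that flags the legacy algorithms (3DES, MD5, DH group 2) this walkthrough uses before the config is pushed. This is an added example, not code from the original page or from Cisco; the object-group, ACL, transform-set and crypto-map names, the Site class and the legacy algorithm sets are assumptions.

```python
from dataclasses import dataclass

# Algorithm values treated as legacy for ASA IKE/IPsec (assumed set for this check).
LEGACY_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


@dataclass
class Site:
    name: str     # object-group name (hypothetical), e.g. "LOCAL_NET"
    network: str  # network address, e.g. "192.168.1.0"
    mask: str     # subnet mask, e.g. "255.255.255.0"


def build_l2l_config(local, remote, peer_ip, psk, encryption="3des",
                     hash_="sha", group=2, transform=("esp-3des", "esp-md5-hmac")):
    """Render the ASA CLI lines for one IKEv1 site-to-site tunnel (steps 1.3-1.9)."""
    acl = f"{local.name}_to_{remote.name}"  # ACL, transform-set and map names are assumed
    lines = []
    for site in (local, remote):
        lines += [f"object-group network {site.name}",
                  f" network-object {site.network} {site.mask}"]
    lines += [f"access-list {acl} extended permit ip object-group {local.name} "
              f"object-group {remote.name}",
              "crypto ikev1 policy 1", " authentication pre-share",
              f" encryption {encryption}", f" hash {hash_}", f" group {group}",
              " lifetime 43200", "crypto ikev1 enable outside",
              f"crypto ipsec ikev1 transform-set TS_{acl} {transform[0]} {transform[1]}",
              f"tunnel-group {peer_ip} type ipsec-l2l",
              f"tunnel-group {peer_ip} ipsec-attributes",
              f" ikev1 pre-shared-key {psk}",
              f"crypto map OUTSIDE_MAP 1 match address {acl}",
              f"crypto map OUTSIDE_MAP 1 set peer {peer_ip}",
              f"crypto map OUTSIDE_MAP 1 set ikev1 transform-set TS_{acl}",
              "crypto map OUTSIDE_MAP interface outside"]
    return lines


def legacy_algorithms(lines):
    """Return the legacy IKE/ESP algorithm tokens a rendered config would use."""
    found = []
    for line in lines:
        words = line.split()
        if words[0] in LEGACY_IKE and words[1] in LEGACY_IKE[words[0]]:
            found.append(f"{words[0]} {words[1]}")
        if "transform-set" in words:
            found += [w for w in words if w in LEGACY_ESP]
    return found
```

Calling build_l2l_config with the walkthrough's defaults returns the page's algorithm choices, and legacy_algorithms on that output lists every one that should be replaced (for example with AES-256, SHA-2 and DH group 14 or higher).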
1.10 Verification
Check the interfaces
Ciscoasa# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 inside 192.168.1.1 255.255.255.0 manual
GigabitEthernet0/1 outside 10.0.0.1 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 inside 192.168.1.1 255.255.255.0 manual
GigabitEthernet0/1 outside 10.0.0.1 255.255.255.0 manual
Tunnel Verification (show crypto ipsec sa)
interface: outside
Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1
access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/1/0)
current_peer: 10.0.0.2
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.0.0.1/0, remote crypto endpt.: 10.0.0.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: DB680406
current inbound spi : 1698CAC7
inbound esp sas:
spi: 0x1698CAC7 (379112135)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 16384, crypto-map: MAP
sa timing: remaining key lifetime (kB/sec): (3914999/3326)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xDB680406 (3681027078)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 16384, crypto-map: MAP
sa timing: remaining key lifetime (kB/sec): (3914999/3326)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Tunnel Verification (show crypto isakmp sa)
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.0.0.2
Type : L2L
Role : responder
Rekey : no
State : MM_ACTIVE
Tunnel Verification (show crypto ikev2 sa detail)
IKEv2 SAs:
Session-id:132, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
1574208993 198.51.100.1/4500 203.0.113.134/4500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:24, Auth sign: PSK,
Auth verify: PSK
Life/Active Time: 86400/352 sec
Session-id: 132
Status Description: Negotiation done
Local spi: 4FDFF215BDEC73EC Remote spi: 2414BEA1E10E3F70
Local id: 198.51.100.1
Remote id: DynamicSite2Site1
Local req mess id: 13 Remote req mess id: 17
Local next mess id: 13 Remote next mess id: 17
Local req queued: 13 Remote req queued: 17
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is detected outside
Child sa: local selector 172.0.0.0/0 - 172.255.255.255/65535
remote selector 172.16.1.0/0 - 172.16.1.255/65535
ESP spi in/out: 0x9fd5c736/0x6c5b3cc9
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
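A small parser for the show crypto ipsec sa and show crypto isakmp sa output above that turns the verification step into a yes/no tunnel health check: IKE SA established, one ESP SA in each direction with lifetime remaining, packets both encapsulated and decapsulated, and zero send/receive errors. This is an added example, not from the original page or from Cisco; the sample text is constructed from the output shown above and the function names are assumptions.

```python
import re

# Constructed samples, trimmed from the show crypto ipsec sa / isakmp sa output above.
IPSEC_SA = """\
interface: outside
    Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1
      current_peer: 10.0.0.2
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0x1698CAC7 (379112135)
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
    outbound esp sas:
      spi: 0xDB680406 (3681027078)
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
"""
ISAKMP_SA = """\
Active SA: 1
    Rekey SA: 0
Total IKE SA: 1
1   IKE Peer: 10.0.0.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

def parse_ipsec_sa(text):
    """Peer, packet/error counters and per-SPI remaining lifetime from show crypto ipsec sa."""
    sa = {"peer": re.search(r"current_peer: (\S+)", text).group(1), "counters": {}, "spis": []}
    for name, val in re.findall(r"#(pkts \w+|send errors|recv errors): (\d+)", text):
        sa["counters"][name] = int(val)
    # Each ESP SA block: "spi: 0x..." followed later by "(kB/sec): (kB/sec)" lifetime.
    for m in re.finditer(r"spi: (0x[0-9A-Fa-f]+).*?\((\d+)/(\d+)\)", text, re.S):
        sa["spis"].append({"spi": m.group(1), "kb_left": int(m.group(2)),
                           "sec_left": int(m.group(3))})
    return sa

def ike_state(text):
    """IKE SA state string (e.g. MM_ACTIVE) from show crypto isakmp sa, or None."""
    m = re.search(r"State\s*:\s*(\S+)", text)
    return m.group(1) if m else None

def tunnel_healthy(ipsec_text, isakmp_text):
    """True only if IKE is up, ESP SAs exist both ways, traffic flows and there are no errors."""
    sa = parse_ipsec_sa(ipsec_text)
    c = sa["counters"]
    return (ike_state(isakmp_text) in ("MM_ACTIVE", "AM_ACTIVE")
            and c.get("pkts encaps", 0) > 0 and c.get("pkts decaps", 0) > 0
            and c.get("send errors", 0) == 0 and c.get("recv errors", 0) == 0
            and len(sa["spis"]) == 2 and all(s["sec_left"] > 0 for s in sa["spis"]))
```

A tunnel that is negotiated but only ever encapsulates (decaps stays 0) fails the check, which is the classic symptom of a mismatched crypto ACL or a return-path routing problem on the far side.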