VPN [Lab 16.7] Site-to-Site VPN between two ASAs over a real GPON FTTH link

thanhdc
Aug 10, 2014

Site-to-Site VPN between two ASAs over a real GPON FTTH link


I. Overview of the site-to-site VPN between two ASAs over real GPON FTTH



1.1 Deployment topology

[Image: VPN Site to Site 2 ASA qua GPON FTTH thuc te (1)]

1.2 Deployment requirements

The two ASAs sit behind two NAT routers, GPON-HCM and GPON-HN.
Deploy an IPsec site-to-site VPN on the two ASAs (ASA 8.42 and ASA 9.21) to connect the HCM and HN sites.

II. Configuring the site-to-site VPN between two ASAs over real GPON FTTH

2.2 SITE HN:

2.2.1 Configuring GPON-HN:

[Image: VPN Site to Site 2 ASA qua GPON FTTH thuc te (2)]

[Image: VPN Site to Site 2 ASA qua GPON FTTH thuc te (3)]

[Image: VPN Site to Site 2 ASA qua GPON FTTH thuc te (4)]


2.2.2 Configuring the Cisco ASA at HN:

Code:
ASA-HN(config-if)# int g0/0
ASA-HN(config-if)# nameif outside
ASA-HN(config-if)# ip address 172.16.1.2 255.255.255.0
ASA-HN(config-if)# no shutdown
ASA-HN(config-if)# int g0/1
ASA-HN(config-if)# nameif inside
ASA-HN(config-if)# ip address 10.20.20.1 255.255.255.0
ASA-HN(config-if)# no shutdown

ASA-HN(config)# route outside 0 0 172.16.1.1

ASA-HN(config)# crypto ikev1 policy 10
ASA-HN(config-ikev1-policy)# authentication pre-share
ASA-HN(config-ikev1-policy)# encryption 3des
ASA-HN(config-ikev1-policy)# hash md5
ASA-HN(config-ikev1-policy)# group 2
ASA-HN(config-ikev1-policy)# lifetime 86400

ASA-HN(config)# crypto ipsec ikev1 transform-set SVUIT esp-3des esp-md5-hmac

ASA-HN(config-if)# object network INSIDE-HCM
ASA-HN(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA-HN(config-if)# object network DMZ-HCM
ASA-HN(config-network-object)# subnet 10.10.20.0 255.255.255.0
ASA-HN(config)# object network INSIDE-HN
ASA-HN(config-network-object)# subnet 10.20.20.0 255.255.255.0

ASA-HN(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HN object INSIDE-HCM
ASA-HN(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HN object DMZ-HCM

ASA-HN(config)# crypto map ASA-VPN 10 match address VPN-TRAFFIC
ASA-HN(config)# crypto map ASA-VPN 10 set peer 118.69.60.240
ASA-HN(config)# crypto map ASA-VPN 10 set ikev1 transform-set SVUIT
ASA-HN(config)# crypto map ASA-VPN interface outside
ASA-HN(config)# crypto ikev1 enable outside
ASA-HN(config)# tunnel-group 118.69.60.240  type ipsec-l2l
ASA-HN(config)# tunnel-group 118.69.60.240  ipsec-attributes
ASA-HN(config-tunnel-ipsec)# ikev1 pre-shared-key svuit.com
ASA-HN(config-tunnel-ipsec)# exit


2.2.3 Checking the VPN connection on the Cisco ASA



show crypto ikev1

Code:
ASA-HN# sh crypto ikev1 sa
There are no IKEv1 SAs



show crypto ipsec

Code:
ASA-HN# show crypto ipsec sa
   There are no ipsec sas



show crypto isakmp

Code:
ASA-HN# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs



Before initiating the connection, run a few debug commands:

Code:
ASA-HN# debug crypto ipsec
ASA-HN# debug crypto ikev1
ASA-HN#


Ping to initiate the connection to the HCM site

[Image: VPN Site to Site 2 ASA qua GPON FTTH thuc te (5)]

Result of debug crypto ikev1 10

Code:
ASA-HN# debug crypto ikev1 10
ASA-HN# Sep 12 18:43:17 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Sep 12 18:43:17 [IKEv1]IP = 118.69.60.240, IKE Initiator: New Phase 1, Intf inside, IKE Peer 118.69.60.240  local Proxy Address 10.20.20.0, remote Proxy Address10.10.10.0,  Crypto map (ASA-VPN)
Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing ISAKMP SA payload
Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Traversal VIDver 02 payload
Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Traversal VIDver 03 payload
Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Traversal VIDver RFC payload
Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing Fragmentation VID+ extended capabilities payload
Sep 12 18:43:17 [IKEv1]IP = 118.69.60.240, IKE_DECODE SENDING Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR(13) + NONE (0) total length : 168
Sep 12 18:43:25 [IKEv1]IKE Receiver: Packet received on 172.16.1.2:500 from 118.69.60.240:500
Sep 12 18:43:25 [IKEv1]IP = 118.69.60.240, IKE_DECODE RECEIVED Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing SA payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Oakley proposal is acceptable
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received NAT-Traversal ver 02 VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received Fragmentation VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing ke payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing nonce payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing Cisco Unity VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing xauth V6 VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Send IOS VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Discovery payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Discovery payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash
Sep 12 18:43:25 [IKEv1]IP = 118.69.60.240, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Sep 12 18:43:25 [IKEv1]IKE Receiver: Packet received on 172.16.1.2:500 from 118.69.60.240:500
Sep 12 18:43:25 [IKEv1]IP = 118.69.60.240, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing ke payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing ISA_KE payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing nonce payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received Cisco Unity client VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received xauth V6 VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing NAT-Discovery payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing NAT-Discovery payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash



show crypto ikev1

Code:
ASA-HN# sh crypto ikev1 sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 118.69.60.240
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE



show crypto isakmp

Code:
ASA-HN# show crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 118.69.60.240
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
There are no IKEv2 SAs



show crypto ipsec sa

Code:
ASA-HN# show crypto ipsec sa
interface: outside
Crypto map tag: ASA-VPN, seq num: 10, local addr: 172.16.1.2


access-list VPN-TRAFFIC extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 118.69.60.240

#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0


local crypto endpt.: 172.16.1.2/4500, remote crypto endpt.: 118.69.60.240/4500
path mtu 1500, ipsec overhead 66(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 006AAEF5
current inbound spi : 86F8261F


inbound esp sas:
spi: 0x86F8261F (2264409631)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: ASA-VPN
sa timing: remaining key lifetime (kB/sec): (3914986/27261)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x006AAEF5 (6991605)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: ASA-VPN
sa timing: remaining key lifetime (kB/sec): (3914962/27261)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001


Reset a VPN tunnel

Code:
ASA-HN# clear ipsec sa peer 118.69.60.240
ASA-HN# IPSEC: Deleted outbound encrypt rule, SPI 0xC2B56A4B
    Rule ID: 0x00007fffdd0e9840
IPSEC: Deleted outbound permit rule, SPI 0xC2B56A4B
    Rule ID: 0x00007fffdc4e4940
IPSEC: Deleted outbound VPN context, SPI 0xC2B56A4B
    VPN handle: 0x000000000000ff8c
IPSEC: Deleted inbound decrypt rule, SPI 0x3270F109
    Rule ID: 0x00007fffdd3190b0
IPSEC: Deleted inbound permit rule, SPI 0x3270F109
    Rule ID: 0x00007fffdd3196d0
IPSEC: Deleted inbound tunnel flow rule, SPI 0x3270F109
    Rule ID: 0x00007fffdc4e43d0
IPSEC: Deleted inbound VPN context, SPI 0x3270F109
    VPN handle: 0x0000000000011dcc


After resetting the VPN tunnel

Code:
ASA-HN# show crypto ipsec sa

   There are no ipsec sas
ASA-HN# show crypto ipsec sa
   There are no ipsec sas
ASA-HN# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
 
- WAN IP of the GPON at the Ho Chi Minh site

[Image: VPN Site to Site 2 ASA qua GPON FTTH thuc te (11)]

- LAN IP of the GPON at the Ho Chi Minh site

[Image: VPN Site to Site 2 ASA qua GPON FTTH thuc te (12)]

- Configure routing so that the ASA inside network can reach the internet

[Image: VPN Site to Site 2 ASA qua GPON FTTH thuc te (13)]

- Open the ports the VPN needs (UDP ports 500 and 4500, and TCP/UDP 10000)

[Image: VPN Site to Site 2 ASA qua GPON FTTH thuc te (14)]

- IPsec VPN configuration on the ASA at the Ho Chi Minh site

Code:
ASA-HCM(config-if)# int e0/0
ASA-HCM(config-if)# nameif outside
ASA-HCM(config-if)# ip address 192.168.1.191 255.255.255.0
ASA-HCM(config-if)# no shutdown
ASA-HCM(config-if)# int e0/1
ASA-HCM(config-if)# nameif inside
ASA-HCM(config-if)# ip address 10.10.10.1 255.255.255.0
ASA-HCM(config-if)# no shutdown


ASA-HCM(config)# route outside 0 0 192.168.1.1
  
ASA-HCM(config)# crypto ikev1 policy 10
ASA-HCM(config-ikev1-policy)# authentication pre-share
ASA-HCM(config-ikev1-policy)# encryption 3des
ASA-HCM(config-ikev1-policy)# hash md5
ASA-HCM(config-ikev1-policy)# group 2
ASA-HCM(config-ikev1-policy)# lifetime 86400


ASA-HCM(config)# crypto ipsec ikev1 transform-set SVUIT esp-3des esp-md5-hmac


ASA-HCM(config-if)# object network INSIDE-HCM
ASA-HCM(config-network-object)# subnet 10.10.10.0 255.255.255.0
  
ASA-HCM(config)# object network INSIDE-HN
ASA-HCM(config-network-object)# subnet 10.20.20.0 255.255.255.0
  
ASA-HCM(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HCM object INSIDE-HN
 
ASA-HCM(config)# crypto map ASA-VPN 10 match address VPN-TRAFFIC
ASA-HCM(config)# crypto map ASA-VPN 10 set peer 42.118.255.128
ASA-HCM(config)# crypto map ASA-VPN 10 set ikev1 transform-set SVUIT

ASA-HCM(config)# crypto map ASA-VPN interface outside
ASA-HCM(config)# crypto ikev1 enable outside
 
ASA-HCM(config)# tunnel-group 42.118.255.128 type ipsec-l2l
ASA-HCM(config)# tunnel-group 42.118.255.128 ipsec-attributes
ASA-HCM(config-tunnel-ipsec)# ikev1 pre-shared-key svuit.com
ASA-HCM(config-tunnel-ipsec)# exit

- Ping to the GPON at the Hanoi site succeeds

Code:
ASA-HCM# ping 42.118.255.128
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 42.118.255.128, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

- A PC on the ASA inside network at the Ho Chi Minh site successfully pings and browses the web of a PC on the ASA inside network at the Hanoi site

[Image: VPN Site to Site 2 ASA qua GPON FTTH thuc te (15)]


- Check the VPN status
Code:
ASA-HCM# sh crypto ikev1 sa


IKEv1 SAs:


   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1


1   IKE Peer: 42.118.255.128
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


- Check the IPsec status
Code:
ASA-HCM# sh crypto ipsec sa
interface: outside
    Crypto map tag: ASA-VPN, seq num: 10, local addr: 192.168.1.191


      access-list VPN-TRAFFIC extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
      current_peer: 42.118.255.128


      #pkts encaps: 148, #pkts encrypt: 148, #pkts digest: 148
      #pkts decaps: 169, #pkts decrypt: 169, #pkts verify: 169
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 148, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0


      local crypto endpt.: 192.168.1.191/4500, remote crypto endpt.: 42.118.255.128/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 86F8261F
      current inbound spi : 006AAEF5


    inbound esp sas:
      spi: 0x006AAEF5 (6991605)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 4096, crypto-map: ASA-VPN
         sa timing: remaining key lifetime (kB/sec): (4373962/27114)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x86F8261F (2264409631)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 4096, crypto-map: ASA-VPN
         sa timing: remaining key lifetime (kB/sec): (4373986/27113)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
 
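As an added verification (not from the original post), the following Python cross-checks the two `show crypto ipsec sa` outputs quoted for the HN and HCM ends: the outbound SPI of one end must be the inbound SPI of the other, the crypto-ACL proxy identities must mirror, and both endpoints must sit on UDP 4500 (NAT-T) since each ASA is behind a GPON NAT router. The excerpts are constructed from the values shown on this page.

```python
import re

# Constructed excerpts of the "show crypto ipsec sa" output quoted for each site.
SA_HN = """\
      local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      local crypto endpt.: 172.16.1.2/4500, remote crypto endpt.: 118.69.60.240/4500
      current outbound spi: 006AAEF5
      current inbound spi : 86F8261F
"""
SA_HCM = """\
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
      local crypto endpt.: 192.168.1.191/4500, remote crypto endpt.: 42.118.255.128/4500
      current outbound spi: 86F8261F
      current inbound spi : 006AAEF5
"""

# Field name -> regex with one capture group, applied to one site's output.
FIELDS = {
    "local_net": r"local ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)",
    "remote_net": r"remote ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)",
    "local_port": r"local crypto endpt\.: [\d.]+/(\d+)",
    "remote_port": r"remote crypto endpt\.: [\d.]+/(\d+)",
    "out_spi": r"current outbound spi: ([0-9A-Fa-f]+)",
    "in_spi": r"current inbound spi\s*: ([0-9A-Fa-f]+)",
}

def parse_ipsec_sa(text: str) -> dict:
    """Extract the fields needed to reason about one end of the tunnel."""
    sa = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field missing from output: {key}")
        sa[key] = m.group(1).upper()  # SPIs are compared case-insensitively
    return sa

def check_tunnel(a: dict, b: dict) -> list:
    """Compare both ends; an empty list means the outputs describe one consistent tunnel."""
    problems = []
    if a["out_spi"] != b["in_spi"] or a["in_spi"] != b["out_spi"]:
        problems.append("SPIs do not mirror: the two ends are not sharing one SA pair")
    if a["local_net"] != b["remote_net"] or a["remote_net"] != b["local_net"]:
        problems.append("proxy identities (crypto ACL networks) are not mirrored")
    for name, s in (("A", a), ("B", b)):
        if s["local_port"] != "4500" or s["remote_port"] != "4500":
            problems.append(f"end {name}: not using NAT-T (UDP 4500) although behind NAT")
    return problems
```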