Cisco路由器IPsecVPN配置调试指南

Cisco路由器IPsecVPN配置调试指南2012.01.091.首先观察Cisco路由器是否支持IPsec。登录设备用showcryptoipsec命令就能看出是否支持IPsec，如果不支持则需要升级IOS以支持IPsec。如一Cisco3845路由器开始前IOS版本为c3845-ipbase-mz.124-17b.bin，不支持IPsecVPN功能。升级后支持IPsec的IOS版本为c3845-adventerprisek9-mz.124-25d.bin。2.调通外网。IPsec由于协议的复杂性，一般需要Cisco路由器拥有一个公网IPv4地址。如果不具备公网地址，需要在Cisco路由器外部的防火墙上作一对一NAT公网地址映射，然后有两种IPsec模式：2.1普通IPsec模式，需要UDP500端口的IKE协商，和ESP协议的IPsec协商。2.2IPsec的NAT-T模式，需要UDP500端口的IKE协商，和UDP4500端口的IPsec协商。Cisco路由器缺省开启IPsec的NAT-T模式，如果需要关闭需要显式配置:nocryptoipsecnat-transparencyudp-encaps3.Cisco路由器中IPsec传输模式和隧道模式的自动选择如果加密图中的ACL使用路由器上实接口的IP地址作为源，那么IPsec自动进入传输模式。如果加密图中的ACL未使用路由器上实接口的IP地址作为源，那么IPsec自动进入隧道模式。Router3845(config)#cryptoipsectransform-setMSFTesp-3desesp-md5-hmacRouter3845(cfg-crypto-trans)#mode?transporttransport(payloadencapsulation)modetunneltunnel(datagramencapsulation)modeRouter3845(cfg-crypto-trans)#modetransport4.Cisco3845尝试了两种IOS:c3845-adventerprisek9-mz.124-25.bin和c3845-adventerprisek9-mz.124-25a.bin这两者在开启了IPsec后并不稳定，在nat上网或者showcryptosession时容易发生crash重启。再后来最终确定较好的IOS为c3845-adventerprisek9-mz.124-25d.bin。如果同时开启了NAT和cryptomap，一个IP地址首先进行NAT，不在NAT的ACL中才进行IPsec的MAP。5.按照双方的协定，配置IKE、IPsec、Tunnel等相关参数，尤其是IKE预共享密钥。如果联调时一方没有遵循之前双方商量好的IKE预共享密钥，就会给IPsecVPN建立带来麻烦。主动发起的IPsec协商，如果不能顺利进入IKE_I_MM2，说明IKE协商有误，检查IKE相关参数，尤其是共享密钥，例如下面的错误:ISAKMP:(0:0:N/A:0):foundpeerpre-sharedkeymatching203.92.128.195ISAKMP:(0:0:N/A:0):Input=IKE_MESG_FROM_IPSEC,IKE_SA_REQ_MMISAKMP:(0:0:N/A:0):OldState=IKE_READYNewState=IKE_I_MM1ISAKMP:(0:0:N/A:0):beginningMainModeexchangeISAKMP:(0:0:N/A:0):sendingpacketto203.92.128.195my_port500peer_port500(I)MM_NO_STATEISAKMP(0:0):receivedpacketfrom203.92.128.195dport500sport500Global(I)MM_NO_STATEISAKMP:(0:0:N/A:0):Couldn'tfindnode:message_id-1502134904ISAKMP(0:0):UnknownInputIKE_MESG_FROM_PEER,IKE_INFO_NOTIFY:state=IKE_I_MM1ISAKMP:(0:0:N/A:0):Input=IKE_MESG_FROM_PEER,IKE_INFO_NOTIFYISAKMP:(0:0:N/A:0):OldState=IKE_I_MM1NewState=IKE_I_MM1%CRYPTO-6-IKMP_MODE_FAILURE:ProcessingofInformationalmodefailedwithpeerat203.92.128.195主动发起的IPsec协商正常情况应该如下:ISAKMP:(0:0:N/A:0):foundpeerpre-sharedkeymatching213.61.69.220ISAKMP:(0:0:N/A:0):Input=IKE_MESG_FROM_IPSEC,IKE_SA_REQ_MMISAKMP:(0:0:N/A:0):OldState=IKE_READYNewState=IKE_I_MM1ISAKMP:(0:0:N/A:0):beginningMainModeexchangeISAKMP:(0:0:N/A:0):sendingpacketto213.61.69.220my_port500peer_port500(I)MM_NO_STATEISAKMP(0:0):receivedpacketfrom213.61.69.220dport500sport500Global(I)MM_NO_STATEISAKMP:(0:0:N/A:0):Input=IKE_MESG_FROM_PEER,IKE_MM_EXCHISAKMP:(0:0:N/A:0):OldState=IKE_I_MM1NewState=IKE_I_MM26.升级IOS以便支持IPsec6.1.升级前Router#shverCiscoIOSSoftware,3800Software(C3845-IPBASE-M),Version12.4(17b),RELEASESOFTWARE(fc2)TechnicalSupport:(c)1986-2008byCiscoSystems,Inc.CompiledTue26-Feb-0808:47byprod_rel_teamROM:SystemBootstrap,Version12.4(13r)T10,RELEASESOFTWARE(fc1)Routeruptimeis6weeks,6days,19hours,14minutesSystemreturnedtoROMbypower-onSystemimagefileisflash:c3845-ipbase-mz.124-17b.binCisco3845(revision1.0)with225280K/36864Kbytesofmemory.ProcessorboardIDFHK1251F0EF2GigabitEthernetinterfacesDRAMconfigurationis64bitswidewithparityenabled.479KbytesofNVRAM.62720KbytesofATASystemCompactFlash(Read/Write)Configurationregisteris0x2142Router#dirDirectoryofflash:/1-rw-18668672Dec15200809:03:56+00:00c3845-ipbase-mz.124-17b.bin2-rw-2751Dec15200809:11:28+00:00sdmconfig-38xx.cfg3-rw-931840Dec15200809:11:42+00:00es.tar4-rw-1505280Dec15200809:11:58+00:00common.tar5-rw-1038Dec15200809:12:10+00:00home.shtml6-rw-112640Dec15200809:12:22+00:00home.tar7-rw-1697952Dec15200809:12:42+00:00securedesktop-ios-3.1.1.45-k9.pkg8-rw-415956Dec15200809:13:00+00:00sslclient-win-1.1.4.176.pkg64012288bytestotal(40660992bytesfree)Router#6.2.升级后Router3845#shverCiscoIOSSoftware,3800Software(C3845-ADVENTERPRISEK9-M),Version12.4(25),RELEASESOFTWARE(fc2)TechnicalSupport:(c)1986-2009byCiscoSystems,Inc.CompiledTue21-Apr-0915:50byprod_rel_teamROM:SystemBootstrap,Version12.4(13r)T10,RELEASESOFTWARE(fc1)Router3845uptimeis6minutesSystemreturnedtoROMbyreloadat20:11:01NanjingMonDec52011Systemrestartedat20:12:35NanjingMonDec52011Systemimagefileisflash:c3845-adventerprisek9-mz.124-25.binThisproductcontainscryptographicfeaturesandissubjecttoUnitedStatesandlocalcountrylawsgoverningimport,export,transferanduse.DeliveryofCiscocryptographicproductsdoesnotimplythird-partyauthoritytoimport,export,distributeoruseencryption.Importers,exporters,distributorsandusersareresponsibleforcompliancewithU.S.andlocalcountrylaws.Byusingthisproductyouagreetocomplywithapplicablelawsandregulations.IfyouareunabletocomplywithU.S.andlocallaws,returnthisproductimmediately.AsummaryofU.S.lawsgoverningCiscocryptographicproductsmaybefoundat:@cisco.com.Cisco3845(revision1.0)with222208K/39936Kbytesofmemory.ProcessorboardIDFHK1251F0EF2GigabitEthernetinterfaces1VirtualPrivateNetwork(VPN)ModuleDRAMconfigurationis64bitswidewithparityenabled.479Kby