読者です 読者をやめる 読者になる 読者になる

NETWORK ENGINEER BLOG

Tips and Reviews for Engineers

ASA と VyOS で IPsec

VyOS は Vyattaの無償版である Vyatta Core よりフォークされたオープンソースのネットワーク OS です。
Cisco の ASA(HA 構成)と VyOS 間で IPsec を確立する際の設定例になります。

検証環境

  • VyOS1.1.7 及び、CentOS6.8 を VMware Workstation 上に構築
  • VMware ESXi5.5 を VMweare Workstation 上に構築し、ESXi5.5 上に ASAv を構築*1

f:id:FriendsNow:20160920135254p:plain

ASA 設定例

HA 関連の最終設定
※HA の具体的な設定方法は、こちらをご参照ください。

<...snip...>
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2
!
interface GigabitEthernet0/2
 description LAN Failover Interface
!
interface GigabitEthernet0/3
 description STATE Failover Interface
<...snip...>
failover
failover lan interface failover GigabitEthernet0/2
failover link state GigabitEthernet0/3
failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2
failover interface ip state 172.16.2.1 255.255.255.0 standby 172.16.2.2
<...snip...>

HA の確認

ciscoasa# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
Version: Ours 9.2(0)2, Mate 9.2(0)2
Last Failover at: 02:57:55 UTC Sep 19 2016
        This host: Primary - Active
                Active time: 27 (sec)
                slot 0: empty
                  Interface inside (192.168.10.1): Normal (Monitored)
                  Interface outside (10.1.2.1): Normal (Monitored)
                  Interface management (192.168.1.101): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 12455 (sec)
                  Interface inside (192.168.10.2): Normal (Monitored)
                  Interface outside (10.1.2.2): Normal (Monitored)
                  Interface management (192.168.1.102): Normal (Monitored)
<...snip...>
ルートの設定
route outside 10.1.1.0 255.255.255.0 10.1.2.254 1
route outside 192.168.20.0 255.255.255.0 10.1.2.254 1
IPsec の設定

IKE ポリシーの定義及び有効化

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

Tunnel Group (LAN-to-LAN プロファイル)の作成

tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco

セレクタ ACL の設定

object-group network local-network
 network-object 192.168.10.0 255.255.255.0
object-group network remote-network
 network-object 192.168.20.0 255.255.255.0
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network

NAT 除外設定

nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup

IKE トランスフォーム設定

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

Crypto MAP の設定とインターフェースへの適用

crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 10.1.1.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside

IPsec 関連の最終設定

<...snip...>
object-group network local-network
 network-object 192.168.10.0 255.255.255.0
object-group network remote-network
 network-object 192.168.20.0 255.255.255.0
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
<...snip...>
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
<...snip...>
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 10.1.1.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
<...snip...>
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****

IPsec の確認

ciscoasa# show crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.1.1.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ciscoasa# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 10.1.2.1
      access-list asa-router-vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 10.1.1.2
      #pkts encaps: 21281, #pkts encrypt: 21281, #pkts digest: 21281
      #pkts decaps: 21281, #pkts decrypt: 21281, #pkts verify: 21281
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 21281, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

packet-tracer での確認

ciscoasa# packet-tracer input inside icmp 192.168.10.100 0 8 192.168.20.100
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.20.0    255.255.255.0   via 10.1.2.254, outside
!...上記ルーティングテーブルにより転送されている事を確認
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.20.100/0 to 192.168.20.100/0
!...上記 NAT 設定により、暗号化対象のフローは NAT 対象外となっている事を確認
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.10.100/0 to 192.168.10.100/0
<...snip...>
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
!...VPN により暗号化され、通信が許可されている事を確認
<...snip...>
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
!...最終的に該当通信を許可している事を確認

VyOS 設定例

IKE ポリシーの設定

set vpn ipsec ike-group IKE-1W lifetime 86400
set vpn ipsec ike-group IKE-1W proposal 1 dh-group 2
set vpn ipsec ike-group IKE-1W proposal 1 encryption aes128
set vpn ipsec ike-group IKE-1W proposal 1 hash sha1

Phase2ポリシーの設定

set vpn ipsec esp-group ESP-1W lifetime 28800
set vpn ipsec esp-group ESP-1W mode tunnel
set vpn ipsec esp-group ESP-1W pfs dh-group2
set vpn ipsec esp-group ESP-1W proposal 1 encryption aes128
set vpn ipsec esp-group ESP-1W proposal 1 hash sha1

インターフェースでの IPsec 有効化

set vpn ipsec ipsec-interfaces interface eth2

NAT-T 有効化

set vpn ipsec nat-traversal enable

IPsec ピアの設定

set vpn ipsec site-to-site peer 10.1.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 10.1.2.1 authentication pre-shared-secret cisco
set vpn ipsec site-to-site peer 10.1.2.1 default-esp-group ESP-1W
set vpn ipsec site-to-site peer 10.1.2.1 ike-group IKE-1W
set vpn ipsec site-to-site peer 10.1.2.1 local-address 10.1.1.2
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 esp-group ESP-1W
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 remote prefix 192.168.10.0/24

設定の有効化と保存

commit
save

IPsec 関連の最終設定

show | commands | grep vpn
set vpn ipsec esp-group ESP-1W lifetime '28800'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'dh-group2'
set vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1W lifetime '86400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth2'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 10.1.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.1.2.1 authentication pre-shared-secret 'cisco'
set vpn ipsec site-to-site peer 10.1.2.1 default-esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 10.1.2.1 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 10.1.2.1 local-address '10.1.1.2'
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 local prefix '192.168.20.0/24'
set vpn ipsec site-to-site peer 10.1.2.1 tunnel 1 remote prefix '192.168.10.0/24'

IPsec の確認

vyos@vyos02# run show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.2.1                                10.1.1.2
    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes128   sha1    2        no     11316   86400

vyos@vyos02# run show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.2.1                                10.1.1.2
    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     1.7M/1.7M      aes128   sha1    no     11319   28800   all

冗長試験

正常時

①ASA のフェイルオーバ状況を確認する。*2

ciscoasa# failover exec active show fail
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
Version: Ours 9.2(0)2, Mate 9.2(0)2
Last Failover at: 02:57:55 UTC Sep 19 2016
        This host: Primary - Active 		<--- プライマリ(ASA01)が Active
                Active time: 12055 (sec)
                slot 0: empty
                  Interface inside (192.168.10.1): Normal (Monitored)
                  Interface outside (10.1.2.1): Normal (Monitored)
                  Interface management (192.168.1.101): Normal (Monitored)
        Other host: Secondary - Standby Ready	<--- セカンダリ(ASA02)が Standby
                Active time: 12455 (sec)
                  Interface inside (192.168.10.2): Normal (Monitored)
                  Interface outside (10.1.2.2): Normal (Monitored)
                  Interface management (192.168.1.102): Normal (Monitored)

②CentOS01 から CentOS02 へ Ping を実行し、通信状況を確認する。

CentOS01の Ping 状況

[root@centos01 ~]# ping 192.168.20.100 -c 2
PING 192.168.20.100 (192.168.20.100) 56(84) bytes of data.
64 bytes from 192.168.20.100: icmp_seq=1 ttl=63 time=1.39 ms
64 bytes from 192.168.20.100: icmp_seq=2 ttl=63 time=1.45 ms
<...snip...>

ASA でパケットキャプチャ

ciscoasa# capture capout interface outside match esp any any
ciscoasa# show capture capout
<...snip...>
   1: 06:12:28.294433       10.1.2.1 > 10.1.1.2:  ip-proto-50, length 132
   2: 06:12:28.295227       10.1.1.2 > 10.1.2.1:  ip-proto-50, length 132
<...snip...>
ciscoasa# no capture capout interface outside match esp any any
故障時*3

①ASA のフェイルオーバ状況を確認する。*4

ciscoasa# failover exec active show fail
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 61 maximum
Version: Ours 9.2(0)2, Mate 9.2(0)2
Last Failover at: 06:27:56 UTC Sep 19 2016
        This host: Secondary - Active	<--- セカンダリ(ASA02)が Active へ遷移
                Active time: 40 (sec)
                slot 0: empty
                  Interface inside (192.168.10.1): Normal (Monitored)
                  Interface outside (10.1.2.1): Normal (Waiting)
                  Interface management (192.168.1.101): Normal (Monitored)
        Other host: Primary - Failed	<--- プライマリ(ASA01)が Failed へ遷移
                Active time: 12567 (sec)
                  Interface inside (192.168.10.2): Normal (Monitored)
                  Interface outside (10.1.2.2): No Link (Waiting)
                  Interface management (192.168.1.102): Normal (Monitored)

②CentOS01 から CentOS02 へ Ping を実行し、通信状況を確認する。

CentOS01の Ping 状況

[root@centos01 ~]# ping 192.168.20.100 -c 2
PING 192.168.20.100 (192.168.20.100) 56(84) bytes of data.
64 bytes from 192.168.20.100: icmp_seq=1 ttl=63 time=2.61 ms
64 bytes from 192.168.20.100: icmp_seq=2 ttl=63 time=12.6 ms
<...snip...>

ASA でパケットキャプチャ

ciscoasa# capture capout interface outside match esp any any
ciscoasa# show capture capout
<...snip...>
   1: 06:32:43.445243       10.1.2.1 > 10.1.1.2:  ip-proto-50, length 132
   2: 06:32:43.446067       10.1.1.2 > 10.1.2.1:  ip-proto-50, length 132
<...snip...>
ciscoasa# no capture capout interface outside match esp any any

*1:ASAv(OVA) のインストールは vCenter Server が必須。インストール後の起動には vCenter Server は不要

*2:SSH 経由のため、"failover exec"コマンドを使用し、active 側で確認コマンドを実行する。

*3:ASA01の Outside インターフェース(Ge0/1)で疑似故障発生時

*4:SSH 経由のため、"failover exec"コマンドを使用し、active 側で確認コマンドを実行する。

広告を非表示にする