IPSec NAT traversal
IPSec has two encapsulation formats, AH and ESP. Because AH's integrity check covers the packet's source and destination IP addresses, NAT absolutely cannot be deployed with it: the receiving end fails the integrity check on the translated packet and drops it. ESP can pass through NAT but not PAT, because an ESP packet carries no transport-layer header, so there are no ports to translate and the packet is dropped. Cisco developed NAT traversal (NAT-T) to solve this problem. During the IKE phase 1 negotiation, a VID (vendor ID) payload indicates whether the router supports NAT-T; then, in messages 3 and 4, the peers exchange NAT-D payloads (a hash of the source IP and source port, or of the destination IP and destination port). By comparing these hashes, the peers learn whether NAT has been applied along the path, and from then on every subsequent packet carries a UDP/4500 header after the IP header, which makes PAT possible. A deployment configuration example follows.
Topology diagram: R1 (Lo0 172.16.10.1) -- 12.1.1.0/24 -- R2 (NAT/PAT) -- 23.1.1.0/24 -- R3 -- 34.1.1.0/24 -- R4 (Lo0 172.16.40.1)
R1 configuration
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key nat address 34.1.1.4
ip access-list extended ipsec
permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255
crypto ipsec transform-set ipsec esp-3des esp-md5-hmac
mode tunnel
crypto map ipsec 10 ipsec-isakmp
set peer 34.1.1.4
set transform-set ipsec
match address ipsec
interface Loopback0
ip address 172.16.10.1 255.255.255.0
interface Ethernet0/1
ip address 12.1.1.1 255.255.255.0
crypto map ipsec
ip route 0.0.0.0 0.0.0.0 12.1.1.2
R2 configuration
interface Ethernet0/0
ip address 23.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
ip address 12.1.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip nat inside source list 1 interface Ethernet0/0 overload
access-list 1 permit any
ip route 0.0.0.0 0.0.0.0 23.1.1.3
ip route 172.16.10.0 255.255.255.0 12.1.1.1
R3 configuration
interface Ethernet0/0
ip address 23.1.1.3 255.255.255.0
!
interface Ethernet0/1
ip address 34.1.1.3 255.255.255.0
R4 configuration
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key nat address 23.1.1.2 ! the peer is the NAT device's outside address, not R1's real address
crypto ipsec transform-set ipsec esp-3des esp-md5-hmac
mode tunnel
ip access-list extended ipsec
permit ip 172.16.40.0 0.0.0.255 172.16.10.0 0.0.0.255
crypto map ipsec 10 ipsec-isakmp
set peer 23.1.1.2
set transform-set ipsec
match address ipsec
interface Loopback0
ip address 172.16.40.1 255.255.255.0
interface Ethernet0/1
ip address 34.1.1.4 255.255.255.0
crypto map ipsec
ip route 0.0.0.0 0.0.0.0 34.1.1.3
View the IPsec session state on R1:
R1#show crypto session
Crypto session current status
Interface: Ethernet0/1
Session status: UP-ACTIVE
Peer: 34.1.1.4 port 4500
IKEv1 SA: local 12.1.1.1/4500 remote 34.1.1.4/4500 Active
IPSEC FLOW: permit ip 172.16.10.0/255.255.255.0 172.16.40.0/255.255.255.0
Active SAs: 2, origin: crypto map
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
34.1.1.4 12.1.1.1 QM_IDLE 1001 ACTIVE
View the NAT translations on R2:
R2#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 23.1.1.2:4500 12.1.1.1:4500 34.1.1.4:4500 34.1.1.4:4500
The translation entry shows that the traffic has been re-encapsulated in UDP on port 4500.
Test connectivity from R1 to complete the lab:
R1#ping 172.16.40.1 source l0 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 172.16.40.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.10.1
!!!!!!!!!!
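To show how the NAT-D comparison described at the top of the page leads to the UDP/4500 session seen in the show output, here is an added example (not part of the original post, and not Cisco's code) that computes RFC 3947 NAT-D hashes with this lab's addresses. It uses MD5 because the phase 1 policy negotiates hash md5; the ISAKMP cookies are constructed placeholder values, since the page contains no packet capture.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies (hypothetical; the lab capture is not on the page).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d(ip: str, port: int, hash_name: str = "md5") -> bytes:
    """NAT-D payload value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    The hash is the phase 1 algorithm, 'hash md5' in this lab's ISAKMP policy."""
    data = CKY_I + CKY_R + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def detect_nat(sent_dst, sent_src, seen_local, seen_remote):
    """Receiver-side check. sent_dst/sent_src are the NAT-D hashes the peer put in
    the packet (first the address it sent to, then its own address). seen_local and
    seen_remote are the (ip, port) pairs the receiver actually sees in the IP/UDP
    header of the packet it got. Returns (local_behind_nat, remote_behind_nat)."""
    local_behind_nat = sent_dst != nat_d(*seen_local)
    remote_behind_nat = sent_src != nat_d(*seen_remote)
    return local_behind_nat, remote_behind_nat


def lab_scenario():
    """R1 (12.1.1.1) initiates to R4 (34.1.1.4); R2 PATs R1 to 23.1.1.2."""
    # R1 hashes the addresses it knows: the peer it targets, then itself.
    r1_sends = (nat_d("34.1.1.4", 500), nat_d("12.1.1.1", 500))
    # After R2's PAT, R4 sees destination 34.1.1.4 but source 23.1.1.2.
    r4_local, r4_remote = ("34.1.1.4", 500), ("23.1.1.2", 500)
    local_nat, remote_nat = detect_nat(*r1_sends, r4_local, r4_remote)
    # If either side is behind NAT, IKE and ESP move to UDP/4500 (RFC 3948),
    # which is why 'show crypto session' reports the peer on port 4500.
    port = 4500 if (local_nat or remote_nat) else 500
    return {"r4_behind_nat": local_nat, "r1_behind_nat": remote_nat, "port": port}


if __name__ == "__main__":
    print(lab_scenario())
```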