Vpn site to site 2 asa qua gpon ftth thực tế

1. VPN Site to Site 2 ASA qua GPON FTTH thực tế
I. Tổng quan:
1.1 Mô hình:

3. 1.2 Yêu cầu:
Hai con ASA được đặt sau 2 NAT router là GPON-HCM và GPON-HN.
Triển khai VPN Site to Site dùng IPSec trên 2 con ASA 8.42 và ASA 9.21 để kết nối Site HCM
và HN.
II. Cấu hình:
2.2 SITE HN:
2.2.1 Cấu hình GPON-HN:

6. 2.2.2 ASA HN:
ASA-HN(config-if)# int g0/0ASA-HN(config-if)# nameif outside
ASA-HN(config-if)# ip address 172.16.1.2 255.255.255.0
ASA-HN(config-if)# no shutdown
ASA-HN(config-if)# int g0/1ASA-HN(config-if)# nameif inside
ASA-HN(config-if)# ip address 10.20.20.1 255.255.255.0

7. ASA-HN(config-if)# no shutdown
ASA-HN(config)# route outside 0 0 172.16.1.1
ASA-HN(config)# crypto ikev1 policy 10
ASA-HN(config-ikev1-policy)# authentication pre-share
ASA-HN(config-ikev1-policy)# encryption 3des
ASA-HN(config-ikev1-policy)# hash md5
ASA-HN(config-ikev1-policy)# group 2
ASA-HN(config-ikev1-policy)# lifetime 86400
ASA-HN(config)# crypto ipsec ikev1 transform-set SVUIT esp-3des esp-md5-hmac
ASA-HN(config-if)# object network INSIDE-HCM
ASA-HN(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA-HN(config-if)# object network DMZ-HCM
ASA-HN(config-network-object)# subnet 10.10.20.0 255.255.255.0
ASA-HN(config)# object network INSIDE-HN
ASA-HN(config-network-object)# subnet 10.20.20.0 255.255.255.0
ASA-HN(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HN object INSIDE-HCM
ASA-HN(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HN object DMZ-HCM
ASA-HN(config)# crypto map ASA-VPN 10 match address VPN-TRAFFIC
ASA-HN(config)# crypto map ASA-VPN 10 set peer 118.69.60.240
ASA-HN(config)# crypto map ASA-VPN 10 set ikev1 transform-set SVUIT
ASA-HN(config)# crypto map ASA-VPN interface outside
ASA-HN(config)# crypto ikev1 enable outside
ASA-HN(config)# tunnel-group 118.69.60.240 type ipsec-l2l
ASA-HN(config)# tunnel-group 118.69.60.240 ipsec-attributes
ASA-HN(config-tunnel-ipsec)# ikev1 pre-shared-key svuit.com
ASA-HN(config-tunnel-ipsec)# exit
2.2.3 KẾT NỐI VPN:
show crypto ikev1
ASA-HN# sh crypto ikev1 sa
There are no IKEv1 SAs
show crypto ipsec
ASA-HN# show crypto ipsec sa
There are no ipsec sas

8. show crypto isakmp
ASA-HN# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
Trước khi khởi tạo kết nối, chạy một số lệnh debug:
ASA-HN# debug crypto ipsecASA-HN#
ASA-HN# debug crypto ikev1ASA-HN#
Ping, khởi tạo kết nối đến Site HCM
Kết quả debug crypto ikev1 10
ASA-HN# debug crypto ikev1 10
ASA-HN# Sep 12 18:43:17 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Sep 12 18:43:17 [IKEv1]IP = 118.69.60.240, IKE Initiator: New Phase 1, Intf inside, IKE Peer 118.69.6
local Proxy Address 10.20.20.0, remote Proxy Address10.10.10.0, Crypto map (ASA-VPN)
Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing ISAKMP SA payload
Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Traversal VIDver 02 payload
Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Traversal VIDver 03 payload
Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Traversal VIDver RFC payload
Sep 12 18:43:17 [IKEv1 DEBUG]IP = 118.69.60.240, constructing Fragmentation VID+ extended capa
payload
Sep 12 18:43:17 [IKEv1]IP = 118.69.60.240, IKE_DECODE SENDING Message (msgid=0)with payloa
HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR(13) + NONE (0) total leng
Sep 12 18:43:25 [IKEv1]IKE Receiver: Packet received on 172.16.1.2:500 from 118.69.60.240:500

9. Sep 12 18:43:25 [IKEv1]IP = 118.69.60.240, IKE_DECODE RECEIVED Message (msgid=0)with paylo
HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing SA payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Oakley proposal is acceptable
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received NAT-Traversal ver 02 VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received Fragmentation VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, IKE Peer included IKE fragmentation capability fl
Main Mode: True Aggressive Mode: True
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing ke payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing nonce payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing Cisco Unity VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing xauth V6 VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Send IOS VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Constructing ASA spoofing IOS Vendor ID paylo
(version: 1.0.0, capabilities: 20000001)
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Discovery payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, constructing NAT-Discovery payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash
Sep 12 18:43:25 [IKEv1]IP = 118.69.60.240, IKE_DECODE SENDING Message (msgid=0) with payloa
HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NA
(130) + NAT-D (130) + NONE (0) total length : 296
Sep 12 18:43:25 [IKEv1]IKE Receiver: Packet received on 172.16.1.2:500 from 118.69.60.240:500
Sep 12 18:43:25 [IKEv1]IP = 118.69.60.240, IKE_DECODE RECEIVED Message (msgid=0) with paylo
HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NA
(130) + NAT-D (130) + NONE (0) total length : 296
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing ke payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing ISA_KE payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing nonce payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received Cisco Unity client VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received xauth V6 VID
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Processing VPN3000/ASA spoofing IOS Vendor
payload (version: 1.0.0, capabilities: 20000001)
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing VID payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, Received Altiga/Cisco VPN3000/Cisco ASA GW
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing NAT-Discovery payload
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash
Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, processing NAT-Discovery payload

10. Sep 12 18:43:25 [IKEv1 DEBUG]IP = 118.69.60.240, computing NAT Discovery hash
show crypto ikev1
ASA-HN# sh crypto ikev1 sa
IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 118.69.60.240 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE
show crypto isakmp
ASA-HN# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)Total IKE SA: 1
1 IKE Peer: 118.69.60.240 Type : L2L Role : initiator Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
show crypto ipsec sa
ASA-HN# show crypto ipsec sa
interface: outside
Crypto map tag: ASA-VPN, seq num: 10, local addr: 172.16.1.2
access-list VPN-TRAFFIC extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 118.69.60.240
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.1.2/4500, remote crypto endpt.: 118.69.60.240/4500
path mtu 1500, ipsec overhead 66(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled

11. current outbound spi: 006AAEF5
current inbound spi : 86F8261F
inbound esp sas:
spi: 0x86F8261F (2264409631)
transform: esp-3desesp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: ASA-VPN
sa timing: remaining key lifetime (kB/sec): (3914986/27261)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x006AAEF5 (6991605)
transform: esp-3desesp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: ASA-VPN
sa timing: remaining key lifetime (kB/sec): (3914962/27261)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Reset a VPN tunnel
ASA-HN# clear ipsec sa peer 118.69.60.240
ASA-HN# IPSEC: Deleted outbound encrypt rule, SPI 0xC2B56A4B
Rule ID: 0x00007fffdd0e9840
IPSEC: Deleted outbound permit rule, SPI 0xC2B56A4B
Rule ID: 0x00007fffdc4e4940
IPSEC: Deleted outbound VPN context, SPI 0xC2B56A4B
VPN handle: 0x000000000000ff8c
IPSEC: Deleted inbound decrypt rule, SPI 0x3270F109
Rule ID: 0x00007fffdd3190b0
IPSEC: Deleted inbound permit rule, SPI 0x3270F109
Rule ID: 0x00007fffdd3196d0
IPSEC: Deleted inbound tunnel flow rule, SPI 0x3270F109
Rule ID: 0x00007fffdc4e43d0
IPSEC: Deleted inbound VPN context, SPI 0x3270F109
VPN handle: 0x0000000000011dcc
Sau khi reset VPN tunnel

12. ASA-HN# show crypto ipsec sa
There are no ipsec sas
ASA-HN# show crypto ipsec sa
There are no ipsec sas
ASA-HN# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
- IPWAN của GPON bên site Hồ Chí Minh
- IP trong LAN của GPON trong site Hồ Chí Minh

13. - Thực hiện Routing mạng inside ASA để cho ra internet

14. - Mở port cho phép VPN (UDP port 500,4500 và TCP/UDP 10000)

15. - Cấu hình VPN IPSEC tại site Hồ Chí Minh trên ASA
Code:
ASA-HCM(config-if)# int e0/0
ASA-HCM(config-if)# nameif outside
ASA-HCM(config-if)# ip address 192.168.1.191 255.255.255.0
ASA-HCM(config-if)# no shutdown
ASA-HCM(config-if)# int e0/1
ASA-HCM(config-if)# nameif inside
ASA-HCM(config-if)# ip address 10.10.10.1 255.255.255.0
ASA-HCM(config-if)# no shutdown
ASA-HCM(config)# route outside 0 0 192.168.1.1
ASA-HCM(config)# crypto ikev1 policy 10
ASA-HCM(config-ikev1-policy)# authentication pre-share

16. ASA-HCM(config-ikev1-policy)# encryption 3des
ASA-HCM(config-ikev1-policy)# hash md5
ASA-HCM(config-ikev1-policy)# group 2
ASA-HCM(config-ikev1-policy)# lifetime 86400
ASA-HCM(config)# crypto ipsec ikev1 transform-set SVUIT esp-3des esp-md5-hmac
ASA-HCM(config-if)# object network INSIDE-HCM
ASA-HCM(config-network-object)# subnet 10.10.10.0 255.255.255.0
ASA-HCM(config)# object network INSIDE-HN
ASA-HCM(config-network-object)# subnet 10.20.20.0 255.255.255.0
ASA-HCM(config)# access-list VPN-TRAFFIC permit ip object INSIDE-HCM object INSIDE-HN
ASA-HCM(config)# crypto map ASA-VPN 10 match address VPN-TRAFFIC
ASA-HCM(config)# crypto map ASA-VPN 10 set peer 42.118.255.128
ASA-HCM(config)# crypto map ASA-VPN 10 set ikev1 transform-set SVUIT
ASA-HCM(config)# crypto map ASA-VPN interface outside
ASA-HCM(config)# crypto ikev1 enable outside
ASA-HCM(config)# tunnel-group 42.118.255.128 type ipsec-l2l
ASA-HCM(config)# tunnel-group 42.118.255.128 ipsec-attributes
ASA-HCM(config-tunnel-ipsec)# ikev1 pre-shared-key svuit.com
ASA-HCM(config-tunnel-ipsec)# exit
- ping tới GPON site Hà Nôi thành công
ASA-HCM# ping 42.118.255.128
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 42.118.255.128, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
- PC trong mạng inside của ASA ở site Hồ Chí Minh thực hiện ping và truy cập web của PC
trong inside ASA site Hà Nội thành công

17. - Kiểm tra trạng thái VPN
Code:
ASA-HCM# sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 42.118.255.128
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
- Kiểm tra trạng thái IPSEC
Code:
ASA-HCM# sh crypto ipsec sa
interface: outside
Crypto map tag: ASA-VPN, seq num: 10, local addr: 192.168.1.191

18. access-list VPN-TRAFFIC extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0
255.255.255.0
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
current_peer: 42.118.255.128
#pkts encaps: 148, #pkts encrypt: 148, #pkts digest: 148
#pkts decaps: 169, #pkts decrypt: 169, #pkts verify: 169
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 148, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.191/4500, remote crypto endpt.:
42.118.255.128/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 86F8261F
current inbound spi : 006AAEF5
inbound esp sas:
spi: 0x006AAEF5 (6991605)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 4096, crypto-map: ASA-VPN
sa timing: remaining key lifetime (kB/sec): (4373962/27114)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x86F8261F (2264409631)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 4096, crypto-map: ASA-VPN
sa timing: remaining key lifetime (kB/sec): (4373986/27113)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001