Cisco ASA version 9.7.1 and later supports Active/Active mode. With these Cisco ASAs, you can keep both tunnels active at the same time. With this redundancy, you should always be able to connect to your VPC through one of the tunnels.
Example configuration
- Configure the outside interface.
- Ensure that the Crypto ISAKMP policy sequence number is unique.
- Ensure that the Crypto IPsec transform set and the Crypto ISAKMP policy sequence are consistent with any other IPsec tunnels configured on the device.
- Configure all routing that carries traffic between the customer gateway and your local network.
Important
The configuration information below is an example of what you can expect your integration team to provide. Many of the values in the following example will differ from the actual configuration information you receive. You must use the actual values rather than the sample values shown here, or your implementation will fail.
```
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! -------------------------------------------------------------------------
! IPSec Tunnel #1
! -------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
!
! Note that there is a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #200, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto ikev1 enable 'outside_interface'
crypto ikev1 policy 200
  encryption aes
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
! -------------------------------------------------------------------------
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
!
crypto ipsec ikev1 transform-set ipsec-prop-vpn-12345678-0 esp-aes esp-sha-hmac
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-12345678-0
  set pfs group2
  set security-association lifetime seconds 3600
  set ikev1 transform-set ipsec-prop-vpn-12345678-0
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
crypto ipsec df-bit clear-df 'outside_interface'
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1379
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
!
crypto ipsec fragmentation before-encryption 'outside_interface'
! -------------------------------------------------------------------------
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group 13.54.43.86 type ipsec-l2l
tunnel-group 13.54.43.86 ipsec-attributes
  ikev1 pre-shared-key pre-shared-key
!
! This option enables IPSec Dead Peer Detection, which causes semi-periodic
! messages to be sent to ensure a Security Association remains operational.
!
  isakmp keepalive threshold 10 retry 10
exit
! -------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
interface Tunnel1
  nameif Tunnel-int-vpn-12345678-0
  ip address 169.254.33.198 255.255.255.252
  tunnel source interface 'outside_interface'
  tunnel destination 13.54.43.86
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-12345678-0
  no shutdown
exit
! -------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
!
route Tunnel-int-vpn-12345678-0 10.0.0.0 255.255.0.0 169.254.33.197 100
! -------------------------------------------------------------------------
! IPSec Tunnel #2
! -------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
!
! Note that there is a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto ikev1 enable 'outside_interface'
crypto ikev1 policy 201
  encryption aes
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
! -------------------------------------------------------------------------
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
!
crypto ipsec ikev1 transform-set ipsec-prop-vpn-12345678-1 esp-aes esp-sha-hmac
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-12345678-1
  set pfs group2
  set security-association lifetime seconds 3600
  set ikev1 transform-set ipsec-prop-vpn-12345678-1
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
crypto ipsec df-bit clear-df 'outside_interface'
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1379
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
!
crypto ipsec fragmentation before-encryption 'outside_interface'
! -------------------------------------------------------------------------
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group 52.65.137.78 type ipsec-l2l
tunnel-group 52.65.137.78 ipsec-attributes
  ikev1 pre-shared-key pre-shared-key
!
! This option enables IPSec Dead Peer Detection, which causes semi-periodic
! messages to be sent to ensure a Security Association remains operational.
!
  isakmp keepalive threshold 10 retry 10
exit
! -------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
interface Tunnel2
  nameif Tunnel-int-vpn-12345678-1
  ip address 169.254.33.194 255.255.255.252
  tunnel source interface 'outside_interface'
  tunnel destination 52.65.137.78
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-12345678-1
  no shutdown
exit
! -------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
!
route Tunnel-int-vpn-12345678-1 10.0.0.0 255.255.0.0 169.254.33.193 200
```
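The checklist above asks you to keep the ISAKMP policy sequence numbers unique and the transform sets and profiles consistent across both tunnels. The following script is an added example (not part of the original page or an AWS/Cisco tool) that performs those checks on an ASA configuration text; the sample input is constructed from the page's two-tunnel layout with two deliberate mistakes (Tunnel #2 reuses policy 200 instead of 201, and its profile names a transform set that is never defined) so the checker has something to report.

```python
import re
from collections import Counter

# Constructed sample (not the page's full config): only the cross-referenced
# lines of the two tunnels, with a duplicated policy number and an undefined
# transform-set reference inserted on purpose.
SAMPLE_CONFIG = """\
crypto ikev1 policy 200
  encryption aes
crypto ipsec ikev1 transform-set ipsec-prop-vpn-12345678-0 esp-aes esp-sha-hmac
crypto ipsec profile ipsec-vpn-12345678-0
  set ikev1 transform-set ipsec-prop-vpn-12345678-0
interface Tunnel1
  tunnel protection ipsec profile ipsec-vpn-12345678-0
crypto ikev1 policy 200
crypto ipsec ikev1 transform-set ipsec-prop-vpn-12345678-1 esp-aes esp-sha-hmac
crypto ipsec profile ipsec-vpn-12345678-1
  set ikev1 transform-set ipsec-prop-vpn-12345678-9
interface Tunnel2
  tunnel protection ipsec profile ipsec-vpn-12345678-1
"""

def check_asa_vpn_config(text):
    """Return findings: duplicate ISAKMP policy sequence numbers, profiles that
    reference an undefined transform set, tunnels that reference an undefined profile."""
    policies, transform_sets, profiles, tunnels = Counter(), set(), {}, {}
    block = None  # ("profile" | "interface", name) of the sub-mode being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any unindented line ends the current sub-mode
            block = None
        if m := re.match(r"crypto ikev1 policy (\d+)$", line):
            policies[int(m.group(1))] += 1
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) ", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"crypto ipsec profile (\S+)$", line):
            block = ("profile", m.group(1))
            profiles[m.group(1)] = None
        elif m := re.match(r"interface (\S+)$", line):
            block = ("interface", m.group(1))
            tunnels[m.group(1)] = None
        elif (m := re.match(r"set ikev1 transform-set (\S+)$", line)) and block and block[0] == "profile":
            profiles[block[1]] = m.group(1)
        elif (m := re.match(r"tunnel protection ipsec profile (\S+)$", line)) and block and block[0] == "interface":
            tunnels[block[1]] = m.group(1)
    findings = [f"ISAKMP policy {s} defined {n} times" for s, n in sorted(policies.items()) if n > 1]
    findings += [f"profile {p} references undefined transform-set {t}" for p, t in profiles.items() if t not in transform_sets]
    findings += [f"{i} references undefined ipsec profile {p}" for i, p in tunnels.items() if p not in profiles]
    return findings
```

Run it against `show running-config` output saved to a file (submode lines are indented in ASA output, which is what the parser relies on); an empty result means both tunnels' policies, transform sets and profiles line up.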