
ASA VPN/IPsec with BGP Configuration Example

August 28, 2015 - machine translation (English version: April 23, 2015)

Introduction

This document provides a configuration example for the establishment of a Border Gateway Protocol (BGP) neighborship over an IPsec site-to-site VPN tunnel between a Cisco Adaptive Security Appliance (ASA) that runs software version 9.x and a Cisco IOS router that runs software version 15.x.

Contributed by Dinkar Sharma and Amandeep Sinha, Cisco TAC Engineers.

Prerequisites

Requirements

Cisco recommends that you have knowledge of IPsec site-to-site VPN tunnel configuration on the ASA and on Cisco IOS devices.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 2900 Series Router that runs Cisco IOS Software Release 15.x and later.

  • ASA 5500-X that runs software version 9.x and later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

This section provides the information used in order to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

Command Line Configuration

This document uses the local ASA and remote router configurations.

Local ASA

ASA Version 9.2(2)4

!--- Configure the Inside and outside interface.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.20.1 255.255.255.0
!

!--- Configure BGP router process.

router bgp 200
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 198.51.100.1 remote-as 100
  neighbor 198.51.100.1 description Remote Router
  neighbor 198.51.100.1 ebgp-multihop 255
  neighbor 198.51.100.1 activate
  network 172.16.20.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!
route outside 198.51.100.0 255.255.255.0 203.0.113.2 1
!--- The traffic specified by this ACL is traffic that is to be encrypted and
!--- sent across the VPN tunnel.


access-list outside_cryptomap permit ip host 203.0.113.1 host 198.51.100.1
!

!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 300.
!--- The configuration commands here define the Phase 1 policy parameters that are used.


crypto ikev1 policy 300
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
!

!--- In order to create and manage the database of connection-specific records for
!--- ipsec-l2l (IPsec LAN-to-LAN) tunnels, use the command tunnel-group in global
!--- configuration mode. For L2L connections the name of the tunnel group MUST be the
!--- IP address of the IPsec peer.

tunnel-group 198.51.100.1 type ipsec-l2l

!--- Enter the pre-shared-key in order to configure the authentication method.

tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
!

!--- Enable ikev1 on outside interface.

crypto ikev1 enable outside


!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- Define the transform set for Phase 2.

crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac

!--- Define which traffic should be sent to the IPsec peer.


crypto map outside_map 1 match address outside_cryptomap

!--- Sets the IPsec peer

crypto map outside_map 1 set peer 198.51.100.1

!--- Sets the IPsec transform set "TSET" to be used with the crypto map entry
!--- "outside_map".

crypto map outside_map 1 set ikev1 transform-set TSET

!--- Specifies the interface to be used with the settings defined in
!--- this configuration.


crypto map outside_map interface outside

Remote Router

version 15.1
!
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- The configuration commands here define the Phase 1 policy parameters
!--- that are used.


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5

!--- Enter the pre-shared-key in order to configure the authentication method.


crypto isakmp key cisco123 address 203.0.113.1 255.255.255.0
!

!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- Define the transform set for Phase 2.


crypto ipsec transform-set TSET esp-3des esp-sha-hmac

!--- Define crypto map which is used to establish the IPsec Security Association
!--- for protecting the traffic.

crypto map CMAP 10 ipsec-isakmp

!--- Sets the IP address of the remote end.

 set peer 203.0.113.1

!--- Configures IPsec to use the transform-set
!--- "TSET" defined earlier in this configuration.

 set transform-set TSET

!--- Specifies the interesting traffic to be encrypted.

 match address VPN
!
!
interface Loopback0
 ip address 172.16.30.1 255.255.255.0
!

!--- Configures the interface to use the crypto map "CMAP" for IPsec.

interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!

!--- Configure BGP router process


router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 172.16.30.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 200
 neighbor 203.0.113.1 ebgp-multihop 255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!

!--- Define which traffic should be sent to the IPsec peer.


ip access-list extended VPN
 permit ip host 198.51.100.1 host 203.0.113.1
!
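Before the BGP session can come up inside the tunnel, several values in the two configurations above must agree. As an added example (not part of the original document), this Python script reads constructed excerpts of both configurations and checks that the crypto ACLs mirror each other, that the pre-shared key and the Phase 1 and Phase 2 parameters match, that each side's BGP neighbor address is the destination host of its own crypto ACL (otherwise TCP/179 would leave the interface in clear text), and that each remote-as is the peer's local AS; it also flags 3DES, MD5 and DH group 5, which current guidance treats as legacy. The function names and regexes are this example's own and target only the line shapes shown on this page.

```python
import re
# Constructed excerpts of this page's two configurations (ASA, then IOS), cut to the lines read here.
ASA_CFG = """
access-list outside_cryptomap permit ip host 203.0.113.1 host 198.51.100.1
 encryption 3des
 hash md5
 group 5
 ikev1 pre-shared-key cisco123
crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac
router bgp 200
  neighbor 198.51.100.1 remote-as 100
"""
IOS_CFG = """
 encr 3des
 hash md5
 group 5
crypto isakmp key cisco123 address 203.0.113.1 255.255.255.0
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 permit ip host 198.51.100.1 host 203.0.113.1
router bgp 100
 neighbor 203.0.113.1 remote-as 200
"""
# Algorithms current guidance treats as legacy: 3DES, MD5 and 1536-bit DH group 5.
LEGACY = {"3des", "md5", "5", "esp-3des", "esp-md5-hmac"}
def grab(cfg, pattern):
    # First capture group of a line-anchored regex, or None when no line matches.
    return next(iter(re.findall(pattern, cfg, re.MULTILINE)), None)
def parse(cfg):
    # Fields that must agree between two L2L peers, read from either vendor syntax.
    return {
        "acl": re.search(r"permit ip host (\S+) host (\S+)", cfg).groups(),
        "psk": grab(cfg, r"(?:ikev1 pre-shared-key|crypto isakmp key) (\S+)"),
        "p1": tuple(grab(cfg, rf"^\s*{k} (\S+)") for k in ("encr(?:yption)?", "hash", "group")),
        "p2": grab(cfg, r"transform-set \S+ (esp-\S+ esp-\S+)"),
        "as": grab(cfg, r"^router bgp (\d+)"),
        "nbr": re.search(r"neighbor (\S+) remote-as (\d+)", cfg).groups(),
    }
def check_pair(asa_cfg, ios_cfg):
    # Returns the list of findings; an empty list means the two sides are consistent.
    a, b = parse(asa_cfg), parse(ios_cfg)
    legacy = sorted(LEGACY & set(a["p1"] + tuple(a["p2"].split())))
    checks = [
        (a["acl"] == b["acl"][::-1], "crypto ACLs are not mirror images"),
        (a["psk"] == b["psk"], "pre-shared keys differ"),
        (a["p1"] == b["p1"], "Phase 1 policy mismatch (encryption/hash/group)"),
        (a["p2"] == b["p2"], "Phase 2 transform set mismatch"),
        # BGP (TCP/179) rides the tunnel only if each neighbor is the dst host of its own crypto ACL.
        (a["nbr"][0] == a["acl"][1] and b["nbr"][0] == b["acl"][1],
         "BGP neighbor address is not covered by the crypto ACL"),
        (a["nbr"][1] == b["as"] and b["nbr"][1] == a["as"],
         "remote-as does not match the peer's local AS"),
        (not legacy, "legacy algorithms in use: " + ", ".join(legacy)),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run against the excerpts as written, the only finding is the legacy-algorithm one; swapping in AES-256, SHA and DH group 14 on both sides clears it.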

ASDM Configuration

This document uses the VPN and BGP configurations.

VPN Configuration

Complete these steps:

  1. Choose Wizards > VPN Wizard in order to use the VPN wizard and create a LAN-to-LAN connection. In the VPN Wizard window, Site-to-Site is selected by default; click Next.

  2. In the Peer IP Address field, enter the peer IP address. From the VPN Access Interface drop-down list, choose the interface on which you want to terminate the tunnel. Click Next.

  3. In the Local Network and Remote Network fields, enter the local and remote network IP addresses respectively (that is, the traffic you want to encrypt). Click Next.

    Note: These IP addresses are the local and remote IP addresses between which you want the BGP neighborship to form.

  4. Click the Customized Configuration radio button and then check the IKE version 1 check box. Click Next.

  5. Choose the Authentication Methods tab. In the Pre-Shared Key field, enter the pre-shared key. Click Next.

  6. Choose the Encryption Algorithms tab. In the IKE Policy and IPsec Proposal fields, enter the IKE policy and IPsec proposal you want to use. Click Next.

  7. This configuration is optional. If you choose to skip this step, click Next.

  8. The Summary page displays the configuration completed so far. Click Finish in order to push the configuration to the ASA.

  9. As shown in this image, you can view the VPN configuration.

BGP Configuration

  1. Choose Configuration > Routing > BGP > General. Check the Enable BGP routing check box. In the AS Number field, enter the autonomous system number. Click Apply.

  2. Choose Configuration > Routing > BGP > IPv4 Family > Neighbor. In the IP Address and Remote AS fields, enter the BGP neighbor IP address (that is, the remote router) and the remote AS number respectively. Click OK.

  3. Choose Configuration > Routing > BGP > IPv4 Family > Networks. Enter the information for the networks you want to advertise to the remote router.

Verify

Use this section in order to confirm that your configuration works properly.

You can use ASDM in order to enable logging and to view the logs:

  • show crypto isakmp sa - Displays the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs) built between the peers.
    ASA# show crypto isakmp sa
    IKEv1 SAs:
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 198.51.100.1
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE

    There are no IKEv2 SAs

    Router#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    203.0.113.1     198.51.100.1    QM_IDLE           1024    0 ACTIVE

    IPv6 Crypto ISAKMP SA
  • show crypto ipsec sa - Displays the SAs built for each Phase 2 and the amount of traffic sent.
    ASA# show crypto ipsec sa
    interface: outside
       
        Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
          local ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/0/0)
          remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/0/0)
          current_peer: 198.51.100.1

          #pkts encaps: 168, #pkts encrypt: 168, #pkts digest: 168
          #pkts decaps: 172, #pkts decrypt: 172, #pkts verify: 172
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 168, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 203.0.113.1/0, remote crypto endpt.: 198.51.100.1/0
          path mtu 1500, ipsec overhead 58(36), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: 8827DADE
          current inbound spi : 338E6488

        inbound esp sas:
          spi: 0x338E6488 (864969864)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 65536, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4374000/1988)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x8827DADE (2284313310)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 65536, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (4373989/1988)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    Router# show crypto ipsec sa

    interface: FastEthernet0/0
        Crypto map tag: CMAP, local addr 198.51.100.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/0/0)
       current_peer 203.0.113.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 181, #pkts encrypt: 181, #pkts digest: 181
        #pkts decaps: 167, #pkts decrypt: 167, #pkts verify: 167
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 198.51.100.1, remote crypto endpt.: 203.0.113.1
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x338E6488(864969864)

         inbound esp sas:
          spi: 0x8827DADE(2284313310)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 3007, flow_id: NETGX:1007, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (4406240/1952)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x338E6488(864969864)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 3008, flow_id: NETGX:1008, crypto map: CMAP
            sa timing: remaining key lifetime (k/sec): (4406261/1952)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
  • show bgp neighbors - Displays the status of the BGP neighbor relationship.

    ASA# show bgp neighbors

    BGP neighbor is 198.51.100.1,  context single_vf,  remote AS 100, external link
     Description: Remote Router
      BGP version 4, remote router ID 172.16.30.1
      BGP state = Established, up for 00:00:12
      Last read 00:00:12, last write 00:00:11, hold time is 180, keepalive interval is 60 seconds
      Neighbor sessions:
        1 active, is not multisession capable (disabled)
      Neighbor capabilities:
        Route refresh: advertised and received(new)
        Four-octets ASN Capability: advertised
        Address family IPv4 Unicast: advertised and received
        Multisession Capability:
      Message statistics:
        InQ depth is 0
        OutQ depth is 0

                       Sent       Rcvd
        Opens:         1          1
        Notifications: 0          0
        Updates:       2          1
        Keepalives:    2          3
        Route Refresh: 0          0
        Total:         5          5
      Default minimum time between advertisement runs is 30 seconds

     For address family: IPv4 Unicast
      Session: 198.51.100.1
      BGP table version 3, neighbor version 3/0
      Output queue size : 0
      Index 1
      1 update-group member
                               Sent       Rcvd
      Prefix activity:         ----       ----
        Prefixes Current:      1          1          (Consumes 80 bytes)
        Prefixes Total:        1          1
        Implicit Withdraw:     0          0
        Explicit Withdraw:     0          0
        Used as bestpath:      n/a        1
        Used as multipath:     n/a        0

                                    Outbound    Inbound
      Local Policy Denied Prefixes: --------    -------
        Bestpath from this peer:     1          n/a
        Total:                       1          0
      Number of NLRIs in the update sent: max 1, min 0

      Address tracking is enabled, the RIB does have a route to 198.51.100.1
      Connections established 1; dropped 0
      Last reset never
      External BGP neighbor may be up to 255 hops away.
      Transport(tcp) path-mtu-discovery is enabled
      Graceful-Restart is disabled
    Router# show ip bgp neighbors
    BGP neighbor is 203.0.113.1,  remote AS 200, external link
      BGP version 4, remote router ID 203.0.113.1
      BGP state = Established, up for 00:01:16
      Last read 00:00:10, last write 00:00:16, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        Route refresh: advertised and received(old & new)
        Address family IPv4 Unicast: advertised and received
      Message statistics:
        InQ depth is 0
        OutQ depth is 0
                             Sent       Rcvd
        Opens:                  6          6
        Notifications:          4          0
        Updates:               11         12
        Keepalives:          4248       3817
        Route Refresh:          0          0
        Total:               4269       3835
      Default minimum time between advertisement runs is 30 seconds

     For address family: IPv4 Unicast
      BGP table version 26, neighbor version 26/0
      Output queue size: 0
      Index 1, Offset 0, Mask 0x2
      1 update-group member
                                     Sent       Rcvd
      Prefix activity:               ----       ----
        Prefixes Current:               1          1 (Consumes 52 bytes)
        Prefixes Total:                 1          1
        Implicit Withdraw:              0          0
        Explicit Withdraw:              0          0
        Used as bestpath:             n/a          1
        Used as multipath:            n/a          0

                                       Outbound    Inbound
      Local Policy Denied Prefixes:    --------    -------
        Bestpath from this peer:              1        n/a
        Total:                                1          0
      Number of NLRIs in the update sent: max 3, min 0

      Connections established 6; dropped 5
      Last reset 5d22h, due to Peer closed the session
      External BGP neighbor may be up to 255 hops away.
    Connection state is ESTAB, I/O status: 1, unread input bytes: 0
    Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
    Local host: 198.51.100.1, Local port: 179
    Foreign host: 203.0.113.1, Foreign port: 62727
    Connection tableid (VRF): 0

    Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

    Event Timers (current time is 0x300AAA8C):
    Timer          Starts    Wakeups            Next
    Retrans             7          0             0x0
    TimeWait            0          0             0x0
    AckHold             4          1             0x0
    SendWnd             0          0             0x0
    KeepAlive           0          0             0x0
    GiveUp              0          0             0x0
    PmtuAger            0          0             0x0
    DeadWait            0          0             0x0
    Linger              0          0             0x0
    ProcessQ            0          0             0x0

    iss: 4087014083  snduna: 4087014257  sndnxt: 4087014257     sndwnd:  32768
    irs: 1434855898  rcvnxt: 1434856084  rcvwnd:      16199  delrcvwnd:    185

    SRTT: 182 ms, RTTO: 1073 ms, RTV: 891 ms, KRTT: 0 ms
    minRTT: 0 ms, maxRTT: 300 ms, ACK hold: 200 ms
    Status Flags: passive open, gen tcbs
    Option Flags: nagle
    IP Precedence value : 6

    Datagrams (max data segment is 536 bytes):
    Rcvd: 14 (out of order: 0), with data: 5, total data bytes: 185
    Sent: 9 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 6, total data bytes: 173
     Packets received in fast path: 0, fast processed: 0, slow path: 0
     Packets send in fast path: 0
     fast lock acquisition failures: 0, slow path: 0
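The two devices' outputs above can be cross-checked mechanically. This added example (not part of the original document) parses constructed excerpts of the show crypto ipsec sa and BGP neighbor output from both devices and confirms that the SPI each side transmits on is the SPI the other side receives on, that every decapsulated packet passed integrity verification, and that the BGP state is Established on both ends. The function names are this example's own.

```python
import re
# Constructed excerpts of the "show crypto ipsec sa" and BGP neighbor output above, one per device.
ASA_OUT = """
ASA# show crypto ipsec sa
          #pkts encaps: 168, #pkts encrypt: 168, #pkts digest: 168
          #pkts decaps: 172, #pkts decrypt: 172, #pkts verify: 172
          current outbound spi: 8827DADE
          current inbound spi : 338E6488
ASA# show bgp neighbors
      BGP state = Established, up for 00:00:12
"""
IOS_OUT = """
Router# show crypto ipsec sa
        #pkts encaps: 181, #pkts encrypt: 181, #pkts digest: 181
        #pkts decaps: 167, #pkts decrypt: 167, #pkts verify: 167
         inbound esp sas:
          spi: 0x8827DADE(2284313310)
         outbound esp sas:
          spi: 0x338E6488(864969864)
Router# show ip bgp neighbors
      BGP state = Established, up for 00:01:16
"""

def num(text, label):
    # Integer from a counter such as "#pkts decaps: 172".
    return int(re.search(rf"#pkts {label}: (\d+)", text).group(1))

def parse_side(text):
    # SPIs (upper-case hex, no 0x), traffic counters and BGP state for one device.
    # ASA prints "current outbound spi: X"; IOS lists each SPI under "inbound/outbound esp sas:".
    asa = re.search(r"current outbound spi: ([0-9A-Fa-f]+)", text)
    if asa:
        out_spi = asa.group(1)
        in_spi = re.search(r"current inbound spi\s*: ([0-9A-Fa-f]+)", text).group(1)
    else:
        in_spi = re.search(r"inbound esp sas:\s+spi: 0x([0-9A-Fa-f]+)", text).group(1)
        out_spi = re.search(r"outbound esp sas:\s+spi: 0x([0-9A-Fa-f]+)", text).group(1)
    return {"in": in_spi.upper(), "out": out_spi.upper(),
            "decaps": num(text, "decaps"), "verify": num(text, "verify"),
            "bgp": re.search(r"BGP state = (\w+)", text).group(1)}

def verify_tunnel(asa_text, ios_text):
    # The SPI one side sends on must be the SPI the other side receives on, every
    # decapsulated packet must have passed integrity verification, and BGP must be
    # Established on both devices. Returns a list of findings (empty when all is well).
    a, b = parse_side(asa_text), parse_side(ios_text)
    checks = [
        (a["out"] == b["in"] and a["in"] == b["out"], "SPIs do not pair up across the two sides"),
        (a["decaps"] > 0 and b["decaps"] > 0, "no traffic decapsulated on at least one side"),
        (a["verify"] == a["decaps"] and b["verify"] == b["decaps"],
         "integrity verification count differs from decaps count"),
        (a["bgp"] == b["bgp"] == "Established", "BGP session is not Established on both sides"),
    ]
    return [msg for ok, msg in checks if not ok]
```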

Check the routing tables in order to verify that traffic is routed across the LAN-to-LAN connection.

  • show route (ASA) / show ip route (router) - Displays the IP routing table entries.
ASA# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C        172.16.20.0 255.255.255.0 is directly connected, inside
L        172.16.20.1 255.255.255.255 is directly connected, inside
B        172.16.30.0 255.255.255.0 [20/0] via 198.51.100.1, 01:43:14
S     198.51.100.0 255.255.255.0 [1/0] via 203.0.113.2, outside
C        203.0.113.0 255.255.255.0 is directly connected, outside
L        203.0.113.1 255.255.255.255 is directly connected, outside


Router# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 198.51.100.2 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.30.0 is directly connected, Loopback0
B       172.16.20.0 [20/0] via 203.0.113.1, 01:44:02
C    198.51.100.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.106.45.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 198.51.100.2

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information




Document ID: 118835