在FTD上配置IKEv2的VRF感知站点到站点隧道

简介

本文档介绍如何在由Firepower管理中心(FMC)管理的Firepower威胁防御(FTD)上配置可感知虚拟路由和转发(VRF)的IKEv2站点到站点VPN隧道。

先决条件

要求

Cisco 建议您了解以下主题：

• VPN基本知识
• 使用FMC的经验
• 了解VRF实施

使用的组件

本文档中的信息基于以下软件版本：

• Cisco FMC版本7.x
• 思科FTD版本7.x

虚拟路由和转发

在虚拟路由中，可以创建多个虚拟路由器为接口组维护单独的路由表，从而实现网络分离。这样无需使用多个设备即可对网络路径进行分段，从而增加了功能。
由于路由实例是独立的，因此可以使用重叠的IP地址而不会相互冲突。每个VRF都有自己的路由协议会话以及IPv4和IPv6路由表。

限制

• 任何VRF实例中的接口都不能用作隧道终端/VPN接口。
• 用于终止VPN隧道的接口只能位于全局VRF中。

限制1

如果将 outside 接口添加到虚拟路由器 vrf_outside ，则创建站点到站点VPN拓扑时，此接口不会显示在用于选择终端接口的下拉列表中。

限制2

如果接outside 口上存在站点到站点VPN拓扑，则无法将接口添加到VRF实例。FMC产生以下错误：充当VPN隧道的 outside (WAN)接口将终端终止为全局VRF的一部分，而不是自定义VRF。

网络图

配置

在FTD 7.x和任何其他设备（ASA/FTD/路由器或第三方供应商）之间配置IKEv2站点到站点VPN隧道。

导航到 Devices > Device Management。点击 Edit ，然后选择Routing。

步骤1:单击 Manage Virtual Routers如图所示。

第二步：点击 Add Virtual Router 并将所需的VRF实例添加到其中。对于此部署，使用vrf_inside命令。

第三步：创建VRF实例后，将显示添加所需接口的选项。对于此部署，inside将接口添加到vrf_inside中，如图所示。

第四步：对于此部署，这些是站点到站点VPN隧道的流量选择器。

Source: 192.168.70.0/24 [This network is on inside interface which is in "vrf_inside"] 192.168.80.0/24 [This network is on dmz interface which is not in any vrf instance] Destination : 192.168.10.0/24

路由泄漏

VRF允许路由器为不同的虚拟网络维护单独的路由表。需要例外时，VRF路由泄漏允许在VRF之间路由某些流量。全局路由表(GRT)和虚拟路由与转发(VRF)表之间的路由泄漏通过使用静态路由完成。这两种方法都提供下一跳IP地址（用于多路访问网段）或将路由指向某个接口（点对点接口）之外。

从VRF到全局的路由泄漏

1. 对于FTD，选择Devices > Device Management，然后单击Edit。
2. 单击。Routing默认情况下，会显示“全局路由属性”页面。
3. 单击。Static Route
4. 单击Add Route， configure：

· Interface — 选择内部接口。

· Network— 选择vrf_inside虚拟路由器网络对象(192.168.70.0/24)。

· Gateway— 留空。将路由泄漏到另一台虚拟路由器时，请勿选择网关。

路由泄漏允许受站点到站点VPN的外部（远程）终端保护的终端访问vrf_inside虚拟路由器中的192.168.70.0/24网络。

5. 单击OK 如图所示。

在CLI中，路由显示为：

route inside 192.168.70.0 255.255.255.0 1 

请注意，网络192.168.70.0/24直接连接到inside接口，但此网络在GRT中不可见，因为网络在VRF实例中。为了在GRT中使用此路由，路由已从vrf_inside泄露到Global。

从全局到VRF的路由泄漏

1. 选择Devices > Device Management，然后单击Edit。
2. 单击Routing(可选)，然后从下拉菜单中选择vrf_inside。
3. 单击。Static Route
4. 单击Add Route ， configure：

· Interface — 选择全局路由器的外部接口

· Network— 选择全局虚拟路由器网络对象(192.168.10.0/24)

· Gateway— 留空。将路由泄漏到另一台虚拟路由器时，请勿选择网关

此静态路由允许192.168.70.0/24网络上的终端发起通过站点到站点VPN隧道与192.168.10.0/24的连接。

5. 单击OK如图所示。

在CLI中，路由显示为：

route vrf vrf_inside outside 192.168.10.0 255.255.255.0 1

验证

使用本部分可确认配置能否正常运行。所有输出都是从网络图所示的FTD中收集的。

FTD# show vrf Name VRF ID Description Interfaces vrf_inside 1 inside 

FTD# show run route route outside 10.0.0.0 255.0.0.0 10.106.50.1 1 route inside 192.168.70.0 255.255.255.0 1 

FTD# show run route vrf vrf_inside route vrf vrf_inside outside 192.168.10.0 255.255.255.0 1

FTD# show route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, + - replicated route Gateway of last resort is not set S 10.0.0.0 255.0.0.0 [1/0] via 10.106.50.1, outside C 10.106.50.0 255.255.255.0 is directly connected, outside L 10.106.50.212 255.255.255.255 is directly connected, outside V 192.168.10.0 255.255.255.0 connected by VPN (advertised), outside S 192.168.70.0 255.255.255.0 [1/0] is directly connected, inside C 192.168.80.0 255.255.255.0 is directly connected, dmz L 192.168.80.1 255.255.255.255 is directly connected, dmz 

FTD# show crypto ikev2 sa IKEv2 SAs: Session-id:8, Status:UP-ACTIVE, IKE count:1, CHILD count:1 Tunnel-id Local Remote Status Role 444445753 10.106.50.212/500 10.197.224.175/500 READY RESPONDER Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/11 sec Child sa: local selector 192.168.70.0/0 - 192.168.70.255/65535 remote selector 192.168.10.0/0 - 192.168.10.255/65535 ESP spi in/out: 0x5e950adb/0x47acd2dc 

FTD# show crypto ipsec sa peer 10.197.224.175 peer address: 10.197.224.175 Crypto map tag: CSM_outside_map, seq num: 2, local addr: 10.106.50.212 access-list vrf-crypto-acl extended permit ip 192.168.70.0 255.255.255.0 192.168.10.0 255.255.255.0 local ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) current_peer: 10.197.224.175 #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #TFC rcvd: 0, #TFC sent: 0 #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 10.106.50.212/500, remote crypto endpt.: 10.197.224.175/500 path mtu 1500, ipsec overhead 74(44), media mtu 1500 PMTU time remaining (sec): 0, DF policy: copy-df ICMP error validation: disabled, TFC packets: disabled current outbound spi: 47ACD2DC current inbound spi : 5E950ADB inbound esp sas: spi: 0x5E950ADB (1586825947) SA State: active transform: esp-aes-256 esp-sha-hmac no compression in use settings ={L2L, Tunnel, IKEv2, } slot: 0, conn_id: 10, crypto-map: CSM_outside_map sa timing: remaining key lifetime (kB/sec): (4193279/28774) IV size: 16 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x0000001F outbound esp sas: spi: 0x47ACD2DC (1202508508) SA State: active transform: esp-aes-256 esp-sha-hmac no compression in use settings ={L2L, Tunnel, IKEv2, } slot: 0, conn_id: 10, crypto-map: CSM_outside_map sa timing: remaining key lifetime (kB/sec): (4147199/28774) IV size: 16 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001 

故障排除

本部分提供了可用于对配置进行故障排除的信息。

FTD# show crypto ipsec sa peer 10.197.224.175 peer address: 10.197.224.175 Crypto map tag: CSM_outside_map, seq num: 2, local addr: 10.106.50.212 access-list vrf-crypto-acl extended permit ip 192.168.70.0 255.255.255.0 192.168.10.0 255.255.255.0 local ident (addr/mask/prot/port): (192.168.70.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) current_peer: 10.197.224.175 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 >>>> Packets received from remote end gets decapsulated but there are not encaps for the responses #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #TFC rcvd: 0, #TFC sent: 0 #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 10.106.50.212/500, remote crypto endpt.: 10.197.224.175/500 path mtu 1500, ipsec overhead 74(44), media mtu 1500 PMTU time remaining (sec): 0, DF policy: copy-df ICMP error validation: disabled, TFC packets: disabled current outbound spi: 490F4CD1 current inbound spi : DB5608EB inbound esp sas: spi: 0xDB5608EB (3679848683) SA State: active transform: esp-aes-256 esp-sha-hmac no compression in use settings ={L2L, Tunnel, IKEv2, } slot: 0, conn_id: 11, crypto-map: CSM_outside_map sa timing: remaining key lifetime (kB/sec): (4008959/28761) IV size: 16 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x0000001F outbound esp sas: spi: 0x490F4CD1 (1225739473) SA State: active transform: esp-aes-256 esp-sha-hmac no compression in use settings ={L2L, Tunnel, IKEv2, } slot: 0, conn_id: 11, crypto-map: CSM_outside_map sa timing: remaining key lifetime (kB/sec): (4239360/28761) IV size: 16 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001 

capture capin type raw-data interface inside [Capturing - 0 bytes] >>>> Captures applied on LAN(inside) interface shows decapsulated packets are not routed into LAN network match ip host 192.168.10.2 host 192.168.70.2 FTD# show cap capin 0 packet captured 0 packet shown 

capture asp type asp-drop all [Capturing - 0 bytes] >>>> ASP Captures shows decapsulated packets are being dropped on FTD FTD# show capture asp | i 192.168.70.2 145: 15:28:47.670894 192.168.10.2 > 192.168.70.2 icmp: echo request 154: 15:28:49.666545 192.168.10.2 > 192.168.70.2 icmp: echo request 171: 15:28:51.672740 192.168.10.2 > 192.168.70.2 icmp: echo request 172: 15:28:53.664928 192.168.10.2 > 192.168.70.2 icmp: echo request 

FTD# packet-tracer input outside icmp 192.168.10.2 8 0 192.168.70.2 detailed >>>> Packet tracer from outside shows "no route" for 192.168.70.0/24 network Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x2ba3bce77330, priority=1, domain=permit, deny=false hits=171480, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=outside, output_ifc=any Result: input-interface: outside(vrfid:0) input-status: up input-line-status: up Action: drop Drop-reason: (no-route) No route to host, Drop-location: frame 0x000055d9b7e8c7ce flow (NA)/NA 

FTD# show run route route outside 10.0.0.0 255.0.0.0 10.106.50.1 1  >>>> As the network 192.168.70.0/24 is in "vrf_inside" instance, there is no route leaked from Global to vrf_inside 

FTD# show run route route outside 10.0.0.0 255.0.0.0 10.106.50.1 1 route inside 192.168.70.0 255.255.255.0 1 >>>> After leaking the route from Global to vrf_inside 

FTD# show cap capin >>>> Now capture shows bi-directional traffic on LAN(inside) interface 10 packets captured 1: 15:44:32.972743 192.168.10.2 > 192.168.70.2 icmp: echo request 2: 15:44:32.974543 192.168.70.2 > 192.168.10.2 icmp: echo reply 3: 15:44:33.032209 192.168.10.2 > 192.168.70.2 icmp: echo request 4: 15:44:33.033353 192.168.70.2 > 192.168.10.2 icmp: echo reply 5: 15:44:33.089656 192.168.10.2 > 192.168.70.2 icmp: echo request 6: 15:44:33.092814 192.168.70.2 > 192.168.10.2 icmp: echo reply 7: 15:44:33.149024 192.168.10.2 > 192.168.70.2 icmp: echo request 8: 15:44:33.151878 192.168.70.2 > 192.168.10.2 icmp: echo reply 9: 15:44:33.158774 192.168.10.2 > 192.168.70.2 icmp: echo request 10: 15:44:33.161048 192.168.70.2 > 192.168.10.2 icmp: echo reply 10 packets shown 

FTD# packet-tracer input outside icmp 192.168.10.2 8 0 192.168.70.2 detailed >>>> Verified packet flow using Packet tracer Phase: 1 Type: INPUT-ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: Found next-hop 0.0.0.0 using egress ifc inside(vrfid:1) -------------------Output Omitted------------------------
 Phase: 8 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2ba3bdc75cc0, priority=70, domain=ipsec-tunnel-flow, deny=false hits=7, user_data=0xea71cdc, cs_id=0x2ba3bce93e70, reverse, flags=0x0, protocol=0 src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=any dst ip/id=192.168.70.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0 input_ifc=outside(vrfid:0), output_ifc=any -------------------Output Omitted------------------------ Phase: 13 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: out id=0x2ba3bd44ed40, priority=70, domain=encrypt, deny=false hits=7, user_data=0xea6e344, cs_id=0x2ba3bce93e70, reverse, flags=0x0, protocol=0 src ip/id=192.168.70.0, mask=255.255.255.0, port=0, tag=any dst ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0 input_ifc=any(vrfid:65535), output_ifc=outside Result: input-interface: outside(vrfid:0) input-status: up input-line-status: up output-interface: inside(vrfid:1) output-status: up output-line-status: up Action: drop Drop-reason: (ipsec-spoof) IPSEC Spoof detected, Drop-location: frame 0x000055d9b7e8b4d1 flow (NA)/NA