此产品的文档集力求使用非歧视性语言。在本文档集中,非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言,文档中可能无法确保完全使用非歧视性语言。 深入了解思科如何使用包容性语言。
思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。
本文档介绍如何配置TACACS IPSEC并对其进行故障排除,以保护思科身份服务引擎(ISE) 2.2 -网络接入设备(NAD)通信。TACACS流量可通过路由器和ISE之间的站点到站点(LAN到LAN) IPSec互联网密钥交换版本2 (IKEv2)隧道进行加密。本文档不涉及TACACS配置部分。
Cisco 建议您了解以下主题:
本文档中的信息基于以下软件和硬件版本:
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。
目标是保护使用不安全的MD5散列、Radius和带IPSec的TACACS的协议。需要考虑的事实很少:
GE-1 ISE接口收到加密数据包后,嵌入式服务路由器(ESR)会在Eth0/0接口上拦截这些数据包。
interface Ethernet0/0
description e0/0->connection to external NAD
ip address 10.48.17.87 255.255.255.0
ip nat outside
ip virtual-reassembly in
no ip route-cache
crypto map radius
ESR解密这些数据包,并根据预配置的NAT规则执行地址转换。传出(指向NAD) RADIUS/TACACS数据包将转换为Ethernet0/0接口地址并随后加密。
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static udp 10.1.1.2 1645 interface Ethernet0/0 1645
ip nat inside source static udp 10.1.1.2 1646 interface Ethernet0/0 1646
ip nat inside source static udp 10.1.1.2 1812 interface Ethernet0/0 1812
ip nat inside source static udp 10.1.1.2 1813 interface Ethernet0/0 1813
ip nat inside source static tcp 10.1.1.2 49 interface Ethernet0/0 49
access-list 1 permit 10.1.1.0 0.0.0.3
发往RADIUS/TACACS端口上的Eth0/0接口的数据包应该通过Eth0/1接口转发到10.1.1.2 ip地址,这是ISE的内部地址。以太网接口0/1的ESR配置
interface Ethernet0/1
description e0/1->tap0 internal connection to ISE
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
no ip route-cache
内部Tap-0接口的ISE配置:
ISE22-1ek/admin# show interface | b tap0
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.1.2 netmask 255.255.255.252 broadcast 10.1.1.3
inet6 fe80::6c2e:37ff:fe5f:b609 prefixlen 64 scopeid 0x20<link>
ether 6e:2e:37:5f:b6:09 txqueuelen 500 (Ethernet)
RX packets 81462 bytes 8927953 (8.5 MiB)
RX errors 0 dropped 68798 overruns 0 frame 0
TX packets 105 bytes 8405 (8.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
本文档中的信息使用以下网络设置:
本节介绍如何完成IOS CLI和ISE配置。
如果尚未配置IOS路由器接口,则至少应配置WAN接口。例如:
interface GigabitEthernet0/0/0
ip address 10.48.23.68 255.255.255.0
negotiation auto
no shutdown
!
确保存在与远程对等设备的连接,应使用它来建立站点到站点VPN隧道。可以使用ping命令验证基本连通性。
要为IKEv1连接配置ISAKMP策略,请在全局配置模式下输入crypto isakmp policy <priority>命令。 例如:
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 16
注意:您可以在参与IPSec的每个对等体上配置多个IKE策略。当IKE协商开始时,它会尝试查找在两个对等体上配置的公共策略,并且从远程对等体上指定的优先级最高的策略开始。
要配置预共享身份验证密钥,请在全局配置模式下输入crypto isakmp key命令:
crypto isakmp key Krakow123 address 10.48.17.87
使用扩展或命名访问列表指定应受加密保护的流量。例如:
access-list 101 permit ip 10.48.23.68 0.0.0.0 10.48.17.87 0.0.0.0
注意:VPN流量的ACL在NAT后使用源和目标IP地址。
要定义IPSec转换集(安全协议和算法的可接受组合),请在全局配置模式下输入crypto ipsec transform-set命令。例如:
crypto ipsec transform-set SET esp-aes esp-sha256-hmac
mode transport
要创建或修改加密映射条目并进入加密映射配置模式,请输入crypto map全局配置命令。要完成加密映射条目,至少必须定义以下几个方面:
例如:
crypto map MAP 10 ipsec-isakmp
set peer 10.48.17.87
set transform-set SET
match address 101
最后一步是将之前定义的加密映射集应用到接口。要应用此配置,请输入crypto map接口配置命令:
interface GigabitEthernet0/0
crypto map MAP
下面是最终的IOS路由器CLI配置:
aaa group server tacacs+ ISE_TACACS
server name ISE22
!
aaa authentication login default group ISE_TACACS
aaa authorization exec default group ISE_TACACS
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 16
!
crypto isakmp key Krakow123 address 10.48.17.87
!
crypto ipsec transform-set SET esp-aes esp-sha256-hmac
mode transport
!
crypto map MAP 10 ipsec-isakmp
set peer 10.48.17.87
set transform-set SET
match address 101
!
access-list 101 permit ip 10.48.23.68 0.0.0.0 10.48.17.87 0.0.0.0
!
interface GigabitEthernet0/0/0
ip address 10.48.23.68 255.255.255.0
negotiation auto
no shutdown
!
crypto map MAP 10 ipsec-isakmp
set peer 10.48.17.87
set transform-set SET
match address 101
!
tacacs server ISE22
address ipv4 10.48.17.87
key cisco
应该从CLI在接口GE1-GE5上配置地址,不支持GE0。
interface GigabitEthernet 1
ip address 10.48.17.87 255.255.255.0
ipv6 address autoconfig
ipv6 enable
注意:在接口上配置了IP地址后,应用程序将重新启动:
%更改IP地址可能导致ISE服务重新启动
是否继续更改IP地址? 是/否[N]:是
导航到管理>网络资源>网络设备。单击 Add。确保您配置了名称、IP地址和共享密钥。要终止来自需要的IPSec隧道,请针对IPSEC网络设备组选择YES。
添加NAD后,应在ISE上创建额外的路由,以确保RADIUS流量通过ESR并加密:
ip route 10.48.23.68 255.255.255.255 gateway 10.1.1.1
导航到管理>系统>设置。点击Radius,然后进一步点击IPSEC。选择PSN (Single/Multiple/All)选择Enable选项,选择Interface并选择Authentication Method。Click Save.此时服务将在所选节点上重新启动。
请注意,服务重新启动后,ISE CLI配置显示配置接口没有IP地址且处于关闭状态,这是预期结果,因为ESR(嵌入式服务路由器)将控制ISE接口。
interface GigabitEthernet 1
shutdown
ipv6 address autoconfig
ipv6 enable
服务重新启动后,ESR功能即会启用。要登录到ESR,请在命令行中键入esr:
ISE22-1ek/admin# esr
% Entering ESR 5921 shell
% Cisco IOS Software, C5921 Software (C5921_I86-UNIVERSALK9-M), Version 15.5(2)T2, RELEASE SOFTWARE (fc3)
% Technical Support: http://www.cisco.com/techsupport
% Copyright (c) 1986-2015 Cisco Systems, Inc.
Press RETURN to get started, <CTRL-C> to exit
ise-esr5921>en
ise-esr5921#
ESR随附以下加密配置,足以使ipsec隧道以预共享密钥终止:
crypto keyring MVPN-spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key Krakow123
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 16
!
crypto isakmp policy 20
encr aes
hash sha256
authentication pre-share
group 14
!
crypto isakmp key Krakow123 address 0.0.0.0
!
crypto isakmp profile MVPN-profile
description LAN-to-LAN for spoke router(s) connection
keyring MVPN-spokes
match identity address 0.0.0.0
!
crypto ipsec transform-set radius esp-aes esp-sha256-hmac
mode tunnel
crypto ipsec transform-set radius-2 esp-aes esp-sha256-hmac
mode transport
!
crypto dynamic-map MVPN-dynmap 10
set transform-set radius radius-2
!
crypto map radius 10 ipsec-isakmp dynamic MVPN-dynmap
确保ESR具有发送加密数据包的路由:
ip route 0.0.0.0 0.0.0.0 10.48.26.1
在启动到路由器的SSH会话之前,没有活动的VPN连接:
ISR4451#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
由于使用ISE 2.2作为身份验证源,客户端连接到路由器。
EKORNEYC-M-K04E:~ ekorneyc$ ssh alice@10.48.23.68
Password:
ISR4451#
IOS发送TACACS数据包,该数据包触发VPN会话建立,一旦隧道启动,路由器上就会看到此输出。它确认隧道的第1阶段已启动:
ISR4451#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.48.17.87 10.48.23.68 QM_IDLE 1962 ACTIVE
IPv6 Crypto ISAKMP SA
ISR4451#
第2阶段启动,数据包已加密和解密:
ISR4451#sh cry ipsec sa
interface: GigabitEthernet0/0/0
Crypto map tag: MAP, local addr 10.48.23.68
protected vrf: (none)
local ident (addr/mask/prot/port): (10.48.23.68/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.48.17.87/255.255.255.255/0/0)
current_peer 10.48.17.87 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 48, #pkts encrypt: 48, #pkts digest: 48
#pkts decaps: 48, #pkts decrypt: 48, #pkts verify: 48
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.48.23.68, remote crypto endpt.: 10.48.17.87
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x64BD51B8(1690128824)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFAE51DF8(4209319416)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 2681, flow_id: ESG:681, sibling_flags FFFFFFFF80004008, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4607998/3127)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x64BD51B8(1690128824)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 2682, flow_id: ESG:682, sibling_flags FFFFFFFF80004008, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4607997/3127)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
ISR4451#
在ESR上可以检查相同的输出,第一阶段的状态为up:
ise-esr5921#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.48.17.87 10.48.23.68 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
ise-esr5921#
第2阶段启动,数据包已成功加密和解密:
ise-esr5921#sh cry ipsec sa
interface: Ethernet0/0
Crypto map tag: radius, local addr 10.48.17.87
protected vrf: (none)
local ident (addr/mask/prot/port): (10.48.17.87/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.48.23.68/255.255.255.255/0/0)
current_peer 10.48.23.68 port 500
PERMIT, flags={}
#pkts encaps: 48, #pkts encrypt: 48, #pkts digest: 48
#pkts decaps: 48, #pkts decrypt: 48, #pkts verify: 48
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.48.17.87, remote crypto endpt.: 10.48.23.68
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0xFAE51DF8(4209319416)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x64BD51B8(1690128824)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: radius
sa timing: remaining key lifetime (k/sec): (4242722/3056)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFAE51DF8(4209319416)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: radius
sa timing: remaining key lifetime (k/sec): (4242722/3056)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
ise-esr5921#
实时身份验证表示常规PAP_ASCII身份验证:
在ISE的GE1接口上捕获并使用ESP或Tacacs进行过滤,确认没有明文形式的Tacacs,并且所有流量都加密:
常用VPN故障排除技术可用于排除与IPSEC相关的问题。您可以在下面找到有用的文档:
使用PSK的站点到站点VPN的IOS IKEv2调试故障排除技术说明
也可以使用FlexVPN保护RADIUS流量。以下示例中使用了以下拓扑:
FlexVPN配置非常简单。更多详细信息请访问此处:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html
aaa new-model
!
!
aaa group server tacacs+ ISE_TACACS
server name ISE22_VRF
ip vrf forwarding TACACS
!
aaa authentication login default group ISE_TACACS
aaa authorization exec default group ISE_TACACS
aaa authorization network default local
!
crypto ikev2 authorization policy default
route set interface Loopback0
no route set interface
!
!
crypto ikev2 keyring mykeys
peer ISE22
address 10.48.17.87
pre-shared-key Krakow123
!
!
!
crypto ikev2 profile default
match identity remote address 10.48.17.87 255.255.255.255
authentication remote pre-share (with the command authentication remote pre-share keyin place keyring is not required)
authentication local pre-share
keyring local mykeys
aaa authorization group psk list default default
!
!
ip tftp source-interface GigabitEthernet0
!
!
!
crypto ipsec profile default
set ikev2-profile default (it is default configuration)
!
!
!
interface Loopback0
ip vrf forwarding TACACS
ip address 100.100.100.100 255.255.255.0
!
interface Tunnel0
ip vrf forwarding TACACS
ip address 10.1.12.1 255.255.255.0
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 10.48.17.87
tunnel protection ipsec profile default
!
interface GigabitEthernet0/0/0
ip address 10.48.23.68 255.255.255.0
negotiation auto
!
!
ip route 0.0.0.0 0.0.0.0 10.48.23.1
ip tacacs source-interface Loopback0
!
!
tacacs server ISE22_VRF
address ipv4 10.1.1.2
key cisco
!
ISR4451#
ise-esr5921#sh run
Building configuration...
Current configuration : 5778 bytes
!
! Last configuration change at 17:32:58 CET Thu Feb 23 2017
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service call-home
!
hostname ise-esr5921
!
boot-start-marker
boot host unix:default-config
boot-end-marker
!
!
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
license udi pid CISCO5921-K9 sn 98492083R3X
username lab password 0 lab
!
redundancy
!
!
!
crypto keyring MVPN-spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key Krakow123
crypto ikev2 authorization policy default
route set interface
route set remote ipv4 10.1.1.0 255.255.255.0
!
!
!
crypto ikev2 keyring mykeys
peer ISR4451
address 10.48.23.68
pre-shared-key Krakow123
!
!
!
crypto ikev2 profile default
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local mykeys
aaa authorization group psk list default default local
virtual-template 1
!
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 16
!
crypto isakmp policy 20
encr aes
hash sha256
authentication pre-share
group 14
crypto isakmp key Krakow123 address 0.0.0.0
crypto isakmp profile MVPN-profile
description LAN-to-LAN for spoke router(s) connection
keyring MVPN-spokes
match identity address 0.0.0.0
!
!
crypto ipsec transform-set radius esp-aes esp-sha256-hmac
mode tunnel
crypto ipsec transform-set radius-2 esp-aes esp-sha256-hmac
mode transport
!
!
!
crypto dynamic-map MVPN-dynmap 10
set transform-set radius radius-2
!
!
crypto map radius 10 ipsec-isakmp dynamic MVPN-dynmap
!
!
!
!
!
interface Loopback0
ip address 10.1.12.2 255.255.255.0
!
interface Ethernet0/0
description e0/0->connection to external NAD
ip address 10.48.17.87 255.255.255.0
ip nat outside
ip virtual-reassembly in
no ip route-cache
crypto map radius
!
interface Ethernet0/1
description e0/1->tap0 internal connection to ISE
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
interface Ethernet0/2
description e0/2->connection to CSSM backend license server
no ip address
ip virtual-reassembly in
no ip route-cache
!
interface Ethernet0/3
no ip address
shutdown
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static udp 10.1.1.2 1645 interface Ethernet0/0 1645
ip nat inside source static udp 10.1.1.2 1646 interface Ethernet0/0 1646
ip nat inside source static udp 10.1.1.2 1812 interface Ethernet0/0 1812
ip nat inside source static udp 10.1.1.2 1813 interface Ethernet0/0 1813
ip nat inside source static tcp 10.1.1.2 49 interface Ethernet0/0 49
ip route 0.0.0.0 0.0.0.0 10.48.17.1
!
!
!
access-list 1 permit 10.1.1.0 0.0.0.3
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
!
end
版本 | 发布日期 | 备注 |
---|---|---|
1.0 |
01-Apr-2017 |
初始版本 |