You want to configure route-based IPsec VPN tunnels between an NSX Edge and a Cisco CSR 1000V virtual appliance.
NSX Edge Configuration
The following CLI output shows the route-based IPsec VPN configuration on the NSX Edge:
Edge IPsec VPN Config:
{
  "ipsec" : {
    "global" : {
      "extension" : null,
      "crlCertificates" : [],
      "pskForDynamicIp" : null,
      "id" : null,
      "caCertificates" : [],
      "serviceCertificate" : null
    },
    "logging" : {
      "logLevel" : "debug",
      "enable" : true
    },
    "disableEvent" : null,
    "enable" : true,
    "sites" : [
      {
        "name" : "VPN2 to edge-ext tun 2 192.168.14.2",
        "encryptionAlgorithm" : "3des",
        "psk" : "****",
        "tunnelInterfaceId" : 1,
        "authenticationMode" : "psk",
        "peerIp" : "111.111.111.5",
        "ipsecSessionType" : "routebasedsession",
        "pskEncryption" : null,
        "digestAlgorithm" : "sha1",
        "enabled" : true,
        "localSubnets" : [ "0.0.0.0/0" ],
        "description" : "VPN to edge subnet2",
        "mtu" : null,
        "peerId" : "111.111.111.5",
        "extension" : null,
        "ikeOption" : "ikev2",
        "localIp" : "51.51.51.1",
        "peerSubnets" : [ "0.0.0.0/0" ],
        "responderOnly" : false,
        "certificate" : null,
        "dhGroup" : "dh2",
        "siteId" : "ipsecsite-53",
        "localId" : "51.51.51.1",
        "tunnelInterfaceLabel" : "vti-1",
        "enablePfs" : true
      },
      {
        "peerIp" : "71.71.71.5",
        "authenticationMode" : "psk",
        "ipsecSessionType" : "routebasedsession",
        "tunnelInterfaceId" : 2,
        "psk" : "****",
        "name" : "VPN to edge-ext tun 1 192.168.13.2",
        "encryptionAlgorithm" : "3des",
        "description" : "VPN to edge subnet1",
        "localSubnets" : [ "0.0.0.0/0" ],
        "enabled" : true,
        "pskEncryption" : null,
        "digestAlgorithm" : "sha1",
        "ikeOption" : "ikev2",
        "extension" : null,
        "peerSubnets" : [ "0.0.0.0/0" ],
        "localIp" : "61.61.61.1",
        "peerId" : "71.71.71.5",
        "mtu" : null,
        "siteId" : "ipsecsite-54",
        "localId" : "61.61.61.1",
        "enablePfs" : true,
        "tunnelInterfaceLabel" : "vti-2",
        "responderOnly" : false,
        "certificate" : null,
        "dhGroup" : "dh2"
      }
    ]
  }
}
The following CLI output shows the VTI configuration on the NSX Edge:
Edge VTI Tunnels Config:
{
  "vtiTunnels" : [
    {
      "name" : "vti-1",
      "mtu" : 1416,
      "label" : "vti-1",
      "sourceAddress" : "51.51.51.1",
      "destinationAddress" : "111.111.111.5",
      "tunnelAddresses" : [ "192.168.14.2/24" ],
      "mode" : "VTI",
      "enabled" : true
    },
    {
      "enabled" : false,
      "tunnelAddresses" : [ "192.168.13.2/24" ],
      "mode" : "VTI",
      "sourceAddress" : "61.61.61.1",
      "destinationAddress" : "71.71.71.5",
      "label" : "vti-2",
      "mtu" : 1416,
      "name" : "vti-2"
    }
  ]
}
Cisco CSR 1000V Appliance Configuration
The following script configures the two matching route-based IPsec tunnels on the Cisco CSR 1000V appliance:
crypto ikev2 proposal PH1PROPOSAL
 encryption 3des
 integrity sha1
 group 2
crypto ikev2 proposal PH2PROPOSAL
 encryption 3des
 integrity sha1
 group 2
crypto ikev2 policy PH1POLICY
 proposal PH1PROPOSAL
crypto ikev2 policy PH2POLICY
 proposal PH2PROPOSAL
crypto ikev2 keyring PH1KEY
 peer SITE1
  address 61.61.61.1
  pre-shared-key sharedvalue
 !
crypto ikev2 keyring PH2KEY
 peer SITE2
  address 51.51.51.1
  pre-shared-key sharedvalue
 !
crypto ikev2 profile PH1PROFILE
 match identity remote address 61.61.61.1 255.255.255.0
 identity local address 71.71.71.5
 authentication remote pre-share key sharedvalue
 authentication local pre-share key sharedvalue
crypto ikev2 profile PH2PROFILE
 match identity remote address 51.51.51.1 255.255.255.0
 identity local address 111.111.111.5
 authentication remote pre-share key sharedvalue
 authentication local pre-share key sharedvalue
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC_PROF1
 set transform-set TSET
 set ikev2-profile PH1PROFILE
 responder-only
crypto ipsec profile IPSEC_PROF2
 set transform-set TSET
 set ikev2-profile PH2PROFILE
 responder-only
interface Tunnel1
 ip address 192.168.13.1 255.255.255.0
 tunnel source 71.71.71.5
 tunnel mode ipsec ipv4
 tunnel destination 61.61.61.1
 tunnel protection ipsec profile IPSEC_PROF1
interface Tunnel2
 ip address 192.168.14.1 255.255.255.0
 tunnel source 111.111.111.5
 tunnel mode ipsec ipv4
 tunnel destination 51.51.51.1
 tunnel protection ipsec profile IPSEC_PROF2
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
interface GigabitEthernet2
 no ip address
 negotiation auto
interface GigabitEthernet2.2
 encapsulation dot1Q 23
 ip address 81.81.81.5 255.255.255.0
interface GigabitEthernet2.3
 encapsulation dot1Q 19
 ip address 111.111.111.5 255.255.255.0
interface GigabitEthernet2.4
 encapsulation dot1Q 22
 ip address 71.71.71.5 255.255.255.0
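Most route-based IPsec tunnels that fail to come up do so because one parameter on one side does not mirror the other. The script below is an added example, not part of the NSX documentation and not a VMware or Cisco tool: it takes the comparison-relevant fields of the two NSX Edge CLI outputs above and the CSR 1000V tunnel script, both embedded here as constructed sample data copied from this page, and reports where the two sides disagree on the VTI behind each IPsec site, the tunnel subnet, the IKEv2 identity match and the ESP transforms. The indent-based IOS parser, the lookup key names and the NSX-to-IOS algorithm token table are this example's own assumptions. Run against the page's own values it produces exactly one finding: vti-2 is disabled in the VTI output while its IPsec site is enabled.

```python
"""Cross-check NSX Edge IPsec site/VTI settings against the CSR 1000V tunnel config (added example)."""
import ipaddress

# Constructed sample: the comparison-relevant fields of the two NSX Edge CLI outputs shown on this page.
EDGE_IPSEC_SITES = [
    {"name": "VPN2 to edge-ext tun 2 192.168.14.2", "localIp": "51.51.51.1", "peerIp": "111.111.111.5", "localId": "51.51.51.1",
     "tunnelInterfaceLabel": "vti-1", "enabled": True, "encryptionAlgorithm": "3des", "digestAlgorithm": "sha1"},
    {"name": "VPN to edge-ext tun 1 192.168.13.2", "localIp": "61.61.61.1", "peerIp": "71.71.71.5", "localId": "61.61.61.1",
     "tunnelInterfaceLabel": "vti-2", "enabled": True, "encryptionAlgorithm": "3des", "digestAlgorithm": "sha1"},
]
EDGE_VTI_TUNNELS = [
    {"label": "vti-1", "sourceAddress": "51.51.51.1", "destinationAddress": "111.111.111.5",
     "tunnelAddresses": ["192.168.14.2/24"], "enabled": True},
    {"label": "vti-2", "sourceAddress": "61.61.61.1", "destinationAddress": "71.71.71.5",
     "tunnelAddresses": ["192.168.13.2/24"], "enabled": False},
]
# Constructed sample: the tunnel-related sections of the CSR 1000V script on this page.
CSR_CONFIG = """\
crypto ikev2 profile PH1PROFILE
 match identity remote address 61.61.61.1 255.255.255.0
crypto ikev2 profile PH2PROFILE
 match identity remote address 51.51.51.1 255.255.255.0
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile IPSEC_PROF1
 set transform-set TSET
 set ikev2-profile PH1PROFILE
crypto ipsec profile IPSEC_PROF2
 set transform-set TSET
 set ikev2-profile PH2PROFILE
interface Tunnel1
 ip address 192.168.13.1 255.255.255.0
 tunnel source 71.71.71.5
 tunnel destination 61.61.61.1
 tunnel protection ipsec profile IPSEC_PROF1
interface Tunnel2
 ip address 192.168.14.1 255.255.255.0
 tunnel source 111.111.111.5
 tunnel destination 51.51.51.1
 tunnel protection ipsec profile IPSEC_PROF2
"""
# Assumed mapping of NSX algorithm names to IOS transform-set tokens (only the values this page uses).
IOS_TOKEN = {"encryptionAlgorithm": {"3des": "esp-3des"}, "digestAlgorithm": {"sha1": "esp-sha-hmac"}}


def parse_ios(text):
    """Group an IOS config into {section header: [indented child lines]}; blank and '!' lines are dropped."""
    sections, current = {}, None
    for raw in (line for line in text.splitlines() if line.strip() and line.strip() != "!"):
        if raw[0] != " ":
            current = raw.strip()
            sections[current] = []
        elif current is not None:  # indented lines before the first header are ignored
            sections[current].append(raw.strip())
    return sections


def child_value(children, prefix):
    """Remainder of the first child line that starts with `prefix `, or None."""
    return next((c[len(prefix):].strip() for c in children if c.startswith(prefix + " ")), None)


def csr_tunnels(sections):
    """Tunnel interfaces keyed by (tunnel source, tunnel destination), resolved through their profiles."""
    out = {}
    for header, children in sections.items():
        if not header.startswith("interface Tunnel"):
            continue
        ip, mask = child_value(children, "ip address").split()
        ipsec_prof = sections["crypto ipsec profile " + child_value(children, "tunnel protection ipsec profile")]
        ike_prof = sections["crypto ikev2 profile " + child_value(ipsec_prof, "set ikev2-profile")]
        tset = "crypto ipsec transform-set " + child_value(ipsec_prof, "set transform-set") + " "
        id_addr, id_mask = child_value(ike_prof, "match identity remote address").split()
        out[(child_value(children, "tunnel source"), child_value(children, "tunnel destination"))] = {
            "name": header.split()[1], "tunnel_net": ipaddress.ip_interface(f"{ip}/{mask}").network,
            # The identity mask widens acceptance: 255.255.255.0 matches any peer ID in that /24.
            "identity_net": ipaddress.ip_interface(f"{id_addr}/{id_mask}").network,
            "transforms": next(h for h in sections if h.startswith(tset)).split()[4:],
        }
    return out


def check_consistency(sites, vtis, csr_text):
    """Return human-readable mismatches between the NSX Edge side and the CSR side."""
    tunnels = csr_tunnels(parse_ios(csr_text))
    vti_by_label, findings = {v["label"]: v for v in vtis}, []
    for site in sites:
        tag = f"{site['name']} ({site['tunnelInterfaceLabel']})"
        vti = vti_by_label.get(site["tunnelInterfaceLabel"])
        # Mirror image: the CSR tunnel's source is our peer and its destination is our local address.
        peer = tunnels.get((site["peerIp"], site["localIp"]))
        if vti is None or peer is None:
            findings.append(f"{tag}: no matching {'VTI' if vti is None else 'CSR tunnel interface'}")
            continue
        our_net = ipaddress.ip_interface(vti["tunnelAddresses"][0]).network
        checks = [
            (vti["enabled"] != site["enabled"], f"site enabled={site['enabled']} but VTI enabled={vti['enabled']}"),
            (our_net != peer["tunnel_net"], f"tunnel subnet {our_net} vs CSR {peer['name']} {peer['tunnel_net']}"),
            (ipaddress.ip_address(site["localId"]) not in peer["identity_net"],
             f"localId {site['localId']} is outside CSR {peer['name']} identity match {peer['identity_net']}"),
        ] + [(IOS_TOKEN[k].get(site[k]) not in peer["transforms"], f"{k} {site[k]} not in CSR transform set {peer['transforms']}")
             for k in IOS_TOKEN]
        findings.extend(f"{tag}: {msg}" for bad, msg in checks if bad)
    return findings
```

Two points worth noting when reading the results. The CSR matches the remote identity with a 255.255.255.0 mask, so it accepts any peer identity in that /24 rather than only the NSX Edge address; the check therefore tests containment, not equality. And the 3des, sha1 and dh2 values shown on both sides are below current guidance (NIST has deprecated 3DES, and the 1024-bit DH group 2 is too small), so prefer AES with a larger DH group when both peers support them.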