This article walks through building an IPSec VPN between a Palo Alto firewall and a Cisco ASA firewall. The Palo Alto side runs PAN-OS 8.1.10.

Merion Academy


IPSec VPN between Cisco ASA and Palo Alto

Topology: IPSec between Cisco ASA and Palo Alto

In this lab both the Palo Alto and the Cisco ASA have a public IP address on their outside interface. The Cisco ASA uses 1.1.1.1 and the Palo Alto uses 2.2.2.2:

LAN 192.168.1.0/24 is behind the Cisco ASA and LAN 192.168.2.0/24 is behind the Palo Alto. Before configuring anything, verify that the two public addresses can reach each other with ping.

admin@PA-220> ping host 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.177 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.157 ms

Configuring IPSec on Palo Alto

Start with the Palo Alto side. Phase 1 and Phase 2 of IPSec are configured on the Palo Alto in the steps below.

Zone on Palo Alto

First, create a security zone on the Palo Alto: Network >> Zones >> Add. Name the zone and save it.

Tunnel interface on Palo Alto

Create the tunnel interface for IPSec: Network >> Interfaces >> Tunnel. Assign the interface to the security zone created in step 1. The interface can be given an IPv4 or IPv6 address.

IKE Crypto Profile [Phase 1 IPSec]

Now Phase 1 of IPSec. Go to Network >> Network Profiles >> IKE Crypto >> Add and name the IKE Crypto profile. Choose the DH group and the encryption and authentication algorithms. The key lifetime is 8 hours.

Figure: IKE Crypto Profile

IPSec Crypto Profile [Phase 2 IPSec]

Now Phase 2 of IPSec. Go to Network >> Network Profiles >> IPSec Crypto >> Add and name the IPSec Crypto profile. Choose the IPSec protocol: ESP (Encapsulating Security Payload) or AH (Authentication Header). Choose the DH group and the encryption and authentication algorithms. The lifetime is 1 hour.

Figure: IPSec Crypto Profile

IKE Gateway

Go to Network >> Network Profiles >> IKE Gateways >> Add. On the General tab, configure the IKE gateway. Interface is the outside interface, ethernet1/1, with the local IP address 2.2.2.2. Peer IP Address Type is IP and Peer Address is 1.1.1.1. For Authentication there are two options, Pre-Shared Key and Certificate; this lab uses Pre-Shared Key. The same pre-shared key must be entered on the peer firewall. Local Identification and Peer Identification are set to IP address.

Figure: IKE Gateway

Under Advanced Options, select IKEv1 and the IKE Crypto Profile created in step 3.

Figure: IKE Crypto Profile selection

IPSec Tunnel

Now tie the IKE Gateway and the IPSec Crypto Profile together in an IPSec tunnel. Go to Network >> IPSec Tunnels >> Add and name the tunnel. Select the tunnel interface created in step 2, then the IKE Gateway and the IPSec Crypto Profile created in steps 3 and 5.

Figure: IPSec Tunnel

Under Proxy IDs, define the networks whose traffic goes through the tunnel: the local LAN 192.168.2.0/24 (behind the Palo Alto) and the remote LAN 192.168.1.0/24 (behind the Cisco ASA).

Figure: Proxy IDs

Security policy for IPSec

Create a security policy that allows the VPN traffic: Policies >> Security >> Add.

Add a static route to the remote network: Network >> Virtual Routers >> Default >> Static Routes >> Add, with destination 192.168.1.0/24 and the tunnel interface from step 2 as the outgoing interface.

This completes the IPSec configuration on the Palo Alto. IPSec configuration on a FortiGate Firewall is covered separately.


Configuring IPSec on Cisco ASA

Now configure IPSec on the Cisco ASA. This lab uses Cisco ASA version 9.8(1).

IPSec on the Cisco ASA is configured in four steps:

  • Phase 1 (IKEv1)
  • Tunnel Group with the Pre-Shared Key
  • Phase 2 (IPSec)
  • Extended ACL and Crypto Map

Start with Phase 1 on the Cisco ASA.

Phase 1 (IKEv1) on Cisco ASA

ciscoasa(config)# crypto ikev1 enable outside
ciscoasa(config)# crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption 3des
ciscoasa(config-ikev1-policy)# hash md5
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 7200

Explanation of the parameters:

  • Encryption: 3des is the Phase 1 encryption algorithm
  • Hash: md5 is the hash algorithm
  • Group: 2 is Diffie-Hellman group 2
  • Authentication: pre-shared key
  • Lifetime: 7200 seconds (the default is 86400 seconds, i.e. 1 day)

On the Cisco ASA, IKEv1 must be explicitly enabled on the interface facing the peer; here it is the outside interface:

ciscoasa(config)# crypto ikev1 enable outside

Tunnel Group on Cisco ASA

Create the tunnel group for the peer 2.2.2.2 and set the pre-shared key. This lab runs in GNS3, and the key used is GNS3Network; it must match the pre-shared key configured on the Palo Alto.

ciscoasa(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 2.2.2.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key GNS3Network

IPSec IKEv1 (Phase 2) on Cisco ASA

Configure the Phase 2 transform set and the IPSec SA lifetime:

ciscoasa(config-ikev1-policy)# crypto ipsec ikev1 transform-set ESP-AES-SHA esp-3des esp-md5-hmac
ciscoasa(config)# crypto ipsec security-association lifetime seconds 7200

Explanation:

  • ESP: the ESP protocol is used for IPSec
  • 3DES: the 3DES encryption algorithm
  • MD5: MD5 HMAC for authentication
  • 7200 seconds: the IPSec Phase 2 SA lifetime

Crypto Map and Extended ACL for IPSec on Cisco ASA

Next, define the interesting traffic. Create network objects for the local and remote LANs and an extended ACL that permits IP traffic between them; the crypto map references this ACL, sets the peer and the transform set, and is bound to the outside interface.

Network objects and ACL

ciscoasa(config)# object-group network local-network
ciscoasa(config-network-object-group)# network-object 192.168.1.0 255.255.255.0
ciscoasa(config-network-object-group)# object-group network remote-network
ciscoasa(config-network-object-group)# network-object 192.168.2.0 255.255.255.0
ciscoasa(config-network-object-group)# access-list asa-paloalto-vpn extended permit ip object-group local-network object-group remote-network

ciscoasa(config)# crypto map outside_map 10 match address asa-paloalto-vpn
ciscoasa(config)# crypto map outside_map 10 set pfs group2
ciscoasa(config)# crypto map outside_map 10 set peer 2.2.2.2
ciscoasa(config)# crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA

ciscoasa(config)# crypto map outside_map interface outside
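As an added example (not part of the original article), the following Python script parses Cisco ASA crypto configuration in the form show running-config prints it and performs two checks worth running before bringing the tunnel up: that every crypto map entry points to a transform-set that is actually defined (a one-letter typo in the name is enough to break Phase 2), and that no deprecated cipher, hash or DH group (DES/3DES, MD5, groups 1/2/5) is in use. The sample configuration and the WEAK set are constructed for this example.

```python
import re

# Constructed sample, not from a live device: the ASA crypto lines this article
# configures, with a transform-set name typo that the crypto map would hit.
ASA_CONFIG = """\
crypto ikev1 policy 10
 encryption 3des
 hash md5
 group 2
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-3des esp-md5-hmac
crypto map outside_map 10 match address asa-paloalto-vpn
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set ikev1 transform-set ESP-ASE-SHA
"""
# Ciphers, hashes and DH groups that are deprecated for new IPsec deployments.
WEAK = {"des", "3des", "esp-des", "esp-3des", "md5", "esp-md5-hmac",
        "1", "2", "5", "group1", "group2", "group5"}

# Collect IKEv1 policies, transform-sets and crypto-map entries from ASA config text.
def parse_asa_crypto(text):
    policies, tsets, maps, policy = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            policy = None  # any top-level line leaves the ikev1 policy sub-mode
        if m := re.match(r"crypto ikev1 policy (\d+)$", line):
            policy = policies.setdefault(int(m.group(1)), {})
        elif policy is not None and line:  # sub-mode line such as "encryption 3des"
            key, _, val = line.partition(" ")
            policy[key] = val
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            tsets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set pfs|set peer|set ikev1 transform-set) (.+)$", line):
            maps.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4)
    return {"policies": policies, "transform_sets": tsets, "maps": maps}

# Findings: crypto maps that reference an undefined transform-set, plus weak crypto choices.
def audit(cfg):
    out = []
    for (name, seq), entry in cfg["maps"].items():
        ts = entry.get("set ikev1 transform-set")
        if ts and ts not in cfg["transform_sets"]:
            out.append(f"crypto map {name} {seq}: transform-set {ts} is not defined")
        if entry.get("set pfs") in WEAK:
            out.append(f"crypto map {name} {seq}: weak pfs {entry['set pfs']}")
    for seq, pol in cfg["policies"].items():
        out += [f"ikev1 policy {seq}: weak {k} {pol[k]}" for k in ("encryption", "hash", "group") if pol.get(k) in WEAK]
    for name, algs in cfg["transform_sets"].items():
        out += [f"transform-set {name}: weak {a}" for a in algs if a in WEAK]
    return out
```

Run audit(parse_asa_crypto(open("asa.cfg").read())) against a saved show running-config to reproduce the checks on a real configuration.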

Verifying the IPSec tunnel

If the IPSec configuration is correct on both sides, the tunnel comes up. Check the IPSec SA from the Palo Alto CLI:

admin@PA-VM>test vpn ipsec-sa

Then check the IPSec tunnel status in the web UI: it should show UP. Now test the tunnel by pinging from the Cisco ASA to the Palo Alto side:

ciscoasa# ping 192.168.2.1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 30/30/30 ms

The first packet is lost while ARP resolves; the following ones succeed.

Note: to ping across the tunnel from the inside IP address of the Cisco ASA (i.e. sourced from the inside interface), enable management access on that interface:

ciscoasa(config)# management-access inside

Troubleshooting IPSec

If the IPSec tunnel does not come up, review the configuration on the Cisco ASA with the following commands.

Checking the IPSec configuration on Cisco ASA

ciscoasa# show running-config ipsec
ciscoasa# show running-config crypto ikev1
ciscoasa# show running-config crypto map

Checking IPSec on Palo Alto

In Monitor >> System, filter with "(subtype eq vpn)" to see the VPN-related system log entries.

To check the IPSec security association from the CLI:

admin@PA-CM>test vpn ipsec-sa

IPSec traffic in Wireshark

The traffic between the two peers is carried in ESP (Encapsulating Security Payload), the IPsec protocol that encrypts and authenticates the payload. A Wireshark capture between 1.1.1.1 and 2.2.2.2 therefore shows the tunneled data only as ESP packets; the inner IP packets are not visible.


That completes the IPSec tunnel between Cisco ASA and Palo Alto.