S-Terra IP-Sec VPN

Создание IP-Sec туннеля между центральным офисом и филиалами, согласно приведенной схеме.

Ниже приводятся настройки для каждого устройства S-Terra в соответствии со схемой. Обратите внимание: в листингах учётные записи (`password 0`, `enable password`) и ключи ISAKMP показаны в открытом виде, причём один и тот же ключ используется для всех площадок — перед применением на реальном оборудовании их следует заменить. Проверить создание SA можно с помощью команд:

sa_mgr show — показать security association (SA)
sa_mgr clear -all — очистка всех SA

fwconn_show

Файл конфигурации центральной S-Terra

gate-central#sh run
!
! Console account. "password 0" = the password is stored and printed in
! cleartext; the value "csp" looks like a vendor default and should be
! replaced before deployment.
username cscons privilege 15 password 0 csp
hostname gate-central
! "enable password" is likewise cleartext in the listing; prefer a hashed
! form if the platform supports one.
enable password csp
!
!
!
! IKE phase 1 (ISAKMP): GOST cipher and hash, pre-shared-key
! authentication, VKO (GOST) key agreement. One policy serves both
! branches.
crypto isakmp policy 1
encr gost
hash gost
authentication pre-share
group vko
!
! One pre-shared key per branch peer. Both entries carry the SAME key, so
! compromise of either branch gateway exposes the other tunnel's key as
! well; use a distinct key per peer.
! 172.16.31.3     = gate-filial02 Fa0/0
! 172.16.242.130  = gate-filial01 Fa0/0
crypto isakmp key @Wsxdr56 address 172.16.31.3
!
crypto isakmp key @Wsxdr56 address 172.16.242.130
!
! IPsec phase 2 proposal: ESP with GOST 28147-89 encryption plus
! integrity check (imit).
crypto ipsec transform-set CTS-GOST-IMIT esp-gost28147-4m-imit
!
! Crypto ACL for branch 2: central LANs (192.168.10.0/24, 10.211.1.0/24,
! 10.211.2.0/24) <-> branch-2 LANs (10.211.19.0/24, 10.211.5.0/24).
! Must be the mirror image of ACL-CRYPTO-CENTRAL on gate-filial02.
ip access-list extended ACL-CRYPTO-FILIAL02
permit ip 192.168.10.0 0.0.0.255 10.211.19.0 0.0.0.255
permit ip 10.211.1.0 0.0.0.255 10.211.19.0 0.0.0.255
permit ip 10.211.2.0 0.0.0.255 10.211.19.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 10.211.5.0 0.0.0.255
permit ip 10.211.1.0 0.0.0.255 10.211.5.0 0.0.0.255
permit ip 10.211.2.0 0.0.0.255 10.211.5.0 0.0.0.255
!
! Crypto ACL for branch 1: central LANs <-> branch-1 LANs (10.111.1.0/24,
! 10.111.2.0/24, 10.226.1.0/24) and the branch-1 transit link
! 192.168.111.0/30. Must be the mirror image of ACL-CRYPTO-CENTRAL on
! gate-filial01.
ip access-list extended ACL-CRYPTO-FILIAL01
permit ip 192.168.10.0 0.0.0.255 10.111.1.0 0.0.0.255
permit ip 10.211.1.0 0.0.0.255 10.111.1.0 0.0.0.255
permit ip 10.211.2.0 0.0.0.255 10.111.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 10.111.2.0 0.0.0.255
permit ip 10.211.1.0 0.0.0.255 10.111.2.0 0.0.0.255
permit ip 10.211.2.0 0.0.0.255 10.111.2.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.111.0 0.0.0.3
permit ip 10.211.1.0 0.0.0.255 192.168.111.0 0.0.0.3
permit ip 10.211.2.0 0.0.0.255 192.168.111.0 0.0.0.3
permit ip 192.168.10.0 0.0.0.255 10.226.1.0 0.0.0.255
permit ip 10.211.1.0 0.0.0.255 10.226.1.0 0.0.0.255
permit ip 10.211.2.0 0.0.0.255 10.226.1.0 0.0.0.255
!
!
! Crypto map entry 100: branch 2 (peer 172.16.31.3); PFS via VKO.
crypto map CRYPTO-MAP 100 ipsec-isakmp
match address ACL-CRYPTO-FILIAL02
set transform-set CTS-GOST-IMIT
set pfs vko
set peer 172.16.31.3
!
! Crypto map entry 200: branch 1 (peer 172.16.242.130); PFS via VKO.
crypto map CRYPTO-MAP 200 ipsec-isakmp
match address ACL-CRYPTO-FILIAL01
set transform-set CTS-GOST-IMIT
set pfs vko
set peer 172.16.242.130
!
! Outside (WAN) interface: the crypto map is bound here. No inbound filter
! for non-IPsec traffic is shown in this listing; confirm the platform's
! default policy (see fwconn_show) before exposing the interface.
interface FastEthernet0/0
ip address 172.16.153.34 255.255.255.240
crypto map CRYPTO-MAP
!
! Inside (LAN) interface.
interface FastEthernet0/1
ip address 192.168.10.13 255.255.255.0
!
! Unused ports kept administratively down.
interface FastEthernet0/2
no ip address
shutdown
!
interface FastEthernet0/3
no ip address
shutdown
!
!
! Default route to the WAN next hop; the two internal LANs sit behind the
! inside router 192.168.10.251.
ip route 0.0.0.0 0.0.0.0 172.16.153.33
ip route 10.211.1.0 255.255.255.0 192.168.10.251
ip route 10.211.2.0 255.255.255.0 192.168.10.251
!
end
gate-central#

Файл конфигурации S-Terra Филиала 1

gate-filial01#sh run
!
! Console account: "password 0" = cleartext; "csp" looks like a vendor
! default — replace before deployment.
username cscons privilege 15 password 0 csp
!
hostname gate-filial01
! Cleartext in the listing; prefer a hashed form if supported.
enable password csp
!
! IKE phase 1: GOST cipher/hash, pre-shared key, VKO key agreement.
! Must match policy 1 on gate-central.
crypto isakmp policy 1
encr gost
hash gost
authentication pre-share
group vko
!
! Pre-shared key for the central peer (172.16.153.34 = gate-central
! Fa0/0). Same value as the branch-2 key — see note on gate-central.
crypto isakmp key @Wsxdr56 address 172.16.153.34
!
! IPsec phase 2 proposal: ESP, GOST 28147-89 with integrity (imit).
crypto ipsec transform-set CTS-GOST-IMIT esp-gost28147-4m-imit
!
! Crypto ACL: branch-1 networks (transit link 192.168.111.0/30,
! 10.111.1.0/24, 10.111.2.0/24, 10.226.1.0/24) -> central LANs
! (192.168.10.0/24, 10.211.1.0/24, 10.211.2.0/24).
! Mirror image of ACL-CRYPTO-FILIAL01 on gate-central.
ip access-list extended ACL-CRYPTO-CENTRAL
permit ip 192.168.111.0 0.0.0.3 192.168.10.0 0.0.0.255
permit ip 192.168.111.0 0.0.0.3 10.211.1.0 0.0.0.255
permit ip 192.168.111.0 0.0.0.3 10.211.2.0 0.0.0.255
permit ip 10.111.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.111.1.0 0.0.0.255 10.211.1.0 0.0.0.255
permit ip 10.111.1.0 0.0.0.255 10.211.2.0 0.0.0.255
permit ip 10.111.2.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.111.2.0 0.0.0.255 10.211.1.0 0.0.0.255
permit ip 10.111.2.0 0.0.0.255 10.211.2.0 0.0.0.255
permit ip 10.226.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.226.1.0 0.0.0.255 10.211.1.0 0.0.0.255
permit ip 10.226.1.0 0.0.0.255 10.211.2.0 0.0.0.255
!
!
! Single crypto map entry towards the central gateway; PFS via VKO.
crypto map CRYPTO-MAP 100 ipsec-isakmp
match address ACL-CRYPTO-CENTRAL
set transform-set CTS-GOST-IMIT
set pfs vko
set peer 172.16.153.34
!
! Outside (WAN) interface, /30 to the provider; crypto map bound here.
! No inbound filter for non-IPsec traffic is shown — confirm the
! platform default.
interface FastEthernet0/0
ip address 172.16.242.130 255.255.255.252
crypto map CRYPTO-MAP
!
! Inside interface: /30 transit link to the branch router 192.168.111.2.
interface FastEthernet0/1
ip address 192.168.111.1 255.255.255.252
!
! Unused ports kept administratively down.
interface FastEthernet0/2
no ip address
shutdown
!
interface FastEthernet0/3
no ip address
shutdown
!
!
! Default route to the WAN next hop; all branch LANs are reached via the
! inside router 192.168.111.2.
ip route 0.0.0.0 0.0.0.0 172.16.242.129
ip route 10.111.1.0 255.255.255.0 192.168.111.2
ip route 10.111.2.0 255.255.255.0 192.168.111.2
ip route 10.226.1.0 255.255.255.0 192.168.111.2
!
end
gate-filial01#

Файл конфигурации S-Terra Филиала 2

gate-filial02#sh run
!
! Console account: "password 0" = cleartext; "csp" looks like a vendor
! default — replace before deployment.
username cscons privilege 15 password 0 csp
hostname gate-filial02
! Cleartext in the listing; prefer a hashed form if supported.
enable password csp
!
! IKE phase 1: GOST cipher/hash, pre-shared key, VKO key agreement.
! Must match policy 1 on gate-central.
crypto isakmp policy 1
encr gost
hash gost
authentication pre-share
group vko
!
! Pre-shared key for the central peer (172.16.153.34 = gate-central
! Fa0/0). Same value as the branch-1 key — see note on gate-central.
crypto isakmp key @Wsxdr56 address 172.16.153.34
!
! IPsec phase 2 proposal: ESP, GOST 28147-89 with integrity (imit).
crypto ipsec transform-set CTS-GOST-IMIT esp-gost28147-4m-imit
!
! Crypto ACL: branch-2 LANs (10.211.19.0/24, 10.211.5.0/24) -> central
! LANs (192.168.10.0/24, 10.211.1.0/24, 10.211.2.0/24).
! Mirror image of ACL-CRYPTO-FILIAL02 on gate-central.
ip access-list extended ACL-CRYPTO-CENTRAL
permit ip 10.211.19.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.211.19.0 0.0.0.255 10.211.1.0 0.0.0.255
permit ip 10.211.19.0 0.0.0.255 10.211.2.0 0.0.0.255
permit ip 10.211.5.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.211.5.0 0.0.0.255 10.211.1.0 0.0.0.255
permit ip 10.211.5.0 0.0.0.255 10.211.2.0 0.0.0.255
!
!
! Single crypto map entry towards the central gateway; PFS via VKO.
crypto map CRYPTO-MAP 100 ipsec-isakmp
match address ACL-CRYPTO-CENTRAL
set transform-set CTS-GOST-IMIT
set pfs vko
set peer 172.16.153.34
!
! Outside (WAN) interface; crypto map bound here. No inbound filter for
! non-IPsec traffic is shown — confirm the platform default.
interface FastEthernet0/0
ip address 172.16.31.3 255.255.255.240
crypto map CRYPTO-MAP
!
! Inside (LAN) interface on 10.211.19.0/24.
interface FastEthernet0/1
ip address 10.211.19.50 255.255.255.0
!
! Unused ports kept administratively down.
interface FastEthernet0/2
no ip address
shutdown
!
interface FastEthernet0/3
no ip address
shutdown
!
!
! Default route to the WAN next hop; 10.211.5.0/24 sits behind the inside
! router 10.211.19.5.
ip route 0.0.0.0 0.0.0.0 172.16.31.1
ip route 10.211.5.0 255.255.255.0 10.211.19.5
!
end
gate-filial02#
