IPSec Tunnel Configuration Example - Palo Alto Networks Firewall - Cisco ASA


61602
Created On 09/25/18 17:15 PM - Last Modified 06/13/23 01:50 AM


Resolution


Below is an example IPSec tunnel configuration for a Palo Alto Networks firewall that peers with a Cisco ASA firewall. Each phase shows the ASA CLI first, then the matching Palo Alto Networks configuration as XML.

Phase 1 Proposal

Cisco ASA:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

 

Palo Alto Networks Firewall:

<ike-crypto-profiles>
   <entry name="default">
      <encryption>
         <member>aes192</member>
         <member>aes256</member>
         <member>aes128</member>
         <member>3des</member>
      </encryption>
      <hash>
         <member>sha1</member>
         <member>md5</member>
      </hash>
      <dh-group>
         <member>group2</member>
         <member>group1</member>
      </dh-group>
      <lifetime>
         <hours>24</hours>
      </lifetime>
   </entry>
</ike-crypto-profiles>


Phase 2 Proposal

Cisco ASA:

crypto ipsec transform-set PaloAlto esp-aes-256 esp-sha-hmac
crypto map outside 20 set transform-set PaloAlto

 

Palo Alto Networks Firewall:

<ipsec-crypto-profiles>
   <entry name="default">
      <esp>
         <encryption>
            <member>aes256</member>
         </encryption>
         <authentication>
            <member>sha1</member>
         </authentication>
      </esp>
      <dh-group></dh-group>
      <lifetime>
         <hours>24</hours>
      </lifetime>
   </entry>
</ipsec-crypto-profiles>

 

Gateway

Cisco ASA:

crypto map outside 20 set peer 10.9.3.8
tunnel-group 10.9.3.8 type ipsec-l2l
tunnel-group 10.9.3.8 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite
prompt hostname context
Cryptochecksum:2e764f8b78fffa0bef7a212795ec0ebe

 

Palo Alto Networks Firewall:

<gateway>
   <entry name="XYZ.ASA">
      <peer-address>
         <ip>10.88.12.253</ip>
      </peer-address>
      <local-address>
         <ip>10.9.3.8/24</ip>
         <interface>ethernet1/1</interface>
      </local-address>
      <authentication>
         <pre-shared-key>
            <key>k2VXNMN7gOjEFUe6y8ALut8vWzxw5TY0</key>
         </pre-shared-key>
      </authentication>
      <protocol>
         <ikev1>
            <exchange-mode>auto</exchange-mode>
            <ike-crypto-profile>default</ike-crypto-profile>
            <dpd>
               <enable>yes</enable>
               <interval>10</interval>
               <retry>3</retry>
            </dpd>
         </ikev1>
      </protocol>
   </entry>
</gateway>


 

Phase 2 - Proxy ID / Tunnel

Cisco ASA:

access-list ASAtoPAN extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0
crypto map outside 20 match address ASAtoPAN

 

Palo Alto Networks Firewall:

<tunnel>
   <ipsec>
      <entry name="XYZTunnel">
         <anti-replay>no</anti-replay>
         <copy-tos>no</copy-tos>
         <tunnel-monitor>
            <enable>no</enable>
         </tunnel-monitor>
         <tunnel-interface>tunnel1</tunnel-interface>
         <auto-key>
            <ike-gateway>
               <entry name="XYZ.ASA"></entry>
            </ike-gateway>
            <ipsec-crypto-profile>default</ipsec-crypto-profile>
            <proxy-id>
               <local>10.61.0.0/16</local>
               <remote>10.211.168.0/22</remote>
            </proxy-id>
         </auto-key>
      </entry>
   </ipsec>
</tunnel>


Note: The Protocol field under the Proxy ID must match on both sides, and the local/remote networks in the Proxy ID must mirror the source/destination networks of the ASA crypto-map access list, or Phase 2 will not negotiate.
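As an added consistency check (not part of this article, nor a Palo Alto Networks or Cisco tool), the following Python script reads the ASA commands and the Palo Alto Networks XML shown above and reports any Phase 1, Phase 2 or Proxy-ID parameter that does not line up between the two peers. The ASA-to-PAN-OS keyword mapping is an assumption that covers only the algorithms used in this article, and the proxy-id element is placed directly under the root to keep the sample short.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed inputs copied from the article: the ASA CLI and the PAN entries as XML.
ASA_CFG = """crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
crypto ipsec transform-set PaloAlto esp-aes-256 esp-sha-hmac
access-list ASAtoPAN extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0"""
PAN_XML = """<config><ike-crypto-profiles><entry name="default">
<encryption><member>aes192</member><member>aes256</member><member>aes128</member><member>3des</member></encryption>
<hash><member>sha1</member><member>md5</member></hash>
<dh-group><member>group2</member><member>group1</member></dh-group></entry></ike-crypto-profiles>
<ipsec-crypto-profiles><entry name="default"><esp><encryption><member>aes256</member></encryption>
<authentication><member>sha1</member></authentication></esp></entry></ipsec-crypto-profiles>
<proxy-id><local>10.61.0.0/16</local><remote>10.211.168.0/22</remote></proxy-id></config>"""

# ASA keyword -> PAN-OS member name (assumed mapping; covers the algorithms used above).
ASA_TO_PAN = {"3des": "3des", "aes": "aes128", "aes-256": "aes256", "sha": "sha1", "md5": "md5",
              "2": "group2", "esp-aes-256": "aes256", "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}

def members(node, path):
    """Set of <member> values under the given child element of node."""
    return {m.text for m in node.findall(path + "/member")}

def check_tunnel(asa_cfg, pan_xml):
    """Return a list of mismatch descriptions; an empty list means both sides agree."""
    root, problems = ET.fromstring(pan_xml), []
    # Phase 1: each ISAKMP policy value must be one the PAN IKE crypto profile offers.
    ike = root.find("ike-crypto-profiles/entry")
    for key, elem in (("encryption", "encryption"), ("hash", "hash"), ("group", "dh-group")):
        m = re.search(rf"^\s*{key} (\S+)", asa_cfg, re.M)
        if m and ASA_TO_PAN.get(m.group(1)) not in members(ike, elem):
            problems.append(f"phase1 {key} {m.group(1)} not in PAN {elem}")
    # Phase 2: both transform-set algorithms must appear in the PAN IPSec crypto profile.
    esp = root.find("ipsec-crypto-profiles/entry/esp")
    ts = re.search(r"^crypto ipsec transform-set \S+ (\S+) (\S+)", asa_cfg, re.M)
    for alg, elem in ((ts.group(1), "encryption"), (ts.group(2), "authentication")):
        if ASA_TO_PAN.get(alg) not in members(esp, elem):
            problems.append(f"phase2 {alg} not in PAN esp/{elem}")
    # Proxy-ID: the ASA ACL source/destination must mirror the PAN remote/local networks.
    acl = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", asa_cfg)
    asa_src, asa_dst = (ipaddress.ip_network(f"{acl.group(i)}/{acl.group(i + 1)}") for i in (1, 3))
    pid = root.find("proxy-id")
    for side, asa_net in (("remote", asa_src), ("local", asa_dst)):
        if asa_net != ipaddress.ip_network(pid.findtext(side)):
            problems.append(f"proxy-id {side} {pid.findtext(side)} != ASA {asa_net}")
    return problems
```

Running `check_tunnel(ASA_CFG, PAN_XML)` on the article's values returns an empty list; editing either side (for example the Proxy ID local network) makes the corresponding mismatch appear in the result.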

 

Owner: panagent
