IPsec Tunnels With NAT
| Document revision: | 1 (Mon Jul 19 09:42:24 GMT 2004) |
| Applies to: | V2.8 |
Application Examples
Summary
This manual contains information about adding new secure connections to existing infrastructure.
Description
During this tutorial we will discuss configuration depicted in the following diagram:
The networks M1 and M3 are interconnected via IPsec tunnel. MT1 and Cisco represent respective gateways for these networks.
The objective is to configure secure connection between M2 and M3 networks without changing Cisco router's configuration.
Configuration PrerequisitesWe are assuming that the secure connection between MT1 and Cisco routers is already configured and tested. This is presented in the following diagram:
Here is an extract from the MT1 router's configuration describing the required IPsec policy, peer and routing settings:
/ ip ipsec policy
add src-address=100.0.0.0/24:any dst-address=200.0.0.0/24:any protocol=all \
action=encrypt level=require ipsec-protocols=esp tunnel=yes \
sa-src-address=10.0.0.2 sa-dst-address=10.0.0.1 proposal=default \
manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
add address=10.0.0.1/32:500 secret="gvejimezyfopmekun" generate-policy=no \
exchange-mode=main send-initial-contact=yes proposal-check=obey \
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d \
lifebytes=0 disabled=no
/ ip route
add dst-address=200.0.0.0/24 preferred-source=0.0.0.0 gateway=10.0.0.1 \
distance=1 comment="" disabled=no
ToDo List
- Configure IP addresses on MT1 and MT2 routers
- Add NAT rule to MT1 router
- Test connection between M2 and M3 networks
- Secure the connection between MT1 and MT2 routers
- Perform final testing of the connection between M2 and M3 networks
Addressing and Routing Configuration
IP addressing configuration:
-
Router MT1:
/ ip address add address=192.168.0.2/24 network=192.168.0.0 broadcast=192.168.0.255 \ interface=toMT2 comment="Public to MT2" disabled=no -
Router MT2:
/ ip address add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 \ interface=toMT1 comment="Public to MT1" disabled=no add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 \ interface=Local comment="Local to M2" disabled=no
IP routing configuration:
-
Router MT1:
/ ip route add dst-address=192.168.1.0/24 preferred-source=0.0.0.0 gateway=192.168.0.1 \ distance=1 comment="" disabled=no -
Router MT2:
/ ip route add dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=192.168.0.2 \ distance=1 comment="" disabled=no
NAT configuration on MT1
It is necessary to add src-nat rule to router MT1 in order for incoming packets from M2 network to match IPsec policy rule for traffic between M1 and M3 networks.
-
Router MT1:
/ ip firewall src-nat add src-address=192.168.1.0/24 action=nat to-src-address=100.0.0.5 \ comment="Change src-address of incoming packets to confirm to \ the IPsec policy" disabled=no
Connection Testing
To test connection between M2 and M3 networks, issue the following command on the MT2 router:
[admin@MT2] ip ipsec policy> /ping 200.0.0.1 src-address=192.168.1.2
On MT1 router you should see out-encrypt and in-decrypted counters incrementing after issuing the following command:
[admin@MT1] > /ip ips cou print interval=1s
out-accept: 95222
out-accept-isakmp: 179
out-drop: 213
out-encrypt: 11712
in-accept: 86895
in-accept-isakmp: 249
in-drop: 0
in-decrypted: 11712
in-drop-encrypted-expected: 39
[admin@ID] >
Securing connection between MT1 and MT2
Now the traffic between M2 and M3 networks runs partially unencrypted, particulary between M1 and M2 routers. In this part we will add two IPsec policy rules to protect this traffic.
IPsec policy configuration
-
Router MT1:
/ ip ipsec policy add src-address=200.0.0.0/24:any dst-address=192.168.1.0/24:any protocol=all \ action=encrypt level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=192.168.0.2 sa-dst-address=192.168.0.1 proposal=default \ manual-sa=none dont-fragment=clear disabled=no -
Router MT2:
/ ip ipsec policy add src-address=192.168.1.0/24:any dst-address=200.0.0.0/24:any protocol=all \ action=encrypt level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=192.168.0.1 sa-dst-address=192.168.0.2 proposal=default \ manual-sa=none dont-fragment=clear disabled=no
IPsec peer configuration
-
Router MT1:
/ ip ipsec peer add address=192.168.0.1/32:500 secret="hikaroteki" generate-policy=no \ exchange-mode=main send-initial-contact=yes proposal-check=obey \ hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d \ lifebytes=0 disabled=no -
Router MT2:
/ ip ipsec peer add address=192.168.0.2/32:500 secret="hikaroteki" generate-policy=no \ exchange-mode=main send-initial-contact=yes proposal-check=obey \ hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d \ lifebytes=0 disabled=no
Final Connection Testing
To test the connection, issue the following command on MT2 router:
[admin@MT2] ip ipsec policy> /ping 200.0.0.1 src-address=192.168.1.2
On MT1 router you should see out-encrypt and in-decrypted counters incrementing after issuing the following command:
[admin@MT1] > /ip ips cou print interval=1s
out-accept: 95222
out-accept-isakmp: 179
out-drop: 213
out-encrypt: 11712
in-accept: 86895
in-accept-isakmp: 249
in-drop: 0
in-decrypted: 11712
in-drop-encrypted-expected: 39
[admin@MT1] >
On MT2 router you should see out-encrypt and in-decrypted counters incrementing after issuing the following command:
[admin@MT2] > /ip ips cou print interval=1s
out-accept: 1948171
out-accept-isakmp: 134
out-drop: 9
out-encrypt: 52206
in-accept: 96908
in-accept-isakmp: 78
in-drop: 0
in-decrypted: 6255
in-drop-encrypted-expected: 0
[admin@MT2] >