Scribd Logo
Cargar

¡Te damos la bienvenida a Scribd!

  • Lab Cisco VPN-Generic

    Cargado por

    bliss21
    1K vistas2 páginas
    VPN laborator

    Derechos de autor

    © Attribution Non-Commercial (BY-NC)

    Formatos disponibles

    PDF o lea en línea desde Scribd

    ¿Le pareció útil este documento?

    ¿Este contenido es inapropiado?

    Denunciar este documento
    VPN laborator

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Descargue como PDF o lea en línea desde Scribd
    Marcar por contenido inapropiado
    1K vistas2 páginas

    Lab Cisco VPN-Generic

    Cargado por

    bliss21
    VPN laborator

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Descargue como PDF o lea en línea desde Scribd
    Marcar por contenido inapropiado
    de 2

    Configuring Site-to-Site IPsec VPNs with the IOS CLI

    Un tunel Ipsec trece prin 5 faze, dar nu toate acestea eu nevoie de configurare.
    Pentru a configura site-to-site VPN folosind Cisco CLI este nevoie de urmatorii pasi.

    Step 1: Create ISAKMP Policies (IKE Phase 1)


    IKE will need to be enabled for IPsec to work.
    R1(config)# crypto isakmp enable

    To allow IKE Phase 1 negotiation, you must create an Internet Security Association and Key Management Protocol
    (ISAKMP) policy and configure a peer association involving that ISAKMP policy.

    R1(config)# crypto isakmp policy 10


    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# encryption aes 256
    R1(config-isakmp)# hash sha
    R1(config-isakmp)# group 5
    R1(config-isakmp)# lifetime 3600

    R3(config)# crypto isakmp policy 10


    R3(config-isakmp)# authentication pre-share
    R3(config-isakmp)# encryption aes 256
    R3(config-isakmp)# hash sha
    R3(config-isakmp)# group 5
    R3(config-isakmp)# lifetime 3600

    #show crypto isakmp policy

    Configure Pre-Shared Keys


    Since we chose pre-shared keys as our authentication method in the IKE policy, we must configure a key on each
    router corresponding to the other VPN endpoint. For simplicity we can use the key “cisco”. A production network
    should use a more complex key.

    R1(config)# crypto isakmp key cisco address 192.168.23.3


    R3(config)# crypto isakmp key cisco address 192.168.12.1

    Step 2: Configure the IPsec Transform Set and Lifetimes (IKE phase 2)The IPsec transform set is another
    crypto configuration parameter that routers negotiate to form a security association. Routers will compare their
    transform sets to the remote peer until they find a transform set that matches exactly.
    R1(config)# crypto ipsec transform-set 50-set esp-aes 256 esp-sha-hmac ah-sha-hmac
    R1(config)#mode tunnel
    R1(cfg-crypto-trans)# exit

    R3(config)# crypto ipsec transform-set 70-set esp-aes 256 esp-sha-hmac ah-sha-hmac


    R3(config)#mode tunnel
    R3(cfg-crypto-trans)# exit

    You can also change the IPsec security association lifetimes from its default which is 3600 seconds or 4,608,000
    kilobytes, whichever comes first.

    R1(config)# crypto ipsec security-association lifetime seconds 1800


    R3(config)# crypto ipsec security-association lifetime seconds 1800

    Step 3: Define Interesting Traffic


    Now that most of the encryption settings are in place, define extended access lists to tell the router which traffic to
    encrypt. A packet that is denied by one of these access lists will not be dropped; it will be sent unencrypted.

    R1(config)# access-list 101 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23


    R3(config)# access-list 101 permit tcp 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 23

    Usually, it is very important that the two lists be mirror images of each other. The source address in one list must be
    the destination address in the other and vice versa.

    Step 4: Create and Apply Crypto Maps


    A crypto map is a mapping that associates traffic matching an access list (like the one we created earlier) to a peer
    and various IKE and IPsec settings (transform set). Crypto maps can have multiple map statements, so you can have
    traffic that matches a certain access list being encrypted and sent to one IPsec peer, and have other traffic that
    matches a different access list being encrypted towards a different peer.

    R1(config)# crypto map MYMAP 10 ipsec-isakmp


    R1(config-crypto-map)# match address 101
    R1(config-crypto-map)# set peer 192.168.23.3
    R1(config-crypto-map)# set pfs group5
    R1(config-crypto-map)# set transform-set 50-set
    R1(config-crypto-map)# set security-association lifetime seconds 900

    R3(config)# crypto map MYMAP 10 ipsec-isakmp


    R3(config-crypto-map)# match address 101
    R3(config-crypto-map)# set peer 192.168.12.1
    R3(config-crypto-map)# set pfs group5
    R3(config-crypto-map)# set transform-set 70-set
    R3(config-crypto-map)# set security-association lifetime seconds 900

    R1(config)# interface fastethernet0/0


    R1(config-if)# crypto map MYMAP
    *Jan 17 04:09:09.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

    R3(config)# interface serial0/0/1


    R3(config-if)# crypto map MYMAP
    *Jan 17 04:10:54.138: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

    Step 5: Verify IPsec Configuration


    show crypto ipsec transform-set
    show crypto map

    Step 6: Verify IPsec Operation


    //IKE phase 1 tunnel, QM_IDLE - IKE SA active & operational
    show crypto isakmp sa

    //IKE phase 2 tunnel


    show crypto ipsec sa
    debug crypto isakmp
    debug ip packet
    show access-lists

    También podría gustarte