Thursday, 28 November 2013

How an IPsec tunnel is built, with Cisco IOS examples

I'm preparing for the 642-637 Secure exam and reading the book of the same name. Now everything about IPsec and GRE is clear and understandable. These are sketches from router configs in GNS.

IKE phase 1 (Main mode or Aggressive mode)
1. Negotiate phase (negotiation of options)
1.1 Hashing: MD5, SHA
1.2 Authentication: PSK, RSA signatures
1.3 Group (DH): 1, 2, 5
1.4 Lifetime of the tunnel without traffic, in seconds
1.5 Encryption: DES, 3DES, AES
2. Set up keys (DH)
3. Authenticate
4. IKE phase 1 SA/tunnel ready


IKE phase 2
1. Negotiate phase 2 (Quick mode)
1.1 Hashing: MD5/SHA HMAC
1.2 (Already authenticated)
1.3 Group/PFS (DH): can be chosen again
1.4 Lifetime: time or data (for the phase 2 tunnel)
1.5 Encryption
2. IKE phase 2 SA/tunnel ready


---
Variant 1 - plain IPsec


!
crypto isakmp policy 100
encr aes
authentication pre-share
group 5
lifetime 360
crypto isakmp key GnsTest address 172.16.2.2
!
!
crypto ipsec transform-set GNSTEST esp-aes esp-sha-hmac
!
crypto map GNS-CM 10 ipsec-isakmp
set peer 172.16.2.2
! the transform-set must be bound to the map entry; without it IOS treats the crypto map as incomplete
set transform-set GNSTEST
match address 101
!
interface Loopback1
ip address 192.168.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
crypto map GNS-CM
!
access-list 101 permit ip host 192.168.1.1 host 192.168.2.1
!
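The lists of IKE phase 1 and phase 2 options above are exactly what an auditor checks in a running configuration: which hash, cipher and DH group a policy negotiates, what the transform-set offers, and how widely a pre-shared key is shared. The following script is an added example (not from the original post): it parses `crypto isakmp policy`, `crypto ipsec transform-set` and `crypto isakmp key ... address` lines like the ones in variant 1 and flags weak choices. The IOS defaults it fills in for omitted policy parameters (encr des, hash sha, authentication rsa-sig, group 1, lifetime 86400) and the "weak" thresholds are assumptions stated in the code; the sample configuration is constructed.

```python
"""Audit the IKEv1/IPsec parameters of a Cisco IOS configuration.

Added example, not from the original post: it parses the text of a running
configuration, fills in the IOS defaults for parameters a policy omits
(assumed here to be encr des / hash sha / authentication rsa-sig / group 1 /
lifetime 86400) and reports weak choices among the negotiated options.
"""
import re
from typing import Dict, List, Tuple

IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": "86400"}
# IOS accepts both spellings of the encryption keyword inside a policy block.
POLICY_KEYWORDS = {"encr": "encr", "encryption": "encr", "hash": "hash",
                   "authentication": "authentication", "group": "group",
                   "lifetime": "lifetime"}

# Thresholds are assumptions following common hardening guidance
# (no DES/3DES, no MD5, no DH groups below 2048 bits); adjust to local policy.
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}
# Transforms that provide integrity at all (the MD5 ones are weak, not absent).
INTEGRITY_TRANSFORMS = {"esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac", "esp-sha384-hmac",
                        "esp-sha512-hmac", "ah-md5-hmac", "ah-sha-hmac", "ah-sha256-hmac",
                        "ah-sha384-hmac", "ah-sha512-hmac"}
AEAD_PREFIX = "esp-gcm"  # AES-GCM transforms carry their own integrity

Finding = Tuple[str, str]  # (where, message)


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {priority: {parameter: value}} with IOS defaults filled in."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(IOS_POLICY_DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        word, _, rest = line.partition(" ")
        if current is not None and word in POLICY_KEYWORDS:
            current[POLICY_KEYWORDS[word]] = rest.strip()
        else:
            current = None  # "!" or any other top-level command ends the block
    return policies


def parse_transform_sets(config: str) -> Dict[str, List[str]]:
    """Return {name: [transform, ...]} for each crypto ipsec transform-set line."""
    pattern = r"^\s*crypto ipsec transform-set (\S+)\s+(.+)$"
    return {m.group(1): m.group(2).split() for m in re.finditer(pattern, config, re.M)}


def parse_psk_scopes(config: str) -> List[Tuple[str, str]]:
    """Return (address, mask) for each `crypto isakmp key ... address` line."""
    pattern = r"^\s*crypto isakmp key (?:[06] )?\S+ address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?"
    return [(m.group(1), m.group(2) or "255.255.255.255")
            for m in re.finditer(pattern, config, re.M)]


def audit(config: str) -> List[Finding]:
    """Collect findings for the whole configuration text."""
    findings: List[Finding] = []
    for prio, p in sorted(parse_isakmp_policies(config).items()):
        where = f"isakmp policy {prio}"
        if p["encr"].split()[0] in WEAK_ENCR:
            findings.append((where, f"weak encryption '{p['encr']}'"))
        if p["hash"] in WEAK_HASH:
            findings.append((where, f"weak hash '{p['hash']}'"))
        if p["group"] in WEAK_DH_GROUPS:
            findings.append((where, f"weak DH group {p['group']} (below 2048 bits)"))
    for name, transforms in parse_transform_sets(config).items():
        where = f"transform-set {name}"
        findings.extend((where, f"weak transform '{t}'") for t in transforms if t in WEAK_TRANSFORMS)
        if not any(t in INTEGRITY_TRANSFORMS or t.startswith(AEAD_PREFIX) for t in transforms):
            findings.append((where, "no integrity protection (ESP without HMAC or AEAD)"))
    for addr, mask in parse_psk_scopes(config):
        if mask != "255.255.255.255":
            findings.append((f"isakmp key address {addr} {mask}",
                             "one pre-shared key shared by every peer in the range"))
    return findings


# Constructed sample: the policy and transform-set from variant 1 plus a
# deliberately weak policy, a legacy transform-set and one without integrity.
SAMPLE_CONFIG = """\
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 5
 lifetime 360
crypto isakmp policy 200
 hash md5
 authentication pre-share
crypto isakmp key GnsTest address 172.16.2.2
crypto isakmp key GnsTest address 10.0.0.0 255.255.0.0
!
crypto ipsec transform-set GNSTEST esp-aes esp-sha-hmac
crypto ipsec transform-set LEGACY esp-3des esp-md5-hmac
crypto ipsec transform-set NOAUTH esp-aes
"""

if __name__ == "__main__":
    for where, message in audit(SAMPLE_CONFIG):
        print(f"{where}: {message}")
```

Run against the sample it reports the DH group 5 of the post's own policy, the three defaulted-or-weak parameters of policy 200, both transforms of the LEGACY set, the missing integrity transform of NOAUTH, and the pre-shared key that a whole /16 of peers share.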


Variant 2 - IPsec over GRE using a crypto map on the physical interface


!
crypto isakmp policy 100
encr aes
authentication pre-share
group 5
lifetime 360
crypto isakmp key GnsTest address 172.16.2.2
!
!
crypto ipsec transform-set GNSTEST esp-aes esp-sha-hmac
!
crypto map GNS-CM 10 ipsec-isakmp
set peer 172.16.2.2
set transform-set GNSTEST
match address 101
!
interface Loopback1
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
ip unnumbered FastEthernet0/0
tunnel source FastEthernet0/0
tunnel destination 172.16.2.2
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
crypto map GNS-CM
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 192.168.0.0 255.255.0.0 Tunnel0
!
access-list 101 permit gre any any
!


Variant 3 - IPsec over GRE using an IPsec profile on a VTI


!
crypto isakmp policy 100
encr aes
authentication pre-share
group 5
lifetime 360
crypto isakmp key GnsTest address 172.16.2.2
!
!
crypto ipsec transform-set GNSTEST esp-aes esp-sha-hmac
!
crypto ipsec profile IPSP
set transform-set GNSTEST
!
!
! this crypto map is not applied to any interface in this variant;
! the IPsec profile bound with "tunnel protection" on Tunnel0 does the job instead
crypto map GNS-CM 10 ipsec-isakmp
set peer 172.16.2.2
set transform-set GNSTEST
match address 101
!
interface Loopback1
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
ip unnumbered FastEthernet0/0
tunnel source FastEthernet0/0
tunnel destination 172.16.2.2
tunnel protection ipsec profile IPSP
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 192.168.0.0 255.255.0.0 Tunnel0
!


Variant 4 - Multipoint GRE with a static NHRP hub and P2P GRE spokes, without IPsec


Hub:
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip nhrp map 172.16.0.10 10.0.1.2
ip nhrp map 172.16.0.11 10.0.2.2
ip nhrp network-id 192
tunnel source 10.0.0.1
tunnel mode gre multipoint
tunnel key 33
!
!


Spoke:
!
interface Tunnel0
ip address 172.16.0.11 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 10.0.0.1
tunnel key 33
!


NHRP must be used here; otherwise the hub knows nothing about the spokes' tunnels.
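Variant 2 filters on `permit gre any any` (IP protocol 47) and variants 4 to 6 set `tunnel key 33` on both ends. The script below is an added example (not from the original post) showing what is actually on the wire: it builds and parses the GRE header of RFC 2784/2890 with its optional checksum and key fields, wraps it in an outer IPv4 header so the protocol-47 match can be tested, and mirrors the assumed IOS rule for `tunnel key` (the key on the wire must equal the configured one, or both must be absent, else the packet is dropped). All addresses are taken from the configs above and the traffic is constructed.

```python
"""GRE encapsulation as used by the tunnel interfaces in the configs above.

Added example, not from the original post: builds and parses the GRE header
(RFC 2784/2890) with the optional checksum and key fields, wraps it in an
outer IPv4 header so the `permit gre any any` match (IP protocol 47) can be
checked, and mirrors the assumed IOS `tunnel key` behaviour: a packet is
accepted only when the key on the wire equals the configured one.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GRE_FLAG_C = 0x8000      # checksum present
GRE_FLAG_K = 0x2000      # key present
GRE_FLAG_S = 0x1000      # sequence number present
GRE_VERSION_MASK = 0x0007
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


@dataclass
class GreHeader:
    protocol: int
    key: Optional[int] = None
    seq: Optional[int] = None
    checksum: Optional[int] = None


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum (IP, GRE)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, protocol: int = ETHERTYPE_IPV4, key: Optional[int] = None,
              seq: Optional[int] = None, with_checksum: bool = False) -> bytes:
    """Prepend a GRE header; optional fields appear in the order C, K, S."""
    flags = ((GRE_FLAG_C if with_checksum else 0)
             | (GRE_FLAG_K if key is not None else 0)
             | (GRE_FLAG_S if seq is not None else 0))
    header = struct.pack("!HH", flags, protocol)
    if with_checksum:
        header += struct.pack("!HH", 0, 0)          # checksum placeholder + reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    if with_checksum:
        csum = inet_checksum(header + payload)      # computed with the field zeroed
        header = header[:4] + struct.pack("!HH", csum, 0) + header[8:]
    return header + payload


def parse_gre(packet: bytes) -> Tuple[GreHeader, bytes]:
    """Split a GRE packet into header and payload, verifying the checksum if present."""
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("not GRE version 0")
    offset, checksum, key, seq = 4, None, None, None
    if flags & GRE_FLAG_C:
        checksum, _ = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_K:
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_S:
        (seq,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if checksum is not None and inet_checksum(packet[:4] + b"\x00\x00" + packet[6:]) != checksum:
        raise ValueError("GRE checksum mismatch")
    return GreHeader(protocol, key, seq, checksum), packet[offset:]


def tunnel_accepts(gre_packet: bytes, configured_key: Optional[int]) -> bool:
    """Assumed IOS behaviour for `tunnel key`: keys must match exactly (or both be absent)."""
    try:
        header, _ = parse_gre(gre_packet)
    except (ValueError, struct.error):
        return False
    return header.key == configured_key


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = IPPROTO_GRE, ttl: int = 255) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:] + payload


def is_gre(ip_packet: bytes) -> bool:
    """What `access-list 101 permit gre any any` tests: the IP protocol field is 47."""
    return ip_packet[9] == IPPROTO_GRE


if __name__ == "__main__":
    # Constructed traffic: the loopback-to-loopback packet of variant 2, tunnelled
    # between the physical addresses and keyed like the tunnels in variants 4-6.
    inner = build_ipv4("192.168.1.1", "192.168.2.1", b"ping", proto=1)
    outer = build_ipv4("172.16.1.2", "172.16.2.2", build_gre(inner, key=33, with_checksum=True))
    print("matches permit gre:", is_gre(outer))
    print("accepted with tunnel key 33:", tunnel_accepts(outer[20:], 33))
    print("accepted with tunnel key 34:", tunnel_accepts(outer[20:], 34))
```

The key is carried in clear text, so it only separates tunnels and catches misconfiguration; it is not an authenticator, which is why variants 3 and 6 add `tunnel protection ipsec profile` on top of it.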


Variant 5 - Multipoint GRE with a dynamic NHRP hub and multipoint GRE spokes, without IPsec
Hub:
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 33
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 33
!
Spoke:
!
interface Tunnel0
ip address 172.16.0.10 255.255.255.0
no ip redirects
ip nhrp map 172.16.0.1 10.0.0.1
ip nhrp map multicast 10.0.0.1
ip nhrp network-id 33
ip nhrp nhs 172.16.0.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 33
!



Variant 6 - Multipoint GRE with a dynamic NHRP hub and multipoint GRE spokes, with IPsec


Hub:
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 5
lifetime 360
crypto isakmp key GnsTest address 10.0.0.0 255.255.0.0
!
!
crypto ipsec transform-set GNSTEST esp-aes esp-sha-hmac
!
crypto ipsec profile IPSP
set transform-set GNSTEST
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 33
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 33
tunnel protection ipsec profile IPSP
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!



Spoke:
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 5
lifetime 360
crypto isakmp key GnsTest address 10.0.0.0 255.255.0.0
!
!
crypto ipsec transform-set GNSTEST esp-aes esp-sha-hmac
!
crypto ipsec profile IPSP
set transform-set GNSTEST
!
interface Tunnel0
ip address 172.16.0.10 255.255.255.0
no ip redirects
ip nhrp map 172.16.0.1 10.0.0.1
ip nhrp map multicast 10.0.0.1
ip nhrp network-id 33
ip nhrp nhs 172.16.0.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 33
tunnel protection ipsec profile IPSP
!
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
duplex auto
speed auto
!
