ISP IPSEC LAB

Source: Internet
Author: User


1-IPSEC Theory
http://down.51cto.com/data/211258

2-IPSEC LAN-to-LAN VPN
I will not go into the LAN-to-LAN VPN details; there is plenty of material on the Internet. The configuration:

R1(config)# crypto isakmp policy 100
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
R1(config-isakmp)# group 1
R1(config-isakmp)# lifetime 60
R1(config-isakmp)# exit
R1(config)# crypto ipsec transform-set cisco ah-md5-hmac
R1(cfg-crypto-trans)# ?
Crypto transform configuration commands:
  default  Set a command to its defaults
  exit     Exit from crypto transform configuration mode
  mode     encapsulation mode (transport/tunnel)
  no       Negate a command or set its defaults
R1(cfg-crypto-trans)# mode tunnel
R1(config)# access-list 100 permit ip 14.1.1.0 0.0.0.255 35.1.1.0 0.0.0.255
R1(config)# crypto map cisco1 100 ipsec-isakmp   \ 100 is the sequence number of this crypto map entry
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# set peer 23.1.1.3
R1(config-crypto-map)# set transform-set cisco
R1(config-crypto-map)# set security-association lifetime seconds 6000
R1(config)# int s1/0
R1(config-if)# crypto map cisco1
R1(config)# crypto isakmp key cisco address 23.1.1.3

Show commands:
  show crypto isakmp sa [detail]
  show crypto ipsec sa

R1# show crypto engine connections active
Crypto Engine Connections
   ID  Type   Algorithm  Encrypt  Decrypt  IP-Address
    5  IPsec  MD5              0      623  12.1.1.1
    6  IPsec  MD5            623        0  12.1.1.1

R1# show crypto session
Crypto session current status
Interface: Serial1/0
Session status: UP-NO-IKE
Peer: 23.1.1.3 port 500
  IPSEC FLOW: permit ip 14.1.1.0/255.255.255.0 35.1.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Clear commands:
  R1# clear crypto isakmp
  R1# clear crypto sa
Debug commands:
  debug crypto isakmp
  debug crypto ipsec

3-IPSEC and inbound ACLs
If an inbound access list is applied on the interface that carries the crypto map (for example ip access-group 102 in on s1/0), it must permit esp, udp port 500 (ISAKMP) and ahp, otherwise the peer's IPsec traffic is dropped before the crypto map ever sees it. The crypto map itself works in the outbound direction.

4-IPSEC over GRE
The networks behind R1 and R3 cannot run a dynamic routing protocol across a plain IPsec LAN-to-LAN tunnel, so IPsec over GRE is used to solve this. Note that it only encrypts the user traffic behind R1 and R3.

R2(config)# ip route 10.1.1.0 255.255.255.0 f0/1
R2(config)# ip route 10.1.2.0 255.255.255.0 f1/0
R1(config)# int tunnel 13
R1(config-if)# no shut
R1(config-if)# ip add 192.168.1.1 255.255.255.252
R1(config-if)# tunnel source f0/1
R1(config-if)# tunnel destination 200.1.1.2
R1(config)# ip route 10.1.2.0 255.255.255.0 Tunnel13
R3# sh run int tunnel 13
Building configuration...
Current configuration : 130 bytes
!
interface Tunnel13
 ip address 192.168.1.2 255.255.255.252
 tunnel source FastEthernet1/0
 tunnel destination 100.1.1.1
R3(config)# ip route 10.1.1.0 255.255.255.0 Tunnel13

Configuration key points:
1) The tunnel addresses at both ends must be in the same network segment.
2) Do not forget to configure a route to the other party's private network through the tunnel.

Verify that the GRE tunnel works from R5:
R5# traceroute 10.1.1.4
Type escape sequence to abort.
Tracing the route to 10.1.1.4
  1 10.1.2.3 84 msec 64 msec 20 msec
  2 192.168.1.1 80 msec 96 msec 84 msec
  3 10.1.1.4 80 msec * 112 msec

Note: do not advertise the public network used as the GRE tunnel source and destination in the dynamic routing protocol. Otherwise the tunnel and the dynamic routing protocol flap up and down. The GRE tunnel is built on the default route, and the dynamic routes are learned through the GRE tunnel. If the public network is also advertised, R1 learns 10.1.1.0 from the Tunnel0 port; the tunnel was originally established through the default route out of fa0/0, but now the best path to the tunnel destination points into Tunnel0 itself (longest-match rule of the routing table), so the default route is no longer used. This is a recursive routing contradiction: the router cannot resolve the tunnel destination, the tunnel keepalive times out and the tunnel goes down.
Naturally, the dynamic routing protocol running over the GRE tunnel also goes down. At that moment the dynamic route is gone and the default route used to establish the GRE tunnel matches again, so the tunnel comes up again, the dynamic route comes up again, and the cycle repeats: a permanent up/down flap.

Now add IPsec on R1:
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 add 200.1.1.2
R1(config)# crypto ipsec transform-set yeslab esp-des esp-sha-hmac
R1(cfg-crypto-trans)# mode tunnel
R1(cfg-crypto-trans)# exit
R1(config)# crypto map fuyi 10 ipsec-isakmp
R1(config-crypto-map)# set peer 200.1.1.2   \ if the peer is set to a loopback address you also need: crypto map fuyi local-address lo 0
R1(config-crypto-map)# set transform-set yeslab
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# exit
R1(config)# access-list 100 per ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

IKE phase 1 verifies the identity of the remote peer and then establishes a secure, authenticated channel for further negotiation. The phase 1 negotiation covers the encryption and hash algorithms that protect IKE itself, the authentication method (pre-shared key, public-key encryption or digital signature), and the Diffie-Hellman group used to generate the session key material. After phase 1, one bidirectional ISAKMP/IKE SA exists for communication.
IKE phase 2 protects user data and establishes the IPsec SA. The phase 2 negotiation covers the encapsulation protocol (ESP or AH), the protection algorithms (DES, 3DES, AES, SHA), optional key material, and the network or IP traffic to be protected. After phase 2, IKE has established two one-way IPsec SAs for user data (one for sending user data and one for receiving encrypted data).

Before encryption:
After encryption:

R1(config)# int tunnel 13
R1(config-if)# crypto map fuyi
R1# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
                100.1.1.1       QM_IDLE           1001 ACTIVE

R1# show crypto ipsec sa
interface: Tunnel13
    Crypto map tag: fuyi, local addr 100.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   current_peer 200.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 100.1.1.1, remote crypto endpt.: 200.1.1.2
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel13
     current outbound spi: 0x554186D6(1430357718)
     PFS (Y/N): N, DH group: none

5-GRE over IPSEC
Define the interesting traffic as the GRE traffic itself. Transport mode can then be used to protect all the traffic, including the user traffic behind R1/R3 and the dynamic routing protocol running between R1 and R3 over the tunnel, because the communication endpoints and the encryption endpoints are the same (100.1.1.1 <--> 200.1.1.2). Tunnel mode can of course be used as well.
How to understand GRE over IPsec: establish an IPsec tunnel and define the interesting traffic for that tunnel as GRE. Whenever a GRE packet is seen, IPsec encrypts it. Therefore everything that passes through the GRE tunnel is processed by IPsec once more; this is the foundation of the GRE over IPsec lab. Modify the IPsec over GRE configuration as follows.

<step1> Add the interesting traffic on R1/R3:
R1# sh access-lists
Extended IP access list 100
    10 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Extended IP access list 101
    10 permit ip 0.0.0.0 255.255.255.252 0.0.0.0 255.255.255.252
<step2> Remove crypto map fuyi from the tunnel interface:
R1(config)# interface tunnel 13
R1(config-if)# no crypto map fuyi
<step3> Change the crypto map's interesting traffic:
R1(config)# crypto map fuyi 10 ipsec-isakmp
R1(config-crypto-map)# no match add 100
R1(config-crypto-map)# match add 101
<step4> Apply the crypto map on the outbound physical interface:
R1(config)# int f0/1
R1(config-if)# crypto map fuyi

6-IPSEC and NAT
AH computes its hash over the IP header, so it cannot traverse NAT. ESP in transport mode cannot traverse NAT either, because it does not generate a new IP header. NAT traversal is on by default; to disable it for the test:
  no crypto ipsec nat-tra udp-en

Define the interesting traffic:
R1# sh access-lists
Extended IP access list 101
    10 permit ip host 10.1.1.4 host 10.1.2.5 (9 matches)
R1# sh run | se cry
no service password-encryption
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.2
crypto ipsec transform-set yeslab esp-des esp-sha-hmac
crypto map fuyi 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set yeslab
 match address 101
 crypto map fuyi   \ applied on the interface

R2# sh run | se ip nat
 ip nat inside    \ f0/1
 ip nat outside   \ f1/0
ip nat inside source list 100 interface FastEthernet1/0 overload
R2# sh access-lists
Extended IP access list 100
    20 permit ip host 100.1.1.1 host 200.1.1.2 (6 matches)

R3# sh run | se cry
no service password-encryption
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1   \ note the peer address: R2's NAT outside address
crypto ipsec transform-set yeslab esp-des esp-sha-hmac
crypto map fuyi 10 ipsec-isakmp
 set peer 200.1.1.1   \ note the peer address
 set transform-set yeslab
 match address 101
 crypto map fuyi

Test result:
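To make the difference between the IPsec over GRE design (section 4) and the GRE over IPsec design (section 5) concrete, here is an added Python model, not part of the lab, of how a crypto map's interesting-traffic ACL is evaluated against the packet the interface actually sees: the inner packet on Tunnel13 for IPsec over GRE, the GRE outer packet on f0/1 for GRE over IPsec. The GRE-over-IPsec ACL 101 (`permit gre host 100.1.1.1 host 200.1.1.2`) and the two sample flows are constructed for this example.

```python
import ipaddress

# Added example, not the lab's own code. ACL 100 is the lab's IPsec-over-GRE interesting traffic
# (crypto map on Tunnel13); ACL 101 is a constructed GRE-over-IPsec one (crypto map on f0/1).
ACL_100 = ["permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255"]
ACL_101 = ["permit gre host 100.1.1.1 host 200.1.1.2"]
TUNNEL_SRC, TUNNEL_DST = "100.1.1.1", "200.1.1.2"  # Tunnel13 source/destination from the lab

def _parse_addr(tokens, i):
    """Parse 'host A' or 'A WILDCARD'; return (network, index of the next token)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # Cisco wildcard: 0 bits must match. Assumes a contiguous wildcard, so it maps to a prefix length.
    plen = 32 - bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False), i + 2

def parse_ace(line):
    """'permit ip SRC DST' -> (action, protocol, src_network, dst_network)."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, _ = _parse_addr(t, i)
    return t[0], t[1], src, dst

def acl_permits(acl, proto, src, dst):
    """First-match evaluation with the implicit deny that IOS appends to every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        action, aproto, asrc, adst = parse_ace(ace)
        if aproto in ("ip", proto) and s in asrc and d in adst:
            return action == "permit"
    return False

def gre_encapsulate(flow):
    """The outer packet f0/1 sees once Tunnel13 has wrapped an inner packet in GRE."""
    return ("gre", TUNNEL_SRC, TUNNEL_DST)

# Constructed flows: user data behind R1/R3, and a routing-protocol update between the tunnel addresses.
FLOWS = {"user_data": ("ip", "10.1.1.4", "10.1.2.5"),
         "routing_update": ("ip", "192.168.1.1", "192.168.1.2")}

def ipsec_over_gre():
    """Crypto map on Tunnel13 matches the inner packet, so only ACL 100 hits are encrypted."""
    return {name: acl_permits(ACL_100, *flow) for name, flow in FLOWS.items()}

def gre_over_ipsec():
    """Crypto map on f0/1 matches the GRE outer packet, so everything in the tunnel is encrypted."""
    return {name: acl_permits(ACL_101, *gre_encapsulate(flow)) for name, flow in FLOWS.items()}
```

Running `ipsec_over_gre()` reports the routing update as not encrypted, which is exactly the gap section 5 closes: `gre_over_ipsec()` reports both flows as encrypted.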
