Cisco VPN

Configuring an IPsec VPN

PART 1: Defining IKE

1
Define the crypto isakmp policy (must match on both endpoints)
(config)# crypto isakmp policy <policy-id>
(config-isakmp)# authentication pre-share
(config-isakmp)# group <bit-type>
  bit-type 1 uses a 768-bit key, 2 uses a 1024-bit key
(config-isakmp)# encryption <encryption-method>  //optional
  common methods are 3des and aes 128
(config-isakmp)# lifetime 60  //optional
  the default is 86400 seconds (1 day)
2
Define the ISAKMP pre-shared key
(config)# crypto isakmp key <samekey> address <site-ip>

PART 2: Defining IPsec
1
Define the transform set
(config)# crypto ipsec transform-set <transform-set-name> <para>
common values for para are
esp-3des esp-sha-hmac
ah-md5-hmac esp-des esp-md5-hmac

2
Define the crypto map
(config)# crypto map <crypt-name> <seq-num> ipsec-isakmp  (must match on both endpoints)
  seq-num is the sequence number of this entry within the map
(config-crypto-map)# set peer <site-ip>
(config-crypto-map)# set transform-set <transform-set-name>
(config-crypto-map)# match address <acl>
  the acl selects the traffic allowed to use IPsec, e.g. access-list <acl> permit ip <src net> <dst net>
(config-crypto-map)# set security-association lifetime seconds <sec>  //optional
3
Apply the crypto map to an interface
(config)# interface <int>
(config-if)# crypto map <crypt-name>
IPsec rules are applied to packets as they leave that interface

ex:
The IPsec VPN's local site is 10.1.1.1 and the remote site is 10.1.1.2
IKE: policy 1, pre-share authentication, isakmp key thisiskey
IPsec only permits 172.16.1.0/24 to 172.16.100.0/24; the IPsec VPN starts when that traffic enters gi0/1

IKE
1.1
r1(config)# crypto isakmp policy 1
r1(config-isakmp)# authentication pre-share
1.2
r1(config)# crypto isakmp key thisiskey address 10.1.1.2

IPsec
2.1
(config)# crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
2.2
(config)# crypto map is 10 ipsec-isakmp
(config-crypto-map)# set peer 10.1.1.2
(config-crypto-map)# set transform-set ts1
(config-crypto-map)# match address 101
(config)# access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.100.0 0.0.0.255
2.3
(config)# interface gi0/1
(config-if)# crypto map is
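
The notes above say several times that the isakmp policy, the pre-shared key, the transform set and the crypto map must match on both endpoints, and a mismatch in any of them is the usual reason a tunnel never comes up. As an added example (not part of the original notes), the Python script below parses those lines out of two routers' running-config text and reports every mismatch it finds. R1_CONFIG follows the worked example above; R2_CONFIG is a constructed peer configuration written to mirror it. Policy attributes a router does not set are filled with the IOS defaults so that an explicit `group 2` on one side is compared against the implicit `group 1` on the other.

```python
import re

# Constructed sample configurations (not copied from a device). R1 follows the
# worked example above; R2 is a hypothetical peer written to mirror it.
R1_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
 group 2
 encryption 3des
crypto isakmp key thisiskey address 10.1.1.2
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
crypto map is 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set ts1
 match address 101
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.100.0 0.0.0.255
"""
R2_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
 group 2
 encryption 3des
crypto isakmp key thisiskey address 10.1.1.1
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
crypto map is 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set ts1
 match address 101
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

# IOS values taken by isakmp policy attributes that a policy does not set explicitly.
POLICY_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1", "lifetime": "86400"}


def parse_config(cfg):
    """Pull isakmp policies, pre-shared keys, transform sets, crypto maps and crypto ACLs out of IOS config text."""
    out = {"policies": {}, "keys": {}, "transform_sets": {}, "maps": [], "acls": {}}
    block = None  # the policy dict or crypto-map entry whose indented sub-commands follow
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        indented, line = raw.startswith(" "), raw.strip()
        if not indented:
            block = None
            if m := re.match(r"crypto isakmp policy (\d+)$", line):
                block = out["policies"].setdefault(m.group(1), dict(POLICY_DEFAULTS))
            elif m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
                out["keys"][m.group(2)] = m.group(1)
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
                out["transform_sets"][m.group(1)] = frozenset(m.group(2).split())
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
                block = {"name": m.group(1), "seq": m.group(2), "peers": set(), "sets": set(), "acl": None}
                out["maps"].append(block)
            elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
                out["acls"].setdefault(m.group(1), []).append(m.groups()[1:])  # (src, wc, dst, wc)
        elif block is not None:
            key, _, value = line.partition(" ")
            words = value.split()
            if "peers" in block:  # crypto map sub-commands
                if key == "set" and words[0] == "peer":
                    block["peers"].add(words[1])
                elif key == "set" and words[0] == "transform-set":
                    block["sets"].update(words[1:])
                elif key == "match" and words[0] == "address":
                    block["acl"] = words[1]
            elif key in POLICY_DEFAULTS:  # isakmp policy sub-commands
                block[key] = value
    return out


def check_peers(cfg_a, addr_a, cfg_b, addr_b):
    """Return the mismatches between two peers' IKE/IPsec settings; an empty list means they are consistent."""
    a, b = parse_config(cfg_a), parse_config(cfg_b)
    findings = []
    # Phase 1: the two sides need at least one isakmp policy that agrees on every attribute.
    if not any(pa == pb for pa in a["policies"].values() for pb in b["policies"].values()):
        findings.append("no isakmp policy matches between %s and %s" % (addr_a, addr_b))
    # Each side must hold the same pre-shared key for the other side's address.
    if a["keys"].get(addr_b) is None or a["keys"].get(addr_b) != b["keys"].get(addr_a):
        findings.append("pre-shared keys for %s <-> %s are missing or differ" % (addr_a, addr_b))
    # Phase 2: crypto map entries that point at each other need a common transform set
    # and crypto ACLs that mirror each other (source and destination swapped).
    for ma in (m for m in a["maps"] if addr_b in m["peers"]):
        partners = [m for m in b["maps"] if addr_a in m["peers"]]
        if not partners:
            findings.append("%s has no crypto map entry with set peer %s" % (addr_b, addr_a))
        for mb in partners:
            sets_a = {a["transform_sets"].get(s) for s in ma["sets"]} - {None}
            sets_b = {b["transform_sets"].get(s) for s in mb["sets"]} - {None}
            if not sets_a & sets_b:
                findings.append("crypto map %s %s and %s %s share no transform set" % (ma["name"], ma["seq"], mb["name"], mb["seq"]))
            mirror_b = {(d, dw, s, sw) for (s, sw, d, dw) in b["acls"].get(mb["acl"], [])}
            if set(a["acls"].get(ma["acl"], [])) != mirror_b:
                findings.append("crypto ACL %s on %s is not the mirror of ACL %s on %s" % (ma["acl"], addr_a, mb["acl"], addr_b))
    return findings


if __name__ == "__main__":
    print(check_peers(R1_CONFIG, "10.1.1.1", R2_CONFIG, "10.1.1.2"))  # [] when both sides agree
    print(check_peers(R1_CONFIG, "10.1.1.1", R2_CONFIG.replace(" group 2", " group 1"), "10.1.1.2"))
```

Feed it the output of `show running-config` from each side; the parser only looks at the crypto and access-list lines, so the rest of the configuration is ignored.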

Displaying IPsec information
#show crypto isakmp sa
dst src state conn-id slot status
10.0.0.1 10.0.0.2 QM_IDLE 1 0 ACTIVE  //the two IPsec site IPs
ps: if no traffic has used IPsec yet, nothing is shown

Display the IPsec security-association settings
#show crypto ipsec sa

Display information on all IPsec sessions
#show crypto engine connections active
The output looks roughly like this:
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial1/0 10.0.0.1 set HMAC_SHA+3DES_56_C 0 0
2001 Serial1/0 10.0.0.1 set AES+SHA 28 0
2002 Serial1/0 10.0.0.1 set AES+SHA 0 0
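
The two outputs above are what an operator reads first when a tunnel misbehaves: the isakmp state tells whether phase 1 completed (QM_IDLE is the healthy steady state), and the per-SA Encrypt/Decrypt counters tell whether traffic flows in both directions. As an added example (not from the original notes), this Python snippet parses both outputs into records and flags the two common conditions: a phase 1 SA stuck in a state other than QM_IDLE, and IPsec SAs that encrypt outbound packets while nothing is ever decrypted, i.e. traffic leaves but the peer's return traffic never arrives. The sample text is constructed from the fragments shown above with an extra row; MM_NO_STATE is an IOS main-mode state meaning phase 1 did not complete. The split between IKE rows and IPsec SA rows uses the convention that IPsec SAs carry IDs from 2000 upwards in this output, which is an assumption of this example.

```python
# Constructed sample output, modelled on the fragments shown above (not captured from a device).
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id slot status
10.0.0.1        10.0.0.2        QM_IDLE              1    0 ACTIVE
10.0.0.1        10.0.0.3        MM_NO_STATE          2    0 ACTIVE
"""

ENGINE_OUTPUT = """\
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial1/0 10.0.0.1 set HMAC_SHA+3DES_56_C 0 0
2001 Serial1/0 10.0.0.1 set AES+SHA 28 0
2002 Serial1/0 10.0.0.1 set AES+SHA 0 0
"""

ISAKMP_READY = "QM_IDLE"   # phase 1 finished, quick mode idle: the healthy steady state
FIRST_IPSEC_ID = 2000      # assumption: rows with lower IDs are IKE SAs, higher ones IPsec SAs


def parse_table(text, columns):
    """Parse whitespace-separated IOS table output whose header line names exactly these columns."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines or lines[0].split() != columns:
        raise ValueError("unexpected header: %r" % (lines[0] if lines else ""))
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(columns):
            raise ValueError("cannot parse row: %r" % line)
        rows.append(dict(zip(columns, fields)))
    return rows


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as dicts keyed by the header names."""
    return parse_table(text, ["dst", "src", "state", "conn-id", "slot", "status"])


def parse_engine_connections(text):
    """Rows of 'show crypto engine connections active' as dicts keyed by the header names."""
    return parse_table(text, ["ID", "Interface", "IP-Address", "State", "Algorithm", "Encrypt", "Decrypt"])


def assess(isakmp_text, engine_text):
    """Return one finding per problem worth a look; an empty list means everything looks healthy."""
    findings = []
    for sa in parse_isakmp_sa(isakmp_text):
        if sa["state"] != ISAKMP_READY:
            findings.append("phase 1 with %s not complete (state %s): compare isakmp policy and pre-shared key"
                            % (sa["src"], sa["state"]))
    # IPsec SAs are unidirectional, so judge the pair: outbound encrypts, inbound decrypts.
    ipsec = [c for c in parse_engine_connections(engine_text) if int(c["ID"]) >= FIRST_IPSEC_ID]
    enc = sum(int(c["Encrypt"]) for c in ipsec)
    dec = sum(int(c["Decrypt"]) for c in ipsec)
    if ipsec and enc == 0 and dec == 0:
        findings.append("IPsec SAs exist but have carried no traffic yet")
    elif enc > 0 and dec == 0:
        findings.append("one-way traffic: %d packets encrypted, none decrypted; check the peer's crypto ACL and the return route" % enc)
    elif dec > 0 and enc == 0:
        findings.append("one-way traffic: %d packets decrypted, none encrypted; check the local crypto ACL and routing" % dec)
    return findings


if __name__ == "__main__":
    for finding in assess(ISAKMP_SA_OUTPUT, ENGINE_OUTPUT):
        print(finding)
```

On the sample above it reports two findings: the second isakmp row never got past main mode, and the IPsec SAs show 28 packets encrypted with nothing decrypted in return.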

Display the crypto map
#show crypto map
The output looks roughly like this:
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
 Description: Tunnel to 10.0.0.2
 Peer = 10.0.0.2
 Extended IP access list 100
  access-list 100 permit gre host 10.0.0.1 host 10.0.0.2
 Current peer: 10.0.0.2
 Security association lifetime: 4608000 kilobytes/3600 seconds
 PFS (Y/N): N
 Transform sets={
  TSHOOT-TRANSFORM,
 }
 Interfaces using crypto map SDM_CMAP_1:
  Serial1/0
  Tunnel0

Display the tunnel's state and information
#show interfaces tunnel <id>

……………………………………………………………………………………

Configuring GRE

Steps:

(config)# interface tunnel <tunnel-num>
(config-if)# ip address <ip mask>  //the tunnel's logical address
(config-if)# tunnel source <src-site-interface>  //the real source that handles the GRE traffic
(config-if)# tunnel destination <dst-site-ip>  //the real destination that handles the GRE traffic
dst-site-ip must be in the same subnet as the IP address on src-site-interface
GRE rules are applied to packets as they leave this tunnel interface
ps:
The tunnel source can also be a loopback:
(config)# interface loopback <loopback-num>
(config-if)# ip address <ip mask>

ex:
r1's loopback IP is 10.1.1.1, r2's loopback IP is 10.1.1.9
r1's GRE tunnel interface IP is 10.9.2.11
1
(config)# interface loopback 1
(config-if)# ip address 10.1.1.1 255.255.255.0
2
(config)# interface tunnel 9
(config-if)# ip address 10.9.2.1 255.255.255.255
(config-if)# tunnel source loopback 1
(config-if)# tunnel destination 10.1.1.9

ex:
R1 interfaces: eth0 10.1.1.1/24 (to the internal network), serial0 202.38.160.1/24 (to the Internet)
R2 interfaces: eth0 10.3.1.1/24 (to the internal network), serial0 192.15.135.80/24 (to the Internet)
R1 side
R1(config)# interface tunnel 0
R1(config-if)# ip address 10.2.1.1 255.255.255.0
R1(config-if)# tunnel source serial0
R1(config-if)# tunnel destination 192.15.135.80
R1(config)# ip route 10.3.1.0 255.255.255.0 10.2.1.2
R2 side
R2(config)# interface tunnel 0
R2(config-if)# ip address 10.2.1.2 255.255.255.0
R2(config-if)# tunnel source serial0
R2(config-if)# tunnel destination 202.38.160.1
R2(config)# ip route 10.1.1.0 255.255.255.0 10.2.1.1

ps:
The interface state for the example above looks like this
R1# sh ip int brie
Interface IP-Address OK? Method Status Protocol
Ethernet0 10.1.1.1 YES manual up up
Serial0 202.38.160.1 YES manual up up  //the real source that handles the GRE traffic
Tunnel0 10.2.1.1 YES manual up up  //the GRE tunnel's logical address

……………………………………………………………………………………………………. 

Configuring a GRE/IPsec tunnel

The packet structure is [IP for ipsec][ipsec][ [IP for gre][gre][original packet] ]
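
To make the nesting concrete, here is an added Python example (not part of the original notes) that builds the inner two layers of the structure above, [IP for gre][gre][original packet]: an outer IPv4 header carrying protocol 47 (GRE), the 4-byte GRE header of RFC 2784 with protocol type 0x0800 for an IPv4 payload, and the original packet, then strips and validates those layers again the way the receiving tunnel endpoint does before handing the inner packet to routing. The ESP layer is left out because it needs the keys negotiated by IKE. The outer addresses are the tunnel source and destination from the R1/R2 GRE example earlier; the inner packet is constructed for the demonstration.

```python
import socket
import struct

GRE_PROTO = 47           # IPv4 protocol number for GRE (what the outer "IP for gre" header carries)
ESP_PROTO = 50           # IPv4 protocol number for ESP (what the outermost IPsec header would carry)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload
GRE_HEADER_LEN = 4       # RFC 2784 header without optional checksum/key/sequence fields


def ipv4_checksum(header):
    """RFC 791 one's-complement sum of the header's 16-bit words; 0 when a header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0):
    """Build a minimal 20-byte IPv4 header (no options) with a correct checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def gre_encapsulate(tunnel_src, tunnel_dst, inner_packet):
    """What 'tunnel source'/'tunnel destination' do to a packet routed into the tunnel interface."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags and version 0, protocol type IPv4
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, GRE_HEADER_LEN + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet):
    """Validate the outer IPv4 and GRE headers; return (tunnel_src, tunnel_dst, inner_packet)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + GRE_HEADER_LEN:
        raise ValueError("outer header truncated")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + GRE_HEADER_LEN])
    if flags & 0xF000:  # C, R, K or S set: optional fields this example does not handle
        raise ValueError("GRE header with optional fields is not supported")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload type 0x%04x is not IPv4" % ptype)
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return src, dst, packet[ihl + GRE_HEADER_LEN:]


def sample_inner_packet():
    """Constructed inner packet: R1's LAN to R2's LAN with an 8-byte dummy payload (protocol 17)."""
    payload = b"\x00" * 8
    return ipv4_header("10.1.1.10", "10.3.1.10", 17, len(payload), ident=1) + payload


if __name__ == "__main__":
    inner = sample_inner_packet()
    wrapped = gre_encapsulate("202.38.160.1", "192.15.135.80", inner)
    print("GRE added %d bytes; outer proto %d" % (len(wrapped) - len(inner), wrapped[9]))
    print(gre_decapsulate(wrapped)[:2])
```

The 24 bytes GRE adds (20 for the outer IPv4 header, 4 for GRE) come off the path MTU before ESP adds its own overhead, which is why GRE/IPsec tunnel interfaces usually need a lower `ip mtu` or `ip tcp adjust-mss`.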

ex:
IKE: policy 1, pre-share authentication, isakmp key thisiskey
IPsec only permits 10.1.1.1/24 to 10.1.1.2/24; the IPsec VPN starts when that traffic enters r1's loopback1
The IPsec VPN's local site is 10.1.1.1 (loopback1), the remote site is 10.1.1.2 (loopback2)
r1's GRE tunnel9 interface IP is 192.168.1.1, r2's GRE tunnel9 interface IP is 192.168.1.2

1
IKE
r1(config)# crypto isakmp policy 1
r1(config-isakmp)# authentication pre-share
r1(config)# crypto isakmp key thisiskey address 10.1.1.2
2
IPsec
(config)# crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
(config)# crypto map is 10 ipsec-isakmp
(config-crypto-map)# set peer 10.1.1.2
(config-crypto-map)# set transform-set ts1
(config-crypto-map)# match address 101
(config)# access-list 101 permit ip 10.1.1.1 0.0.0.0 10.1.1.2 0.0.0.0
3
GRE and IPsec
3.1
(config)# interface tunnel 9
(config-if)# crypto map is
(config-if)# ip address 192.168.1.1 255.255.255.255
(config-if)# tunnel source loopback 1
(config-if)# tunnel destination 192.168.1.2
3.2
(config)# interface loopback 1
(config-if)# ip address 10.1.1.1 255.255.255.0