For the first time in my life I was forced to configure IPsec. I got it working, and I will show the configuration it takes. In my actual task it did not work, because on one of the routers I had to terminate the tunnel inside a VRF. Usually there is no VRF, though, so the config may still be useful.
Our topology is extremely complicated:
On both routers I bring up the Loopback addresses, advertise them into OSPF, and address the FastEthernet 0/0 interfaces.
R1
---
R1>en
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int lo0
R1(config-if)#ip add
*Mar 1 00:12:50.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config-if)#ip add 10.0.0.1 255.255.255.0
R1(config-if)#int f0/0
R1(config-if)#ip add 1.1.1.1 255.255.255.252
R1(config-if)#no shut
R1(config-if)#router ospf
*Mar 1 00:13:42.403: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:13:43.403: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#router ospf 1
R1(config-router)#network 10.0.0.0 0.0.0.255 area 0
R1(config-router)#^Z
R1#
Now R2:
R2
---
R2>en
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int f0/0
R2(config-if)#ip add 1.1.1.2 255.255.255.252
R2(config-if)#no shut
R2(config-if)#int lo0
R2(config-if)#
*Mar 1 00:15:31.275: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:15:32.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#ip add 20.
*Mar 1 00:15:33.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R2(config-if)#ip add 20.0.0.1 255.255.255.0
R2(config-if)#router ospf 1
R2(config-router)#net 20.0.0.0 0.0.0.255 a 0
R2(config-router)#^Z
R2#
*Mar 1 00:15:55.347: %SYS-5-CONFIG_I: Configured from console by console
R2#
OK, let's build the tunnels:
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int tun0
R1(config-if)#
*Mar 1 00:19:51.183: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip add 172.16.1.1 255.255.255.252
R1(config-if)#tunnel source f0/0
R1(config-if)#tunnel destination 1.1.1.2
R1(config-if)#
*Mar 1 00:21:06.715: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#^Z
And on R2:
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int tu0
R2(config-if)#
*Mar 1 00:20:21.923: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config-if)#ip add 172.16.1.2 255.255.255.252
R2(config-if)#tunnel source fa0/0
R2(config-if)#tunnel destination 1.1.1.1
R2(config-if)#
*Mar 1 00:20:59.591: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-if)#^Z
R2#
We still have to advertise the tunnel into OSPF:
R1(config)#router ospf 1
R1(config-router)#net 172.16.1.0 0.0.0.3 area 0
R1(config-router)#
*Mar 1 00:23:24.799: %OSPF-5-ADJCHG: Process 1, Nbr 20.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
And on R2:
R2(config)#router ospf 1
R2(config-router)#net 172.16.1.0 0.0.0.3 area 0
R2(config-router)#
*Mar 1 00:23:24.563: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
R2(config-router)#^Z
R2#
*Mar 1 00:23:25.931: %SYS-5-CONFIG_I: Configured from console by console
R2#
Let's see what R1 has in its routing table as OSPF routes:
R1#sh ip route ospf
20.0.0.0/32 is subnetted, 1 subnets
O 20.0.0.1 [110/11112] via 172.16.1.2, 00:00:54, Tunnel0
R1#
Great, that is what we wanted to see.
Only one thing left: the link has to be encrypted, so on to the IPsec configuration.
The base config:
crypto isakmp policy 1
authentication pre-share
crypto isakmp key 0 PASSWORD address IPADDRESS-OF-NEIGHBOR
!
!
crypto ipsec transform-set NAME esp-aes esp-sha-hmac
!
crypto ipsec profile NAME
set transform-set NAME
int tu0
tunnel mode ipsec ipv4
tunnel protection ipsec profile NAME
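Both peers have to agree on the pre-shared key and the transform set, the tunnel endpoints must mirror each other, and the isakmp key has to be bound to the address the tunnel points at. As an added example (not from the original post), a small Python checker that parses two constructed IOS fragments shaped like the template above and reports mismatches, plus two hygiene points the template leaves open: the key is entered as type 0 and the isakmp policy sets only the authentication method, leaving encryption, hash and DH group at platform defaults. The 16-character PSK threshold and the field names are my own choices.

```python
import re

def ios_fragment(local, peer, psk="fecogee", policy=" authentication pre-share"):
    """Constructed IOS crypto fragment shaped like the template above (not real device output)."""
    return (
        f"crypto isakmp policy 1\n{policy}\n"
        f"crypto isakmp key 0 {psk} address {peer}\n"
        "crypto ipsec transform-set fecogee esp-aes esp-sha-hmac\n"
        "crypto ipsec profile fecogee\n set transform-set fecogee\n"
        f"interface Tunnel0\n tunnel source {local}\n tunnel destination {peer}\n"
        " tunnel mode ipsec ipv4\n tunnel protection ipsec profile fecogee\n"
    )

def grab(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse_side(cfg):
    """Pull out the fields that must line up between two IPsec VTI peers."""
    return {
        "key_type": grab(r"^crypto isakmp key (\d+) ", cfg),
        "psk": grab(r"^crypto isakmp key \d+ (\S+) address", cfg),
        "key_peer": grab(r"^crypto isakmp key \d+ \S+ address (\S+)", cfg),
        "transform": grab(r"^crypto ipsec transform-set \S+ (.+)$", cfg),
        "src": grab(r"^ tunnel source (\S+)", cfg),
        "dst": grab(r"^ tunnel destination (\S+)", cfg),
        # ISAKMP policy parameters set explicitly; anything missing falls back to platform defaults
        "explicit": {k for k in ("encryption", "hash", "group") if re.search(rf"^ {k} ", cfg, re.M)},
    }

def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Return human-readable findings for a pair of peer configs (empty list = clean)."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    findings = [msg for cond, msg in (
        (a["psk"] != b["psk"], "pre-shared key differs between peers"),
        (a["transform"] != b["transform"], "transform-set proposals differ"),
        (a["dst"] != b["src"] or b["dst"] != a["src"], "tunnel endpoints are not mirrored"),
    ) if cond]
    for name, s in ((name_a, a), (name_b, b)):
        missing = {"encryption", "hash", "group"} - s["explicit"]
        findings += [msg for cond, msg in (
            (s["key_peer"] != s["dst"], f"{name}: isakmp key address {s['key_peer']} != tunnel destination {s['dst']}"),
            (s["key_type"] == "0", f"{name}: PSK entered as type 0 (stored in cleartext in the running config)"),
            (s["psk"] is not None and len(s["psk"]) < 16, f"{name}: PSK shorter than 16 characters"),
            (bool(missing), f"{name}: isakmp policy leaves {sorted(missing)} at platform defaults"),
        ) if cond]
    return findings

if __name__ == "__main__":
    print("\n".join(check_pair("R1", ios_fragment("1.1.1.1", "1.1.1.2"), "R2", ios_fragment("1.1.1.2", "1.1.1.1"))))
```

Run against the page's own values the checker reports no mismatch, but flags the type-0 key, the short key and the policy defaults on both routers.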
On R1:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)#crypto isakmp key 0 fecogee address 1.1.1.2
R1(config)#!
R1(config)#!
R1(config)#crypto ipsec transform-set fecogee esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#!
R1(cfg-crypto-trans)#crypto ipsec profile fecogee
R1(ipsec-profile)# set transform-set fecogee
R1(ipsec-profile)#
R1(ipsec-profile)#int tun0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile fecogee
R1(config-if)#
R1(config-if)#
*Mar 1 00:26:00.803: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar 1 00:26:00.807: %OSPF-5-ADJCHG: Process 1, Nbr 20.0.0.1 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
R1(config-if)#
*Mar 1 00:26:01.143: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#^Z
R1#
*Mar 1 00:26:03.067: %SYS-5-CONFIG_I: Configured from console by console
R1#
The OSPF adjacency dropped (the tunnel stays down until the other side is configured as well) and ISAKMP is "ON", which is what we want. The same on R2:
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#crypto isakmp policy 1
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)#crypto isakmp key 0 fecogee address 1.1.1.1
R2(config)#!
R2(config)#!
R2(config)#crypto ipsec transform-set fecogee esp-aes esp-sha-hmac
R2(cfg-crypto-trans)#!
R2(cfg-crypto-trans)#crypto ipsec profile fecogee
R2(ipsec-profile)# set transform-set fecogee
R2(ipsec-profile)#
R2(ipsec-profile)#int tun0
R2(config-if)#tunnel mode ipsec ipv4
R2(config-if)#tunnel protection ipsec profile fecogee
R2(config-if)#^Z
R2#
*Mar 1 00:30:04.507: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar 1 00:30:04.703: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar 1 00:30:05.227: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Mar 1 00:30:06.731: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2#
*Mar 1 00:30:09.207: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
R2#
OSPF is back up. Let's see what the router says about the tunnel:
R1#sh int tu0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.1.1/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 1.1.1.1 (FastEthernet0/0), destination 1.1.1.2
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "fecogee")
Last input 00:04:51, output 00:04:46, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
39 packets input, 3676 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
39 packets output, 3712 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
R1#