Konfiguráljunk IPSec-et!

Életemben most először voltam rákényszerítve, hogy IPSec-et konfiguráljak. Megoldottam, és be is mutatom, milyen konfiguráció kell hozzá. Nekem ez a feladatomnál nem működött, mert az egyik routeren vrf-ben kellett fogadnom a Tunnel-t. Viszont általában nincs vrf, és így hasznos lehet a konfig.

Topológiánk rendkívül bonyolult:

ipsec

A két routeren felhúzom a Loopback címeket, OSPF-be behirdetem őket, megcsinálom a FastEthernet 0/0 interface-k IP címzését.

R1
---

R1>en
 R1#conf t
 Enter configuration commands, one per line. End with CNTL/Z.
 R1(config)#int lo0
 R1(config-if)#ip add
 *Mar 1 00:12:50.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
 R1(config-if)#ip add 10.0.0.1 255.255.255.0
 R1(config-if)#int f0/0
 R1(config-if)#ip add 1.1.1.1 255.255.255.252
 R1(config-if)#no shut
 R1(config-if)#router ospf
 *Mar 1 00:13:42.403: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
 *Mar 1 00:13:43.403: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
 R1(config-if)#router ospf 1
 R1(config-router)#network 10.0.0.0 0.0.0.255 area 0
 R1(config-router)#^Z
 R1#

Nézzük R2-t:

R2
---

R2>en
 R2#conf t
 Enter configuration commands, one per line. End with CNTL/Z.
 R2(config)#int f0/0
 R2(config-if)#ip add 1.1.1.2 255.255.255.252
 R2(config-if)#no shut
 R2(config-if)#int lo0
 R2(config-if)#
 *Mar 1 00:15:31.275: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
 *Mar 1 00:15:32.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
 R2(config-if)#ip add 20.
 *Mar 1 00:15:33.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
 R2(config-if)#ip add 20.0.0.1 255.255.255.0
 R2(config-if)#router ospf 1
 R2(config-router)#net 20.0.0.0 0.0.0.255 a 0
 R2(config-router)#^Z
 R2#
 *Mar 1 00:15:55.347: %SYS-5-CONFIG_I: Configured from console by console
 R2#

Oké, csináljuk meg a Tunneleket:

 

Enter configuration commands, one per line. End with CNTL/Z.
 R1(config)#int tun0
 R1(config-if)#
 *Mar 1 00:19:51.183: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
 R1(config-if)#ip add 172.16.1.1 255.255.255.252
 R1(config-if)#tunnel source f0/0
 R1(config-if)#tunnel destination 1.1.1.2
 R1(config-if)#
 *Mar 1 00:21:06.715: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
 R1(config-if)#^Z

R2-n is:

R2#conf t
 Enter configuration commands, one per line. End with CNTL/Z.
 R2(config)#int tu0
 R2(config-if)#
 *Mar 1 00:20:21.923: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
 R2(config-if)#ip add 172.16.1.2 255.255.255.252
 R2(config-if)#tunnel source fa0/0
 R2(config-if)#tunnel destination 1.1.1.1
 R2(config-if)#
 *Mar 1 00:20:59.591: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
 R2(config-if)#^Z
 R2#

 

A tunnelt még bele kell hirdetnünk OSPF-be:

 

R1(config)#router ospf 1
 R1(config-router)#net 172.16.1.0 0.0.0.3 area 0
 R1(config-router)#
 *Mar 1 00:23:24.799: %OSPF-5-ADJCHG: Process 1, Nbr 20.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done

 

R2-n is:

 

R2(config)#router ospf 1
 R2(config-router)#net 172.16.1.0 0.0.0.3 area 0
 R2(config-router)#
 *Mar 1 00:23:24.563: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
 R2(config-router)#^Z
 R2#
 *Mar 1 00:23:25.931: %SYS-5-CONFIG_I: Configured from console by console
 R2#
 

 

Nézzük, mi van R1 route táblájában OSPF route-ként:

 

R1#sh ip route ospf
 20.0.0.0/32 is subnetted, 1 subnets
 O 20.0.0.1 [110/11112] via 172.16.1.2, 00:00:54, Tunnel0
 R1#

 

Király, ezt akartuk látni.
Már csak egy dolgunk van, hogy titkosított legyen a vonal, jöhet az IPSec konfiguráció.

Az alap konfig:

 

crypto isakmp policy 1
 authentication pre-share
 crypto isakmp key 0 PASSWORD address IPADDRESS-OF-NEIGHBOR
 !
 !
 crypto ipsec transform-set NAME esp-aes esp-sha-hmac
 !
 crypto ipsec profile NAME
 set transform-set NAME 
int tu0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NAME

 

R1-en:

 

R1#conf t
 Enter configuration commands, one per line. End with CNTL/Z.
 R1(config)#crypto isakmp policy 1
 R1(config-isakmp)# authentication pre-share
 R1(config-isakmp)#crypto isakmp key 0 fecogee address 1.1.1.2
 R1(config)#!
 R1(config)#!
 R1(config)#crypto ipsec transform-set fecogee esp-aes esp-sha-hmac
 R1(cfg-crypto-trans)#!
 R1(cfg-crypto-trans)#crypto ipsec profile fecogee
 R1(ipsec-profile)# set transform-set fecogee
 R1(ipsec-profile)#
 R1(ipsec-profile)#int tun0
 R1(config-if)#tunnel mode ipsec ipv4
 R1(config-if)#tunnel protection ipsec profile fecogee
 R1(config-if)#
 R1(config-if)#
 *Mar 1 00:26:00.803: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
 *Mar 1 00:26:00.807: %OSPF-5-ADJCHG: Process 1, Nbr 20.0.0.1 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
 R1(config-if)#
 *Mar 1 00:26:01.143: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
 R1(config-if)#^Z
 R1#
 *Mar 1 00:26:03.067: %SYS-5-CONFIG_I: Configured from console by console
 R1#

 

Szétesett az OSPF, és az ISAKMP “ON”, ez jó.

 

R2#conf t
 Enter configuration commands, one per line. End with CNTL/Z.
 R2(config)#crypto isakmp policy 1
 R2(config-isakmp)# authentication pre-share
 R2(config-isakmp)#crypto isakmp key 0 fecogee address 1.1.1.1
 R2(config)#!
 R2(config)#!
 R2(config)#crypto ipsec transform-set fecogee esp-aes esp-sha-hmac
 R2(cfg-crypto-trans)#!
 R2(cfg-crypto-trans)#crypto ipsec profile fecogee
 R2(ipsec-profile)# set transform-set fecogee
 R2(ipsec-profile)#
 R2(ipsec-profile)#int tun0
 R2(config-if)#tunnel mode ipsec ipv4
 R2(config-if)#tunnel protection ipsec profile fecogee
 R2(config-if)#^Z
 R2#
 *Mar 1 00:30:04.507: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
 *Mar 1 00:30:04.703: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
 *Mar 1 00:30:05.227: %SYS-5-CONFIG_I: Configured from console by console
 R2#
 *Mar 1 00:30:06.731: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
 R2#
 *Mar 1 00:30:09.207: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
 R2#

 

Összeállt az OSPF. Nézzük a Tunnelről mit mond a router:

 

R1#sh int tu0
 Tunnel0 is up, line protocol is up
 Hardware is Tunnel
 Internet address is 172.16.1.1/30
 MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation TUNNEL, loopback not set
 Keepalive not set
 Tunnel source 1.1.1.1 (FastEthernet0/0), destination 1.1.1.2
 Tunnel protocol/transport IPSEC/IP
 Tunnel TTL 255
 Fast tunneling enabled
 Tunnel transmit bandwidth 8000 (kbps)
 Tunnel receive bandwidth 8000 (kbps)
 Tunnel protection via IPSec (profile "fecogee")
 Last input 00:04:51, output 00:04:46, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
 Queueing strategy: fifo
 Output queue: 0/0 (size/max)
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
 39 packets input, 3676 bytes, 0 no buffer
 Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
 39 packets output, 3712 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 unknown protocol drops
 0 output buffer failures, 0 output buffers swapped out
 R1#

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.