Uploaded by Rafał Kubat

lab vpn

Configuring a VPN on CISCO routers
1. Build the network according to the topology diagram below:
2. Configure the routers' network interfaces:
◦ R1:
Router# config t
Router(config)# hostname R1
R1(config)# int f1/0
R1(config-if)# ip address 10.5.6.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
◦ R2:
Router# config t
Router(config)# hostname R2
R2(config)# int f1/0
R2(config-if)# ip address 10.5.6.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# int f1/1
R2(config-if)# ip address 14.15.16.1 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit
◦ R3:
Router# config t
Router(config)# hostname R3
R3(config)# int f1/0
R3(config-if)# ip address 14.15.16.2 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# exit
R3(config)# int f1/1
R3(config-if)# ip address 22.23.24.1 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# exit
◦ R4:
Router# config t
Router(config)# hostname R4
R4(config)# int f1/0
R4(config-if)# ip address 22.23.24.2 255.255.255.0
R4(config-if)# no shutdown
R4(config-if)# exit
R4(config)# int f1/1
R4(config-if)# ip address 172.23.9.1 255.255.255.0
R4(config-if)# no shutdown
R4(config-if)# exit
◦ R5:
Router# config t
Router(config)# hostname R5
R5(config)# int f1/0
R5(config-if)# ip address 172.23.9.2 255.255.255.0
R5(config-if)# no shutdown
R5(config-if)# exit
3. Configure static routes on the routers:
R1(config)# ip route 0.0.0.0 0.0.0.0 10.5.6.2
R2(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.2
R3(config)# ip route 14.15.16.0 255.255.255.0 14.15.16.1
R3(config)# ip route 22.23.24.0 255.255.255.0 22.23.24.2
R3(config)# ip route 10.5.6.0 255.255.255.0 14.15.16.1
R3(config)# ip route 172.23.9.0 255.255.255.0 22.23.24.2
R4(config)# ip route 0.0.0.0 0.0.0.0 22.23.24.1
R5(config)# ip route 0.0.0.0 0.0.0.0 172.23.9.1
Verify connectivity with the ping command.
4. Set the ISAKMP/IKE policy on routers R2 and R4:
R2(config)# crypto isakmp policy 5
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 28800
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# exit
R4(config)# crypto isakmp policy 5
R4(config-isakmp)# encryption 3des
R4(config-isakmp)# group 2
R4(config-isakmp)# hash sha
R4(config-isakmp)# lifetime 28800
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# exit
5. Set the pre-shared key for the VPN peers:
R2(config)# crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.2
R4(config)# crypto isakmp key hr5xb84l6aa9r6 address 14.15.16.1
6. IPsec transform-set settings:
R2(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
R2(cfg-crypto-trans)# exit
R4(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
R4(cfg-crypto-trans)# exit
7. Access lists for IPsec:
R2(config)# access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
R2(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.2
R4(config)# access-list 101 permit ip 172.23.9.0 0.0.0.255 10.5.6.0 0.0.0.255
R4(config)# ip route 0.0.0.0 0.0.0.0 22.23.24.1
8. Routes to the remote VPN networks:
R2(config)# ip route 172.23.9.0 255.255.255.0 14.15.16.2
R4(config)# ip route 10.5.6.0 255.255.255.0 22.23.24.1
9. Crypto map:
R2(config)# crypto map CISCO 10 ipsec-isakmp
R2(config-crypto-map)# set security-association lifetime seconds 3600
R2(config-crypto-map)# set transform-set STRONG
R2(config-crypto-map)# set pfs group2
R2(config-crypto-map)# set peer 22.23.24.2
R2(config-crypto-map)# match address 101
R2(config-crypto-map)# exit
R4(config)# crypto map CISCO 10 ipsec-isakmp
R4(config-crypto-map)# set security-association lifetime seconds 3600
R4(config-crypto-map)# set transform-set STRONG
R4(config-crypto-map)# set pfs group2
R4(config-crypto-map)# set peer 14.15.16.1
R4(config-crypto-map)# match address 101
R4(config-crypto-map)# exit
10. Bind the crypto map to the interface:
R2(config)# int f1/1
R2(config-if)# crypto map CISCO
R2(config-if)# exit
R4(config)# int f1/0
R4(config-if)# crypto map CISCO
R4(config-if)# exit
11. Bring up the tunnel and verify the configuration:
R1# ping
Protocol [ip]:
Target IP address: 172.23.9.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
R2# show crypto isakmp sa
R2# show crypto ipsec sa
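As an added example that is not part of the lab sheet, the following Python script checks that the two tunnel endpoints configured in steps 4 to 10 (R2 and R4) are mirror images of each other: identical ISAKMP policy attributes, identical transform set, each `set peer` pointing at the far side's crypto-map interface, and crypto ACLs that are reversed copies of one another. The sample configuration is constructed from the values on this page; the parser and the function names are my own, not IOS tooling.

```python
import re
# Constructed sample modelled on this lab sheet's R2/R4 configuration; in practice feed real "show running-config" output.
TEMPLATE = """\
crypto isakmp policy 5
 encryption 3des
 group 2
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map CISCO 10 ipsec-isakmp
 set peer {peer}
 set transform-set STRONG
 match address 101
access-list 101 permit ip {src} 0.0.0.255 {dst} 0.0.0.255
interface FastEthernet{port}
 ip address {local} 255.255.255.0
 crypto map CISCO
"""
R2_CONFIG = TEMPLATE.format(peer="22.23.24.2", src="10.5.6.0", dst="172.23.9.0", port="1/1", local="14.15.16.1")
R4_CONFIG = TEMPLATE.format(peer="14.15.16.1", src="172.23.9.0", dst="10.5.6.0", port="1/0", local="22.23.24.2")
def parse_vpn_config(config):
    """Pull the tunnel-relevant facts out of an IOS running-config snippet."""
    facts = {"policy": set(), "transform": None, "peer": None, "acl": None, "local": None}
    section, iface_ip = "", None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                    # unindented line opens a new section
            section = line
            if m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
                facts["transform"] = m.group(1)
            elif m := re.match(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", line):
                facts["acl"] = (m.group(1), m.group(2))
        elif section.startswith("crypto isakmp policy"):
            facts["policy"].add(line)                   # every phase-1 attribute must match
        elif section.startswith("crypto map") and (m := re.match(r"set peer (\S+)", line)):
            facts["peer"] = m.group(1)
        elif section.startswith("interface"):
            if m := re.match(r"ip address (\S+)", line):
                iface_ip = m.group(1)
            elif line.startswith("crypto map"):         # the interface the map is bound to
                facts["local"] = iface_ip
    return facts

def check_peers(a, b):
    # Each failed check is a reason the two ends would not negotiate a tunnel.
    checks = [
        (a["policy"] == b["policy"], "ISAKMP policy differs: " + ", ".join(sorted(a["policy"] ^ b["policy"]))),
        (a["transform"] == b["transform"], "transform-set differs"),
        (a["peer"] == b["local"] and b["peer"] == a["local"], "set peer does not match the far side's crypto-map interface"),
        (bool(a["acl"] and b["acl"]) and a["acl"] == b["acl"][::-1], "crypto ACLs are not mirror images"),
    ]
    return [msg for ok, msg in checks if not ok]
```

An empty list from check_peers() means the two sides agree; any entry names the mismatch to fix before re-running show crypto isakmp sa.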