TP4 - IPsec VPN Site to Site

Lab objective: configure the IPsec parameters on the routers, verify the IPsec VPN and test it with Packet Tracer.

I. Download the file vpn 1.pkt, open it in Packet Tracer and try the commands on R1.

1. Test connectivity between the PCs and the routers.

2. Configure the ISAKMP Phase 1 properties on router R1.

   Router(config)#crypto isakmp enable                       <=== enable IPsec
   Router(config)#crypto isakmp policy 1                     <=== create a new policy with number 1
   Router(config-isakmp)#authentication pre-share            <=== use the shared-key authentication method (with certificates, use rsa-sig instead of pre-share)
   Router(config-isakmp)#encryption aes                      <=== use the symmetric cipher AES
   Router(config-isakmp)#hash sha                            <=== use the hash algorithm SHA for data integrity
   Router(config-isakmp)#group 2                             <=== use Diffie-Hellman group 2
   Router(config-isakmp)#exit
   Router(config)#crypto isakmp key 0 address 11.0.0.1 0.0.0.0   <=== 0 is the key that will be used with the next site, whose IP address is 11.0.0.1; note that in Packet Tracer you use 0.0.0.0 instead of the subnet mask

   A key of 0 is only a lab placeholder: outside the lab, use a long random pre-shared key (or rsa-sig) and configure the same value on both peers.

3. Configure the ISAKMP Phase 2 properties on router R1.

   Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac   <=== create a transform set called yasser; ESP is the protocol that will be used (AH can be used on an internal VPN)
   Router(config)#crypto ipsec security-association lifetime seconds 86400   <=== the key expires after 86400 seconds
   Router(config)#ip access-list extended ramzy              <=== ACL called ramzy, which selects the traffic that will use the VPN tunnel
   Router(config-ext-nacl)#permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
   Router(config-ext-nacl)#exit
   Router(config)#crypto map auda 100 ipsec-isakmp           <=== create a crypto map called auda with sequence number 100
   % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
   Router(config-crypto-map)#match address ramzy             <=== link the ACL above to this crypto map
   Router(config-crypto-map)#set peer 11.0.0.1               <=== link the next site's IP address to this crypto map
   Router(config-crypto-map)#set pfs group2                  <=== link DH group 2 to this crypto map
   Router(config-crypto-map)#set transform-set yasser        <=== link the transform set above to this crypto map
   Router(config-crypto-map)#ex

4. Apply the crypto map to the outgoing interface.

   Router(config)#int fa 0/1                                 <=== the interface facing the next site's link
   Router(config-if)#crypto map auda                         <=== apply crypto map auda to the interface
   *Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
   Router(config-if)#do wr
   Building configuration...
   [OK]
   Router(config-if)#^Z
   Router#

II. Fill in the ISAKMP phase tables and apply the parameters you want to predefine on router R0.

a) ISAKMP Phase 1 parameters.

   Parameter                                    | R1 | R0
   ---------------------------------------------|----|----
   Key distribution method (Manual or ISAKMP)   |    |
   Encryption algorithm (DES, 3DES, or AES)     |    |
   Hashing algorithm (MD5 or SHA-1)             |    |
   Authentication method (Pre-shared keys or RSA)|    |
   Key exchange (DH Group 1, 2 or 5)            |    |
   IKE SA Lifetime (86400 seconds or less)      |    |
   ISAKMP Key                                   |    |

b) ISAKMP Phase 2 parameters.

   Parameter                                    | R1 | R0
   ---------------------------------------------|----|----
   Transform Set                                |    |
   Peer Hostname                                |    |
   Peer IP Address                              |    |
   Network to be encrypted                      |    |
   Crypto Map name                              |    |
   SA Establishment                             |    |

c) Carry out the same steps to configure the parameters on R0.

III. IPsec VPN verification. Verify the IPsec VPN tunnel with the following commands and note the results.

   Router#show crypto isakmp policy
   Router#show crypto isakmp sa
   Router#show crypto map
   Router#sh crypto ipsec transform-set