TP4 - IPsec VPN Site to Site

Lab objective: configure the IPsec parameters on the routers, verify the IPsec VPN and test it with Packet Tracer.

I. Download the file vpn 1.pkt, open it in Packet Tracer and test the commands on R1.

1. Test the connectivity between the PCs and the routers.

2. Configure the ISAKMP Phase 1 properties on router R1.

Router(config)#crypto isakmp enable
    <=== enable IPsec (ISAKMP)
Router(config)#crypto isakmp policy 1
    <=== create a new policy with number 1
Router(config-isakmp)#authentication pre-share
    <=== use the pre-shared key authentication method (with certificates, use rsa-sig instead of pre-share)
Router(config-isakmp)#encryption aes
    <=== use the symmetric encryption algorithm AES
Router(config-isakmp)#hash sha
    <=== use the hash algorithm SHA for data integrity
Router(config-isakmp)#group 2
    <=== use Diffie-Hellman group 2
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 address 11.0.0.1 0.0.0.0
    <=== 0 is the key that will be used with the next site, whose IP address is 11.0.0.1; note that on Packet Tracer you use 0.0.0.0 instead of the subnet mask
3. Configure the ISAKMP Phase 2 properties on router R1.

Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac
    <=== create a transform set called yasser; ESP is the protocol that will be used (you can use AH on an internal VPN)
Router(config)#crypto ipsec security-association lifetime seconds 86400
    <=== the key expires after 86400 seconds
Router(config)#ip access-list extended ramzy
    <=== ACL called ramzy to tell which traffic will use the VPN tunnel
Router(config-ext-nacl)#permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp
    <=== create a crypto map called auda with sequence number 100
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy
    <=== link the ACL above to this crypto map
Router(config-crypto-map)#set peer 11.0.0.1
    <=== link the next site's IP address to this crypto map
Router(config-crypto-map)#set pfs group2
    <=== link DH group 2 to this crypto map
Router(config-crypto-map)#set transform-set yasser
    <=== link the transform set above to this crypto map
Router(config-crypto-map)#ex
4. Configure the crypto map on the outgoing interface.

Router(config)#int fa 0/1
    <=== the interface facing the next site link
Router(config-if)#crypto map auda
    <=== apply crypto map auda to the interface facing the next site link
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#do wr
Building configuration...
[OK]
Router(config-if)#^Z
Router#
II. Fill in the ISAKMP phase tables and work out the parameters you want to predefine on router R0.

a) ISAKMP Phase 1 parameters

Parameter               | Options                   | R1 | R0
------------------------|---------------------------|----|---
Key distribution method | Manual or ISAKMP          |    |
Encryption algorithm    | DES, 3DES, or AES         |    |
Hashing algorithm       | MD5 or SHA-1              |    |
Authentication method   | Pre-shared keys or RSA    |    |
Key exchange            | DH Group 1, 2 or 5        |    |
IKE SA Lifetime         | 86400 seconds or less     |    |
ISAKMP Key              |                           |    |

b) ISAKMP Phase 2 parameters

Parameter               | R1 | R0
------------------------|----|---
Transform Set           |    |
Peer Hostname           |    |
Peer IP Address         |    |
Network to be encrypted |    |
Crypto Map name         |    |
SA Establishment        |    |

c) Carry out the same steps to configure the parameters on R0.
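The tables above only have a point if both peers end up with the same Phase 1 and Phase 2 values, and part c) asks for R1's steps to be repeated on R0 with the peer and ACL reversed. As an added example that is not part of the lab, the Python below models the two sites, lists the attributes that differ between them, and emits the mirrored IOS commands for either side from the other's values; R1's outside address 11.0.0.2 is assumed, since the lab only gives R0's 11.0.0.1.

```python
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    outside_ip: str        # address of the interface that carries the crypto map
    local_net: str         # protected network in ACL "address wildcard" form
    encryption: str = "aes"
    hash_alg: str = "sha"
    auth: str = "pre-share"
    dh_group: int = 2
    psk: str = "0"         # pre-shared key as used in the lab
    transform: tuple = ("esp-aes", "esp-sha-hmac")
    pfs_group: int = 2
    sa_lifetime: int = 86400   # IPsec SA lifetime; negotiated down, so it need not match

# Attributes that must agree on both peers or no SA is built:
PHASE1 = ("encryption", "hash_alg", "auth", "dh_group", "psk")   # ISAKMP policy + key
PHASE2 = ("transform", "pfs_group")                               # transform set + PFS

def mismatches(a: Site, b: Site, fields=PHASE1 + PHASE2) -> list:
    """Names of the attributes that differ between the two peers."""
    return [f for f in fields if getattr(a, f) != getattr(b, f)]

def mirror_config(local: Site, remote: Site, ts="yasser", acl="ramzy", cmap="auda") -> list:
    """IOS commands for `local`, following the lab's R1 steps: key and crypto-map peer
    point at the remote outside address; the crypto ACL mirrors the remote side's."""
    return [
        "crypto isakmp enable",
        "crypto isakmp policy 1",
        f" authentication {local.auth}",
        f" encryption {local.encryption}",
        f" hash {local.hash_alg}",
        f" group {local.dh_group}",
        f"crypto isakmp key {local.psk} address {remote.outside_ip} 0.0.0.0",
        f"crypto ipsec transform-set {ts} {' '.join(local.transform)}",
        f"crypto ipsec security-association lifetime seconds {local.sa_lifetime}",
        f"ip access-list extended {acl}",
        f" permit ip {local.local_net} {remote.local_net}",
        f"crypto map {cmap} 100 ipsec-isakmp",
        f" match address {acl}",
        f" set peer {remote.outside_ip}",
        f" set pfs group{local.pfs_group}",
        f" set transform-set {ts}",
    ]

# Constructed sites: R1's outside address 11.0.0.2 is assumed (the lab gives only R0's).
R1 = Site("R1", "11.0.0.2", "12.0.0.0 0.255.255.255")
R0 = Site("R0", "11.0.0.1", "10.0.0.0 0.255.255.255")
```

`mirror_config(R0, R1)` prints R0's side of the tunnel with the ACL reversed to 10.0.0.0 -> 12.0.0.0 and the peer set to R1, and `mismatches(R1, R0)` is empty only when the two Phase 1 and Phase 2 rows of the tables agree.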
III. IPsec VPN verification. Verify the IPsec VPN tunnel with the following commands and note the results.

Router#show crypto isakmp policy
Router#show crypto isakmp sa
Router#show crypto map
Router#sh crypto ipsec transform-set