! Site-To-Site IPSec VPN Cisco. VPN , (, ). VPN , , .

Merion Academy


Site-To-Site IPSec VPN

, Cisco VPN - IP Security (IPSec) . , Cisco IP-.

ISAKMP (Internet Security Association and Key Management Protocol) IPSec VPN-. ISAKMP, IKE (Internet Key Exchange) , (negotiation protocol), , IPsec. ISAKMP : 1 2.

1 , ISAKMP. 2 , . IPSec , .


IPSec VPN

:

  1. ISAKMP ( 1 ISAKMP)
  2. IPSec ( 2 ISAKMP, ACL, Crypto MAP)

, , IP-, . 1 10.10.10.0/24, 2 20.20.20.0/24. , LAN - .

 Site-To-Site IPSec VPN-

ISAKMP (IKE) - ISAKMP Phase 1

IKE SA (Security Association) IPsec. , IKE SA (ISAKMP SA) (peer).

R1 . ISAKMP Phase 1:

R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400

:

  • 3DES - , 1
  • MD5 -
  • Pre-Share - (PSK)
  • Group 2 - -,
  • 86400 - . ( ), . .

, ISAKMP Phase 1 . , ISAKMP Phase 1 ( ), , VPN- , , .

Pre-Shared ( R2) :

R1(config)# crypto isakmp key merionet address 1.1.1.2

Pre-Shared merionet, IP- - 1.1.1.2. , R1 VPN- R2 (1.1.1.2), .


IPSec 4

IPSec :

  • ACL
  • IPSec Transform
  • (Crypto Map)
  • (public)

.


1: ACL

access-list ( Extended ACL ) VPN-. 10.10.10.0/24 20.20.20.0/24. crypto access-list interesting traffic access-list.

R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

2: IPSec Transform

(Transform Set), . TS.

R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac

:

  • ESP-3DES -
  • MD5 -

3: Crypto Map

Crypto Map ISAKMP IPSec:

R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC

CMAP. ipsec-isakmp , IPsec. (1.1.1.2) , .


4:

- , . FastEthernet 0/1.

R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP

, .

, , , isakmp : ISAKMP is ON.

IPSec VPN 1.

2 VPN. R2 , IP- ACL.

R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400

R2(config)# crypto isakmp key merionet address 1.1.1.1
R2(config)# ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255

R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TS
R2(config-crypto-map)# match address VPN-TRAFFIC

R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map CMAP

(NAT) VPN- IPSec

(NAT), , . VPN- Site-To-Site NAT (deny NAT) , VPN.

, deny NAT, :

:

R1(config)# ip nat inside source list 100 interface fastethernet0/1 overload
R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any

:

R2(config)# ip nat inside source list 100 interface fastethernet0/1 overload
R2(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R2(config)# access-list 100 permit ip 20.20.20.0 0.0.0.255 any
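As an added example (not code from the article or from Merion Academy), the following Python checker reads the R1 and R2 configuration lines above and verifies the three points on which a site-to-site tunnel most often fails: the pre-shared key is bound to the same address the crypto map peers with, the two crypto ACLs are mirror images of each other, and the NAT ACL denies the VPN flow before its permit ... any entry. The configuration text is embedded as constructed sample input; only the lines the checks read are kept.

```python
import re

# Constructed samples: the article's R1 and R2 crypto and NAT lines, cut down to what the checks read.
R1 = """crypto isakmp key merionet address 1.1.1.2
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 match address VPN-TRAFFIC
ip nat inside source list 100 interface fastethernet0/1 overload
access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any"""
R2 = """crypto isakmp key merionet address 1.1.1.1
ip access-list extended VPN-TRAFFIC
 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 match address VPN-TRAFFIC
ip nat inside source list 100 interface fastethernet0/1 overload
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 20.20.20.0 0.0.0.255 any"""

# One ACL entry: action, source, source wildcard, destination, destination wildcard (None for "any").
ACE = re.compile(r"(permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?$")

def named_acl(cfg, name):  # entries of a named extended ACL: the indented lines under its header
    body = re.search(rf"^ip access-list extended {re.escape(name)}\n((?: .*\n?)+)", cfg, re.M)
    return [ACE.search(line).groups() for line in body.group(1).splitlines()]

def crypto_flow(cfg):  # first entry of the ACL the crypto map matches on (the interesting traffic)
    return named_acl(cfg, re.search(r"match address (\S+)", cfg).group(1))[0]

def check_site_to_site(local, remote):
    """Audit one side of the tunnel against the other; an empty list means every check passed."""
    findings = []
    peer = re.search(r"set peer (\S+)", local).group(1)
    psk_addr = re.search(r"crypto isakmp key \S+ address (\S+)", local).group(1)
    if peer != psk_addr:  # IKE would look up the pre-shared key for the wrong address
        findings.append(f"PSK is bound to {psk_addr} but the crypto map peers with {peer}")
    _, src, swc, dst, dwc = crypto_flow(local)
    if crypto_flow(remote)[1:] != (dst, dwc, src, swc):  # both crypto ACLs must mirror each other
        findings.append("remote crypto ACL is not the mirror image of the local one")
    nat_list = re.search(r"ip nat inside source list (\d+)", local).group(1)
    nat = [ACE.search(line).groups() for line in local.splitlines()
           if line.startswith(f"access-list {nat_list} ")]
    # First match wins: the entry that catches the VPN flow has to be the deny, not the permit ... any.
    hit = next((a for a in nat if a[1] == src and a[3] in (dst, "any")), None)
    if hit is None or hit[0] != "deny":
        findings.append("NAT ACL translates the VPN flow; deny it before the permit")
    return findings
```

For the two configurations shown in the article, `check_site_to_site(R1, R2)` and `check_site_to_site(R2, R1)` both return an empty list; dropping the NAT deny line or changing only one side's peer address produces a finding.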

VPN- IPSec

, VPN- . VPN-, VPN, , - :

R1# ping 20.20.20.1 source fastethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/47/48 ms

- icmp (ping) -, , . , VPN-, 2 , .

VPN-, show crypto session:

R1# show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 1.1.1.2 port 500
  IKE SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
        Active SAs: 2, origin: crypto map

! Site-To-Site IPSEC VPN Cisco!

