Site-to-site (ASA-Router)

Lab objective: build an IPsec site-to-site VPN with a pre-shared key between an ASA (or PIX) and a router, and compare what is the same and what differs when the VPN is configured on the ASA versus on the router.

Lab topology (as read from the configs below; the original diagram is not in this copy): PIX inside 192.168.1.0/24 (Ethernet1, 192.168.1.10) -- PIX outside 101.0.0.2 -- ISP (Fa0/0 101.0.0.1, Fa0/1 102.0.0.1) -- R2 Fa0/0 102.0.0.2, with R2's Loopback2 172.16.1.0/24 playing the remote LAN.

PIX (or ASA)

Code:
PIX# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname PIX
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 101.0.0.2 255.0.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list mangbaove extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 101.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 match address mangbaove
crypto map mymap 10 set peer 102.0.0.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group 102.0.0.2 type ipsec-l2l
tunnel-group 102.0.0.2 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:d242d7a4aeb945878985b984c431bf62
: end
PIX#

(show run masks the pre-shared key; the key used in this lab is 123.)

The tunnel-group type for a LAN-to-LAN peer is ipsec-l2l:

Code:
PIX(config)# tunnel-group 102.0.0.2 type ?

configure mode commands/options:
  ipsec-l2l      IPSec Site to Site group
  ipsec-ra       IPSec Remote Access group (DEPRECATED)
  remote-access  Remote access (IPSec) group
PIX(config)# tunnel-group 102.0.0.2 type ipsec-l2l

Code:
PIX# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 101.0.0.1 to network 0.0.0.0

C    101.0.0.0 255.0.0.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 101.0.0.1, outside

Have a client on the inside send the initial (interesting) traffic: the tunnel is only negotiated when a packet matches the crypto ACL, so nothing appears in show crypto isakmp sa until then.

Router R2

Code:
R2#sh run
Building configuration...

Current configuration : 1156 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123 address 101.0.0.2
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 101.0.0.2
 set transform-set myset
 match address 101
 reverse-route
!
interface Loopback1
 ip address 2.2.2.2 255.0.0.0
!
interface Loopback2
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 102.0.0.2 255.0.0.0
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 102.0.0.1
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

Code:
R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 102.0.0.1 to network 0.0.0.0

C    102.0.0.0/8 is directly connected, FastEthernet0/0
C    2.0.0.0/8 is directly connected, Loopback1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Loopback2
S    192.168.1.0/24 [1/0] via 101.0.0.2
S*   0.0.0.0/0 [1/0] via 102.0.0.1

The static route to 192.168.1.0/24 via 101.0.0.2 is not typed in anywhere: it is injected by reverse-route on the crypto map (reverse route injection) from the destination side of access-list 101.

ISP

Code:
ISP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    102.0.0.0/8 is directly connected, FastEthernet0/1
C    101.0.0.0/8 is directly connected, FastEthernet0/0

Code:
ISP#sh run
Building configuration...

Current configuration : 637 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
interface FastEthernet0/0
 ip address 101.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 102.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end

ASA versus router, from the two configs above. Same on both sides: one transform-set (esp-3des esp-sha-hmac), one crypto map entry that names the peer, the transform-set and a match ACL, and the map applied to the outside interface. The differences are in syntax and in where the pre-shared key lives. The ASA needs crypto isakmp enable outside before it will answer IKE on that interface; a router does not. The ASA keeps the key under tunnel-group <peer> ipsec-attributes / pre-shared-key, and the tunnel-group must be of type ipsec-l2l; the router keeps it in crypto isakmp key 123 address <peer>. The ASA crypto ACL is a named extended ACL with subnet masks (192.168.1.0 255.255.255.0), the router's is a numbered ACL with wildcard masks (172.16.1.0 0.0.0.255), and each side's ACL must be the exact mirror of the other's or Phase 2 fails on proxy identity. The ASA ISAKMP policy spells out encryption and hash; IOS shows encr and takes hash sha and lifetime 86400 as defaults. Finally, the router's reverse-route gives it a route for the far LAN; the ASA relies on its default route outside 0.0.0.0 0.0.0.0 101.0.0.1.

Everything here is lab-grade: ESP with 3DES, SHA-1, DH group 2 and the pre-shared key 123. The same configuration in production should use AES, DH group 14 or stronger, and a long random pre-shared key (or certificates); show run hides the key on the ASA but shows it in clear on the router unless service password-encryption or a key-chain is used.

Link http://www.4shared.com/file/21297684 sa-router.html

Site-to-site VPN (Router-Router)

Topology (as read from the configs below): R1 takes the place of the PIX with the same addresses (Fa0/1 192.168.1.10 on LAN 192.168.1.0/24, Fa0/0 101.0.0.2), the ISP router is unchanged, and R3 takes the place of R2 (Fa0/0 102.0.0.2, Loopback2 172.16.1.1/24).

Code:
R3#ping 192.168.1.10 source 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/69/136 ms

The first echo is lost while IKE negotiates the SAs; the remaining four go through the tunnel. Phase 1 is now up (QM_IDLE / ACTIVE):

Code:
R3#sh crypto isakmp sa
dst             src             state          conn-id slot status
101.0.0.2       102.0.0.2       QM_IDLE              1    0 ACTIVE

Code:
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 102.0.0.1 to network 0.0.0.0

C    102.0.0.0/8 is directly connected, FastEthernet0/0
C    2.0.0.0/8 is directly connected, Loopback1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Loopback2
S*   0.0.0.0/0 [1/0] via 102.0.0.1

R1 configuration

Code:
R1#sh run
Building configuration...

Current configuration : 1087 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123 address 102.0.0.2
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 102.0.0.2
 set transform-set myset
 match address 101
 reverse-route
!
interface FastEthernet0/0
 ip address 101.0.0.2 255.0.0.0
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 ip address 192.168.1.10 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 101.0.0.1
!
ip http server
no ip http secure-server
!
ip access-list extended protected
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end

Code:
R1#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 101.0.0.1 to network 0.0.0.0

C    101.0.0.0/8 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 101.0.0.1

R3

Code:
R3#sh run
Building configuration...

Current configuration : 1149 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123 address 101.0.0.2
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 101.0.0.2
 set transform-set myset
 match address 101
 reverse-route
!
interface Loopback1
 ip address 2.2.2.2 255.0.0.0
!
interface Loopback2
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 102.0.0.2 255.0.0.0
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 102.0.0.1
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end

Code:
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 102.0.0.1 to network 0.0.0.0

C    102.0.0.0/8 is directly connected, FastEthernet0/0
C    2.0.0.0/8 is directly connected, Loopback1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Loopback2
S*   0.0.0.0/0 [1/0] via 102.0.0.1

ISP

Code:
ISP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    102.0.0.0/8 is directly connected, FastEthernet0/1
C    101.0.0.0/8 is directly connected, FastEthernet0/0

Code:
ISP#sh ip int br
Interface          IP-Address      OK? Method Status  Protocol
FastEthernet0/0    101.0.0.1       YES manual up      up
FastEthernet0/1    102.0.0.1       YES manual up      up

Link http://www.4shared.com/file/21297961 N_Router_.html
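Both labs above stand or fall on the two ends being mirrors of each other: peer addresses cross-referenced, crypto ACLs reversed, the same transform-set, an ISAKMP policy that agrees on encryption/hash/authentication/DH group, and the same pre-shared key. The script below is an added example, not part of the lab or of Cisco's tooling: it parses the crypto-relevant lines in ASA/PIX syntax (named ACL with subnet masks, tunnel-group key, crypto map one statement per line) and in IOS syntax (numbered ACL with wildcard masks, crypto isakmp key, indented crypto map block) and runs those checks. The sample configs are constructed from the lab's PIX and R2 output; the PSK is written in clear as the lab states (key = 123) and the PIX policy number 10 is an assumption, since the number did not survive in this copy.

```python
# Added example (not part of the lab): parse the crypto-relevant lines of an
# ASA/PIX and an IOS config and check that the two peers mirror each other.
# Sample input is constructed from the lab's PIX and R2 configs; the PSK is
# written in clear as the lab states (key = 123), policy number 10 is assumed.
import ipaddress

PIX_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 101.0.0.2 255.0.0.0
access-list mangbaove extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 match address mangbaove
crypto map mymap 10 set peer 102.0.0.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 102.0.0.2 ipsec-attributes
 pre-shared-key 123
"""

R2_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123 address 101.0.0.2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 101.0.0.2
 set transform-set myset
 match address 101
interface FastEthernet0/0
 ip address 102.0.0.2 255.0.0.0
 crypto map mymap
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def _net(addr, mask, wildcard):
    if wildcard:  # IOS ACLs use wildcard masks; invert to a subnet mask
        mask = str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _map_cmd(entry, t):  # crypto map sub-commands (ASA: one per line, IOS: indented)
    if t[:2] == ["set", "peer"]: entry["peer"] = t[2]
    elif t[:2] == ["set", "transform-set"]: entry["tset"] = t[2]
    elif t[:2] == ["match", "address"]: entry["acl"] = t[2]

def parse_peer(cfg):
    p = {"ifaces": {}, "acls": {}, "tsets": {}, "maps": {}, "policies": [], "psk": {}, "map_if": None}
    kind, obj = None, None
    for line in filter(str.strip, cfg.splitlines()):
        t = line.split()
        if line[0] == " ":  # indented: belongs to the block opened just above
            if kind == "iface":
                if t[:2] == ["ip", "address"]: obj["ip"] = t[2]
                elif t[0] == "nameif": obj["nameif"] = t[1]
                elif t[:2] == ["crypto", "map"]: obj["map"] = t[2]
            elif kind == "policy":  # ASA writes "encryption", IOS abbreviates to "encr"
                k = {"encr": "encr", "encryption": "encr", "hash": "hash",
                     "authentication": "auth", "group": "group"}.get(t[0])
                if k: obj[k] = int(t[1]) if k == "group" else t[1]
            elif kind == "map": _map_cmd(obj, t)
            elif kind == "tg" and t[0] == "pre-shared-key": p["psk"][obj] = t[1]
            continue
        kind, obj = None, None
        if t[0] == "interface": kind, obj = "iface", p["ifaces"].setdefault(t[1], {})
        elif t[:3] == ["crypto", "isakmp", "policy"]:  # start from IOS defaults; ASA lists all fields
            kind, obj = "policy", {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": 1}
            p["policies"].append(obj)
        elif t[:3] == ["crypto", "isakmp", "key"]: p["psk"][t[5]] = t[3]  # key KEY address PEER
        elif t[:3] == ["crypto", "ipsec", "transform-set"]: p["tsets"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface": p["map_if"] = t[4]  # ASA binding
        elif t[:2] == ["crypto", "map"]:
            entry = p["maps"].setdefault((t[2], t[3]), {})
            if t[4] == "ipsec-isakmp": kind, obj = "map", entry
            else: _map_cmd(entry, t[4:])
        elif t[0] == "access-list" and "permit" in t:  # subnet/wildcard form only (no host/any)
            s, sm, d, dm = t[t.index("permit") + 2:][:4]
            wc = "extended" not in t
            p["acls"].setdefault(t[1], set()).add((_net(s, sm, wc), _net(d, dm, wc)))
        elif t[0] == "tunnel-group" and t[2] == "ipsec-attributes": kind, obj = "tg", t[1]
    return p

def local_ip(p):  # address of the interface that carries the crypto map
    for i in p["ifaces"].values():
        if "map" in i or (p["map_if"] and i.get("nameif") == p["map_if"]): return i.get("ip")

def check_mirror(cfg_a, cfg_b, name_a="A", name_b="B"):
    a, b = parse_peer(cfg_a), parse_peer(cfg_b)
    ip_a, ip_b = local_ip(a), local_ip(b)
    errors, warnings = [], []
    for side, p, remote in ((name_a, a, ip_b), (name_b, b, ip_a)):
        for (mname, seq), m in p["maps"].items():
            if m.get("peer") != remote:
                errors.append(f"{side}: crypto map {mname} {seq} peers with {m.get('peer')}, expected {remote}")
    key = a["psk"].get(ip_b)
    if key is None or key != b["psk"].get(ip_a): errors.append("pre-shared key missing or differs")
    elif len(key) < 16: warnings.append(f"pre-shared key is only {len(key)} chars")
    # Phase 2 proxy identities: A's (src, dst) pairs must be exactly B's (dst, src) pairs
    pairs_a = {pr for m in a["maps"].values() for pr in a["acls"].get(m.get("acl"), ())}
    pairs_b = {pr for m in b["maps"].values() for pr in b["acls"].get(m.get("acl"), ())}
    if pairs_a != {(d, s) for s, d in pairs_b}:
        errors.append(f"crypto ACLs are not mirrors: {name_a}={[f'{s}->{d}' for s, d in pairs_a]} "
                      f"{name_b}={[f'{s}->{d}' for s, d in pairs_b]}")
    ts = ({a["tsets"].get(m.get("tset")) for m in a["maps"].values()}
          & {b["tsets"].get(m.get("tset")) for m in b["maps"].values()}) - {None}
    if not ts: errors.append("no common IPsec transform-set (Phase 2 proposal mismatch)")
    elif any(x & {"esp-des", "esp-3des", "esp-md5-hmac"} for x in ts):
        warnings.append("transform-set uses legacy 3DES/DES/MD5")
    common = [pa for pa in a["policies"] for pb in b["policies"] if pa == pb]  # lifetime may differ
    if not common: errors.append("no ISAKMP policy agrees on encr/hash/auth/group (Phase 1 will fail)")
    elif all(c["group"] < 14 for c in common):
        warnings.append(f"ISAKMP uses DH group {common[0]['group']} (below 2048-bit group 14)")
    return {"errors": errors, "warnings": warnings}
```

Run check_mirror(PIX_CONFIG, R2_CONFIG, "PIX", "R2") and the lab passes with no errors but three warnings (3DES, DH group 2, a 3-character key); change one octet in R2's access-list 101 and the ACL-mirror error appears, which is exactly the mismatch that leaves show crypto isakmp sa at QM_IDLE while no data ever flows.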