
2.4. Lab: Configuring a site-to-site IPsec VPN

The lab topology is as follows:

http://img840.imageshack.us/img840/3568/image044j.jpg (http://img840.imageshack.us/i/image044j.jpg/)

Figure 2.6: Site-to-site IPsec VPN lab

Scenario: In this lab, we configure a site-to-site IPsec VPN. Once the VPN is configured, traffic between the loopback interfaces on R1 and R3 will be encrypted.

Step 1: Configure addressing

R1(config)# interface loopback0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# no shutdown

R2(config)# interface fastethernet0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown

R3(config)# interface loopback0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown

Step 2: Configure EIGRP routing

R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0
R1(config-router)# network 192.168.12.0

R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0

R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0
R3(config-router)# network 192.168.23.0

Step 3: Create the IKE policies

R1(config)# crypto isakmp enable

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600

R3(config)# crypto isakmp enable
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 3600

Step 4: Configure the pre-shared keys

R1(config)# crypto isakmp key cisco address 192.168.23.3
R3(config)# crypto isakmp key cisco address 192.168.12.1

Step 5: Configure the IPsec transform set and lifetime

R1(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R1(cfg-crypto-trans)# exit

R3(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R3(cfg-crypto-trans)# exit

R1(config)# crypto ipsec security-association lifetime seconds 1800
R3(config)# crypto ipsec security-association lifetime seconds 1800

Step 6: Define the interesting traffic

R1(config)# access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
R3(config)# access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255

Step 7: Create and apply the crypto maps

R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# set peer 192.168.23.3
R1(config-crypto-map)# set pfs group5
R1(config-crypto-map)# set transform-set 50
R1(config-crypto-map)# set security-association lifetime seconds 900

R3(config)# crypto map MYMAP 10 ipsec-isakmp
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# set peer 192.168.12.1
R3(config-crypto-map)# set pfs group5
R3(config-crypto-map)# set transform-set 50
R3(config-crypto-map)# set security-association lifetime seconds 900

# Apply the crypto maps to the router interfaces
R1(config)# interface fastethernet0/0
R1(config-if)# crypto map MYMAP

R3(config)# interface serial0/0/1
R3(config-if)# crypto map MYMAP
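
Steps 3 to 7 have to be entered consistently on both routers: the same IKE parameters, key, transform set and PFS group, mirror-image crypto ACLs, and a key address that matches the configured peer. The following check is an added example, not part of the original lab; `parse` and `audit` are hypothetical helpers and the sample text is constructed from the commands above with the prompts removed.

```python
import re

# Constructed input: the lab's R1 crypto commands with the prompts removed.
R1 = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
crypto isakmp key cisco address 192.168.23.3
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set pfs group5
"""
# R3 is the same text with the peer address and the ACL direction swapped.
R3 = (R1.replace("192.168.23.3", "192.168.12.1")
        .replace("172.16.1.0 0.0.0.255 172.16.3.0", "172.16.3.0 0.0.0.255 172.16.1.0"))

def parse(cfg):
    """Pull out the settings the two peers are compared on (hypothetical helper)."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    def find(pattern):
        return [m.groups() for l in lines if (m := re.fullmatch(pattern, l))]
    return {
        "ike": sorted(find(r"((?:authentication|encryption|hash|group) .+)")),
        "key": find(r"crypto isakmp key (\S+) address \S+"),
        "key_addr": find(r"crypto isakmp key \S+ address (\S+)"),
        "ts": find(r"crypto ipsec transform-set \S+ (.+)"),
        "acl": find(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)"),
        "peer": find(r"set peer (\S+)"),
        "pfs": find(r"set pfs (\S+)"),
    }

def audit(cfg_a, cfg_b):
    """Return a list of mismatches between two peers' crypto settings."""
    a, b = parse(cfg_a), parse(cfg_b)
    labels = {"ike": "IKE policy parameters", "key": "pre-shared keys",
              "ts": "transform sets", "pfs": "PFS groups"}
    problems = [f"{msg} differ" for k, msg in labels.items() if a[k] != b[k]]
    if a["acl"] != [(dst, src) for src, dst in b["acl"]]:
        problems.append("crypto ACLs are not mirror images")
    for name, side in (("peer A", a), ("peer B", b)):
        if side["key_addr"] != side["peer"]:
            problems.append(f"{name}: key address does not match set peer")
    return problems
```

An empty list from `audit(R1, R3)` means the two sides agree on every compared setting.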

2.5. Lab configuration results

2.5.1. Verifying the IPsec configuration

Use the show crypto ipsec transform-set command to display the IPsec policies configured in the transform set.

http://img847.imageshack.us/img847/3417/image045rb.jpg (http://img847.imageshack.us/i/image045rb.jpg/)

Use the show crypto map command to display the crypto maps that will be applied on the router.

http://img89.imageshack.us/img89/9986/image046nc.jpg (http://img89.imageshack.us/i/image046nc.jpg/)

2.5.2. Verifying IPsec operation

Use the show crypto isakmp sa command to display the IKE SAs.

http://img841.imageshack.us/img841/1922/image047dm.jpg (http://img841.imageshack.us/i/image047dm.jpg/)

Use the show crypto ipsec sa command to display the table of information about the SA packets between R1 and R3.

http://img687.imageshack.us/img687/1130/image048ts.jpg (http://img687.imageshack.us/i/image048ts.jpg/)

2.5.3. Verifying packet encryption

From R1 we telnet to R3 and, at the same time, use Wireshark to capture packets while the two routers communicate. First we disable the crypto map on R1 and R3, then telnet.

http://img37.imageshack.us/img37/3882/image049mt.jpg (http://img37.imageshack.us/i/image049mt.jpg/)

Figure 2.11: Details of an unencrypted telnet packet from R1

We then re-enable the crypto map on R1 and R3, after which the packets are encrypted.

http://img849.imageshack.us/img849/8111/image050lw.jpg (http://img849.imageshack.us/i/image050lw.jpg/)
