### IPsec Redundancy
## Public Network Configuration
- GIT-HQ-1 = R1
- GIT-HQ-2 = R2
- ISP-1 = R3
- ISP-2 = R4
- GIT-A = R5
- GIT-B = R6
- PC = R7
EX1) Build the public network between GIT-HQ-1, GIT-HQ-2, ISP-1, ISP-2, GIT-A and GIT-B using the OSPF routing protocol
. OSPF process = 1, area = 0, router-ID = assigned per student
. OSPF packets must only be sent out of interfaces that need OSPF routing updates.
. The Loopback 0 networks of GIT-HQ-1, GIT-HQ-2, ISP-1, ISP-2, GIT-A and GIT-B must be included in OSPF.
. Every network in the OSPF domain must be seen with the subnet mask assigned on its interface.
. The private networks of GIT-HQ-1, GIT-HQ-2, GIT-A and GIT-B must not be included in OSPF.
. On the segment connecting GIT-HQ-1, GIT-HQ-2 and ISP-1, GIT-HQ-1 must be elected DR and GIT-HQ-2 BDR.
# GIT-HQ-1 (R1)
router ospf 1
router-id 123.123.1.1
passive-interface default
no passive-interface fastethernet 0/1
network 123.123.1.1 0.0.0.0 area 0
network 121.160.10.1 0.0.0.0 area 0
!
interface fastethernet 0/1
ip ospf priority 255
!
interface loopback 0
ip ospf network point-to-point
!
# GIT-HQ-2 (R2)
router ospf 1
router-id 123.123.2.2
passive-interface default
no passive-interface fastethernet 0/1
network 123.123.2.2 0.0.0.0 area 0
network 121.160.10.2 0.0.0.0 area 0
!
interface fastethernet 0/1
ip ospf priority 200
!
interface loopback 0
ip ospf network point-to-point
!
# ISP-1 (R3)
router ospf 1
router-id 123.123.11.11
passive-interface default
no passive-interface fastethernet 0/1
no passive-interface serial 1/0.10
network 123.123.11.11 0.0.0.0 area 0
network 121.160.10.3 0.0.0.0 area 0
network 121.160.10.33 0.0.0.0 area 0
!
interface loopback 0
ip ospf network point-to-point
!
# ISP-2 (R4)
router ospf 1
router-id 123.123.22.22
passive-interface default
no passive-interface serial 1/0.10
no passive-interface serial 1/0.20
no passive-interface serial 1/0.30
network 123.123.22.22 0.0.0.0 area 0
network 121.160.10.34 0.0.0.0 area 0
network 121.160.10.37 0.0.0.0 area 0
network 121.160.10.41 0.0.0.0 area 0
!
interface loopback 0
ip ospf network point-to-point
!
# GIT-A (R5)
router ospf 1
router-id 123.123.20.20
passive-interface default
no passive-interface serial 1/0.20
network 123.123.20.20 0.0.0.0 area 0
network 121.160.10.38 0.0.0.0 area 0
!
interface loopback 0
ip ospf network point-to-point
!
# GIT-B (R6)
router ospf 1
router-id 123.123.30.30
passive-interface default
no passive-interface serial 1/0.30
network 123.123.30.30 0.0.0.0 area 0
network 121.160.10.42 0.0.0.0 area 0
!
interface loopback 0
ip ospf network point-to-point
!
Verification
GIT-HQ-1# show ip ospf neighbor [check for 2 adjacencies]
GIT-HQ-2# show ip ospf neighbor [check for 2 adjacencies]
ISP-1# show ip ospf neighbor [check for 3 adjacencies]
ISP-2# show ip ospf neighbor [check for 3 adjacencies]
GIT-A# show ip ospf neighbor [check for 1 adjacency]
GIT-B# show ip ospf neighbor [check for 1 adjacency]
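As an added example (not part of the original lab notes), the Python script below parses the text of `show ip ospf neighbor` and checks it against the EX1 requirements: the expected number of FULL adjacencies and the DR/BDR roles. Both neighbor tables embedded in it are constructed for this lab, not captured from the routers. Since a router never lists its own role, HQ-1's DR status and HQ-2's BDR status are read from ISP-1's table; the second table shows the state you get when the priorities are applied after the election has already happened, because OSPF never pre-empts an existing DR.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One data row of `show ip ospf neighbor`; the role after '/' is DR, BDR, DROTHER
# or '-' (point-to-point links print "FULL/  -").
NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z0-9]+)/\s*(?P<role>\S+)\s+"
    r"(?P<dead>[\d:]+|-)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s*$"
)

@dataclass
class Neighbor:
    router_id: str
    priority: int
    state: str      # FULL, 2WAY, EXSTART, ...
    role: str       # DR, BDR, DROTHER or '-'
    address: str
    interface: str

def parse_neighbors(output: str) -> list:
    """Turn the text of `show ip ospf neighbor` into Neighbor records (header lines are skipped)."""
    neighbors = []
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            neighbors.append(Neighbor(m["rid"], int(m["pri"]), m["state"],
                                      m["role"], m["addr"], m["intf"]))
    return neighbors

def check_adjacencies(output: str, expected_full: int,
                      expected_roles: Optional[dict] = None) -> list:
    """Compare the neighbor table with the lab requirements.
    Returns a list of findings; an empty list means everything matches."""
    findings = []
    neighbors = parse_neighbors(output)
    full = [n for n in neighbors if n.state == "FULL"]
    if len(full) != expected_full:
        findings.append(f"expected {expected_full} FULL adjacencies, found {len(full)}")
    for n in neighbors:
        if n.state != "FULL":
            findings.append(f"{n.router_id} on {n.interface} is stuck in {n.state}")
    for rid, role in (expected_roles or {}).items():
        actual = next((n.role for n in neighbors if n.router_id == rid), None)
        if actual is None:
            findings.append(f"{rid} is missing from the neighbor table")
        elif actual != role:
            findings.append(f"{rid} is {actual}, expected {role}")
    return findings

# Constructed sample of the table on ISP-1 (R3) once the lab is working (not captured output).
ISP1_OK = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
123.123.1.1     255   FULL/DR         00:00:31    121.160.10.1    FastEthernet0/1
123.123.2.2     200   FULL/BDR        00:00:36    121.160.10.2    FastEthernet0/1
123.123.22.22     0   FULL/  -        00:00:34    121.160.10.34   Serial1/0.10
"""

# Constructed table from before the priorities took effect: HQ-2 won the first election
# and keeps DR until the segment is re-elected.
ISP1_WRONG_DR = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
123.123.1.1       1   FULL/BDR        00:00:31    121.160.10.1    FastEthernet0/1
123.123.2.2       1   FULL/DR         00:00:36    121.160.10.2    FastEthernet0/1
123.123.22.22     0   FULL/  -        00:00:34    121.160.10.34   Serial1/0.10
"""

ISP1_EXPECTED_ROLES = {"123.123.1.1": "DR", "123.123.2.2": "BDR"}

if __name__ == "__main__":
    for name, table in (("ISP1_OK", ISP1_OK), ("ISP1_WRONG_DR", ISP1_WRONG_DR)):
        print(name, check_adjacencies(table, 3, ISP1_EXPECTED_ROLES) or "OK")
```

To use it on real gear, paste the router's output into the table strings (or read it from a file) and call `check_adjacencies` with the adjacency count listed in the verification step above. If the DR/BDR finding appears, `clear ip ospf process` on the segment forces a new election with the configured priorities.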
=========================================================================================================================
EX2) Configure gateway redundancy with HSRP on the internal network segment of GIT-HQ-1 and GIT-HQ-2
. The virtual IP 192.168.10.254 must be used.
. GIT-HQ-1 must be the Active router for the virtual IP.
. GIT-HQ-2 must be the Standby router for the virtual IP.
. When GIT-HQ-1's internal segment fails, GIT-HQ-2 must become the Active router.
. 60 seconds after GIT-HQ-1's internal segment recovers, GIT-HQ-1 must become Active again.
. When GIT-HQ-1's external segment fails, GIT-HQ-2 must become the Active router immediately.
# GIT-HQ-1 (R1)
interface fastethernet 0/0
standby 1 ip 192.168.10.254
standby 1 priority 120
standby 1 timers 1 3
standby 1 preempt delay minimum 60
standby 1 track fastethernet0/1 100
!
# GIT-HQ-2 (R2)
interface fastethernet 0/0
standby 1 ip 192.168.10.254
standby 1 priority 80
standby 1 timers 1 3
standby 1 preempt
!
Verification
GIT-HQ-1# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    120 P Active  local           192.168.10.252  192.168.10.254
GIT-HQ-2# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    80  P Standby 192.168.10.251  local           192.168.10.254
=========================================================================================================================
## Default routes so the private networks can reach external networks
# GIT-HQ-1 (R1)
ip route 0.0.0.0 0.0.0.0 121.160.10.3
!
# GIT-HQ-2 (R2)
ip route 0.0.0.0 0.0.0.0 121.160.10.3
!
# GIT-A (R5)
ip route 0.0.0.0 0.0.0.0 121.160.10.37
!
# GIT-B (R6)
ip route 0.0.0.0 0.0.0.0 121.160.10.41
!
Verification
GIT-HQ-1# show ip route
C 192.168.10.0/24 is directly connected, FastEthernet0/0
123.0.0.0/24 is subnetted, 6 subnets
C 123.123.1.0 is directly connected, Loopback0
O 123.123.2.0 [110/11] via 121.160.10.2, 00:16:32, FastEthernet0/1
O 123.123.11.0 [110/11] via 121.160.10.3, 00:16:32, FastEthernet0/1
O 123.123.20.0 [110/139] via 121.160.10.3, 00:16:32, FastEthernet0/1
O 123.123.22.0 [110/75] via 121.160.10.3, 00:16:32, FastEthernet0/1
O 123.123.30.0 [110/139] via 121.160.10.3, 00:16:32, FastEthernet0/1
121.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 121.160.10.0/29 is directly connected, FastEthernet0/1
O 121.160.10.32/30 [110/74] via 121.160.10.3, 00:16:32, FastEthernet0/1
O 121.160.10.36/30 [110/138] via 121.160.10.3, 00:16:32, FastEthernet0/1
O 121.160.10.40/30 [110/138] via 121.160.10.3, 00:16:32, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 121.160.10.3 <----------------------------- default route present
GIT-HQ-2# show ip route
GIT-A# show ip route
GIT-B# show ip route
=========================================================================================================================
EX2) Configure gateway redundancy with HSRP on the external network segment of GIT-HQ-1 and GIT-HQ-2
. The virtual IP 121.160.10.4 must be used.
. GIT-HQ-1 must be the Active router for the virtual IP.
. GIT-HQ-2 must be the Standby router for the virtual IP.
. When GIT-HQ-1's external segment fails, GIT-HQ-2 must become the Active router.
. 60 seconds after GIT-HQ-1's external segment recovers, GIT-HQ-1 must become Active again.
. When GIT-HQ-1's internal segment fails, GIT-HQ-2 must become the Active router immediately.
# GIT-HQ-1 (R1)
interface fastethernet 0/1
standby 2 ip 121.160.10.4
standby 2 priority 120
standby 2 timers 1 3
standby 2 preempt delay minimum 60
standby 2 track fastethernet0/0 100
standby 2 name HSRP_IPSEC
!
# GIT-HQ-2 (R2)
interface fastethernet 0/1
standby 2 ip 121.160.10.4
standby 2 priority 80
standby 2 timers 1 3
standby 2 preempt
standby 2 name HSRP_IPSEC
!
Verification
GIT-HQ-1# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    120 P Active  local           192.168.10.252  192.168.10.254
Fa0/1       2    120 P Active  local           121.160.10.2    121.160.10.4
GIT-HQ-2# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    80  P Standby 192.168.10.251  local           192.168.10.254
Fa0/1       2    80  P Standby 121.160.10.1    local           121.160.10.4
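Both HSRP exercises (the internal group 1 and the external group 2) rely on the same arithmetic: configured priority, the track decrement, the peer's `preempt`, and the `preempt delay minimum` that only applies when a router's own group (re)starts. The following is an added example, not code from the lab notes: a small Python model of those rules that walks through the group 2 requirements with the values from the configuration above. The tie-break on highest IP address is not modelled, and the "up for an hour" figures are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HsrpRouter:
    name: str
    group_intf: str                 # interface the standby group lives on
    priority: int                   # `standby N priority`
    preempt: bool = False           # `standby N preempt`
    preempt_delay: int = 0          # `standby N preempt delay minimum <s>`
    tracks: dict = field(default_factory=dict)   # tracked interface -> decrement

    def effective_priority(self, down: set) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(dec for intf, dec in self.tracks.items()
                                   if (self.name, intf) in down)

def elect_active(routers: list, current_active: Optional[str], down: set,
                 group_up_seconds: dict) -> str:
    """Name of the Active router. `down` holds (router, interface) pairs that are down;
    `group_up_seconds` says how long each router's standby group has been running.

    Model of the IOS rules used here (an assumption of this example, not router code):
    - a router whose group interface is down has left the group and cannot be Active;
    - while the current Active is still present, a peer takes over only if it has
      preempt, a higher effective priority, and its group has been up for at least its
      preempt delay (the delay counts from the group starting, so a tracked interface
      recovering does not restart it);
    - with no Active present, the highest effective priority wins."""
    members = [r for r in routers if (r.name, r.group_intf) not in down]
    if not members:
        raise ValueError("no router is participating in the group")
    prio = {r.name: r.effective_priority(down) for r in members}
    active = next((r for r in members if r.name == current_active), None)
    if active is None:
        return max(members, key=lambda r: prio[r.name]).name
    for r in members:
        if (r is not active and r.preempt and prio[r.name] > prio[active.name]
                and group_up_seconds.get(r.name, 0) >= r.preempt_delay):
            return r.name
    return active.name

# Group 2 on Fa0/1 with the values from the lab configuration.
HQ1 = HsrpRouter("GIT-HQ-1", "Fa0/1", 120, preempt=True, preempt_delay=60, tracks={"Fa0/0": 100})
HQ2 = HsrpRouter("GIT-HQ-2", "Fa0/1", 80, preempt=True)
GROUP2 = [HQ1, HQ2]
STEADY = {"GIT-HQ-1": 3600, "GIT-HQ-2": 3600}   # constructed: both groups running for an hour

def group2_scenarios() -> dict:
    """Walk the requirements of the external-side exercise and record who is Active."""
    out = {}
    out["steady"] = elect_active(GROUP2, None, set(), STEADY)
    # HQ-1's external interface (the group interface itself) fails: HQ-1 leaves the group.
    out["ext_fail"] = elect_active(GROUP2, out["steady"], {("GIT-HQ-1", "Fa0/1")}, STEADY)
    # Fa0/1 comes back; the 60 s preempt delay keeps HQ-2 Active for the first minute.
    out["ext_recover_10s"] = elect_active(GROUP2, out["ext_fail"], set(),
                                          {"GIT-HQ-1": 10, "GIT-HQ-2": 3600})
    out["ext_recover_60s"] = elect_active(GROUP2, out["ext_fail"], set(),
                                          {"GIT-HQ-1": 60, "GIT-HQ-2": 3600})
    # HQ-1's internal interface (tracked) fails: 120 - 100 = 20 < 80, and HQ-2 preempts
    # with no delay, so the switch is immediate.
    out["int_fail"] = elect_active(GROUP2, out["steady"], {("GIT-HQ-1", "Fa0/0")}, STEADY)
    # The tracked interface recovers: HQ-1 never left the group, so no delay applies.
    out["int_recover"] = elect_active(GROUP2, out["int_fail"], set(), STEADY)
    return out

if __name__ == "__main__":
    for step, active in group2_scenarios().items():
        print(f"{step:17s} Active = {active}")
```

The decrement of 100 is what makes the design work: it has to push HQ-1 below HQ-2's 80, otherwise the tracked failure would leave HQ-1 Active with a dead far-side interface. Swap the interface names and group number to replay group 1 with the same model.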
=========================================================================================================================
EX3) Configure IPsec redundancy according to the conditions below
. Traffic between 192.168.10.0/24 behind GIT-HQ-1/GIT-HQ-2 and 192.168.20.0/24 behind GIT-A must be protected.
. Traffic between 192.168.10.0/24 behind GIT-HQ-1/GIT-HQ-2 and 192.168.30.0/24 behind GIT-B must be protected.
[Phase 1]
- Authentication method: pre-shared key
- Encryption algorithm: AES
- Hash algorithm: MD5
- Key exchange algorithm: Diffie-Hellman group 2
- Key exchange interval (SA lifetime): 30 minutes
[Phase 2]
- IPsec protocol: ESP
- Encryption algorithm: AES
- Authentication algorithm: SHA-HMAC
# GIT-HQ-1 (R1) , GIT-HQ-2 (R2)
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
crypto isakmp enable
!
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 1800
! 30 minutes = 1800 seconds (the lifetime is given in seconds)
!
crypto isakmp key cisco address 121.160.10.38
crypto isakmp key cisco address 121.160.10.42
crypto isakmp keepalive 10
!
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
!
crypto map IPSEC_HSRP 10 ipsec-isakmp
set peer 121.160.10.38
set peer 121.160.10.42
set transform-set IPSEC
match address 101
reverse-route
! reverse-route (Reverse Route Injection): prevents asymmetric routing; return traffic leaves by the path it came in on
!
interface fastethernet0/1
crypto map IPSEC_HSRP redundancy HSRP_IPSEC
!
# GIT-A (R5)
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto isakmp enable
!
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
!
crypto isakmp key cisco address 121.160.10.4
crypto isakmp keepalive 10
!
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
!
crypto map IPSEC_INT 10 ipsec-isakmp
set peer 121.160.10.4
set transform-set IPSEC
match address 101
!
interface serial 1/0.20
crypto map IPSEC_INT
!
# GIT-B (R6)
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto isakmp enable
!
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 2
!
crypto isakmp key cisco address 121.160.10.4
crypto isakmp keepalive 10
!
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
!
crypto map IPSEC_INT 10 ipsec-isakmp
set peer 121.160.10.4
set transform-set IPSEC
match address 101
!
interface serial 1/0.30
crypto map IPSEC_INT
!
Verification
PC# ping 192.168.20.1 : GIT-HQ ----> GIT-A
PC# ping 192.168.30.1 : GIT-HQ ----> GIT-B
GIT-HQ-1# show crypto isakmp peer
Peer: 121.160.10.38 Port: 500 Local: 121.160.10.4
 Phase1 id: 121.160.10.38 <---------- Phase 1 established with GIT-A
Peer: 121.160.10.42 Port: 500 Local: 121.160.10.4
 Phase1 id: 121.160.10.42 <---------- Phase 1 established with GIT-B
GIT-A# show crypto isakmp peer
Peer: 121.160.10.4 Port: 500 Local: 121.160.10.38
 Phase1 id: 121.160.10.4 <---------- Phase 1 established with GIT-HQ (the HSRP virtual IP)
GIT-B# show crypto isakmp peer
Peer: 121.160.10.4 Port: 500 Local: 121.160.10.42
 Phase1 id: 121.160.10.4 <---------- Phase 1 established with GIT-HQ (the HSRP virtual IP)
GIT-HQ-1# show crypto engine connections active
Crypto Engine Connections

   ID  Interface  Type   Algorithm   Encrypt  Decrypt IP-Address
    1  Fa0/1      IPsec  AES+SHA           0        9 121.160.10.4
    2  Fa0/1      IPsec  AES+SHA           9        0 121.160.10.4
    3  Fa0/1      IPsec  AES+SHA           0        5 121.160.10.4
    4  Fa0/1      IPsec  AES+SHA           5        0 121.160.10.4
 1004  Fa0/1      IKE    MD5+AES           0        0 121.160.10.4
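Two of the mistakes that most often break this design are invisible until a failover: a spoke whose `set peer` or ISAKMP key points at a hub's physical address instead of the HSRP virtual IP (the tunnel then dies with that hub instead of following the group), and a Phase 1 `lifetime` that does not match the requirement. As an added example, not part of the original lab notes, the Python script below audits IOS configuration text for both, plus the crypto-ACL mirroring that Phase 2 needs. The two configuration fragments are constructed from the lab values with those errors planted deliberately so the audit has something to report.

```python
import re
from ipaddress import ip_network

# Constructed IOS fragments modelled on the lab. The hub is reached through the HSRP
# VIP 121.160.10.4; GIT-A's own address is 121.160.10.38. Two mistakes are planted on
# purpose: the hub lifetime is 600 s instead of the required 30 minutes, and the spoke
# points at HQ-1's physical address 121.160.10.1 instead of the VIP.
HUB_CFG = """\
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 600
crypto isakmp key cisco address 121.160.10.38
crypto isakmp key cisco address 121.160.10.42
crypto map IPSEC_HSRP 10 ipsec-isakmp
 set peer 121.160.10.38
 set peer 121.160.10.42
 match address 101
"""

SPOKE_A_CFG = """\
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
crypto isakmp key cisco address 121.160.10.1
crypto map IPSEC_INT 10 ipsec-isakmp
 set peer 121.160.10.1
 match address 101
"""

ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")
KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)$")
PEER_RE = re.compile(r"^\s*set peer (\S+)$")
LIFETIME_RE = re.compile(r"^\s*lifetime (\d+)$")
ISAKMP_DEFAULT_LIFETIME = 86400   # IOS default when the policy has no `lifetime` line

def wildcard_to_net(addr: str, wildcard: str):
    """IOS wildcard (inverted mask) -> ipaddress network object."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)

def crypto_acl(cfg: str, number: str) -> set:
    """Set of (src, dst) network strings permitted by one numbered crypto ACL."""
    flows = set()
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m[1] == number:
            flows.add((str(wildcard_to_net(m[2], m[3])), str(wildcard_to_net(m[4], m[5]))))
    return flows

def isakmp_lifetime(cfg: str) -> int:
    for line in cfg.splitlines():
        m = LIFETIME_RE.match(line)
        if m:
            return int(m[1])
    return ISAKMP_DEFAULT_LIFETIME

def audit(hub_cfg: str, spoke_cfg: str, hub_vip: str, required_lifetime: int = 1800) -> list:
    """Return findings (empty list = pass) for a spoke paired with the HSRP hub."""
    findings = []
    # 1. The spoke's key and peer must be the HSRP virtual IP, not a physical hub address.
    for regex, what in ((KEY_RE, "isakmp key"), (PEER_RE, "crypto map peer")):
        for line in spoke_cfg.splitlines():
            m = regex.match(line)
            if m and m[1] != hub_vip:
                findings.append(f"spoke {what} uses {m[1]}, expected HSRP VIP {hub_vip}")
    # 2. Every flow the spoke protects needs its mirror image in the hub's crypto ACL,
    #    otherwise the Phase 2 proxy identities do not match and no SA is built.
    hub_flows = crypto_acl(hub_cfg, "101")
    for src, dst in sorted(crypto_acl(spoke_cfg, "101")):
        if (dst, src) not in hub_flows:
            findings.append(f"spoke protects {src} -> {dst} but hub ACL has no {dst} -> {src}")
    # 3. Phase 1 lifetime against the lab requirement (30 minutes = 1800 s).
    lifetime = isakmp_lifetime(hub_cfg)
    if lifetime != required_lifetime:
        findings.append(f"hub isakmp lifetime is {lifetime}s, requirement is {required_lifetime}s")
    return findings

if __name__ == "__main__":
    for f in audit(HUB_CFG, SPOKE_A_CFG, "121.160.10.4"):
        print("FINDING:", f)
```

The same three checks are worth repeating against GIT-B with its own address. Note that `hash md5` and `group 2` are what the exercise mandates; on production gear both are below current recommendations, and a checker like this is the natural place to flag them.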
###### Verifying the path change on failure ######
PC# ping 192.168.20.1 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
GIT-HQ-1(config)# interface fastethernet 0/1
GIT-HQ-1(config-if)# shutdown <------- simulate a failure of the GIT-HQ Active router
PC# ping 192.168.20.1 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!..!!!!!!!!!!!!!!!!!!!!!!!!!! <---- two echoes lost while the path switched over after the failure
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!