## IPsec (IP Security)
- R7 = HQ PC
- R8 = Branch PC
- R1 = GIT HQ (GIT-A)
- R2 = GIT Branch (GIT-B)
- R3 = ISP-1
- R4 = ISP-2
- R5 = ISP-3
- R6 = ISP-4
=========================================================================================================================
## Public network configuration
EX1) Build the public network between GIT-A, GIT-B, ISP-1, ISP-2, ISP-3 and ISP-4 using the OSPF routing protocol.
- OSPF process = 1, area = 0
- Router-ID: GIT = X.X.X.X, ISP = XX.XX.XX.XX (X = router number)
- OSPF packets must be sent only on the interfaces that need OSPF routing updates.
- The Loopback 0 networks of ISP-1, ISP-2 and ISP-3 must be included in OSPF.
- Every network in the OSPF domain must be advertised with the subnet mask assigned to its interface.
- The private networks of GIT-A and GIT-B must not be included in OSPF.
# ISP-1 (R3)
router ospf 1
router-id 11.11.11.11
passive-interface default
no passive-interface serial 1/0.12
network 100.100.11.0 0.0.0.255 area 0
network 121.160.10.0 0.0.0.255 area 0
network 121.160.12.0 0.0.0.255 area 0
!
# ISP-2 (R4)
router ospf 1
router-id 22.22.22.22
passive-interface default
no passive-interface serial 1/0.12
no passive-interface serial 1/0.23
network 100.100.12.0 0.0.0.255 area 0
network 121.160.12.0 0.0.0.255 area 0
network 121.160.23.0 0.0.0.255 area 0
!
# ISP-3 (R5)
router ospf 1
router-id 33.33.33.33
passive-interface default
no passive-interface serial 1/0.23
no passive-interface serial 1/0.34
network 100.100.13.0 0.0.0.255 area 0
network 121.160.23.0 0.0.0.255 area 0
network 121.160.34.0 0.0.0.255 area 0
!
# ISP-4 (R6)
router ospf 1
router-id 44.44.44.44
passive-interface default
no passive-interface serial 1/0.20
no passive-interface serial 1/0.34
network 100.100.14.0 0.0.0.255 area 0
network 121.160.20.0 0.0.0.255 area 0
network 121.160.34.0 0.0.0.255 area 0
!
Verification
ISP-1# show ip ospf neighbor [confirm 2 adjacencies]
ISP-2# show ip ospf neighbor [confirm 2 adjacencies]
ISP-3# show ip ospf neighbor [confirm 2 adjacencies]
ISP-4# show ip ospf neighbor [confirm 2 adjacencies]
=========================================================================================================================
## Creating a default route so the private networks can reach external networks
# GIT-A
ip route 0.0.0.0 0.0.0.0 121.160.10.11
!
# GIT-B
ip route 0.0.0.0 0.0.0.0 121.160.20.4
!
Verification
GIT-A# show ip route
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.1.0 is directly connected, Loopback0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
121.0.0.0/24 is subnetted, 1 subnets
C 121.160.10.0 is directly connected, Serial1/0.10
S* 0.0.0.0/0 [1/0] via 121.160.10.11
GIT-B# show ip route
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.2.0 is directly connected, Loopback0
C 192.168.20.0/24 is directly connected, FastEthernet0/1
121.0.0.0/24 is subnetted, 1 subnets
C 121.160.20.0 is directly connected, Serial1/0.20
S* 0.0.0.0/0 [1/0] via 121.160.20.4
=========================================================================================================================
EX3) Traffic between GIT-A's 192.168.10.0/24 and GIT-B's 192.168.20.0/24 networks must be protected.
[Phase 1]
- Authentication method: pre-shared key (options: pre-shared key, certificate, RSA)
- Encryption algorithm: 3DES (DES, 3DES, AES)
- Hash (authentication) algorithm: MD5 (MD5, SHA)
- Key exchange algorithm: Diffie-Hellman group 2 (1, 2, 5)
- Key exchange interval (SA lifetime): 1 hour
[Phase 2]
- IPsec protocol: ESP
- Encryption algorithm: AES
- Authentication algorithm: SHA-HMAC
# GIT-A (R1)
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto isakmp enable
!
crypto isakmp policy 10 <---- Phase-1 parameters
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
!
crypto isakmp key 0 cisco address 121.160.20.2
!
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
!
crypto map IPSEC_VPN 10 ipsec-isakmp
set peer 121.160.20.2
set transform-set IPSEC
match address 101
!
interface serial 1/0.10
crypto map IPSEC_VPN
!
# GIT-B (R2)
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto isakmp enable
!
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
!
crypto isakmp key 0 cisco address 121.160.10.1
!
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
!
crypto map IPSEC_VPN 10 ipsec-isakmp
set peer 121.160.10.1
set transform-set IPSEC
match address 101
!
interface serial 1/0.20
crypto map IPSEC_VPN
!
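An added configuration-audit example, written for this post rather than taken from the lab or from any Cisco tool: it parses the two crypto stanzas above (assumed to be in exactly the layout shown), checks that the Phase-1 policy, transform set and mirrored crypto ACLs agree between GIT-A and GIT-B, and flags the lab's weak choices (3DES, MD5, DH group 2, a type-0 pre-shared key).

```python
import re

# Constructed sample: the GIT-A / GIT-B VPN stanzas from the lab above, not router output.
LAB = """access-list 101 permit ip {src} 0.0.0.255 {dst} 0.0.0.255
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp key 0 cisco address {peer}
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac"""
GIT_A = LAB.format(src="192.168.10.0", dst="192.168.20.0", peer="121.160.20.2")
GIT_B = LAB.format(src="192.168.20.0", dst="192.168.10.0", peer="121.160.10.1")

# Settings the lab accepts that a reviewer should flag (IKEv1 DES/3DES, MD5, DH groups 1/2).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}

def parse_vpn(cfg):
    """Extract the Phase-1 policy, crypto ACL endpoints, PSK line and transform set (lab layout assumed)."""
    f = {}
    for m in re.finditer(r"^\s*(authentication|encryption|hash|group|lifetime)\s+(\S+)", cfg, re.M):
        f[m.group(1)] = m.group(2)
    m = re.search(r"^access-list \d+ permit ip (\S+) \S+ (\S+) \S+", cfg, re.M)
    f["acl"] = (m.group(1), m.group(2))
    m = re.search(r"^crypto isakmp key (\d) (\S+) address (\S+)", cfg, re.M)
    f["key_type"], f["psk"], f["peer"] = m.groups()
    f["transform"] = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M).group(1).strip()
    return f

def audit_pair(cfg_a, cfg_b):
    """Return findings: Phase-1/2 mismatches, non-mirrored crypto ACLs, and weak settings on either side."""
    a, b = parse_vpn(cfg_a), parse_vpn(cfg_b)
    findings = []
    # Phase 1 (isakmp policy) and Phase 2 (transform set) must agree; IKEv1 tolerates a lower
    # lifetime on one side, but the lab fixes it at 3600 on both, so it is compared too.
    for k in ("authentication", "encryption", "hash", "group", "lifetime", "transform"):
        if a.get(k) != b.get(k):
            findings.append(f"mismatch {k}: {a.get(k)} vs {b.get(k)}")
    # Each side's crypto ACL must be the mirror image of the other's (source/destination swapped).
    if a["acl"] != b["acl"][::-1]:
        findings.append("crypto ACLs are not mirror images")
    for name, f in (("A", a), ("B", b)):
        for k, bad in WEAK.items():
            if f.get(k) in bad:
                findings.append(f"{name}: weak {k} {f[k]} (prefer AES, SHA-2, DH group 14 or higher)")
        if f["key_type"] == "0":
            findings.append(f"{name}: PSK entered as type 0, so it sits in cleartext in the config")
        if f["psk"].lower() in {"cisco", "password"} or len(f["psk"]) < 12:
            findings.append(f"{name}: trivially guessable or short pre-shared key")
    return findings
```

Run `audit_pair(GIT_A, GIT_B)` on the lab pair: no mismatches are reported, but every weak setting the exercise prescribes is listed for both routers.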
Verification
=> capture R1 s1/0 IPSEC.cap FR
PC1# ping 192.168.20.2 source 192.168.10.1
PC2# ping 192.168.10.1 source 192.168.20.2
GIT-A# show crypto isakmp peer : confirm the Phase-1 peer
Peer: 121.160.20.2 Port: 500 Local: 121.160.10.1
Phase1 id: 121.160.20.2
GIT-B# show crypto isakmp peer : confirm the Phase-1 peer
Peer: 121.160.10.1 Port: 500 Local: 121.160.20.2
Phase1 id: 121.160.10.1
GIT-A# show crypto engine connections active : confirm encrypt/decrypt counters
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Se1/0.10 IPsec AES+SHA 0 9 121.160.10.1
2 Se1/0.10 IPsec AES+SHA 9 0 121.160.10.1
1001 Se1/0.10 IKE MD5+3DES 0 0 121.160.10.1
GIT-B# show crypto engine connections active : confirm encrypt/decrypt counters
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Se1/0.20 IPsec AES+SHA 0 9 121.160.20.2
2 Se1/0.20 IPsec AES+SHA 9 0 121.160.20.2
1001 Se1/0.20 IKE MD5+3DES 0 0 121.160.20.2