GRE-Over-IPsec (Dynamic)
### GRE-Over-IPsec (Static route)
## 공중망 구성
EX1) GIT-A , GIT-B , ISP-1 , ISP-2 , ISP-3 , ISP-4 구간에 OSPF Routing Protocol을 사용하여 공중망을 구성하시오
.OSPF Process = 1 , Area = 0
.Router-ID = GIT = X.X.X.X , ISP = XX.XX.XX.XX (X = Router 번호)
.OSPF 라우팅 업데이트가 필요한 Interface로만 OSPF Packet이 송신되어야 한다.
.ISP-1 , ISP-2 , ISP-3의 Loopback 0 네트워크는 OSPF에 포함되어야 한다.
.OSPF환경내의 모든 네트워크는 Interface에 할당된 SubnetMask로 확인되어야 한다.
.GIT-A , GIT-B의 사설 네트워크는 OSPF에 포함되지 않아야한다.
# ISP-1 (R3)
router ospf 1
router-id 11.11.11.11
passive-interface default
no passive-interface serial 1/0.10
no passive-interface serial 1/0.12
network 100.100.11.0 0.0.0.255 area 0
network 121.160.10.0 0.0.0.255 area 0
network 121.160.12.0 0.0.0.255 area 0
!
interface loopback 0
ip ospf network point-to-point
!
# ISP-2 (R4)
router ospf 1
router-id 22.22.22.22
passive-interface default
no passive-interface serial 1/0.12
no passive-interface serial 1/0.23
network 100.100.12.0 0.0.0.255 area 0
network 121.160.12.0 0.0.0.255 area 0
network 121.160.23.0 0.0.0.255 area 0
!
interface loopback 0
ip ospf network point-to-point
!
# ISP-3 (R5)
router ospf 1
router-id 33.33.33.33
passive-interface default
no passive-interface serial 1/0.23
no passive-interface serial 1/0.34
network 100.100.13.0 0.0.0.255 area 0
network 121.160.23.0 0.0.0.255 area 0
network 121.160.34.0 0.0.0.255 area 0
!
interface loopback 0
ip ospf network point-to-point
!
# ISP-4 (R6)
router ospf 1
router-id 44.44.44.44
passive-interface default
no passive-interface serial 1/0.20
no passive-interface serial 1/0.34
network 100.100.14.0 0.0.0.255 area 0
network 121.160.20.0 0.0.0.255 area 0
network 121.160.34.0 0.0.0.255 area 0
!
interface loopback 0
ip ospf network point-to-point
!
정보 확인
ISP-1# show ip ospf neighbor [인접성 2개 확인]
ISP-2# show ip ospf neighbor [인접성 2개 확인]
ISP-3# show ip ospf neighbor [인접성 2개 확인]
ISP-4# show ip ospf neighbor [인접성 2개 확인]
=========================================================================================================================
## EIGRP Routing Protocol을 사용한 사설망 구성
-EIGRP Routing Protocol을 사용하여 GIT-A <--> ISP-1 , ISP-4 <--> GIT-B 에 사설망을 구성하시오
.AS = 100 , 자동 요약 기능은 사용하지않는다.
.EIGRP 라우팅 업데이트가 필요한 Interface로만 EIGRP Packet을 송신해야 한다.
.GIT-A , GIT-B의 사설 네트워크와 Loopback 0 네트워크는 EIGRP에 포함되어야 한다.
# GIT-A
router eigrp 100
no auto-summary
passive-interface default
network 192.168.10.0
!
# GIT-B
router eigrp 100
no auto-summary
passive-interface default
network 192.168.20.0
!
정보 확인
GIT-A#show ip protocol
Routing Protocol is "eigrp 100"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 100
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
121.160.10.0/24
192.168.10.0
Passive Interface(s):
FastEthernet0/0
FastEthernet0/1
Serial1/0
Serial1/0.10
Serial1/1
Serial1/2
Serial1/3
Passive Interface(s):
Loopback0
Tunnel12
VoIP-Null0
Routing Information Sources:
Gateway Distance Last Update
Distance: internal 90 external 170
GIT-B#show ip protocol
=========================================================================================================================
## 사설 망에서 외부 네트워크로 통신하기위한 Default-route 생성
# GIT-A
ip route 0.0.0.0 0.0.0.0 121.160.10.11
!
# GIT-B
ip route 0.0.0.0 0.0.0.0 121.160.20.4
!
정보 확인
GIT-A# show ip route
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.1.0 is directly connected, Loopback0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
121.0.0.0/24 is subnetted, 1 subnets
C 121.160.10.0 is directly connected, Serial1/0.10
S* 0.0.0.0/0 [1/0] via 121.160.10.11
GIT-B# show ip route
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.2.0 is directly connected, Loopback0
C 192.168.20.0/24 is directly connected, FastEthernet0/1
121.0.0.0/24 is subnetted, 1 subnets
C 121.160.20.0 is directly connected, Serial1/0.20
S* 0.0.0.0/0 [1/0] via 121.160.20.4
=========================================================================================================================
## 사설망을 연결하기위한 Tunnel 생성
EX) GIT-A와 GIT-B 구간을 GRE Tunnel을 사용하여 연결하시오
.GIT-A와 GIT-B 구간 Tunnel에 할당할 IP 주소는 172.16.10.0/24를 사용해야한다.
.Tunnel로 통신시 사용할 공인 Source IP address , Destination IP address는
ISP-1 , ISP-4에 직접 연결된 물리적인 Interface의 IP 주소를 사용해야 한다.
# GIT-A
interface tunnel 12
ip address 172.16.10.1 255.255.255.0
tunnel source 121.160.10.1
tunnel destination 121.160.20.2
!
# GIT-B
interface tunnel 12
ip address 172.16.10.2 255.255.255.0
tunnel source 121.160.20.2
tunnel destination 121.160.10.1
!
정보 확인
GIT-A# show ip route
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.1.0 is directly connected, Loopback0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.10.0 is directly connected, Tunnel12
C 192.168.10.0/24 is directly connected, FastEthernet0/0
121.0.0.0/24 is subnetted, 1 subnets
C 121.160.10.0 is directly connected, Serial1/0.10
S* 0.0.0.0/0 [1/0] via 121.160.10.11
GIT-A# ping 172.16.10.2
GIT-B# show ip route
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.2.0 is directly connected, Loopback0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.10.0 is directly connected, Tunnel12
C 192.168.20.0/24 is directly connected, FastEthernet0/1
121.0.0.0/24 is subnetted, 1 subnets
C 121.160.20.0 is directly connected, Serial1/0.20
S* 0.0.0.0/0 [1/0] via 121.160.20.4
GIT-B# ping 172.16.10.1
==================================================================================================================
## Tunnel 경로를 사용한 사설망 연결
# GIT-A : 192.168.10.0/24
# GIT-B : 192.168.20.0/24
# Tunnel 12 : 172.16.10.0/24
# GIT-A
router eigrp 100
no passive-interface tunnel 12
network 172.16.10.0 0.0.0.255
!
# GIT-B
router eigrp 100
no passive-interface tunnel 12
network 172.16.10.0 0.0.0.255
!
정보 확인
GIT-A# show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.10.2 Tu12 14 00:00:05 73 5000 0 3
GIT-B# show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.10.1 Tu12 14 00:00:05 73 5000 0 3
GIT-A# show ip route
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.1.0 is directly connected, Loopback0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.10.0 is directly connected, Tunnel12
121.0.0.0/24 is subnetted, 1 subnets
C 121.160.10.0 is directly connected, Serial1/0.10
C 192.168.10.0/24 is directly connected, FastEthernet0/0
D 192.168.20.0/24 [90/297270016] via 172.16.10.2, 00:00:04, Tunnel12
S* 0.0.0.0/0 [1/0] via 121.160.10.11
PC1# ping 192.168.20.2
GIT-B# show ip route
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.2.0 is directly connected, Loopback0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.10.0 is directly connected, Tunnel12
121.0.0.0/24 is subnetted, 1 subnets
C 121.160.20.0 is directly connected, Serial1/0.20
D 192.168.10.0/24 [90/297270016] via 172.16.10.1, 00:00:26, Tunnel12
C 192.168.20.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 121.160.20.4
PC2# ping 192.168.10.1
=========================================================================================================================
EX) 아래의 조건에 맞게 IPsec을 구성하시오
.GIT-A의 192.168.10.0/24와 GIT-B의 192.168.20.0/24 네트워크간 통신시 정보보호가 실시되어져야 한다.
[Phase 1]
-인증방식 : 사전 인증방식 (사전 인증방식 , 인증서 방식 , RSA 인증)
-암호화 알고리즘 : 3DES (DES , 3DES , AES)
-인증 알고리즘 : MD5 (MD5 , SHA)
-Key교환 알고리즘 : Diffie-Hellman 2 (1,2,5)
-Key교환 주기 : 1시간
[Phase 2]
-IPsec Protocol : ESP
-암호화 알고리즘 : AES
-인증 알고리즘 : SHA-HMAC
# GIT-A (R1)
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto isakmp enable
!
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
!
crypto isakmp key 0 cisco address 121.160.20.2
!
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
!
crypto map IPSEC_VPN 10 ipsec-isakmp
set peer 121.160.20.2
set transform-set IPSEC
match address 101
!
interface tunnel 12
crypto map IPSEC_VPN
!
# GIT-B (R2)
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto isakmp enable
!
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
!
crypto isakmp key 0 cisco address 121.160.10.1
!
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
!
crypto map IPSEC_VPN 10 ipsec-isakmp
set peer 121.160.10.1
set transform-set IPSEC
match address 101
!
interface tunnel 12
crypto map IPSEC_VPN
!
정보 확인
=> capture R1 s1/0 IPSEC.cap FR
PC1# ping 192.168.20.2 source 192.168.10.1
GIT-A# show crypto isakmp peer : Phase-1 연결 확인
Peer: 121.160.20.2 Port: 500 Local: 121.160.10.1
Phase1 id: 121.160.20.2
GIT-A# show crypto engine connection active : Phase-2 암/복호화 확인
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Tu12 IPsec AES+SHA 0 9 121.160.10.1
2 Tu12 IPsec AES+SHA 9 0 121.160.10.1
1001 Tu12 IKE MD5+3DES 0 0 121.160.10.1
-Wireshark를 사용한 Capture 정보를 확인하게되면 사설 네트워크간 송/수신하는 트래픽 정보는
정보보호에 포함되지만 EIGRP는 보호되지 않는다.
EIGRP도 사설 네트워크기때문에 정보 보호에 포함되어야 한다. (ACL에 EIGRP 정보 추가 설정)
# GIT-A
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit eigrp any any <--------------------------------- 추가 설정
!
*Mar 1 00:44:52.543: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /224.0.0.10, src_addr= 172.16.10.2, prot= 88
*Mar 1 00:45:20.075: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.13.3 (Tunnel13) is down: holding time expired
# GIT-B
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit eigrp any any <--------------------------------- 추가 설정
!
*Mar 1 00:44:52.543: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /224.0.0.10, src_addr= 172.16.10.1, prot= 88
*Mar 1 00:45:20.075: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.13.3 (Tunnel13) is down: holding time expired
-IPsec 구성시 EIGRP를 정보보호 범위로 포함시키게되면 Tunnel로 연결된 EIGRP 인접성이 단절된다.
-IPsec 구성시 "crypto map"을 사용하여 적용하게되면 IP Unicast Traffic에 대한 보안기능만 지원하기때문에
Mutlicast를 사용하는 RIP , EIGRP , OSPF등과 같은 Protocol은 보호할 수 없다.
-Dynamic routing protocol을 보호범위에 포함하게되면 해당 정보를 전송할수 없기때문에 인접성이 단절된다.
-이 문제를 해결하기 위해서는 EIGRP 네트워크에 대한 암호화 기능이 지원되지 않기때문에 (EIGRP 라우팅시 Multicast를 사용)
ACL구성시 EIGRP 정보가 아닌 GRE Header부터 정보보호에 포함해야 한다.
# GIT-A , GIT-B
interface tunnel 12
no crypto map IPSEC_VPN
!
no access-list 101
!
# GIT-A
access-list 101 permit gre host 121.160.10.1 host 121.160.20.2 <---- Tunnel로 통신하는 모든 트래픽을 정보 보호 정책에 포함
!
interface serial 1/0.10
crypto map IPSEC_VPN
!
*Mar 1 01:05:38.099: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.16.10.2 (Tunnel12) is up: new adjacency
# GIT-B
access-list 101 permit gre host 121.160.20.2 host 121.160.10.1 <---- Tunnel로 통신하는 모든 트래픽을 정보 보호 정책에 포함
!
interface serial 1/0.20
crypto map IPSEC_VPN
!
*Mar 1 01:05:41.127: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.16.10.1 (Tunnel12) is up: new adjacency
정보 확인
=> capture R1 s1/0 IPSEC_2.cap FR
-Capture한 정보를 확인하게되면 ICMP , EIGRP 정보가 확인되지 않는다. (ESP로만 확인)
PC1# ping 192.168.20.2 source 192.168.10.1
GIT-A# show crypto isakmp peer : Phase-1 연결 확인
Peer: 121.160.20.2 Port: 500 Local: 121.160.10.1
Phase1 id: 121.160.20.2
GIT-A# show crypto engine connection active : Phase-2 암/복호화 확인
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Tu12 IPsec AES+SHA 0 6 121.160.10.1
2 Tu12 IPsec AES+SHA 7 0 121.160.10.1
1001 Tu12 IKE MD5+3DES 0 0 121.160.10.1