Differences
This shows you the differences between two versions of the page.
|
cns:laboratoare:laborator-09 [2013/01/06 13:24] traian.popeea [Tasks] |
— (current) | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab 9 - IPSec and GRE ====== | ||
| - | |||
| - | ===== Topology ===== | ||
| - | {{ :cns:resurse:lab9_cns.png?direct&800 }} | ||
| - | |||
| - | |||
| - | ===== Interfaces ===== | ||
| - | ^ Device ^ Interface ^ IP Address ^ Subnet Mask ^ | ||
| - | | R1 | Fa0/0 | 192.168.12.1 | 255.255.255.248 | | ||
| - | | R1 | Lo0 | 10.1.1.1 | 255.255.255.0 | | ||
| - | | R1 | Lo1 | 11.1.1.1 | 255.255.255.0 | | ||
| - | | R2 | Fa0/0 | 192.168.12.2 | 255.255.255.248 | | ||
| - | | R2 | Fa0/1 | 192.168.23.2 | 255.255.255.248 | | ||
| - | | R3 | Fa0/0 | 192.168.23.3 | 255.255.255.248 | | ||
| - | | R3 | Lo0 | 10.3.3.3 | 255.255.255.0 | | ||
| - | | R3 | Lo1| 11.3.3.3 | 255.255.255.0 | | ||
| - | |||
| - | |||
| - | ===== Tasks ===== | ||
| - | |||
| - | Open the [[http://ocw.cs.pub.ro/courses/_media/cns/laborator/lab9_cns_topology.net| Lab9_CNS_Topology.net]] file. | ||
| - | |||
| - | - [2p] Configure the above topology with the IP addresses shown in the IP Addressing table. Configure EIGRP/OSPF in the above topology in order to have end-to-end connectivity. | ||
| - | - Test by using an extended ping from R1’s lo1 interface to R3’s lo1 interface. | ||
| - | - [+5p=7p] Configure so that traffic between R1 Lo0 and R3 Lo0 is encrypted using IPSec. | ||
| - | - Configure the following ISAKMP policy on both R1 and R3 | ||
| - | * authentication: pre-shared keys | ||
| - | * encryption: aes 256 | ||
| - | * hashing: sha1 | ||
| - | * diffie-hellman group: 2 | ||
| - | * lifetime: 3600 | ||
| - | - Configure "cns!@#" as a pre-shared key on both R1 and R3. | ||
| - | - Configure the following transform set on both R1 and R3: | ||
| - | * Tag (name of the transform set): TS_SRS | ||
| - | * Transform set: esp-aes 256 esp-sha-hmac | ||
| - | * Mode: transport | ||
| - | - Construct an access-list that will match the traffic that you want to encrypt. The access-list will have to define both the source and the destination of the traffic. An access-list must be defined on both R1 and R3. **Watch out for the fact that the 2 ACLs must mirror each other**. | ||
| - | - Create a crypto-map called **TUNNEL_MAP** on both R1 and R3. | ||
| - | * The crypto map must match the ACL that you used to define interesting traffic. | ||
| - | * The crypto map must set the remote peer for the tunnel. The remote peer is going to be the IP address of the outgoing Ethernet interface of each router. | ||
| - | * The crypto map must set the transform set to “TS_SRS” | ||
| - | - Apply the crypto map on interface F0/0 of R1 and F0/1 of R3. | ||
| - | - Verifying that the traffic is encrypted. | ||
| - | * Use the ''capture R2 F0/0 tunnel.cap'' command in the dynagen console to start a capture on R2’s F0/0 interface | ||
| - | * Generate traffic between loopback interfaces. | ||
| - | * Stop the capture using the ''no capture R2 F0/0'' command in the dynagen console. | ||
| - | * Open the tunnel.cap file with Wireshark. | ||
| - | - [+4p=11p] All the traffic that will be flowing between R1’s lo1 interface and R3’s lo1 interface is to be encapsulated using the GRE protocol. | ||
| - | - The network that is to be used on the Tunnel interfaces is 13.13.13.0 /29 | ||
| - | - The tunnel mode is ''gre ip'' | ||
| - | - On R1, direct all the traffic going to network 11.3.3.0 through the GRE tunnel. Depending on what routing protocol you use, watch out for: | ||
| - | * routes being advertised through the tunnel (including the route towards the tunnel endpoint) | ||
| - | * the subnet mask of dynamic/static routes | ||
| - | - On R3, direct all the traffic going to network 11.1.1.0 through the GRE tunnel. | ||
| - | - Verifying the GRE encapsulation using Wireshark. | ||
