Differences

This shows you the differences between two versions of the page.

pr:laboratoare:09 [2016/12/14 18:52] sergiu.costea [GRE (4p)]
pr:laboratoare:09 [2025/07/27 14:49] (current)

The body below is the 2016/12/14 revision; the current revision keeps only the heading "Laboratorul 09." and drops everything else.

===== Lab 09. GRE and IPsec =====

==== Topology ====

{{ :scr:laboratoare:topology_9.png |}}

==== Requirements ====

=== Setup ===
<note important> Download the initial configurations from {{:pr:laboratoare:08_bgp_initial_configs.zip|here}}. </note>

=== Exercises ===
<note info>
The initial configurations must be loaded on all routers. Do not start the tasks of this lab before loading initial_configs.
</note>

==== IPsec (5p) ====
Follow the steps below so that traffic between R1's Loopback0 and R3's Loopback0 is encrypted with IPsec.

=== ISAKMP ===
Configure the following ISAKMP (IKEv1 phase 1) policy on both R1 and R3:
  * authentication: pre-shared keys
  * encryption: aes 256
  * hashing: sha1
  * diffie-hellman group: 2
  * lifetime: 3600

Authentication, encryption, hash and DH group must match on both peers, otherwise phase 1 never completes (if only the lifetimes differ, the shorter one is used). DH group 2 (1024-bit MODP) and SHA-1 are kept here for the lab only; in production prefer group 14 or higher and, on IOS releases that support it, ''hash sha256''.

The syntax for configuring the policy is the following:
<code>
R(config)#crypto isakmp policy <policy_number>
R(config-isakmp)#authentication <pre-share | rsa-encr | rsa-sig>
R(config-isakmp)#encryption <des | 3des | aes> <key-length>
R(config-isakmp)#hash <md5 | sha>
R(config-isakmp)#group <diffie_hellman_group_number>
R(config-isakmp)#lifetime <lifetime_in_seconds>
</code>
<solution -hidden -en>
On **R1**:
<code>
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit
</code>

On **R3**:
<code>
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 3600
R3(config-isakmp)#exit
</code>
</solution>

Configure "srs!@#" as the pre-shared key on both R1 and R3.
The pre-shared key is configured with the //crypto isakmp key// command. The first argument is the storage type of the key, not an index: ''0'' stores it in cleartext in the running configuration (anyone who can read ''show running-config'' gets the key), ''6'' stores it AES-encrypted (requires ''key config-key password-encryption'' and ''password encryption aes''). The address is the IKE peer, i.e. the other router's outgoing Ethernet interface, not its loopback:
<code>
R(config)#crypto isakmp key <0 | 6> <key_string> address <peer_address>
</code>
<solution -hidden -en>

On **R1**:
<code>
R1(config)#crypto isakmp key 0 srs!@# address 192.168.23.3
</code>

On **R3**:
<code>
R3(config)#crypto isakmp key 0 srs!@# address 192.168.12.1
</code>

</solution>

=== IPsec ===
Configure the following transform set (the IKE phase 2 / IPsec SA proposal) on both R1 and R3:
  * Tag (name of the transform set): TS_SRS
  * Transform set: esp-aes 256 esp-sha-hmac
  * Mode: transport

Transport mode protects only the payload and is negotiated only when the protected addresses are the IPsec peers themselves. Here the protected traffic runs between the loopbacks (10.1.1.1 and 10.3.3.3) while the peers are the Ethernet addresses, so IOS falls back to tunnel mode; this is why the ''show crypto ipsec sa'' output later in this lab reports ''in use settings ={Tunnel, }''.

The commands for configuring a transform set are the following:
<code>
R(config)#crypto ipsec transform-set <transform_set_name> <transform_set_parameters>
R(cfg-crypto-trans)#mode <transport | tunnel>
</code>

<solution -hidden -en>

On **R1**:
<code>
R1(config)#crypto ipsec transform-set TS_SRS esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit
</code>

On **R3**:
<code>
R3(config)#crypto ipsec transform-set TS_SRS esp-aes 256 esp-sha-hmac
R3(cfg-crypto-trans)#mode transport
R3(cfg-crypto-trans)#exit
</code>

</solution>

Build an access list that matches the traffic you want to encrypt.
  * The access list must define both the source and the destination of the traffic.
  * An access list must be defined on both R1 and R3.
  * The two ACLs must mirror each other: R3's source/destination pair is R1's reversed. If they do not, the proxy identities proposed in phase 2 do not match and the IPsec SA is never established.
  * The access list can match all IP traffic.

<solution -hidden -en>
On **R1**:
<code>
R1(config)#ip access-list extended INTERESTING
R1(config-ext-nacl)#permit ip host 10.1.1.1 host 10.3.3.3
R1(config-ext-nacl)#exit
</code>

On **R3**:
<code>
R3(config)#ip access-list extended INTERESTING
R3(config-ext-nacl)#permit ip host 10.3.3.3 host 10.1.1.1
R3(config-ext-nacl)#exit
</code>

</solution>

Create a crypto map called TUNNEL_MAP on both R1 and R3.
  * The crypto map must match the ACL you used to define the interesting traffic.
  * The crypto map must set the remote peer of the tunnel. The remote peer is the IP address of the other router's outgoing Ethernet interface (the same address used in the //crypto isakmp key// command), not its loopback.
  * The crypto map must set the transform set to "TS_SRS".

The steps for configuring the crypto map are the following:
<code>
R(config)#crypto map <name> <sequence_no> ipsec-isakmp
R(config-crypto-map)#set peer <peer_IP>
R(config-crypto-map)#match address <acl_no | acl_name>
R(config-crypto-map)#set transform-set <transform_set_name>
</code>

<solution -hidden -en>
On **R1**:
<code>
R1(config)#crypto map TUNNEL_MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 192.168.23.3
R1(config-crypto-map)#match address INTERESTING
R1(config-crypto-map)#set transform-set TS_SRS
R1(config-crypto-map)#exit
</code>

On **R3**:
<code>
R3(config)#crypto map TUNNEL_MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#set peer 192.168.12.1
R3(config-crypto-map)#match address INTERESTING
R3(config-crypto-map)#set transform-set TS_SRS
R3(config-crypto-map)#exit
</code>

</solution>

Apply the crypto map on interface F0/0 of R1 and F0/1 of R3 (the interfaces facing R2) with the following command; only one crypto map can be applied to an interface:
<code>
R(config-if)#crypto map <crypto_map_name>
</code>

<note tip>Generate some traffic from R1's Loopback0 to R3's Loopback0 to trigger the tunnel setup: the SAs are only negotiated once a packet matches the crypto ACL.</note>
<note tip>Verify the phase 1 security association with //show crypto isakmp sa// (state ''QM_IDLE'' means phase 1 completed) and the IPsec SAs with their packet counters with //show crypto ipsec sa//.</note>
<solution -hidden -en>
<code>
R1(config-if)#crypto map TUNNEL_MAP
R1(config-if)#
*Jan 14 20:24:25.355: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit
</code>

<code>
R3(config-if)#crypto map TUNNEL_MAP
R3(config-if)#
*Jan 14 20:24:31.351: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#exit
</code>

Create traffic to start the tunnel setup. The first echo is lost while IKE negotiates the SAs (it shows up as ''#send errors 1'' in the output below), the remaining four go through the tunnel:
<code>
R1#ping 10.3.3.3 source 10.1.1.1
Translating "10.3.3.3"

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/14/20 ms
</code>

Check the security associations:
<code>
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.23.3    192.168.12.1    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: TUNNEL_MAP, local addr 192.168.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.3/255.255.255.255/0/0)
   current_peer 192.168.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xD480DB37(3565214519)

     inbound esp sas:
      spi: 0xB3825B11(3011664657)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: TUNNEL_MAP
        sa timing: remaining key lifetime (k/sec): (4558528/3557)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD480DB37(3565214519)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: TUNNEL_MAP
        sa timing: remaining key lifetime (k/sec): (4558528/3555)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
</code>


</solution>
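The Python script below is an added example, not part of the lab or of IOS. It parses the R1 and R3 configuration from the solutions above and checks what the steps require: identical ISAKMP policy and transform set, ''set peer'' and ''crypto isakmp key'' addresses that resolve to the other router's crypto-map interface, and mirrored crypto ACLs. It then flags the settings a practitioner would revisit (DH group 2, SHA-1, a type-0 key, and transport mode that IOS cannot honour for loopback-to-loopback traffic). The interface addresses (192.168.12.1/24 on R1 F0/0, 192.168.23.3/24 on R3 F0/1) are assumed from the topology; R3's configuration is derived by mirroring R1's, and only the ''permit ip host A host B'' ACL form is parsed.

```python
"""Added consistency check for the R1/R3 crypto-map configuration of this lab: same
ISAKMP policy and transform set, peers that resolve to the other router's crypto-map
interface, mirrored crypto ACLs, plus warnings on the settings worth revisiting."""
import re

# Constructed input: R1's lab solution as typed above. The F0/0 address is assumed
# from the topology (192.168.12.0/24 towards R2); it is not given on the page.
R1_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption aes 256
 hash sha
 group 2
 lifetime 3600
crypto isakmp key 0 srs!@# address 192.168.23.3
crypto ipsec transform-set TS_SRS esp-aes 256 esp-sha-hmac
 mode transport
ip access-list extended INTERESTING
 permit ip host 10.1.1.1 host 10.3.3.3
crypto map TUNNEL_MAP 10 ipsec-isakmp
 set peer 192.168.23.3
 match address INTERESTING
 set transform-set TS_SRS
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map TUNNEL_MAP
"""
# R3 mirrors R1: addresses swapped, and its crypto map sits on F0/1 (assumed).
_SWAP = {"192.168.23.3": "192.168.12.1", "192.168.12.1": "192.168.23.3", "10.1.1.1": "10.3.3.3",
         "10.3.3.3": "10.1.1.1", "FastEthernet0/0": "FastEthernet0/1"}
R3_CONFIG = re.sub("|".join(map(re.escape, _SWAP)), lambda m: _SWAP[m.group()], R1_CONFIG)

def parse(text: str) -> dict[str, object]:
    """Pull the crypto-relevant commands of an IOS configuration into a dict."""
    r = {"policy": {}, "psk": {}, "ts": None, "mode": "tunnel", "map": {},
         "acls": {}, "addrs": {}, "applied": []}
    ctx = None
    for line in text.strip().splitlines():
        t = line.split()
        if not line.startswith(" "):                        # top-level command
            ctx = None
            if t[:3] == ["crypto", "isakmp", "policy"]:
                ctx = "policy"
            elif t[:3] == ["crypto", "isakmp", "key"]:      # key [0|6] <key> address <peer>
                typ = t[3] if t[3] in ("0", "6") else "0"
                rest = t[4:] if typ == t[3] else t[3:]
                r["psk"] = {"type": typ, "key": rest[0], "peer": rest[rest.index("address") + 1]}
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                r["ts"], ctx = (t[3], tuple(t[4:])), "ts"
            elif t[:2] == ["crypto", "map"]:
                r["map"], ctx = {"name": t[2], "seq": t[3]}, "map"
            elif t[:2] == ["ip", "access-list"]:
                r["acls"][t[3]], ctx = [], ("acl", t[3])
            elif t[0] == "interface":
                ctx = ("if", t[1])
        elif ctx == "policy":                                # show run abbreviates to "encr"
            r["policy"][{"encr": "encryption"}.get(t[0], t[0])] = " ".join(t[1:])
        elif ctx == "ts" and t[0] == "mode":
            r["mode"] = t[1]
        elif ctx == "map" and t[0] in ("set", "match"):
            r["map"][t[1]] = t[2]                            # peer / transform-set / address
        elif ctx and ctx[0] == "acl" and t[0] == "permit":
            r["acls"][ctx[1]].append((t[3], t[5]))           # "permit ip host A host B" form only
        elif ctx and ctx[0] == "if" and t[:2] == ["ip", "address"]:
            r["addrs"][ctx[1]] = t[2]
        elif ctx and ctx[0] == "if" and t[:2] == ["crypto", "map"]:
            r["applied"].append(ctx[1])
    return r

def check(a: dict, b: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors keep the tunnel from coming up."""
    errs, warns = [], []
    if a["policy"] != b["policy"]:
        errs.append(f"ISAKMP policy differs: {a['policy']} vs {b['policy']}")
    if a["psk"].get("key") != b["psk"].get("key"):
        errs.append("pre-shared keys differ")
    if a["ts"] != b["ts"]:
        errs.append(f"transform sets differ: {a['ts']} vs {b['ts']}")
    for x, y in ((a, b), (b, a)):   # peer and key address must be a crypto-map interface of the other side
        crypto_ifs = {y["addrs"].get(i) for i in y["applied"]}
        if x["map"].get("peer") not in crypto_ifs or x["psk"].get("peer") not in crypto_ifs:
            errs.append(f"peer {x['map'].get('peer')}/{x['psk'].get('peer')} is not a crypto-map interface of the other router")
    acl_a, acl_b = (c["acls"].get(c["map"].get("address"), []) for c in (a, b))
    if not acl_a or {(d, s) for s, d in acl_a} != set(acl_b):
        errs.append(f"crypto ACLs do not mirror each other: {acl_a} vs {acl_b}")
    if a["policy"].get("group") == "2":
        warns.append("DH group 2 is 1024-bit MODP; prefer group 14 or higher")
    if a["policy"].get("hash") == "sha":
        warns.append("hash sha is SHA-1; prefer sha256 where the IOS release supports it")
    if a["psk"].get("type") == "0":
        warns.append("type-0 pre-shared key is stored in cleartext in the running-config")
    if a["mode"] == "transport" and acl_a and set(acl_a[0]) != {a["map"].get("peer"), b["map"].get("peer")}:
        warns.append("transport mode requested but the protected hosts are not the IKE peers; IOS negotiates tunnel mode")
    return errs, warns

def run_lab_check() -> tuple[list[str], list[str]]:
    return check(parse(R1_CONFIG), parse(R3_CONFIG))
```

For the lab configuration ''run_lab_check()'' returns no errors and four warnings; reversing R3's ACL or pointing ''set peer'' at the loopback turns the corresponding warning-free step into an error, which is exactly the failure the ''QM_IDLE'' check would otherwise only show indirectly.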

=== Packet Capture ===
Verify that the traffic is actually encrypted.
  * Use the ''capture R2 F0/0 tunnel.cap'' command in the dynagen console to start a capture on R2's F0/0 interface.
  * Generate traffic between the loopback interfaces.
  * Stop the capture with the ''no capture R2 F0/0'' command in the dynagen console.
  * Open the tunnel.cap file with Wireshark. You should see ESP (IP protocol 50) packets between 192.168.12.1 and 192.168.23.3 whose SPI matches the ''show crypto ipsec sa'' output, and no ICMP between 10.1.1.1 and 10.3.3.3.
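As an added example (not part of the lab), the Python script below constructs what the capture on R2 contains before and after the crypto map is applied and dissects both packets the way Wireshark's IP, ICMP and ESP dissectors do: the plain ICMP echo exposes 10.1.1.1, 10.3.3.3 and the echo request itself, while the ESP packet exposes only the outer addresses 192.168.12.1 and 192.168.23.3, the SPI (0xD480DB37, the outbound SPI from the ''show crypto ipsec sa'' output above) and a sequence number. Both packets are built inline; the ciphertext bytes are a stand-in pattern, not real AES output, and the packets are not taken from a real tunnel.cap.

```python
"""Dissect what a sniffer on R2 sees for one ICMP echo: first in the clear, then
after R1 has applied TUNNEL_MAP (IPv4 + ESP). Both packets are constructed here."""
import struct
from typing import Dict

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def _ip(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, TTL 64) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, _ip(src), _ip(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

# 1) Constructed ICMP echo request 10.1.1.1 -> 10.3.3.3 as R2 forwards it without IPsec.
_icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\xab\xcd" * 36
ICMP_ECHO = _icmp[:2] + struct.pack("!H", ip_checksum(_icmp)) + _icmp[4:]
PLAIN_PKT = ipv4("10.1.1.1", "10.3.3.3", 1, ICMP_ECHO)
# 2) The same echo after R1's crypto map: outer header between the crypto endpoints,
#    ESP (protocol 50) carrying the outbound SPI from "show crypto ipsec sa", then an
#    opaque blob standing in for the AES-CBC ciphertext and the HMAC-SHA1-96 tag.
SPI, SEQ = 0xD480DB37, 1
CIPHERTEXT = bytes((i * 73 + 11) & 0xFF for i in range(96))   # constructed, not real AES output
ESP_PKT = ipv4("192.168.12.1", "192.168.23.3", 50, struct.pack("!II", SPI, SEQ) + CIPHERTEXT)

def parse_packet(pkt: bytes) -> Dict[str, object]:
    """Dissect IPv4 + (ICMP | ESP) the way Wireshark shows it for this capture."""
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    out = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "proto": proto, "ttl": ttl}
    body = pkt[ihl:total]
    if proto == 1:                      # ICMP: every field is readable
        typ, code, _, ident, seq = struct.unpack("!BBHHH", body[:8])
        out.update(layer="ICMP", type=typ, code=code, id=ident, seq=seq, data=body[8:])
    elif proto == 50:                   # ESP: only SPI and sequence number are in the clear
        spi, seq = struct.unpack("!II", body[:8])
        out.update(layer="ESP", spi=spi, seq=seq, opaque_bytes=len(body) - 8)
    else:
        out["layer"] = "other"
    return out

def inner_exposed(pkt: bytes, *inner_addrs: str) -> bool:
    """True if the inner endpoints or an ICMP echo header can be read from the packet."""
    return any(_ip(a) in pkt for a in inner_addrs) or pkt[20:22] == b"\x08\x00"
```

''inner_exposed(PLAIN_PKT, "10.1.1.1", "10.3.3.3")'' is true and the same call on ''ESP_PKT'' is false: the loopback addresses and the ICMP header sit inside the encrypted ESP payload, which is the property the Wireshark check above is meant to confirm. The ''opaque_bytes'' count is larger than the original echo because tunnel mode adds the inner IP header, padding and the integrity tag.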
  
  
pr/laboratoare/09.1481734351.txt.gz · Last modified: 2016/12/14 18:52 by sergiu.costea
CC Attribution-Share Alike 3.0 Unported