Show page

Differences

This shows you the differences between two versions of the page.

--- pr:laboratoare:09 [2016/12/15 18:15]
sergiu.costea [Topologie]
+++ pr:laboratoare:09 [2025/07/27 14:49] (current)
@@ Line 1: / Line 1: @@
-===== Laboratorul 09. GRE și IPsec =====
+===== Laboratorul 09. =====
-==== Topologie ====
-}==== Cerințe ====
-=== Setup ===
-<note important> Descărcați configurațiile inițiale de {{:pr:laboratoare:08_bgp_initial_configs.zip|aici}}. </note>
-=== Exerciții ===
-<note info>
-Toate configurațiile au fost încărcate pe rutere. Nu începeți taskurile acestui laborator fără să încărcați initial_configs.
-</note>
-==== GRE (4p) ====
-The traffic flowing between R1’s lo1 interface and R3’s lo1 interface is to be encapsulated using the GRE protocol.
-  * Use the 13.13.13.0/29 network for the tunnel interfaces
-  * The tunnel mode is ''gre ip''
-  * On R1, direct all the traffic going to network 11.3.3.0 through the GRE tunnel. Depending on what  routing protocol you use, watch out for:
-    * routes being advertised through the tunnel (including the route towards the tunnel  endpoint)
-    * the subnet mask of dynamic/static routes
-  * On R3, direct all the traffic going to network 11.1.1.0 through the GRE tunnel.
-  * Verify the GRE encapsulation using Wireshark.
-<note tip>
-If the routes for the Loopback1 interfaces in the routing tables of R1 and R3 are still being known from the routing protocol, you will need to restart it so that only the static routes are installed in the routing table.
-  * For OSPF this is done using:
-<code>
-R#clear ip ospf process
-</code>
-  * For EIGRP this is done using:
-<code>
-R#clear ip eigrp <AS_number>
-</code>
-</note>
-<solution -hidden -en>
-On **R1**:
-<code>
-R1(config)#interface Tunnel 0
-*Jan 14 22:11:14.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
-R1(config-if)#tunnel destination 192.168.23.3
-R1(config-if)#tunnel source 192.168.12.1
-*Jan 14 22:11:44.219: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
-R1(config-if)#ip address 13.13.13.1 255.255.255.248
-R1(config-if)#exit
-R1(config)#ip route 11.3.3.0 255.255.255.0 13.13.13.3
-</code>
-On **R3**:
-<code>
-R3(config)#interface Tunnel 0
-R3(config-if)#tunnel source 192.168
-*Jan 14 22:12:27.599: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
-R3(config-if)#tunnel source 192.168.23.3
-R3(config-if)#tunnel destination 192.168.12.1
-*Jan 14 22:12:36.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
-R3(config-if)#ip address 13.13.13.3 255.255.255.248
-R3(config-if)#exit
-R3(config)#ip route 11.1.1.0 255.255.255.0 13.13.13.1
-</code>
-If OSPF is running, the following commands are required to advertise the true loopback subnet masks (instead of the /32 masks):
-On **R1**:
-<code>
-R1(config)#interface Loopback 1
-R1(config-if)#ip ospf network point-to-point
-R1(config-if)#exit
-</code>
-On **R3**:
-<code>
-R3(config)#interface Loopback 1
-R3(config-if)#ip ospf network point-to-point
-R3(config-if)#exit
-</code>
-Test that traffic passes through the tunnel:
-<code>
-R1#traceroute 11.3.3.3
-Translating "11.3.3.3"
-Type escape sequence to abort.
-Tracing the route to 11.3.3.3
-13.13.13.3 48 msec *  16 msec
-</code>
-</solution>
-==== IPSec (5p) ====
-Follow the next steps so that traffic between R1 Loopback0 and R3 Loopback0 is encrypted using IPSec.
-=== ISAKMP ===
-Configure the following ISAKMP policy on both R1 and R3
-  * authentication: pre-shared keys
-  * encryption: aes 256
-  * hashing: sha1
-  * diffie-hellman group: 2
-  * lifetime: 3600
-The syntax for configuring the policy is the following:
-<code>
-R(config)#crypto isakmp policy <policy_number>
-R(config-isakmp)#authentication <pre-share | rsa-encr | rsa-sig>
-R(config-isakmp)#encryption <des | 3des | aes> <key-length>
-R(config-isakmp)#hash <md5 | sha>
-R(config-isakmp)#group <diffie_hellman_group_number>
-R(config-isakmp)#lifetime <lifetime_in_seconds>
-</code>
-<solution -hidden -en>
-On **R1**:
-<code>
-R1(config)#crypto isakmp policy 1
-R1(config-isakmp)#authentication pre-share
-R1(config-isakmp)#encryption aes 256
-R1(config-isakmp)#hash sha
-R1(config-isakmp)#group 2
-R1(config-isakmp)#lifetime 3600
-R1(config-isakmp)#exit
-</code>
-On **R3**:
-<code>
-R3(config)#crypto isakmp policy 1
-R3(config-isakmp)#authentication pre-share
-R3(config-isakmp)#encryption aes 256
-R3(config-isakmp)#hash sha
-R3(config-isakmp)#group 2
-R3(config-isakmp)#lifetime 3600
-R3(config-isakmp)#exit
-</code>
-</solution>
-Configure “srs!@#” as a pre-shared key on both R1 and R3.
-The pre-shared key is configured using the //crypto isakmp key// command:
-<code>
-R(config)#crypto isakmp key <key_index> <key_string> address <peer_address>
-</code>
-<solution -hidden -en>
-On **R1**:
-<code>
-R1(config)#crypto isakmp key 0 srs!@# address 192.168.23.3
-</code>
-On **R3**:
-<code>
-R3(config)#crypto isakmp key 0 srs!@# address 192.168.12.1
-</code>
-</solution>
-=== IPSec ===
-Configure the following transform set on both R1 and R3:
-  * Tag (name of the transform set): TS_SRS
-  * Transform set: esp-aes 256 esp-sha-hmac
-  * Mode: transport
-The commands for configuring a transform-set are the following:
-<code>
-R(config)#crypto ipsec transform-set <transform_set_name> <tranform_set_parameters>
-R(config-trans)#mode < transport | tunnel>
-</code>
-<solution -hidden -en>
-On **R1**:
-<code>
-R1(config)#crypto ipsec transform-set TS_SRS esp-aes 256 esp-sha-hmac
-R1(cfg-crypto-trans)#mode transport
-R1(cfg-crypto-trans)#exit
-</code>
-On **R3**:
-<code>
-R3(config)#crypto ipsec transform-set TS_SRS esp-aes 256 esp-sha-hmac
-R3(cfg-crypto-trans)#mode transport
-R3(cfg-crypto-trans)#exit
-</code>
-</solution>
-Construct an access-list that will match the traffic that you want to encrypt.
-  * The access-list will have to define both the source and the destination of the traffic.
-  * An access-list must be defined on both R1 and R3.
-  * Watch out for the fact that the 2 ACLs must mirror each other.
-  * The access-list can match all IP traffic
-<solution -hidden -en>
-On **R1**:
-<code>
-R1(config)#ip access-list extended INTERESTING
-R1(config-ext-nacl)#permit ip host 10.1.1.1 host 10.3.3.3
-R1(config-ext-nacl)#exit
-</code>
-On **R3**:
-<code>
-R3(config)#ip access-list extended INTERESTING
-R3(config-ext-nacl)#permit ip host 10.3.3.3 host 10.1.1.1
-R3(config-ext-nacl)#exit
-</code>
-</solution>
-Create a crypto-map called TUNNEL_MAP on both R1 and R3.
-  * The crypto map must match the ACL that you used to define interesting traffic.
-  * The crypto map must set the remote peer for the tunnel. The remote peer is going to be the  IP address of the outgoing Ethernet interface of each router.
-  * The crypto map must set the transform set to “TS_SRS”
-The steps for configuring the crypto-map are the following:
-<code>
-R(config)#crypto map <name> <sequence_no> ipsec-isakmp
-R(config-crypto-map)#set peer <peer_IP>
-R(config-crypto-map)#match address <acl_no | acl_name>
-R(config-crypto-map)#set transform-set <transform_set_name>
-</code>
-<solution -hidden -en>
-On **R1**:
-<code>
-R1(config)#crypto map TUNNEL_MAP 10 ipsec-isakmp
-% NOTE: This new crypto map will remain disabled until a peer
-        and a valid access list have been configured.
-R1(config-crypto-map)#set peer 192.168.23.3
-R1(config-crypto-map)#match address INTERESTING
-R1(config-crypto-map)#set transform-set TS_SRS
-R1(config-crypto-map)#exit
-</code>
-On **R3**:
-<code>
-R3(config)#crypto map TUNNEL_MAP 10 ipsec-isakmp
-% NOTE: This new crypto map will remain disabled until a peer
-        and a valid access list have been configured.
-R3(config-crypto-map)#set peer 192.168.12.1
-R3(config-crypto-map)#match address INTERESTING
-R3(config-crypto-map)#set transform-set TS_SRS
-R3(config-crypto-map)#exit
-</code>
-</solution>
-Apply the crypto map on interface F0/0 of R1 and F0/1 of R3 using the following command:
-<code>
-R(config-if)#crypto map <crypto_map_name>
-</code>
-<note tip>Generate some traffic from R1's Loopback0 interface to R3's Loopback0 interface to start the tunnel setup</note>
-<note tip>You can verify the security associations on a router by using the //show crypto isakmp sa// command</note>
-<solution -hidden -en>
-<code>
-R1(config-if)#crypto map TUNNEL_MAP
-R1(config-if)#
-*Jan 14 20:24:25.355: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
-R1(config-if)#exit
-</code>
-<code>
-R3(config-if)#crypto map TUNNEL_MAP
-R3(config-if)#
-*Jan 14 20:24:31.351: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
-R3(config-if)#exit
-</code>
-Create traffic to start tunnel setup:
-<code>
-R1#ping 10.3.3.3 source 10.1.1.1
-Translating "10.3.3.3"
-Type escape sequence to abort.
-Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
-Packet sent with a source address of 10.1.1.1
-.!!!!
-Success rate is 80 percent (4/5), round-trip min/avg/max = 12/14/20 ms
-</code>
-Check security associations:
-<code>
-R1#show crypto isakmp sa
-IPv4 Crypto ISAKMP SA
-dst             src             state          conn-id slot status
-.168.23.3    192.168.12.1    QM_IDLE           1001    0 ACTIVE
-IPv6 Crypto ISAKMP SA
-R1#show crypto ipsec sa
-interface: FastEthernet0/0
-    Crypto map tag: TUNNEL_MAP, local addr 192.168.12.1
-   protected vrf: (none)
-   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
-   remote ident (addr/mask/prot/port): (10.3.3.3/255.255.255.255/0/0)
-   current_peer 192.168.23.3 port 500
-     PERMIT, flags={origin_is_acl,}
-    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
-    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
-    #pkts compressed: 0, #pkts decompressed: 0
-    #pkts not compressed: 0, #pkts compr. failed: 0
-    #pkts not decompressed: 0, #pkts decompress failed: 0
-    #send errors 1, #recv errors 0
-     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
-     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
-     current outbound spi: 0xD480DB37(3565214519)
-     inbound esp sas:
-      spi: 0xB3825B11(3011664657)
-        transform: esp-256-aes esp-sha-hmac ,
-        in use settings ={Tunnel, }
-        conn id: 1, flow_id: SW:1, crypto map: TUNNEL_MAP
-        sa timing: remaining key lifetime (k/sec): (4558528/3557)
-        IV size: 16 bytes
-        replay detection support: Y
-        Status: ACTIVE
-     inbound ah sas:
-     inbound pcp sas:
-     outbound esp sas:
-      spi: 0xD480DB37(3565214519)
-        transform: esp-256-aes esp-sha-hmac ,
-        in use settings ={Tunnel, }
-        conn id: 2, flow_id: SW:2, crypto map: TUNNEL_MAP
-        sa timing: remaining key lifetime (k/sec): (4558528/3555)
-        IV size: 16 bytes
-        replay detection support: Y
-        Status: ACTIVE
-     outbound ah sas:
-     outbound pcp sas:
-</code>
-</solution>
-=== Packet Capture ===
-Verify that the traffic is encrypted.
-  * Use the ''capture R2 F0/0 tunnel.cap'' command in the dynagen console to start a capture on R2’s F0/0 interface
-  * Generate traffic between loopback interfaces.
-  * Stop the capture using the ''no capture R2 F0/0'' command in the dynagen console.
-  * Open the tunnel.cap file with Wireshark.

Cursuri

Laboratoare

Resurse

pr/laboratoare/09.1481818504.txt.gz · Last modified: 2016/12/15 18:15 by sergiu.costea

Show page Old revisions

Media Manager Back to top