
IPsec, and IPsec over GRE Tunnel

Intro
Most enterprises today move to IPsec over GRE tunnels to save cost, but I'm not saying this technology has already ruled out MPLS, leased lines, etc. It depends on the site: how critical it is and how stable its internet connection is. Usually a small office, like a sales office with only a few workers, uses this to connect to the corporate LAN.
IPsec and GRE tunnels are two different things. We'll go with IPsec first, then briefly cover GRE, and then I'll give you an example of IPsec over a GRE tunnel.
IPsec
The three main points of IPsec are
Authentication
Data Integrity
Confidentiality
Authentication
to make sure you are communicating or talking to the right peer
Data Integrity
to make sure what you send is received at the destination in the same shape, meaning no modification happened along the way
Confidentiality
to make sure what is sent cannot be seen by a third party
What builds an IPsec?
Basically, IPsec is a combination of a few protocols
Negotiation : IKE
Security : AH, ESP, ESP/AH
Encryption : DES, 3DES, AES
Authentication : MD5, SHA
Protection : DH (groups 1, 2, 5, 7)
2 Modes of communication
Transport Mode
This mode is used when data needs to be secured within the LAN, maybe super important, high-confidentiality kind of data.
From the picture above, the encryption/protection only applies to layer 4 and above. This is because the packet only travels within the LAN, so there's no point in protecting the IP header.
Secure communication happens between two points; another party can't read the packet from layer 4 and above, but they can still read the IP layer.
Tunnel Mode
This mode is used when a packet needs to travel across a public network, where it's dangerous to let others see the private/internal IP information.
In this mode, encryption is done starting from the IP header (layer 3) and above to protect the internal IP information. A new public IP header is then added so the packet can be routed in the public network.
The two types of encryption keys
Symmetric : each side uses the same key to encrypt and decrypt data (shared key)
Asymmetric : public key to encrypt, private key to decrypt
Data Integrity
Data integrity is to make sure data is untouched along the way to the destination. To make sure of this, the data is first run through a formula (a hash function) to produce a value, which is then sent along with the data. When it is received on the other side, the value is recalculated; if it is the same as the value produced before, it means the data is clean from any modification.
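To make the transport/tunnel mode distinction and the integrity check concrete, here is an added Python model written for this page (it is not the page's own code and not real IPsec packet formats). It assumes a toy keystream cipher (HMAC-SHA256 in counter mode) standing in for the DES/3DES/AES chosen in a transform set, an HMAC-SHA1 tag over the ciphertext the way esp-sha-hmac works, and constructed addresses and keys. It shows what an on-path observer can read in each mode and that a modified packet is dropped at the receiver.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed, simplified model of ESP; not real IPsec packet formats.
# Confidentiality: toy keystream cipher (HMAC-SHA256 in counter mode) in
# place of DES/3DES/AES. Integrity: HMAC-SHA1 tag (ICV) over the ciphertext.

@dataclass(frozen=True)
class Packet:
    src: str        # inner (private) source address
    dst: str        # inner (private) destination address
    payload: bytes  # layer 4 and above

def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    # Symmetric: the same shared key encrypts and decrypts (XOR with keystream)
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

toy_decrypt = toy_encrypt

def _inner_header(pkt: Packet) -> bytes:
    # Length-prefixed stand-in for the inner IP header protected in tunnel mode
    s, d = pkt.src.encode(), pkt.dst.encode()
    return bytes([len(s)]) + s + bytes([len(d)]) + d

def _split_inner(data: bytes):
    ls = data[0]
    src = data[1:1 + ls].decode()
    ld = data[1 + ls]
    dst = data[2 + ls:2 + ls + ld].decode()
    return src, dst, data[2 + ls + ld:]

def esp_encapsulate(pkt, mode, enc_key, auth_key, gw_src=None, gw_dst=None):
    """Return the packet as seen on the wire: cleartext IP header, opaque ESP body, ICV."""
    if mode == "transport":
        # Original IP header stays in the clear; only layer 4+ is protected
        outer_src, outer_dst, plaintext = pkt.src, pkt.dst, pkt.payload
    elif mode == "tunnel":
        # Whole inner packet (IP header included) is protected; the new outer
        # header carries the gateways' public addresses
        outer_src, outer_dst = gw_src, gw_dst
        plaintext = _inner_header(pkt) + pkt.payload
    else:
        raise ValueError(f"unknown mode {mode!r}")
    ciphertext = toy_encrypt(enc_key, plaintext)
    icv = hmac.new(auth_key, ciphertext, hashlib.sha1).digest()
    return {"src": outer_src, "dst": outer_dst, "esp": ciphertext, "icv": icv}

def observer_view(wire):
    """What a third party on the path can read: the IP header only."""
    return wire["src"], wire["dst"]

def esp_decapsulate(wire, mode, enc_key, auth_key):
    """Verify the ICV first (drop on mismatch), then decrypt. Returns None if tampered."""
    expected = hmac.new(auth_key, wire["esp"], hashlib.sha1).digest()
    if not hmac.compare_digest(expected, wire["icv"]):
        return None
    plaintext = toy_decrypt(enc_key, wire["esp"])
    if mode == "transport":
        return Packet(wire["src"], wire["dst"], plaintext)
    src, dst, payload = _split_inner(plaintext)
    return Packet(src, dst, payload)

if __name__ == "__main__":
    ENC, AUTH = b"constructed-enc-key", b"constructed-auth-key"
    pkt = Packet("192.168.1.10", "192.168.2.10", b"GET /payroll HTTP/1.0")
    print(observer_view(esp_encapsulate(pkt, "transport", ENC, AUTH)))
    print(observer_view(esp_encapsulate(pkt, "tunnel", ENC, AUTH, "17.1.1.1", "17.1.2.1")))
```

The receiver checks the ICV before decrypting, so a flipped byte in the ESP body (or a wrong authentication key) is rejected without ever touching the ciphertext, which is the order real ESP implementations use.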
The 2 phases to make communication happen
IKE phase 1
From the example above, R1 wants to initiate a connection, so R1 starts by sending message 1
Message 1 : negotiate a matching IKE SA policy between the peers to protect the IKE exchange
Message 2 : exchange DH keys
Message 3 : make sure they are who they say they are (authentication)
Basically this phase sets up a secure management channel for IKE phase 2
IKE phase 2
Negotiate and exchange IPsec parameters, protected by the existing IKE SA
Periodically renegotiate IPsec SAs to ensure security
Data transfer also happens in this stage
Example : Step by step how to configure a secure IPsec
1. Setup ISAKMP policy (IKE Phase 1), the management phase
png(config)#crypto isakmp policy 50               // give policy number, the lower the higher priority
png(config-isakmp)#authentication pre-share      // pre-share, both sites must share the same key
png(config-isakmp)#encryption des
png(config-isakmp)#group 2                         // select group for DH key to use
png(config-isakmp)#hash sha
png(config)#crypto isakmp key cisco123 add %#&0'&5(&$(   // define the pre-share key here, set address for the peer
2. Setup IPsec transform set (IKE Phase 2); basically this is where we define the set of encryption and hash for the data to use
png(config)#crypto ipsec transform-set )*+),-+./ esp-des esp-sha-hmac
3. Define interesting traffic using the access-list command; here is where we define which subnet or address needs to be forwarded into the IPsec channel
png(config)#ip access-list extended *1/-/2344*)
png(config-ext-nacl)#permit ip #%&$&0&0 0.0.255.255 192.168.1.0 0.0.255.255
4. Setup crypto map
png(config)#crypto map 781-938 10 ipsec-isakmp      // give a name to the map
png(config-crypto-map)#set peer %#&0'&5(&$(         // set its peer
png(config-crypto-map)#match add *1/-/2344*)         // set interesting traffic
png(config-crypto-map)#set transform-set )*+),-+./  // set transform set
5. Apply to the interface
png(config)#int fa 0/1
png(config-if)#crypto map 781-938
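The decision in step 3, which traffic is "interesting" and gets pushed into the crypto map, is an access-list lookup with Cisco wildcard masks (a 0 bit in the mask must match, a 1 bit is "don't care"), first match wins, implicit deny at the end. The following Python model is an added example written for this page, not Cisco code and not the page's own: it parses both the named extended form used in step 3 and the numbered `access-list N permit gre host A host B` form that the GRE-over-IPsec sample configs further down use, then classifies constructed sample packets. Addresses are constructed to follow the page's examples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    protocol: str   # "ip" (any protocol), "gre", "tcp", ...
    src: str        # source network address
    src_wild: str   # wildcard mask: 0 bits must match, 1 bits are "don't care"
    dst: str
    dst_wild: str

def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: only the bits where the mask is 0 are compared."""
    care = ~_as_int(wild) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(net) & care)

def _take_address(tokens):
    # "host A" -> A 0.0.0.0 ; "any" -> 0.0.0.0 255.255.255.255 ; else "NET WILD"
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl_line(line: str) -> AclEntry:
    """Parse 'permit ip NET WILD NET WILD' (named extended ACL entry)
    or 'access-list N permit gre host A host B' (numbered form)."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]          # drop the 'access-list N' prefix
    action, protocol, rest = tokens[0], tokens[1], tokens[2:]
    src, src_wild, rest = _take_address(rest)
    dst, dst_wild, rest = _take_address(rest)
    return AclEntry(action, protocol, src, src_wild, dst, dst_wild)

def is_interesting(acl: List[AclEntry], protocol: str, src: str, dst: str) -> bool:
    """First matching entry wins; an 'ip' entry matches any protocol; implicit deny.
    True means the packet is handed to the IPsec (crypto map) channel."""
    for entry in acl:
        if entry.protocol not in ("ip", protocol):
            continue
        if wildcard_match(src, entry.src, entry.src_wild) and \
           wildcard_match(dst, entry.dst, entry.dst_wild):
            return entry.action == "permit"
    return False

# Constructed sample ACLs, addresses following the page's examples
SITE_ACL = [parse_acl_line("permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255")]
GRE_ACL = [parse_acl_line("access-list 110 permit gre host 17.1.1.1 host 17.1.2.1")]

if __name__ == "__main__":
    print(is_interesting(SITE_ACL, "tcp", "192.168.1.10", "192.168.2.20"))  # True
    print(is_interesting(SITE_ACL, "tcp", "192.168.2.20", "192.168.1.10"))  # False
    print(is_interesting(GRE_ACL, "gre", "17.1.1.1", "17.1.2.1"))          # True
    print(is_interesting(GRE_ACL, "tcp", "17.1.1.1", "17.1.2.1"))          # False
```

Two points worth noticing from the output: the site ACL is directional, so the far-end router needs its own mirrored entry (which is why each sample config below carries its own access-list), and a `permit gre host ... host ...` entry only protects the GRE tunnel packets between the two public addresses, so everything riding inside the tunnel is protected by virtue of being GRE-encapsulated first.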
GRE Tunnel over IPsec
A GRE tunnel is a standard tunneling method today; it's a logical interface and it's completely non-secure. By combining a GRE tunnel with IPsec we can build a very secure link with a simple and easy setup. It can also forward routing updates.
I'll go straight to the example : GRE over IPsec with EIGRP
To create a tunnel, make sure you have two public IP addresses that can ping each other. In this example I just assume 17.1.1.1, 17.1.2.1 and 17.1.2.2 are three public IP addresses.
Sample Conf for png
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname png
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 17.1.2.1
 set transform-set strong
 match address 110
crypto map vpn 20 ipsec-isakmp
 set peer 17.1.2.2
 set transform-set strong
 match address 120
!
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 17.1.2.1
 crypto map vpn
!
interface Tunnel2
 ip address 192.168.2.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 17.1.2.2
 crypto map vpn
!
interface FastEthernet0/0
 ip address 17.1.1.1 255.255.0.0
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 110 permit gre host 17.1.1.1 host 17.1.2.1
access-list 120 permit gre host 17.1.1.1 host 17.1.2.2
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end
Sample Conf for cyb
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cyb
!
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 17.1.1.1
 set transform-set strong
 match address 110
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 17.1.1.1
 crypto map vpn
!
interface FastEthernet0/0
 ip address 17.1.2.1 255.255.0.0
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
access-list 110 permit gre host 17.1.2.1 host 17.1.1.1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
Sample Conf for lab
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname lab
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 20 ipsec-isakmp
 set peer 17.1.1.1
 set transform-set strong
 match address 120
!
interface Tunnel2
 ip address 192.168.2.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 17.1.1.1
 crypto map vpn
!
interface FastEthernet0/0
 ip address 17.1.2.2 255.255.0.0
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 60
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 120 permit gre host 17.1.2.2 host 17.1.1.1
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end
