Difference between revisions of "Cisco IPsec"
From HackerNet
Helikopter (talk | contribs) (Created page with "IPsec (RFC 4301) är en teknik för att skydda datakommunikation. Det finns i tunnel och transport mode beroende på om det ska tunnlas och krypteras eller endast krypteras. I...") |
Helikopter (talk | contribs) |
||
| Line 3: | Line 3: | ||
Se även [[Cisco_ASA_VPN|ASA VPN]]. | Se även [[Cisco_ASA_VPN|ASA VPN]]. | ||
| − | + | =Konfiguration= | |
| − | ISAKMP Policies | + | IKEv1, ISAKMP Policies |
crypto isakmp policy 10 | crypto isakmp policy 10 | ||
| − | + | encryption aes 256 | |
authentication pre-share | authentication pre-share | ||
| − | group | + | group 20 |
| + | lifetime 86400 | ||
| + | show crypto isakmp policy | ||
PSK Authentication | PSK Authentication | ||
crypto isakmp key S3cr3ts address 3.3.3.3 | crypto isakmp key S3cr3ts address 3.3.3.3 | ||
| + | show crypto isakmp key | ||
| + | '''Fas 2''' med Static Crypto Map och RRI | ||
crypto ipsec transform-set PHASE2 esp-aes esp-sha-hmac | crypto ipsec transform-set PHASE2 esp-aes esp-sha-hmac | ||
mode tunnel | mode tunnel | ||
| − | |||
ip access-list extended CRYPTO | ip access-list extended CRYPTO | ||
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 | permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 | ||
| Line 47: | Line 50: | ||
permit ip host 3.3.3.3 host 2.2.2.2 | permit ip host 3.3.3.3 host 2.2.2.2 | ||
deny ip any any | deny ip any any | ||
| + | |||
| + | ==IKEv2== | ||
| + | IKEv2 har inbyggt stöd för NAT traversal och ID är alltid skyddat till skillnad från IKEv1 aggressive mode. | ||
| + | |||
| + | Key ring | ||
| + | crypto ikev2 keyring IKEv2_KEYRING | ||
| + | peer SITE2 | ||
| + | address 3.3.3.3 | ||
| + | pre-shared-key local PSK01 | ||
| + | pre-shared-key remote PSK02 | ||
| + | |||
| + | Proposal | ||
| + | crypto ikev2 proposal IKEv2_PROPOSAL | ||
| + | encryption aes-cbc-256 | ||
| + | integrity sha512 | ||
| + | group 20 | ||
| + | show crypto ikev2 proposal | ||
| + | ''Används aes-gcm måste prf köras på båda sidor.'' | ||
| + | |||
| + | Profile | ||
| + | crypto ikev2 profile IKEv2_PROFILE | ||
| + | match identity remote address 3.3.3.3 255.255.255.255 | ||
| + | identity local address 2.2.2.2 | ||
| + | authentication remote pre-share | ||
| + | authentication local pre-share | ||
| + | keyring local IKEv2_KEYRING | ||
| + | show crypto ikev2 profile | ||
| + | |||
| + | Policy | ||
| + | crypto ikev2 policy IKEv2_POLICY | ||
| + | proposal IKEv2_PROPOSAL | ||
| + | show crypto ikev2 policy | ||
| + | |||
| + | Transform set | ||
| + | crypto ipsec transform-set SITE2 esp-aes 256 esp-sha-hmac | ||
| + | show crypto ipsec transform-set | ||
| + | |||
| + | Crypto map | ||
| + | crypto map IKEv2_MAP 1000 ipsec-isakmp | ||
| + | set peer 3.3.3.3 | ||
| + | set transform-set SITE2 | ||
| + | match address CRYPTO | ||
| + | interface gi2 | ||
| + | crypto map IKEv2_MAP | ||
| + | show crypto map | ||
| + | |||
| + | Verify | ||
| + | show crypto ikev2 sa | ||
| + | |||
'''Others''' <br/> | '''Others''' <br/> | ||
Revision as of 20:21, 22 May 2016
IPsec (RFC 4301) är en teknik för att skydda datakommunikation. Det finns i tunnel och transport mode beroende på om det ska tunnlas och krypteras eller endast krypteras. IPsec funkar med IPv4/IPv6 och kan köras över en GRE-tunnel. Virtual Tunnel Interface (VTI) är routebara interface som används för att terminera IPsec-tunnlar, detta gör IPsec flexibelt och det kan användas både för unicast och multicast.
Se även ASA VPN.
Konfiguration
IKEv1, ISAKMP Policies
crypto isakmp policy 10 encryption aes 256 authentication pre-share group 20 lifetime 86400 show crypto isakmp policy
PSK Authentication
crypto isakmp key S3cr3ts address 3.3.3.3 show crypto isakmp key
Fas 2 med Static Crypto Map och RRI
crypto ipsec transform-set PHASE2 esp-aes esp-sha-hmac mode tunnel ip access-list extended CRYPTO permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 crypto map VPNMAP 10 ipsec-isakmp set peer 3.3.3.3 set transform-set PHASE2 set reverse-route distance 10 match address CRYPTO
Interface
interface GigabitEthernet0/1 description Internet ip address 2.2.2.2 255.255.255.0 ip access-group out-in in no ip unreachables ip nat outside crypto map VPNMAP
interface GigabitEthernet0/2 description Inside ip address 192.168.1.1 255.255.255.0 ip nat inside
NAT
ip nat inside source list nat interface GigabitEthernet0/1 overload
Se även NAT.
Exempt
ip access-list extended nat-exempt deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 permit ip 192.168.1.0 0.0.0.255 any
ACL
ip access-list extended out-in permit ip host 3.3.3.3 host 2.2.2.2 deny ip any any
IKEv2
IKEv2 har inbyggt stöd för NAT traversal och ID är alltid skyddat till skillnad från IKEv1 aggressive mode.
Key ring
crypto ikev2 keyring IKEv2_KEYRING peer SITE2 address 3.3.3.3 pre-shared-key local PSK01 pre-shared-key remote PSK02
Proposal
crypto ikev2 proposal IKEv2_PROPOSAL encryption aes-cbc-256 integrity sha512 group 20 show crypto ikev2 proposal
Används aes-gcm måste prf köras på båda sidor.
Profile
crypto ikev2 profile IKEv2_PROFILE match identity remote address 3.3.3.3 255.255.255.255 identity local address 2.2.2.2 authentication remote pre-share authentication local pre-share keyring local IKEv2_KEYRING show crypto ikev2 profile
Policy
crypto ikev2 policy IKEv2_POLICY proposal IKEv2_PROPOSAL show crypto ikev2 policy
Transform set
crypto ipsec transform-set SITE2 esp-aes 256 esp-sha-hmac show crypto ipsec transform-set
Crypto map
crypto map IKEv2_MAP 1000 ipsec-isakmp set peer 3.3.3.3 set transform-set SITE2 match address CRYPTO interface gi2 crypto map IKEv2_MAP show crypto map
Verify
show crypto ikev2 sa
Others
Se också: GETVPN
