IPsec-VPN

SITE-TO-SITE & EASY VPN

confidentiality
data integrity
authentication

Internet Key Exchange (IKE)
Encapsulating Security Payload (ESP)
Authentication Header (AH)

original frame: L2 | IP | L4 | payload
transport mode: L2 | IP | ESP/AH | L4 | payload | ESP trailer (original IP header stays outermost; only L4 and payload are protected)
tunnel mode:    L2 | new IP | ESP/AH | IP | L4 | payload | ESP trailer (the whole original packet is protected behind a new IP header)

peer authentication methods:
username and password
otp (pin/tan)
biometric
preshared keys
digital certificates

show version (check the image feature set: k9 = strong crypto, k8 = export-grade DES only)

R1

ip route 0.0.0.0 0.0.0.0 serial 0/0 (default route)

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 (interesting traffic: the crypto ACL that triggers ISAKMP/IPsec SA negotiation)

crypto isakmp policy 10  (IKE phase 1: ISAKMP SA)
authentication pre-share
hash MD5
encryption des
group 2
lifetime 86400
exit
crypto isakmp key DAVY address 200.1.1.2
show crypto isakmp policy

crypto ipsec transform-set SET esp-des esp-md5-hmac  (IKE phase 2: IPsec SA)
mode tunnel

crypto map VPN 10 ipsec-isakmp (ties the previous steps together)
set peer 200.1.1.2
match address 100
set transform-set SET
exit

interface serial 0/0 (apply the crypto map on the interface)
crypto map VPN


R2
ip route 0.0.0.0 0.0.0.0 serial 0/0
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10  (IKE phase 1: ISAKMP SA)
authentication pre-share
hash MD5
encryption des
#group 2
#lifetime 86400
exit
crypto isakmp key DAVY address 200.1.1.1
 

crypto ipsec transform-set SET esp-des esp-md5-hmac  (IKE phase 2: IPsec SA)
mode tunnel

crypto map VPN 10 ipsec-isakmp (ties the previous steps together)
set peer 200.1.1.1
match address 100
set transform-set SET
exit

interface serial 0/0 (apply the crypto map on the interface)
crypto map VPN

debug crypto ipsec
show crypto isakmp policy
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
show crypto ipsec security-association lifetime
clear crypto ipsec sa
clear crypto sa
clear crypto isakmp

Security hardening (filter the outside interface)
IKE: UDP port 500
ESP and AH: IP protocol numbers 50 and 51
NAT traversal (NAT-T): UDP port 4500; if TCP encapsulation is used instead, its TCP port must be configured explicitly

R1
access-list 102 permit esp host 200.1.1.2 host 200.1.1.1
#access-list 102 permit ahp host 200.1.1.2 host 200.1.1.1
access-list 102 permit udp host 200.1.1.2 host 200.1.1.1 eq isakmp
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
interface s 0/0
ip access-group 102 in

R2
access-list 102 permit esp host 200.1.1.1 host 200.1.1.2
#access-list 102 permit ahp host 200.1.1.1 host 200.1.1.2
access-list 102 permit udp host 200.1.1.1 host 200.1.1.2 eq isakmp
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
interface s 0/0
ip access-group 102 in
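Added example (not part of the original notes): a Python checker that parses the R1/R2 fragments from the two sections above (the site-to-site crypto configuration and the outside-interface ACL) and verifies the pairings that usually break a tunnel: mirrored crypto ACLs, matching ISAKMP policy and transform set, the same pre-shared key bound to the right peer, and an inbound interface ACL that admits ESP and ISAKMP from the peer. The config strings are copied from the notes; the check logic and the IOS ISAKMP policy defaults it fills in for unspecified attributes (group 1, hash sha, encryption des, authentication rsa-sig) are assumptions of the example. Note that the notes comment out `group 2` on R2, which this check reports: the default DH group is 1, so the two phase-1 policies would not match.

```python
# Added example: consistency checks for the R1/R2 site-to-site lab above.
# Config fragments are copied from the notes; checks and IOS policy defaults
# (group 1, hash sha, encryption des, authentication rsa-sig) are assumptions.

R1_CONFIG = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit esp host 200.1.1.2 host 200.1.1.1
access-list 102 permit udp host 200.1.1.2 host 200.1.1.1 eq isakmp
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption des
 group 2
 lifetime 86400
crypto isakmp key DAVY address 200.1.1.2
crypto ipsec transform-set SET esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 200.1.1.2
 match address 100
 set transform-set SET
interface serial 0/0
 ip access-group 102 in
 crypto map VPN
"""
# R2 is the mirror image; as in the notes, "group 2" is left out on R2.
R2_CONFIG = """
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit esp host 200.1.1.1 host 200.1.1.2
access-list 102 permit udp host 200.1.1.1 host 200.1.1.2 eq isakmp
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption des
crypto isakmp key DAVY address 200.1.1.1
crypto ipsec transform-set SET esp-des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 200.1.1.1
 match address 100
 set transform-set SET
interface serial 0/0
 ip access-group 102 in
 crypto map VPN
"""

# Assumed IOS defaults for attributes not set under 'crypto isakmp policy'.
POLICY_DEFAULTS = {"authentication": "rsa-sig", "hash": "sha",
                   "encryption": "des", "group": "1"}

def parse(cfg):
    """Extract the fields the checks need from one router's CLI text."""
    r = {"acls": {}, "policy": dict(POLICY_DEFAULTS), "peer": None,
         "key": None, "crypto_acl": None, "iface_acl": None, "transform": None}
    for raw in cfg.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":                      # number -> list of rule tuples
            r["acls"].setdefault(t[1], []).append(tuple(t[2:]))
        elif t[:3] == ["crypto", "isakmp", "key"]:     # (key string, peer address)
            r["key"] = (t[3], t[5])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            r["transform"] = tuple(sorted(t[4:]))
        elif t[:2] == ["set", "peer"]:
            r["peer"] = t[2]
        elif t[:2] == ["match", "address"]:
            r["crypto_acl"] = t[2]
        elif t[:2] == ["ip", "access-group"]:
            r["iface_acl"] = t[2]
        elif t[0] in POLICY_DEFAULTS:                  # isakmp policy sub-command
            r["policy"][t[0]] = t[1].lower()
    return r

def mirror(rule):
    """Swap source and destination of a 'permit <proto> A wcA B wcB' rule."""
    return rule[:2] + rule[4:6] + rule[2:4]

def check_pair(a, b):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    a_acl = set(a["acls"].get(a["crypto_acl"], []))
    b_acl = set(b["acls"].get(b["crypto_acl"], []))
    if {mirror(x) for x in a_acl} != b_acl:
        problems.append("crypto ACLs are not mirror images")
    for attr in POLICY_DEFAULTS:                       # lifetime may legitimately differ
        if a["policy"][attr] != b["policy"][attr]:
            problems.append("isakmp %s differs: %s vs %s"
                            % (attr, a["policy"][attr], b["policy"][attr]))
    if a["transform"] != b["transform"]:
        problems.append("transform sets differ")
    if a["key"][0] != b["key"][0]:
        problems.append("pre-shared keys differ")
    # Each side's key address must be its peer, and its inbound interface ACL
    # must admit ESP and ISAKMP from that peer to its own outside address
    # (which is the other side's 'set peer').
    for me, other in ((a, b), (b, a)):
        if me["key"][1] != me["peer"]:
            problems.append("key address %s != set peer %s" % (me["key"][1], me["peer"]))
        needed = {("permit", "esp", "host", me["peer"], "host", other["peer"]),
                  ("permit", "udp", "host", me["peer"], "host", other["peer"], "eq", "isakmp")}
        missing = needed - set(me["acls"].get(me["iface_acl"], []))
        for m in sorted(missing):
            problems.append("interface ACL missing: " + " ".join(m))
    return problems

if __name__ == "__main__":
    for p in check_pair(parse(R1_CONFIG), parse(R2_CONFIG)) or ["no problems"]:
        print(p)
```

Running it reports the single group mismatch; adding `group 2` under R2's policy clears it. Lifetime is deliberately not compared, because the responder may run a shorter lifetime than the initiator. With NAT-T in play the interface ACL would also have to admit UDP 4500, which this checker does not cover.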


Using SDM (Security Device Manager)

conf ter
ip http secure-server
show running-config
line vty 0 4
transport input ssh telnet
login local
username DAVY privilege 15 password amanda


GRE (generic routing encapsulation)
carries multiple network-layer protocols inside IP
new IP | GRE (4 bytes) | IP | TCP | data
GRE header: flags, protocol type, then optional checksum, offset, key, sequence number
IP protocol number 47
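Added example (not from the original notes): a Python builder and parser for the GRE header just described, using the RFC 2784/2890 layout (2-byte flags/version, 2-byte protocol type, then optional checksum, key and sequence number in that order). It verifies the optional checksum and rejects truncated headers. The inner packet is a constructed stand-in, and the helper names are the example's own.

```python
import struct

GRE_IP_PROTOCOL = 47                                 # IP protocol number carrying GRE
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000      # checksum / key / sequence present
ETHERTYPE_IPV4 = 0x0800
# Constructed 28-byte stand-in for an inner IPv4 packet (not a real capture).
SAMPLE_INNER = b"\x45\x00\x00\x1c" + b"\x00" * 24

def inet_checksum(data):
    """16-bit one's-complement sum, the same algorithm as the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_gre(proto, payload, key=None, seq=None, checksum=False):
    """Encapsulate payload behind a GRE header; optional fields follow in C, K, S order."""
    flags = ((FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0)
             | (FLAG_S if seq is not None else 0))
    opt = b""
    if checksum:
        opt += struct.pack("!HH", 0, 0)              # checksum placeholder + reserved1
    if key is not None:
        opt += struct.pack("!I", key)
    if seq is not None:
        opt += struct.pack("!I", seq)
    hdr = struct.pack("!HH", flags, proto) + opt
    if checksum:
        csum = inet_checksum(hdr + payload)          # computed over header+payload, field zeroed
        hdr = hdr[:4] + struct.pack("!H", csum) + hdr[6:]
    return hdr + payload

def parse_gre(buf):
    """Parse a GRE header; returns (fields dict, payload). Raises ValueError if truncated."""
    off = 0

    def take(n):
        nonlocal off
        if len(buf) < off + n:
            raise ValueError("GRE header truncated at offset %d" % off)
        chunk = buf[off:off + n]
        off += n
        return chunk

    flags, proto = struct.unpack("!HH", take(4))
    h = {"version": flags & 0x7, "protocol_type": proto}
    if h["version"] != 0:
        raise ValueError("unsupported GRE version %d" % h["version"])
    if flags & FLAG_C:
        h["checksum"], h["reserved1"] = struct.unpack("!HH", take(4))
    if flags & FLAG_K:
        h["key"] = struct.unpack("!I", take(4))[0]
    if flags & FLAG_S:
        h["sequence"] = struct.unpack("!I", take(4))[0]
    h["header_len"] = off
    if flags & FLAG_C:
        # Verify by recomputing over header+payload with the checksum field zeroed.
        zeroed = buf[:4] + b"\x00\x00" + buf[6:]
        h["checksum_ok"] = inet_checksum(zeroed) == h["checksum"]
    return h, buf[off:]

if __name__ == "__main__":
    pkt = build_gre(ETHERTYPE_IPV4, SAMPLE_INNER, key=0x2A, seq=7, checksum=True)
    print(parse_gre(pkt)[0])
```

With no optional fields the header is exactly the 4 bytes the notes quote; with checksum, key and sequence present it grows to 16 bytes, which matters when sizing the GRE-over-IPsec overhead later in these notes.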
 
R1
conf ter
interface tunnel 1
ip address 172.16.1.1 255.255.255.252 (next hop for the static route below)
tunnel source serial 0/0(200.1.1.1)
tunnel destination 200.1.1.2
tunnel mode gre ip

ip route 0.0.0.0 0.0.0.0 tunnel 1


R2

conf ter
interface tunnel 2
ip address 172.16.1.2 255.255.255.252
tunnel source serial 0/0 (200.1.1.2)
tunnel destination 200.1.1.1
tunnel mode gre ip

ip route 0.0.0.0 0.0.0.0 tunnel 2


GRE over IPsec

tunnel mode:    IP | ESP | IP | GRE | IP | TCP | data | ESP trailer
transport mode: IP | ESP | GRE | IP | TCP | data | ESP trailer (saves the extra 20-byte IP header)
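Added example (not from the notes): Python that models the header stacks listed here and in the IPsec section at the top (original, transport, tunnel, GRE, GRE over IPsec in both modes) and computes the per-packet byte overhead for the lab's `esp-des esp-md5-hmac` transform set. Header sizes are assumptions of the example: IPv4 and TCP without options (20 bytes each), a base GRE header (4), ESP with DES-CBC (8-byte IV and 8-byte block) and HMAC-MD5-96 (12-byte ICV).

```python
# Added example: byte overhead of the encapsulation stacks described in the notes.
SIZES = {"ip": 20, "tcp": 20, "gre": 4}          # assumed: no IP/TCP options, base GRE header
ESP_HDR, ESP_IV, ESP_BLOCK, ESP_ICV = 8, 8, 8, 12  # SPI+seq, DES-CBC IV, DES block, HMAC-MD5-96

# Header stacks from the notes; everything to the right of "esp" is encrypted.
STACKS = {
    "original":                 ["ip", "tcp", "data"],
    "ipsec-transport":          ["ip", "esp", "tcp", "data"],
    "ipsec-tunnel":             ["ip", "esp", "ip", "tcp", "data"],
    "gre":                      ["ip", "gre", "ip", "tcp", "data"],
    "gre-over-ipsec-tunnel":    ["ip", "esp", "ip", "gre", "ip", "tcp", "data"],
    "gre-over-ipsec-transport": ["ip", "esp", "gre", "ip", "tcp", "data"],
}

def esp_wrap(plaintext_len):
    """Bytes ESP adds around plaintext_len bytes: header+IV, block padding, trailer, ICV."""
    pad = (-(plaintext_len + 2)) % ESP_BLOCK     # pad so pad-length + next-header end a block
    return {"esp_hdr": ESP_HDR + ESP_IV, "pad": pad, "trailer": 2, "icv": ESP_ICV}

def packet_size(mode, data_len):
    """Breakdown of the on-wire size of one TCP segment carrying data_len bytes."""
    stack = STACKS[mode]
    sizes = dict(SIZES, data=data_len)
    out = {"ip_headers": stack.count("ip") * SIZES["ip"], "pad": 0}
    if "esp" in stack:
        i = stack.index("esp")
        clear, enc = stack[:i], stack[i + 1:]
        w = esp_wrap(sum(sizes[x] for x in enc))
        out["pad"] = w["pad"]
        out["total"] = sum(sizes[x] for x in clear + enc) + sum(w.values())
    else:
        out["total"] = sum(sizes[x] for x in stack)
    return out

def transport_saving(data_len):
    """(IP-header bytes saved, on-wire bytes saved) by GRE-over-IPsec transport vs tunnel mode."""
    tun = packet_size("gre-over-ipsec-tunnel", data_len)
    tra = packet_size("gre-over-ipsec-transport", data_len)
    return tun["ip_headers"] - tra["ip_headers"], tun["total"] - tra["total"]

if __name__ == "__main__":
    for mode in STACKS:
        print("%-26s %s" % (mode, packet_size(mode, 100)))
    print("transport saving for 100-byte data:", transport_saving(100))
```

The IP-header saving of transport mode is always the 20 bytes the notes quote; the on-wire difference comes out as 16 or 24 bytes depending on payload length, because ESP pads the plaintext up to the 8-byte DES block and the extra IP header shifts that padding by 4.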

R1
conf ter
interface tunnel 1
ip address 172.16.1.1 255.255.255.252 (next hop for the static route below)
tunnel source serial 0/0(200.1.1.1)
tunnel destination 200.1.1.2
tunnel mode gre ip

ip route 0.0.0.0 0.0.0.0 tunnel 1

#access-list 100 permit ip host 200.1.1.1 host 200.1.1.2
access-list 100 permit gre host 200.1.1.1 host 200.1.1.2 (more specific: only the GRE tunnel traffic is encrypted)

crypto isakmp policy 10  (IKE phase 1: ISAKMP SA)
authentication pre-share
hash MD5
encryption des
group 2
lifetime 86400
exit
crypto isakmp key DAVY address 200.1.1.2
 
crypto ipsec transform-set SET esp-des esp-md5-hmac  (IKE phase 2: IPsec SA)
mode transport
exit

crypto map VPN 10 ipsec-isakmp (ties the previous steps together)
set peer 200.1.1.2
match address 100
set transform-set SET
exit

interface serial 0/0 (apply the crypto map on the interface)
crypto map VPN

R2
conf ter
interface tunnel 2
ip address 172.16.1.2 255.255.255.252
tunnel source serial 0/0 (200.1.1.2)
tunnel destination 200.1.1.1
tunnel mode gre ip

ip route 0.0.0.0 0.0.0.0 tunnel 2

#access-list 100 permit ip host 200.1.1.2 host 200.1.1.1
access-list 100 permit gre host 200.1.1.2 host 200.1.1.1 (more specific: only the GRE tunnel traffic is encrypted)

crypto isakmp policy 10  (IKE phase 1: ISAKMP SA)
authentication pre-share
hash MD5
encryption des
group 2
lifetime 86400
exit
crypto isakmp key DAVY address 200.1.1.1
 
crypto ipsec transform-set SET esp-des esp-md5-hmac  (IKE phase 2: IPsec SA)
mode transport
exit

crypto map VPN 10 ipsec-isakmp (ties the previous steps together)
set peer 200.1.1.1
match address 100
set transform-set SET
exit

interface serial 0/0 (apply the crypto map on the interface)
crypto map VPN

On top of the above, remove the static routes and use a dynamic routing protocol (EIGRP over the GRE tunnel)
R1
no ip route 0.0.0.0 0.0.0.0 tunnel 1

router eigrp 90
no auto-summary
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255

R2
no ip route 0.0.0.0 0.0.0.0 tunnel 2

router eigrp 90
no auto-summary
network 172.16.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255


VPN high availability (HA)

failures:
access link failure
remote peer failure
device failure
path failure
DPD (dead peer detection) messages detect a dead remote peer

remote end
R1 (master)
interface fastethernet 0/0
ip address 10.1.1.2 255.255.255.0
standby 1 preempt
standby 1 ip 10.1.1.1
standby 1 priority 150
R2 (backup)
interface fastethernet 0/0
ip address 10.1.1.3 255.255.255.0
standby 1 preempt
standby 1 ip 10.1.1.1

head end
conf ter
interface fastethernet 0/0
ip address 10.1.1.3 255.255.255.0
standby 1 preempt
standby 1 ip 10.1.1.1
standby 1 name VPNNA
standby track fastethernet 0/1
crypto map CM redundancy VPNNA stateful (SSO: stateful failover keeps the IPsec SAs on the standby; without the stateful keyword failover is stateless and the SAs are rebuilt)
crypto dynamic-map DM 10
set transform-set TS
reverse-route
crypto map CM 10 ipsec-isakmp dynamic DM
redundancy inter-device
scheme standby VPNNA
ipc zone default
association 1
protocol sctp
local-port 12345
local-ip 10.1.1.3 (this device's own interface address)
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 20
remote-port 12345
remote-ip 10.1.1.2

Backing up a WAN connection with an IPsec VPN
static routes (floating static route with a higher administrative distance)
dynamic routing

Easy VPN (client side)
configured via SDM
Topology: R2 is the web server (s0/0 on 192.168.1.0/24); R1 is the gateway router (s0/0 192.168.1.0/24, f0/0 192.168.16.0/24, address pool 192.168.8.1-100); the PC is the external user

conf ter
int f1/0
ip address 192.168.16.5 255.255.255.0
no shutdown
int s0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
ip http secure-server
line vty 0 4
transport input ssh telnet
login local
exit
username DAVY privilege 15 password wolf
(split tunneling, local LAN access, the address pool and the user credentials are all configured in SDM)


R2
conf ter
int s0/0
ip address 192.168.1.2 255.255.255.0
no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.1

line vty 0 4
no login
exit

(remote gateway router R2)
ip http server
ip http authentication local
username DAVY privilege 15 password wolf


Reposted from davidlee1986.iteye.com/blog/1919377