Lately everyone is arguing about information security at the drop of a hat. What even is information security? Can you eat it? XD Today let's have a look at this thing called a VPN. I'm sure plenty of companies use one, usually between two sites that use private IP addresses. Many people figure that since the addresses are private and outside IPs can't reach them, it's all safe, so sending things in cleartext doesn't matter. For example, the public-facing sites all use https, while the internal ones use http (a voice in the back: the company network is safe, why go to all that trouble?). But the big boss always wants to cost down, and these days two sites can be linked over ADSL/FTTX lines plus a VPN service (a leased line is absurdly expensive... moving on). So if the service isn't encrypted and the VPN isn't encrypted either, getting your credentials stolen (wow, the password is 12XX56) is a real possibility. That is why I recommend an encrypted VPN, which is safer.

The lab below uses the GNS3 simulator.

The topology is shown in the figure below:

Configuration:

BASE SET:

R1~R3

============BASE SET============
conf t
ena s cisco
no ip domain-lo
service ti log da lo ms sh ye
ser ti log up
line con 0
pass cisco
logg sy
exec-ti 15 0
login
line vty 0 4
pass cisco
logg sy
exec-ti 15 0
login
============BASE SET============

IP & ROUTING SET

R1

============ IP & ROUTING SET============
conf t
int fa0/0
ip add 192.168.10.1 255.255.255.0
no sh
int fa1/0
ip add 192.168.1.1 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 192.168.1.2
============ IP & ROUTING SET============

R2

============ IP & ROUTING SET============
conf t
int fa1/0
ip add 192.168.1.2 255.255.255.0
no sh
int fa0/0
ip add 192.168.2.2 255.255.255.0
no sh
============ IP & ROUTING SET============

R3

============ IP & ROUTING SET============
conf t
int fa0/0
ip add 192.168.20.1 255.255.255.0
no sh
int fa1/0
ip add 192.168.2.1 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 192.168.2.2
============ IP & ROUTING SET============

IPSEC SET

  1. First, write an ACL that permits the local private subnet to reach the remote private subnet
  2. Phase 1 settings

crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2
hash sha

  3. Phase 2 settings: ipsec
  4. The pre-shared key both sides use to talk to each other: ccie
  5. Set up the crypto map
  6. Bind the crypto map to fa1/0

// Encryption strength: 3des > aes > des; performance is the other way round. Evaluate for yourself.

// Hash strength: sha > md5; performance is the other way round. Evaluate for yourself.

// ipsec is likewise a security-versus-performance trade-off you have to judge yourself.

R1

============ IPSEC SET============
conf t
ip access-list extended VPN
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
exit
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2
hash sha
exit
crypto ipsec transform-set TS ah-sha-hmac esp-3des
exit
crypto isakmp key 6 ccie address 192.168.2.1
crypto map CMAP 1 ipsec-isakmp
set peer 192.168.2.1
set transform-set TS
match address VPN
exit
int fa1/0
crypto map CMAP
end
copy run start
============ IPSEC SET============

R3

============ IPSEC SET============
conf t
ip access-list extended VPN
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
exit
crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2
hash sha
exit
crypto ipsec transform-set TS ah-sha-hmac esp-3des
exit
crypto isakmp key 6 ccie address 192.168.1.1
crypto map CMAP 1 ipsec-isakmp
set peer 192.168.1.1
set transform-set TS
match address VPN
exit
int fa1/0
crypto map CMAP
end
copy run start
============ IPSEC SET============
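Most failed tunnels in a lab like this come from the two sides not mirroring each other: a phase-1 policy that differs in one attribute, a transform set that does not match, a pre-shared key tied to the wrong address, a peer address that is not the IP of the interface the other router bound its crypto map to, or an ACL that is not the mirror image of the remote one. The Python script below is an added example and not part of the original post. It embeds the crypto-related lines of the R1 and R3 configs above, laid out the way IOS prints a running-config (sub-commands indented by one space, which the regexes rely on), and reports every mismatch it finds. The values are the page's own; the layout and the checker are mine.

```python
import re

# Constructed input: the crypto-related lines of R1 and R3 from this lab, in IOS
# running-config layout (sub-commands indented by one space). Names, addresses
# and the key are the page's own; only the layout is mine.
R1_CONFIG = """\
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 crypto map CMAP
ip access-list extended VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 group 2
 hash sha
crypto isakmp key 6 ccie address 192.168.2.1
crypto ipsec transform-set TS ah-sha-hmac esp-3des
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set TS
 match address VPN
"""
R3_CONFIG = """\
interface FastEthernet1/0
 ip address 192.168.2.1 255.255.255.0
 crypto map CMAP
ip access-list extended VPN
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 group 2
 hash sha
crypto isakmp key 6 ccie address 192.168.1.1
crypto ipsec transform-set TS ah-sha-hmac esp-3des
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set TS
 match address VPN
"""


def _first(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None


def parse_side(cfg):
    """Extract the fields that must agree between two crypto-map peers."""
    ts = re.search(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)
    # The interface carrying the crypto map: its address is what the other
    # side must name as its peer.
    bound = re.search(r"^ ip address (\S+) \S+\n crypto map (\S+)$", cfg, re.M)
    return {
        "policy": dict(re.findall(r"^ (authentication|encryption|group|hash) (\S+)$", cfg, re.M)),
        "ts_name": ts.group(1) if ts else None,
        "ts_algs": frozenset(ts.group(2).split()) if ts else frozenset(),
        "key": _first(r"^crypto isakmp key (?:[06] )?(\S+) address \S+$", cfg),
        "key_addr": _first(r"^crypto isakmp key (?:[06] )?\S+ address (\S+)$", cfg),
        "map_name": _first(r"^crypto map (\S+) \d+ ipsec-isakmp$", cfg),
        "peer": _first(r"^ set peer (\S+)$", cfg),
        "ts_ref": _first(r"^ set transform-set (\S+)$", cfg),
        "acl_ref": _first(r"^ match address (\S+)$", cfg),
        "acl_name": _first(r"^ip access-list extended (\S+)$", cfg),
        "acl": re.findall(r"^ permit ip (\S+) \S+ (\S+) \S+$", cfg, re.M),
        "bound_ip": bound.group(1) if bound else None,
        "bound_map": bound.group(2) if bound else None,
    }


def audit(a_name, a_cfg, b_name, b_cfg):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    a, b = parse_side(a_cfg), parse_side(b_cfg)
    problems = []
    for name, s in ((a_name, a), (b_name, b)):  # dangling references on one box
        if s["bound_map"] != s["map_name"]:
            problems.append(f"{name}: interface binds map {s['bound_map']} but {s['map_name']} is defined")
        if s["ts_ref"] != s["ts_name"]:
            problems.append(f"{name}: map uses transform-set {s['ts_ref']} but {s['ts_name']} is defined")
        if s["acl_ref"] != s["acl_name"]:
            problems.append(f"{name}: map matches ACL {s['acl_ref']} but {s['acl_name']} is defined")
        if s["key_addr"] != s["peer"]:
            problems.append(f"{name}: pre-shared key is for {s['key_addr']} but the peer is {s['peer']}")
    if a["policy"] != b["policy"]:  # phase 1 must offer identical proposals
        problems.append(f"ISAKMP policy differs: {a_name}={a['policy']} {b_name}={b['policy']}")
    if a["ts_algs"] != b["ts_algs"]:  # phase 2 likewise
        problems.append(f"transform-set differs: {a_name}={sorted(a['ts_algs'])} {b_name}={sorted(b['ts_algs'])}")
    if a["key"] != b["key"]:
        problems.append("pre-shared keys differ")
    for x_name, x, y_name, y in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if x["peer"] != y["bound_ip"]:
            problems.append(f"{x_name} peers with {x['peer']} but {y_name}'s crypto-map interface is {y['bound_ip']}")
        for src, dst in x["acl"]:  # each local->remote entry needs its mirror image
            if (dst, src) not in y["acl"]:
                problems.append(f"ACL entry {src} -> {dst} on {x_name} has no mirror on {y_name}")
    return problems


if __name__ == "__main__":
    print(audit("R1", R1_CONFIG, "R3", R3_CONFIG) or "R1 and R3 are consistent")
    print(audit("R1", R1_CONFIG, "R3", R3_CONFIG.replace("hash sha", "hash md5")))
```

Run as-is it reports the R1/R3 pair as consistent; the second call shows what a one-attribute phase-1 mismatch (sha changed to md5 on R3) looks like, which on a real box you would otherwise only see as a stuck MM_NO_STATE in sh crypto isakmp sa.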

 

Test

ping 192.168.10.2 source 192.168.20.1, and what do you know, it goes through (applause). If it doesn't, remember to buy some drain cleaner (kidding).

sh crypto isakmp peers
sh crypto isakmp sa

Check whether the packets are encrypted.
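To make "check whether the packets are encrypted" concrete: with the transform set ah-sha-hmac esp-3des, what R2 forwards for the ping is an outer IP packet between the tunnel endpoints whose protocol field is AH (51); the AH header's next-header field is ESP (50), and after the ESP SPI and sequence number everything, inner IP header included, is ciphertext. Without the crypto map the same ping shows up as a plain ICMP packet between 192.168.20.1 and 192.168.10.2. The Python below is an added example, not from the original post: it builds three constructed packets (byte layouts assembled inline, with placeholder SPI, sequence, ICV and ciphertext values rather than captured ones) and classifies each by walking the protocol chain, so that an AH-only packet, which is integrity-protected but still readable, is not mistaken for an encrypted one.

```python
import socket
import struct

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_AH = 1, 4, 50, 51
NAMES = {1: "ICMP", 4: "IP", 50: "ESP", 51: "AH"}


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def ah(next_header, spi, seq, icv):
    """AH header; the length field counts 32-bit words minus two (RFC 4302)."""
    return struct.pack("!BBHII", next_header, len(icv) // 4 + 1, 0, spi, seq) + icv


def esp(spi, seq, ciphertext):
    """ESP: SPI and sequence number in the clear, everything after is opaque."""
    return struct.pack("!II", spi, seq) + ciphertext


def inspect(pkt):
    """Walk the protocol chain of one IPv4 packet and say what it protects."""
    ihl = (pkt[0] & 0x0F) * 4
    chain, off, inner = [pkt[9]], ihl, None
    if chain[-1] == IPPROTO_AH:  # AH is transparent: look at what sits inside
        next_header, plen = pkt[off], pkt[off + 1]
        chain.append(next_header)
        off += (plen + 2) * 4
    if chain[-1] == IPPROTO_IPIP:  # tunnel mode without ESP: inner header is readable
        inner = (socket.inet_ntoa(pkt[off + 12:off + 16]),
                 socket.inet_ntoa(pkt[off + 16:off + 20]))
        chain.append(pkt[off + 9])
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "inner": inner,
        "chain": [NAMES.get(p, str(p)) for p in chain],
        "authenticated": IPPROTO_AH in chain,
        # only ESP hides the payload; AH alone leaves it readable
        "encrypted": chain[-1] == IPPROTO_ESP,
    }


# Constructed placeholders: SPI, sequence numbers, a 96-bit ICV and the
# "ciphertext" are stand-ins, not captured values.
ICV = bytes(12)
CIPHERTEXT = bytes(range(40))
ECHO_REQUEST = bytes.fromhex("0800f7fd00010001")  # ICMP echo request, id 1 seq 1

# What R2 forwards for the lab's ping once the crypto map is applied: outer IP
# between the tunnel endpoints, AH wrapping ESP, LAN addresses hidden inside.
TUNNELED = ipv4("192.168.2.1", "192.168.1.1", IPPROTO_AH,
                ah(IPPROTO_ESP, 0x1000, 1, ICV) + esp(0x2000, 1, CIPHERTEXT))
# The same ping with no crypto map: LAN addresses and ICMP visible to R2.
PLAINTEXT = ipv4("192.168.20.1", "192.168.10.2", IPPROTO_ICMP, ECHO_REQUEST)
# AH-only tunnel mode: authenticated, but the inner packet is still readable.
AH_ONLY = ipv4("192.168.2.1", "192.168.1.1", IPPROTO_AH,
               ah(IPPROTO_IPIP, 0x1000, 1, ICV) + PLAINTEXT)


def cleartext(packets):
    """Return (src, dst, chain) for every packet whose payload is readable."""
    return [(r["src"], r["dst"], r["chain"])
            for r in map(inspect, packets) if not r["encrypted"]]


if __name__ == "__main__":
    for name, pkt in (("tunneled", TUNNELED), ("plaintext", PLAINTEXT), ("ah-only", AH_ONLY)):
        print(name, inspect(pkt))
```

The same walk works on packets pulled from a GNS3 capture on the R1-R2 link: if cleartext() returns anything for traffic that should match the VPN ACL, the crypto map is not catching it.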

 

All done! Thanks for reading~

 
