Uploader: b****8   Document ID: 11095192   Uploaded: 2023-02-25   Format: DOCX   Pages: 24   Size: 18.76KB
VPN Security Lab Collection

Lab 1: L2L VPN

Rack01 VPN   ----R1-----R5----R3----
-192.168.1.1/24-loop0-r1-s0: 218.87.15.1-----218.87.15.5-s0/1-r5-s0/3: 202.101.53.5----202.101.53.3-s0-r3-loop0: 192.168.3.3/24-

Communication points and encryption points:
Communication points: 192.168.1.1/24 ------------- 192.168.3.1/24
Encryption points: 218.87.15.1/24 ------------- 202.101.53.3/24

The intermediate routers only need routes to the encryption points: the internet only needs to know the routes to 218.87.15.1 and 202.101.53.3.
The encrypting device needs:
1. a route to the peer encryption point, 202.101.53.0 (from r1's point of view);
2. a route to the destination of the interesting traffic, i.e. the peer communication point, 192.168.3.0/24 (from r1's point of view).

Packet layout: s:218.87.15.1 d:202.101.53.3 | esp | s:192.168.1.1 d:192.168.3.1 | payload | esp-trailer

r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
default int s0
default int s1
default int e0
no int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int s0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 202.101.53.0 255.255.255.0 218.87.15.5
end
conf t
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.101.53.3
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
 match address myvpn
interface Serial0
 ip address 218.87.15.1 255.255.255.0
 crypto map mymap
ip access-list extended myvpn
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
end

 

r5:
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
default int s0/0
default int s0/1
default int s0/2
default int s0/3
default int e0/0
no int loop0
int s0/1
ip add 218.87.15.5 255.255.255.0
clock rate 64000
no sh
int s0/3
ip add 202.101.53.5 255.255.255.0
clock rate 64000
no sh
exit
end

 

 

r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
default int s0
default int s1
default int e0
no int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int s0
ip add 202.101.53.3 255.255.255.0
no sh
exit
ip route 218.87.15.0 255.255.255.0 202.101.53.5
end
conf t
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 218.87.15.1
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 218.87.15.1
 set transform-set myts
 match address vpn
interface Serial0
 ip address 202.101.53.3 255.255.255.0
 crypto map mymap
ip access-list extended vpn
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
end
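The communication-point / encryption-point split and the packet layout above can be checked mechanically. The following Python is an added illustration, not part of the lab notes: it parses the two crypto ACLs of Lab 1, decides whether a packet is interesting traffic, verifies that r1's and r3's ACLs are mirror images (a mismatch is a common reason a tunnel never negotiates), and shows the ESP tunnel-mode layout that interesting traffic receives. The ACL and address values are the lab's; the function names are my own.

```python
import ipaddress

# Constructed sample (typed in here, not parsed from the lab): the crypto ACLs
# of r1 and r3 from Lab 1 and r1's encryption points (local, peer).
R1_ACL = ["permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255"]
R3_ACL = ["permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255"]
R1_LOCAL_EP, R1_PEER_EP = "218.87.15.1", "202.101.53.3"

def wildcard_net(addr, wildcard):
    """Cisco wildcard mask (inverted netmask, contiguous bits assumed)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_ace(line):
    """'permit ip <src> <wc> <dst> <wc>' -> (src_network, dst_network)."""
    action, proto, src, swc, dst, dwc = line.split()
    if (action, proto) != ("permit", "ip"):
        raise ValueError(f"unsupported ACE: {line}")
    return wildcard_net(src, swc), wildcard_net(dst, dwc)

def is_interesting(acl, src, dst):
    """True if the packet matches the crypto ACL (i.e. it will be encrypted)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in map(parse_ace, acl))

def mirrored(acl_a, acl_b):
    """The two peers' crypto ACLs must be exact mirror images; otherwise one
    side proposes a proxy identity the other side rejects."""
    a = {parse_ace(l) for l in acl_a}
    b = {(d, s) for s, d in map(parse_ace, acl_b)}
    return a == b

def encapsulate(acl, local_ep, peer_ep, src, dst):
    """Outbound: interesting traffic is wrapped in ESP tunnel mode with the
    encryption points as the outer header; other traffic leaves unchanged."""
    if not is_interesting(acl, src, dst):
        return f"s:{src} d:{dst}|payload"
    return f"s:{local_ep} d:{peer_ep}|esp|s:{src} d:{dst}|payload|esp-trailer"
```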

=======================================================================================================

Lab 2: ISAKMP Profile VPN
ISAKMP Profile (extended study), IOS 12.3 (12.245T before the upgrade). Suited to a headquarters that builds VPNs with branches that have differing requirements: for example, HQ r1 needs an L2L VPN with branch 1 (r3), r1 also needs a dial-up VPN with another branch, r4, and may need a DMVPN with yet another branch, r6:

step1:
Routing:
r1:
 ip route 0.0.0.0 0.0.0.0 218.87.15.5
r3:
 ip route 0.0.0.0 0.0.0.0 202.101.53.5

 

step2:
ISAKMP policy:
r1:
 crypto isakmp policy 10
   hash md5
   authentication pre-share
 crypto keyring cisco
   pre-shared-key address 202.101.53.3 key 0 cisco
 crypto isakmp profile cisco
   match identity address 202.101.53.3
   keyring cisco
r3:
 crypto isakmp policy 10
   hash md5
   authentication pre-share
 crypto keyring cisco
   pre-shared-key address 218.87.15.1 key 0 cisco
 crypto isakmp profile cisco
   match identity address 218.87.15.1
   keyring cisco

step3:
IPSec policy:
r1:
 crypto ipsec transform-set ts esp-des esp-md5-hmac
r3:
 crypto ipsec transform-set ts esp-des esp-md5-hmac

step4:
Interesting traffic:
r1:
ip access-list extended vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
r3:
ip access-list extended vpn
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

step5:
Define and apply the crypto map:
r1:
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
 match address vpn
 set isakmp-profile cisco
int s0
 crypto map mymap
r3:
crypto map mymap 10 ipsec-isakmp
 set peer 218.87.15.1
 set transform-set ts
 match address vpn
 set isakmp-profile cisco
int s0
 crypto map mymap

-----------

Result on the security VPN simulator:

r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
default int s1/0
default int s1/1
default int e0/0
no int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int s1/0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 202.101.53.0 255.255.255.0 218.87.15.5
ip route 192.168.3.0 255.255.255.0 218.87.15.5
end
conf t
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto keyring cisco
 pre-shared-key address 202.101.53.3 key 0 cisco
crypto isakmp profile cisco
   match identity address 202.101.53.3
   keyring cisco
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
 match address myvpn
 set isakmp-profile cisco
interface Serial1/0
 ip address 218.87.15.1 255.255.255.0
 crypto map mymap
ip access-list extended myvpn
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
end

 

r2(r5):
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
default int s1/0
default int s1/1
default int s1/2
default int s1/3
default int e0/0
no int loop0
int s1/1
ip add 218.87.15.5 255.255.255.0
clock rate 64000
no sh
int s1/0
ip add 202.101.53.5 255.255.255.0
clock rate 64000
no sh
exit
end

 

 

r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
default int s1/0
default int s1/1
default int e0/0
no int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int s1/1
ip add 202.101.53.3 255.255.255.0
clock rate 64000
no sh
exit
ip route 218.87.15.0 255.255.255.0 202.101.53.5
ip route 192.168.1.0 255.255.255.0 202.101.53.5
end
conf t
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto keyring cisco
 pre-shared-key address 218.87.15.1 key 0 cisco
crypto isakmp profile cisco
 match identity address 218.87.15.1
 keyring cisco
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 218.87.15.1
 set transform-set myts
 match address vpn
 set isakmp-profile cisco
interface Serial1/1
 ip address 202.101.53.3 255.255.255.0
 crypto map mymap
ip access-list extended vpn
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
end

---------------

GRE OVER IPSEC ------- L2L

 

==========================================================================================================

Lab 3: IPSec Profile VPN
IPSec Profile (extended study), IOS 12.4; suited to VPN sites that need to run a dynamic routing protocol between them.

r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
default int s0
default int s1
default int e0
no int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int s0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 202.101.53.0 255.255.255.0 218.87.15.5
end
conf t
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.101.53.3
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto ipsec profile ipspro
 set transform-set ts
 exit
int tunnel0
 tunnel mode ipsec ipv4
 ip add 192.168.13.1 255.255.255.0
 tunnel source s0
 tunnel destination 202.101.53.3
 tunnel protection ipsec profile ipspro
interface Serial0
 ip address 218.87.15.1 255.255.255.0
end

 

r5:
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
default int s0/0
default int s0/1
default int s0/2
default int s0/3
default int e0/0
no int loop0
int s0/1
ip add 218.87.15.5 255.255.255.0
clock rate 64000
no sh
int s0/3
ip add 202.101.53.5 255.255.255.0
clock rate 64000
no sh
exit
end

 

 

r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
default int s0
default int s1
default int e0
no int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int s0
ip add 202.101.53.3 255.255.255.0
no sh
exit
ip route 218.87.15.0 255.255.255.0 202.101.53.5
end
conf t
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 218.87.15.1
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto ipsec profile ipspro
 set transform-set myts
 ! the transform-set defined on r3 is named myts; the profile must reference that name
 exit
int tunnel0
 tunnel mode ipsec ipv4
 ip add 192.168.13.3 255.255.255.0
 tunnel source s0
 tunnel destination 218.87.15.1
 tunnel protection ipsec profile ipspro
interface Serial0
 ip address 202.101.53.3 255.255.255.0
end

-----------------------------------------------------------------------------------------------------

How a crypto map handles inbound traffic, encrypted or in cleartext:
====================================================================================
Interesting traffic?   Encrypted?   Crypto map on interface?   Action
N/A                    yes          yes                        decrypt
yes                    no           yes                        drop
yes                    yes          no                         forward
N/A                    yes          no                         decrypt --- e.g. r1 sends a packet out s0 (has a map) to r3's s0, and r3 replies out s1 (has a map) to r1's s1
Recommendation: enable the crypto map on every interface, since an interface with a crypto map has no effect on traffic that is not configured as interesting.

-----------------------------------------------------------------------------------------------------

Lab 4: Dynamic VPN
Dynamic VPN suits a central site with a fixed IP whose branch offices have VPN IP addresses that are not fixed (if everything is Cisco equipment, EZVPN is recommended; if the branch offices use non-Cisco equipment, this method is recommended). The branch office configuration is the same as the L2L branch configuration in Lab 1; the central site configuration differs as follows:

r1:
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto dynamic-map dmap 10
 set transform-set cisco
 match add vpn --------------------------- this line can be omitted
 exit
crypto map smap 10 ipsec-isakmp dynamic dmap
int s0
 crypto map smap
                     ------------------------------------ with this method the branch must initiate the traffic; the central site builds the VPN passively.
Dynamic VPN is not secure.
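Two slips that the IOS fragments in Lab 3 and Lab 4 make easy are a crypto map or IPsec profile that names a transform-set that was never defined (the set is called ts on one router and myts on the other) and a wildcard pre-shared key, which is why the note above says Dynamic VPN is not secure. The following Python linter is an added example, not part of the lab notes; the two config samples are constructed from the lab's own fragments, and the function name is my own.

```python
# Constructed sample (not the lab's verbatim text): a Lab 3 style r3 fragment
# whose IPsec profile points at a transform-set name that was never defined.
R3_LAB3 = """
crypto isakmp key cisco address 218.87.15.1
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto ipsec profile ipspro
 set transform-set cisco
"""
# Constructed sample: the Lab 4 hub fragment (transform-set assumed defined).
R1_LAB4 = """
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto dynamic-map dmap 10
 set transform-set cisco
"""

def lint_ipsec(config):
    """Return findings: dangling transform-set references, wildcard
    pre-shared keys, and peers that have no pre-shared key at all."""
    findings, transform_sets, keys, peers, refs = [], set(), [], [], []
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets.add(w[3])
        elif w[:3] == ["crypto", "isakmp", "key"]:
            keys.append(w[5:])                  # [address] or [address, mask]
        elif w[:1] == ["pre-shared-key"] and "address" in w:   # keyring form
            keys.append(w[w.index("address") + 1:w.index("key")])
        elif w[:2] == ["set", "transform-set"]:
            refs.append(w[2])
        elif w[:2] == ["set", "peer"]:
            peers.append(w[2])
    for name in refs:
        if name not in transform_sets:
            findings.append(f"transform-set {name} referenced but not defined")
    for k in keys:
        if k[:1] == ["0.0.0.0"]:
            findings.append("wildcard pre-shared key 0.0.0.0: any host that "
                            "knows the key can complete phase 1")
    for p in peers:
        if not any(k[0] in (p, "0.0.0.0") for k in keys):
            findings.append(f"peer {p} has no matching pre-shared key")
    return findings
```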

-------------------------------------------------------------------------------------------------------------------

Lab 5: IPSec over GRE (extended study)
This method is rarely used in practice; it is covered here to help understand how a packet is processed before the router encrypts it, and how it hits the crypto map.
GRE is the outermost layer.
This lab can solve the dynamic routing problem that VPN originally could not, but the IOS 12.4 approach is better (see Lab 3 above).
GRE notes:
1. The tunnel comes up as long as there is a route to the destination address; that does not guarantee the address can actually be pinged.
2. A dynamic routing protocol may advertise the tunnel itself, or the internal networks behind the tunnel such as the loopback interface, but must not advertise the tunnel source interface, otherwise
