VPN Security Lab Collection
 
 
Lab 1: L2L VPN (LAN-to-LAN IPsec with a crypto map)
Rack01  VPN    ----R1-----R5----R3----
loop0 192.168.1.1/24 - r1 - s0: 218.87.15.1 ----- 218.87.15.5 :s0/1 - r5 - s0/3: 202.101.53.5 ----- 202.101.53.3 :s0 - r3 - loop0: 192.168.3.1/24
Communication-point / encryption-point analysis:
Communication points: 192.168.1.1/24 ------------- 192.168.3.1/24
Encryption points:    218.87.15.1    ------------- 202.101.53.3
The routers in the middle only need routes to the encryption points:
the Internet only has to know how to reach 218.87.15.1 and 202.101.53.3.
The encrypting device needs:
1. a route to the remote encryption point: 202.101.53.0/24 (from r1's point of view)
2. a route to the destination of the interesting traffic, i.e. the remote communication point: 192.168.3.0/24 (from r1's point of view). Without it the cleartext packet is discarded by the routing lookup before it ever reaches the interface that carries the crypto map.
The lab uses DES, MD5, DH group 2 and the pre-shared key cisco to keep the configs short; all of these are weak and none should be used outside a lab (use AES, SHA-2, DH group 14 or higher and a long random key).

Tunnel-mode ESP packet on the wire (the whole original packet becomes the ESP payload):
| s:218.87.15.1  d:202.101.53.3 | esp | s:192.168.1.1  d:192.168.3.1 | payload | esp-trailer + ICV |
r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0
defa int s1
defa int e0
no   int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int s0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 202.101.53.0 255.255.255.0 218.87.15.5
! route to the remote communication point, required by the analysis above
ip route 192.168.3.0 255.255.255.0 218.87.15.5
end
conf t
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.101.53.3
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
 match address myvpn
interface Serial0
 ip address 218.87.15.1 255.255.255.0
 crypto map mymap
ip access-list extended myvpn
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
end
 

r5:
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0/0
defa int s0/1
defa int s0/2
defa int s0/3
defa int e0/0
no   int loop0
int s0/1
ip add 218.87.15.5 255.255.255.0
clock r 64000
no sh
int s0/3
ip add 202.101.53.5 255.255.255.0
clock r 64000
no sh
exit
end
 
 
r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0
defa int s1
defa int e0
no   int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int s0
ip add 202.101.53.3 255.255.255.0
no sh
exit
ip route 218.87.15.0 255.255.255.0 202.101.53.5
! route to the remote communication point, required by the analysis above
ip route 192.168.1.0 255.255.255.0 202.101.53.5
end
conf t
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 218.87.15.1
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 218.87.15.1
 set transform-set myts
 match address vpn
interface Serial0
 ip address 202.101.53.3 255.255.255.0
 crypto map mymap
ip access-list extended vpn
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
end
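The analysis above is something you can check mechanically. The script below is an added example written for this page (it is not part of the original notes or of any Cisco tool): it parses the crypto-relevant lines of two routers' configs and verifies that each side's `set peer` is an address that carries a crypto map on the other side and has a matching pre-shared key, that the referenced transform set exists and is identical on both ends, and that the crypto ACLs are exact mirror images; it also flags the weak algorithms (DES, MD5, DH group 2) and wildcard pre-shared keys of the kind the dynamic VPN in Lab 4 uses. The input is the Lab 1 r1/r3 crypto section, embedded as constructed text. Only `permit ip` ACL entries and the `crypto isakmp key ... address` form are understood, and the IOS defaults assumed for an ISAKMP policy (DES, SHA, RSA signatures, group 1) are hard-coded.

```python
"""Audit two IOS site-to-site IPsec configs against each other (added example, not from the lab notes)."""
import ipaddress

POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


def net(ip, mask):
    # ip_network accepts a netmask (isakmp key) as well as a wildcard hostmask (crypto ACL)
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse(text):
    """Pull the crypto-relevant blocks of an IOS config into plain dicts (permit ip ACL entries only)."""
    cfg = {"policies": {}, "keys": [], "tsets": {}, "maps": {}, "acls": {}, "ifaces": {}}
    block = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if line[0] != " ":                                  # unindented line: new top-level block
            block = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                block = cfg["policies"].setdefault(w[3], dict(POLICY_DEFAULTS))
            elif w[:3] == ["crypto", "isakmp", "key"]:      # crypto isakmp key K address A [netmask]
                cfg["keys"].append((w[3], w[5], w[6] if len(w) > 6 else "255.255.255.255"))
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][w[3]] = tuple(w[4:])
            elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
                block = cfg["maps"].setdefault((w[2], w[3]), {})
            elif w[:3] == ["ip", "access-list", "extended"]:
                block = cfg["acls"].setdefault(w[3], [])
            elif w[0] == "interface":
                block = cfg["ifaces"].setdefault(w[1], {})
        elif isinstance(block, list) and w[:2] == ["permit", "ip"]:
            block.append((net(w[2], w[3]), net(w[4], w[5])))
        elif isinstance(block, dict) and len(w) > 1:
            # "hash md5" -> hash; "set peer X" -> peer; "match address A" / "ip address A M" -> address
            key, val = (w[1], w[2]) if len(w) > 2 else (w[0], w[1])
            block[key] = val
    return cfg


def key_for(cfg, addr):
    # pre-shared key and netmask IOS would select for a peer address (first match wins)
    for key, ip, mask in cfg["keys"]:
        if ipaddress.ip_address(addr) in net(ip, mask):
            return key, mask
    return None, None


def crypto_ips(cfg):
    # addresses of the interfaces that carry a crypto map, i.e. this router's encryption points
    return {i.get("address") for i in cfg["ifaces"].values() if "map" in i}


def audit(a, b):
    """Findings for the pair; an empty list means both sides agree and nothing weak is configured."""
    out = []
    for side, me, them in (("A", a, b), ("B", b, a)):
        for (name, seq), m in me["maps"].items():
            peer, ts, acl = m.get("peer"), m.get("transform-set"), m.get("address")
            tag = f"{side} crypto map {name} {seq}"
            if peer not in crypto_ips(them):
                out.append(f"{tag}: peer {peer} is not a crypto-map interface on the other side")
            key, mask = key_for(me, peer)
            if mask == "0.0.0.0":
                out.append(f"{tag}: wildcard pre-shared key, any host that knows it can authenticate")
            if key is None or key not in {key_for(them, ip)[0] for ip in crypto_ips(me)}:
                out.append(f"{tag}: no matching pre-shared key for peer {peer}")
            if ts not in me["tsets"]:
                out.append(f"{tag}: transform-set {ts} is not defined")
            elif me["tsets"][ts] not in them["tsets"].values():
                out.append(f"{tag}: no identical transform-set on the other side")
            mirror = {(d, s) for s, d in me["acls"].get(acl, [])}
            if not mirror or mirror not in [set(v) for v in them["acls"].values()]:
                out.append(f"{tag}: crypto ACL {acl} has no mirror-image ACL on the other side")
        for num, p in me["policies"].items():
            out += [f"{side} isakmp policy {num}: {f} {p[f]} is weak" for f in ("encryption", "hash") if p[f] in WEAK]
            if p["group"] in ("1", "2"):
                out.append(f"{side} isakmp policy {num}: DH group {p['group']} is weak")
        for name, ts in me["tsets"].items():
            out += [f"{side} transform-set {name}: {t} is weak" for t in ts if t in WEAK]
    return out


# Constructed input: the crypto sections of r1 and r3 from Lab 1, filled from one template.
TEMPLATE = """\
crypto isakmp policy {pol}
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address {peer}
crypto ipsec transform-set {ts} esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer {peer}
 set transform-set {ts}
 match address {acl}
interface Serial0
 ip address {me} 255.255.255.0
 crypto map mymap
ip access-list extended {acl}
 permit ip {lan} 0.0.0.255 {rlan} 0.0.0.255
"""
R1 = TEMPLATE.format(pol=10, peer="202.101.53.3", ts="ts", acl="myvpn", me="218.87.15.1", lan="192.168.1.0", rlan="192.168.3.0")
R3 = TEMPLATE.format(pol=20, peer="218.87.15.1", ts="myts", acl="vpn", me="202.101.53.3", lan="192.168.3.0", rlan="192.168.1.0")

if __name__ == "__main__":
    for finding in audit(parse(R1), parse(R3)):
        print(finding)
```

Run against the Lab 1 pair it reports ten findings, all weak-algorithm warnings (DES is the implicit ISAKMP encryption because no `encryption` line is set), and no mismatches. Replacing r3's `set transform-set myts` with an undefined name, or r1's key line with the `address 0.0.0.0 0.0.0.0` form, adds the corresponding finding, which is the kind of slip a config review is meant to catch before the tunnel is brought up.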

=======================================================================================================
Lab 2: ISAKMP Profile VPN

ISAKMP Profile (extended study), IOS 12.3 (12.24 5 T before the upgrade). Suited to a head office that builds VPNs with branches that have different requirements: HQ r1 needs an L2L VPN with branch r3, at the same time a dial-up (remote-access) VPN with branch r4, and possibly a DMVPN with branch r6. An ISAKMP profile binds a matched peer identity to its own keyring, so each kind of peer gets its own phase-1 settings instead of one global key list:
step1: routes:
r1:
  ip route 0.0.0.0 0.0.0.0 218.87.15.5
r3:
  ip route 0.0.0.0 0.0.0.0 202.101.53.5
 
step2: ISAKMP policy:
r1:
  crypto isakmp policy 10
    hash md5
    authentication pre-share
  crypto keyring cisco
    pre-shared-key address 202.101.53.3 key 0 cisco
  crypto isakmp profile cisco
    match identity address 202.101.53.3
    keyring cisco

r3:
  crypto isakmp policy 10
    hash md5
    authentication pre-share
  crypto keyring cisco
    pre-shared-key address 218.87.15.1 key 0 cisco
  crypto isakmp profile cisco
    match identity address 218.87.15.1
    keyring cisco

step3: IPsec policy:
r1:
  crypto ipsec transform-set ts esp-des esp-md5-hmac
r3:
  crypto ipsec transform-set ts esp-des esp-md5-hmac

step4: interesting traffic:
r1:
ip access-list extended vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
r3:
ip access-list extended vpn
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

step5: define and apply the crypto map:
r1:
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
 match address vpn
 set isakmp-profile cisco
int s0
  crypto map mymap

r3:
crypto map mymap 10 ipsec-isakmp
 set peer 218.87.15.1
 set transform-set ts
 match address vpn
 set isakmp-profile cisco
int s0
 crypto map mymap
-----------
Configuration as run on the VPN security simulator:
r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int s1/0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 202.101.53.0 255.255.255.0 218.87.15.5
ip route 192.168.3.0  255.255.255.0 218.87.15.5
end
conf t
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto keyring cisco
  pre-shared-key address 202.101.53.3 key 0 cisco
crypto isakmp profile cisco
    match identity address 202.101.53.3
    keyring cisco

crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
 match address myvpn
 set isakmp-profile cisco
interface Serial1/0
 ip address 218.87.15.1 255.255.255.0
 crypto map mymap
ip access-list extended myvpn
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
end
 

r2(r5):
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int s1/2
defa int s1/3
defa int e0/0
no   int loop0
int s1/1
ip add 218.87.15.5 255.255.255.0
clock r 64000
no sh
int s1/0
ip add 202.101.53.5 255.255.255.0
clock r 64000
no sh
exit
end
 
 
r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int s1/1
ip add 202.101.53.3 255.255.255.0
clock r 64000
no sh
exit
ip route 218.87.15.0 255.255.255.0 202.101.53.5
ip route 192.168.1.0 255.255.255.0 202.101.53.5
end
conf t
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto keyring cisco
  pre-shared-key address 218.87.15.1 key 0 cisco
crypto isakmp profile cisco
  match identity address 218.87.15.1
  keyring cisco
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 218.87.15.1
 set transform-set myts
 match address vpn
 set isakmp-profile cisco
interface Serial1/1
 ip address 202.101.53.3 255.255.255.0
 crypto map mymap
ip access-list extended vpn
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
end
---------------
GRE OVER IPSEC ------- L2L
 
==========================================================================================================
Lab 3: IPsec Profile VPN (VTI, tunnel mode ipsec ipv4)

IPsec Profile (extended study), IOS 12.4. Used when the VPN sites need to run a dynamic routing protocol: Tunnel0 is a virtual tunnel interface (tunnel mode ipsec ipv4) protected by the IPsec profile, so there is no crypto ACL; everything that is routed into Tunnel0 is encrypted. The configs below therefore still need a route for the remote LAN (192.168.3.0/24 on r1, 192.168.1.0/24 on r3) that points at Tunnel0, either static or learned from a routing protocol running over the tunnel, before a ping between the loopbacks will work.
r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0
defa int s1
defa int e0
no   int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int s0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 202.101.53.0 255.255.255.0 218.87.15.5
end
conf t
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 202.101.53.3
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto ipsec profile ipspro
  set transform-set ts
  exit
int tunnel 0
  tunnel mode ipsec ipv4
  ip add 192.168.13.1 255.255.255.0
  tunnel source s0
  tunnel destination 202.101.53.3
  tunnel protection ipsec profile ipspro
interface Serial0
 ip address 218.87.15.1 255.255.255.0
end
 

r5:
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0/0
defa int s0/1
defa int s0/2
defa int s0/3
defa int e0/0
no   int loop0
int s0/1
ip add 218.87.15.5 255.255.255.0
clock r 64000
no sh
int s0/3
ip add 202.101.53.5 255.255.255.0
clock r 64000
no sh
exit
end
 
 
r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s0
defa int s1
defa int e0
no   int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int s0
ip add 202.101.53.3 255.255.255.0
no sh
exit
ip route 218.87.15.0 255.255.255.0 202.101.53.5
end
conf t
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 218.87.15.1
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto ipsec profile ipspro
  set transform-set myts
  exit
int tunnel 0
  tunnel mode ipsec ipv4
  ip add 192.168.13.3 255.255.255.0
  tunnel source s0
  tunnel destination 218.87.15.1
  tunnel protection ipsec profile ipspro
interface Serial0
 ip address 202.101.53.3 255.255.255.0
end
-----------------------------------------------------------------------------------------------------
How a crypto map handles inbound traffic (encrypted or cleartext):
====================================================================================
Interesting traffic?   Encrypted?   Crypto map on interface?   Action
N/A                    yes          yes                        decrypt
yes                    no           yes                        drop
yes                    yes          no                         forward
N/A                    yes          no                         decrypt  --- e.g. r1 sends out s0 (has a map) to r3's s0, and r3 replies out s1 (has a map) to r1's s1
The drop row is the anti-spoofing check: a cleartext packet that matches the crypto ACL but arrives on a crypto-map interface is discarded, so a host on the Internet cannot inject packets with a source address in the remote LAN range.
Recommendation: apply the crypto map on every interface. An interface with a crypto map has no effect on traffic that is not configured as interesting, and the map on the second interface covers the asymmetric return path shown in the last row.
-----------------------------------------------------------------------------------------------------
Lab 4: Dynamic VPN
Dynamic VPN suits a hub with a fixed IP and branches whose VPN addresses are not fixed (if everything is Cisco, EZVPN is recommended; if the branches run non-Cisco gear, use this method). The branch config is the same as the branch (r3) config in Lab 1; the hub config differs as follows:
r1:
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto dynamic-map dmap 10
  set transform-set ts
  ! ts is the transform set already defined on r1 in Lab 1
  match add  vpn ---------------------------this line can be omitted
  exit
crypto map smap 10 ipsec-isakmp dynamic dmap
int s0
  crypto map smap
                      ------------------------------------With this method the branch must initiate the traffic; the hub has no peer address and can only passively accept the VPN. It is also the least secure variant: the wildcard pre-shared key means any host on the Internet that knows the key can authenticate as a branch, so the hub's security rests entirely on that one key staying secret.

-------------------------------------------------------------------------------------------------------------------
Lab 5: IPsec over GRE (extended study)
This method is rarely used in practice; it is shown here to make clear how a packet is processed before the router encrypts it and how it hits the crypto map.
GRE is the outermost header. This lab solves the dynamic-routing problem that a plain crypto-map VPN cannot, but IOS 12.4 has a better solution (the VTI of Lab 3).
GRE notes:
1. The tunnel comes up as soon as there is a route to the tunnel destination; that does not mean the destination can actually be pinged.
2. A dynamic routing protocol may advertise the tunnel interface and the networks behind it (such as the loopback), but must not advertise the tunnel source interface; otherwise you get recursive routing and the tunnel flaps up and down.
Reason:
        218.87.15.1  202.101.53.3 | gre | 192.168.1.1 192.168.3.1
The router looks up the destination, chooses the tunnel and adds the GRE header; it then looks up the new outer destination, which (being learned through the tunnel) again points at the tunnel, encapsulates again, and so on without end.
int tunnel 0
  crypto map mymap ---------------------required: this is where the interesting traffic hits the map
int s0
  crypto map mymap ---------------------recommended: stops unencrypted interesting traffic from entering through the physical interface
Packet processing:
1. A packet from 192.168.1.1 reaches the router; original packet s:192.168.1.1  d:192.168.3.1
2. Route lookup: result, send to the tunnel interface
3. Hits the crypto map on the tunnel interface <matches the interesting traffic>
4. Triggers encryption
   <after encryption: s:218.87.15.1 d:202.101.53.3 esp s:192.168.1.1 d:192.168.3.1>
5. The ESP packet leaves through the tunnel interface, so it is GRE-encapsulated with the tunnel source and destination; the new outer header is looked up in the routing table: result, physical interface s0
6. Although the physical interface also has a crypto map, the new packet (outer header 218.87.15.1 to 202.101.53.3) no longer matches the interesting traffic, so it leaves the physical interface unchanged toward the destination
7. Final packet structure:
   < s:218.87.15.1  d:202.101.53.3 | gre | s:218.87.15.1  d:202.101.53.3 | esp | s:192.168.1.1 d:192.168.3.1 >
-------------------------------------------------------------------------------------------------
Pointing the VPN peer at new source/destination addresses:
r1: loopback1 1.1.1.1 (the new peer address as seen by r3)    r3: loopback1 3.3.3.3 (the new peer address as seen by r1)
  r1:tunnel0--192.168.13.1----------------------------r3:tunnel0--192.168.13.3
crypto map mymap local-address loopback1 ------------required once the VPN source changes from s0 to loop1
s:218.87.15.1  d:202.101.53.3 | gre | s:1.1.1.1 d:3.3.3.3 | esp | s:192.168.1.1 d:192.168.3.1 ------IPsec over GRE (GRE outside)
crypto isakmp key cisco address 3.3.3.3
r1#ping 192.168.3.1 source 192.168.1.1
r1: EIGRP advertising tun0, loop0, loop1
r3: EIGRP advertising tun0, loop0, loop1
The loopback peer addresses are only reachable through the tunnel, which is why they must be advertised by the routing protocol; the simulator configs below use OSPF for the same purpose.
 
Configuration as run on the VPN security simulator:
r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int loop1
ip add 1.1.1.1 255.255.255.0
ip ospf network point-to-point
int s1/0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 218.87.15.5
end
conf t
int tunnel 0
  ip add 192.168.13.1 255.255.255.0
  tunnel source s1/0
  tunnel destination 202.101.53.3
  crypto map mymap
  exit
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto keyring cisco
  pre-shared-key address 3.3.3.3 key 0 cisco
crypto isakmp profile cisco
    match identity address 3.3.3.3
    keyring cisco
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap local-address loopback1
crypto map mymap 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set ts
 match address myvpn
 set isakmp-profile cisco
 exit
router ospf 100
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
 network 192.168.13.1 0.0.0.0 area 0
 exit
interface Serial1/0
 ip address 218.87.15.1 255.255.255.0
 crypto map mymap
ip access-list extended myvpn
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
end
 

r2(r5):
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int s1/2
defa int s1/3
defa int e0/0
no   int loop0
int s1/1
ip add 218.87.15.5 255.255.255.0
clock r 64000
no sh
int s1/0
ip add 202.101.53.5 255.255.255.0
clock r 64000
no sh
exit
end
 
 
r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int loop1
ip add 3.3.3.3 255.255.255.0
ip ospf network point-to-point
int s1/1
ip add 202.101.53.3 255.255.255.0
clock r 64000
no sh
exit
ip route 0.0.0.0 0.0.0.0 202.101.53.5
end
conf t
int tunnel 0
  ip add 192.168.13.3 255.255.255.0
  tunnel source s1/1
  tunnel destination 218.87.15.1
  crypto map mymap
  exit
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
crypto keyring cisco
  pre-shared-key address 1.1.1.1 key 0 cisco
crypto isakmp profile cisco
  match identity address 1.1.1.1
  keyring cisco
crypto ipsec transform-set myts esp-des esp-md5-hmac
crypto map mymap local-address loopback1
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myts
 match address vpn
 set isakmp-profile cisco
 exit
router ospf 100
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.3.1 0.0.0.0 area 0
 network 192.168.13.3 0.0.0.0 area 0
 exit
interface Serial1/1
 ip address 202.101.53.3 255.255.255.0
 crypto map mymap
ip access-list extended vpn
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
end
 
 
=====================================================================================================================
Lab 6: GRE over IPsec (extended study)
 
Configuration as run on the VPN security simulator:
r1:
en
conf t
host r1
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.1.1 255.255.255.0
int loop1
ip add 1.1.1.1 255.255.255.0
ip ospf network point-to-point
int s1/0
ip add 218.87.15.1 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 218.87.15.5
end
conf t
interface Serial1/0
 ip address 218.87.15.1 255.255.255.0
 exit
int tunnel 0
  ip add 192.168.13.1 255.255.255.0
  tunnel source s1/0
  tunnel destination 202.101.53.3
  exit
router ospf 100
 router-id 1.1.1.1
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
 network 192.168.13.1 0.0.0.0 area 0
 exit
end

conf t
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 exit
crypto isakmp key cisco address 202.101.53.3
crypto ipsec transform-set ts esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 202.101.53.3
 set transform-set ts
 match address myvpn
 exit
interface Serial1/0
 crypto map mymap
 exit
ip access-list extended myvpn
 remark all GRE is encrypted here; outside the lab restrict this to the two tunnel endpoints
 permit gre any any
end
 

r2(r5):
en
conf t
host r5
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int s1/2
defa int s1/3
defa int e0/0
no   int loop0
int s1/1
ip add 218.87.15.5 255.255.255.0
clock r 64000
no sh
int s1/0
ip add 202.101.53.5 255.255.255.0
clock r 64000
no sh
exit
end
 
 
r3:
en
conf t
host r3
no ip routing
ip routing
no ip domain-lookup
line con 0
logg sy
exit
defa int s1/0
defa int s1/1
defa int e0/0
no   int loop0
int loop0
ip add 192.168.3.1 255.255.255.0
int loop1
ip add 3.3.3.3 255.255.255.0
ip ospf network point-to-point
int s1/1
ip add 202.101.53.3 255.255.255.0
clock r 64000
no sh
exit
ip route 0.0.0.0 0.0.0.0 202.101.53.5
end
conf t
interface Serial1/1
 ip address 202.101.53.3 255.255.255.0
 exit
int tunnel 0
  ip add 192.168.13.3 255.255.255.0
  tunnel source s1/1
  tunnel destination 218.87.15.1
  exit
router ospf 100
 router-id 3.3.3.3
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.3.1 0.0.0.0 area 0
 network 192.168.13.3 0.0.0.0 area 0
end
conf t
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
 exit
crypto isakmp key cisco address 218.87.15.1
crypto ipsec transform-set myts esp-des esp-md5-hmac

crypto map mymap 10 ipsec-isakmp
 set peer  218.87.15.1
 set transform-set myts
 match address vpn
 exit
interface Serial1/1
 crypto map mymap
 exit
ip access-list extended vpn
 remark all GRE is encrypted here; outside the lab restrict this to the two tunnel endpoints
 permit gre any any
end

r1#ping 192.168.3.1 source 192.168.1.1  repeat 20
On the wire: s:218.87.15.1  d:202.101.53.3 | esp | s:218.87.15.1  d:202.101.53.3 | gre | s:192.168.1.1  d:192.168.3.1

Packet processing:
1. A packet from 192.168.1.1 reaches the router; original packet s:192.168.1.1  d:192.168.3.1
2. Route lookup (the remote LAN is learned by OSPF over the tunnel): result, send to the tunnel interface
3. No crypto map on the tunnel interface; the tunnel source and tunnel destination are looked up
4. GRE encapsulation, packet structure:
   <s:218.87.15.1  d:202.101.53.3  gre  s:192.168.1.1  d:192.168.3.1>
5. Route lookup: 202.101.53.3 matches the default route, egress s1/0
6. The physical interface has a crypto map and the packet matches the interesting traffic, which is GRE
7. Triggers encryption
   <after encryption: s:218.87.15.1  d:202.101.53.3 esp  s:218.87.15.1  d:202.101.53.3  gre  s:192.168.1.1  d:192.168.3.1>
8. The encrypted packet is looked up in the routing table again: result, out the physical interface s1/0
  Final packet structure:
   < s:218.87.15.1  d:202.101.53.3 esp  s:218.87.15.1  d:202.101.53.3  gre  s:192.168.1.1  d:192.168.3.1 >
Because ESP is the outermost layer, an observer on the path sees only the two encryption points; the GRE header, the tunnel addresses and the OSPF traffic are all inside the encrypted payload, which is why this order is the one used in practice.
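The two packet walk-throughs (Lab 5 and Lab 6) and the recursive-routing note in the GRE section can be reproduced with a small model of the egress path. The script below is an added example written for this page, not code from the notes or from IOS: it implements the order the notes describe (route lookup, crypto map of the chosen interface, GRE encapsulation on a tunnel interface, then another lookup for the new outer header) and runs the Lab 5 r1 and Lab 6 r1 topologies through it. Addresses, interface names and the routes that OSPF would install are taken from the configs above and constructed inline; the model ignores ISAKMP, MTU and the inbound side.

```python
"""Model of the IOS egress path with crypto maps and GRE tunnels (added example, not from the lab notes).

A packet is a list of layers, outermost first: ("ip", src, dst), ("gre",) or ("esp",).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class CryptoMap:
    local: str   # local crypto address: the interface address, or a loopback via `local-address`
    peer: str    # `set peer`
    acl: list    # crypto ACL entries: ("ip", src_net, dst_net) or ("gre", "any", "any")


@dataclass
class Interface:
    name: str
    crypto_map: Optional[CryptoMap] = None
    tunnel_src: Optional[str] = None    # set only on GRE tunnel interfaces
    tunnel_dst: Optional[str] = None


@dataclass
class Router:
    routes: list        # (prefix, interface name); longest prefix wins
    interfaces: dict

    def egress(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [(ipaddress.ip_network(p), i) for p, i in self.routes if addr in ipaddress.ip_network(p)]
        if not hits:
            raise LookupError(f"no route to {dst}")
        return max(hits, key=lambda h: h[0].prefixlen)[1]


def acl_matches(acl, pkt):
    """Crypto ACL check against the packet as it looks at this interface (its current outer header)."""
    _, src, dst = pkt[0]
    for entry in acl:
        if entry[0] == "gre" and len(pkt) > 1 and pkt[1] == ("gre",):
            return True
        if entry[0] == "ip" and (ipaddress.ip_address(src) in ipaddress.ip_network(entry[1])
                                 and ipaddress.ip_address(dst) in ipaddress.ip_network(entry[2])):
            return True
    return False


def forward(router, pkt, max_lookups=8):
    """Return (egress interface, packet on the wire); raises RecursionError on recursive routing."""
    for _ in range(max_lookups):
        intf = router.interfaces[router.egress(pkt[0][2])]
        cm = intf.crypto_map
        if cm is not None and acl_matches(cm.acl, pkt):
            # tunnel-mode ESP: new outer IP header with the crypto peers, ESP, then the whole packet
            pkt = [("ip", cm.local, cm.peer), ("esp",)] + pkt
        if intf.tunnel_dst is None:
            return intf.name, pkt
        # GRE tunnel interface: encapsulate, then route the new outer destination again
        pkt = [("ip", intf.tunnel_src, intf.tunnel_dst), ("gre",)] + pkt
    raise RecursionError("tunnel destination keeps routing back into the tunnel (recursive routing)")


def layers(pkt):
    return " | ".join(f"ip {layer[1]}>{layer[2]}" if layer[0] == "ip" else layer[0] for layer in pkt)


INNER = [("ip", "192.168.1.1", "192.168.3.1")]
LAN_ACL = [("ip", "192.168.1.0/24", "192.168.3.0/24")]
# Lab 5 r1: crypto map on Tunnel0 and Serial1/0, peers are the loopbacks learned over the tunnel
LAB5_R1 = Router(
    routes=[("0.0.0.0/0", "Serial1/0"), ("192.168.3.0/24", "Tunnel0"), ("3.3.3.3/32", "Tunnel0")],
    interfaces={
        "Tunnel0": Interface("Tunnel0", CryptoMap("1.1.1.1", "3.3.3.3", LAN_ACL), "218.87.15.1", "202.101.53.3"),
        "Serial1/0": Interface("Serial1/0", CryptoMap("1.1.1.1", "3.3.3.3", LAN_ACL)),
    })
# Lab 6 r1: no map on the tunnel; the physical interface encrypts everything that is GRE
LAB6_R1 = Router(
    routes=[("0.0.0.0/0", "Serial1/0"), ("192.168.3.0/24", "Tunnel0")],
    interfaces={
        "Tunnel0": Interface("Tunnel0", None, "218.87.15.1", "202.101.53.3"),
        "Serial1/0": Interface("Serial1/0", CryptoMap("218.87.15.1", "202.101.53.3", [("gre", "any", "any")])),
    })
# The trap from the GRE notes: the tunnel destination's network learned through the tunnel itself
LOOPING_R1 = Router(routes=LAB6_R1.routes + [("202.101.53.0/24", "Tunnel0")], interfaces=LAB6_R1.interfaces)

if __name__ == "__main__":
    for label, r in (("IPsec over GRE", LAB5_R1), ("GRE over IPsec", LAB6_R1)):
        out, pkt = forward(r, INNER)
        print(f"{label}: out {out}: {layers(pkt)}")
    try:
        forward(LOOPING_R1, INNER)
    except RecursionError as err:
        print("recursive routing:", err)
```

The Lab 5 run ends with the GRE header outside and the ESP header addressed between the loopbacks, exactly the structure drawn in the Lab 5 notes, and shows why the map on Serial1/0 does not touch the packet a second time: by then its outer header is 218.87.15.1 to 202.101.53.3, which the LAN-to-LAN ACL does not match. The Lab 6 run ends with ESP outermost. The third router is the recursive-routing case: once 202.101.53.0/24 is learned via Tunnel0, every GRE encapsulation routes back into the tunnel and the model gives up, which on real IOS shows as the tunnel flapping.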
==================================================================================================================