Difference between revisions of "IPsec/en"

From Taisto
Current revision as of 27 August 2015, 07:02


We turn a Cisco 2811 router into an IPsec host.

General info

WAN interface: fa0/0

LAN interface: fa0/1


Configuring

First we set up our network connections

 interface FastEthernet0/0
  description *allworkandnoplaymakestranslatoradullboy*
  ip address 10.10.10.2 255.255.255.0
  ip nat outside
  ipv6 ospf cost 1
  crypto map ipsecmap
 interface FastEthernet0/1
  description *areallydullboy*
  ip address 192.168.100.1 255.255.255.0
  ip nat inside

We enable aaa new-model simply by running the command

 aaa new-model

We aren't talking about an AA club: AAA stands for authentication, authorization and accounting. It is often needed when fiddling with authentication and the like.

Now we define logins to be authenticated and authorized locally rather than, for instance, by a RADIUS server.

 aaa authentication login IPsecE local
 aaa authorization network IPsecO local

We tell the router to ALWAYS use the esp-3des esp-md5-hmac transform set, that is ESP with 3DES encryption and HMAC-MD5 integrity.

 ! ESP with 3DES encryption and HMAC-MD5 integrity (both are legacy algorithms)
 crypto ipsec transform-set Example esp-3des esp-md5-hmac

We create a dynamic crypto map which makes IPsec use the Example transform set.

 crypto dynamic-map TestMap 7
  set transform-set Example

We make an ISAKMP policy which defines the connection's parameters:

 crypto isakmp policy 7
  encr 3des
  authentication pre-share
  group 2

Then we create a client configuration group for IPsec

 crypto isakmp client configuration group Testers
  key Key
  pool testpool
  netmask 255.255.255.0

We make an address pool named testpool from which clients get their addresses.

 ip local pool testpool 192.168.70.20 192.168.70.30

Again we make a map, this time the crypto map, which ties together the work we have done.

 ! the list names must match the aaa lines above exactly (IOS names are case-sensitive)
 crypto map ipsecmap client authentication list IPsecE
 crypto map ipsecmap isakmp authorization list IPsecO
 crypto map ipsecmap client configuration address respond
 crypto map ipsecmap 7 ipsec-isakmp dynamic TestMap

We still need to set up NAT:

 ! LAN traffic towards the VPN client pool must not be translated
 ip access-list extended nonat
  deny ip 192.168.100.0 0.0.0.255 192.168.70.0 0.0.0.255
  permit ip any any
 ip nat inside source list nonat interface FastEthernet0/0 overload


We also create a user.

 ! "password 0" stores the password in clear text in the configuration
 username johannes password 0 Qwerty1
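As an added example (not part of the original tutorial), the Python script below cross-checks the names that the crypto map, dynamic map, client group and interface refer to against the objects the configuration actually defines. Its embedded sample is constructed from this page's listing, except that the crypto map spells the AAA list names IpsecE/IpsecO instead of the defined IPsecE/IPsecO, which is exactly the kind of dangling reference the check reports.

```python
import re

# Constructed sample from this page's listing; the crypto map spells the AAA
# list names IpsecE/IpsecO while they are defined as IPsecE/IPsecO.
SAMPLE = """\
interface FastEthernet0/0
 crypto map ipsecmap
aaa authentication login IPsecE local
aaa authorization network IPsecO local
crypto ipsec transform-set Example esp-3des esp-md5-hmac
crypto dynamic-map TestMap 7
 set transform-set Example
crypto isakmp client configuration group Testers
 pool testpool
ip local pool testpool 192.168.70.20 192.168.70.30
crypto map ipsecmap client authentication list IpsecE
crypto map ipsecmap isakmp authorization list IpsecO
crypto map ipsecmap 7 ipsec-isakmp dynamic TestMap
"""

def names(cfg, pattern):
    """Names captured by group 1 of pattern, matched line by line."""
    return {m.group(1) for m in re.finditer(pattern, cfg, re.M)}

def check_references(cfg):
    """List every name an Easy VPN server config references but never
    defines. IOS names are case-sensitive, so the comparison is exact."""
    defined = {
        "aaa login list": names(cfg, r"^aaa authentication login (\S+)"),
        "aaa network list": names(cfg, r"^aaa authorization network (\S+)"),
        "transform-set": names(cfg, r"^crypto ipsec transform-set (\S+)"),
        "dynamic-map": names(cfg, r"^crypto dynamic-map (\S+)"),
        "pool": names(cfg, r"^ip local pool (\S+)"),
        "crypto map": names(cfg, r"^crypto map (\S+)"),
    }
    used = [  # (kind, names referenced from elsewhere in the config)
        ("aaa login list", names(cfg, r"^crypto map \S+ client authentication list (\S+)")),
        ("aaa network list", names(cfg, r"^crypto map \S+ isakmp authorization list (\S+)")),
        ("transform-set", names(cfg, r"^ set transform-set (\S+)")),
        ("dynamic-map", names(cfg, r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)")),
        ("pool", names(cfg, r"^ pool (\S+)")),
        ("crypto map", names(cfg, r"^ crypto map (\S+)")),  # applied on an interface
    ]
    return [f"{kind} '{ref}' is referenced but never defined"
            for kind, refs in used for ref in sorted(refs - defined[kind])]

if __name__ == "__main__":
    print("\n".join(check_references(SAMPLE)) or "all references resolve")
```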


Now we test our VPN

We fill in the connection details. The picture shows the credentials from the original Finnish manual, but you can substitute the ones from this manual's configuration above: group Testers, key Key, server 10.10.10.2, user johannes, password Qwerty1.

[Image: Vpn1.jpg]


And we're in.

[Image: Vpn2.jpg]
