Network/Security 2015. 2. 16. 18:26
@ DMVPN (Dynamic Multipoint VPN)
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN_ps6350_TSD_Products_Configuration_Guide_Chapter.html
http://en.wikipedia.org/wiki/Dmvpn
1. On R1, R2 and R3, build the tunnels using mGRE and NHRP. R2 is the hub (the NHRP next-hop server); R1 and R3 are spokes that register with it. Note that `ip nhrp authentication` is a cleartext string carried in NHRP packets, so it only prevents accidental mixing of NHRP domains; it is not a security control, and the real protection comes from the IPsec profile added in step 3.
@ R2 (Hub router)
int tunnel 123
 ip address 172.16.1.2 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source s1/0
 tunnel mode gre multipoint
 tunnel key 1234
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
!
router eigrp 100
 network 172.16.1.2 0.0.0.0
@ R1 (Spoke router)
int tunnel 123
 ip address 172.16.1.1 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 172.16.1.2 13.13.9.2
 ip nhrp map multicast 13.13.9.2
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.2
 tunnel source s1/0
 tunnel mode gre multipoint
 tunnel key 1234
!
router eigrp 100
 network 172.16.1.1 0.0.0.0
@ R3 (Spoke router)
int tunnel 123
 ip address 172.16.1.3 255.255.255.0
 ip nhrp authentication cisco
 ip nhrp map 172.16.1.2 13.13.9.2
 ip nhrp map multicast 13.13.9.2
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.2
 tunnel source s1/0
 tunnel mode gre multipoint
 tunnel key 1234
!
router eigrp 100
 network 172.16.1.3 0.0.0.0
2. On R1, R2 and R3, verify the mGRE and NHRP state.
① On R1, R2 and R3, check the NHRP next-hop (NBMA) mappings and tunnel entries.
R1#show ip nhrp
172.16.1.2/32 via 172.16.1.2, Tunnel123 created
Type: static, Flags: used
NBMA address: 13.13.9.2
R2#show ip nhrp
172.16.1.1/32, Tunnel123 created
Type: incomplete, Flags: negative
Cache hits: 4
172.16.1.3/32, Tunnel123 created
Type: incomplete, Flags: negative
Cache hits: 4
R3#show ip nhrp
172.16.1.2/32 via 172.16.1.2, Tunnel123 created
Type: static, Flags: used
NBMA address: 13.13.9.2
② From R4, ping R5 (150.3.13.254) and confirm that a spoke-to-spoke tunnel between R1 and R3 is built automatically (a dynamic NHRP entry for 172.16.1.3 should appear on R1).
R4#ping 150.3.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.3.13.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/87/96 ms
R1#show ip nhrp
172.16.1.2/32 via 172.16.1.2, Tunnel123 created
Type: static, Flags: nat used
NBMA address: 13.13.9.2
172.16.1.3/32 via 172.16.1.3, Tunnel123 created
Type: dynamic, Flags: router nat
NBMA address: 13.13.9.3
3. On R1, R2 and R3, protect the DMVPN with IPsec. The same crypto configuration is applied to all three routers; `tunnel protection` binds the IPsec profile to the mGRE interface so that every GRE packet between NBMA addresses is encrypted.
@ R1, R2, R3 (identical on all three)
crypto isakmp policy 10
encryption 3des
hash md5
group 2
authentication pre-share
!
crypto isakmp key 6 cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
!
crypto ipsec profile DMVPN
set transform-set CISCO
!
int tunnel 123
tunnel protection ipsec profile DMVPN
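The lab profile above uses 3DES, MD5, DH group 2 and a single wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`), so any host that learns the string "cisco" can complete IKE with every router. The following is an added example, not part of the original post, showing the weak settings beside a hardened IKEv2 replacement. It assumes an IOS release with IKEv2 support; the proposal/policy/keyring/profile names and the 13.13.9.0/24 peer range (taken from the NBMA addresses used in the lab) are this example's assumptions.

```cisco
! --- Weak settings as configured in the lab (shown for comparison) ---
! crypto isakmp policy 10 / encryption 3des / hash md5 / group 2
! crypto isakmp key 6 cisco address 0.0.0.0 0.0.0.0   <- one PSK accepted from any peer
! crypto ipsec transform-set CISCO esp-3des esp-md5-hmac
!
! --- Hardened replacement (assumed IOS with IKEv2; names and 13.13.9.0/24 are example assumptions) ---
crypto ikev2 proposal DMVPN-PROP
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy DMVPN-POL
 proposal DMVPN-PROP
!
! Restrict the PSK to the known NBMA range instead of 0.0.0.0; use one peer entry
! per router (or certificates) if the spokes must not share a secret.
crypto ikev2 keyring DMVPN-KR
 peer DMVPN-ROUTERS
  address 13.13.9.0 255.255.255.0
  pre-shared-key Replace-With-A-Long-Random-Secret
!
crypto ikev2 profile DMVPN-PROF
 match identity remote address 13.13.9.0 255.255.255.0
 authentication local pre-share
 authentication remote pre-share
 keyring local DMVPN-KR
!
! AES-GCM is an AEAD cipher, so no separate esp-*-hmac integrity transform is needed.
crypto ipsec transform-set DMVPN-TS esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-PROF
!
interface Tunnel123
 tunnel protection ipsec profile DMVPN
```

Transport mode is enough here because the GRE header already carries the real endpoints, which saves 20 bytes of overhead per packet on the mGRE tunnel. Group 19 (ECDH P-256) replaces the 1024-bit MODP group 2, and `match identity remote address` limits which IKE identities the profile will ever negotiate with.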
4. On R1, R2 and R3, verify the DMVPN/IPsec state.
① From R4, ping R5 (150.3.13.254) and R2 (13.13.12.2) and confirm that the packets are carried over IPsec (the encrypt/decrypt counters in `show crypto engine connections active` should increase).
R4#ping 150.3.13.254 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 150.3.13.254, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 72/78/92 ms
R4#
R4#ping 13.13.12.2 repeat 20
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 13.13.12.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (20/20), round-trip min/avg/max = 44/53/80 ms
② On R1, check the IPsec state. Each `IPSEC FLOW: permit 47 host A host B` line is the selector installed by tunnel protection: only GRE (IP protocol 47) between the two NBMA addresses is encrypted, and R1 now holds a second session to R3 (13.13.9.3) for the spoke-to-spoke path.
R1#show crypto session
Crypto session current status
Interface: Tunnel123
Session status: UP-ACTIVE
Peer: 13.13.9.2 port 500
IKE SA: local 13.13.9.1/500 remote 13.13.9.2/500 Active
IPSEC FLOW: permit 47 host 13.13.9.1 host 13.13.9.2
Active SAs: 2, origin: crypto map
Interface: Tunnel123
Session status: UP-ACTIVE
Peer: 13.13.9.3 port 500
IKE SA: local 13.13.9.1/500 remote 13.13.9.3/500 Active
IPSEC FLOW: permit 47 host 13.13.9.1 host 13.13.9.3
Active SAs: 2, origin: crypto map
R1#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Se1/0 IPsec 3DES+MD5 0 42 13.13.9.1
2 Se1/0 IPsec 3DES+MD5 44 0 13.13.9.1
3 Se1/0 IPsec 3DES+MD5 0 10 13.13.9.1
4 Se1/0 IPsec 3DES+MD5 10 0 13.13.9.1
1001 Se1/0 IKE MD5+3DES 0 0 13.13.9.1
1002 Se1/0 IKE MD5+3DES 0 0 13.13.9.1
③ On R2, check the IPsec state.
R2#show crypto session
Crypto session current status
Interface: Tunnel123
Session status: UP-ACTIVE
Peer: 13.13.9.1 port 500
IKE SA: local 13.13.9.2/500 remote 13.13.9.1/500 Active
IPSEC FLOW: permit 47 host 13.13.9.2 host 13.13.9.1
Active SAs: 2, origin: crypto map
Interface: Tunnel123
Session status: UP-ACTIVE
Peer: 13.13.9.3 port 500
IKE SA: local 13.13.9.2/500 remote 13.13.9.3/500 Active
IPSEC FLOW: permit 47 host 13.13.9.2 host 13.13.9.3
Active SAs: 2, origin: crypto map
R2#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Tu123 IPsec 3DES+MD5 0 45 13.13.9.2
2 Tu123 IPsec 3DES+MD5 44 0 13.13.9.2
3 Se1/0 IPsec 3DES+MD5 0 20 13.13.9.2
4 Se1/0 IPsec 3DES+MD5 21 0 13.13.9.2
1001 Tu123 IKE MD5+3DES 0 0 13.13.9.2
1002 Se1/0 IKE MD5+3DES 0 0 13.13.9.2
④ On R3, check the IPsec state.
R3#show crypto session
Crypto session current status
Interface: Tunnel123
Session status: UP-ACTIVE
Peer: 13.13.9.1 port 500
IKE SA: local 13.13.9.3/500 remote 13.13.9.1/500 Active
IPSEC FLOW: permit 47 host 13.13.9.3 host 13.13.9.1
Active SAs: 2, origin: crypto map
Interface: Tunnel123
Session status: UP-ACTIVE
Peer: 13.13.9.2 port 500
IKE SA: local 13.13.9.3/500 remote 13.13.9.2/500 Active
IPSEC FLOW: permit 47 host 13.13.9.3 host 13.13.9.2
Active SAs: 2, origin: crypto map
R3#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Tu123 IPsec 3DES+MD5 0 22 13.13.9.3
2 Tu123 IPsec 3DES+MD5 22 0 13.13.9.3
3 Tu123 IPsec 3DES+MD5 0 10 13.13.9.3
4 Tu123 IPsec 3DES+MD5 10 0 13.13.9.3
1001 Tu123 IKE MD5+3DES 0 0 13.13.9.3
1002 Tu123 IKE MD5+3DES 0 0 13.13.9.3
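To turn the checks in steps ② to ④ into something repeatable, the following added example (not part of the original post) parses `show crypto session` and `show crypto engine connections active` output, lists which peers are spoke-to-spoke sessions, confirms every selector is a host-to-host GRE flow, and flags SAs still negotiated with weak algorithms. The sample input is the R1 output from the lab pasted as constructed strings; the hub NBMA address 13.13.9.2 is passed in by the caller.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the R1 "show crypto session" output from the lab
# above, pasted verbatim (not fetched from a device here).
SAMPLE_SESSION = """Crypto session current status
Interface: Tunnel123
Session status: UP-ACTIVE
Peer: 13.13.9.2 port 500
IKE SA: local 13.13.9.1/500 remote 13.13.9.2/500 Active
IPSEC FLOW: permit 47 host 13.13.9.1 host 13.13.9.2
Active SAs: 2, origin: crypto map
Interface: Tunnel123
Session status: UP-ACTIVE
Peer: 13.13.9.3 port 500
IKE SA: local 13.13.9.1/500 remote 13.13.9.3/500 Active
IPSEC FLOW: permit 47 host 13.13.9.1 host 13.13.9.3
Active SAs: 2, origin: crypto map
"""

# Constructed sample input: a subset of R1's "show crypto engine connections active".
SAMPLE_ENGINE = """Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Se1/0 IPsec 3DES+MD5 0 42 13.13.9.1
2 Se1/0 IPsec 3DES+MD5 44 0 13.13.9.1
1001 Se1/0 IKE MD5+3DES 0 0 13.13.9.1
"""

# Algorithm tokens that should not appear in a current deployment.
# IOS prints SHA-1 as plain "SHA" in this table.
WEAK_TOKENS = {"DES", "3DES", "MD5", "SHA", "RC4"}


@dataclass
class Session:
    peer: str = ""
    status: str = ""
    flow: str = ""


def parse_sessions(text: str) -> list:
    """Split 'show crypto session' into one Session per 'Interface:' block."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = Session()
            sessions.append(cur)
        elif cur is None:
            continue  # header lines before the first block
        elif line.startswith("Session status:"):
            cur.status = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            cur.peer = line.split()[1]
        elif line.startswith("IPSEC FLOW:"):
            cur.flow = line.split(":", 1)[1].strip()
    return sessions


ENGINE_ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<intf>\S+)\s+(?P<type>IPsec|IKE)\s+(?P<alg>\S+)\s+"
    r"(?P<enc>\d+)\s+(?P<dec>\d+)\s+(?P<ip>\S+)$"
)


def parse_engine(text: str) -> list:
    """Parse the data rows of 'show crypto engine connections active' into dicts."""
    rows = []
    for raw in text.splitlines():
        m = ENGINE_ROW.match(raw.strip())
        if m:  # the title and column-header lines do not match
            d = m.groupdict()
            for k in ("id", "enc", "dec"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def weak_findings(rows: list) -> list:
    """(id, algorithm) for every SA whose algorithm string contains a weak token."""
    return [(r["id"], r["alg"]) for r in rows
            if set(r["alg"].upper().split("+")) & WEAK_TOKENS]


def spoke_to_spoke_peers(sessions: list, hub_nbma: str) -> list:
    """Active peers other than the hub: these are the dynamic spoke-to-spoke SAs."""
    return [s.peer for s in sessions
            if s.peer != hub_nbma and s.status == "UP-ACTIVE"]


def all_flows_gre(sessions: list) -> bool:
    """Tunnel protection should only produce host-to-host GRE (protocol 47) selectors."""
    return all(s.flow.startswith("permit 47 host ") for s in sessions)


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_SESSION)
    print("peers:", [s.peer for s in sess],
          "spoke-to-spoke:", spoke_to_spoke_peers(sess, "13.13.9.2"),
          "gre-only:", all_flows_gre(sess))
    print("weak SAs:", weak_findings(parse_engine(SAMPLE_ENGINE)))
```

Running it against the lab output reports 13.13.9.3 as R1's only spoke-to-spoke peer and flags all three SAs, which is the expected result for the 3DES/MD5 profile configured in step 3; after replacing the profile, the same script should return an empty findings list.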
5. Check the Tunnel 123 interface. The output should show `multi-GRE/IP` transport, `destination UNKNOWN` (mGRE has no fixed destination), the tunnel key 0x4D2 (decimal 1234, as configured) and `Tunnel protection via IPSec (profile "DMVPN")`.
R1#show int tunnel 123
Tunnel123 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.1.1/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 13.13.9.1 (Serial1/0), destination UNKNOWN
Tunnel protocol/transport multi-GRE/IP
Key 0x4D2, sequencing disabled
Checksumming of packets disabled
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "DMVPN")
~ (remaining output omitted) ~
R2#show int tunnel 123
Tunnel123 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.1.2/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 13.13.9.2 (Serial1/0), destination UNKNOWN
Tunnel protocol/transport multi-GRE/IP
Key 0x4D2, sequencing disabled
Checksumming of packets disabled
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "DMVPN")
~ (remaining output omitted) ~
R3#show int tunnel 123
Tunnel123 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.1.3/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 13.13.9.3 (Serial1/0), destination UNKNOWN
Tunnel protocol/transport multi-GRE/IP
Key 0x4D2, sequencing disabled
Checksumming of packets disabled
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "DMVPN")
~ (remaining output omitted) ~