Cisco 1721 router IPsec configuration
Closed
christophe33
Posts
14
Registration date
Friday 8 June 2007
Status
Member
Last activity
11 September 2007
-
25 July 2007 at 11:35
boudagokou - 10 March 2009 at 09:36
3 replies
@(#)Configuring IPsec on Cisco routers 10 MAY 2000 Rob Thomas robt@cymru.com
Configuring IPsec on Cisco routers
I have included a simple IPSEC configuration. This may not be the exact
configuration any given site may use. However, it does provide the basics
of IPsec configuration on a Cisco router.
The setup (in fine ASCII art) is:
Sun SPARC 20
192.168.80.9/24
|
192.168.80.222/24
Cisco 2514
192.168.10.1/30
|
192.168.10.2/30
Cisco 2514
10.10.10.1/24
The test was a ping and a telnet from 192.168.0.9 to 10.10.10.1. The
routing was all static.
Here is the configuration for one of the IPSEC-enabled routers, with
comments.
Note the differences between the snoop output. When there is no IPsec
configured, the packets flow as one would expect. However, when IPsec
is running, the packets flow within an IPSEC "tunnel" between 192.168.10.1
and 192.168.10.2, regardless of the actual source and destination
addresses.
! @(#)IPsec Cisco router configuration 10 MAY 2000 Rob Thomas robt@cymru.com
!
crypto isakmp policy 1
 ! Set the crypto policy to ISAKMP, priority 1.
 hash md5
 ! Use MD5 as the authentication algorithm (instead
 ! of SHA, which is slower yet more secure).
 authentication pre-share
 ! Utilize the hard-coded key "123FOO123".
!
crypto isakmp key 123FOO123 address 192.168.10.2
! Set the key and the peer with whom to share the
! key. Be careful not to share this with anyone!
!
crypto ipsec transform-set OURIPS esp-des esp-md5-hmac
! Create a transform set called OURIPS that utilizes
! ESP (Encapsulating Security Payload) encrypted with
! DES and authenticated with MD5. In this case, we
! will encrypt only the payload of the packet, not the
! header.
!
crypto map IPSEC-TO-RMT local-address Ethernet0
! Specify that the crypto map called IPSEC-TO-RMT
! will use the local-address on E0 for identification
! purposes. This is not always necessary, but makes
! for nice documentation.
!
crypto map IPSEC-TO-RMT 1 ipsec-isakmp
 ! Map IPSEC-TO-RMT, sequence number 1, that uses
 ! ISAKMP for key exchange.
 set peer 192.168.10.2
 ! Our remote peer
 set transform-set OURIPS
 ! Apply the proper transform set (q.v.)
 match address IPSEC-TUN
 ! Only IPSEC the packets that match the extended
 ! ACL named IPSEC-TUN
!
ip access-list extended IPSEC-TUN
 ! Build an ACL to use for IPSEC.
 remark IPSEC ACL
 ! Comments are good. :-)
 permit ip any any
 ! This is a bit misleading. While it will attempt
 ! to ESP encrypt all packets, multicast packets can
 ! not be encrypted with IPSEC. For multicast packets,
 ! a GRE tunnel must be used. Recall that most
 ! routing protocols use multicast (OSPF, RIP v2) for
 ! the routing updates.
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 crypto map IPSEC-TO-RMT
 ! Apply the crypto map IPSEC-TO-RMT to the e0
 ! interface.
Snoop before IPSEC configuration:
192.168.80.9 -> 10.10.10.1 ICMP Echo request
10.10.10.1 -> 192.168.80.9 ICMP Echo reply
192.168.80.9 -> 10.10.10.1 ICMP Echo request
10.10.10.1 -> 192.168.80.9 ICMP Echo reply
192.168.80.9 -> 10.10.10.1 ICMP Echo request
10.10.10.1 -> 192.168.80.9 ICMP Echo reply
Snoop after IPSEC configuration:
192.168.10.1 -> 192.168.10.2 IP D=192.168.10.2 S=192.168.10.1 LEN=136, ID=243
192.168.10.2 -> 192.168.10.1 IP D=192.168.10.1 S=192.168.10.2 LEN=136, ID=625
192.168.10.1 -> 192.168.10.2 IP D=192.168.10.2 S=192.168.10.1 LEN=136, ID=244
192.168.10.2 -> 192.168.10.1 IP D=192.168.10.1 S=192.168.10.2 LEN=136, ID=628
192.168.10.1 -> 192.168.10.2 IP D=192.168.10.2 S=192.168.10.1 LEN=136, ID=245
Rob Thomas, robt@cymru.com
http://www.enteract.com/~robt
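An added audit script, not part of Rob Thomas's post nor a Cisco tool, that parses the crypto-relevant lines of an IOS configuration like the one quoted above and flags the settings a reviewer would question today: the MD5 ISAKMP hash, the pre-shared key stored in cleartext, the DES/MD5 transform set, and a `permit ip any any` in an ACL that a crypto map actually uses. The sample config and the weak-transform list are constructed for this example.

```python
import re

# Constructed sample input: the crypto-relevant lines of the router config
# quoted in the answer above, with the "!" comment lines left out.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key 123FOO123 address 192.168.10.2
crypto ipsec transform-set OURIPS esp-des esp-md5-hmac
crypto map IPSEC-TO-RMT 1 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set OURIPS
 match address IPSEC-TUN
ip access-list extended IPSEC-TUN
 remark IPSEC ACL
 permit ip any any
"""

# Transform names no current deployment should still accept (assumed list).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}


def audit_ipsec_config(config: str) -> list[str]:
    """Return one finding per weak ISAKMP/IPsec setting in an IOS config."""
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    # Pass 1: names of the ACLs a crypto map uses to select tunnel traffic.
    crypto_acls = {m.group(1) for l in lines
                   if (m := re.fullmatch(r"match address\s+(\S+)", l))}
    # Pass 2: walk the config, remembering which ACL body we are inside.
    findings, current_acl = [], None
    for line in lines:
        if re.fullmatch(r"hash\s+md5", line):
            findings.append("isakmp policy: MD5 hash; use SHA-2")
        elif m := re.fullmatch(r"crypto isakmp key\s+\S+\s+address\s+(\S+)", line):
            findings.append(f"isakmp: cleartext pre-shared key for peer {m.group(1)}")
        elif m := re.fullmatch(r"crypto ipsec transform-set\s+(\S+)\s+(.+)", line):
            weak = sorted(t for t in m.group(2).split() if t in WEAK_TRANSFORMS)
            if weak:
                findings.append(f"transform-set {m.group(1)}: weak transforms {weak}")
        elif m := re.fullmatch(r"ip access-list extended\s+(\S+)", line):
            current_acl = m.group(1)
        elif line.startswith(("permit ", "deny ", "remark ")):
            if current_acl in crypto_acls and re.fullmatch(r"permit\s+ip\s+any\s+any", line):
                findings.append(f"crypto acl {current_acl}: 'permit ip any any' "
                                "selects all traffic for the tunnel")
        else:
            current_acl = None  # any other top-level command ends the ACL body
    return findings
```

Running it on the sample yields four findings; an ACL with `permit ip any any` that no crypto map references is left alone, since it does not select tunnel traffic.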
To configure an IPsec VPN on a Cisco router, you first need to do a basic configuration on your router. Then you need to define the crypto type, in our case IPsec, then the transform-set (for example your name, then the type of ESP protocol you are using).
That way you can also define a tunnel mode.
Then you create the ACLs, and after that you map the ACL you created to the crypto map.
If you run into trouble you can write to me at gokouroselin@hotmail.fr and I'll give you more information.