Tag archive: VPN

IPSec VPN 2: Configuration (Site-to-Site IPSEC, GRE over IPSec VPN)

Building on the concepts covered in 'IPSec VPN 1', let us configure several kinds of VPN.

  1. Site-to-Site IPSec VPN
  2. GRE over IPSec VPN

1. Site-to-Site IPSec VPN

[Configuration]
– IKE phase 1: ISAKMP SA and pre-shared key configuration (R4, R5)

R4(config)# crypto isakmp policy 10
R4(config-isakmp)# encryption 3des
R4(config-isakmp)# hash md5
R4(config-isakmp)# authentication pre-share
R4(config-isakmp)# lifetime 2600
R4(config-isakmp)# group 2
R4(config-isakmp)# exit
R4(config)# 
R4(config)# crypto isakmp key cisco address 13.13.12.2

R5(config)# crypto isakmp policy 10
R5(config-isakmp)# encryption 3des
R5(config-isakmp)# hash md5
R5(config-isakmp)# authentication pre-share
R5(config-isakmp)# lifetime 2600
R5(config-isakmp)# group 2
R5(config-isakmp)# exit
R5(config)# 
R5(config)# crypto isakmp key cisco address 13.13.10.1

– IKE phase 2: IPSec SA configuration (R4, R5)

R4(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 172.30.1.0 0.0.0.255
R4(config)# crypto ipsec transform-set CISCO esp-3des esp-sha-hmac
R4(config)# 
R4(config)# crypto map IPSEC 10 ipsec-isakmp
R4(config-crypto-map)# set peer 13.13.12.2
R4(config-crypto-map)# set transform-set CISCO
R4(config-crypto-map)# match address 100
R4(config-crypto-map)# exit
R4(config)# 
R4(config)# int fa0/0
R4(config-if)# crypto map IPSEC

R5(config)# access-list 100 permit ip 172.30.1.0 0.0.0.255 192.168.0.0 0.0.0.255
R5(config)# crypto ipsec transform-set CISCO esp-3des esp-sha-hmac
R5(config)# 
R5(config)# crypto map IPSEC 10 ipsec-isakmp
R5(config-crypto-map)# set peer 13.13.10.1
R5(config-crypto-map)# set transform-set CISCO
R5(config-crypto-map)# match address 100
R5(config-crypto-map)# exit
R5(config)# 
R5(config)# int fa0/0
R5(config-if)# crypto map IPSEC

[λ™μž‘ 확인]
– R4 PC β†’ R5 PC둜 PING ν…ŒμŠ€νŠΈ ν›„ isakmp sa 확인.

When you run 'show crypto isakmp sa', you can confirm that the dst and src entries are listed.

– Check the policy contents (phase 1 first, then phase 2)
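As an added check, not part of the original post or of any Cisco tooling, the script below parses constructed configuration samples shaped like the R4/R5 configuration above, verifies that each side's pre-shared key address matches its 'set peer' and that the two crypto ACLs mirror each other (the usual cause of a phase 2 that never comes up), and flags the legacy algorithms used here (3DES, MD5, DH group 2). The helper `site_cfg` and the `WEAK` list are assumptions of this example.

```python
import re

def site_cfg(peer, local_net, remote_net):
    """Constructed sample in the same shape as the R4/R5 configuration above."""
    return f"""
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address {peer}
access-list 100 permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
crypto ipsec transform-set CISCO esp-3des esp-sha-hmac
crypto map IPSEC 10 ipsec-isakmp
 set peer {peer}
 set transform-set CISCO
 match address 100
"""

R4_CFG = site_cfg("13.13.12.2", "192.168.0.0", "172.30.1.0")
R5_CFG = site_cfg("13.13.10.1", "172.30.1.0", "192.168.0.0")

# Legacy choices to replace (e.g. with aes 256 / sha256 / group 14 or higher).
WEAK = {"encryption des", "encryption 3des", "hash md5", "group 1", "group 2",
        "group 5", "esp-des", "esp-3des", "esp-md5-hmac"}

def parse(cfg):
    """Pull out the fields that must agree between the two peers."""
    acl = re.search(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    return {
        "peer": re.search(r"set peer (\S+)", cfg).group(1),
        "key_addr": re.search(r"crypto isakmp key \S+ address (\S+)", cfg).group(1),
        "acl": acl.groups(),  # (number, src, wildcard, dst, wildcard)
        "algs": re.findall(r"^\s*(encryption \S+|hash \S+|group \d+)", cfg, re.M)
                + re.search(r"crypto ipsec transform-set \S+ (.+)", cfg).group(1).split(),
    }

def findings(local, peer):
    probs = []
    if local["key_addr"] != local["peer"]:
        probs.append("pre-shared key address differs from 'set peer'")
    # Phase 2 proxy IDs must mirror each other, or the IPsec SA never comes up.
    if local["acl"][1:3] != peer["acl"][3:5] or local["acl"][3:5] != peer["acl"][1:3]:
        probs.append("crypto ACL is not the mirror image of the peer's ACL")
    probs += [f"weak algorithm: {a}" for a in local["algs"] if a in WEAK]
    return probs

if __name__ == "__main__":
    for name, a, b in (("R4", R4_CFG, R5_CFG), ("R5", R5_CFG, R4_CFG)):
        print(name, findings(parse(a), parse(b)) or "OK")
```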


2. GRE over IPSec VPN

GRE over IPSec VPN is not very different from Site-to-Site; the only addition is configuring a Tunnel interface.

[Configuration]
– Tunnel interface configuration

R4(config)# int tunnel 10
R4(config-if)# ip addr 10.250.10.1 255.255.255.240
R4(config-if)# tunnel source 13.13.10.1
R4(config-if)# tunnel destination 13.13.12.2
R4(config-if)# exit
R4(config)#
R4(config)# ip route 172.30.1.0 255.255.255.0 tunnel 10

R5(config)# int tunnel 10
R5(config-if)# ip addr 10.250.10.2 255.255.255.240
R5(config-if)# tunnel source 13.13.12.2
R5(config-if)# tunnel destination 13.13.10.1
R5(config-if)# exit
R5(config)#
R5(config)# ip route 192.168.0.0 255.255.255.0 tunnel 10

– IKE phase 1: ISAKMP SA and pre-shared key configuration (R4, R5)
Refer to the Site-to-Site IPSec VPN configuration.

– IKE phase 2: IPSec SA configuration (R4, R5)
Refer to the Site-to-Site IPSec VPN configuration.