28 August 2009

Basic IPsec Virtual Tunnel Interface - VTI


The goal is to bring up an IPsec tunnel between two routers using VTIs (Virtual Tunnel Interfaces): the tunnel interface itself is protected with an IPsec profile, so no crypto map or crypto ACL is needed, and any traffic routed into Tunnel0 is encrypted.
The pre-shared key is 1234 (a lab value; in production an ISAKMP pre-shared key should be long and random).




hostname R1
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 1234 address 10.2.2.1
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TS-1 esp-aes 256
!
crypto ipsec profile VTI
 set transform-set TS-1
!
interface Tunnel0
 description *** Vers Tunnel 1 premium ***
 ip unnumbered Loopback0
 ip mtu 1380
 ip tcp adjust-mss 1340
 tunnel source Loopback0
 tunnel destination 10.2.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Loopback10
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 10
 redistribute connected
 network 10.1.1.1 0.0.0.0
 no auto-summary
!
ip route 10.2.2.1 255.255.255.255 192.168.1.2
!


The configuration on R2 is the same, with the addresses mirrored: Loopback0 is 10.2.2.1, the ISAKMP key and the tunnel destination point at 10.1.1.1, and the static route to 10.1.1.1 goes via 192.168.1.1.
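The R2 side written out, as an added example that is not part of the original post, followed by the crypto lines a practitioner would tighten on both routers. Two values are assumptions not stated on the page: R2's Loopback10 address (2.2.2.2) and the IOS release (the hardened `hash sha256` and `group 14` lines need a release that supports them); R2's FastEthernet0 address 192.168.1.2 is deduced from R1's static route. The hardening addresses what is visible in the original config and in the `show crypto ipsec sa` output: the transform set carries no ESP integrity algorithm (the SA shows `esp-256-aes` alone), the ISAKMP policy uses 1024-bit DH group 2, and the PSK is four characters.

```cisco
! Added example (not from the original post): R2, mirroring the R1 config.
! Assumed: Loopback10 = 2.2.2.2. FastEthernet0 = 192.168.1.2 follows from
! R1's "ip route 10.2.2.1 255.255.255.255 192.168.1.2".
hostname R2
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 1234 address 10.1.1.1
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS-1 esp-aes 256
!
crypto ipsec profile VTI
 set transform-set TS-1
!
interface Tunnel0
 description *** To Tunnel0 on R1 ***
 ip unnumbered Loopback0
 ip mtu 1380
 ip tcp adjust-mss 1340
 tunnel source Loopback0
 tunnel destination 10.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.255
!
interface Loopback10
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 10
 redistribute connected
 network 10.2.2.1 0.0.0.0
 no auto-summary
!
ip route 10.1.1.1 255.255.255.255 192.168.1.1
!
! --- Hardened crypto settings, to be applied on BOTH routers (shown for R2;
! --- on R1 the key line points at 10.2.2.1). Replaces the three weak points:
! --- no ESP integrity, DH group 2, and a four-character PSK.
! --- "hash sha256" and "group 14" assume an IOS release that supports them.
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <long-random-key> address 10.1.1.1
!
crypto ipsec transform-set TS-1 esp-aes 256 esp-sha-hmac
```

After changing the policy, key or transform set, clear the existing SAs (`clear crypto isakmp` and `clear crypto sa`) so the tunnel renegotiates, then check that `show crypto ipsec sa` lists the transform as `esp-256-aes esp-sha-hmac` rather than `esp-256-aes` alone; both ends must carry the same transform set and the same ISAKMP policy or phase 1 will not complete.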

R1#show crypto ipsec sa


interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.1.1.1


protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 16017, #pkts encrypt: 16017, #pkts digest: 16017
#pkts decaps: 15918, #pkts decrypt: 15918, #pkts verify: 15918
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0


local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0xCF2A12E(217227566)


inbound esp sas:
spi: 0x8C8AD70B(2357909259)
transform: esp-256-aes ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4596558/1206)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0xCF2A12E(217227566)
transform: esp-256-aes ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4596542/1204)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE


outbound ah sas:


outbound pcp sas:
R1#
