Sunday, 14 April 2013

SK Cisco: VPN IPSec over GRE with EIGRP


Router HQ:
- ipsec:
crypto isakmp policy 1
authentication pre-share
hash sha
group 2
lifetime 7200

crypto isakmp key 0 Cisco address 200.0.0.2 no-xauth
crypto ipsec transform-set HQ-SET esp-aes esp-sha-hmac
mode tunnel

crypto ipsec profile IPSEC_PROFILE
set transform-set HQ-SET

interface Tunnel 0
ip address 10.0.0.1 255.255.255.252
tunnel source f0/0
tunnel destination 200.0.0.2
tunnel path-mtu-discovery
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE


- EIGRP routing:
router eigrp 1
no auto-summary
network 10.0.0.1 0.0.0.0
network 172.16.0.0 0.0.0.255



Router Spoke1: 
- ipsec:
crypto isakmp policy 1
authentication pre-share
hash sha
group 2
lifetime 7200


crypto isakmp key 0 Cisco address 200.0.0.1 no-xauth
crypto ipsec transform-set SPOKE1-SET esp-aes esp-sha-hmac
mode tunnel


crypto ipsec profile IPSEC_PROFILE
set transform-set SPOKE1-SET


interface Tunnel 0
ip address 10.0.0.2 255.255.255.252
tunnel source f0/0
tunnel destination 200.0.0.1
tunnel path-mtu-discovery
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE




- EIGRP routing:
router eigrp 1
no auto-summary
network 10.0.0.2 0.0.0.0
network 172.16.0.0 0.0.0.255
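As an added example (not part of the original post), a small Python check that compares the HQ and Spoke1 snippets side by side for the mismatches that stall IKE Phase 1/2 or leave a profile pointing at an undefined transform set. The config text is constructed from the snippets above, trimmed to the lines the check reads; the `parse`/`check` helpers and the two-side template are assumptions of this example, not anything from the post.

```python
import re
import ipaddress

# Constructed from the HQ / Spoke1 snippets above (trimmed to the lines read below).
SIDE = """crypto isakmp policy 1
 authentication pre-share
 hash sha
 group 2
 lifetime 7200
crypto isakmp key 0 Cisco address {peer} no-xauth
crypto ipsec transform-set {ts} esp-aes esp-sha-hmac
crypto ipsec profile IPSEC_PROFILE
 set transform-set {ts}
interface Tunnel 0
 ip address {tun} 255.255.255.252
 tunnel destination {peer}
"""
HQ = SIDE.format(ts="HQ-SET", peer="200.0.0.2", tun="10.0.0.1")
SPOKE1 = SIDE.format(ts="SPOKE1-SET", peer="200.0.0.1", tun="10.0.0.2")

def parse(cfg):
    """Extract the fields that must agree (or mirror each other) between peers."""
    def g(pat): return re.search(pat, cfg, re.M)
    ts = g(r"^crypto ipsec transform-set (\S+) (.+)$")
    return {
        "policy": dict(re.findall(r"^ (authentication|hash|group|lifetime) (\S+)$", cfg, re.M)),
        "psk": g(r"^crypto isakmp key \d (\S+) address (\S+)").groups(),  # (key, peer)
        "ts_name": ts.group(1), "ts_algs": frozenset(ts.group(2).split()),
        "profile_ts": g(r"^ set transform-set\s+(.+)$").group(1),
        "tun_ip": ipaddress.ip_interface("%s/%s" % g(r"^ ip address (\S+) (\S+)$").groups()),
        "tun_dst": g(r"^ tunnel destination (\S+)$").group(1),
    }

def check(a, b):
    """Return the mismatches between two peers' configs; empty list = consistent."""
    A, B = parse(a), parse(b)
    pairwise = [
        (A["policy"] != B["policy"], "ISAKMP policy (auth/hash/group/lifetime) differs"),
        (A["psk"][0] != B["psk"][0], "pre-shared keys differ"),
        (A["ts_algs"] != B["ts_algs"], "transform-set algorithms differ"),
        (A["tun_ip"].network != B["tun_ip"].network or A["tun_ip"].ip == B["tun_ip"].ip,
         "tunnel addresses are not two distinct hosts in one subnet"),
    ]
    problems = [msg for bad, msg in pairwise if bad]
    for side, S in (("A", A), ("B", B)):  # per-router sanity checks
        if S["profile_ts"] != S["ts_name"]:  # catches a mistyped set name
            problems.append(f"{side}: profile uses {S['profile_ts']!r}, defined set is {S['ts_name']!r}")
        if S["psk"][1] != S["tun_dst"]:
            problems.append(f"{side}: key bound to {S['psk'][1]}, tunnel destination {S['tun_dst']}")
    return problems
```

Feed it the two `show run` outputs and an empty list means the parameters debug crypto isakmp would otherwise complain about all line up.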


Verify:

show ip interface brief
show ip eigrp neighbors
show ip route
show crypto isakmp sa
show crypto ipsec sa

sho crypto ipsec sa peer 85.93.155.166 | i caps

show crypto ipsec default transform-set

sh crypto session brief
sh ip int | inc line protocol|access list is [^ ]+$
show run | inc ^interface|ip address

Debugging:


debug crypto isakmp
debug crypto ipsec
debug crypto tunnel


ACL to apply if ports are being blocked:

ip access-list extended ACL-VPN-LOG
 permit udp host 85.93.155.166 host 85.249.4.250 eq 1701 log
 permit udp host 85.93.155.166 host 85.249.4.250 eq 1723 log
 permit tcp host 85.93.155.166 host 85.249.4.250 eq 1723 log
 permit icmp host 85.93.155.166 host 85.249.4.250 log
 permit gre host 85.93.155.166 host 85.249.4.250 log
 permit esp host 85.93.155.166 host 85.249.4.250 log
 permit ahp host 85.93.155.166 host 85.249.4.250 log
 permit udp host 85.93.155.166 host 85.249.4.250 eq isakmp log
 permit tcp host 85.93.155.166 host 85.249.4.250 log
 permit udp host 46.188.18.113 host 85.249.4.250 eq 1701 log
 permit udp host 46.188.18.113 host 85.249.4.250 eq 1723 log
 permit tcp host 46.188.18.113 host 85.249.4.250 eq 1723 log
 permit icmp host 46.188.18.113 host 85.249.4.250 log
 permit gre host 46.188.18.113 host 85.249.4.250 log
 permit esp host 46.188.18.113 host 85.249.4.250 log
 permit ahp host 46.188.18.113 host 85.249.4.250 log
 permit udp host 46.188.18.113 host 85.249.4.250 eq isakmp log
 permit tcp host 46.188.18.113 host 85.249.4.250 log
 permit tcp any any eq 9051 log
 permit udp host 85.93.155.166 host 85.249.4.250 eq non500-isakmp log
 permit ip any any
