IPSec Theory
IPSec VPN
PREFACE
Today the explosion of information technology brings us many new things and makes working relationships in society ever more convenient: it lets employees work effectively from home and lets a business connect securely to its branches and partner firms. Technology keeps developing and continually improves our network infrastructure, helping to make our work more secure.
One technology that businesses, companies and commercial firms all use widely today is the Virtual Private Network (VPN). Virtual private networking extends the reach of LANs (Local Area Networks) without needing any dedicated line. Central resources can be reached from many places, which saves cost and time.
Ensuring security between networks is the issue of greatest concern today. One solution for securing a VPN is IPSec. Although this technology is no longer new, it is applied very widely in many businesses and companies. The IPSec protocol allows data to be transmitted encrypted and securely over public networks.
In this internship report I discuss IPSec, a fairly common technology for securing VPNs that many organizations and companies have deployed.
Because my knowledge and experience are still limited, errors in this report are unavoidable. I look forward to comments from the teachers and my friends.
Intern: Vi Th Mu
Graduation Internship Report
IPSec VPN
ACKNOWLEDGEMENTS
To complete my internship well, I received a great deal of help from the teachers at VnPro and from my friends. In particular I would like to thank:
Mr. Đặng Quang Minh of the Board of Directors of the VnPro Center. It was his agreement to accept me that gave me the chance to learn outside the classroom, in practice. Thank you for teaching me a way of living and a working manner that prepare me for my future career, and for guiding me so that I could complete my internship well.
Thank you to the staff of the technical department, who wholeheartedly provided the equipment I needed to complete the labs during the internship.
Thank you to the whole VnPro company for giving me a good internship environment.
Finally, thank you to the teachers of the Electronics and Telecommunications department at the University of Transport, Ho Chi Minh City, for helping me gain the opportunity to do an internship in a real working environment.
Respectfully,
Vi Th Mu
REMARKS OF THE HOST ORGANIZATION
Student name: VI TH MU
Student ID: DV03035
Class: DV03
Cohort: 2003 - 2008
Internship duration: 6 weeks
From 03/03/2008 to 11/04/2008
Host organization: VNPRO Informatics Center, 149/1D Ung Van Khiem, Ward 25, Binh Thanh District, Ho Chi Minh City
Internship topic: Study and deployment of IPSec in Virtual Private Networks
Supervisor: Mr. Đặng Quang Minh
Remarks of the host organization:
Ho Chi Minh City, (day) (month) 2008
Board of Directors
INTERNSHIP DIARY
Week 1: 3/3 to 8/3/2008
Study the theory and do the basic lab:
- Configure two routers, creating a private channel between the two routers' LANs across a public environment
- Write the report
- Write the report
- Study the CA server
- Study the theory
- Write the report
TABLE OF CONTENTS
PART 1: THEORY ........ 8
CHAPTER I: INTRODUCTION TO VIRTUAL PRIVATE NETWORKS ........ 8
  I. Introduction ........ 8
  II. Classification of VPNs ........ 8
    1. Classification ........ 8
    2. VPNs for the enterprise ........ 9
    3. VPN technology and the OSI model ........ 14
CHAPTER II: IP SECURITY TECHNOLOGY ........ 17
  I. Understanding the IPSec Protocol ........ 17
    1. The concept of IPSec ........ 17
    2. How the IPSec protocol works ........ 17
    3. How IKE works ........ 19
  II. How the AH and ESP Protocols Work ........ 19
    1. Overview ........ 19
    2. Overview of the AH and ESP headers ........ 20
    3. Authentication Header ........ 20
    4. Encapsulation Security Payload ........ 24
    5. The main modes of the IPSec protocol ........ 29
CHAPTER III: PUBLIC KEY INFRASTRUCTURE ........ 33
  I. Overview of PKI ........ 33
  II. Components of PKI ........ 33
    1. The components of PKI ........ 33
    2. Purpose and functions of PKI ........ 34
  III. The PKI Infrastructure ........ 35
    1. Encryption steps ........ 35
    2. Verification steps ........ 36
CHAPTER IV: DYNAMIC MULTIPOINT VIRTUAL PRIVATE NETWORK ........ 37
  I. Overview of DMVPN ........ 37
    1. What is DMVPN? ........ 37
    2. Advantages of DMVPN ........ 37
    3. Technologies used in DMVPN ........ 38
    4. Operation of DMVPN ........ 38
    5. Routing with DMVPN ........ 38
    6. DMVPN phases ........ 39
  II. Configuring DMVPN ........ 41
    1. Configuring IPSec ........ 41
    2. Configuring the mGRE hub ........ 41
    3. Configuring the mGRE spoke ........ 42
  III. Next Hop Resolution Protocol ........ 42
    1. NHRP and NBMA interaction ........ 42
    2. Benefits of NHRP for NBMA ........ 43
    3. Next Hop Server Resolution ........ 43
    4. NHRP used with DMVPN ........ 44
    5. NHRP registration ........ 45
PART 1: THEORY
CHAPTER I: INTRODUCTION TO VIRTUAL PRIVATE NETWORKS
I. Introduction:
A VPN (Virtual Private Network) is a technology that provides a secure way for private networks to communicate, using a technique called tunneling to build a private network on top of the Internet. In essence, the whole packet is placed inside a header that carries the routing information needed to cross the intermediate network.
A VPN is a private network that uses a shared network to connect sites (separate private networks) or many remote users. Instead of a dedicated physical connection such as a leased line, each VPN uses virtual connections routed over the Internet from the company's private network to the sites of its remote employees.
One method commonly found in VPNs is Generic Routing Encapsulation (GRE). The GRE encapsulation protocol provides a mechanism for wrapping the packet of one protocol (the passenger protocol) so that it can be carried over a transport protocol (the carrier protocol). It includes information about the type of packet being encapsulated and about the connection between the server and the client.
II. Classification of VPNs:
1. VPNs are classified as follows:
(Figure: VPN technologies mapped onto the OSI model)
Layer 7, Application
Layer 6, Presentation: N/A
Layer 5, Session: N/A
Layer 4, Transport
Layer 3, Network: IPSec deployment, MPLS VPNs
Layer 2, Data link
Layer 1, Physical

b. Site-to-site VPN
(Figure: six sites, Site 1 to Site 6, interconnected.)

c. Extranet:
(Figure: a corporate network connected to Supplier Network 1, Supplier Network 2 and Supplier Network 3, belonging to supplier1, supplier2 and supplier3.)

Advantages of an extranet:
Some disadvantages of an extranet:
By connecting many subnetworks that use different protocols across an environment with a single main protocol, GRE tunneling lets those other protocols be carried and routed conveniently inside IP packets.
(Figure: enterprise network.)
c. IPsec
(Figure: enterprise network connected to a remote network.)
This policy must be configured identically on both VPN peers. It covers the following items:
- Key distribution method: manual configuration, or keys supplied by a CA
- Authentication method: largely determined by the key distribution method; pre-shared keys are the usual choice
- IP address and hostname of the peers: the IP address is needed to identify the peers and to manage the access lists on each peer's device so that the peers know each other's information. When a hostname is used in the IPSec configuration instead of an IP address, it must be the fully qualified domain name (FQDN).
- IKE policy parameters: the parameters established in IKE phase 1. An IKE policy includes the following parameters:
  o Encryption algorithm: DES/3DES
  o Hash algorithm: MD5/SHA-1
  o Authentication method: pre-shared keys, RSA encryption, RSA signatures
  o Key exchange: D-H Group 1 / D-H Group 2
  o IKE SA lifetime: 86400 seconds by default
Step 2: Establish the IPSec policy:
The confidentiality and authentication that IPSec provides are applied to the traffic passing between the peers. All traffic could be sent through the IPSec tunnel, but it may be hard to keep full performance that way, so we should choose which traffic is sent through the IPSec tunnel. When the IPSec tunnel is implemented, both endpoints must apply the same policies. The IPSec policy includes:
- IPSec protocol: AH or ESP
- Authentication: MD5 or SHA-1
- Encryption: DES or 3DES
- Transform or transform set: ah-sha-hmac, esp-3des, esp-md5-hmac, or a combination of these algorithms
- Identify the traffic to be protected: protocol, source, destination and port
- SA establishment: manual configuration or IKE
Step 3: Check the current configuration
Check the IPSec configuration already present on the device to avoid conflicting configuration parameters.
Step 4: Test the network before IPSec: test it by pinging the devices that will be configured for IPSec.
Step 5: Protocols and ports used by IPSec:
3. How IKE works
IKE's job is to exchange keys between the devices taking part in the VPN, to exchange security policies between those devices and to negotiate the security policies between them automatically.
Before exchanging keys to set up the virtual channel, IPSec authenticates whom it is exchanging with.
During the IKE key exchange, asymmetric cryptography, consisting of a public key and a private key, is used to protect the exchange of keys between the VPN devices.
Afterwards the security policies are exchanged between the devices. The security policies on the devices are called Security Associations (SAs).
So, during IKE, the devices exchange all the SAs they have with each other, and between them they find the SAs that match best.
(Figure: Router A and Router B exchange their transform sets, steps 1 and 2.)
The IPSec protocol suite operates in two main modes: Tunnel Mode and Transport Mode.
- When IPSec operates in Tunnel Mode, after encapsulating the data, ESP encrypts the whole payload, the frame header and the IP header, then adds a new IP header to the packet before forwarding it.
- When IPSec operates in Transport Mode, the IP header is kept unchanged and ESP is inserted between the payload and the IP header of the packet.
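The two modes just described, as an added example that is not part of the report: the ESP packet layout from RFC 4303 is built and unpacked in both transport and tunnel mode, using NULL encryption (RFC 2410) and HMAC-SHA1-96 so that only the Python standard library is needed; a real SA would encrypt payload and trailer with DES/3DES before the ICV is computed. Host and gateway addresses follow the report's later figure (10.0.1.0/24 behind 1.1.1.1, 10.0.2.0/24 behind 2.2.2.2); the key, SPI and inner packet are constructed sample values, and the replay check is a simplified strictly increasing sequence number rather than the RFC's sliding window.

```python
"""ESP encapsulation and decapsulation in transport and tunnel mode.

Added example (not the report's code): RFC 4303 packet layout with NULL
encryption (RFC 2410) and HMAC-SHA1-96, so only the standard library is
needed; a real SA would encrypt payload + trailer (DES/3DES/AES) before
the ICV is computed. Key, SPI and inner packet are constructed values.
"""
import hashlib
import hmac
import struct

ESP_PROTO = 50     # IP protocol number of ESP (AH is 51)
IPIP_NEXT = 4      # next-header value: "an IPv4 packet follows" (tunnel mode)
ICV_LEN = 12       # HMAC-SHA1-96 keeps the first 96 bits of the 160-bit tag


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 20-byte header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header: no options, DF set, TTL 64, ID 0."""
    def octets(ip):
        return bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, octets(src), octets(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """SPI | sequence | payload | padding | pad length | next header | ICV."""
    pad_len = -(len(payload) + 2) % 4            # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default padding bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(key: bytes, esp: bytes, last_seq: int) -> tuple:
    """Verify ICV and sequence number, strip the trailer: (payload, next_header, seq)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        raise ValueError("ESP ICV mismatch: packet altered or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    if seq <= last_seq:                          # simplified anti-replay: strictly increasing
        raise ValueError(f"replayed sequence number {seq} on SPI {spi:#x}")
    pad_len, next_header = body[-2], body[-1]
    return body[8:len(body) - 2 - pad_len], next_header, seq


def _addresses(hdr: bytes) -> tuple:
    return tuple(".".join(map(str, hdr[i:i + 4])) for i in (12, 16))


def transport_mode(key: bytes, spi: int, seq: int, ip_packet: bytes) -> bytes:
    """Original header stays (protocol becomes 50); ESP wraps only the upper-layer data."""
    hdr, upper = ip_packet[:20], ip_packet[20:]
    esp = esp_encapsulate(key, spi, seq, upper, next_header=hdr[9])
    src, dst = _addresses(hdr)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(key: bytes, spi: int, seq: int, ip_packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Whole original packet, header included, goes inside ESP behind a new outer header."""
    esp = esp_encapsulate(key, spi, seq, ip_packet, next_header=IPIP_NEXT)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def unwrap(key: bytes, packet: bytes, last_seq: int = 0) -> tuple:
    """Receiver for either mode: (original IP packet, mode name)."""
    payload, next_header, _ = esp_decapsulate(key, packet[20:], last_seq)
    if next_header == IPIP_NEXT:
        return payload, "tunnel"
    src, dst = _addresses(packet[:20])
    return ipv4_header(src, dst, next_header, len(payload)) + payload, "transport"


# Constructed sample: 12 bytes of UDP-like data from host 10.0.1.1 to host 10.0.2.1;
# the gateways 1.1.1.1 and 2.2.2.2 are those of the tunnel-mode figure.
KEY = bytes(range(20))
INNER = ipv4_header("10.0.1.1", "10.0.2.1", 17, 12) + b"udp-payload!"
```

In transport mode only the UDP data sits inside ESP and the original host addresses stay visible in the outer header; in tunnel mode the whole inner packet, addresses included, is hidden behind the gateway addresses. Flipping any byte covered by the ICV, or replaying a sequence number, makes esp_decapsulate reject the packet.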
2. Overview of the ESP header and the AH header
(Figure: networks 10.0.2.0/24 and 10.0.1.0/24.)
b. Tunnel mode:
(Figure: Network A, 10.0.1.0/24, with hosts A2 ... An behind gateway GW A, 1.1.1.1, connected across the WAN to gateway GW B, 2.2.2.2, in front of Network B, 10.0.2.0/24, with hosts B1, B2, B3 ... Bm; each gateway uses host address .250 on its LAN.)
(Table: comparison of AH and ESP. AH is IP protocol 51, ESP is IP protocol 50; the remaining eight feature rows read, for AH: yes, yes, no, yes, no, no, yes, no; for ESP: yes, yes, yes, yes, yes, no, no, yes.)
Step 1: Use a hash algorithm to transform the message to be sent; the result is a message digest. With MD5 (Message Digest 5) the digest is 128 bits long; with SHA (Secure Hash Algorithm) it is 160 bits long.
Step 2: Use the sender's private key to encrypt the message digest obtained in step 1. This step usually uses RSA (or DSA, RC2, 3DES, ...). The result is called the digital signature of the original message.
Step 3: Use the receiver's public key to encrypt the information to be sent.
Step 4: Attach the digital signature to the encrypted message and send it. Once the digital signature has been attached to the encrypted message in this way, any change to the message will be detected in the stage
CHAPTER IV: DYNAMIC MULTIPOINT VIRTUAL PRIVATE NETWORK
we have n(n-1)/2 = 6 tunnels
Phase 2:
In phase 2, NHRP brings up the NHC-to-NHS tunnel, and the dynamic routing protocol is used to advertise routing information for all the networks the hub knows to all the spokes. This information is the IP next hop of the destination spoke, specific to each destination network.
When a packet is forwarded, the outbound interface and the IP next hop are taken from the routing-table entry. If the NHRP interface is the outbound interface, an NHRP mapping is looked up for that IP next hop. If there is no match in the NHRP mapping table, NHRP is triggered to send an NHRP resolution request for the mapping information (IP next hop to physical-layer address). The NHRP resolution reply packet carries this mapping, and once it is received the spoke has the complete encapsulation information to send directly to the remote spoke across the network infrastructure.
Phase 3:
NHRP brings up the NHC-to-NHS tunnel, and the dynamic routing protocol is used to advertise the routing information for all the networks of all the spokes to the hub. The hub then sends this routing information back to the spokes, but in this case the hub can summarize it. It sets the IP next hop of all destination networks to the NHS (the hub). This reduces the amount of routing information the hub has to distribute to the spokes and reduces the routing-protocol updates running on the hub.
When a data packet is forwarded, the outbound interface and the IP next hop are taken from the routing-table entry. If the NHRP interface is the outbound interface, an NHRP mapping is looked up for that IP next hop. In this case
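How a spoke turns a routing-table next hop into an NBMA address, as an added toy model that is neither the report's code nor Cisco's NHRP implementation: the hub plays the NHS and stores registrations, each spoke keeps a routing table and an NHRP cache, and a resolution request is sent only when the cache misses. The hub and spoke2 addresses reuse values from the report's lab (tunnel network 10.0.0.0, hub 172.30.2.1, spoke 172.30.3.2); spoke3 and the destination prefixes are constructed.

```python
"""Spoke-to-spoke next-hop resolution as described for DMVPN phase 2, and the
hub-as-next-hop summary routing of phase 3 (added example).

Toy model, not the report's code and not Cisco's NHRP implementation: the hub
acts as NHS and stores registrations; each spoke (NHC) keeps a routing table
and an NHRP cache and resolves a tunnel next hop to an NBMA address only on a
cache miss. Addresses are constructed sample values.
"""
import ipaddress


class Hub:
    """Next Hop Server: remembers which NBMA address each spoke tunnel address uses."""

    def __init__(self, tunnel_ip: str, nbma_ip: str):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.registrations = {}

    def register(self, tunnel_ip: str, nbma_ip: str) -> None:
        """NHRP registration from a spoke (the reply is implicit here)."""
        self.registrations[tunnel_ip] = nbma_ip

    def resolve(self, tunnel_ip: str):
        """NHRP resolution reply; None when no spoke registered that address."""
        return self.registrations.get(tunnel_ip)


class Spoke:
    """Next Hop Client with a routing table and an NHRP mapping cache."""

    def __init__(self, name: str, tunnel_ip: str, nbma_ip: str, hub: Hub):
        self.name, self.tunnel_ip, self.nbma_ip, self.hub = name, tunnel_ip, nbma_ip, hub
        self.routes = {}                                  # prefix -> IP next hop (tunnel address)
        self.nhrp_cache = {hub.tunnel_ip: hub.nbma_ip}    # static mapping to the NHS
        self.resolution_requests = 0
        hub.register(tunnel_ip, nbma_ip)                  # spoke registers itself at start-up

    def learn_route(self, prefix: str, next_hop: str) -> None:
        """Route from the routing protocol: in phase 2 the next hop is the originating
        spoke; in phase 3 a summary route points at the hub itself."""
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def next_hop(self, dst_ip: str) -> str:
        """Longest-prefix match in the routing table."""
        addr = ipaddress.ip_address(dst_ip)
        matching = [net for net in self.routes if addr in net]
        if not matching:
            raise LookupError(f"{self.name}: no route to {dst_ip}")
        return self.routes[max(matching, key=lambda net: net.prefixlen)]

    def forward(self, dst_ip: str) -> str:
        """Return the NBMA address the GRE/IPsec packet is sent to, asking the NHS
        for the mapping when the NHRP cache has none for the tunnel next hop."""
        nh = self.next_hop(dst_ip)
        if nh not in self.nhrp_cache:
            self.resolution_requests += 1
            nbma = self.hub.resolve(nh)
            if nbma is None:
                raise LookupError(f"{self.name}: NHS cannot resolve {nh}")
            self.nhrp_cache[nh] = nbma
        return self.nhrp_cache[nh]


def demo() -> dict:
    """Phase 2 route to spoke3 resolves once and then goes direct; a phase 3 style
    summary route sends traffic for other networks to the hub without resolution."""
    hub = Hub("10.0.0.1", "172.30.2.1")
    spoke2 = Spoke("spoke2", "10.0.0.2", "172.30.3.2", hub)
    Spoke("spoke3", "10.0.0.3", "172.30.4.2", hub)
    spoke2.learn_route("192.168.3.0/24", "10.0.0.3")   # phase 2: next hop is the remote spoke
    spoke2.learn_route("192.168.0.0/16", "10.0.0.1")   # phase 3 style summary: next hop is the hub
    first = spoke2.forward("192.168.3.10")
    second = spoke2.forward("192.168.3.11")
    via_hub = spoke2.forward("192.168.5.7")
    return {"first": first, "second": second, "via_hub": via_hub,
            "requests": spoke2.resolution_requests}
```

The first packet towards 192.168.3.0/24 costs one resolution request; the second hits the cache. Traffic matched only by the summary route goes to the hub's NBMA address straight from the static mapping, which is the phase 3 behaviour the text describes before the cut-off.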
NHRP is generally convenient for building VPNs. A VPN consists of a virtual layer 3 network built on top of a real layer 3 network. The addressing structure used across the VPN is independent of the underlying network, and the protocols run across it are completely independent of it. The DMVPN network is based on logical GRE tunnels, which can be protected by adding IPSec to encrypt the GRE IP tunnels.
Connected to the NBMA network are one or more stations that run NHRP and are regarded as NHSs and NHCs. All routers running the Cisco operating system
PART II: PRACTICE
The equipment comprises: 2 Router 2800, 1 Switch 3550, 1 Windows Server 2003
Client 1:
Router#config terminal
Router(config)#hostname client1
Client1(config)# interface f0/1
Client1(config-if)# ip address 172.30.2.2 255.255.255.0
Client1(config-if)# no shut
Client1(config-if)# exit
Client1(config)# interface f0/0
Client1(config-if)# ip address 192.168.1.2 255.255.255.0
Client1(config-if)# no shut
Client1(config-if)# exit
# configure the router's domain name
Client1(config)# ip domain-name cisco.com
Client1(config)# ip host caserver 172.30.1.2
# configure the trustpoint
Client1(config)# crypto ca trustpoint CA
Client1(ca-trustpoint)# enrollment url http://172.30.1.2/certsrv/mscep/mscep.dll
Client1(ca-trustpoint)# subject-name cn=client1@vnpro.org
Client1(ca-trustpoint)# exit
Client1(config)# crypto ca authenticate CA
# configure the VPN
Client1(config)# crypto isakmp policy 10
choose Details
4. Tick Internet Information Services (IIS)
Step 2: Install the CA service
1. Go to Start --> Control Panel --> Add or Remove Programs
2. In Add or Remove Programs, click Add/Remove Windows Components
3. Tick Certificate Services
8. After clicking Next, a notice appears that Internet Information Services must be stopped; choose Yes
9. After clicking Yes, a prompt asks for the I386 files; choose the folder containing the I386 files and click OK
10. While the installation completes, a notice appears; choose Yes
quit
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 172.30.3.2
set transform-set myset
match address 150
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.30.2.2 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 172.30.2.1
!
ip http server
no ip http secure-server
!
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
no login
!
scheduler allocate 20000 1000
!
end
Do the same for client2
Client2# show run
Building configuration...
Current configuration : 5774 bytes
!
! Last configuration change at 17:23:41 UTC Tue Apr 1 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname client2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
quit
certificate ca 2AE3AB73C8740484449E6747E831C315
  3082035E 30820246 A0030201 0202102A E3AB73C8 74048444 9E6747E8 31C31530
  0D06092A 864886F7 0D010105 0500300D 310B3009 06035504 03130243 41301E17
  0D303830 34303131 30303733 305A170D 31333034 30313130 31373039 5A300D31
  0B300906 03550403 13024341 30820122 300D0609 2A864886 F70D0101 01050003
  82010F00 3082010A 02820101 00CBA99B 66BE2E13 686D17E1 78F65707 ED7FC5BB
  8B185DFC ACB0528C 98E34EA1 D8740992 3BCA5499 0F4560D0 FC812612 86F32EE4
  BE2C9F25 8B1E1559 48105CF4 2BA982F1 25796414 F2B0C807 6E674F3C 26570EE5
  6F3B8050 8A9F2B04 950053E5 F5E89D83 3F845E55 B8FC417A 7E928666 93DE60C0
  16B17729 AF9D47C2 B2F38BC9 5A0A9BDC 8F082F5D 9E1A1C52 F38E527C D3675A51
  172C6B22 8D50D782 CD7DFF60 0894C803 D4E383E1 59512FFD A94B6A1B 0E20D5FF
  19AFDBBA 19557ECE BD6AD9C7 3A291286 6BB769E2 732C4077 4DC8C494 03EC5B28
quit
!
!
crypto isakmp policy 10
hash md5
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 172.30.2.2
set transform-set myset
match address 150
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.30.3.2 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
interface Serial0/1/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
ip route 0.0.0.0 0.0.0.0 172.30.3.1
!
!
ip http server
no ip http secure-server
!
access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
no login
!
scheduler allocate 20000 1000
end
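The requirement that both peers carry the same policy, set out in the IKE and IPSec policy steps of the theory part and visible in the client1/client2 configurations above, checked mechanically as an added example that is neither the report's code nor a Cisco tool: a minimal parser for the crypto-related IOS commands used in the lab, followed by a comparison of the two sides. The sample configurations are the lab's, reproduced with the one-space indentation IOS prints for sub-commands; the IOS defaults for an unset isakmp policy parameter (des, sha, rsa-sig, group 1) are filled in so that the comparison sees what the routers actually negotiate. Lifetime is left out of the IKE comparison because peers negotiate it rather than requiring equality.

```python
"""Compatibility check for two IPsec peers' crypto configuration (added example).

Not the report's code or a Cisco tool: a minimal parser for the crypto-related
commands of a Cisco IOS running-config, applied to the lab's client1/client2
configurations (constructed copies, with IOS's one-space sub-command indent).
Only the commands that appear in the lab are understood.
"""

# IOS fills these in when an isakmp policy does not set them explicitly.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}


def parse_crypto(config: str) -> dict:
    """Collect isakmp policies, transform sets, crypto maps, ACL entries and the
    addresses of interfaces that carry a crypto map."""
    cfg = {"isakmp": {}, "transform_sets": {}, "crypto_maps": {}, "acls": {}, "crypto_if_addrs": set()}
    kind, cur = None, None              # block type and the dict its sub-commands fill
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if not line.startswith(" "):    # a top-level command starts a new block
            kind, cur = None, None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                kind, cur = "isakmp", cfg["isakmp"].setdefault(w[3], dict(ISAKMP_DEFAULTS))
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform_sets"][w[3]] = frozenset(w[4:])
            elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
                kind, cur = "map", cfg["crypto_maps"].setdefault(w[2], {})
            elif w[0] == "interface":
                kind, cur = "interface", {}
            elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
                cfg["acls"].setdefault(w[1], set()).add(tuple(w[4:8]))
        elif kind == "isakmp":
            cur[w[0]] = w[1]            # e.g. "hash md5" overrides the default
        elif kind == "map" and w[0] in ("set", "match"):
            cur[w[1]] = w[2]            # peer / transform-set / address
        elif kind == "interface":
            if w[:2] == ["ip", "address"]:
                cur["ip"] = w[2]
            elif w[:2] == ["crypto", "map"] and "ip" in cur:   # IOS prints ip address first
                cfg["crypto_if_addrs"].add(cur["ip"])
    return cfg


def ike_matches(pol_a: dict, pol_b: dict) -> list:
    """(priority_a, priority_b) pairs that agree on encryption, hash, authentication
    and DH group, lowest priorities first, which is the order IKE tries them."""
    keys = ("encryption", "hash", "authentication", "group")
    return [(pa, pb) for pa in sorted(pol_a, key=int) for pb in sorted(pol_b, key=int)
            if all(pol_a[pa][k] == pol_b[pb][k] for k in keys)]


def check_peers(config_a: str, config_b: str) -> list:
    """Return the problems found; an empty list means both sides agree."""
    a, b = parse_crypto(config_a), parse_crypto(config_b)
    problems = []
    if not ike_matches(a["isakmp"], b["isakmp"]):
        problems.append("no ISAKMP policy in common")
    for side, own, other in (("A", a, b), ("B", b, a)):
        remote_sets = {other["transform_sets"].get(m.get("transform-set")) for m in other["crypto_maps"].values()}
        remote_acl = set().union(*(other["acls"].get(m.get("address"), set()) for m in other["crypto_maps"].values()))
        for name, cmap in own["crypto_maps"].items():
            if own["transform_sets"].get(cmap.get("transform-set")) not in remote_sets:
                problems.append(f"{side}: transform-set of crypto map {name} has no equal on the peer")
            if cmap.get("peer") not in other["crypto_if_addrs"]:
                problems.append(f"{side}: peer {cmap.get('peer')} is not a crypto-map interface on the other side")
            own_acl = own["acls"].get(cmap.get("address"), set())
            if {(d, dw, s, sw) for s, sw, d, dw in own_acl} != remote_acl:   # must be mirror images
                problems.append(f"{side}: access-list {cmap.get('address')} does not mirror the peer's")
    return problems


CLIENT1 = """\
crypto isakmp policy 10
 hash md5
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 172.30.3.2
 set transform-set myset
 match address 150
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
interface FastEthernet0/1
 ip address 172.30.2.2 255.255.255.0
 crypto map mymap
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

CLIENT2 = """\
crypto isakmp policy 10
 hash md5
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set myset
 match address 150
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
interface FastEthernet0/1
 ip address 172.30.3.2 255.255.255.0
 crypto map mymap
access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
```

Because only "hash md5" is set in the lab, the policies that actually meet are des / md5 / rsa-sig / group 1 on both sides, which is why the certificate enrollment matters: rsa-sig is the default authentication. Changing the hash on one side, or editing one access-list so it no longer mirrors the other, is reported.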
client2# show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 618FFBFC000000000004
Certificate Usage: General Purpose
Issuer:
cn=CA
Subject:
Name: client2.cisco.com
cn=client1@vnpro.org
hostname=client2.cisco.com
CRL Distribution Points:
http://to-znjn4o6ro04h/CertEnroll/CA.crl
Validity Date:
start date: 10:10:13 UTC Apr 1 2008
end date: 10:20:13 UTC Apr 1 2009
Associated Trustpoints: CA
CA Certificate
Status: Available
Certificate Serial Number: 2AE3AB73C8740484449E6747E831C315
Certificate Usage: Signature
Issuer:
cn=CA
Subject:
cn=CA
CRL Distribution Points:
http://to-znjn4o6ro04h/CertEnroll/CA.crl
Validity Date:
start date: 10:07:30 UTC Apr 1 2008
end date: 10:17:09 UTC Apr 1 2013
Associated Trustpoints: CA
Ping from PC 2 to PC 1 to test the connection:
the result is that the two PCs can reach each other.
Hub(config-if)# exit
Hub(config)# interface f0/1
Hub(config-if)# ip address 192.168.0.1 255.255.255.0
Hub(config-if)# no shutdown
Hub(config-if)# exit
Hub(config)# interface f0/0
Hub(config-if)# ip address 172.30.2.1 255.255.255.0
Hub(config-if)# no shutdown
Hub(config-if)# exit
# routing with the EIGRP protocol
Hub(config)# router eigrp 1
Hub(config-router)# network 10.0.0.0 0.0.0.255
Hub(config-router)# network 192.168.0.0 0.0.0.255
Hub(config-router)# no auto-summary
Check the result
Ping from PC1 to PC2