conf t: Cisco IPsec VPN solutions in business customer networks

Dragan Novaković – Cisco Srbija dnovakov@cisco.com


© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Confidential


Agenda
1. Overview of IPsec VPN technology
2. Configuring ISAKMP/IKE Phase 1
3. Configuring ISAKMP/IKE Phase 2
4. GRE
5. IPsec profiles
6. IPsec Virtual Tunnel Interfaces
7. DMVPN
8. Group Encrypted Transport VPN

IPsec VPN overview

(Figure: site-to-site tunnel between a branch and a bank headquarters.)

Tunneling: IPsec, GRE
Encryption: DES, 3DES, AES
Authentication: RSA digital certificates, pre-shared keys
Integrity: HMAC-MD5, HMAC-SHA-1


ISAKMP/IKE Phase 1

Router(config)# [no] crypto isakmp enable
Router(config)# crypto isakmp policy priority
Router(config-isakmp)# hash {sha | md5}
Router(config-isakmp)# group {1 | 2 | 5}
Router(config-isakmp)# encryption {des | 3des | aes}
Router(config-isakmp)# authentication {rsa-sig | rsa-encr | pre-share}
Router(config-isakmp)# lifetime seconds

Configuring ISAKMP/IKE Phase 1

Topology: RouterA (LAN 10.1.1.0/24, outside address 172.16.171.10) and RouterB (LAN 10.1.2.0/24, outside address 172.16.172.20), connected over the backbone.

RouterA(config)# crypto isakmp policy 1
RouterA(config-isakmp)# auth pre-share
RouterA(config-isakmp)# encryption 3des
RouterA(config-isakmp)# group 2
RouterA(config-isakmp)# lifetime 86400
RouterA(config)# crypto isakmp policy 2
RouterA(config-isakmp)# auth pre-share
RouterA(config-isakmp)# hash md5

RouterB(config)# crypto isakmp policy 1
RouterB(config-isakmp)# auth pre-share
RouterB(config-isakmp)# hash md5
RouterB(config)# crypto isakmp policy 2
RouterB(config-isakmp)# auth pre-share
RouterB(config-isakmp)# encryption 3des
RouterB(config-isakmp)# group 2
RouterB(config-isakmp)# lifetime 86400

Configuring ISAKMP/IKE Phase 1: pre-shared key

Same topology (RouterA 172.16.171.10, RouterB 172.16.172.20). Each router points the key at the other's outside address:

RouterA(config)# crypto isakmp key 0 cisco123abc address 172.16.172.20
RouterB(config)# crypto isakmp key 0 cisco123abc address 172.16.171.10

show crypto isakmp policy

Router# show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
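As an added example (not part of the slides), a Python model of how RouterA and RouterB above agree on a Phase 1 policy: the responder walks its own policies in priority order and accepts the first offered proposal whose encryption, hash, authentication and DH group match, with the default suite always available at the lowest priority. Because the two routers list their policies in mirrored order, which cipher wins depends on who initiates.

```python
"""IKE Phase 1 (ISAKMP) policy matching between two IOS routers (added example).

Models the negotiation for the RouterA / RouterB policies configured above.
The matching rule follows the IOS documentation (a teaching model, not Cisco
code): encryption, hash, authentication and DH group must be identical and the
proposed lifetime may not exceed the responder's; the responder walks its own
policies in priority order and takes the first proposal that fits.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    """One `crypto isakmp policy <priority>`; unset parameters take the IOS defaults
    shown in the "Default protection suite" above (des / sha / rsa-sig / group 1 / 86400 s)."""
    priority: int
    encryption: str = "des"
    hash: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400


# IOS keeps the default suite at the lowest priority, so it remains a candidate.
DEFAULT_SUITE = IsakmpPolicy(priority=65535)


def ordered(policies: List[IsakmpPolicy]) -> List[IsakmpPolicy]:
    """Policies in negotiation order: lowest priority number first, default suite last."""
    return sorted(policies, key=lambda p: p.priority) + [DEFAULT_SUITE]


def accepts(mine: IsakmpPolicy, offered: IsakmpPolicy) -> bool:
    """Responder-side match rule for one of its policies against one offered proposal."""
    return (mine.encryption == offered.encryption
            and mine.hash == offered.hash
            and mine.authentication == offered.authentication
            and mine.group == offered.group
            and offered.lifetime <= mine.lifetime)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[str, str, str, int, int]]:
    """Return (encryption, hash, authentication, group, lifetime) agreed for the IKE SA,
    or None. The responder's priority order decides which acceptable proposal wins."""
    proposals = ordered(initiator)
    for mine in ordered(responder):
        for offered in proposals:
            if accepts(mine, offered):
                return (mine.encryption, mine.hash, mine.authentication,
                        mine.group, min(mine.lifetime, offered.lifetime))
    return None


# The two policy lists from the slide (hash defaults to sha, encryption to des, group to 1)
ROUTER_A = [
    IsakmpPolicy(1, authentication="pre-share", encryption="3des", group=2, lifetime=86400),
    IsakmpPolicy(2, authentication="pre-share", hash="md5"),
]
ROUTER_B = [
    IsakmpPolicy(1, authentication="pre-share", hash="md5"),
    IsakmpPolicy(2, authentication="pre-share", encryption="3des", group=2, lifetime=86400),
]

if __name__ == "__main__":
    # Mirrored priorities: the weaker DES/MD5 suite wins when RouterA initiates,
    # 3DES/SHA when RouterB initiates. The responder's ordering decides.
    print("RouterA initiates:", negotiate(ROUTER_A, ROUTER_B))
    print("RouterB initiates:", negotiate(ROUTER_B, ROUTER_A))
```

Ordering the strongest suite first on both peers, and not relying on the default suite, removes this dependency on the initiator.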


ISAKMP/IKE Phase 2

Router(config)# crypto map map_name seq_# ipsec-isakmp
Router(config-crypto-m)# match address ACL_name_or_#
Router(config-crypto-m)# set peer {hostname | IP_address}
Router(config-crypto-m)# set pfs [group1 | group2 | group5]
Router(config-crypto-m)# set transform-set transform_set_name1 [transform-set-name2...transform-set-name6]
Router(config-crypto-m)# set security-association lifetime {seconds seconds | kilobytes kilobytes}
Router(config-crypto-m)# set security-association idle-time seconds

Static crypto map

Same topology (RouterA 172.16.171.10 with LAN 10.1.1.0/24, RouterB 172.16.172.20 with LAN 10.1.2.0/24).

RouterA:
crypto ipsec transform-set RTRA esp-aes esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.172.20
 set transform-set RTRA
 match address RTRA
interface Ethernet0/0
 crypto map mymap

RouterB:
crypto ipsec transform-set RTRB esp-aes esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.171.10
 set transform-set RTRB
 match address RTRB
interface Ethernet0/0
 crypto map mymap

Static vs. dynamic crypto map

Static crypto map (one entry per remote site, Site_A and Site_B reached through the ISP):
crypto map vpn 10 ipsec-isakmp
 set peer Site_A
 set transform-set …
 match address 101
crypto map vpn 20 ipsec-isakmp
 set peer Site_B
 set transform-set …
 match address 102

Dynamic crypto map (peer and protected traffic are learned during negotiation):
crypto dynamic-map dynamap 10
 set transform-set …
crypto map vpn 10 ipsec-isakmp dynamic dynamap

Filtering / access control

IKE: UDP port 500
ESP: IP protocol 50
AH: IP protocol 51
NAT-T: UDP port 4500

Filtering IPsec traffic

1. Router(config)# crypto map map_name seq_# ipsec-isakmp
2. Router(config-crypto-map)# set ip access-group {ACL_# | ACL_name} {in | out}

Inbound encrypted packet flow

(Figure: Layer 2 decapsulation -> inbound access ACL -> reverse crypto map ACL -> IPsec decryption -> crypto map ACL -> packet forwarding, with a drop exit at each ACL check.)

1. The IP packet is checked against the inbound interface ACL.
2. The IP packet is checked against the reverse crypto map ACL; if the packet should have arrived encrypted but did not, it is dropped.
3. If the IP packet is not encrypted, it is forwarded.
4. If the IP packet is encrypted, it is decrypted.
5. The decrypted packet is checked against the optional inbound ACL in the crypto map.
6. The decrypted IP packet is forwarded.

Outbound encrypted packet flow

(Figure: crypto map ACL -> outbound access ACL / crypto map ACL -> IPsec encryption -> outbound ACL -> Layer 2 encapsulation, with a drop exit at each ACL check.)

1. Outbound IP packets are checked against the crypto map ACL and marked for encryption.
2. IP packets not marked for encryption are checked against the outbound interface ACL.
3. IP packets marked for encryption are checked against the optional crypto ACL.
4. The IP packet is encrypted.
5. Encrypted IP packets are checked against the outbound interface ACL.
6. The IP packet is encapsulated in Layer 2.
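The two flows above, as an added example (not from the slides): a Python model of the order of checks, run with the perimeter and crypto ACLs of the GRE-over-IPsec example later in the deck (RTR A 192.1.1.1, peer RTR B 193.1.1.1). It shows why a cleartext GRE packet from the peer is dropped at step 2 even though the perimeter ACL permits GRE.

```python
"""Model of the inbound and outbound IPsec packet flow (added example).

Simulates the six-step orders shown on the slides with the ACLs from the
GRE-over-IPsec example (RTR A: 192.1.1.1, peer RTR B: 193.1.1.1). It is a
teaching model of the order of checks, not Cisco IOS code.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                         # "udp", "gre", "esp", "tcp", ...
    dport: Optional[int] = None
    inner: Optional["Packet"] = None   # cleartext payload carried by an ESP packet


@dataclass
class Ace:
    """One access-list entry; "ip" matches any protocol, "any" matches any address."""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


def acl_permits(acl: Optional[List[Ace]], p: Packet) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny. No ACL = permit."""
    if acl is None:
        return True
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


def reversed_acl(acl: List[Ace]) -> List[Ace]:
    """The reverse crypto map ACL: source and destination swapped."""
    return [Ace(a.action, a.proto, a.dst, a.src, a.dport) for a in acl]


def inbound_flow(p, interface_acl, crypto_acl, crypto_in_acl=None):
    """Return (decision, step) following the inbound flow on the slide."""
    if not acl_permits(interface_acl, p):                 # 1. inbound interface ACL
        return "drop", 1
    if p.proto != "esp":
        if acl_permits(reversed_acl(crypto_acl), p):      # 2. should have arrived encrypted
            return "drop", 2
        return "forward", 3                               # 3. cleartext, forwarded
    decrypted = p.inner                                   # 4. IPsec decryption
    if not acl_permits(crypto_in_acl, decrypted):         # 5. optional crypto map inbound ACL
        return "drop", 5
    return "forward", 6                                   # 6. decrypted packet forwarded


def outbound_flow(p, crypto_acl, interface_acl, local, peer, crypto_out_acl=None):
    """Return (decision, step, packet_sent) following the outbound flow on the slide."""
    if not acl_permits(crypto_acl, p):                    # 1. crypto map ACL marks for encryption
        if not acl_permits(interface_acl, p):             # 2. unmarked: outbound interface ACL
            return "drop", 2, None
        return "forward", 2, p
    if not acl_permits(crypto_out_acl, p):                # 3. optional crypto ACL
        return "drop", 3, None
    esp = Packet(local, peer, "esp", inner=p)             # 4. encryption
    if not acl_permits(interface_acl, esp):               # 5. outbound interface ACL on the ESP packet
        return "drop", 5, None
    return "forward", 6, esp                              # 6. Layer 2 encapsulation


# ACLs from the GRE-over-IPsec slides, as seen on RTR A (192.1.1.1)
PERIMETER = [     # ip access-list extended perimeter (pre-12.3(8)T form: GRE still permitted)
    Ace("permit", "udp", "193.1.1.1", "192.1.1.1", 500),
    Ace("permit", "esp", "193.1.1.1", "192.1.1.1"),
    Ace("permit", "gre", "193.1.1.1", "192.1.1.1"),
    Ace("deny", "ip", "any", "any"),
]
CRYPTO_ACL = [Ace("permit", "gre", "192.1.1.1", "193.1.1.1")]   # ip access-list extended cryptoACL

if __name__ == "__main__":
    gre = Packet("193.1.1.1", "192.1.1.1", "gre")
    print("cleartext GRE from peer:", inbound_flow(gre, PERIMETER, CRYPTO_ACL))
    print("ESP from peer:", inbound_flow(Packet("193.1.1.1", "192.1.1.1", "esp", inner=gre),
                                         PERIMETER, CRYPTO_ACL))
```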


Non-unicast traffic

One of the problems with IPsec is that it supports only unicast traffic: multicast and broadcast packets do not pass through the data SA. The initial solution to this problem was to encapsulate the multicast or broadcast packet in a unicast packet that IPsec can handle: Generic Routing Encapsulation (GRE) tunneling.

GRE tunneling

GRE encapsulates the original packet in a new packet by creating a tunnel (virtual/logical) interface. The tunnel interface is not tied to any physical interface or protocol; it is used only for encapsulation.

(Figure: header layout)
Original L3 packet:  IP HDR | Data
GRE tunnel:          IP HDR | GRE HDR | IP HDR | Data
IPsec tunnel:        IP HDR | ESP HDR | IP HDR | GRE HDR | IP HDR | Data   (everything after the ESP header is encrypted)

GRE tunnel configuration

1. Router(config)# interface tunnel port_#
2. Router(config-if)# tunnel source {IP_address_on_router | interface_name_on_router}
3. Router(config-if)# tunnel destination {IP_address_of_dst_router | name_of_dst_router}
4. Router(config-if)# keepalive [seconds [retries]]
5. Router(config-if)# tunnel mode mode

Example: GRE and OSPF

Topology: RTR A (LAN 192.168.1.254/24, outside 192.1.1.1, ISP next hop 192.1.1.2) and RTR B (LAN 192.168.2.254/24, outside 193.1.1.1, ISP next hop 193.1.1.2); the tunnel network is 192.168.3.0/24.

RTR A:
interface Ethernet0/0
 ip address 192.1.1.1 255.255.255.0
 ip access-group perimeter in
interface Ethernet0/1
 ip address 192.168.1.254 255.255.255.0
interface Tunnel0
 ip address 192.168.3.1 255.255.255.0
 tunnel source 192.1.1.1
 tunnel destination 193.1.1.1
router ospf 1
 network 192.168.1.0 0.0.0.255 area 1
 network 192.168.3.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 192.1.1.2
ip access-list extended perimeter
 permit udp host 193.1.1.1 host 192.1.1.1 eq 500
 permit esp host 193.1.1.1 host 192.1.1.1
 permit gre host 193.1.1.1 host 192.1.1.1
 deny ip any any

RTR B:
interface Ethernet0/0
 ip address 193.1.1.1 255.255.255.0
 ip access-group perimeter in
interface Ethernet0/1
 ip address 192.168.2.254 255.255.255.0
interface Tunnel0
 ip address 192.168.3.2 255.255.255.0
 tunnel source 193.1.1.1
 tunnel destination 192.1.1.1
router ospf 1
 network 192.168.2.0 0.0.0.255 area 1
 network 192.168.3.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 193.1.1.2
ip access-list extended perimeter
 permit udp host 192.1.1.1 host 193.1.1.1 eq 500
 permit esp host 192.1.1.1 host 193.1.1.1
 permit gre host 192.1.1.1 host 193.1.1.1
 deny ip any any

RTR B routing table

RTRB# show ip route
C    193.1.1.0/24 is directly connected, Ethernet0/0
C    192.168.2.0/24 is directly connected, Ethernet0/1
O IA 192.168.1.0/24 [110/11112] via 192.168.3.1, 00:04:53, Tunnel0
C    192.168.3.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 193.1.1.2

The remote LAN behind RTR A (192.168.1.0/24) is learned over the GRE tunnel as an OSPF inter-area route.

GRE over IPsec configuration

Same topology (RTR A 192.1.1.1 with LAN 192.168.1.254/24, RTR B 193.1.1.1 with LAN 192.168.2.254/24).

RTR A:
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 193.1.1.1 no-xauth
ip access-list extended cryptoACL
 permit gre host 192.1.1.1 host 193.1.1.1
crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
 mode transport
crypto map mymap 10 ipsec-isakmp
 set peer 193.1.1.1
 set transform-set RTRtran
 match address cryptoACL
interface Ethernet0/0
 crypto map mymap
ip access-list extended perimeter
 ! On IOS 12.3(8)T and later:
 no permit gre host 193.1.1.1 host 192.1.1.1

RTR B:
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.1.1.1 no-xauth
ip access-list extended cryptoACL
 permit gre host 193.1.1.1 host 192.1.1.1
crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
 mode transport
crypto map mymap 10 ipsec-isakmp
 set peer 192.1.1.1
 set transform-set RTRtran
 match address cryptoACL
interface Ethernet0/0
 crypto map mymap
ip access-list extended perimeter
 ! On IOS 12.3(8)T and later:
 no permit gre host 192.1.1.1 host 193.1.1.1

GRE over IPsec: configuration evolution

Before 12.2(13)T, crypto maps were applied both to the GRE tunnel interface and to the physical interface. From 12.2(13)T on, the crypto map is applied to the physical interface only, or an IPsec profile is applied to the tunnel interface with tunnel protection.


IPsec profiles

IPsec profiles, introduced in IOS 12.2(13)T, abstract the information held in crypto maps. The profile is then referenced from a crypto map or on tunnel interfaces. A profile can contain transform sets, PFS groups, identity types and SA lifetimes. When the remote peers have similar connection parameters, profiles make the configuration far simpler.

GRE over IPsec configuration: crypto map vs. IPsec profile

Same topology (LANs 192.168.1.254/24 and 192.168.2.254/24, outside addresses 192.1.1.1 and 193.1.1.1, tunnel network 192.168.3.0/24).

Classic configuration (crypto map):
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco47 address 193.1.1.1
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
!
crypto map vpnmap2 local-address Ethernet1
crypto map vpnmap2 10 ipsec-isakmp
 set peer 193.1.1.1
 set transform-set trans2
 match address 110
interface Ethernet1
 ip address 192.1.1.1 255.255.255.0
 crypto map vpnmap2
interface Tunnel0
 ip address 192.168.3.1 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet1
 tunnel destination 193.1.1.1
 crypto map vpnmap2        ! highlighted on the original slide (needed on the tunnel before 12.2(13)T)
ip route 0.0.0.0 0.0.0.0 192.1.1.2
!
access-list 110 permit gre host 192.1.1.1 host 193.1.1.1

12.2(13)T and later IOS (IPsec profile):
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco47 address 192.1.1.1
!
crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Ethernet1
 ip address 193.1.1.1 255.255.255.0
interface Tunnel0
 ip address 192.168.3.2 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet1
 tunnel destination 192.1.1.1
 tunnel protection ipsec profile vpnprof
ip route 0.0.0.0 0.0.0.0 193.1.1.2

Virtual Tunnel Interface

(Figure: LAN 192.168.1.0/24 -- Tunnel0 192.168.100.0/30 over IPsec -- LAN 192.168.2.0/24.)

IPsec static Virtual Tunnel Interfaces:
1. The concept was introduced in IOS 12.3(14)T; it simplifies VPN configuration by eliminating crypto maps, access control lists and GRE.
2. Simpler VPN design: more scalable than GRE.
3. A 1:1 relationship between tunnels and sites.
4. VTI supports Quality of Service (QoS), multicast and other routing functions.
5. Improved VPN interoperability.

Outbound packet flow (VTI)

(Figure: ingress interface -> Cisco IOS router forwarding engine -> VTI / IPsec encryption -> forwarding engine -> egress interface.)

1. The IP packet enters the router.
2. The packet is routed to the VTI.
3. The encrypted packet is handed back to the forwarding engine.
4. The encrypted packet is forwarded to the egress interface.

Inbound packet flow (VTI)

(Figure: ingress interface -> forwarding engine -> IPsec decryption / VTI -> forwarding engine -> egress interface.)

1. The encrypted IP packet enters the router.
2. The forwarding engine determines whom the packet is for and sends it to IPsec for decryption.
3. IPsec decrypts the packet and associates it with the VTI through the SA information.
4. The packet is sent to the egress interface.

VTI configuration: IKE (Phase 1)

Topology: Router1 (LAN 10.1.1.0/24, outside 172.16.171.10) and Router2 (LAN 10.1.2.0/24, outside 172.16.172.20), connected over the backbone.

Router1:
crypto isakmp policy 1
 hash sha
 group 5
 authentication pre-share
 encr aes 256
crypto isakmp key df*li^gj*al address 172.16.172.20 netmask 255.255.255.255

Router2:
crypto isakmp policy 1
 hash sha
 group 5
 authentication pre-share
 encr aes 256
crypto isakmp key df*li^gj*al address 172.16.171.10 netmask 255.255.255.255

VTI configuration: IPsec (Phase 2)

Router1:
crypto ipsec transform-set tset_aes_sha esp-aes 256 esp-sha-hmac
crypto ipsec profile VTI
 set transform-set tset_aes_sha
ip route 10.1.2.0 255.255.255.0 tunnel0

Router2:
crypto ipsec transform-set tset_aes_sha esp-aes 256 esp-sha-hmac
crypto ipsec profile VTI
 set transform-set tset_aes_sha
ip route 10.1.1.0 255.255.255.0 tunnel0

Apply VPN configuration

Router1:
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 tunnel mode ipsec ipv4
 tunnel source 172.16.171.10
 tunnel destination 172.16.172.20
 tunnel protection ipsec profile VTI

Router2:
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 tunnel mode ipsec ipv4
 tunnel source 172.16.172.20
 tunnel destination 172.16.171.10
 tunnel protection ipsec profile VTI


What is Dynamic Multipoint VPN?

1. DMVPN is a Cisco IOS software solution for building IPsec+GRE VPNs in a simple, dynamic and scalable way.
2. It relies on two technologies:
   Next Hop Resolution Protocol (NHRP): builds a distributed database that maps the VPN (tunnel interface) address to the real (public interface) address.
   Multipoint GRE tunnel interface: a GRE interface that supports multiple GRE/IPsec tunnels and endpoints.
DMVPN supports dynamic tunnel creation and reduces the size and complexity of the configuration.

DMVPN operation

A spoke router builds a dynamic permanent GRE/IPsec tunnel to the hub, but not to the other spoke routers. Spokes register as clients with the NHRP server (the hub).
When a spoke wants to send a packet to a network behind another spoke router, it queries NHRP for the real (outside) address of the destination device.
The spoke can then initiate a dynamic GRE/IPsec tunnel to the destination spoke router. Dynamic spoke-to-spoke tunnels are built over the mGRE interface.
Once the traffic exchange ends, the spoke-to-spoke tunnel is torn down.

Example: NHRP registration = dynamic permanent IPsec tunnels

(Figure: hub with physical address 200.0.0.1 and Tunnel0 10.0.0.1; Spoke A with dynamic physical address 202.0.0.1 and Tunnel0 10.0.0.11; Spoke B with dynamic physical address 201.0.0.1 and Tunnel0 10.0.0.12; each router has its own 192.168.x.0/24 LAN. The hub's NHRP mapping table holds the spokes' tunnel-to-physical address mappings, and its routing table lists the spoke LAN prefixes learned over the tunnels.)
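The registration and resolution sequence described above, as an added example (not part of the slides): a Python model of the hub acting as NHRP server, two spokes with the addresses from the figure registering and resolving each other, a dynamic spoke-to-spoke tunnel that is torn down once idle, and a registration rejected because its `ip nhrp authentication` string does not match. The holdtime-based teardown is a simplification of the real NHRP/IPsec timers.

```python
"""NHRP registration and resolution in DMVPN (added example, not from the slides).

A teaching model of the behaviour described above: spokes build a permanent
tunnel to the hub and register their tunnel-to-physical address mapping with
it (the NHRP server), a spoke resolves another spoke's physical address through
the hub, builds a dynamic spoke-to-spoke tunnel and tears it down once idle.
Addresses come from the NHRP figure; the auth string models
`ip nhrp authentication`. Not Cisco IOS code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Hub:
    """The Next Hop Server: holds the distributed mapping database."""
    tunnel_ip: str
    physical_ip: str
    auth: str
    nhrp_cache: Dict[str, str] = field(default_factory=dict)   # tunnel IP -> physical IP

    def register(self, tunnel_ip: str, physical_ip: str, auth: str) -> bool:
        """Accept a registration only if the NHRP authentication string matches."""
        if auth != self.auth:
            return False
        self.nhrp_cache[tunnel_ip] = physical_ip
        return True

    def resolve(self, tunnel_ip: str) -> Optional[str]:
        """Answer a resolution request: physical address for a tunnel address, if known."""
        return self.nhrp_cache.get(tunnel_ip)


@dataclass
class Spoke:
    tunnel_ip: str
    physical_ip: str          # typically dynamic, unknown to the other spokes in advance
    hub: Hub
    auth: str
    tunnels: Set[str] = field(default_factory=set)      # physical peers with an active GRE/IPsec tunnel
    idle: Dict[str, int] = field(default_factory=dict)  # seconds since a dynamic tunnel last carried traffic

    def boot(self) -> bool:
        """Permanent tunnel to the hub (ip nhrp map / ip nhrp nhs) plus NHRP registration."""
        self.tunnels.add(self.hub.physical_ip)
        return self.hub.register(self.tunnel_ip, self.physical_ip, self.auth)

    def next_hop_for(self, tunnel_ip: str) -> str:
        """Physical address used to reach a tunnel address. Resolving another spoke through
        the hub brings up a dynamic spoke-to-spoke tunnel; unresolved traffic stays on the
        hub tunnel."""
        if tunnel_ip == self.hub.tunnel_ip:
            return self.hub.physical_ip
        physical = self.hub.resolve(tunnel_ip)
        if physical is None:
            return self.hub.physical_ip
        self.tunnels.add(physical)
        self.idle[physical] = 0
        return physical

    def tick(self, seconds: int, holdtime: int) -> None:
        """Age dynamic tunnels; those idle for the holdtime are torn down (simplified model)."""
        for peer in list(self.idle):
            self.idle[peer] += seconds
            if self.idle[peer] >= holdtime:
                self.tunnels.discard(peer)
                del self.idle[peer]


if __name__ == "__main__":
    hub = Hub("10.0.0.1", "200.0.0.1", auth="cisco123")
    spoke_a = Spoke("10.0.0.11", "202.0.0.1", hub, auth="cisco123")
    spoke_b = Spoke("10.0.0.12", "201.0.0.1", hub, auth="cisco123")
    spoke_a.boot()
    spoke_b.boot()
    print("hub NHRP cache:", hub.nhrp_cache)
    print("spoke A reaches 10.0.0.12 via", spoke_a.next_hop_for("10.0.0.12"))
    spoke_a.tick(300, holdtime=300)
    print("spoke A tunnels after holdtime:", spoke_a.tunnels)
```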

Hub router configuration before DMVPN

One point-to-point GRE tunnel, one crypto map entry and one ACL per spoke (Spoke1 shown, then the per-spoke template for spoke X):

hub(config)# crypto isakmp policy 1
hub(config-isakmp)# authentication pre-share
hub(config-isakmp)# encryption aes
hub(config-isakmp)# exit
hub(config)# crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
hub(config)# access-list 101 permit gre host 200.0.0.1 host 201.0.0.1
hub(config)# crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
hub(cfg-crypto-trans)# mode transport
hub(config)# crypto map mymap local-address Ethernet0
hub(config)# crypto map mymap 10 ipsec-isakmp
hub(config-crypto-map)# set peer 201.0.0.1
hub(config-crypto-map)# set transform-set trans2
hub(config-crypto-map)# match address 101
hub(config)# interface Tunnel1
hub(config-if)# description Connection to Spoke1
hub(config-if)# bandwidth 1000
hub(config-if)# ip address 10.0.0.1 255.255.255.252
hub(config-if)# ip mtu 1440
hub(config-if)# delay 1000
hub(config-if)# tunnel source Ethernet0
hub(config-if)# tunnel destination 201.0.0.1
hub(config)# interface Ethernet0
hub(config-if)# description Internet Connection
hub(config-if)# ip address 200.0.0.1 255.255.255.0
hub(config-if)# crypto map mymap
hub(config)# interface Ethernet1
hub(config-if)# description Local LAN
hub(config-if)# ip address 192.168.0.1 255.255.255.0
hub(config)# router ospf 1
hub(config-router)# network 10.0.0.0 0.0.0.255 area 1
hub(config-router)# network 192.168.0.0 0.0.0.255 area 0

Repeated for every additional spoke X:
hub(config)# access-list <x+100> permit gre host 200.0.0.1 host <200+x>.0.0.1
hub(config)# crypto map mymap <x*10> ipsec-isakmp
hub(config-crypto-map)# set peer <200+x>.0.0.1
hub(config-crypto-map)# set transform-set trans2
hub(config-crypto-map)# match address <x+100>
hub(config)# interface Tunnel<x>
hub(config-if)# description Connection to SpokeX
hub(config-if)# bandwidth 1000
hub(config-if)# ip address 10.0.0.<4*x-1> 255.255.255.252
hub(config-if)# ip mtu 1440
hub(config-if)# delay 1000
hub(config-if)# tunnel source Ethernet0
hub(config-if)# tunnel destination <200+x>.0.0.1

DMVPN hub configuration

hub(config)# crypto ipsec profile profile_name
hub(ipsec-profile)# set transform-set transform_set_name
hub(config)# interface tunnel tunnel_#
hub(config-if)# tunnel key key_#
hub(config-if)# tunnel mode gre multipoint
hub(config-if)# tunnel protection ipsec profile profile_name
hub(config-if)# ip nhrp authentication string
hub(config-if)# ip nhrp holdtime seconds
hub(config-if)# ip nhrp network-id network_identifier
hub(config-if)# ip nhrp map multicast dynamic

DMVPN spoke configuration

spoke(config)# crypto ipsec profile profile_name
spoke(ipsec-profile)# set transform-set transform_set_name
spoke(config)# interface tunnel tunnel_#
spoke(config-if)# tunnel mode gre multipoint
spoke(config-if)# tunnel key key_#
spoke(config-if)# tunnel protection ipsec profile profile_name
spoke(config-if)# ip nhrp network-id network_identifier
spoke(config-if)# ip nhrp authentication string
spoke(config-if)# ip nhrp map hub_GRE_IP_address hub_external_interface_IP_address
spoke(config-if)# ip nhrp map multicast hub_external_interface_IP_address
spoke(config-if)# ip nhrp nhs hub_GRE_IP_address
spoke(config-if)# ip nhrp holdtime seconds

DMVPN routing configuration

EIGRP:
hub(config)# interface tunnel tunnel_#
hub(config-if)# no ip split-horizon eigrp AS_#
hub(config-if)# no ip next-hop-self eigrp AS_#

OSPF:
hub(config)# interface tunnel tunnel_#
hub(config-if)# ip ospf network broadcast
hub(config-if)# ip ospf priority #_>_1

DMVPN hub configuration (example)

hub(config)# crypto isakmp policy 1
hub(config-isakmp)# authentication pre-share
hub(config-isakmp)# encryption aes
hub(config)# crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
hub(config)# crypto isakmp keepalive 20 3
hub(config)# crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
hub(cfg-crypto-trans)# mode transport
hub(cfg-crypto-trans)# exit
hub(config)# crypto ipsec profile dmvpnprofile
hub(ipsec-profile)# set transform-set trans2
hub(config)# interface tunnel0
hub(config-if)# description Connection to Spokes
hub(config-if)# bandwidth 1000
hub(config-if)# ip address 10.0.0.1 255.255.255.0
hub(config-if)# ip mtu 1436
hub(config-if)# delay 1000
hub(config-if)# ip ospf network broadcast
hub(config-if)# ip ospf priority 2
hub(config-if)# ip nhrp authentication cisco123
hub(config-if)# ip nhrp map multicast dynamic
hub(config-if)# ip nhrp network-id 100000
hub(config-if)# ip nhrp holdtime 600
hub(config-if)# tunnel source Ethernet0
hub(config-if)# tunnel mode gre multipoint
hub(config-if)# tunnel key 100000
hub(config-if)# tunnel protection ipsec profile dmvpnprofile
hub(config)# interface Ethernet0
hub(config-if)# description Internet Connection
hub(config-if)# ip address 200.0.0.1 255.255.255.0
hub(config)# interface Ethernet1
hub(config-if)# description Local LAN
hub(config-if)# ip address 192.168.0.1 255.255.255.0
hub(config)# router ospf 1
hub(config-router)# network 10.0.0.0 0.0.0.255 area 1
hub(config-router)# network 192.168.0.0 0.0.0.255 area 0

DMVPN spoke configuration (example, spoke X)

spokeX(config)# crypto isakmp policy 1
spokeX(config-isakmp)# authentication pre-share
spokeX(config-isakmp)# encryption aes
spokeX(config)# crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
spokeX(config)# crypto isakmp keepalive 20 3
spokeX(config)# crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
spokeX(cfg-crypto-trans)# mode transport
spokeX(cfg-crypto-trans)# exit
spokeX(config)# crypto ipsec profile dmvpnprofile
spokeX(ipsec-profile)# set transform-set trans2
spokeX(config)# interface tunnel0
spokeX(config-if)# description Connection to hub
spokeX(config-if)# bandwidth 1000
spokeX(config-if)# ip address 10.0.0.<x+1> 255.255.255.0
spokeX(config-if)# ip mtu 1436
spokeX(config-if)# delay 1000
spokeX(config-if)# ip ospf network broadcast
spokeX(config-if)# ip ospf priority 0
spokeX(config-if)# ip nhrp authentication cisco123
spokeX(config-if)# ip nhrp map multicast 200.0.0.1
spokeX(config-if)# ip nhrp map 10.0.0.1 200.0.0.1
spokeX(config-if)# ip nhrp nhs 10.0.0.1
spokeX(config-if)# ip nhrp network-id 100000
spokeX(config-if)# ip nhrp holdtime 300
spokeX(config-if)# tunnel source Ethernet0
spokeX(config-if)# tunnel mode gre multipoint
spokeX(config-if)# tunnel key 100000
spokeX(config-if)# tunnel protection ipsec profile dmvpnprofile
spokeX(config)# interface Ethernet0
spokeX(config-if)# description Connection to Internet
spokeX(config-if)# ip address dhcp hostname Spoke<x>
spokeX(config)# interface Ethernet1
spokeX(config-if)# description Local LAN
spokeX(config-if)# ip address 192.168.<x>.1 255.255.255.0
spokeX(config)# router ospf 1
spokeX(config-router)# network 10.0.0.0 0.0.0.255 area 1
spokeX(config-router)# network 192.168.<x>.0 0.0.0.255 area 1


Group Security Functions

Key Server: validates group members, manages the security policy, creates group keys, distributes policy / keys.
Group Members: encryption devices; route between secure / unsecure regions; multicast participation.
Routing Members: forwarding, replication, routing.

Group Security Elements

Key Encryption Key (KEK), Traffic Encryption Key (TEK) and Group Policy, distributed by the Key Server to the Group Members across the Routing Members.
RFC 3547: Group Domain of Interpretation (GDOI).

Group Security Association

Group members share a common SA.
The SA applies to all members of the group; all VPN gateways have the same status.
The SA is not specific to individual members; instead, the VPN gateways work together to protect the traffic.
Traffic is exchanged between any pair of VPN gateways.

Basic GET VPN architecture, step 1: group members (GM) "register" with the Key Server (KS) over GDOI. The KS authenticates and authorizes the GM and returns the set of IPsec SAs the GM must use.

(Figure: GM1 to GM9 registering with the KS.)

Basic GET VPN architecture, step 2: data plane encryption. GMs exchange encrypted traffic using the group keys. IPsec tunnel mode with "address preservation" is used.

(Figure: GM1 to GM9 exchanging traffic directly; KS not in the data path.)

Basic GET VPN architecture, step 3: periodic rekey. The KS sends a new IPsec key before the current IPsec key expires.

(Figure: KS pushing the rekey to GM1 to GM9.)

Key Server configuration

(Slide from BRKSEC-4012, © 2007 Cisco Systems, Inc.)

crypto gdoi group secure-wan
 identity number 3333                              ! <- GROUP ID
 server local                                      ! <- KEY SERVER
  rekey address ipv4 102                           ! <- REKEY ADDRESSES
  rekey retransmit 40 number 3                     ! <- REKEY RETRANSMITS
  authorization address ipv4 member-list           ! <- GROUP MEMBER AUTHORIZATION
  sa ipsec 1                                       ! <- SECURITY ASSOCIATION
   profile gdoi-p                                  ! <- CRYPTO ATTRIBUTES SELECTION
   match address ipv4 lans-only                    ! <- GROUP MEMBER ENCRYPTION POLICY
   no replay                                       ! <- NO ANTI-REPLAY
  address ipv4 <ks_address>                        ! <- KS ADDRESS
!
! Group Member Authorization List (optional)
ip access-list extended member-list
 permit <ks_peer_address>                          ! <- PEER KS
 permit <gm_address>                               ! <- GM AUTH LIST
!
! Rekey profile (needed for multicast rekey only)
access-list 102 permit ip any host <multicast_rekey_group>   ! <- REKEY SOURCE / DESTINATION (239.192.x.x on the slide)
!
! Encryption IPsec proxy (mandatory)
ip access-list extended lans-only
 deny udp any eq 848 any eq 848                                ! <- GDOI IN CLEAR
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255       ! <- ENCRYPTION POLICY LAN-to-LAN, UNICAST
 permit ip 10.0.0.0 0.255.255.255 232.0.0.0 0.255.255.255      ! <- MULTICAST

Group Member configuration

! Secured Group Member interface
interface Serial0/0
 ip address 192.168.1.14 255.255.255.252
 crypto map svn                                    ! <- WAN ENCRYPTION
!
! Crypto map association to group security
crypto map svn 10 gdoi                             ! <- GROUP CRYPTO MAP ENTRY
 set group secure-wan                              ! <- GROUP MEMBERSHIP
!
! Group Member association
crypto gdoi group secure-wan                       ! <- GROUP ENCRYPTION
 identity number 3333                              ! <- GROUP IDENTITY FOR MEMBER
 server address ipv4 <ks_address>                  ! <- KS ADDRESS TO REGISTER

Cisco Networkers, 25-28 January 2010, Barcelona
Cisco Networkers, 28-31 March 2010, Bahrain
Register now.
