.

2022-03-28 19:53:08 +02:00 · 2022-03-28 19:53:08 +02:00 · 46c5ff0cec
commit 46c5ff0cec
7 changed files with 636 additions and 0 deletions
--- a/FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt
+++ b/FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt
@ -0,0 +1,62 @@
+R1(config)#ip http server 
+
+R1(config)#crypto pki server R1CA
+R1(cs-server)#issuer-name cn="R1CA"
+R1(cs-server)#grant auto
+R1(cs-server)#no shutdown
+
+R1(config)#ip domain name NWL.LAB
+R1(config)#crypto pki trustpoint R1CLIENT
+R1(ca-trustpoint)#enrollment url http://192.168.1.1
+R1(ca-trustpoint)#subject-name cn=R1CLIENT.CONTOSO.COM
+R1(config)#crypto pki authenticate R1CLIENT
+R1(config)#crypto pki enroll R1CLIENT
+
+
+R1(config)#aaa new-model
+
+R1(config)#aaa authentication login AAA_AUTHENTICATION_LOGIN local
+R1(config)#aaa authorization network AAA_AUTHORIZATION_NETWORK local 
+
+R1(config)#username test password mojehaslo
+
+R1(config)#crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
+R1(config-ikev2-author-policy)#pool VPN_POOL
+R1(config-ikev2-author-policy)#def-domain CONTOSO.COM
+R1(config-ikev2-author-policy)#route set remote ipv4 1.1.1.1 255.255.255.255
+R1(config-ikev2-author-policy)#dns 1.1.1.1
+R1(config)#ip local pool VPN_POOL 192.168.10.5 192.168.10.10
+
+	
+R1(config)#crypto ikev2 proposal IKEV2_PROPOSAL 
+R1(config-ikev2-proposal)#encryption aes-cbc-256
+R1(config-ikev2-proposal)#integrity sha256
+R1(config-ikev2-proposal)#group 14
+	
+R1(config)#crypto ikev2 policy default
+R1(config-ikev2-policy)#proposal IKEV2_PROPOSAL
+
+R1(config)#crypto ikev2 profile IKEV2_PROFILE
+R1(config-ikev2-profile)#match identity remote key-id *$AnyConnectClient$*
+R1(config-ikev2-profile)#authentication local rsa-sig
+R1(config-ikev2-profile)#authentication remote anyconnect-eap aggregate
+R1(config-ikev2-profile)#pki trustpoint R1-CLIENT
+R1(config-ikev2-profile)#aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
+R1(config-ikev2-profile)#aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
+R1(config-ikev2-profile)#virtual-template 1
+
+R1(config)#crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac      
+R1(cfg-crypto-trans)#mode tunnel
+
+R1(config)#crypto ipsec profile IKEV2_PROFILE
+R1(ipsec-profile)#set transform-set TRANSFORM_SET
+R1(ipsec-profile)#set ikev2-profile IKEV2_PROFILE
+
+R1(config)#interface Virtual-Template1 type tunnel
+R1(config-if)#ip unnumbered Loopback0
+R1(config-if)#ip mtu 1400
+R1(config-if)#tunnel mode ipsec ipv4
+R1(config-if)#tunnel protection ipsec profile IKEV2_PROFILE
+
+
+
--- a/FlexVPN/flexvpn1.txt
+++ b/FlexVPN/flexvpn1.txt
@ -0,0 +1,37 @@
+crypto ikev2 keyring KEYR1
+peer R2
+address 198.51.100.2 
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+crypto ikev2 profile Profil1
+match identity remote address 198.51.100.2 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+
+crypto ikev2 proposal ikeprop1
+integrity sha256 sha384 sha512
+group 14 15
+encryption aes-cbc-128 aes-cbc-256
+
+crypto ikev2 policy ikepol1
+proposal ikeprop1
+
+ip access-list extended ACLR2
+permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto map CM1 10 ipsec-isakmp
+match address ACLR2
+set peer 198.51.100.2
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+int g0/1
+crypto map CM1
+
--- a/FlexVPN/flexvpn2.txt
+++ b/FlexVPN/flexvpn2.txt
@ -0,0 +1,87 @@
+Dla R1 i R2:
+
+no int tunnel 1
+no router ospf 1
+
+
+Dla R1:
+interface Loopback1
+ ip address 172.16.1.1 255.255.255.0
+
+############################################
+Dla R1:
+crypto ikev2 keyring KEYR1
+peer R2
+address 198.51.100.2 
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+crypto ikev2 profile Profil1
+match identity remote address 198.51.100.2 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+
+Dla R2:
+crypto ikev2 keyring KEYR1
+peer R1
+address 192.0.2.1
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+crypto ikev2 profile Profil1
+match identity remote address 192.0.2.1 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+
+
+Dla R1:
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+int tun 12
+ip add 10.0.12.1 255.255.255.0
+tunnel source 192.0.2.1
+tunnel destination 198.51.100.2
+tunnel protection ipsec profile IPprof1
+tunnel mode ipsec ipv4
+
+
+
+Dla R2:
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+int tun 12
+ip add 10.0.12.2 255.255.255.0
+tunnel source 198.51.100.2
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+tunnel mode ipsec ipv4
+
+
+Dla R1:
+router eigrp 1
+network 10.0.12.0 0.0.0.255
+network 172.16.1.0 0.0.0.255
+
+Dla R2:
+router eigrp 1
+network 10.0.12.0 0.0.0.255
+network 172.16.2.0 0.0.0.255
+
+
+
--- a/FlexVPN/flexvpn3.txt
+++ b/FlexVPN/flexvpn3.txt
@ -0,0 +1,105 @@
+FLexVPN HUB-SPOKE
+Dla R2, R3, R4:
+crypto ikev2 keyring KEYR1
+peer R1
+address 192.0.2.1
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 192.0.2.1 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+#####
+
+Dla R2:
+int loopback 3
+ip add 2.2.2.2 255.255.255.255
+
+Dla R3:
+int loopback 3
+ip add 3.3.3.3 255.255.255.255
+
+Dla R4:
+int loopback 3
+ip add 4.4.4.4 255.255.255.255
+
+Dla wszystkich Spoke (R2, R3, R4):
+int tun 12
+ip unnumbered loopback 3
+tunnel source g0/1
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+
+#####
+Koncentrator (R1):
+
+crypto ikev2 keyring KEYR1
+peer ANYROUTER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+virtual-template 1
+
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+int loopback 3
+ip add 1.1.1.1 255.255.255.255
+
+interface virtual-template 1 type tunnel
+tunnel source g0/1
+ip unnumbered loopback 3
+tunnel protection ipsec profile IPprof1
+
+####
+Dla R1:
+router eigrp 1
+network 1.1.1.1 0.0.0.0
+
+Dla R2:
+router eigrp 1
+network 2.2.2.2 0.0.0.0
+network 172.16.2.0 0.0.0.255
+network 192.168.2.0 0.0.0.255
+
+Dla R3:
+router eigrp 1
+network 3.3.3.3 0.0.0.0
+network 172.16.3.0 0.0.0.255
+network 192.168.3.0 0.0.0.255
+
+Dla R4:
+router eigrp 1
+network 4.4.4.4 0.0.0.0
+network 172.16.4.0 0.0.0.255
+network 192.168.4.0 0.0.0.255
+
+
+
+
+
+
+
+
+
+
+
--- a/FlexVPN/flexvpn4.txt
+++ b/FlexVPN/flexvpn4.txt
@ -0,0 +1,116 @@
+FLexVPN HUB-SPOKE
+Dla R2, R3, R4:
+crypto ikev2 keyring KEYR1
+peer R1
+address 192.0.2.1
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 192.0.2.1 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+aaa new-model
+aaa authorization network default local
+
+crypto ikev2 authorization policy AUTHPOLICY1
+route set interface
+
+
+#####
+
+
+Dla wszystkich Spoke (R2, R3, R4):
+int tun 12
+ip address negotiated
+tunnel source g0/1
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+
+#####
+Koncentrator (R1):
+
+crypto ikev2 keyring KEYR1
+peer ANYROUTER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+int loopback 3
+ip add 1.1.1.1 255.255.255.0
+
+interface virtual-template 1 type tunnel
+tunnel source g0/1
+ip unnumbered loopback 3
+tunnel protection ipsec profile IPprof1
+
+
+ip local pool PULAIP 1.1.1.2 1.1.1.10
+
+aaa new-model
+aaa authorization network default local
+
+crypto ikev2 authorization policy AUTHPOLICY1
+pool PULAIP
+route set interface
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+virtual-template 1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+
+####
+Dla R1:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+
+Dla R2:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.2.0 0.0.0.255
+network 192.168.2.0 0.0.0.255
+
+Dla R3:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.3.0 0.0.0.255
+network 192.168.3.0 0.0.0.255
+
+Dla R4:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.4.0 0.0.0.255
+network 192.168.4.0 0.0.0.255
+
+
+
+
+
+
+
+
+
+
+
--- a/FlexVPN/flexvpn5.txt
+++ b/FlexVPN/flexvpn5.txt
@ -0,0 +1,138 @@
+FLexVPN SPOKE-SPOKE
+Dla R2, R3, R4:
+
+crypto ikev2 keyring KEYR1
+peer ANYPEER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+aaa new-model
+aaa authorization network default local
+
+crypto ikev2 authorization policy AUTHPOLICY1
+route set interface
+
+
+#####
+
+
+Dla wszystkich Spoke (R2, R3, R4):
+int tun 12
+ip address negotiated
+tunnel source g0/1
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+ip nhrp network-id 1
+ip nhrp shortcut virtual-template 12
+
+
+int virtual-template 12 type tunnel 
+ip unnumbered tunnel 12
+tunnel source g0/1
+ip nhrp network-id 1
+ip nhrp shortcut virtual-template 12
+tunnel protection ipsec profile IPprof1
+
+
+
+
+#####
+Koncentrator (R1):
+
+
+int loopback 3
+ip add 1.1.1.1 255.255.255.0
+
+ip local pool PULAIP 1.1.1.2 1.1.1.10
+
+aaa new-model
+aaa authorization network default local
+
+
+crypto ikev2 authorization policy AUTHPOLICY1
+pool PULAIP
+route set interface
+
+
+crypto ikev2 keyring KEYR1
+peer ANYPEER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+virtual-template 1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+
+interface virtual-template 1 type tunnel
+tunnel source g0/1
+ip unnumbered loopback 3
+tunnel protection ipsec profile IPprof1
+ip nhrp network-id 1
+ip nhrp redirect
+
+
+
+
+
+
+####
+Dla R1:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+
+Dla R2:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.2.0 0.0.0.255
+network 192.168.2.0 0.0.0.255
+
+Dla R3:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.3.0 0.0.0.255
+network 192.168.3.0 0.0.0.255
+
+Dla R4:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.4.0 0.0.0.255
+network 192.168.4.0 0.0.0.255
+
+
+
+
+
+
+
+
+
+
+
--- a/ip_source_guard.txt
+++ b/ip_source_guard.txt
@ -0,0 +1,91 @@
+Router:
+hostname R1
+!
+ip dhcp pool MY_POOL
+ network 192.168.1.0 255.255.255.0
+!
+ip cef
+!
+interface FastEthernet0/0
+ ip address 192.168.1.254 255.255.255.0
+!
+end
+
+
+Przełącznik (router podłączony na porcie g0/1):
+hostname SW1
+!
+ip dhcp snooping vlan 1
+no ip dhcp snooping information option
+ip dhcp snooping
+!
+interface GigabitEthernet0/1
+ switchport mode access
+ spanning-tree portfast
+ ip dhcp snooping trust
+!
+interface GigabitEthernet0/2
+ switchport mode access
+ spanning-tree portfast
+!
+interface GigabitEthernet0/3
+ switchport mode access
+ spanning-tree portfast
+!
+interface GigabitEthernet0/4
+ switchport mode access
+ spanning-tree portfast
+!
+end
+
+
+Konfigurujemy "IP Source Guard" dla komputera podłączonego na porcie g0/2:
+SW1(config)#interface GigabitEthernet 0/2
+SW1(config-if)#ip verify source
+
+SW1#show ip verify source
+Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan   Log
+---------  -----------  -----------  ---------------  -----------------  ----   ---
+Gi0/2      ip           active       192.168.1.1                         1      disabled
+
+
+SW1 zezwala teraz tylko na źródłowy adres IP 192.168.1.1 (bo taki PC dostanie pierwszy z brzegu) na interfejsie GigabitEthernet 0/2. Pole adresu MAC jest puste, także w tej chwili przełącznik sprawdza tylko źródłowy adres IP. Można jednak również sprawdzać źródłowy adres MAC.
+Do tego celu trzeba wykorzystać jeszcze mechanizm port-security:
+SW1(config)#interface GigabitEthernet 0/2
+SW1(config-if)#switchport port-security
+SW1(config-if)#ip verify source port-security
+
+SW1#show ip verify source
+Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan   Log
+---------  -----------  -----------  ---------------  -----------------  ----   ---
+Gi0/2      ip-mac       active       192.168.1.1      00:11:22:44:33:AA  1      disabled
+
+
+Załóżmy, że skonfigurujemy na porcie G0/3 kolejny PC, który będzie mieć statycznie przypisane dane adresowe:
+SW1(config)#interface GigabitEthernet 0/3
+SW1(config-if)#switchport port-security
+SW1(config-if)#ip verify source port-security
+
+SW1#show ip verify source 
+Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan   Log
+---------  -----------  -----------  ---------------  -----------------  ----   ---
+Gi0/2      ip-mac       active       192.168.1.1      00:11:22:44:33:AA  1      disabled
+Gi0/3      ip-mac       active       deny-all         deny-all           1
+
+Jeżeli teraz z tego powyższego komputera spróbujemy wykonać jakąkolwiek transmisję (choćby ping), to nie pwoiedzie się, będzie blokowane.
+
+
+
+Możemy również przypisać statycznie adres mac oraz adres IP do zadanego portu, np. dla portu G0/4:
+SW1(config)#interface GigabitEthernet 0/4
+SW1(config-if)#switchport port-security
+SW1(config-if)#ip verify source port-security
+SW1(config)#ip source binding 0011.aabb.0088 vlan 1 192.168.1.200 interface GigabitEthernet 0/4
+
+
+SW1#show ip verify source                               
+Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan   Log
+---------  -----------  -----------  ---------------  -----------------  ----   ---
+Gi0/2      ip-mac       active       192.168.1.1      00:11:22:44:33:AA  1      disabled
+Gi0/3      ip-mac       active       deny-all         deny-all           1
+Gi0/4      ip-mac       active       192.168.1.200    00:16:C7:BE:0E:C8  1      disabled