Jarosław Karcewicz 2022-03-28 19:53:08 +02:00
commit 46c5ff0cec
7 changed files with 636 additions and 0 deletions


@ -0,0 +1,62 @@
R1(config)#ip http server
R1(config)#crypto pki server R1CA
R1(cs-server)#issuer-name cn="R1CA"
R1(cs-server)#grant auto
R1(cs-server)#no shutdown
R1(config)#ip domain name NWL.LAB
R1(config)#crypto pki trustpoint R1CLIENT
R1(ca-trustpoint)#enrollment url http://192.168.1.1
R1(ca-trustpoint)#subject-name cn=R1CLIENT.CONTOSO.COM
R1(config)#crypto pki authenticate R1CLIENT
R1(config)#crypto pki enroll R1CLIENT
R1(config)#aaa new-model
R1(config)#aaa authentication login AAA_AUTHENTICATION_LOGIN local
R1(config)#aaa authorization network AAA_AUTHORIZATION_NETWORK local
R1(config)#username test password mojehaslo
R1(config)#crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
R1(config-ikev2-author-policy)#pool VPN_POOL
R1(config-ikev2-author-policy)#def-domain CONTOSO.COM
R1(config-ikev2-author-policy)#route set remote ipv4 1.1.1.1 255.255.255.255
R1(config-ikev2-author-policy)#dns 1.1.1.1
R1(config)#ip local pool VPN_POOL 192.168.10.5 192.168.10.10
R1(config)#crypto ikev2 proposal IKEV2_PROPOSAL
R1(config-ikev2-proposal)#encryption aes-cbc-256
R1(config-ikev2-proposal)#integrity sha256
R1(config-ikev2-proposal)#group 14
R1(config)#crypto ikev2 policy default
R1(config-ikev2-policy)#proposal IKEV2_PROPOSAL
R1(config)#crypto ikev2 profile IKEV2_PROFILE
R1(config-ikev2-profile)#match identity remote key-id *$AnyConnectClient$*
R1(config-ikev2-profile)#authentication local rsa-sig
R1(config-ikev2-profile)#authentication remote anyconnect-eap aggregate
R1(config-ikev2-profile)#pki trustpoint R1-CLIENT
R1(config-ikev2-profile)#aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
R1(config-ikev2-profile)#aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
R1(config-ikev2-profile)#virtual-template 1
R1(config)#crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(config)#crypto ipsec profile IKEV2_PROFILE
R1(ipsec-profile)#set transform-set TRANSFORM_SET
R1(ipsec-profile)#set ikev2-profile IKEV2_PROFILE
R1(config)#interface Virtual-Template1 type tunnel
R1(config-if)#ip unnumbered Loopback0
R1(config-if)#ip mtu 1400
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IKEV2_PROFILE
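Review bot: `pki trustpoint R1-CLIENT` inside the IKEv2 profile references a trustpoint that this hunk never defines; the trustpoint that is authenticated and enrolled is `R1CLIENT` (no hyphen), so local `rsa-sig` authentication will fail until one of the two names is corrected. Two smaller points in the same hunk: `username test password mojehaslo` stores the credential reversibly, `username test secret ...` is the right form for a local AAA login account; and `grant auto` on the CA issues a certificate to every enrollment request that reaches the HTTP SCEP endpoint, which is acceptable for a lab but should be called out as such. Style: the IPsec profile and the IKEv2 profile share the name `IKEV2_PROFILE`; they live in different namespaces so it works, but a distinct name for the IPsec profile would make `set ikev2-profile IKEV2_PROFILE` easier to read.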

FlexVPN/flexvpn1.txt Normal file

@ -0,0 +1,37 @@
crypto ikev2 keyring KEYR1
peer R2
address 198.51.100.2
pre-shared-key local Cisco
pre-shared-key remote Cisco
crypto ikev2 profile Profil1
match identity remote address 198.51.100.2 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local KEYR1
crypto ikev2 proposal ikeprop1
integrity sha256 sha384 sha512
group 14 15
encryption aes-cbc-128 aes-cbc-256
crypto ikev2 policy ikepol1
proposal ikeprop1
ip access-list extended ACLR2
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
crypto map CM1 10 ipsec-isakmp
match address ACLR2
set peer 198.51.100.2
set transform-set TR1
set ikev2-profile Profil1
int g0/1
crypto map CM1
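Review bot: only R1's side of the site-to-site setup is captured; R2's mirror (keyring `peer R1` with R1's address, the matching `match identity remote address`, the ACL with source and destination swapped, and the crypto map on its WAN interface) is missing, so the file does not document a working pair. `pre-shared-key local Cisco` / `pre-shared-key remote Cisco` is a dictionary word used in both directions; the proposal (`aes-cbc-256`, `sha512`, `group 15`) is strong, so the PSK is the weakest element of this tunnel. Also note that `crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes` selects AES-128 for ESP while the IKEv2 proposal offers 256-bit AES; use `esp-aes 256` if the intent is parity. Style: `crypto map CM1` with an ACL is the classic IPsec model rather than FlexVPN's tunnel-interface model, so the file name under FlexVPN/ is slightly misleading.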

FlexVPN/flexvpn2.txt Normal file

@ -0,0 +1,87 @@
Dla R1 i R2:
no int tunnel 1
no router ospf 1
Dla R1:
interface Loopback1
ip address 172.16.1.1 255.255.255.0
############################################
Dla R1:
crypto ikev2 keyring KEYR1
peer R2
address 198.51.100.2
pre-shared-key local Cisco
pre-shared-key remote Cisco
crypto ikev2 profile Profil1
match identity remote address 198.51.100.2 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local KEYR1
Dla R2:
crypto ikev2 keyring KEYR1
peer R1
address 192.0.2.1
pre-shared-key local Cisco
pre-shared-key remote Cisco
crypto ikev2 profile Profil1
match identity remote address 192.0.2.1 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local KEYR1
Dla R1:
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
crypto ipsec profile IPprof1
set transform-set TR1
set ikev2-profile Profil1
int tun 12
ip add 10.0.12.1 255.255.255.0
tunnel source 192.0.2.1
tunnel destination 198.51.100.2
tunnel protection ipsec profile IPprof1
tunnel mode ipsec ipv4
Dla R2:
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
crypto ipsec profile IPprof1
set transform-set TR1
set ikev2-profile Profil1
int tun 12
ip add 10.0.12.2 255.255.255.0
tunnel source 198.51.100.2
tunnel destination 192.0.2.1
tunnel protection ipsec profile IPprof1
tunnel mode ipsec ipv4
Dla R1:
router eigrp 1
network 10.0.12.0 0.0.0.255
network 172.16.1.0 0.0.0.255
Dla R2:
router eigrp 1
network 10.0.12.0 0.0.0.255
network 172.16.2.0 0.0.0.255
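Review bot: the "Dla R1" block creates `interface Loopback1` with 172.16.1.1/24, but nothing creates the matching 172.16.2.0/24 interface on R2 even though R2's EIGRP block advertises `network 172.16.2.0 0.0.0.255`; add the R2 loopback so the file can be reproduced end to end. Minor: on both routers `tunnel mode ipsec ipv4` comes after `tunnel protection ipsec profile IPprof1`; setting the mode first keeps the tunnel from being brought up in the default GRE mode and then renegotiated when the mode changes. The PSK `Cisco` comment from flexvpn1.txt applies here as well.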

FlexVPN/flexvpn3.txt Normal file

@ -0,0 +1,105 @@
FLexVPN HUB-SPOKE
Dla R2, R3, R4:
crypto ikev2 keyring KEYR1
peer R1
address 192.0.2.1
pre-shared-key local Cisco
pre-shared-key remote Cisco
crypto ikev2 profile Profil1
match identity remote address 192.0.2.1 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local KEYR1
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
crypto ipsec profile IPprof1
set transform-set TR1
set ikev2-profile Profil1
#####
Dla R2:
int loopback 3
ip add 2.2.2.2 255.255.255.255
Dla R3:
int loopback 3
ip add 3.3.3.3 255.255.255.255
Dla R4:
int loopback 3
ip add 4.4.4.4 255.255.255.255
Dla wszystkich Spoke (R2, R3, R4):
int tun 12
ip unnumbered loopback 3
tunnel source g0/1
tunnel destination 192.0.2.1
tunnel protection ipsec profile IPprof1
#####
Koncentrator (R1):
crypto ikev2 keyring KEYR1
peer ANYROUTER
address 0.0.0.0
pre-shared-key local Cisco
pre-shared-key remote Cisco
crypto ikev2 profile Profil1
match identity remote address 0.0.0.0 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local KEYR1
virtual-template 1
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
crypto ipsec profile IPprof1
set transform-set TR1
set ikev2-profile Profil1
int loopback 3
ip add 1.1.1.1 255.255.255.255
interface virtual-template 1 type tunnel
tunnel source g0/1
ip unnumbered loopback 3
tunnel protection ipsec profile IPprof1
####
Dla R1:
router eigrp 1
network 1.1.1.1 0.0.0.0
Dla R2:
router eigrp 1
network 2.2.2.2 0.0.0.0
network 172.16.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
Dla R3:
router eigrp 1
network 3.3.3.3 0.0.0.0
network 172.16.3.0 0.0.0.255
network 192.168.3.0 0.0.0.255
Dla R4:
router eigrp 1
network 4.4.4.4 0.0.0.0
network 172.16.4.0 0.0.0.255
network 192.168.4.0 0.0.0.255
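Review bot: the hub accepts IKEv2 from any source: keyring `peer ANYROUTER` with `address 0.0.0.0` plus `match identity remote address 0.0.0.0 0.0.0.0`, all protected by the single PSK `Cisco` that every spoke shares. Any host that can reach 192.0.2.1 and holds that key obtains a virtual-access interface and an EIGRP adjacency into the hub. Narrow the match (the spokes' WAN addresses, or a per-spoke `match identity remote fqdn`), give each spoke its own keyring peer block and key, or move to certificates; at minimum mark the wildcard as lab-only in the file. Also, R1 only advertises `network 1.1.1.1 0.0.0.0`, so the hub injects no LAN prefix of its own; if that is intentional it is worth a line saying so.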

FlexVPN/flexvpn4.txt Normal file

@ -0,0 +1,116 @@
FLexVPN HUB-SPOKE
Dla R2, R3, R4:
crypto ikev2 keyring KEYR1
peer R1
address 192.0.2.1
pre-shared-key local Cisco
pre-shared-key remote Cisco
crypto ikev2 profile Profil1
match identity remote address 192.0.2.1 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local KEYR1
aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
crypto ipsec profile IPprof1
set transform-set TR1
set ikev2-profile Profil1
aaa new-model
aaa authorization network default local
crypto ikev2 authorization policy AUTHPOLICY1
route set interface
#####
Dla wszystkich Spoke (R2, R3, R4):
int tun 12
ip address negotiated
tunnel source g0/1
tunnel destination 192.0.2.1
tunnel protection ipsec profile IPprof1
#####
Koncentrator (R1):
crypto ikev2 keyring KEYR1
peer ANYROUTER
address 0.0.0.0
pre-shared-key local Cisco
pre-shared-key remote Cisco
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
crypto ipsec profile IPprof1
set transform-set TR1
set ikev2-profile Profil1
int loopback 3
ip add 1.1.1.1 255.255.255.0
interface virtual-template 1 type tunnel
tunnel source g0/1
ip unnumbered loopback 3
tunnel protection ipsec profile IPprof1
ip local pool PULAIP 1.1.1.2 1.1.1.10
aaa new-model
aaa authorization network default local
crypto ikev2 authorization policy AUTHPOLICY1
pool PULAIP
route set interface
crypto ikev2 profile Profil1
match identity remote address 0.0.0.0 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local KEYR1
virtual-template 1
aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
####
Dla R1:
router eigrp 1
network 1.1.1.0 0.0.0.255
Dla R2:
router eigrp 1
network 1.1.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
Dla R3:
router eigrp 1
network 1.1.1.0 0.0.0.255
network 172.16.3.0 0.0.0.255
network 192.168.3.0 0.0.0.255
Dla R4:
router eigrp 1
network 1.1.1.0 0.0.0.255
network 172.16.4.0 0.0.0.255
network 192.168.4.0 0.0.0.255
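Review bot: `aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1` names an AAA method list `AUTHPOLICY1`, but the only network authorization list defined in this hunk (on both spokes and hub) is `aaa authorization network default local`; the first argument after `list` is the AAA list name and the second is the policy name, so either add `aaa authorization network AUTHPOLICY1 local` or change the profile line to `list default AUTHPOLICY1`. Ordering: on the spokes the profile line that depends on AAA appears before `aaa new-model` and the authorization policy, and on the hub `set ikev2-profile Profil1` appears before `crypto ikev2 profile Profil1` is created; put `aaa new-model`, the authorization list, the policy and the IKEv2 profile ahead of the objects that reference them so the file can be pasted top to bottom. The wildcard keyring and `Cisco` PSK comment from flexvpn3.txt applies unchanged.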

FlexVPN/flexvpn5.txt Normal file

@ -0,0 +1,138 @@
FLexVPN SPOKE-SPOKE
Dla R2, R3, R4:
crypto ikev2 keyring KEYR1
peer ANYPEER
address 0.0.0.0
pre-shared-key local Cisco
pre-shared-key remote Cisco
crypto ikev2 profile Profil1
match identity remote address 0.0.0.0 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local KEYR1
aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
crypto ipsec profile IPprof1
set transform-set TR1
set ikev2-profile Profil1
aaa new-model
aaa authorization network default local
crypto ikev2 authorization policy AUTHPOLICY1
route set interface
#####
Dla wszystkich Spoke (R2, R3, R4):
int tun 12
ip address negotiated
tunnel source g0/1
tunnel destination 192.0.2.1
tunnel protection ipsec profile IPprof1
ip nhrp network-id 1
ip nhrp shortcut virtual-template 12
int virtual-template 12 type tunnel
ip unnumbered tunnel 12
tunnel source g0/1
ip nhrp network-id 1
ip nhrp shortcut virtual-template 12
tunnel protection ipsec profile IPprof1
#####
Koncentrator (R1):
int loopback 3
ip add 1.1.1.1 255.255.255.0
ip local pool PULAIP 1.1.1.2 1.1.1.10
aaa new-model
aaa authorization network default local
crypto ikev2 authorization policy AUTHPOLICY1
pool PULAIP
route set interface
crypto ikev2 keyring KEYR1
peer ANYPEER
address 0.0.0.0
pre-shared-key local Cisco
pre-shared-key remote Cisco
crypto ikev2 profile Profil1
match identity remote address 0.0.0.0 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring local KEYR1
virtual-template 1
aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
crypto ipsec profile IPprof1
set transform-set TR1
set ikev2-profile Profil1
interface virtual-template 1 type tunnel
tunnel source g0/1
ip unnumbered loopback 3
tunnel protection ipsec profile IPprof1
ip nhrp network-id 1
ip nhrp redirect
####
Dla R1:
router eigrp 1
network 1.1.1.0 0.0.0.255
Dla R2:
router eigrp 1
network 1.1.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
Dla R3:
router eigrp 1
network 1.1.1.0 0.0.0.255
network 172.16.3.0 0.0.0.255
network 192.168.3.0 0.0.0.255
Dla R4:
router eigrp 1
network 1.1.1.0 0.0.0.255
network 172.16.4.0 0.0.0.255
network 192.168.4.0 0.0.0.255
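Review bot: the spoke IKEv2 profile (`crypto ikev2 profile Profil1` for R2, R3, R4) has no `virtual-template` line, while the hub's profile binds `virtual-template 1`. In a spoke-to-spoke design each spoke must also answer incoming IKEv2 sessions from other spokes and clone a virtual-access interface for them; `int virtual-template 12 type tunnel` is defined but never bound, so add `virtual-template 12` under the spoke profile or the NHRP shortcut will have nothing to terminate on. Also, the wildcard keyring (`peer ANYPEER`, `address 0.0.0.0`, `match identity remote address 0.0.0.0 0.0.0.0`) now sits on every spoke as well as the hub, so the single PSK `Cisco` admits any peer to any router; spoke-to-spoke is the point where certificate authentication (or at least per-peer keys) pays off.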

ip_source_guard.txt Normal file

@ -0,0 +1,91 @@
Router:
hostname R1
!
ip dhcp pool MY_POOL
network 192.168.1.0 255.255.255.0
!
ip cef
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
!
end
Przełącznik (router podłączony na porcie g0/1):
hostname SW1
!
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping
!
interface GigabitEthernet0/1
switchport mode access
spanning-tree portfast
ip dhcp snooping trust
!
interface GigabitEthernet0/2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/3
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/4
switchport mode access
spanning-tree portfast
!
end
Konfigurujemy "IP Source Guard" dla komputera podłączonego na porcie g0/2:
SW1(config)#interface GigabitEthernet 0/2
SW1(config-if)#ip verify source
SW1#show ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
--------- ----------- ----------- --------------- ----------------- ---- ---
Gi0/2 ip active 192.168.1.1 1 disabled
SW1 zezwala teraz tylko na źródłowy adres IP 192.168.1.1 (bo taki PC dostanie pierwszy z brzegu) na interfejsie GigabitEthernet 0/2. Pole adresu MAC jest puste, także w tej chwili przełącznik sprawdza tylko źródłowy adres IP. Można jednak również sprawdzać źródłowy adres MAC.
Do tego celu trzeba wykorzystać jeszcze mechanizm port-security:
SW1(config)#interface GigabitEthernet 0/2
SW1(config-if)#switchport port-security
SW1(config-if)#ip verify source port-security
SW1#show ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
--------- ----------- ----------- --------------- ----------------- ---- ---
Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
Załóżmy, że skonfigurujemy na porcie G0/3 kolejny PC, który będzie mieć statycznie przypisane dane adresowe:
SW1(config)#interface GigabitEthernet 0/3
SW1(config-if)#switchport port-security
SW1(config-if)#ip verify source port-security
SW1#show ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
--------- ----------- ----------- --------------- ----------------- ---- ---
Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
Gi0/3 ip-mac active deny-all deny-all 1
Jeżeli teraz z tego powyższego komputera spróbujemy wykonać jakąkolwiek transmisję (choćby ping), to nie pwoiedzie się, będzie blokowane.
Możemy również przypisać statycznie adres mac oraz adres IP do zadanego portu, np. dla portu G0/4:
SW1(config)#interface GigabitEthernet 0/4
SW1(config-if)#switchport port-security
SW1(config-if)#ip verify source port-security
SW1(config)#ip source binding 0011.aabb.0088 vlan 1 192.168.1.200 interface GigabitEthernet 0/4
SW1#show ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
--------- ----------- ----------- --------------- ----------------- ---- ---
Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
Gi0/3 ip-mac active deny-all deny-all 1
Gi0/4 ip-mac active 192.168.1.200 00:16:C7:BE:0E:C8 1 disabled
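Review bot: the static binding for Gi0/4 is entered with MAC `0011.aabb.0088`, but the `show ip verify source` output that follows lists Gi0/4 with `00:16:C7:BE:0E:C8`; one of the two is mistyped, and because the filter mode is `ip-mac` a host using the MAC from the `ip source binding` line would be dropped if the switch really holds the other one. Correct whichever value is wrong so the example is consistent. It would also help to state explicitly that the `deny-all` row for Gi0/3 is the intended result for a statically addressed host with no DHCP-snooping binding, and that the remedy is an `ip source binding` entry as done for Gi0/4, not removing `ip verify source` from the port.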