From 46c5ff0cec6328a0f525179ef6d7cf8205eae4e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaros=C5=82aw=20Karcewicz?=
Date: Mon, 28 Mar 2022 19:53:08 +0200
Subject: [PATCH] .
---
 FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt | 62 +++++++++
 FlexVPN/flexvpn1.txt | 37 +++++
 FlexVPN/flexvpn2.txt | 87 ++++++++++++
 FlexVPN/flexvpn3.txt | 105 ++++++++++++++
 FlexVPN/flexvpn4.txt | 116 ++++++++++++++++
 FlexVPN/flexvpn5.txt | 138 +++++++++++++++++++
 ip_source_guard.txt | 91 ++++++++++++
 7 files changed, 636 insertions(+)
 create mode 100644 FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt
 create mode 100644 FlexVPN/flexvpn1.txt
 create mode 100644 FlexVPN/flexvpn2.txt
 create mode 100644 FlexVPN/flexvpn3.txt
 create mode 100644 FlexVPN/flexvpn4.txt
 create mode 100644 FlexVPN/flexvpn5.txt
 create mode 100644 ip_source_guard.txt
diff --git a/FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt b/FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt
new file mode 100644
index 0000000..016f1df
--- /dev/null
+++ b/FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt
@@ -0,0 +1,62 @@
+R1(config)#ip http server
+
+R1(config)#crypto pki server R1CA
+R1(cs-server)#issuer-name cn="R1CA"
+R1(cs-server)#grant auto
+R1(cs-server)#no shutdown
+
+R1(config)#ip domain name NWL.LAB
+R1(config)#crypto pki trustpoint R1CLIENT
+R1(ca-trustpoint)#enrollment url http://192.168.1.1
+R1(ca-trustpoint)#subject-name cn=R1CLIENT.CONTOSO.COM
+R1(config)#crypto pki authenticate R1CLIENT
+R1(config)#crypto pki enroll R1CLIENT
+
+
+R1(config)#aaa new-model
+
+R1(config)#aaa authentication login AAA_AUTHENTICATION_LOGIN local
+R1(config)#aaa authorization network AAA_AUTHORIZATION_NETWORK local
+
+R1(config)#username test password mojehaslo
+
+R1(config)#crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
+R1(config-ikev2-author-policy)#pool VPN_POOL
+R1(config-ikev2-author-policy)#def-domain CONTOSO.COM
+R1(config-ikev2-author-policy)#route set remote ipv4 1.1.1.1 255.255.255.255
+R1(config-ikev2-author-policy)#dns 1.1.1.1
+R1(config)#ip local pool VPN_POOL 192.168.10.5 192.168.10.10
+
+
+R1(config)#crypto ikev2 proposal IKEV2_PROPOSAL
+R1(config-ikev2-proposal)#encryption aes-cbc-256
+R1(config-ikev2-proposal)#integrity sha256
+R1(config-ikev2-proposal)#group 14
+
+R1(config)#crypto ikev2 policy default
+R1(config-ikev2-policy)#proposal IKEV2_PROPOSAL
+
+R1(config)#crypto ikev2 profile IKEV2_PROFILE
+R1(config-ikev2-profile)#match identity remote key-id *$AnyConnectClient$*
+R1(config-ikev2-profile)#authentication local rsa-sig
+R1(config-ikev2-profile)#authentication remote anyconnect-eap aggregate
+R1(config-ikev2-profile)#pki trustpoint R1-CLIENT
+R1(config-ikev2-profile)#aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
+R1(config-ikev2-profile)#aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
+R1(config-ikev2-profile)#virtual-template 1
+
+R1(config)#crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac
+R1(cfg-crypto-trans)#mode tunnel
+
+R1(config)#crypto ipsec profile IKEV2_PROFILE
+R1(ipsec-profile)#set transform-set TRANSFORM_SET
+R1(ipsec-profile)#set ikev2-profile IKEV2_PROFILE
+
+R1(config)#interface Virtual-Template1 type tunnel
+R1(config-if)#ip unnumbered Loopback0
+R1(config-if)#ip mtu 1400
+R1(config-if)#tunnel mode ipsec ipv4
+R1(config-if)#tunnel protection ipsec profile IKEV2_PROFILE
+
+
+
diff --git a/FlexVPN/flexvpn1.txt b/FlexVPN/flexvpn1.txt
new file mode 100644
index 0000000..a266574
--- /dev/null
+++ b/FlexVPN/flexvpn1.txt
@@ -0,0 +1,37 @@
+crypto ikev2 keyring KEYR1
+peer R2
+address 198.51.100.2
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+crypto ikev2 profile Profil1
+match identity remote address 198.51.100.2 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+
+crypto ikev2 proposal ikeprop1
+integrity sha256 sha384 sha512
+group 14 15
+encryption aes-cbc-128 aes-cbc-256
+
+crypto ikev2 policy ikepol1
+proposal ikeprop1
+
+ip access-list extended ACLR2
+permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto map CM1 10 ipsec-isakmp
+match address ACLR2
+set peer 198.51.100.2
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+int g0/1
+crypto map CM1
+
diff --git a/FlexVPN/flexvpn2.txt b/FlexVPN/flexvpn2.txt
new file mode 100644
index 0000000..6e8350d
--- /dev/null
+++ b/FlexVPN/flexvpn2.txt
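Review bot: The IKEv2 profile points at a trustpoint that is never created under that name — `pki trustpoint R1-CLIENT` in the profile versus `crypto pki trustpoint R1CLIENT` in the enrollment block — so `authentication local rsa-sig` has no certificate to sign with and IKE_AUTH will fail; change the profile line to `pki trustpoint R1CLIENT`. The AnyConnect EAP credential is created with `username test password mojehaslo`, which is stored in clear text (or reversible type 7 under `service password-encryption`); use `username test secret <password>` so the local database holds a hash. `grant auto` on the CA hands a certificate to anyone who can reach the SCEP URL exposed by `ip http server`, with no challenge password or operator approval — fine for a lab, but a one-line comment saying so (and pointing to manual `grant` for anything real) belongs next to it. Loopback0, which Virtual-Template1 borrows its address from, is not defined anywhere in this file.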
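Review bot: Both keyring entries use the pre-shared key `Cisco`, a dictionary value, and with `authentication local/remote pre-share` the IKEv2 SA is only as strong as that key; replace it with a long random secret on both routers, or mark it in the file as a placeholder to be changed. `crypto map CM1 10 ipsec-isakmp` carries no `set pfs`, so child SAs are rekeyed without a fresh DH exchange — `set pfs group14` would match the `group 14 15` already chosen for the IKE SA. Note also that `crypto ikev2 policy ikepol1` has no `match` statement, so it applies to every local address, which is presumably intended here.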
@@ -0,0 +1,87 @@
+Dla R1 i R2:
+
+no int tunnel 1
+no router ospf 1
+
+
+Dla R1:
+interface Loopback1
+ ip address 172.16.1.1 255.255.255.0
+
+############################################
+Dla R1:
+crypto ikev2 keyring KEYR1
+peer R2
+address 198.51.100.2
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+crypto ikev2 profile Profil1
+match identity remote address 198.51.100.2 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+
+Dla R2:
+crypto ikev2 keyring KEYR1
+peer R1
+address 192.0.2.1
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+crypto ikev2 profile Profil1
+match identity remote address 192.0.2.1 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+
+
+Dla R1:
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+int tun 12
+ip add 10.0.12.1 255.255.255.0
+tunnel source 192.0.2.1
+tunnel destination 198.51.100.2
+tunnel protection ipsec profile IPprof1
+tunnel mode ipsec ipv4
+
+
+
+Dla R2:
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+int tun 12
+ip add 10.0.12.2 255.255.255.0
+tunnel source 198.51.100.2
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+tunnel mode ipsec ipv4
+
+
+Dla R1:
+router eigrp 1
+network 10.0.12.0 0.0.0.255
+network 172.16.1.0 0.0.0.255
+
+Dla R2:
+router eigrp 1
+network 10.0.12.0 0.0.0.255
+network 172.16.2.0 0.0.0.255
+
+
+
diff --git a/FlexVPN/flexvpn3.txt b/FlexVPN/flexvpn3.txt
new file mode 100644
index 0000000..620bb0f
--- /dev/null
+++ b/FlexVPN/flexvpn3.txt
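Review bot: Unlike flexvpn1.txt, this site-to-site VTI configuration defines no `crypto ikev2 proposal` or `crypto ikev2 policy`, so the IKE SA is negotiated with the image's default IKEv2 proposal; on older IOS releases that default still admits weaker algorithms (this depends on the platform, so verify with `show crypto ikev2 proposal`), and carrying over the explicit `ikeprop1`/`ikepol1` blocks from flexvpn1.txt would remove the doubt. Both routers again authenticate with the placeholder PSK `Cisco`. The `no int tunnel 1` / `no router ospf 1` lines at the top tear down earlier lab state rather than configure FlexVPN; a short note such as `! cleanup of the previous exercise, skip on a fresh router` above them would stop a reader from treating them as part of the recipe.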
@@ -0,0 +1,105 @@
+FLexVPN HUB-SPOKE
+Dla R2, R3, R4:
+crypto ikev2 keyring KEYR1
+peer R1
+address 192.0.2.1
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 192.0.2.1 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+#####
+
+Dla R2:
+int loopback 3
+ip add 2.2.2.2 255.255.255.255
+
+Dla R3:
+int loopback 3
+ip add 3.3.3.3 255.255.255.255
+
+Dla R4:
+int loopback 3
+ip add 4.4.4.4 255.255.255.255
+
+Dla wszystkich Spoke (R2, R3, R4):
+int tun 12
+ip unnumbered loopback 3
+tunnel source g0/1
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+
+#####
+Koncentrator (R1):
+
+crypto ikev2 keyring KEYR1
+peer ANYROUTER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+virtual-template 1
+
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+int loopback 3
+ip add 1.1.1.1 255.255.255.255
+
+interface virtual-template 1 type tunnel
+tunnel source g0/1
+ip unnumbered loopback 3
+tunnel protection ipsec profile IPprof1
+
+####
+Dla R1:
+router eigrp 1
+network 1.1.1.1 0.0.0.0
+
+Dla R2:
+router eigrp 1
+network 2.2.2.2 0.0.0.0
+network 172.16.2.0 0.0.0.255
+network 192.168.2.0 0.0.0.255
+
+Dla R3:
+router eigrp 1
+network 3.3.3.3 0.0.0.0
+network 172.16.3.0 0.0.0.255
+network 192.168.3.0 0.0.0.255
+
+Dla R4:
+router eigrp 1
+network 4.4.4.4 0.0.0.0
+network 172.16.4.0 0.0.0.255
+network 192.168.4.0 0.0.0.255
+
+
+
+
+
+
+
+
+
+
+
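Review bot: The hub accepts any IKEv2 peer — `peer ANYROUTER` / `address 0.0.0.0` in the keyring and `match identity remote address 0.0.0.0 0.0.0.0` in `Profil1` — all on the single group PSK `Cisco`, so anyone who learns that key can bring up a virtual-access interface on R1 and form an EIGRP adjacency in AS 1. Prefer one keyring `peer` entry per spoke keyed by its address (or identity-based matching, e.g. `match identity remote fqdn` with `identity local fqdn` on the spokes), or certificate authentication, and in any case a strong per-peer key. EIGRP across the virtual-access interfaces runs without authentication, so a peer that does get in can also inject routes into the hub; `authentication mode md5` plus `authentication key-chain` on `interface virtual-template 1` (and the spoke tunnels) would limit that.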
diff --git a/FlexVPN/flexvpn4.txt b/FlexVPN/flexvpn4.txt
new file mode 100644
index 0000000..c677d0e
--- /dev/null
+++ b/FlexVPN/flexvpn4.txt
@@ -0,0 +1,116 @@
+FLexVPN HUB-SPOKE
+Dla R2, R3, R4:
+crypto ikev2 keyring KEYR1
+peer R1
+address 192.0.2.1
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 192.0.2.1 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+aaa new-model
+aaa authorization network default local
+
+crypto ikev2 authorization policy AUTHPOLICY1
+route set interface
+
+
+#####
+
+
+Dla wszystkich Spoke (R2, R3, R4):
+int tun 12
+ip address negotiated
+tunnel source g0/1
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+
+#####
+Koncentrator (R1):
+
+crypto ikev2 keyring KEYR1
+peer ANYROUTER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+int loopback 3
+ip add 1.1.1.1 255.255.255.0
+
+interface virtual-template 1 type tunnel
+tunnel source g0/1
+ip unnumbered loopback 3
+tunnel protection ipsec profile IPprof1
+
+
+ip local pool PULAIP 1.1.1.2 1.1.1.10
+
+aaa new-model
+aaa authorization network default local
+
+crypto ikev2 authorization policy AUTHPOLICY1
+pool PULAIP
+route set interface
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+virtual-template 1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+
+####
+Dla R1:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+
+Dla R2:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.2.0 0.0.0.255
+network 192.168.2.0 0.0.0.255
+
+Dla R3:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.3.0 0.0.0.255
+network 192.168.3.0 0.0.0.255
+
+Dla R4:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.4.0 0.0.0.255
+network 192.168.4.0 0.0.0.255
+
+
+
+
+
+
+
+
+
+
+
diff --git a/FlexVPN/flexvpn5.txt b/FlexVPN/flexvpn5.txt
new file mode 100644
index 0000000..86c2f06
--- /dev/null
+++ b/FlexVPN/flexvpn5.txt
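Review bot: `aaa new-model` is switched on for the spokes and the hub with only `aaa authorization network default local` beside it — no `aaa authentication login` method list and no local `username` appear anywhere in this file. On IOS, enabling `aaa new-model` makes vty (and console) login use the default AAA login method, i.e. the local user database, so with no local user the next management session can be locked out; add `aaa authentication login default local` and a `username <name> privilege 15 secret <password>` (or `aaa authentication login default none` for a lab console) before the `aaa new-model` line. The hub's `peer ANYROUTER` / `match identity remote address 0.0.0.0 0.0.0.0` on the shared PSK `Cisco` is the same open-door pattern as flexvpn3.txt, and `aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1` now also hands every such peer a `PULAIP` address and installs its `route set interface` route on R1.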
@@ -0,0 +1,138 @@
+FLexVPN SPOKE-SPOKE
+Dla R2, R3, R4:
+
+crypto ikev2 keyring KEYR1
+peer ANYPEER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+aaa new-model
+aaa authorization network default local
+
+crypto ikev2 authorization policy AUTHPOLICY1
+route set interface
+
+
+#####
+
+
+Dla wszystkich Spoke (R2, R3, R4):
+int tun 12
+ip address negotiated
+tunnel source g0/1
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+ip nhrp network-id 1
+ip nhrp shortcut virtual-template 12
+
+
+int virtual-template 12 type tunnel
+ip unnumbered tunnel 12
+tunnel source g0/1
+ip nhrp network-id 1
+ip nhrp shortcut virtual-template 12
+tunnel protection ipsec profile IPprof1
+
+
+
+
+#####
+Koncentrator (R1):
+
+
+int loopback 3
+ip add 1.1.1.1 255.255.255.0
+
+ip local pool PULAIP 1.1.1.2 1.1.1.10
+
+aaa new-model
+aaa authorization network default local
+
+
+crypto ikev2 authorization policy AUTHPOLICY1
+pool PULAIP
+route set interface
+
+
+crypto ikev2 keyring KEYR1
+peer ANYPEER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+virtual-template 1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+
+interface virtual-template 1 type tunnel
+tunnel source g0/1
+ip unnumbered loopback 3
+tunnel protection ipsec profile IPprof1
+ip nhrp network-id 1
+ip nhrp redirect
+
+
+
+
+
+
+####
+Dla R1:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+
+Dla R2:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.2.0 0.0.0.255
+network 192.168.2.0 0.0.0.255
+
+Dla R3:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.3.0 0.0.0.255
+network 192.168.3.0 0.0.0.255
+
+Dla R4:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.4.0 0.0.0.255
+network 192.168.4.0 0.0.0.255
+
+
+
+
+
+
+
+
+
+
+
diff --git a/ip_source_guard.txt b/ip_source_guard.txt
new file mode 100644
index 0000000..5c81b89
--- /dev/null
+++ b/ip_source_guard.txt
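Review bot: The spoke-side `crypto ikev2 profile Profil1` has no `virtual-template 12` line, so as far as I can tell a spoke can initiate a shortcut tunnel but cannot answer one — when another spoke's IKEv2 session arrives, the responder has no template to clone a virtual-access from; add `virtual-template 12` under `Profil1` on R2–R4 to match the `ip nhrp shortcut virtual-template 12` already placed on Tunnel12. With this file every spoke, not only the hub, now accepts any peer (`peer ANYPEER` / `address 0.0.0.0` / `match identity remote address 0.0.0.0 0.0.0.0`) on the shared PSK `Cisco`, so that one key is all that stands in front of each spoke's 172.16.x/192.168.x LAN. NHRP is configured with `ip nhrp network-id 1` but no `ip nhrp authentication`; the string travels in clear and is not a security control, but it does prevent cross-talk between NHRP domains, so set the same value on hub and spokes. The `aaa new-model` lock-out caveat from flexvpn4.txt (no login method list, no local user) applies here as well.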
@@ -0,0 +1,91 @@
+Router:
+hostname R1
+!
+ip dhcp pool MY_POOL
+ network 192.168.1.0 255.255.255.0
+!
+ip cef
+!
+interface FastEthernet0/0
+ ip address 192.168.1.254 255.255.255.0
+!
+end
+
+
+Przełącznik (router podłączony na porcie g0/1):
+hostname SW1
+!
+ip dhcp snooping vlan 1
+no ip dhcp snooping information option
+ip dhcp snooping
+!
+interface GigabitEthernet0/1
+ switchport mode access
+ spanning-tree portfast
+ ip dhcp snooping trust
+!
+interface GigabitEthernet0/2
+ switchport mode access
+ spanning-tree portfast
+!
+interface GigabitEthernet0/3
+ switchport mode access
+ spanning-tree portfast
+!
+interface GigabitEthernet0/4
+ switchport mode access
+ spanning-tree portfast
+!
+end
+
+
+Konfigurujemy "IP Source Guard" dla komputera podłączonego na porcie g0/2:
+SW1(config)#interface GigabitEthernet 0/2
+SW1(config-if)#ip verify source
+
+SW1#show ip verify source
+Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
+--------- ----------- ----------- --------------- ----------------- ---- ---
+Gi0/2 ip active 192.168.1.1 1 disabled
+
+
+SW1 zezwala teraz tylko na źródłowy adres IP 192.168.1.1 (bo taki PC dostanie pierwszy z brzegu) na interfejsie GigabitEthernet 0/2. Pole adresu MAC jest puste, także w tej chwili przełącznik sprawdza tylko źródłowy adres IP. Można jednak również sprawdzać źródłowy adres MAC.
+Do tego celu trzeba wykorzystać jeszcze mechanizm port-security:
+SW1(config)#interface GigabitEthernet 0/2
+SW1(config-if)#switchport port-security
+SW1(config-if)#ip verify source port-security
+
+SW1#show ip verify source
+Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
+--------- ----------- ----------- --------------- ----------------- ---- ---
+Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
+
+
+Załóżmy, że skonfigurujemy na porcie G0/3 kolejny PC, który będzie mieć statycznie przypisane dane adresowe:
+SW1(config)#interface GigabitEthernet 0/3
+SW1(config-if)#switchport port-security
+SW1(config-if)#ip verify source port-security
+
+SW1#show ip verify source
+Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
+--------- ----------- ----------- --------------- ----------------- ---- ---
+Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
+Gi0/3 ip-mac active deny-all deny-all 1
+
+Jeżeli teraz z tego powyższego komputera spróbujemy wykonać jakąkolwiek transmisję (choćby ping), to nie pwoiedzie się, będzie blokowane.
+
+
+
+Możemy również przypisać statycznie adres mac oraz adres IP do zadanego portu, np. dla portu G0/4:
+SW1(config)#interface GigabitEthernet 0/4
+SW1(config-if)#switchport port-security
+SW1(config-if)#ip verify source port-security
+SW1(config)#ip source binding 0011.aabb.0088 vlan 1 192.168.1.200 interface GigabitEthernet 0/4
+
+
+SW1#show ip verify source
+Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
+--------- ----------- ----------- --------------- ----------------- ---- ---
+Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
+Gi0/3 ip-mac active deny-all deny-all 1
+Gi0/4 ip-mac active 192.168.1.200 00:16:C7:BE:0E:C8 1 disabled
\ No newline at end of file
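Review bot: The static-binding example contradicts its own output: the command is `ip source binding 0011.aabb.0088 vlan 1 192.168.1.200 interface GigabitEthernet 0/4`, but the final `show ip verify source` table lists Gi0/4 with MAC `00:16:C7:BE:0E:C8`, so either the binding or the captured output is wrong and a reader would conclude the binding did not take; make the two MACs agree. The snooping setup trusts only Gi0/1 but applies no rate limit on the untrusted access ports, so a host can still flood DHCP toward the switch CPU; `ip dhcp snooping limit rate 15` on Gi0/2–0/4 is the usual companion to `ip dhcp snooping`. Also, the Gi0/3 host with a static address is shown as `deny-all`, which is the expected result of `ip verify source` without a binding — a sentence saying that the static `ip source binding` shown afterward is the remedy would close the loop for the reader. Note that with the `Log` column `disabled`, violations on these ports leave no trace; `ip verify source ... ` cannot be combined with logging in the lab as written, but it is worth stating that drops are silent.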