VPNIPSec site to site

VPNIPSec and the ip route command for routing

Site-to-site architecture:
Site-to-site VPN configuration files

Router R1:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
no ip domain lookup
no ip ips deny-action ips-interface
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 1800
crypto isakmp key miedkey address 172.16.3.253
!
crypto ipsec transform-set groupe3set esp-3des esp-md5-hmac
!
crypto map groupe3map 10 ipsec-isakmp
 set peer 172.16.3.253
 set transform-set groupe3set
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ! ip nat inside
 ! ip virtual-reassembly
 duplex half
!
interface Serial1/0
 ip address 196.1.95.254 255.255.255.0
 ! ip nat outside
 ! ip virtual-reassembly
 serial restart-delay 0
 clock rate 64000
 crypto map groupe3map
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 196.1.95.253
no ip http server
no ip http secure-server
!
! ip nat inside source list 1 interface Serial1/0 overload
! access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.4.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end

Router R2:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
no ip domain lookup
no ip ips deny-action ips-interface
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 196.1.95.253 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 172.16.5.254 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/2
 ip address 172.16.3.254 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip classless
ip route 172.16.6.0 255.255.255.0 172.16.5.253
no ip http server
no ip http secure-server
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end

Router R3:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
no ip domain lookup
no ip ips deny-action ips-interface
!
interface FastEthernet0/0
 ip address 172.16.6.254 255.255.255.0
 duplex half
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 172.16.5.253 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip classless
ip route 172.16.3.0 255.255.255.0 172.16.5.254
ip route 196.1.95.0 255.255.255.0 172.16.5.254
no ip http server
no ip http secure-server
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end

Router R4:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
no ip domain lookup
no ip ips deny-action ips-interface
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 1800
crypto isakmp key miedkey address 196.1.95.254
!
crypto ipsec transform-set groupe3set esp-3des esp-md5-hmac
!
crypto map groupe3map 10 ipsec-isakmp
 set peer 196.1.95.254
 set transform-set groupe3set
 match address 101
!
interface FastEthernet0/0
 ip address 172.16.4.254 255.255.255.0
 ! ip nat inside
 ! ip virtual-reassembly
 duplex half
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 ip address 172.16.3.253 255.255.255.0
 ! ip nat outside
 ! ip virtual-reassembly
 serial restart-delay 0
 crypto map groupe3map
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.3.254
no ip http server
no ip http secure-server
!
! ip nat source list 1 interface Serial1/2 overload
!
! access-list 1 permit 172.16.4.0 0.0.0.255
access-list 101 permit ip 172.16.4.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end
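The following script is an added example and not part of the original slide deck. It parses the crypto sections of the R1 and R4 configurations above (reduced to a constructed excerpt that holds only the relevant lines, with the values taken from the page) and checks what the lab verified by hand with show crypto ipsec sa: each router's set peer must be the address of the interface on which the other router applies crypto map groupe3map, the isakmp key must be bound to that same address, and the two crypto ACLs (access-list 101) must be mirror images of each other, since each side selects traffic for the tunnel by its own source/destination order. It also flags 3DES, MD5 and DH group 5, which IOS accepts but which current guidance no longer recommends. The ios_config helper, the WEAK list and the check logic are this example's own assumptions, not anything from the page.

```python
"""Peer-consistency audit for the site-to-site IPsec configuration on the slides.
Added example, not part of the original deck; the configs are constructed
excerpts carrying only the crypto-relevant lines, with the page's values."""
import re
from ipaddress import IPv4Network


def ios_config(host, iface, local_ip, peer_ip, lan, remote_lan):
    """Constructed excerpt of one router's config (values copied from the slides)."""
    return f"""\
hostname {host}
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 1800
crypto isakmp key miedkey address {peer_ip}
crypto ipsec transform-set groupe3set esp-3des esp-md5-hmac
crypto map groupe3map 10 ipsec-isakmp
 set peer {peer_ip}
 set transform-set groupe3set
 match address 101
interface {iface}
 ip address {local_ip} 255.255.255.0
 crypto map groupe3map
access-list 101 permit ip {lan} 0.0.0.255 {remote_lan} 0.0.0.255
"""


R1 = ios_config("R1", "Serial1/0", "196.1.95.254", "172.16.3.253", "192.168.1.0", "172.16.4.0")
R4 = ios_config("R4", "Serial1/2", "172.16.3.253", "196.1.95.254", "172.16.4.0", "192.168.1.0")

# Algorithms IOS still accepts but that current guidance treats as weak (this example's list).
WEAK = {"des", "3des", "md5", "group 1", "group 2", "group 5", "esp-des", "esp-3des", "esp-md5-hmac"}


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair (as in access-list 101) into an IPv4Network."""
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return IPv4Network(f"{addr}/{mask}")


def parse_crypto(config):
    """Extract from one IOS config the settings the two peers must agree on."""
    c = {"policy": {}, "transform": [], "acl": []}
    section, iface_ip = "", None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # a top-level statement opens a new section
            section, iface_ip = line, None
        if m := re.fullmatch(r"hostname (\S+)", line):
            c["hostname"] = m[1]
        elif m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", line):
            c["key"], c["key_peer"] = m[1], m[2]
        elif m := re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line):
            c["transform"] = m[1].split()
        elif m := re.fullmatch(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            c["map"] = m[1]
        elif m := re.fullmatch(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            c["acl"].append((m[1], wildcard_to_network(m[2], m[3]), wildcard_to_network(m[4], m[5])))
        elif section.startswith("crypto isakmp policy") and line != section:
            attr, _, value = line.partition(" ")   # e.g. "encr 3des", "group 5"
            c["policy"][attr] = value
        elif m := re.fullmatch(r"set peer (\S+)", line):
            c["peer"] = m[1]
        elif m := re.fullmatch(r"match address (\S+)", line):
            c["acl_id"] = m[1]
        elif m := re.fullmatch(r"ip address (\S+) \S+", line):
            iface_ip = m[1]
        elif section.startswith("interface") and line == f"crypto map {c.get('map')}":
            c["crypto_iface_ip"] = iface_ip     # the map is applied here: this is the tunnel endpoint
    # keep only the entries of the ACL that the crypto map actually references
    c["acl"] = [(src, dst) for acl_id, src, dst in c["acl"] if acl_id == c.get("acl_id")]
    return c


def check_side(a, b):
    """Direction-dependent checks: a's view of b, plus a's own algorithm choices."""
    f = []
    if a.get("peer") != b.get("crypto_iface_ip"):
        f.append(f"{a['hostname']}: set peer {a.get('peer')} is not the crypto-map interface of {b['hostname']}")
    if a.get("key_peer") != a.get("peer"):
        f.append(f"{a['hostname']}: isakmp key address {a.get('key_peer')} differs from set peer")
    if sorted(a["acl"]) != sorted((dst, src) for src, dst in b["acl"]):
        f.append(f"{a['hostname']}: crypto ACL is not the mirror image of {b['hostname']}'s")
    used = a["transform"] + [f"group {v}" if k == "group" else v for k, v in a["policy"].items()]
    f += [f"{a['hostname']}: weak algorithm {alg}" for alg in used if alg in WEAK]
    return f


def audit(config_a, config_b):
    """All findings for a pair of peers; an empty list means the two sides are consistent."""
    a, b = parse_crypto(config_a), parse_crypto(config_b)
    findings = check_side(a, b) + check_side(b, a)
    for name in ("key", "transform", "policy"):    # settings that must be identical on both sides
        if a.get(name) != b.get(name):
            findings.append(f"{name} differs between {a['hostname']} and {b['hostname']}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(R1, R4)) or "no findings")
```

Run as-is, the audit of R1 and R4 reports only the weak-algorithm warnings, because the peer addresses, the key binding and the two crypto ACLs are consistent; editing one side's access-list 101, set peer or pre-shared key makes the corresponding check fire, which is the kind of mismatch that otherwise only shows up as an SA that never comes up in show crypto ipsec sa.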
Verification:
The private networks can now reach the public networks:
But the reverse is not possible:

Likewise, the private networks cannot see each other:
In the rest of this lab we will set up a site-to-site VPN between private network 1 and private network 2:

The two private networks now communicate with each other:
Excerpt from the output of the "show crypto ipsec sa" command

Wireshark capture
The communications between the private networks are therefore encrypted.
