LAB-VPN IPSec GRE Backup

  • LAB-VPN IPSec GRE Backup

    Topology:
    Three emulated 2800 routers are used
    Lab requirements:
    - Cable the routers according to the diagram.
    - The HO and Branch routers are routers with VPN support.
    - A GRE IPsec tunnel will be created between the HO router and the Branch router.
    - The dynamic routing protocol EIGRP will be used between the routers.
    - The EIGRP metric will be manipulated so that EIGRP prefers the path through the leased line. This is done by configuring the delay parameter of the serial interfaces and the tunnel interfaces. The delay of the serial is 100. The delay of the tunnel interface is 500 (ms).
    - Redundancy relies on the characteristics of the IGP, in this case EIGRP. If the leased line fails, the branch router will see that there is still another path to the HO network through the tunnel.
    Attached Files
    Last edited by ngocky; 24-03-2008, 11:51 PM.

  • #2
    Router 1 (Head Office)
    ----------------------------
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    !
    !
    no ip dhcp use vrf connected
    !
    !
    no ip domain lookup
    no ip ips deny-action ips-interface
    !
    no ftp-server write-enable
    !
    !
    !
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key cisco address 194.168.123.7
    no crypto isakmp ccm
    !
    !
    crypto ipsec transform-set vnpro esp-3des
    !
    crypto map vnpro local-address FastEthernet0/0
    crypto map vnpro 10 ipsec-isakmp
    set peer 194.168.123.7
    set transform-set vnpro
    match address 100
    !
    !
    !
    !
    interface Tunnel0
    ip address 10.0.1.1 255.255.255.0
    delay 500
    tunnel source FastEthernet0/0
    tunnel destination 194.168.123.7
    crypto map vnpro
    !
    interface Loopback0
    ip address 10.0.0.1 255.255.255.0
    !
    interface FastEthernet0/0
    ip address 193.168.123.6 255.255.255.0
    delay 100
    duplex auto
    speed auto
    crypto map vnpro
    !
    interface FastEthernet0/1
    ip address 192.168.123.6 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial0/1/0
    no ip address
    shutdown
    clockrate 2000000
    !
    interface Serial0/2/0
    no ip address
    shutdown
    clockrate 2000000
    !
    router eigrp 100
    network 10.0.0.0
    network 192.168.123.0
    no auto-summary
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 193.168.123.7
    !
    !
    ip http server
    no ip http secure-server
    !
    access-list 100 permit gre host 193.168.123.6 host 194.168.123.7
    !
    !
    !
    control-plane
    !
    !
    !
    !
    line con 0
    exec-timeout 0 0
    logging synchronous
    line aux 0
    line vty 0 4
    privilege level 15
    no login
    line vty 5 15
    privilege level 15
    no login
    !
    end



    • #3
      Router 2 (Branch Office)
      ---------------------------
      version 12.3
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname Branch
      !
      boot-start-marker
      boot-end-marker
      !
      !
      no aaa new-model
      !
      resource policy
      !
      mmi polling-interval 60
      no mmi auto-configure
      no mmi pvc
      mmi snmp-timeout 180
      ip subnet-zero
      ip cef
      !
      !
      no ip dhcp use vrf connected
      !
      !
      no ip domain lookup
      no ip ips deny-action ips-interface
      !
      no ftp-server write-enable
      !
      !
      !
      crypto isakmp policy 1
      authentication pre-share
      crypto isakmp key cisco address 193.168.123.6
      no crypto isakmp ccm
      !
      !
      crypto ipsec transform-set mine esp-3des
      !
      crypto map gre-tunnel local-address FastEthernet0/0
      crypto map gre-tunnel 10 ipsec-isakmp
      set peer 193.168.123.6
      set transform-set mine
      match address 100
      !
      !
      !
      !
      interface Tunnel1
      ip address 10.0.1.2 255.255.255.0
      delay 500
      tunnel source 194.168.123.7
      tunnel destination 193.168.123.6
      crypto map gre-tunnel
      !
      interface Loopback0
      ip address 10.0.2.1 255.255.255.255
      !
      interface FastEthernet0/0
      ip address 194.168.123.7 255.255.255.0
      duplex auto
      speed auto
      crypto map gre-tunnel
      !
      interface FastEthernet0/1
      ip address 192.168.123.7 255.255.255.0
      delay 100
      duplex auto
      speed auto
      !
      interface Serial0/1/0
      no ip address
      shutdown
      no fair-queue
      clockrate 2000000
      !
      router eigrp 100
      network 10.0.1.0 0.0.0.255
      network 10.0.2.0 0.0.0.255
      network 192.168.123.0
      no auto-summary
      !
      ip classless
      ip route 0.0.0.0 0.0.0.0 194.168.123.6
      !
      !
      ip http server
      no ip http secure-server
      !
      access-list 100 permit gre host 194.168.123.7 host 193.168.123.6
      !
      !
      !
      !
      control-plane
      !
      !
      !
      line con 0
      password cisco
      login
      line aux 0
      line vty 0 4
      password cisco
      login
      line vty 5 15
      password cisco
      login
      !
      end

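An added consistency check for the two configurations above (this is not code from the posts or from VnPro): it reads the crypto-relevant lines of the R1 and Branch configs and reports whether the tunnel endpoints, the IPsec peers and the GRE access lists mirror each other, and whether the transform set carries an ESP integrity algorithm (esp-3des alone encrypts but does not authenticate the packets). The regex table and field names are my own; the config values are the ones posted.

```python
import re

# Crypto-relevant excerpts of the R1 and Branch configs posted above (values
# copied from the posts; unrelated lines trimmed).
R1 = """crypto ipsec transform-set vnpro esp-3des
 set peer 194.168.123.7
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 194.168.123.7
interface FastEthernet0/0
 ip address 193.168.123.6 255.255.255.0
access-list 100 permit gre host 193.168.123.6 host 194.168.123.7"""

BRANCH = """crypto ipsec transform-set mine esp-3des
 set peer 193.168.123.6
interface Tunnel1
 tunnel source 194.168.123.7
 tunnel destination 193.168.123.6
interface FastEthernet0/0
 ip address 194.168.123.7 255.255.255.0
access-list 100 permit gre host 194.168.123.7 host 193.168.123.6"""

PATTERNS = {
    "src": r"tunnel source (\S+)", "dst": r"tunnel destination (\S+)",
    "peer": r"set peer (\S+)", "ts": r"crypto ipsec transform-set \S+ (.+)",
    "acl": r"access-list \d+ permit gre host (\S+) host (\S+)",
}

def parse(cfg):
    """Extract tunnel endpoints, IPsec peer, transform set and GRE ACL from one config."""
    p, ifaces, cur = {}, {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line): cur = m.group(1)
        elif m := re.match(r"ip address (\S+)", line): ifaces[cur] = m.group(1)
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line): p[key] = m.groups() if key == "acl" else m.group(1)
    p["ts"] = p["ts"].split()                  # e.g. ['esp-3des']
    p["src"] = ifaces.get(p["src"], p["src"])  # 'tunnel source <interface>' -> that interface's IP
    return p

def audit(a, b):
    """Findings for the pair of ends; an empty list means they mirror each other cleanly."""
    out = []
    for name, x, y in (("A", a, b), ("B", b, a)):
        if x["peer"] != x["dst"]: out.append(f"{name}: peer {x['peer']} != tunnel destination {x['dst']}")
        if x["acl"] != (x["src"], x["dst"]): out.append(f"{name}: ACL {x['acl']} does not match GRE endpoints")
        if x["dst"] != y["src"]: out.append(f"{name}: destination {x['dst']} is not the far end's source {y['src']}")
        if not any(t.endswith("-hmac") for t in x["ts"]): out.append(f"{name}: transform set {x['ts']} has no ESP integrity")
    return out
```

For the posted configs the endpoint, peer and ACL checks all pass, and the only findings are the two missing-integrity warnings (adding esp-sha-hmac to each transform set would clear them).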


      • #4
        Verifying operation:

        Use the command "show crypto isakmp sa" to check that the VPN channel has been established

        R1#show crypto isakmp sa
        dst src state conn-id slot status
        194.168.123.7 193.168.123.6 QM_IDLE 1 0 ACTIVE

        Branch#show crypto isakmp sa
        dst src state conn-id slot status
        194.168.123.7 193.168.123.6 QM_IDLE 1 0 ACTIVE

        Note: "QM_IDLE" in the State column means the VPN channel has been established
        Use the command "show crypto engine connections active"

        R1#show crypto engine connections active

        ID Interface IP-Address State Algorithm Encrypt Decrypt
        1 Tunnel0 10.0.1.1 set HMAC_SHA+DES_56_CB 0 0
        3001 Tunnel0 193.168.123.6 set 3DES 42 0
        3004 Tunnel0 193.168.123.6 set 3DES 0 42


        Branch#show crypto engine connections active

        ID Interface IP-Address State Algorithm Encrypt Decrypt
        1 FastEthernet0/0 194.168.123.7 set HMAC_SHA+DES_56_CB 0 0
        3001 FastEthernet0/0 194.168.123.7 set 3DES 66 0
        3004 FastEthernet0/0 194.168.123.7 set 3DES 0 67



        • #5
          ok testtttt



          • #6
            Hello,

            Could you upload the image? I can't open the image to view it.
            Thanks



            • #7
              Could you re-upload the LAB diagram for me? Thanks!



              • #8
                A question: after configuring according to the LAB guide, I got the following results

                - Before shutting down int s1/0

                Code:
                Jul 22 18:03:04.135: %SYS-5-CONFIG_I: Configured from console by console
                CENTER#traceroute 10.0.2.1 source 10.0.0.1
                
                Type escape sequence to abort.
                Tracing the route to 10.0.2.1
                
                  1 192.168.123.7 76 msec *  16 msec
                CENTER#
                Jul 22 18:03:13.487: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded
                CENTER#
                Jul 22 18:03:17.127: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency
                CENTER#
                ==> I don't know why the int tunnel 1 keeps going down and up

                Code:
                BRANCH#
                Jul 22 18:03:14.759: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
                        (ip) vrf/dest_addr= /194.168.123.6, src_addr= 193.168.123.6, prot= 47
                BRANCH#traceroute 10.0.0.1 source 10.0.2.1
                
                Type escape sequence to abort.
                Tracing the route to 10.0.0.1
                
                  1 192.168.123.6 40 msec *  20 msec
                BRANCH#
                - After shutting down int s1/0

                Code:
                CENTER(config)#int s1/0
                CENTER(config-if)#sh
                CENTER(config-if)#shutdown 
                CENTER(config-if)#
                Jul 22 17:52:46.235: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.123.7 (Serial1/0) is down: interface down
                CENTER(config-if)#
                Jul 22 17:52:48.159: %LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
                CENTER(config-if)#
                Jul 22 17:52:48.159: %ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down 
                Jul 22 17:52:49.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
                CENTER(config-if)#shutdown ^Z
                CENTER#traceroute 10.0.2.1 source 10.0.0.1
                Jul 22 17:53:02.671: %SYS-5-CONFIG_I: Configured from console by console
                CENTER#traceroute 10.0.2.1 source 10.0.0.1
                
                Type escape sequence to abort.
                Tracing the route to 10.0.2.1
                
                  1  *  *  * 
                  2  *  *  * 
                  3  *  *  * 
                  4 
                Jul 22 17:53:31.991: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded *  * 
                Jul 22 17:53:35.979: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency * 
                  5  *  *  * 
                  6  *  *  * 
                  7  *  *  * 
                  8  *  *  * 
                  9  *  *  * 
                 10  *  *  * 
                 11  *  *  * 
                 12  *  *  * 
                 13  * 
                Jul 22 17:54:55.495: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded * 
                Jul 22 17:54:59.867: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency * 
                 14  *  *  * 
                 15  *  *  * 
                 16  *  *  * 
                 17  *  *  * 
                 18  *  *  * 
                 19  *  *  * 
                 20  *  *  * 
                 21  *  *  * 
                 22  *  * 
                Jul 22 17:56:19.383: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded * 
                 23 
                Jul 22 17:56:21.987: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency *  *  * 
                 24  *  *  * 
                 25  *  *  * 
                 26 
                CENTER#
                Jul 22 17:57:41.503: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded
                CENTER#
                Jul 22 17:57:44.771: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency
                CENTER#
                Jul 22 17:59:04.291: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is down: retry limit exceeded
                CENTER#
                Jul 22 17:59:08.911: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.0.1.2 (Tunnel1) is up: new adjacency
                Could you all give me your comments on the results above!:X
                Last edited by lenhung; 22-07-2011, 07:07 PM.
