
LAB REPORT Comp2105

Site-Site IPSec using Pre-Shared Keys

SECTION B

Site-Site IPSec using Pre-Shared Keys:

Objective:
The purpose of this lab was to set up a site-to-site VPN (Virtual Private Network) using IPSec, comparing the AH protocol with DES encryption (ESP).

Requirement:
Two 1800 series Cisco routers, one for each VPN site; a 2600 series Cisco router can be used as the Internet router. Because a switch was needed on the Toronto side, we used an 1801 router, which has built-in switch ports.

Procedure:
In this scenario we set up a VPN between the Toronto and Vancouver routers. The steps were as follows. *The configuration shown is for the Toronto router; the same configuration was applied to the Vancouver router, and the commands that differ on the Vancouver side are listed at each step.

1. Prepare to configure Virtual Private Network (VPN) support
2. Configure Internet Key Exchange (IKE) phase one
3. Configure IPSec parameters (phase two)
4. Configure IKE parameters and verify the IKE and IP Security (IPSec) configuration
5. Verify and test the IPSec configuration

Step 1: Prepare to Configure VPN Support

1. Set up the lab scenario
2. Disable wireless access and any other connections
3. Assign IP settings
4. Test connectivity between the two VPN terminators

Step 2: Configure IKE Parameters

1. Enable IKE/ISAKMP on the router with crypto isakmp enable in configuration mode.
2. Create an IKE policy that uses pre-shared keys by completing the following sub-steps:

a. Set the policy priority and enter config-isakmp mode.

Toronto(config)#crypto isakmp policy 110

b. Set the authentication method to pre-shared keys for this VPN.

Toronto(config-isakmp)#authentication pre-share

c. Set the IKE encryption algorithm (here Triple DES, from the Data Encryption Standard family).

Toronto(config-isakmp)#encryption 3des

d. Set the Diffie-Hellman group.

Toronto(config-isakmp)#group 1

e. Set the hash algorithm; Message Digest 5 is selected here.

Toronto(config-isakmp)#hash md5

f. Set the IKE security association (SA) lifetime to 24 hours (86400 seconds).

Toronto(config-isakmp)#lifetime 86400

g. Set up the pre-shared key and the peer address.

Toronto(config)#crypto isakmp key cisco1234 address 120.1.1.2

*Configuration for the Vancouver router in step g is as follows:

Vancouver(config)#crypto isakmp key cisco1234 address 110.1.1.1

Step 3: Configure IPSec Parameters

1. Configure transform sets and security association parameters.

Toronto(config)#crypto ipsec transform-set mine ah-md5-hmac

Set the mode to tunnel.

Toronto(cfg-crypto-trans)#mode tunnel

Check the configuration.

Toronto#show crypto ipsec transform-set mine

Configure the crypto access list. The ACL selects the traffic between the perimeter routers that is to be encrypted; use the following parameters:

Toronto(config)#access-list 120 permit ip host 192.168.2.1 host 10.1.1.2

*Configuration for the Vancouver router in this step is as follows:

Vancouver(config)#access-list 120 permit ip host 10.1.1.2 host 192.168.2.1

2. Configure the crypto map. Set the name of the map, the map sequence number, and the type of key exchange to be used.

Toronto(config)#crypto map mymap 10 ipsec-isakmp

Specify the extended ACL to use with this map.

Toronto(config-crypto-map)#match address 120

Specify the transform set defined earlier.

Toronto(config-crypto-map)#set transform-set mine

Assign the VPN peer using the host name or IP address of the peer.

Toronto(config-crypto-map)#set peer 120.1.1.2
Vancouver(config-crypto-map)#set peer 110.1.1.1

3. Apply the crypto map to an interface.

Toronto(config)#interface vlan 1

Assign the crypto map to the interface.

Toronto(config-if)#crypto map mymap

*Configuration for the Vancouver router in this step is as follows:

Vancouver(config)#interface Ethernet 0
Vancouver(config-if)#crypto map mymap


Analyzer:
To compare the two IPSec options we needed a traffic analyzer. On the Toronto side we used an 1801 Cisco router, which has switch ports, and configured a SPAN session on it (the monitor session commands in the running configuration below) so that the analyzer could capture the VPN traffic.

Toronto (1801 Router)


Toronto#show run
Building configuration...

Current configuration : 1514 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Toronto
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
monitor session 1 source interface Fa1
monitor session 1 destination interface Fa2
!
resource policy
!
!
!
ip cef
!
!
!
!
!
!
!
!
crypto isakmp policy 110
 authentication pre-share
!
crypto isakmp policy 111
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco1 address 120.1.1.2
!
!
crypto ipsec transform-set mine esp-des
crypto ipsec transform-set mine1 ah-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 120.1.1.2
 set transform-set mine
 match address 120
!
!
!
interface FastEthernet0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
!
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Vlan1
 ip address 110.1.1.1 255.255.255.0
 crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 110.1.1.2
!
!
no ip http server
no ip http secure-server
!
access-list 120 permit ip host 192.168.2.1 host 10.1.1.2
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Vancouver (1801 Router)


Vancouver#show run
Building configuration...

Current configuration : 1375 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Vancouver
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
!
!
!
!
!
!
crypto isakmp policy 111
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco1 address 110.1.1.1
!
!
crypto ipsec transform-set mine esp-des
crypto ipsec transform-set mine1 ah-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 110.1.1.1
 set transform-set mine
 match address 120
!
!
!
!
interface FastEthernet0
 ip address 120.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 120.1.1.1
!
!
no ip http server
no ip http secure-server
!
access-list 120 permit ip host 10.1.1.2 host 192.168.2.1
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

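As an added consistency check (this Python script is not part of the lab; its config excerpt is constructed from the crypto-related lines of the running configurations above, and the Vancouver side is derived as the procedure describes), the following parses both sides and verifies what a working tunnel depends on: the pre-shared key address matches the crypto map peer, the referenced transform set exists, the two crypto ACLs are mirror images of each other, and the DES, 3DES and MD5 choices made in this lab are flagged as weak.

```python
import re

# Constructed excerpt modelled on the lab's Toronto "show run"; Vancouver is derived
# the way the lab describes: same configuration with peer address and ACL mirrored.
TORONTO = """crypto isakmp policy 111
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco1 address 120.1.1.2
crypto ipsec transform-set mine esp-des
crypto map mymap 10 ipsec-isakmp
 set peer 120.1.1.2
 set transform-set mine
 match address 120
access-list 120 permit ip host 192.168.2.1 host 10.1.1.2"""
VANCOUVER = TORONTO.replace("120.1.1.2", "110.1.1.1").replace(
    "host 192.168.2.1 host 10.1.1.2", "host 10.1.1.2 host 192.168.2.1")

WEAK = {"des", "3des", "md5", "esp-des", "ah-md5-hmac"}  # deprecated IKE/IPSec algorithms

def parse(cfg):
    """Extract the fields that must line up between the two VPN peers."""
    f = lambda pat: (re.search(pat, cfg, re.M) or [None, None])[1]
    acl = re.search(r"^access-list (\d+) permit ip host (\S+) host (\S+)", cfg, re.M)
    return {
        "encr": f(r"^ encr (\S+)") or "des",  # IOS defaults when the policy omits them
        "hash": f(r"^ hash (\S+)") or "sha",
        "key_addr": f(r"^crypto isakmp key \S+ address (\S+)"),
        "peer": f(r"^ set peer (\S+)"),
        "tset": f(r"^ set transform-set (\S+)"),
        "tsets": dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)),
        "acl": acl.groups() if acl else (None, None, None),  # (number, source, destination)
    }

def audit(local, remote):
    """Findings for one site: key/peer mismatch, dangling transform set, unmirrored ACL, weak algorithms."""
    a, b = parse(local), parse(remote)
    findings = []
    if a["key_addr"] != a["peer"]:
        findings.append("pre-shared key address does not match crypto map peer")
    if a["tset"] not in a["tsets"]:
        findings.append("crypto map references an undefined transform-set")
    if a["acl"][1:] != (b["acl"][2], b["acl"][1]):  # remote ACL must be the mirror image
        findings.append("crypto ACL is not the mirror image of the remote ACL")
    for alg in (a["encr"], a["hash"], a["tsets"].get(a["tset"], "")):
        if alg in WEAK:
            findings.append(f"weak algorithm in use: {alg}")
    return findings
```

Run against the two constructed sides, the structural checks pass and only the three algorithm findings remain; feeding the same side in as both local and remote reproduces the unmirrored-ACL error a copied-rather-than-mirrored ACL would cause.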

Observation:
Our group was able to implement the IPSec VPN successfully and ping between the two sites, and by using Wireshark on the analyzer we could compare AH and DES. At first we set up AH and recognized that it is not secure: we were able to see all the information in Wireshark, but with the DES configuration it was impossible to find any information; therefore, DES is more secure.
