13장. VPN 중부대학교 정보보호학과 이병천 교수

네트워크의 종류 공중망(Public Network) 사설망(Private Network) 가격이 저렴 네트워크를 공동으로 이용. 보안에 취약 사설망(Private Network) 공중망보다 가격이 비쌈 네트워크를 독립적으로 이용. 보안성이 우수 가상사설망(Virtual Private Network, VPN) 공중망에서 터널링 기술을 이용하여 사설망처럼 이용할 수 있도록 하는 기술 값싸게 보안통신을 이용할 수 있음

VPN의 응용 안전한 기업 업무환경 구축 VoIP 네트워크: 인터넷전화 IPTV, 비디오 회의 본사-지사간의 안전한 네트워크 연결 재택근무: 집에서 회사 서버에 안전하게 접속 필요 VoIP 네트워크: 인터넷전화 IPTV, 비디오 회의

VPN의 종류 GRE(Generic Route Encapsulation) DMVPN(Dynamic Multipoint VPN) MPLS(multiprotocol label switching) SSL(secure socket layer)

IPSec VPN vs. SSL VPN

IPSec VPN vs. SSL VPN

VPN의 보안 기능 암호프로토콜 이용하여 인증, 보안, 기밀성 유지 키의 이용 암호 알고리즘 대칭키 암호화 (Symmetric Encryption): PSK(Pre-shared key) – 공유키 이용 디피-헬만(Diffie-Hellman) – 온라인 키합의 방식 비대칭키 암호화 (Asymmetric Encryption): 인증서 이용 암호 알고리즘 대칭키 암호: DES, 3DES, AES 비대칭키 암호: RSA 해쉬암고리즘: HMAC, MD5, SHA-1

VPN의 보안 기능 연결되는 장치간의 인증 및 보안연계(SA, security association) 프로토콜 ISAKMP (Internet security association and key management protocol) IKE (Internet key exchange) 인증 및 암호화 프로토콜 AH(Authentication Header): 데이터의 인증 및 무결성 ESP(Encapsulation Security Payload): 데이터 암호화

AH, ESP ESP 헤더 AH 헤더

그림13-1. VPN 실습 토폴로지

라우터 설정 R2(config)#interface FastEthernet0/0 R2(config-if)#no shutdown R2(config-if)#ip address 12.12.12.1 255.255.255.0 R2(config-if)#exit R2(config)#interface Serial0/3/0 R2(config-if)#ip address 203.230.7.2 255.255.255.0 R2(config)#interface Serial0/3/1 R2(config-if)#clock rate 1000000 R2(config-if)#ip address 150.183.235.1 255.255.255.0 R2(config)#int lo 0 R2(config-if)#ip add 2.2.2.2 255.255.255.0 R2(config)#router ospf 7 R2(config-router)#network 2.2.2.2 0.0.0.0 a 0 R2(config-router)#network 12.12.12.1 0.0.0.0 a 0 R2(config-router)#network 203.230.7.2 0.0.0.0 a 0 R2(config-router)#network 150.183.235.1 0.0.0.0 a 0 R1(config)#interface FastEthernet0/0 R1(config-if)#no shutdown R1(config-if)#ip address 11.11.11.1 255.255.255.0 R1(config-if)#exit R1(config)#interface FastEthernet0/1 R1(config-if)#ip address 21.21.21.1 255.255.255.0 R1(config)#interface Serial0/3/0 R1(config-if)#clock rate 1000000 R1(config-if)#ip address 203.230.7.1 255.255.255.0 R1(config)#int lo 0 R1(config-if)#ip add 1.1.1.1 255.255.255.0 R1(config)#router ospf 7 R1(config-router)#network 1.1.1.1 0.0.0.0 a 0 R1(config-router)#network 11.11.11.1 0.0.0.0 a 0 R1(config-router)#network 21.21.21.1 0.0.0.0 a 0 R1(config-router)#network 203.230.7.1 0.0.0.0 a 0 R3(config)#interface FastEthernet0/0 R3(config-if)#no shutdown R3(config-if)#ip address 13.13.13.1 255.255.255.0 R3(config-if)#exit R3(config)#interface FastEthernet0/1 R3(config-if)#ip address 23.23.23.1 255.255.255.0 R3(config)#interface Serial0/3/0 R3(config-if)#ip address 150.183.235.2 255.255.255.0 R3(config)#int lo 0 R3(config-if)#ip add 3.3.3.3 255.255.255.0 R3(config)#router ospf 7 R3(config-router)#network 3.3.3.3 0.0.0.0 a 0 R3(config-router)#network 13.13.13.1 0.0.0.0 a 0 R3(config-router)#network 23.23.23.1 0.0.0.0 a 0 R3(config-router)#network 150.183.235.2 0.0.0.0 a 0

라우팅 테이블 확인 R1#show ip route 1.0.0.0/24 is subnetted, 1 subnets C 1.1.1.0 is directly connected, Loopback0 2.0.0.0/32 is subnetted, 1 subnets O 2.2.2.2 [110/65] via 203.230.7.2, 16:22:43, Serial0/3/0 3.0.0.0/32 is subnetted, 1 subnets O 3.3.3.3 [110/129] via 203.230.7.2, 00:11:12, Serial0/3/0 11.0.0.0/24 is subnetted, 1 subnets C 11.11.11.0 is directly connected, FastEthernet0/0 12.0.0.0/24 is subnetted, 1 subnets O 12.12.12.0 [110/65] via 203.230.7.2, 16:22:43, Serial0/3/0 13.0.0.0/24 is subnetted, 1 subnets O 13.13.13.0 [110/129] via 203.230.7.2, 00:11:12, Serial0/3/0 21.0.0.0/24 is subnetted, 1 subnets C 21.21.21.0 is directly connected, FastEthernet0/1 23.0.0.0/24 is subnetted, 1 subnets O 23.23.23.0 [110/129] via 203.230.7.2, 00:11:12, Serial0/3/0 150.183.0.0/24 is subnetted, 1 subnets O 150.183.235.0 [110/128] via 203.230.7.2, 00:13:17, Serial0/3/0 C 203.230.7.0/24 is directly connected, Serial0/3/0 R2#show ip route 1.0.0.0/32 is subnetted, 1 subnets O 1.1.1.1 [110/65] via 203.230.7.1, 16:23:51, Serial0/3/0 2.0.0.0/24 is subnetted, 1 subnets C 2.2.2.0 is directly connected, Loopback0 3.0.0.0/32 is subnetted, 1 subnets O 3.3.3.3 [110/65] via 150.183.235.2, 00:12:24, Serial0/3/1 11.0.0.0/24 is subnetted, 1 subnets O 11.11.11.0 [110/65] via 203.230.7.1, 16:23:51, Serial0/3/0 12.0.0.0/24 is subnetted, 1 subnets C 12.12.12.0 is directly connected, FastEthernet0/0 13.0.0.0/24 is subnetted, 1 subnets O 13.13.13.0 [110/65] via 150.183.235.2, 00:12:24, Serial0/3/1 21.0.0.0/24 is subnetted, 1 subnets O 21.21.21.0 [110/65] via 203.230.7.1, 16:23:51, Serial0/3/0 23.0.0.0/24 is subnetted, 1 subnets O 23.23.23.0 [110/65] via 150.183.235.2, 00:12:24, Serial0/3/1 150.183.0.0/24 is subnetted, 1 subnets C 150.183.235.0 is directly connected, Serial0/3/1 C 203.230.7.0/24 is directly connected, Serial0/3/0 R3#show ip route 1.0.0.0/32 is subnetted, 1 subnets O 1.1.1.1 [110/129] via 150.183.235.1, 00:13:57, Serial0/3/0 2.0.0.0/32 is subnetted, 1 subnets O 2.2.2.2 [110/65] via 150.183.235.1, 00:13:57, Serial0/3/0 3.0.0.0/24 is subnetted, 1 subnets C 3.3.3.0 is directly connected, Loopback0 11.0.0.0/24 is subnetted, 1 subnets O 11.11.11.0 [110/129] via 150.183.235.1, 00:13:57, Serial0/3/0 12.0.0.0/24 is subnetted, 1 subnets O 12.12.12.0 [110/65] via 150.183.235.1, 00:13:57, Serial0/3/0 13.0.0.0/24 is subnetted, 1 subnets C 13.13.13.0 is directly connected, FastEthernet0/0 21.0.0.0/24 is subnetted, 1 subnets O 21.21.21.0 [110/129] via 150.183.235.1, 00:13:57, Serial0/3/0 23.0.0.0/24 is subnetted, 1 subnets C 23.23.23.0 is directly connected, FastEthernet0/1 150.183.0.0/24 is subnetted, 1 subnets C 150.183.235.0 is directly connected, Serial0/3/0 O 203.230.7.0/24 [110/128] via 150.183.235.1, 00:13:57, Serial0/3/0

GRE 터널링 GRE(Generic Route Encapsulation) - Cisco 에서 개발한 터널링 프로토콜 Tunnel 12 Tunnel 21 Tunnel 32 Tunnel 23 GRE(Generic Route Encapsulation) - Cisco 에서 개발한 터널링 프로토콜

터널 설정 방법 R1(config)#int tunnel 12 터널 인터페이스 생성 R1(config-if)#ip add 163.180.116.1 255.255.255.0 터널 인터페이스의 IP주소 설정 R1(config-if)#tunnel source s0/3/0 터널은 가상 인터페이스를 사용하는데 실제 패킷이 전송될 물리적 인터페이스를 설정 R1(config-if)#tunnel destination 203.230.7.2 터널의 도착지 주소 설정 R1(config-if)#exit

터널 설정 방법 각 라우터에 터널링에 이용할 루프백 인터페이스 1번 추가 - 111.111.111.1/24 - 122.122.122.1/24 - 133.133.133.1/24 터널링 설정 - Tunnel 12: 163.180.116.1 - Tunnel 21: 163.180.116.2 - Tunnel 23: 163.180.117.1 - Tunnel 32: 163.180.117.2 터널간 RIPv2 를 이용해 라우팅 설정 122.122.122.1/24 163.180.116.1 163.180.116.2 163.180.117.1 163.180.117.2 133.133.133.1/24

터널 설정 Rip version 2 라우팅 설정 터널 설정 터널 설정 R1(config)#int tunnel 12 R1(config-if)#ip add 163.180.116.1 255.255.255.0 R1(config-if)#tunnel source s0/3/0 R1(config-if)#tunnel destination 203.230.7.2 R1(config-if)#exit 터널 설정 R2(config)#interface tunnel 21 R2(config-if)#ip add 163.180.116.2 255.255.255.0 R2(config-if)#tunnel source s0/3/0 R2(config-if)#tunnel destination 203.230.7.1 R2(config-if)#exit R1(config)#int lo 1 R1(config-if)#ip add 111.111.111.1 255.255.255.0 R1(config-if)#exit R1(config)#router rip R1(config-router)#version 2 R1(config-router)#no auto-summary R1(config-router)#network 111.111.111.1 R1(config-router)#network 163.180.116.1 R1(config-router)#exit R2(config-if)#interface tunnel 23 R2(config-if)#ip add 163.180.117.1 255.255.255.0 R2(config-if)#tunnel source s0/3/1 R2(config-if)#tunnel destination 150.183.235.2 R2(config-if)#exit 터널 설정 R3(config)#interface tunnel 32 R3(config-if)#ip add 163.180.117.2 255.255.255.0 R3(config-if)#tunnel source s0/3/0 R3(config-if)#tunnel destination 150.183.235.1 R3(config-if)#exit R2(config)#int lo 1 R2(config-if)#ip add 122.122.122.1 255.255.255.0 R2(config-if)#exit R2(config)#router rip R2(config-router)#version 2 R2(config-router)#no auto-summary R2(config-router)#network 122.122.122.1 R2(config-router)#network 163.180.116.2 R2(config-router)#network 163.180.117.1 R2(config-router)#exit R3(config)#int lo 1 R3(config-if)#ip add 133.133.133.1 255.255.255.0 R3(config-if)#exit R3(config)#router rip R3(config-router)#version 2 R3(config-router)#no auto-summary R3(config-router)#network 133.133.133.1 R3(config-router)#network 163.180.117.2 R3(config-router)#exit Rip version 2 라우팅 설정

터널링 결과 – 라우팅테이블 OSPF – 물리적 인터페이스에 설정 RIP – 가상 터널인터페이스에 설정 R1#show ip route rip 122.0.0.0/24 is subnetted, 1 subnets R 122.122.122.0 [120/1] via 163.180.116.2, 00:00:22, Tunnel12 133.133.0.0/24 is subnetted, 1 subnets R 133.133.133.0 [120/2] via 163.180.116.2, 00:00:22, Tunnel12 163.180.0.0/24 is subnetted, 2 subnets R 163.180.117.0 [120/1] via 163.180.116.2, 00:00:22, Tunnel12 R2#show ip route rip 111.0.0.0/24 is subnetted, 1 subnets R 111.111.111.0 [120/1] via 163.180.116.1, 00:00:22, Tunnel21 133.133.0.0/24 is subnetted, 1 subnets R 133.133.133.0 [120/1] via 163.180.117.2, 00:00:02, Tunnel23 R3#show ip route rip 111.0.0.0/24 is subnetted, 1 subnets R 111.111.111.0 [120/2] via 163.180.117.1, 00:00:17, Tunnel32 122.0.0.0/24 is subnetted, 1 subnets R 122.122.122.0 [120/1] via 163.180.117.1, 00:00:17, Tunnel32 163.180.0.0/24 is subnetted, 2 subnets R 163.180.116.0 [120/1] via 163.180.117.1, 00:00:17, Tunnel32 OSPF – 물리적 인터페이스에 설정 RIP – 가상 터널인터페이스에 설정

터널링 결과 - Traceroute 물리 인터페이스를 통해 연결 터널 인터페이스를 통해 연결 R1#traceroute 13.13.13.2 Type escape sequence to abort. Tracing the route to 13.13.13.2 1 203.230.7.2 9 msec 3 msec 4 msec 2 150.183.235.2 7 msec 11 msec 8 msec 3 13.13.13.2 16 msec 15 msec 15 msec 물리 인터페이스를 통해 연결 R1#traceroute 133.133.133.1 Type escape sequence to abort. Tracing the route to 133.133.133.1 1 163.180.116.2 15 msec 1 msec 3 msec 2 163.180.117.2 9 msec 20 msec 4 msec 터널 인터페이스를 통해 연결

터널링을 통한 트래픽 분산과 제어 PC1과 PC2 사이의 통신은 터널을 통해 이루어지도록 설정

라우터 설정 R1(config)#interface FastEthernet0/0 R1(config-if)#no shutdown R1(config-if)#ip address 1.1.1.1 255.255.255.0 R1(config-if)#exit R1(config)#interface Serial0/3/0 R1(config-if)#clock rate 1000000 R1(config-if)#ip address 203.230.7.1 255.255.255.0 R1(config)#router rip R1(config-router)#version 2 R1(config-router)#network 1.1.1.0 R1(config-router)#network 203.230.7.0 R1(config-router)#network 150.183.235.0 R1(config-router)#exit R1(config)#int tunnel 1 R1(config-if)#ip add 150.183.235.1 255.255.255.0 R1(config-if)#tunnel source s0/3/0 R1(config-if)#tunnel destination 203.230.7.2 R1(config)#ip route 2.2.2.0 255.255.255.0 150.183.235.2 R2(config)#interface FastEthernet0/0 R2(config-if)#no shutdown R2(config-if)#ip address 2.2.2.1 255.255.255.0 R2(config-if)#exit R2(config)#interface Serial0/3/0 R2(config-if)#ip address 203.230.7.2 255.255.255.0 R2(config)#router rip R2(config-router)#version 2 R2(config-router)#network 2.2.2.0 R2(config-router)#network 203.230.7.0 R2(config-router)#network 150.183.235.0 R2(config-router)#exit R2(config)#int tunnel 2 R2(config-if)#ip add 150.183.235.2 255.255.255.0 R2(config-if)#tunnel source s0/3/0 R2(config-if)#tunnel destination 203.230.7.1 R2(config)#ip route 1.1.1.0 255.255.255.0 150.183.235.1

경로 확인 목적지가 203.230.7.2인 경우에는 물리적인 인터페이스로 연결 PC>tracert 203.230.7.2 Tracing route to 203.230.7.2 over a maximum of 30 hops: 1 6 ms 5 ms 4 ms 1.1.1.1 2 10 ms 4 ms 17 ms 203.230.7.2 Trace complete. PC>tracert 2.2.2.2 Tracing route to 2.2.2.2 over a maximum of 30 hops: 1 3 ms 2 ms 3 ms 1.1.1.1 2 10 ms 2 ms 4 ms 150.183.235.2 3 10 ms 12 ms 8 ms 2.2.2.2 목적지가 203.230.7.2인 경우에는 물리적인 인터페이스로 연결 목적지가 2.2.2.2인 경우에는 터널 인터페이스로 연결

GRE + IPSec VPN GRE 터널링은 데이터 보안성이 없음 IPSec VPN을 GRE와 함께 사용하여 보안성 향상 가능 ISAKMP 정책 Authentication: pre-share Encryption: AES 256 Hash: sha Lifetime: 3600초 IPSec 정책 대상트래픽: 각 라우터의 시리얼 인터페이스를 통해 나가는 모 든 트래픽 Encapsulation: esp-3des Encryption: esp-aes 256 Hash: esp-md5-hmac

GRE + IPSec VPN 그림 13-4. GRE 터널을 이용한 IPSec VPN 설정 토폴로지 ipsec transform-set STRONG Crypto map VPN1 ACL 110 Crypto map VPN2 ACL 120 2901 라우터 이용

라우터 설정 포트별 ip주소 설정 터널 설정 License 설정 저장, 재부팅 Isakmp policy 설정 교재 내용에 에러 있으니 주의 포트별 ip주소 설정 터널 설정 License 설정 저장, 재부팅 Isakmp policy 설정 Ipsec transform-set 설정 (name: STRONG) Isakmp key 설정 (key: cisco123) Crypto map 설정 (name: VPN) Access-list 설정 인터페이스에 VPN 설정 라우팅

R1 포트별 ip주소 설정 터널 설정 Router(config)#hostname R1 R1(config)#interface GigabitEthernet0/0 R1(config-if)#no shutdown R1(config-if)#ip address 203.230.7.1 255.255.255.0 R1(config-if)#exit R1(config)#interface GigabitEthernet0/1 R1(config-if)#ip address 203.230.8.1 255.255.255.0 R1(config)#interface Serial0/0/0 R1(config-if)#clock rate 1000000 R1(config-if)#ip address 203.230.9.1 255.255.255.0 R1(config)#int tunnel 12 R1(config-if)#ip add 10.10.10.1 255.255.255.0 R1(config-if)#tunnel source s0/0/0 R1(config-if)#tunnel destination 203.230.9.2

R1 License 설정 저장, 재부팅 R1(config)#license boot module c2900 technology-package securityk9 PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH PRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND BY ALL THE TERMS SET FORTH HEREIN. Use of this product feature requires an additional license from Cisco, together with an additional payment. You may use this product feature on an evaluation basis, without payment to Cisco, for 60 days. Your use of the product, including during the 60 day evaluation period, is ………………… ACCEPT? [yes/no]: y % use 'write' command to make license boot config take effect on next boot %LICENSE-6-EULA_ACCEPTED: EULA for feature securityk9 1.0 has been accepted. UDI=CISCO2901/K9:FTX1524VE24-; StoreIndex=0:Evaluation License Storage R1(config)#: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C2900 Next reboot level = securityk9 and License = securityk9 R1(config)#do write Building configuration... [OK] R1(config)#exit R1#reload Proceed with reload? [confirm]ySystem Bootstrap, Version 15.1(4)M4, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 2010 by cisco Systems, Inc. Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB CISCO2901/K9 platform with 524288 Kbytes of main memory Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC disabled

R1 Isakmp policy 설정 Ipsec transform-set 설정 (name: STRONG) Isapkm key 설정 (key: cisco123) Crypto map 설정 (name: VPN) Access-list 설정 인터페이스에 VPN 설정 라우팅 설정 R1 R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption aes 256 R1(config-isakmp)#authentication pre-share R1(config-isakmp)#lifetime 36000 R1(config-isakmp)#hash sha R1(config-isakmp)#exit R1(config)#crypto ipsec transform-set STRONG esp-3des esp-md5-hmac R1(config)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 R1(config)#crypto map VPN1 110 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. R1(config-crypto-map)#set peer 203.230.9.2 R1(config-crypto-map)#set transform-set STRONG R1(config-crypto-map)#match address 110 R1(config-crypto-map)#exit R1(config)#access-list 110 permit gre host 203.230.9.1 host 203.230.9.2 R1(config)#int s0/0/0 R1(config-if)#crypto map VPN1 *Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON R1(config-if)#exit R1(config)# R1(config)#router ospf 7 R1(config-router)#network 203.230.7.1 0.0.0.0 area 0 R1(config-router)#network 203.230.8.1 0.0.0.0 area 0 R1(config-router)#network 203.230.9.1 0.0.0.0 area 0 R1(config-router)#network 10.10.10.1 0.0.0.0 area 0 R1(config-router)#exit Isakmp policy 설정 Ipsec transform-set 설정 (name: STRONG) Isapkm key 설정 (key: cisco123) Crypto map 설정 (name: VPN1) Access-list 설정 인터페이스에 VPN1 설정 라우팅 설정

Isakmp policy 설정 R1(config)#crypto isakmp policy 10 암호화: AES 256-bit Isakmp policy 설정 인증: PSK 공유키 방식 R1(config)#crypto isakmp policy 10 R1(config-isakmp)#encryption aes 256 R1(config-isakmp)#authentication pre-share R1(config-isakmp)#lifetime 36000 R1(config-isakmp)#hash sha 유효시간(초) 해시함수: SHA

Ipsec transform-set 설정 (name: STRONG) R1(config)#crypto ipsec transform-set STRONG esp-3des esp-md5-hmac Transform-set 이름

R1(config)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 Pre-shared key 모든 주소에 대해 적용 R1(config)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 Crypto map 이름 Crypto map 설정 (name: VPN1) Crypto map 엔트리 번호 R1(config)#crypto map VPN1 110 ipsec-isakmp R1(config-crypto-map)#set peer 203.230.9.2 R1(config-crypto-map)#set transform-set STRONG R1(config-crypto-map)#match address 110 R1(config-crypto-map)#exit 암호화통신 허가된 상대방 주소 Transform-set 이름 접근제어리스트 번호 Access-list 설정 R1(config)#access-list 110 permit gre host 203.230.9.1 host 203.230.9.2 ACL 번호 프로토콜 출발지 호스트 목적지 호스트

R2 포트별 ip주소 설정 터널 설정 R2(config)#interface Serial0/0/0 R2(config-if)#no shutdown R2(config-if)#ip address 203.230.9.2 255.255.255.0 R2(config-if)#exit R2(config)#interface Serial0/0/1 R2(config-if)#clock rate 1000000 R2(config-if)#ip address 203.230.10.1 255.255.255.0 R2(config)#int tunnel 12 R2(config-if)#ip add 10.10.10.2 255.255.255.0 R2(config-if)#tunnel source s0/0/0 R2(config-if)#tunnel destination 203.230.9.1 R2(config)#int tunnel 23 R2(config-if)#ip add 11.11.11.1 255.255.255.0 R2(config-if)#tunnel source s0/0/1 R2(config-if)#tunnel destination 203.230.10.2

R2 License 설정 저장, 재부팅 R2(config)#license boot module c2900 technology-package securityk9 PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH PRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND BY ALL THE TERMS SET FORTH HEREIN. Use of this product feature requires an additional license from Cisco, together with an additional payment. You may use this product feature on an evaluation basis, without payment to Cisco, for 60 days. Your use of the product, including during the 60 day evaluation period, is ………………… ACCEPT? [yes/no]: y % use 'write' command to make license boot config take effect on next boot %LICENSE-6-EULA_ACCEPTED: EULA for feature securityk9 1.0 has been accepted. UDI=CISCO2901/K9:FTX1524VE24-; StoreIndex=0:Evaluation License Storage R2(config)#: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C2900 Next reboot level = securityk9 and License = securityk9 R2(config)#do write Building configuration... [OK] R2(config)#exit R2#reload Proceed with reload? [confirm]ySystem Bootstrap, Version 15.1(4)M4, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 2010 by cisco Systems, Inc. Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB CISCO2901/K9 platform with 524288 Kbytes of main memory Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC disabled

R2 Isakmp policy 설정 Ipsec transform-set 설정 (name: STRONG) Isapkm key 설정 (key: cisco123) Crypto map 설정 (name: VPN) Access-list 설정 인터페이스에 VPN 설정 라우팅 설정 R2 Isakmp policy 설정 R2(config)#crypto isakmp policy 10 R2(config-isakmp)#encryption aes 256 R2(config-isakmp)#authentication pre-share R2(config-isakmp)#lifetime 36000 R2(config-isakmp)#hash sha R2(config-isakmp)#exit R2(config)#crypto ipsec transform-set STRONG esp-3des esp-md5-hmac R2(config)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 R2(config)#crypto map VPN1 110 ipsec-isakmp R2(config-crypto-map)#set peer 203.230.9.1 R2(config-crypto-map)#set transform-set STRONG R2(config-crypto-map)#match address 110 R2(config-crypto-map)#exit R2(config)#crypto map VPN2 120 ipsec-isakmp R2(config-crypto-map)#set peer 203.230.10.2 R2(config-crypto-map)#match address 120 R2(config)#access-list 110 permit gre host 203.230.9.2 host 203.230.9.1 R2(config)#access-list 120 permit gre host 203.230.10.1 host 203.230.10.2 R2(config)#int s0/0/0 R2(config-if)#crypto map VPN1 R2(config-if)#exit R2(config)#int s0/0/1 R2(config-if)#crypto map VPN2 R2(config)#router ospf 7 R2(config-router)#network 203.230.9.2 0.0.0.0 area 0 R2(config-router)#network 203.230.10.1 0.0.0.0 area 0 R2(config-router)#network 10.10.10.2 0.0.0.0 area 0 R2(config-router)#network 11.11.11.1 0.0.0.0 area 0 R2(config-router)#exit Ipsec transform-set 설정 (name: STRONG) Isapkm key 설정 (key: cisco123) Crypto map 설정 (name: VPN1, VPN2) Access-list 설정 인터페이스에 VPN1, VPN2 설정 라우팅 설정

R3 포트별 ip주소 설정 터널 설정 R3(config)#interface GigabitEthernet0/0 R3(config-if)#no shutdown R3(config-if)#ip address 203.230.11.1 255.255.255.0 R3(config-if)#exit R3(config)#interface GigabitEthernet0/1 R3(config-if)#ip address 203.230.12.1 255.255.255.0 R3(config)#interface Serial0/0/0 R3(config-if)#ip address 203.230.10.2 255.255.255.0 R3(config)#int tunnel 23 R3(config-if)#ip add 11.11.11.2 255.255.255.0 R3(config-if)#tunnel source s0/0/0 R3(config-if)#tunnel destination 203.230.10.1

R3 License 설정 저장, 재부팅 R3(config)#license boot module c2900 technology-package securityk9 PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH PRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND BY ALL THE TERMS SET FORTH HEREIN. Use of this product feature requires an additional license from Cisco, together with an additional payment. You may use this product feature on an evaluation basis, without payment to Cisco, for 60 days. Your use of the product, including during the 60 day evaluation period, is ………………… ACCEPT? [yes/no]: y % use 'write' command to make license boot config take effect on next boot %LICENSE-6-EULA_ACCEPTED: EULA for feature securityk9 1.0 has been accepted. UDI=CISCO2901/K9:FTX1524VE24-; StoreIndex=0:Evaluation License Storage R3(config)#: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C2900 Next reboot level = securityk9 and License = securityk9 R3(config)#do write Building configuration... [OK] R3(config)#exit R3#reload Proceed with reload? [confirm]ySystem Bootstrap, Version 15.1(4)M4, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 2010 by cisco Systems, Inc. Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB CISCO2901/K9 platform with 524288 Kbytes of main memory Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC disabled

R3 Isakmp policy 설정 Ipsec transform-set 설정 (name: STRONG) Isapkm key 설정 (key: cisco123) Crypto map 설정 (name: VPN) Access-list 설정 인터페이스에 VPN 설정 라우팅 설정 R3 R3(config)#crypto isakmp policy 10 R3(config-isakmp)#encryption aes 256 R3(config-isakmp)#authentication pre-share R3(config-isakmp)#lifetime 36000 R3(config-isakmp)#hash sha R3(config-isakmp)#exit R3(config)#crypto ipsec transform-set STRONG esp-3des esp-md5-hmac R3(config)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 R3(config)#crypto map VPN2 120 ipsec-isakmp R3(config-crypto-map)#set peer 203.230.10.1 R3(config-crypto-map)#set transform-set STRONG R3(config-crypto-map)#match address 120 R3(config-crypto-map)#exit R3(config)#access-list 120 permit gre host 203.230.10.2 host 203.230.10.1 R3(config)#int s0/0/0 R3(config-if)#crypto map VPN2 R3(config-if)#exit R3(config)#router ospf 7 R3(config-router)#network 203.230.11.1 0.0.0.0 area 0 R3(config-router)#network 203.230.12.1 0.0.0.0 area 0 R3(config-router)#network 203.230.10.2 0.0.0.0 area 0 R3(config-router)#network 11.11.11.2 0.0.0.0 area 0 R3(config-router)#exit Isakmp policy 설정 Ipsec transform-set 설정 (name: STRONG) Isapkm key 설정 (key: cisco123) Crypto map 설정 (name: VPN2) Access-list 설정 인터페이스에 VPN2 설정 라우팅 설정

패킷트레이서 재시작 필요 지금까지의 설정 내용을 저장하고 파일로 저장하고 패킷트레이서를 재시작 파일을 다시 읽어들임 패킷트레이서 프로그램 자체의 문제

결과 통신 성공

라우팅 테이블 원격 네트워크가 GRE 터널로 연결됨 R1#show ip route 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.10.10.0/24 is directly connected, Tunnel12 L 10.10.10.1/32 is directly connected, Tunnel12 11.0.0.0/24 is subnetted, 1 subnets O 11.11.11.0/24 [110/1064] via 10.10.10.2, 00:03:34, Tunnel12 203.230.7.0/24 is variably subnetted, 2 subnets, 2 masks C 203.230.7.0/24 is directly connected, GigabitEthernet0/0 L 203.230.7.1/32 is directly connected, GigabitEthernet0/0 203.230.8.0/24 is variably subnetted, 2 subnets, 2 masks C 203.230.8.0/24 is directly connected, GigabitEthernet0/1 L 203.230.8.1/32 is directly connected, GigabitEthernet0/1 203.230.9.0/24 is variably subnetted, 2 subnets, 2 masks C 203.230.9.0/24 is directly connected, Serial0/0/0 L 203.230.9.1/32 is directly connected, Serial0/0/0 O 203.230.10.0/24 [110/128] via 10.10.10.2, 00:03:34, Tunnel12 O 203.230.11.0/24 [110/129] via 10.10.10.2, 00:03:34, Tunnel12 O 203.230.12.0/24 [110/129] via 10.10.10.2, 00:03:34, Tunnel12 라우팅 테이블 R2#show ip route 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.10.10.0/24 is directly connected, Tunnel12 L 10.10.10.2/32 is directly connected, Tunnel12 11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 11.11.11.0/24 is directly connected, Tunnel23 L 11.11.11.1/32 is directly connected, Tunnel23 O 203.230.7.0/24 [110/65] via 10.10.10.1, 00:04:24, Tunnel12 O 203.230.8.0/24 [110/65] via 10.10.10.1, 00:04:24, Tunnel12 203.230.9.0/24 is variably subnetted, 2 subnets, 2 masks C 203.230.9.0/24 is directly connected, Serial0/0/0 L 203.230.9.2/32 is directly connected, Serial0/0/0 203.230.10.0/24 is variably subnetted, 2 subnets, 2 masks C 203.230.10.0/24 is directly connected, Serial0/0/1 L 203.230.10.1/32 is directly connected, Serial0/0/1 O 203.230.11.0/24 [110/65] via 11.11.11.2, 00:04:05, Tunnel23 O 203.230.12.0/24 [110/65] via 11.11.11.2, 00:04:05, Tunnel23 R3#show ip route 10.0.0.0/24 is subnetted, 1 subnets O 10.10.10.0/24 [110/1064] via 11.11.11.1, 00:04:35, Tunnel23 11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 11.11.11.0/24 is directly connected, Tunnel23 L 11.11.11.2/32 is directly connected, Tunnel23 O 203.230.7.0/24 [110/129] via 11.11.11.1, 00:04:35, Tunnel23 O 203.230.8.0/24 [110/129] via 11.11.11.1, 00:04:35, Tunnel23 O 203.230.9.0/24 [110/128] via 11.11.11.1, 00:04:35, Tunnel23 203.230.10.0/24 is variably subnetted, 2 subnets, 2 masks C 203.230.10.0/24 is directly connected, Serial0/0/0 L 203.230.10.2/32 is directly connected, Serial0/0/0 203.230.11.0/24 is variably subnetted, 2 subnets, 2 masks C 203.230.11.0/24 is directly connected, GigabitEthernet0/0 L 203.230.11.1/32 is directly connected, GigabitEthernet0/0 203.230.12.0/24 is variably subnetted, 2 subnets, 2 masks C 203.230.12.0/24 is directly connected, GigabitEthernet0/1 L 203.230.12.1/32 is directly connected, GigabitEthernet0/1 원격 네트워크가 GRE 터널로 연결됨

통신 경로 확인 - Tracert VPN을 통해 연결됨을 확인 1 0 ms 0 ms 0 ms 203.230.12.1

VPN 정보 확인하기 Show crypto ipsec transform-set Show crypto ipsec sa VPN이 적용된 인터페이스별로 VPN에 관한 모든 정보 확인 Show crypto isakmp policy ISAKMP 정책 확인 Show crypto isakmp sa VPN의 출발지, 도착지, 현재 상태 확인 Show crypto map VPN의 연결정보, ACL 확인 R2#show crypto ? ipsec Show IPSEC policy isakmp Show ISAKMP key Show long term public keys map Crypto maps

VPN 정보 – IPSec transform-set R2#show crypto ipsec transform-set Transform set STRONG: { { esp-3des esp-sha-hmac } will negotiate = { Tunnel, }, Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac } will negotiate = { Transport, }, Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }

Show crypto ipsec sa R2#show crypto ipsec sa interface: Serial0/0/0 Crypto map tag: VPN1, local addr 203.230.9.2 protected vrf: (none) local ident (addr/mask/prot/port): (203.230.9.2/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (203.230.9.1/255.255.255.255/47/0) current_peer 203.230.9.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 130, #pkts encrypt: 130, #pkts digest: 0 #pkts decaps: 132, #pkts decrypt: 132, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 203.230.9.2, remote crypto endpt.:203.230.9.1 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0 current outbound spi: 0x7DCE4C31(2110671921) inbound esp sas: spi: 0x34D7194D(886511949) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2009, flow_id: FPGA:1, crypto map: VPN1 sa timing: remaining key lifetime (k/sec): (4525504/2690) IV size: 16 bytes replay detection support: N Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x7DCE4C31(2110671921) conn id: 2010, flow_id: FPGA:1, crypto map: VPN1 outbound ah sas: outbound pcp sas: 계속 계속 interface: Serial0/0/1 Crypto map tag: VPN2, local addr 203.230.10.1 protected vrf: (none) local ident (addr/mask/prot/port): (203.230.10.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (203.230.10.2/255.255.255.255/47/0) current_peer 203.230.10.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 128, #pkts encrypt: 128, #pkts digest: 0 #pkts decaps: 126, #pkts decrypt: 126, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 203.230.10.1, remote crypto endpt.:203.230.10.2 path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1 current outbound spi: 0x040E7F3A(68058938) inbound esp sas: spi: 0x6F220173(1864499571) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2001, flow_id: FPGA:1, crypto map: VPN2 sa timing: remaining key lifetime (k/sec): (4525504/2709) IV size: 16 bytes replay detection support: N Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x040E7F3A(68058938) conn id: 2002, flow_id: FPGA:1, crypto map: VPN2 outbound ah sas: outbound pcp sas: Show crypto ipsec sa

VPN 정보 – ISAKMP policy R2#show crypto isakmp policy Global IKE policy Protection suite of priority 10 encryption algorithm: AES - Advanced Encryption Standard (256 bit keys). hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman group: #1 (768 bit) lifetime: 36000 seconds, no volume limit

VPN 정보 – ISAKMP sa R2#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 203.230.9.2 203.230.9.1 QM_IDLE 1074 0 ACTIVE IPv6 Crypto ISAKMP SA R2#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 203.230.9.1 203.230.9.2 QM_IDLE 1010 0 ACTIVE 203.230.10.2 203.230.10.1 QM_IDLE 1010 0 ACTIVE IPv6 Crypto ISAKMP SA R3#show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status 203.230.10.1 203.230.10.2 QM_IDLE 1063 0 ACTIVE IPv6 Crypto ISAKMP SA

VPN 정보 – crypto map R2#show crypto map Crypto Map VPN1 110 ipsec-isakmp Peer = 203.230.9.2 Extended IP access list 110 access-list 110 permit gre host 203.230.9.1 host 203.230.9.2 Current peer: 203.230.9.2 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ STRONG, } Interfaces using crypto map VPN1: Serial0/0/0 R2#show crypto map Crypto Map VPN1 110 ipsec-isakmp Peer = 203.230.9.1 Extended IP access list 110 access-list 110 permit gre host 203.230.9.2 host 203.230.9.1 Current peer: 203.230.9.1 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ STRONG, } Interfaces using crypto map VPN1: Serial0/0/0 Crypto Map VPN2 120 ipsec-isakmp Peer = 203.230.10.2 Extended IP access list 120 access-list 120 permit gre host 203.230.10.1 host 203.230.10.2 Current peer: 203.230.10.2 Interfaces using crypto map VPN2: Serial0/0/1 R3#show crypto map Crypto Map VPN2 120 ipsec-isakmp Peer = 203.230.10.1 Extended IP access list 120 access-list 120 permit gre host 203.230.10.2 host 203.230.10.1 Current peer: 203.230.10.1 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ STRONG, } Interfaces using crypto map VPN2: Serial0/0/0

13장 실습과제 실습1. GRE 터널링 실습 (그림 13-1) 실습2. 터널링을 통한 트래픽 분산과 제어 (그림 13-2) 실습2. 터널링을 통한 트래픽 분산과 제어 (그림 13-2) 실습3. GRE+IPSec VPN (그림 13-4)

13장 실습과제 실습 4. 윈도우7에서의 VPN 연결 실습 VPN 서버 VPN 클라이언트 제어판-> 제어판-> 네트워크 및 인터넷-> 네트워크 및 공유센터-> 어댑터 설정 변경-> Alt -> 파일 -> 새로 들어오는 연결-> 사용자 계정 선택 -> 인터넷을 통해-> 엑세스 허용 Ipconfig 로 ppp 연결 확인 제어판-> 네트워크 및 인터넷-> 네트워크 및 공유센터-> 새 연결 또는 네트워크 설정-> 회사에 연결-> 새 연결을 만듭니다-> 내 인터넷 연결 사용-> 인터넷 주소 입력-> VPN 연결-> 사용자 이름, 암호 입력 Ipconfig 로 ppp 연결 확인

13장 실습과제 연결 후 wireshark를 이용한 패킷 분석 VPN 연결을 이용하는 통신은 보안통신 ppp로 연결됨