Cem Kemal Erbaş Cem Kemal Erbaş
- Cihaz isim ve Ip address yapılandırması.
system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname Router1
[Router1]interface serial 0/0/1
[Router1-Serial0/0/1]ip address 10.0.12.1 24
[Router1-Serial0/0/1]interface LoopBack 0
[Router1-LoopBack0]ip address 10.0.1.1 24
[Router1]interface loopback 1
[Router1-LoopBack1]ip address 10.0.11.11 24
system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname Router2
[Router2]interface serial 0/0/1
[Router2-Serial0/0/1]ip address 10.0.12.2 24
[Router2-Serial0/0/1]interface serial 0/0/2
[Router2-Serial0/0/2]ip address 10.0.23.2 24
[Router2-Serial0/0/2]interface LoopBack0
[Router2-LoopBack0]ip address 10.0.2.2 24
system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname Router3
[Router3]interface serial 0/0/2
[Router3-Serial0/0/2]ip address 10.0.23.3 24
[Router3-Serial0/0/2]interface loopback 0
[Router3-LoopBack0]ip address 10.0.3.3 24
[Router3]interface loopback 1
[Router3-LoopBack1]ip address 10.0.33.33 24 - OSPF yapılandırması.
[Router1]ospf router-id 10.0.1.1
[Router1-ospf-1]area 0
[Router1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0]network 10.0.1.0 0.0.0.255
[Router1-ospf-1-area-0.0.0.0]network 10.0.11.0 0.0.0.255
[Router2]ospf router-id 10.0.2.2
[Router2-ospf-1]area 0
[Router2-ospf-1-area-0.0.0.0]network 10.0.2.0 0.0.0.255
[Router2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[Router2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[Router3]ospf router-id 10.0.3.3
[Router3-ospf-1]area 0
[Router3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[Router3-ospf-1-area-0.0.0.0]network 10.0.3.0 0.0.0.255
[Router3-ospf-1-area-0.0.0.0]network 10.0.33.0 0.0.0.255
OSPF komşuluklarının kurulduğunu kontrol edelim.
[Router2]display ospf peer brief
OSPF Process 1 with Router ID 10.0.2.2
Peer Statistic Information
—————————————————————————-
Area Id Interface Neighbor id State
0.0.0.0 Serial0/0/1 10.0.1.1 Full
0.0.0.0 Serial0/0/2 10.0.3.3 Full
—————————————————————————-
[Router1]display ip routing-table
Route Flags: R – relay, D – download to fib
——————————————————————————
Routing Tables: Public
Destinations : 13 Routes : 13
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.1.0/24 Direct 0 0 D 10.0.1.1 LoopBack0
10.0.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.2.2/32 OSPF 10 1562 D 10.0.12.2 Serial0/0/1
10.0.3.3/32 OSPF 10 3124 D 10.0.12.2 Serial0/0/1
10.0.11.0/24 Direct 0 0 D 10.0.11.11 LoopBack1
10.0.11.11/32 Direct 0 0 D 127.0.0.1 LoopBack1
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial0/0/1
10.0.12.1/32 Direct 0 0 D 127.0.0.1 Serial0/0/1
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial0/0/1
10.0.23.0/24 OSPF 10 3124 D 10.0.12.2 Serial0/0/1
10.0.33.33/32 OSPF 10 3124 D 10.0.12.2 Serial0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[Router3]display ip routing-table
Route Flags: R – relay, D – download to fib
——————————————————————————
Routing Tables: Public
Destinations : 13 Routes : 13
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.1.1/32 OSPF 10 3124 D 10.0.23.2 Serial0/0/2
10.0.2.2/32 OSPF 10 1562 D 10.0.23.2 Serial0/0/2
10.0.3.0/24 Direct 0 0 D 10.0.3.3 LoopBack0
10.0.3.3/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.11.11/32 OSPF 10 3124 D 10.0.23.2 Serial0/0/2
10.0.12.0/24 OSPF 10 3124 D 10.0.23.2 Serial0/0/2
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial0/0/2
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial0/0/2
10.0.23.3/32 Direct 0 0 D 127.0.0.1 Serial0/0/2
10.0.33.0/24 Direct 0 0 D 10.0.33.33 LoopBack1
10.0.33.33/32 Direct 0 0 D 127.0.0.1 LoopBack1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0 - ACL yapılandırması.
[Router1]acl 3001
[Router1-acl-adv-3001]rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.3.0 0.0.0.255
[Router3]acl 3001
[Router3-acl-adv-3001]rule 5 permit ip source 10.0.3.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
4.IPsec VPN konfigürasyonu.
IPsec proposal oluşturmak ve kullanılacak güvenlik protokollerini belirtmek için IPsec proposal moduna girelimve ayarlarını yapılandıralım .
Cihazlarında aynı protokollerde olmasına dikkat edelim.
[Router1]ipsec proposal tran1
[Router1-ipsec-proposal-tran1]esp authentication-algorithm sha1
[Router1-ipsec-proposal-tran1]esp encryption-algorithm 3des
[Router3]ipsec proposal tran1
[Router3-ipsec-proposal-tran1]esp authentication-algorithm sha1
[Router3-ipsec-proposal-tran1]esp encryption-algorithm 3des
Yapılandırmanın doğruluğunu kontrol etmek için display ipsec proposal komutunu kullanalım.
display ipsec proposal
Number of proposals: 1
IPSec proposal name: tran1
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA1-HMAC-96
Encryption 3DES
display ipsec proposal
Number of proposals: 1
IPSec proposal name: tran1
Encapsulation mode: Tunnel
Transform : esp-new
ESP protocol : Authentication SHA1-HMAC-96
Encryption 3DES - IPsec Policy konfigürasyonu.
[Router1]ipsec policy P1 10 manual
[Router1-ipsec-policy-manual-P1-10]security acl 3001
[Router1-ipsec-policy-manual-P1-10]proposal tran1
[Router1-ipsec-policy-manual-P1-10]tunnel remote 10.0.23.3
[Router1-ipsec-policy-manual-P1-10]tunnel local 10.0.12.1
[Router1-ipsec-policy-manual-P1-10]sa spi outbound esp 54321
[Router1-ipsec-policy-manual-P1-10]sa spi inbound esp 12345
[Router1-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
[Router1-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei
[Router3]ipsec policy P1 10 manual
[Router3-ipsec-policy-manual-P1-10]security acl 3001
[Router3-ipsec-policy-manual-P1-10]proposal tran1
[Router3-ipsec-policy-manual-P1-10]tunnel remote 10.0.12.1
[Router3-ipsec-policy-manual-P1-10]tunnel local 10.0.23.3
[Router3-ipsec-policy-manual-P1-10]sa spi outbound esp 12345
[Router3-ipsec-policy-manual-P1-10]sa spi inbound esp 54321
[Router3-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
[Router3-ipsec-policy-manual-P1-10] sa string-key inbound esp simple huawei
Display IPsec policy komutuyla konfigürasyonu kontrol edelim.
display ipsec policy
IPSec policy group: “P1”
Using interface:
Sequence number: 10
Security data flow: 3001
Tunnel local address: 10.0.12.1
Tunnel remote address: 10.0.23.3
Qos pre-classify: Disable
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: huawei
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: huawei
ESP encryption hex key:
ESP authentication hex key:
display ipsec policy
IPSec policy group: “P1”
Using interface:
Sequence number: 10
Security data flow: 3001
Tunnel local address: 10.0.23.3
Tunnel remote address: 10.0.12.1
Qos pre-classify: Disable
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: huawei
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: huawei
ESP encryption hex key:
ESP authentication hex key:
6.Interface’lere IPsec Policy uygulamak.
Interfacelerde fiziksel olarak IPsec olusturalm.
[Router1]interface Serial 0/0/1
[Router1-Serial0/0/1]ipsec policy P1
[Router3]interface Serial 0/0/2
[Router3-Serial0/0/2]ipsec policy P1
- Cihazlar arası bağlantıları kontrol edlim.
Cihazlar arası bağlantıları test ettikten sonra IPsec konfigürasyonlarnıda gözlemleyelim.
ping -a 10.0.11.11 10.0.33.33
PING 10.0.33.33: 56 data bytes, press CTRL_C to break
Reply from 10.0.33.33: bytes=56 Sequence=1 ttl=254 time=70 ms
Reply from 10.0.33.33: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 10.0.33.33: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 10.0.33.33: bytes=56 Sequence=4 ttl=254 time=100 ms
Reply from 10.0.33.33: bytes=56 Sequence=5 ttl=254 time=50 ms
— 10.0.33.33 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/70/100 ms
display ipsec statistics esp
Inpacket count : 0
Inpacket auth count :0
Inpacket decap count : 0
Outpacket count :0
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count :0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count :0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count : 0
Sadece IPsec VPN trafiğini gözlemleyelim.
ping -a 10.0.1.1 10.0.3.3
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=40 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=70 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=30 ms
— 10.0.3.3 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/46/70 ms
display ipsec statistics esp
Inpacket count : 5
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 5
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count :0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count : 0
8.ACL i yeniden tanımlayalım.
ACL’i OSPF i tanımlatmak için yeniden tanımlıyoruz.
[Router1]acl 3001
[Router1-acl-adv-3001]rule 5 permit ospf source any destination any
[Router3]acl 3001
[Router3-acl-adv-3001]rule 5 permit ospf source any destination any
Komşulukları kotrol ediyoruz.
display ospf peer brief
OSPF Process 1 with Router ID 10.0.1.1
Peer Statistic Information
—————————————————————————-
Area Id Interface Neighbor id State
0.0.0.0 Serial0/0/1 10.0.2.2 Init
—————————————————————————-
display ip routing-table
Route Flags: R – relay, D – download to fib
——————————————————————————
Routing Tables: Public
Destinations : 13 Routes : 13
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.1.0/24 Direct 0 0 D 10.0.1.1 LoopBack0
10.0.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.2.2/32 OSPF 0 0 D 10.0.12.2 Serial0/0/1
10.0.3.3/32 OSPF 0 0 D 10.0.12.2 Serial0/0/1
10.0.11.0/24 Direct 0 0 D 10.0.11.11 LoopBack1
10.0.11.11/32 Direct 0 0 D 127.0.0.1 LoopBack1
10.0.12.0/24 Direct 0 0 D 10.0.12.1 Serial0/0/1
10.0.12.1/32 Direct 0 0 D 127.0.0.1 Serial0/0/1
10.0.12.2/32 Direct 0 0 D 10.0.12.2 Serial0/0/1
10.0.23.0/24 OSPF 0 0 D 10.0.12.2 Serial0/0/1
10.0.33.33/32 OSPF 0 0 D 10.0.12.2 Serial0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
display ospf peer brief
OSPF Process 1 with Router ID 10.0.3.3
Peer Statistic Information
—————————————————————————-
Area Id Interface Neighbor id State
0.0.0.0 Serial0/0/2 10.0.2.2 Init
—————————————————————————-
display ip routing-table
Route Flags: R – relay, D – download to fib
——————————————————————————
Routing Tables: Public
Destinations : 13 Routes : 13
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.1.1/32 OSPF 0 0 D 10.0.23.2 Serial0/0/2
10.0.2.2/32 OSPF 0 0 D 10.0.23.2 Serial0/0/2
10.0.3.0/24 Direct 0 0 D 10.0.3.3 LoopBack0
10.0.3.3/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.0.11.11/32 OSPF 0 0 D 10.0.23.2 Serial0/0/2
10.0.12.0/24 OSPF 0 0 D 10.0.23.2 Serial0/0/2
10.0.23.0/24 Direct 0 0 D 10.0.23.3 Serial0/0/2
10.0.23.2/32 Direct 0 0 D 10.0.23.2 Serial0/0/2
10.0.23.3/32 Direct 0 0 D 127.0.0.1 Serial0/0/2
10.0.33.0/24 Direct 0 0 D 10.0.33.33 LoopBack1
10.0.33.33/32 Direct 0 0 D 127.0.0.1 LoopBack1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Sonuç…..
dis current-configuration
#
sysname Router2
#
interface Serial0/0/1
link-protocol ppp
ip address 10.0.12.2 255.255.255.0
#
interface Serial0/0/2
link-protocol ppp
ip address 10.0.23.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ospf 1 router-id 10.0.2.2
area 0.0.0.0
network 10.0.2.0 0.0.0.255
network 10.0.12.0 0.0.0.255
network 10.0.23.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
Return
display current-configuration
#
sysname Router3
#
acl number 3001
rule 5 permit ospf
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy P1 10 manual
security acl 3001
proposal tran1
tunnel local 3.23.0.10
tunnel remote 1.12.0.10
sa spi inbound esp 835977216
sa string-key inbound esp simple huawei
sa spi outbound esp 959447040
sa string-key outbound esp simple huawei
#
interface Serial0/0/2
link-protocol ppp
ip address 10.0.23.3 255.255.255.0
ipsec policy P1
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
interface LoopBack1
ip address 10.0.33.33 255.255.255.0
#
ospf 1 router-id 10.0.3.3
area 0.0.0.0
network 10.0.23.0 0.0.0.255
network 10.0.3.0 0.0.0.255
network 10.0.33.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
