반응형

 

 

 

 

📌 Site to Site

참고자료

- https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfipsec.html#wp1017619

 

 

✏️ IKEv2 장점

  • IKEv2를 사용하면 인증에 EAP 사용가능
  • IKEv2는 시퀀스 번호와 확인 응답을 사용하여 신뢰성과 상태 관리 가능
  • 서비스 거부(DoS) 공격 복원력
  • IKEv2는 DPD(Dead Peer Detection) 및 NAT-T(Network Address Translation-Traversal)에 대한 기본 제공 지원을 제공합니다. URL 및 해시를 통해 인증서를 참조하여 조각화를 방지할 수 있습니다.

 

 

ISAKMP (Internet Key Exchange = IKEv2)

  • 1️⃣ 설정 장비#1 (정적 IP 설정)

 

참고자료

- https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/Configuring_Internet_Key_Exchange_Version_2.html#GUID-8412F9B6-A3E2-4C28-A6E3-1A995FF71500

 

 

 

1. 인터페이스 구성(Lan, Wan)

  • 내부 및 외부 네트워크 peer 장비에 모두 연결되어 있는지 확인
  • 보통 Loopback 인터페이스를 만들어서 터널 사용
interface GigabitEthernet0/0
 description ## 외부 및 터널 IP ##
 ip address 172.17.1.1 255.255.255.252
 no shutdown

interface GigabitEthernet0/1
 description ## 내부 서버 IP ##
 ip address 10.20.10.1 255.255.255.0
 no shutdown

 

 

2. VPN 트래픽에 대한 ACL 구성

  • 터널을 위한 ACL 설정
access-list 100 remark tunnel ACL
access-list 100 permit gre host 172.17.1.1 host 172.17.1.2

 

 

3. IKEv2 Proposal 구성

  • no crypto ikev2 proposal default : 기본 proposal 지우기
  • crypto ikev2 proposal <proposal name>
  • encryption <encryption type>
    • 3des
    • aes-cbc-128
    • aes-cbc-192
    • aes-cbc-256
  • integrity <algorithm type>
    • SHA-2 family 256-bit
  • group <Diffie-Hellman (DH) group>
    • 1--768-bit DH
    • 2--1024-bit DH
    • 5--1536-bit DH
    • 14--Specifies the 2048-bit DH group.
    • 15--Specifies the 3072-bit DH group.
    • 16--Specifies the 4096-bit DH group.
    • 19--Specifies the 256-bit elliptic curve DH (ECDH) group.
    • 20--Specifies the 384-bit ECDH group.
    • 24--Specifies the 2048-bit DH group.
no crypto ikev2 proposal default
crypto ikev2 proposal jinsu_proposal
 encryption aes-cbc-256
 integrity sha256
 group 14

 

 

4. IKEv2 Policy 구성

  • no crypto ikev2 policy default : 기본 policy 지우기
  • crypto ikev2 policy <policy name>
  • proposal <proposal name>
no crypto ikev2 policy default
crypto ikev2 policy jinsu_policy
  proposal jinsu_proposal

 

 

5. IKEv2 Keyring 구성

  • crypto ikev2 keyring <keyring name>
  • peer <peer name>
  • address <상대방 외부 IP>
  • pre-shared-key <키 생성>
crypto ikev2 keyring jinsu_key
 peer jinsu_pr
  address 172.17.1.2
  pre-shared-key auhjinsu123

 

 

6. IKEv2 Profile 구성

  • crypto ikev2 profile <profile name>
  • match identity remote address <상대방 외부IP>
  • identity local address <내부 IP>
  • authentication local <authentication method>
  • authentication remote <authentication method>
  • keyring <keyring name>
crypto ikev2 profile jinsu_profile
 match identity remote address 172.17.1.2 255.255.255.255
 identity local address 172.17.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring jinsu_key

 

 

7. transform-set 구성

  • 보안 프로토콜과 알고리즘 설정
  • crypto ipsec transform-set <Set-Name>
crypto ipsec transform-set auhjinsu esp-aes 256 esp-sha256-hmac
 mode tunnel

 

 

8. crypto map 생성 후 인터페이스에 설정

  • crypto map <Map Name> <Number> ipsec-isakmp
  • set peer <상대방 IP>
  • set transform-set <transform-set Name>
  • set ikev2-profile <profile name>
  • match address <ACL Number>
crypto map jinsu_map 10 ipsec-isakmp
 set peer 172.17.1.2
 set transform-set auhjinsu
 set ikev2-profile jinsu_profile
 match address 100
  • 터널 맺을 외부 인터페이스에 Map 설정
  • crypto map <Map Name>
interface GigabitEthernet0/0
 crypto map jinsu_map

 

 

9. 터널 인터페이스 설정

  • interface Tunnel<Number>
  • ip address <Tunnel IP>
  • tunnel source <외부 IP>
  • tunnel destination <상대방 source IP>
interface Tunnel12345
 ip address 10.255.100.1 255.255.255.252
 no ip redirects
 ip mtu 1400
 keepalive 3 3
 tunnel source 172.17.1.1
 tunnel destination 172.17.1.2

 

 

 

 

 

 

 

  • 2️⃣ 설정 장비#2 (정적 IP 설정)

 

1. 인터페이스 구성(Lan, Wan)

  • 내부 및 외부 네트워크 peer 장비에 모두 연결되어 있는지 확인
  • 보통 Loopback 인터페이스를 만들어서 터널 사용
interface GigabitEthernet0/0
 description ## 외부 및 터널 IP ##
 ip address 172.17.1.2 255.255.255.252
 no shutdown

interface GigabitEthernet0/1
 description ## 내부 서버 IP ##
 ip address 192.168.1.1 255.255.255.0
 no shutdown

 

 

2. IKEv2 Proposal 구성

  • no crypto ikev2 proposal default : 기본 proposal 지우기
  • crypto ikev2 proposal <proposal name>
  • encryption <encryption type>
    • 3des
    • aes-cbc-128
    • aes-cbc-192
    • aes-cbc-256
  • integrity <algorithm type>
    • SHA-2 family 256-bit
  • group <Diffie-Hellman (DH) group>
    • 1--768-bit DH
    • 2--1024-bit DH
    • 5--1536-bit DH
    • 14--Specifies the 2048-bit DH group.
    • 15--Specifies the 3072-bit DH group.
    • 16--Specifies the 4096-bit DH group.
    • 19--Specifies the 256-bit elliptic curve DH (ECDH) group.
    • 20--Specifies the 384-bit ECDH group.
    • 24--Specifies the 2048-bit DH group.
no crypto ikev2 proposal default
crypto ikev2 proposal jinsu_proposal
 encryption aes-cbc-256
 integrity sha256
 group 14

 

 

3. IKEv2 Policy 구성

  • no crypto ikev2 policy default : 기본 policy 지우기
  • crypto ikev2 policy <policy name>
  • proposal <proposal name>
no crypto ikev2 policy default
crypto ikev2 policy jinsu_policy
  proposal jinsu_proposal

 

 

4. IKEv2 Keyring 구성

  • crypto ikev2 keyring <keyring name>
  • peer <peer name>
  • address <모든 대역>
  • pre-shared-key <키 생성>
crypto ikev2 keyring jinsu_key
 peer jinsu_pr
  address 0.0.0.0 0.0.0.0
  pre-shared-key auhjinsu123

 

 

5. IKEv2 Profile 구성

  • crypto ikev2 profile <profile name>
  • match identity remote address <모든 대역>
  • identity local address <내부 IP>
  • authentication local <authentication method>
  • authentication remote <authentication method>
  • keyring <keyring name>
crypto ikev2 profile jinsu_profile
 match identity remote any
 identity local address 172.17.1.2
 authentication local pre-share
 authentication remote pre-share
 keyring jinsu_key

 

 

6. transform-set 구성

  • 보안 프로토콜과 알고리즘 설정
  • crypto ipsec transform-set <Set-Name>
crypto ipsec transform-set auhjinsu esp-aes 256 esp-sha256-hmac
 mode tunnel

 

 

7. crypto dynamic-map, crypto map 생성

  • crypto dynamic-map <Map Name> <Number>
  • set transform-set <transform-set Name>
  • set ikev2-profile <profile name>
crypto dynamic-map jinsu_map 10
 set transform-set auhjinsu
 set ikev2-profile jinsu_profile
  • crypto map <map name> <number> ipsec-isakmp dynamic <dynamic map name>
crypto map jinsu_dynamic_map 10 ipsec-isakmp dynamic jinsu_map

 

 

8. 인터페이스에 crypto map 설정

  • 터널 맺을 외부 인터페이스에 Map 설정
  • crypto map <Map Name>
interface GigabitEthernet0/0
 crypto map jinsu_dynamic_map

 

 

9. 터널 인터페이스 설정

  • interface Tunnel<Number>
  • ip address <Tunnel IP>
  • tunnel source <외부 IP>
  • tunnel destination <상대방 source IP>
interface Tunnel12345
 ip address 10.255.100.2 255.255.255.252
 no ip redirects
 ip mtu 1400
 keepalive 3 3
 tunnel source 172.17.1.2
 tunnel destination 172.17.1.1

 

 

 

 

 

📌 옵션

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
  • lifetime seconds
    • 시간이 지정된 수명(초)이 경과하면 ipsec이 해제됩니다.
  • lifetime kilobytes
    • 트래픽 볼륨 수명으로 인해 지정된 트래픽 양(KB)이 보안 연결 키로 보호된 후 보안 연결 시간이 초과됩니다.
crypto ipsec security-association lifetime seconds 43200
crypto ipsec security-association lifetime kilobytes 10000000
crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 1024

 

 

 

 

 

 

반응형
저작자표시

'Network > CISCO' 카테고리의 다른 글

[Network] CISCO - AAA 설정  (0) 2023.10.08
[Network] CISCO - Switch MAC차단 설정  (1) 2023.10.08
[Network] CISCO - IPSEC (IKEv1) 설정  (1) 2023.10.08
[Network] CISCO - MTU 설정  (0) 2022.07.24
[Network] CISCO - EtherChannel 설정  (0) 2022.07.24

+ Recent posts

티스토리툴바