четверг, 22 сентября 2011 г.

ipsec+gre+tunnel+ospf

###############  R1 ################

! R1: edge router terminating two IPsec VTI tunnels (Tunnel1/Tunnel2 below) towards R2.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Line/enable passwords would be kept in clear text in this configuration. `service
! password-encryption` only adds type-7 obfuscation; use `enable secret` and
! `username ... secret` for real protection. Note that the ISAKMP pre-shared keys
! further down are stored in clear text either way.
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
! Local (non-AAA) login model: console/vty authentication relies on line passwords only.
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! IKEv1 phase-1 policy. `hash md5` and `group 2` (1024-bit DH) are considered weak
! by current guidance; prefer `hash sha` (SHA-2 where the image supports it) and
! `group 14` or higher if both peers support them.
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
! Per-peer pre-shared keys bound to the peer's public address (no 0.0.0.0 wildcard),
! one distinct key per peer. Stored in clear text; rotate them if this listing is
! shared, and remember `service password-encryption` would not protect them.
crypto isakmp key TUN1_adasdsdgdjhgjdhfjdhj address 11.11.11.11
crypto isakmp key TUN2_adasdsdgdjhgjdhfjdhj address 22.22.22.22
!
!
! Phase-2: AES-256 for confidentiality, HMAC-MD5 (`esp-md5-hmac`) for integrity;
! prefer `esp-sha-hmac` / SHA-2 where available.
crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
!
! Profile applied to both tunnels. No `set pfs`, so phase-2 keys are derived from
! the phase-1 exchange without a fresh DH exchange.
crypto ipsec profile TUN-AES256
 set transform-set AES256-MD5
!
!
!
!
!
!
! Static IPsec VTI (`tunnel mode ipsec ipv4`): there is no GRE header despite the
! post title; OSPF multicast runs directly over the tunnel. Underlay: Gi1/0 -> 11.11.11.11.
interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 11.11.11.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUN-AES256
!
! Second VTI over the Gi2/0 underlay -> 22.22.22.22.
interface Tunnel2
 ip address 10.0.2.1 255.255.255.252
 tunnel source 2.2.2.2
 tunnel destination 22.22.22.22
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUN-AES256
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
! Underlay links; per the R3/R4 listings below, R3 sits on 1.1.1.0/24 and R4 on 2.2.2.0/24.
interface GigabitEthernet1/0
 ip address 1.1.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 2.2.2.2 255.255.255.0
 negotiation auto
!
! Inner-side link 10.2.200.4/30; R7 carries a static route for this prefix (see R7).
interface FastEthernet3/0
 ip address 10.2.200.5 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet3/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! OSPF over both VTIs (10.0.0.0/16 covers 10.0.1.0/30 and 10.0.2.0/30) plus the
! 10.2.200.4/30 link. No OSPF authentication: the tunnel adjacencies are protected
! by IPsec, but hellos on Fa3/0 are unauthenticated and no OSPF neighbour is
! configured there (R7 uses static routes) -- consider `passive-interface FastEthernet3/0`.
router ospf 10
 log-adjacency-changes
 network 10.0.0.0 0.0.255.255 area 0
 network 10.2.200.4 0.0.0.3 area 0
!
! Host routes to the IPsec peers point at an Ethernet interface with no next hop,
! so resolution depends on proxy ARP on the transit routers (R3 on 1.1.1.0/24,
! R4 on 2.2.2.0/24 per the listings below). A next-hop address (1.1.1.2 / 2.2.2.3)
! is more robust and does not rely on proxy ARP.
ip route 11.11.11.11 255.255.255.255 GigabitEthernet1/0
ip route 22.22.22.22 255.255.255.255 GigabitEthernet2/0
! Web management disabled.
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
! Console and aux lines have no `login`/password: anyone with physical access gets EXEC.
line con 0
 stopbits 1
line aux 0
 stopbits 1
! vty has `login` but no `password`, so remote sessions are refused ("Password
! required, but none set") until one is configured. When enabling remote access,
! prefer `transport input ssh`, `login local` with a `username ... secret`, and an `enable secret`.
line vty 0 4
 login
!
!
end

###############  R2 ################

!


!
!
! R2: remote side of both VTI tunnels; LAN 192.168.4.0/24 is reached through R7 (1.1.36.1).
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Line/enable passwords would be kept in clear text; see the note on R1 -- use
! `enable secret` / `username ... secret` rather than relying on type-7 obfuscation.
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
! Local (non-AAA) login model.
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! IKEv1 phase-1 policy, mirror of R1. `hash md5` and `group 2` are weak by current
! guidance; prefer SHA-1/SHA-2 and DH group 14+ where both images support them.
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
! Pre-shared keys match R1's (same key string per tunnel, peer address swapped). Clear text.
crypto isakmp key TUN1_adasdsdgdjhgjdhfjdhj address 1.1.1.1
crypto isakmp key TUN2_adasdsdgdjhgjdhfjdhj address 2.2.2.2
!
!
! Phase-2: AES-256 with HMAC-MD5 integrity; prefer `esp-sha-hmac` / SHA-2 where available.
crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
!
! No `set pfs` in the profile.
crypto ipsec profile TUN-AES256
 set transform-set AES256-MD5
!
!
!
!
!
!
! IPsec VTIs (no GRE); inner addressing mirrors R1 (.2 of each /30).
interface Tunnel1
 ip address 10.0.1.2 255.255.255.252
 tunnel source 11.11.11.11
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUN-AES256
!
interface Tunnel2
 ip address 10.0.2.2 255.255.255.252
 tunnel source 22.22.22.22
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUN-AES256
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
! `crypto map TO_MEGAFON` is applied here and on Gi2/0, but no crypto map of that
! name appears in this listing and the access list SECURED-TUN_1 below is empty.
! Both look like leftovers from an earlier crypto-map design; the VTIs carry the
! traffic via `tunnel protection`. Remove them so the effective policy stays auditable.
interface GigabitEthernet1/0
 ip address 11.11.11.11 255.255.255.0
 negotiation auto
 crypto map TO_MEGAFON
!
interface GigabitEthernet2/0
 ip address 22.22.22.22 255.255.255.0
 negotiation auto
 crypto map TO_MEGAFON
!
! Link towards R7 (1.1.36.1 per the R7 listing); not part of OSPF (see network statement).
interface FastEthernet3/0
 ip address 1.1.36.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet3/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! `redistribute static` without `subnets`: on classic IOS only classful-matching
! statics are redistributed, so 192.168.4.0/24 is advertised to R1 while the /32
! peer routes are not. There is no route-map filter, so adding `subnets` later
! would leak the peer host routes into OSPF; prefer
! `redistribute static subnets route-map <filter>` that permits 192.168.4.0/24 only.
router ospf 10
 log-adjacency-changes
 redistribute static
 network 10.0.0.0 0.0.255.255 area 0
!
! Interface-only statics: the peer routes rely on proxy ARP on R3/R4, and the LAN
! route relies on proxy ARP on R7. Next-hop form (e.g.
! `ip route 192.168.4.0 255.255.255.0 1.1.36.1`) avoids that dependency.
ip route 1.1.1.1 255.255.255.255 GigabitEthernet1/0
ip route 2.2.2.2 255.255.255.255 GigabitEthernet2/0
ip route 192.168.4.0 255.255.255.0 FastEthernet3/0
no ip http server
no ip http secure-server
!
!
!
! Empty ACL, referenced nowhere in this listing (see the crypto map note above).
ip access-list extended SECURED-TUN_1
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
! Console/aux unauthenticated; vty has `login` but no password (remote sessions
! refused until one is set). Prefer `transport input ssh` + `login local` + `enable secret`.
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end


###############  R3 ################

!


!

! R3: plain transit router between R1 (1.1.1.0/24) and R2 (11.11.11.0/24); no crypto here.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! No password obfuscation; no `enable secret` appears anywhere in this listing.
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
! Transit interfaces. R1 and R2 reach each other through this router using
! interface-only static routes, which depend on proxy ARP being left enabled here
! (it is: no `no ip proxy-arp` is configured).
interface GigabitEthernet1/0
 ip address 1.1.1.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 11.11.11.12 255.255.255.0
 negotiation auto
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
! As listed, the vty lines carry neither `login` nor a password. With
! `no aaa new-model` that admits Telnet sessions to user EXEC without any
! authentication from either transit subnet. Configure `login` with a password
! (or `login local`) and `transport input ssh`, or `transport input none` if
! remote access is not needed.
line vty 0 4
!
!
end
 
###############  R4 ################

!



!

! R4: plain transit router between R1 (2.2.2.0/24) and R2 (22.22.22.0/24); no crypto here.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! No password obfuscation; no `enable secret` appears anywhere in this listing.
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
! Transit interfaces for the second underlay; R1/R2's interface-only static routes
! rely on proxy ARP staying enabled here.
interface GigabitEthernet1/0
 ip address 22.22.22.23 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 2.2.2.3 255.255.255.0
 negotiation auto
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
! Same issue as R3: no `login` and no password on the vty lines, so Telnet
! reaches user EXEC unauthenticated. Add `login`/`login local` with a password
! and restrict `transport input`.
line vty 0 4
!
!
end


###############  R6 ################

!


!

! R6: single-interface router on 2.2.2.0; still carries the default hostname.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
! Default hostname -- presumably a lab box that was never named.
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! NOTE(review): this is 2.2.2.1/30, while R1 Gi2/0 (2.2.2.2/24) and R4 Gi2/0
! (2.2.2.3/24) use a /24 on the same prefix -- if this is the same segment the
! mask mismatch looks unintentional; confirm.
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.252
 duplex auto
 speed auto
!
! HTTP management is enabled with no `ip http authentication`, no local users and
! no `enable secret` in this listing. Disable it (`no ip http server`) unless it
! is needed; if it is, use `ip http secure-server` with `ip http authentication local`.
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
! Console/aux unauthenticated; vty has `login` but no password (remote sessions refused until one is set).
line con 0
line aux 0
line vty 0 4
 login
!
!
end
 
###############  R7 ################     

!


!

! R7: LAN router for 192.168.4.0/24 behind R2 (link 1.1.36.0/24); static routing only.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R7
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
! Uplink towards R2 Fa3/0 (1.1.36.2).
interface FastEthernet1/0
 ip address 1.1.36.1 255.255.255.0
 duplex auto
 speed auto
!
! LAN side; R10 (192.168.4.21) defaults to this router.
interface FastEthernet1/1
 ip address 192.168.4.1 255.255.255.0
 duplex auto
 speed auto
!
! Only route beyond the connected networks: R1's 10.2.200.4/30 via the uplink,
! interface-only (relies on proxy ARP on R2; `... 1.1.36.2` would be more robust).
! No default route, so the LAN reaches only this /30 and 1.1.36.0/24 -- presumably
! intentional for the lab.
ip route 10.2.200.4 255.255.255.252 FastEthernet1/0
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
! Console/aux unauthenticated; vty has `login` but no password (remote sessions
! refused until one is set). Prefer `transport input ssh` + `login local` + `enable secret`.
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end
 
###############  R10 ################    

!


!

! R10: host-like router on the 192.168.4.0/24 LAN; default hostname, default route to R7.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
! LAN interface; R7 is 192.168.4.1 on this segment.
interface FastEthernet1/0
 ip address 192.168.4.21 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! Default route pointing at an Ethernet interface with no next hop: every
! non-local destination is ARP-resolved on the LAN, which only works through
! proxy ARP on R7 and grows the ARP table per destination. Use
! `ip route 0.0.0.0 0.0.0.0 192.168.4.1` instead.
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
! No `login` and no password on the vty lines: Telnet from the LAN reaches user
! EXEC unauthenticated. Add `login`/`login local` with a password and restrict `transport input`.
line vty 0 4
!
!
end



вторник, 20 сентября 2011 г.

cisco+freeradius (на Debian squeeze)

настройки Cisco 871 (192.168.4.176)

! AAA on the Cisco 871 (192.168.4.176): RADIUS first, local database as fallback
! when the server does not answer.
aaa new-model
!
!
! Login: RADIUS, then local. The `local` fallback only helps if a
! `username ... secret` exists on the router (none is shown in this excerpt).
aaa authentication login default group radius local
! Named local-only method -- presumably bound to the console line (not shown).
aaa authentication login localauth local
! Exec authorization from RADIUS: the server returns shell:priv-lvl=15 (see the
! users file), so authorized logins land directly in privileged EXEC with no `enable`.
aaa authorization exec default group radius local
aaa authorization network default group radius local
! Accounting: start/stop records for exec and network sessions, sent to RADIUS.
aaa accounting delay-start
aaa accounting exec default
 action-type start-stop
 group radius
!
aaa accounting network default
 action-type start-stop
 group radius
!
! Shared secret (redacted as $$$$$) must match `secret` in clients.conf. RADIUS
! only obfuscates the password attribute, the rest of the exchange is clear text
! over UDP -- keep this traffic on a management network.
radius-server host 192.168.4.212 auth-port 1812 acct-port 1813 key $$$$$

настройки freeradius (192.168.4.212)

root@aaa-serv:/etc/freeradius# egrep -v "#" clients.conf
# Local test client (radtest/radclient). `testing123` is the FreeRADIUS default
# secret -- replace it even for localhost.
# `require_message_authenticator = no` means Access-Requests from this client are
# not integrity-checked; set it to `yes`.
client localhost {
        ipaddr = 127.0.0.1
        secret          = testing123
        require_message_authenticator = no
}

# The Cisco 871. `secret` (redacted) must equal the `key` on the router's
# radius-server host line. No require_message_authenticator is set here, so the
# default (no) applies -- consider `require_message_authenticator = yes` as well.
client 192.168.4.176 {
        secret          = $$$$$
        nastype         = cisco
}

root@aaa-serv:/etc/freeradius# egrep -v "#" users

# Login for the 871: matched on the NAS address, reply grants privilege level 15
# (privileged EXEC on login, no separate `enable`).
# NOTE(review): no password check item (e.g. Cleartext-Password) appears in this
# excerpt -- confirm how this user is actually authenticated.
user_cisco        NAS-IP-Address == 192.168.4.176
                cisco-avpair = "shell:priv-lvl=15"

пятница, 9 сентября 2011 г.

ip sla, ipsec и event manager


Заметку делаю для себя, чтоб не забыть.
Итак, столкнулся с тем, что track отбивает маршрут, но сессия ipsec висит. Соответственно, пока её не прибить, трафик не ходит по новому маршруту с новым туннелем.
Проблему решил с помощью event manager. Настраивалось все на 2811.

! Tracking: 5 s poll interval for interface and route trackers; track 1 follows
! the reachability state of IP SLA probe 10.
track timer interface 5
track timer ip route 5
!
track 1 ip sla 10 reachability
!
Каналов для сети 192.168.125.0/24 два, оба через ipsec: основной канал по радиолинку через 10.11.12.13, и второй через инет по дефолтному маршруту.
! Primary path over the radio link is conditional on track 1; when the probe
! fails the route is withdrawn and the default route via 10.9.8.7 carries the traffic.
ip route 192.168.125.0 255.255.255.0 10.11.12.13 track 1
ip route 0.0.0.0 0.0.0.0 10.9.8.7
Когда линк по радио-каналу есть, работает основной маршрут для этой сети; в отсутствие линка работает маршрут через инет.
! ICMP probe to the radio-link peer every 10 s with a 2 s timeout, sourced from
! Fa0/1 so the echo goes out the radio interface. NOTE: `threshold 2` is an RTT
! threshold in milliseconds (it only drives the over-threshold reaction), not a
! failure count -- reachability is decided by the timeout alone.
ip sla 10
icmp-echo 10.11.12.13 source-interface FastEthernet0/1
timeout 2000
threshold 2
frequency 10
ip sla schedule 10 life forever start-time now
Теперь, собственно, нужно отбить сессию ipsec, что проделывается следующим образом:
! On track 1 going down: tear down the IPsec session with the radio-link peer so
! a new SA is built over the Internet path instead of leaving a stale one hanging.
event manager applet app-sla-10
description #crypto down if radio channel unav#
event track 1 state down
action 1.0 cli command "enable"
action 1.1 cli command "clear crypto session remote 10.11.12.13"
! On track 1 coming back: clear the Internet-side session so traffic returns to
! the radio link. NOTE(review): 10.9.8.6 is not the default-route next hop
! (10.9.8.7) configured above -- presumably the Internet-side IPsec peer; confirm.
event manager applet app-sla-11
description #crypto down if radio channel av#
event track 1 state up
action 1.0 cli command "enable"
action 1.1 cli command "clear crypto session remote 10.9.8.6"
Вот таким образом всё работает. При пропадании линка через радио-модем, маршрут через него пропадает и ipsec сессия прибивается, соответственно, поднимается новая сессия ipsec по каналу через инет и работает основной маршрут. При появлении радио-линка все возвращается на круги своя.
Удачи в настройках.
© shadow_alone

среда, 27 апреля 2011 г.