

Yeslab Security Lab 2012 Spring Festival special offer
Real recordings of Yeslab Shanghai security TelePresence classes
Yeslab Shanghai lab (photos)
1. Celebrating 34 Security CCIE passes in a row at Yeslab Security Lab: at this moment, in this world, the place closest to the IE is Yeslab Security Lab!
2. The next round of the Shanghai Yeslab CCSP course starts on December 26; the first two sessions are free to audit.
3. Shanghai Yeslab Security is now officially enrolling. The original course prices are below.
A. Security CCIE, original price ¥19800
---The main courses are taught by the Master (教主) over TelePresence; you are welcome to audit.
---The Master commits to coming to Shanghai every round (about two months) to teach one course on site.
---Includes a local vSphere 5.x course.
---Includes the follow-on disciple program (教徒计划) and the data center courses (commitment to teach at least one course in Shanghai every two months).
B. Security CCIE sprint class (version only) ¥15800
C. Security CCSP ¥6800
D. 10% off the original price for the first 3 months; the first 10 enrolments get 12% off.

This Sunday at 3 pm (2011.12.25), Beijing and Shanghai Yeslab will jointly open the Master of Mingjiao (明教教主)'s "PKI in Plain Language" (《PKI通俗演义》), which explains how PKI (digital certificates) works in the simplest possible terms. Security students in Shanghai and Beijing are encouraged to follow this course; you are welcome to audit it at Shanghai Yeslab and experience TelePresence teaching for yourself.
Beijing Yeslab enquiries QQ: 1960692353
Beijing QQ technical group: 67298191
Shanghai Yeslab enquiries QQ: 2540198237
Shanghai QQ technical group: 199681046
I have recently found that many new features are only supported on the ISR G2, so to study the security features introduced after 15.1T I bought two 1921s. Quite a few posts on ISR G2 security features should follow; today's is only the start.
Starting with the ISR G2 and ASA 8.4, Cisco supports IKEv2 IPsec VPN. The ASA 8.4 configuration was covered in an earlier post; this one covers the IKEv2 IPsec VPN configuration on the ISR G2. Cisco gave IKEv2 IPsec VPN on IOS a brand-new, catchy name: FlexVPN. It covers a lot of ground, and the changes turn out to be large; the configuration is completely different from before. Below is the third part on FlexVPN: the FlexVPN Server and Client configuration. This technology should replace the traditional EzVPN and DMVPN, and because it is built on an open standard its interoperability will be good; for example, Windows 7 can dial in to a FlexVPN Server without installing any client. Today I am only sharing the FlexVPN hardware client; Windows 7 dial-in will be covered in a later part.
Lab 1: Pre-shared-key authentication + local AAA
hostname Yeslab-CA
!
aaa new-model
!
aaa authentication login noacs line none
aaa authorization network Yeslab-Local-Group-Author-List local
!
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
pool ippool
dns 100.1.1.1
wins 100.1.1.1
banner ^CWelcome to Yeslab^C
def-domain yeslab.net
backup-gateway yeslabgw1.yeslab.net
backup-gateway yeslabgw2.yeslab.net
backup-gateway yeslabgw3.yeslab.net
route set access-list 5
!
crypto ikev2 keyring Yeslab-IKEv2-Keyring
peer Flex-VPN
 address 202.100.1.1
 pre-shared-key local yeslabccies
 pre-shared-key remote yeslabccies
!
crypto ikev2 profile Yeslab-IKEv2-Profile
match identity remote address 202.100.1.1 255.255.255.255
identity local address 202.100.1.100
authentication local pre-share
authentication remote pre-share
keyring local Yeslab-IKEv2-Keyring
aaa authorization group override psk list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
virtual-template 1
!
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
set transform-set Yeslab-IPSec-Trans
set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
ip address 100.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
ip address 202.100.1.100 255.255.255.0
no shutdown
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile Yeslab-IPSec-Profile
!
ip local pool ippool 123.1.1.100 123.1.1.200
!
access-list 5 permit 100.1.1.0 0.0.0.255
!
end
=================================
hostname Client
!
aaa authentication login noacs line none
aaa authorization network Yeslab-Local-Group-Author-List local
!
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
route set access-list 5
!
crypto ikev2 keyring Yeslab-IKEv2-Keyring
peer Flex-VPN
 address 202.100.1.100
 pre-shared-key local yeslabccies
 pre-shared-key remote yeslabccies
!
crypto ikev2 profile Yeslab-IKEv2-Profile
match identity remote address 202.100.1.100 255.255.255.255
identity local address 202.100.1.1
authentication local pre-share
authentication remote pre-share
keyring local Yeslab-IKEv2-Keyring
aaa authorization group override psk list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
!
crypto ikev2 client flexvpn Yeslab-Flex-Client
 peer 1 202.100.1.100
 client connect Tunnel0
!
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
set transform-set Yeslab-IPSec-Trans
set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address negotiated
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile Yeslab-IPSec-Profile
!
interface GigabitEthernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
!
access-list 5 permit 1.1.1.0 0.0.0.255

Lab 2: Digital-signature (certificate) authentication + local AAA
hostname Yeslab-CA
!
aaa new-model
!
aaa authentication login noacs line none
aaa authorization network Yeslab-Local-Group-Author-List local
!
clock timezone GMT 8 0
!
ip domain name yeslab.net
!
crypto pki server Yeslab-CA
issuer-name cn=Yeslab-CA.yeslab.net,ou=YeslabSec,o=Yeslab
!
crypto pki trustpoint Yeslab-CA
revocation-check crl
rsakeypair Yeslab-CA
!
crypto pki trustpoint Flex-VPN
enrollment url http://202.100.1.100:80
subject-name cn=Yeslab-CA.yeslab.net,o=Yeslab
revocation-check crl
!
crypto pki certificate map cert-acl 10
subject-name co ou = yeslabsec
!
crypto pki certificate chain Yeslab-CA
certificate ca 01
------certificate omitted------
 quit
crypto pki certificate chain Flex-VPN
certificate 02
------certificate omitted------
 quit
certificate ca 01
------certificate omitted------
 quit
!
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
pool ippool
dns 100.1.1.1
wins 100.1.1.1
banner ^CWelcome to Yeslab^C
def-domain yeslab.net
backup-gateway yeslabgw1.yeslab.net
backup-gateway yeslabgw2.yeslab.net
backup-gateway yeslabgw3.yeslab.net
route set access-list 5
!
crypto ikev2 profile Yeslab-IKEv2-Profile
match certificate cert-acl
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint Flex-VPN
aaa authorization group override cert list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
virtual-template 1
!
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
set transform-set Yeslab-IPSec-Trans
set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
ip address 100.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
ip address 202.100.1.100 255.255.255.0
no shutdown
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile Yeslab-IPSec-Profile
!
ip local pool ippool 123.1.1.100 123.1.1.200
!
access-list 5 permit 100.1.1.0 0.0.0.255
!
ntp master
!
end
======================================================
hostname Client
!
aaa authentication login noacs line none
aaa authorization network Yeslab-Local-Group-Author-List local
!
clock timezone GMT 8 0
!
crypto pki trustpoint Flex-VPN
enrollment url http://202.100.1.100:80
subject-name cn=Client.yeslab.net,o=Yeslab
revocation-check crl
!
crypto pki certificate map cert-acl 10
subject-name co ou = yeslabsec
!
crypto pki certificate chain Flex-VPN
certificate 03
------certificate omitted------
 quit
certificate ca 01
------certificate omitted------
 quit
!
crypto ikev2 authorization policy Yeslab-IKEv2-Author-Policy
route set access-list 5
!
crypto ikev2 profile Yeslab-IKEv2-Profile
match certificate cert-acl
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint Flex-VPN
aaa authorization group override cert list Yeslab-Local-Group-Author-List Yeslab-IKEv2-Author-Policy
!
crypto ikev2 client flexvpn Yeslab-Flex-Client
 peer 1 202.100.1.100
 client connect Tunnel0
!
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
!
crypto ipsec profile Yeslab-IPSec-Profile
set transform-set Yeslab-IPSec-Trans
set ikev2-profile Yeslab-IKEv2-Profile
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
ip address negotiated
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile Yeslab-IPSec-Profile
!
interface GigabitEthernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
!
access-list 5 permit 1.1.1.0 0.0.0.255
!
ntp server 202.100.1.100
!
end
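As an added example that is not part of the Yeslab post, the following Python script parses IOS configuration text in its running-config form and raises the review points an engineer would check on the Lab 1 and Lab 2 profiles above: the 3DES transform set, pre-shared-key peer authentication (the Lab 2 rsa-sig profile clears that check), and a "match identity remote address" whose address has no keyring peer, which makes IKE_AUTH fail at the PSK lookup. The sample config is constructed from the Lab 1 server blocks; the function names and finding texts are my own.

```python
import re

# Constructed sample: the Lab 1 server-side keyring, profile and transform-set from the post.
SAMPLE_CONFIG = """\
crypto ikev2 keyring Yeslab-IKEv2-Keyring
 peer Flex-VPN
  address 202.100.1.1
  pre-shared-key local yeslabccies
  pre-shared-key remote yeslabccies
!
crypto ikev2 profile Yeslab-IKEv2-Profile
 match identity remote address 202.100.1.1 255.255.255.255
 authentication remote pre-share
crypto ipsec transform-set Yeslab-IPSec-Trans esp-3des esp-sha-hmac
"""
LEGACY = ("esp-des", "esp-3des", "esp-md5-hmac")

def parse_blocks(config):
    """Map each top-level IOS command to the stripped sub-lines indented under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit(config):
    """Findings: legacy ESP algorithms, PSK peer auth, match-identity address with no keyring peer."""
    blocks, findings, peers, matches = parse_blocks(config), [], set(), []
    for head, body in blocks.items():
        words = head.split()
        if head.startswith("crypto ikev2 keyring"):
            peers.update(ln.split()[1] for ln in body if ln.startswith("address "))
        elif head.startswith("crypto ipsec transform-set"):
            legacy = [w for w in words[4:] if w in LEGACY]
            if legacy:
                findings.append(f"transform-set {words[3]}: legacy algorithms {legacy}")
        elif head.startswith("crypto ikev2 profile"):
            if "authentication remote pre-share" in body:
                findings.append(f"profile {words[3]}: peers authenticate with a pre-shared key")
            for ln in body:
                m = re.match(r"match identity remote address (\S+)", ln)
                if m:
                    matches.append((words[3], m.group(1)))
    findings += [f"profile {n}: {a} has no keyring peer entry" for n, a in matches if a not in peers]
    return findings
```

Running audit over the post's Lab 2 server config would report only the transform set, since that profile authenticates with rsa-sig and has no keyring.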