NR - EdgeRouter - Setting up a VPN from an EdgeRouter to Cisco IPsec
download at 2017-02-07T01:10:40Z origin
Caveats
- There must be no NAT (or similar address translation) between the two devices.
Topology:
- EdgeRouter:
- WAN: 8.8.8.8
- LAN: 10.12.10.0/24 (local subnet)
- Cisco:
- WAN: 4.4.4.4
- LAN: 10.11.0.0/24 (remote subnet)
On the Cisco device, configure the following.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! hash is left at the IOS default (sha), which matches the EdgeRouter ike-group proposal
crypto isakmp key YOURPRESHAREDKEYHERE address 8.8.8.8 no-xauth
! not in the original snippet: the transform set the crypto map references must exist and match the EdgeRouter esp-group
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to Ubnt Demo
 set peer 8.8.8.8
 set transform-set ESP-3DES-SHA1
 match address 107
access-list 107 permit ip host 10.11.0.63 10.12.10.0 0.0.0.255
! the crypto map only takes effect once applied under the WAN interface: crypto map SDM_CMAP_1
On the ER Lite, configure the following.
disable-uniqreqids
esp-group vpntunnel {
    compression disable
    lifetime 1800
    mode tunnel
    pfs disable
    proposal 1 {
        encryption 3des
        hash sha1
    }
}
ike-group vpntunnel {
    lifetime 28800
    proposal 1 {
        dh-group 2
        encryption 3des
        hash sha1
    }
}
site-to-site {
    peer 4.4.4.4 {
        authentication {
            mode pre-shared-secret
            pre-shared-secret YOURPRESHAREDKEYHERE
        }
        connection-type initiate
        default-esp-group vpntunnel
        ike-group vpntunnel
        local-ip 8.8.8.8
        tunnel 10 {
            allow-nat-networks disable
            allow-public-networks disable
            esp-group vpntunnel
            local {
                subnet 10.12.10.0/24
            }
            remote {
                subnet 10.11.0.63/32
            }
        }
    }
}
The commands used on the ER device are as follows (replace 8.8.8.8 and 4.4.4.4 with the addresses that match your own setup).
configure
set vpn ipsec disable-uniqreqids
set vpn ipsec esp-group vpntunnel
set vpn ipsec esp-group vpntunnel compression disable
set vpn ipsec esp-group vpntunnel lifetime 1800
set vpn ipsec esp-group vpntunnel mode tunnel
set vpn ipsec esp-group vpntunnel pfs disable
set vpn ipsec esp-group vpntunnel proposal 1
set vpn ipsec esp-group vpntunnel proposal 1 encryption 3des
set vpn ipsec esp-group vpntunnel proposal 1 hash sha1
set vpn ipsec ike-group vpntunnel
set vpn ipsec ike-group vpntunnel lifetime 28800
set vpn ipsec ike-group vpntunnel proposal 1
set vpn ipsec ike-group vpntunnel proposal 1 dh-group 2
set vpn ipsec ike-group vpntunnel proposal 1 encryption 3des
set vpn ipsec ike-group vpntunnel proposal 1 hash sha1
set vpn ipsec site-to-site peer 4.4.4.4
set vpn ipsec site-to-site peer 4.4.4.4 local-address 8.8.8.8
set vpn ipsec site-to-site peer 4.4.4.4 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 4.4.4.4 authentication pre-shared-secret mysecretkey
set vpn ipsec site-to-site peer 4.4.4.4 connection-type initiate
set vpn ipsec site-to-site peer 4.4.4.4 default-esp-group vpntunnel
set vpn ipsec site-to-site peer 4.4.4.4 ike-group vpntunnel
set vpn ipsec site-to-site peer 4.4.4.4 tunnel 1
set vpn ipsec site-to-site peer 4.4.4.4 tunnel 1 esp-group vpntunnel
set vpn ipsec site-to-site peer 4.4.4.4 tunnel 1 local prefix 10.12.10.0/24
set vpn ipsec site-to-site peer 4.4.4.4 tunnel 1 remote prefix 10.11.0.63/32
commit
Note
The remote subnet command was set as above so that communication is possible with a single IP at the remote site. (It can also be changed to a setting such as /32.)
Don't forget that the remote subnet must be excluded from the local NAT rules.
- jeff824
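A tunnel that never comes up is usually a name or proposal mismatch between the two ends, so the following added check (not code from the page or from EdgeOS) parses the `set vpn ipsec` commands above and reports group names that are referenced but never defined, IKE parameters that disagree with the Cisco side, and legacy algorithms. EDGEOS_CMDS is a constructed sample built from this page's commands (with the `HostedVoice` slip from the first config dump included to show what gets caught), and CISCO_ISAKMP is a hand transcription of `crypto isakmp policy 1`, assuming the IOS default hash of SHA-1.

```python
# Added consistency/strength check, not from the original page. EDGEOS_CMDS is a constructed
# sample of the page's `set vpn ipsec` commands; CISCO_ISAKMP transcribes `crypto isakmp policy 1`.
EDGEOS_CMDS = """
set vpn ipsec esp-group vpntunnel pfs disable
set vpn ipsec esp-group vpntunnel proposal 1 encryption 3des
set vpn ipsec esp-group vpntunnel proposal 1 hash sha1
set vpn ipsec ike-group vpntunnel proposal 1 dh-group 2
set vpn ipsec ike-group vpntunnel proposal 1 encryption 3des
set vpn ipsec ike-group vpntunnel proposal 1 hash sha1
set vpn ipsec site-to-site peer 4.4.4.4 ike-group HostedVoice
set vpn ipsec site-to-site peer 4.4.4.4 tunnel 1 esp-group vpntunnel
"""
CISCO_ISAKMP = {"encryption": "3des", "hash": "sha1", "dh-group": "2"}  # encr 3des, group 2, default hash sha
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5", "sha1"}, "dh-group": {"1", "2", "5"}}


def parse_set_commands(text):
    """Return ({kind: {group: {key: value}}}, {peer: {key: value}}) from `set vpn ipsec` lines."""
    groups, peers = {"esp-group": {}, "ike-group": {}}, {}
    for line in text.splitlines():
        rest, cfg = line.split()[3:], None  # drop the leading `set vpn ipsec`
        if len(rest) >= 2 and rest[0] in groups:
            cfg = groups[rest[0]].setdefault(rest[1], {})
            kv = rest[4:] if rest[2:3] == ["proposal"] else rest[2:]  # skip `proposal N`
        elif len(rest) >= 3 and rest[:2] == ["site-to-site", "peer"]:
            cfg = peers.setdefault(rest[2], {})
            kv = rest[5:] if rest[3:4] == ["tunnel"] else rest[3:]  # flatten `tunnel N`
        if cfg is not None and len(kv) >= 2:
            cfg[kv[0]] = kv[1]
    return groups, peers


def audit(text, remote_isakmp=CISCO_ISAKMP):
    """List findings: undefined group references, IKE mismatches with the peer, legacy crypto."""
    groups, peers = parse_set_commands(text)
    findings = []
    for peer, cfg in peers.items():
        for kind in ("ike-group", "esp-group"):
            name = cfg.get(kind)
            if name and name not in groups[kind]:
                findings.append(f"peer {peer}: {kind} '{name}' is never defined")
            elif name and kind == "ike-group":  # phase 1 must agree with the Cisco side
                findings += [f"ike-group {name}: {k} != peer's {want}"
                             for k, want in remote_isakmp.items() if groups[kind][name].get(k) != want]
    for kind, named in groups.items():
        for name, cfg in named.items():
            findings += [f"{kind} {name}: {k} {v} is a legacy algorithm"
                         for k, v in cfg.items() if v in LEGACY.get(k, ())]
            if kind == "esp-group" and cfg.get("pfs") == "disable":
                findings.append(f"esp-group {name}: pfs disabled, no forward secrecy for ESP keys")
    return findings
```

Running `audit(EDGEOS_CMDS)` flags the undefined `HostedVoice` ike-group first, then 3DES, SHA-1, DH group 2 and disabled PFS; once both ends are moved to AES, SHA-2 and a larger DH group with PFS on, it returns an empty list.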