라우터 간에 IPSec을 사용하여 보안 트렁크 IAX2 연결을 설정하려고 합니다.
하지만 Wireshark로 스니핑 공격을 하면 모든 통화 정보가 표시됩니다!
IPsec은 잘 구성되어 있으며 http 패킷과 완벽하게 작동하지만 IAX2에는 영향을 미치지 않습니다.
R3 구성:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco@123 address 100.100.100.101
!
!
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
!
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
set peer 100.100.100.101
set transform-set MY-SET
match address VPN-TRAFFIC
!
!
!
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
!
interface FastEthernet1/0
ip address 100.100.100.100 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex half
crypto map IPSEC-SITE-TO-SITE-VPN
!
ip route 0.0.0.0 0.0.0.0 200.200.200.200
ip route 0.0.0.0 0.0.0.0 100.100.100.101
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet1/0 overload
ip nat inside source list 101 interface FastEthernet1/0 overload
ip nat inside source static tcp 192.168.10.2 4569 100.100.100.100 4569 extendable
ip nat inside source static tcp 192.168.10.2 5060 100.100.100.100 5060 extendable
ip nat inside source static tcp 192.168.10.2 5061 100.100.100.100 5061 extendable
!
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R4 구성:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco@123 address 100.100.100.100
!
!
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
!
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
set peer 100.100.100.100
set transform-set MY-SET
match address VPN-TRAFFIC
!
!
!
!
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
!
interface FastEthernet1/0
ip address 100.100.100.101 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex half
crypto map IPSEC-SITE-TO-SITE-VPN
!
ip route 0.0.0.0 0.0.0.0 100.100.100.100
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet1/0 overload
ip nat inside source list 101 interface FastEthernet1/0 overload
ip nat inside source static tcp 192.168.20.2 4569 100.100.100.101 4569 extendable
ip nat inside source static tcp 192.168.20.2 5060 100.100.100.101 5060 extendable
ip nat inside source static tcp 192.168.20.2 5061 100.100.100.101 5061 extendable
!
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
답변1
이 줄이 보이지만 액세스 목록 1이 없습니다.
!
ip nat inside source list 1 interface FastEthernet1/0 overload