U of I CS 498 - Assignment - CS 498

Cyber Security Lab 5

Contents
Due
Goal
Requirements
Things you will need to know
  Relevant IOS documentation
  Lab Configuration
  Storing Configs
  Testing Traffic
  ACS Server
Hand-in Items

Due
March 16 at class. For this lab you may work by yourself, or work with a partner and submit a single lab write-up.

Goal
Perform IPSec configuration on IOS routers.

Requirements
Two IPSec tunnel scenarios need to be configured. Both scenarios will use IKE. You may select the authentication mechanism and other protocols.

Figure 1: First scenario

The first is a symmetric scenario. Each peer's configuration is the inverse of the other. Logically there are two tunnels. The HTTP traffic to the peer's hosts should be authenticated but not encrypted, so it will go through the first tunnel. All other traffic should be authenticated and encrypted and will go through the second tunnel.

Figure 2: Second scenario

The second is an asymmetric scenario. One router serves as the tunnel gateway. One host runs the VPN Client software to connect to the tunnel router, authenticate the user, and dynamically negotiate its inside tunnel address. To configure the tunnel router, you will need to use the "mode configuration" and "xauth" commands described in the IKE handout. The client running on the host will be prompted to authenticate himself. Assuming the authentication is successful, the resulting tunnel should get a tunnel address assigned by the tunnel gateway. This address should be on the subnet of the router's local machines (e.g., on the same subnet as H2 in this case).

The ACS server will be configured with the fixed set of users from previous labs: alice, bob, carol, dave, ellen, and gus. Each user's password is their user ID plus "-test".

Things you will need to know

Relevant IOS documentation
You will be working on IOS 12.3.
The security portions of the configuration guides are at http://cisco.com/en/US/products/sw/iosswrel/ps5187/prod_configuration_guide09186a008017d583.html#wp999534

We will walk through a simple static IPSec configuration during class on March 4 using the steps in the IPSec and IKE chapters.

Lab Configuration
Initially the lab will be set up with one pair of tunnel routers. Once everyone is done with the firewall lab, two pairs of tunnel routers will be configured. As in the firewall lab, you can telnet to the router from the corresponding inside host. The telnet and enable passwords are "class-test". "config term" will take you to configuration mode. "show run" will show you the current running config.

Figure 3: Initial IPSec lab configuration with 1 pair of routers

Figure 4: Final IPSec lab topology with two pairs of routers.

Storing Configs
We will be using the tftp server at 192.168.100.100 to persistently store our configurations. Do not "write mem" and do not save changes to nvram when prompted on "reload". "show run" shows the currently running config.

The "copy" command both stores configs to the tftp server and loads them back into memory. To store your current running config to the tftp server, first make sure the file exists and is world writeable. Then issue:

copy running-config tftp://192.168.100.100/ipsec/my-config

To bring your config back into memory after rebooting, issue:

copy tftp://192.168.100.100/ipsec/my-config running-config

Testing Traffic
You can use ethereal on the sniffing machine to make sure that your traffic is tunneled appropriately. Since we are in a switched environment, you will need to arpspoof one of the tunnel endpoints first to see all the traffic that arrives on his outside interface.

On each of the tunnel routers you can issue the following command to look at the current state of the SA table:

show crypto engine connection active

ACS Server
The ACS Server is hosted on a VMWare virtual machine and is connected by a VLAN to the lab.
Due to an OS version mix-up, the server is not ready at the time this lab is handed out. I will post to the news group when the ACS server is configured.

Hand-in Items
1. Description of the design of the first scenario, e.g., protocols used and basic design.
2. The pair of configuration files for the routers in the first scenario.
3. Description of the design of the second scenario, e.g., protocols used and basic design.
4. The configuration file for the router in the second scenario.
5. Ethereal capture of tunneled
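As an added illustration (not part of the handout or the course's own material), this is one way the first, symmetric scenario can be expressed on one of the two IOS 12.3 routers with IKE pre-shared keys: an AH-only crypto map entry for HTTP and an ESP entry for everything else. The addresses, interface name and key are constructed; the peer router's configuration is the mirror image.

```cisco
! Added example, not from the handout. Assumed addressing:
!   R1 outside 10.0.0.1, inside 192.168.1.0/24
!   R2 outside 10.0.0.2, inside 192.168.2.0/24
! R2's config mirrors this one: swap the peer address and the
! source/destination networks in both access lists.
!
! Phase 1: IKE policy with pre-shared key authentication
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ipsec-lab-key address 10.0.0.2
!
! Phase 2 transform sets: AH only for the HTTP tunnel
! (authenticated, not encrypted); ESP with SHA authentication
! for everything else (authenticated and encrypted)
crypto ipsec transform-set AUTH-ONLY ah-sha-hmac
crypto ipsec transform-set AUTH-ENC esp-3des esp-sha-hmac
!
! Crypto ACLs select outbound traffic; the peer's ACLs must be the
! exact mirror. Both HTTP requests to the peer's web servers and
! replies from our own web servers go in the AH tunnel, so that
! the peer's mirrored entries match in both directions.
access-list 110 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www
access-list 110 permit tcp 192.168.1.0 0.0.0.255 eq www 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Crypto map entries are tried in sequence order: the HTTP entry
! must come first, or the catch-all would encrypt HTTP as well.
! Entry 10: HTTP to the peer's hosts, authenticated only
crypto map LAB5 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set AUTH-ONLY
 match address 110
! Entry 20: all other traffic, authenticated and encrypted
crypto map LAB5 20 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set AUTH-ENC
 match address 120
!
! Apply on the outside interface (interface name assumed)
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map LAB5
```

With both routers configured, the handout's "show crypto engine connection active" should list two separate SA pairs per peer, one per crypto map entry.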
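As a second added illustration (again not the handout's own configuration), this is a tunnel-gateway configuration for the asymmetric scenario: xauth checks the VPN Client user against the ACS server and mode configuration hands the client an address on the inside subnet. The addresses, the choice of RADIUS as the ACS protocol, the group name, keys and pool range are all assumptions.

```cisco
! Added example, not from the handout. Assumptions: tunnel router
! outside 10.0.0.1, inside 192.168.2.0/24 (H2's subnet), ACS
! reachable as a RADIUS server at 192.168.100.50, VPN Client
! configured with group "lab5" and its group key.
!
! xauth users (alice, bob, ...) are checked against the ACS server;
! the group policy (address pool) is held locally on the router.
aaa new-model
aaa authentication login VPN-USERS group radius
aaa authorization network VPN-GROUPS local
radius-server host 192.168.100.50 key acs-shared-secret
!
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Group the client connects with; the pool sits on the inside subnet
! so the client appears as one of the router's local machines.
crypto isakmp client configuration group lab5
 key lab5-group-key
 pool CLIENT-POOL
ip local pool CLIENT-POOL 192.168.2.200 192.168.2.220
!
crypto ipsec transform-set AUTH-ENC esp-3des esp-sha-hmac
!
! The client's outside address is not known ahead of time, so a
! dynamic map is used. reverse-route installs a host route for the
! assigned address through the tunnel; without it the router would
! ARP for the client's address on the inside LAN instead.
crypto dynamic-map CLIENTS 10
 set transform-set AUTH-ENC
 reverse-route
!
! xauth, group lookup and mode configuration hooked to the crypto map
crypto map LAB5 client authentication list VPN-USERS
crypto map LAB5 isakmp authorization list VPN-GROUPS
crypto map LAB5 client configuration address respond
crypto map LAB5 10 ipsec-isakmp dynamic CLIENTS
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map LAB5
```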

