Tech Tips and Training, Issue 25

Bypassing GRE

IPSec VI: Traffic Encryption 'OK!'

QoS pre-classification ... point-to-multipoint scenarios possible





Cisco IOS IPSec virtual interfaces can be used to build static VPNs (site-to-site) or dynamic VPNs (Easy VPN or hub-and-spoke scenarios) that carry IP unicast and multicast traffic. In these cases there is no need to use GRE (Generic Routing Encapsulation). Introduced in Cisco IOS Software Release 12.3(14)T, this feature gives IPSec an interface of its own and uses virtual templates to create interfaces dynamically with IPSec encapsulation. The IPSec virtual interface (VI) is available on router platforms that run Cisco IOS Software.

IPSec is typically used for encryption (ESP) and authentication of point-to-point IP traffic in site-to-site and remote-access VPN scenarios. In a GRE/IPSec design the router first encapsulates the packet in GRE and then encrypts the resulting GRE/IP unicast packet, at a cost of 4 bytes of GRE overhead for every packet exchanged. This works on the assumption that the remote peer understands GRE (for example, in a multivendor environment). The IPSec virtual tunnel interface (VTI) offers one solution to these problems with legacy GRE/IPSec implementations (see Figure 1).

There are two types of IPSec VI: static VI and dynamic VI. A static VI covers the one scenario in which you would otherwise configure a point-to-point IPSec/GRE tunnel. A dynamic VI, by contrast, can be configured for both point-to-point and point-to-multipoint scenarios. Enterprises and service providers alike can benefit greatly from using IPSec VI. The following examples should help in understanding the difference between the legacy GRE/IPSec configuration and the IPSec VI configuration.


Figure 1. Inbound and outbound packets that must be encrypted or decrypted are forwarded to the VI before they leave the router.





GRE/IPSec Configuration
7206-VTI-1:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 7206-VTI-1
!
!
clock timezone PST-8
ip subnet-zero
ip domain name cisco.com
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
authentication pre-share
encryption aes 256

!
crypto ipsec transform-set test esp-aes 256 esp-sha-hmac

crypto map test 10 ipsec-isakmp
set peer 20.1.1.2
set transform-set test
match address 101
!
!
interface Tunnel10
ip address 10.10.10.1 255.255.255.252
ip mtu 1420
tunnel source Ethernet1/0
tunnel destination 20.1.1.2
crypto map test
!
interface Ethernet0/0
ip address 20.1.1.1 255.255.255.0
crypto map test
!
ip classless
no ip http server
!
!
access-list 101 permit gre host 20.1.1.1 host 20.1.1.2
!




Alternative VTI Configuration
7206-VTI-1:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 7206-VTI-1
!
clock timezone PST-8
ip subnet-zero
ip domain name cisco.com
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
authentication pre-share
encryption aes 256
crypto ipsec transform-set test esp-aes 256 esp-sha-hmac

! the profile must reference the transform set defined above
crypto ipsec profile vpn
set transform-set test

crypto isakmp key cisco address 20.1.1.2
!
interface Tunnel0
ip address 10.10.10.1 255.255.255.252
tunnel mode ipsec ipv4
tunnel source Ethernet1/0
tunnel destination 20.1.1.2
tunnel protection ipsec profile vpn
!
interface Ethernet0/0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet1/0
ip address 20.1.1.1 255.255.255.0
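
The per-packet cost of the two listings above can be worked out from the transform set they share (esp-aes 256 esp-sha-hmac). This Python calculation is an added example, not part of the original article; it assumes IPv4, ESP tunnel mode (the IOS default when no mode is configured), no NAT traversal and a 1500-byte link MTU, and it counts the 20-byte GRE delivery header together with the 4-byte GRE header the article mentions.

```python
# Sizes in bytes. Assumptions (not from the article): IPv4, ESP tunnel mode,
# no NAT-T, 1500-byte link MTU.
OUTER_IP = 20       # new IPv4 header added by ESP tunnel mode
ESP_HDR = 8         # SPI + sequence number
AES_IV = 16         # esp-aes uses AES-CBC: one 16-byte IV per packet
AES_BLOCK = 16      # ciphertext is padded to a multiple of the block size
ESP_TRAILER = 2     # pad-length + next-header bytes, inside the ciphertext
SHA1_ICV = 12       # esp-sha-hmac: HMAC-SHA-1 truncated to 96 bits
GRE_ENCAP = 20 + 4  # GRE delivery IPv4 header + 4-byte GRE header


def esp_tunnel_size(inner_len):
    """On-the-wire size of one ESP tunnel-mode packet carrying inner_len bytes."""
    padded = (inner_len + ESP_TRAILER + AES_BLOCK - 1) // AES_BLOCK * AES_BLOCK
    return OUTER_IP + ESP_HDR + AES_IV + padded + SHA1_ICV


def gre_ipsec_size(ip_len):
    """Legacy design: the packet is wrapped in GRE/IP first, then encrypted."""
    return esp_tunnel_size(ip_len + GRE_ENCAP)


def vti_size(ip_len):
    """VTI design: the packet is handed to ESP directly, with no GRE layer."""
    return esp_tunnel_size(ip_len)


def largest_unfragmented(size_fn, link_mtu=1500):
    """Largest inner IP packet whose encrypted form still fits link_mtu."""
    n = link_mtu
    while size_fn(n) > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for ip_len in (1400, 1420):
        print(ip_len, "GRE/IPSec:", gre_ipsec_size(ip_len), "VTI:", vti_size(ip_len))
    print("max inner packet, GRE/IPSec:", largest_unfragmented(gre_ipsec_size))
    print("max inner packet, VTI:", largest_unfragmented(vti_size))
```

Under these assumptions a 1420-byte packet, the ip mtu set on Tunnel10, leaves the router as 1512 bytes over GRE/IPSec and as 1480 bytes over the VTI.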


Figure 2. IPSec VI solves the overlapping-subnet problem in IPSec tunnels.





Caveats

Dynamic VIs also support split tunneling, whereas static VIs offer only any-to-any proxy IDs. Unlike GRE/IPSec, a static VI cannot be used to encrypt non-IP traffic.

7206-VTI-1#sh cry ips sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 11.11.11.2 port 500
PERMIT, flags={origin_is_acl,}


VI with QoS Pre-Classification

When a mix of voice and data traffic is encrypted, the outbound physical interface on the originating router does not see the actual flows, because everything is treated as a single flow. The Cisco IOS crypto implementation provides QoS pre-classification to deal with this. To enable the feature, the qos pre-classify command must be applied on the VI. To use pre-classification in a GRE/IPSec implementation, apply this command on the VI.

Consider the example below. A strict priority queue with a guaranteed allowed bandwidth of 50 kbps is reserved for traffic sent from source address 10.10.10.10 to destination address 10.10.10.20 in the port ranges 16384 through 20000 and 53000 through 56000. In the commands that follow, access list 102 is configured first to match the voice traffic.

7206-1(config)# access-list 102 permit udp host 10.10.10.10 host 10.10.10.20 range 16384 20000
7206-1(config)# access-list 102 permit udp host 10.10.10.10 host 10.10.10.20 range 53000 56000

Next, the class map voice is defined and a policy map called policy1 is created. A strict priority queue is reserved for class voice, 20 kbps of bandwidth is configured for class bar, and the default class is configured for WFQ (Weighted Fair Queuing). The service-policy command then attaches the policy map to fa0/0.

7206-1(config)# class-map voice
7206-1(config-cmap)# match access-group 102
7206-1(config)# policy-map policy1
7206-1(config-pmap)# class voice
7206-1(config-pmap-c)# priority 50
7206-1(config-pmap)# class bar
7206-1(config-pmap-c)# bandwidth 20
7206-1(config-pmap)# class class-default
7206-1(config-pmap-c)# fair-queue
7206-1(config)# interface fa0/0
7206-1(config-if)# service-policy output policy1
!
interface Tunnel0
ip address 10.10.10.1 255.255.255.0
qos pre-classify
tunnel source GigabitEthernet0/1
tunnel destination 11.11.11.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn




IPSec VI with NAT, ACLs and IOS Firewall

IPSec VI can be used to perform source/destination NAT (Network Address Translation) on clear-text traffic (for example, in a scenario with overlapping local LAN networks). In that case NAT is performed on the clear-text traffic on both sides.

7206-VTI-1:
crypto isakmp policy 1
authentication pre-share
encryption aes 256
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto ipsec profile vpn
set transform-set myset
!
!
interface Tunnel0
ip address 10.10.10.1 255.255.255.0
ip nat outside
tunnel source GigabitEthernet0/1
tunnel destination 11.11.11.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn

interface GigabitEthernet0/3
ip address 172.16. 255.255.255.0
load-interval 30
duplex auto
speed auto
media-type rj45
no negotiation auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.2
!
no ip http server
no ip http secure-server
!
ip nat inside source static 172.16.1.0 172.17.1.0

VIs make it much easier to control filtering of traffic before and after encryption: pre-encryption or post-decryption (clear-text) traffic can be filtered with input/output ACLs on the VI, whereas ESP/IKE traffic is filtered with ACLs on the physical interface through which the traffic enters and leaves the router. To allow Host-B to communicate with Host-A over the VPN tunnel, define an ACL that permits only host-to-host traffic, on the assumption that the proxy ID is 'permit ip any any'.

interface Tunnel0
ip address 10.10.10.1 255.255.255.0
ip access-group 109 in
ip nat outside
ip inspect myins out

tunnel source GigabitEthernet0/1
tunnel destination 11.11.11.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn

access-list 109 permit ip host 172.18.1.1 host 172.17.1.1
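
The QoS pre-classification passage and the ACL-on-VI passage above both come down to which header an interface feature gets to see. The Python model below is an added example, not code from the article or from Cisco: it evaluates the article's ACLs 102 and 109 against the clear-text header and against the ESP outer header. The sample packets and helper names are constructed; the tunnel endpoints 11.11.11.1 and 11.11.11.2 are taken from the Tunnel0 listings.

```python
# ACL entries from the article, with the wrapped lines joined.
ACLS = """\
access-list 102 permit udp host 10.10.10.10 host 10.10.10.20 range 16384 20000
access-list 102 permit udp host 10.10.10.10 host 10.10.10.20 range 53000 56000
access-list 109 permit ip host 172.18.1.1 host 172.17.1.1
"""

def parse_acls(text):
    """Parse only the form used above: permit <proto> host A host B [range lo hi]."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 8 or t[2] != "permit" or t[4] != "host" or t[6] != "host":
            raise ValueError(f"unsupported ACL entry: {line!r}")
        ports = (int(t[9]), int(t[10])) if t[8:9] == ["range"] else None
        acls.setdefault(int(t[1]), []).append((t[3], t[5], t[7], ports))
    return acls

def permits(rules, hdr):
    """True if any permit entry matches; otherwise the implicit deny applies."""
    for proto, src, dst, ports in rules:
        if proto in ("ip", hdr["proto"]) and (hdr["src"], hdr["dst"]) == (src, dst):
            if ports is None or ports[0] <= hdr.get("dport", -1) <= ports[1]:
                return True
    return False

def esp_outer(tunnel_src, tunnel_dst):
    """Header visible on the physical interface once ESP tunnel mode is applied."""
    return {"proto": "esp", "src": tunnel_src, "dst": tunnel_dst}

def egress_class(acls, inner, pre_classify):
    """Class that policy1 picks on the physical interface for an outbound packet."""
    # With qos pre-classify the router classifies on a copy of the inner header.
    hdr = inner if pre_classify else esp_outer("11.11.11.1", "11.11.11.2")
    return "voice" if permits(acls[102], hdr) else "class-default"

ACL_TABLE = parse_acls(ACLS)
# Constructed sample packets (not from the article).
VOICE = {"proto": "udp", "src": "10.10.10.10", "dst": "10.10.10.20", "dport": 16500}
WEB = {"proto": "tcp", "src": "10.10.10.10", "dst": "10.10.10.20", "dport": 80}
HOST_TO_HOST = {"proto": "tcp", "src": "172.18.1.1", "dst": "172.17.1.1", "dport": 22}

if __name__ == "__main__":
    for name, pkt in (("voice", VOICE), ("web", WEB)):
        print(name, egress_class(ACL_TABLE, pkt, False), egress_class(ACL_TABLE, pkt, True))
    print("ACL 109 on Tunnel0:", permits(ACL_TABLE[109], HOST_TO_HOST))
    print("ACL 109 on the physical interface:",
          permits(ACL_TABLE[109], esp_outer("11.11.11.2", "11.11.11.1")))
```

Without pre-classification the voice packet falls into class-default, and ACL 109 only ever matches where the clear-text header is visible, which is on the VI.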

When NAT, ACLs and CBAC (Context-Based Access Control) are all combined, they follow the standard IOS order of input/output feature processing. The VI is generally used to run features on clear-text (pre-encryption) traffic, while the actual outbound physical interface is used after encryption has been applied.



Dynamic VI Configuration

Dynamic VIs are used to create VI instances on the fly in support of remote-access Easy VPN or hub-and-spoke configurations. With the dynamic VI feature, Easy VPN tunnels can carry routing protocols and multicast traffic while still offering the inherent advantages of Easy VPN. See the Easy VPN example that follows.

Hub Router:
username afakhancisco password cisco123
aaa new-model
aaa session-id common
aaa authentication login users local
aaa authorization network users local
!
crypto isakmp client configuration group mygroup
key cisco
dns 10.10.10.1
wins 10.10.10.2
pool mypool
!
crypto isakmp profile csco-ezvpn
match identity group mygroup
client authentication list users
isakmp authorization list users
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VTI-profile
set transform-set myset
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet2/0
description Egress Interface
ip address 192.1.1.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
description Dynamic VI
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI-profile
!
ip local pool mypool 172.16.1.1 172.16.1.10
ip route 0.0.0.0 0.0.0.0 192.1.1.2

The spoke router can have a regular static VI. When migrating gradually to IPSec VI, several scenarios can be configured. Examples are as follows:

  • One peer configured with a static VI, the other peer with a static crypto map.
    A code/configuration update is needed on only one peer. Routing protocols cannot be run.

  • Both peers configured with static VIs.
    Code/configuration updates are needed on both routers, and either IPSec or GRE must be configured. Routing protocols, multicast traffic and so on can be run.

  • Dynamic VI at the hub site, static crypto maps at the spoke sites.
    A code/configuration update is needed on one router. Routing protocols cannot be run.

  • Dynamic VI at the hub site, static VIs at the spoke sites.
    A code upgrade and configuration are needed on one of the two peers. Routing protocols and multicast are supported and, unlike a typical Easy VPN scenario, RRI is not needed on the hub.

  • IPSec VI
    Can be used as a workaround for having multiple wildcard pre-shared keys on a single router. This is especially useful when service providers use network-based VPNs.






IPSec VI Troubleshooting (Examples and Debugs)

7201-1#sh int tun0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 1.1.1.1/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 11.11.11.1 (GigabitEthernet0/1), destination 11.11.11.2
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "vpn")
.......

7206-1#sh cry session
crypto session current status

interface : Tunnel10
session status : UP-ACTIVE
peer : 11.11.11.2 port 500
IKE SA : local 11.11.11.1/500 remote 11.11.11.2/500 Active
IPSEC FLOW : permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs : 2, origin: crypto map

For real-time debugging, the crypto-related debugs can be used.


MUHAMMAD AFAQ KHAN
¹«Çϸ¶µå ¾ÆÆÅ Ä­(MUHAMMAD AFAQ KHAN)Àº ½Ã½ºÄÚÀÇ ºê·Îµå¹êµå, ¿¡Áö, ¹Ìµå·¹ÀÎÁö ¶ó¿ìÆÃ ºñÁî´Ï½º ºÎ¹® ±â¼ú ¸¶ÄÉÆÃ ÀÌ»ç·Î ±Ù¹«Çϰí ÀÖ´Ù. °ú°Å¿¡´Â ½Ã½ºÄÚ º¸¾È/VPN TAC ºÎ¹®À» ´ã´çÇß´Ù. ¶ó¿ìÆÃ, ½ºÀ§Äª, º¸¾È, Åë½Å¼­ºñ½º »ç¾÷ÀÚ Æ®·¢ ºÎ¹® CCIE ÀÚ°ÝÁõµµ º¸À¯Çϰí ÀÖ´Ù. À̸ÞÀÏ ÁÖ¼Ò´Â afakhan@cisco.comÀÌ´Ù.


