
Topic: Question about VPN Connection

  1. #1
    Member (Iraq)

    Question about VPN Connection



    Peace be upon you,

    Can we connect more than one network in different locations, for example in more than one province or city, through a VPN Connection without using a PIX Firewall, i.e. do the configuration on the router only???

  2. #2
    BENDAOUD7 (Algeria)

    Reply: Question about VPN Connection

    First, what devices will you be using, routers?
    Generally, if you have a router you need an IOS with the IP Advanced Security feature set, as well as 2 public static IP addresses; bandwidth is also important given the traffic that will be exchanged.
    As for the configuration, there are several types:
    site to site, i.e. a company connected to all of its branches through the VPN, as a permanent connection;
    and client to site, where the client can be either a router with a dynamic public IP address or an end user, for example Windows XP.
    If you want to develop your knowledge I advise you to use the command line; if you are in a hurry for a solution, just use SDM (Security Device Manager).

    Arab Hardware is at your service for that.

    O Allah, help me memorize the Quran
    My thread on virtualisation with VMware
    http://www.arabhardware.net/forum/sh...d.php?t=215569
    Learn about the CCSI instructor certification
    http://www.arabhardware.net/forum/sh...54#post1851054

  3. #3
    Member (Iraq)

    Reply: Question about VPN Connection

    Peace be upon you,

    Thank you very much for this information. To begin with, I am not in a hurry; as for the devices used, they are Cisco 2600 routers,
    and as you said, the connection is site to site.

  4. #4
    BENDAOUD7 (Algeria)

    Reply: Question about VPN Connection

    If you need anything, don't hesitate.


  5. #5
    Member (Iraq)

    Reply: Question about VPN Connection

    Peace be upon you,

    Thank you very much Ben Daoud, but so far I have not seen the configuration for the VPN Connection????

  6. #6
    abo Abdullah

    Reply: Question about VPN Connection

    Here is a site-to-site VPN configuration:


    http://www.vpnc.org/InteropProfiles/cisco-ios.txt



    Cisco IOS VPN Configuration

    Scenario 1: Gateway-to-gateway with preshared secrets

    The following is a typical gateway-to-gateway VPN that uses a preshared
    secret for authentication.

    10.5.6.0/24                                            172.23.9.0/24
        |                                                        |
      --|                                                        |--
        |  +-----------+     /-^-^-^-^--\     +-----------+      |
        |--| Gateway A |=====| Internet |=====| Gateway B |------|
        |AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL    |
      --|   10.5.6.1    14.15.16.17     22.23.24.25    172.23.9.1|--
        |                                                        |

    Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's
    LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has
    the address 14.15.16.17.

    Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway
    B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN
    interface address, 172.23.9.1, can be used for testing IPsec but is not
    needed for configuring Gateway A.

    The IKE Phase 1 parameters used in Scenario 1 are:

    * Main mode
    * TripleDES
    * SHA-1
    * MODP group 2 (1024 bits)
    * pre-shared secret of "hr5xb84l6aa9r6"
    * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

    The IKE Phase 2 parameters used in Scenario 1 are:

    * TripleDES
    * SHA-1
    * ESP tunnel mode
    * MODP group 2 (1024 bits)
    * Perfect forward secrecy for rekeying
    * SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
    * Selectors for all IP protocols, all ports, between 10.5.6.0/24 and
    172.23.9.0/24, using IPv4 subnets

    To set up Gateway A for this scenario, use the following steps:

    Cisco IOS includes IPSec support, beginning with early versions of IOS
    Version 12; however, the commands have changed during the evolution of IOS
    Version 12 point releases. The following example uses the current release
    version, Cisco IOS Version 12.2(T4).

    This example uses a Cisco 1700 series router, which has one ethernet port
    and one serial port. The ethernet port, FastEthernet0, will be the outside,
    or Internet-facing interface. The serial port, Serial0, will be the inside
    interface. (This is just an example. Your interfaces may be different.)

    All configuration changes are volatile, and immediate, until the "write"
    command is executed, when the configuration is saved to flash and will be
    reloaded after a reboot. At any time, you may examine the running
    configuration with the command "show running-configuration", or view the
    saved configuration with the command "show config". Most commands can be
    abbreviated. Use a ? at the prompt or in a command to see options.


    Configure IP on the interfaces:

    Router# config term
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# int fa0
    Router(config-if)# ip address 14.15.16.17 255.255.255.0
    Router(config-if)# speed auto
    Router(config-if)# ^Z
    Router# config term
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# int ser0
    Router(config-if)# ip address 10.5.6.1 255.255.255.0
    Router(config-if)# no shutdown
    Router(config-if)# ^Z
    Router#

    Define the default route:

    Router# config term
    Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1
    Router(config)# exit

    Cisco supports only one IKE policy per router, so you must design one which
    is acceptable to all systems you are going to interoperate with. Assign it
    an ordering number of 5. If you wanted to have more than one proposal in
    the policy, the proposals would be given in order defined by this policy
    order number. Configure the IKE Policy:

    Router# config term
    Router(config)# crypto isakmp policy 5
    Router(config-isakmp)# encryption 3des
    Router(config-isakmp)# group 2
    Router(config-isakmp)# hash sha
    Router(config-isakmp)# lifetime 28800
    Router(config-isakmp)# authentication pre-share
    Router(config-isakmp)# exit

    Since multiple peers will share the same IKE policy, you must match each
    peer with its pre-shared secret:

    Router# config term
    Router(config)# crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
    Router(config)# exit

    The IPSEC transform will be combined later with the rest of the IPSEC policy
    in a crypto map command. In this command, "STRONG" is just a label. Labels
    are CASE-SENSITIVE. Define the IPSEC transform:

    Router# config term
    Router(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
    Router(cfg-crypto-trans)# exit

    Cisco IOS uses access lists for SPD entries. Many features of access lists
    (e.g. TCP flag checking) don't work in IPSEC. This kind of access list
    MUST be labelled with a 3-digit number. The netmasks in Cisco access lists
    are inverted. Nobody knows why, they just are. This list says "all traffic
    from 10.5.6.0/24 to 172.23.9.0/24, all ports, all IP protocols". Create the
    IPSEC access list:

    Router# config term
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
    Router(config)# exit

    Because IOS is a router first and an IPSEC gateway second, we have to tell
    IOS which interface to send packets on if the default route is not enough.
    In this scenario we don't need it, but in other situations you might need to
    define a route for the remote protected network:

    Router# config term
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# ip route 172.23.9.0 255.255.255.0 14.15.16.1
    Router(config)# exit

    A crypto map binds all the assorted crypto parameters with a specific remote
    gateway. Several crypto maps bound to different remote gateways can be
    grouped together in one crypto map SET which is then bound to an outgoing
    interface. The number following the crypto map set name is the ordering of
    the map in the set. Bind the policy together with a crypto map, and give it
    the label CISCO:

    Router# config term
    Router(config)# crypto map CISCO 10 ipsec-isakmp
    % NOTE: This new crypto map will remain disabled until a peer
    and a valid access list have been configured.
    Router(config-crypto-map)# set security-association life seconds 3600
    Router(config-crypto-map)# set transform-set STRONG
    Router(config-crypto-map)# set pfs group2
    Router(config-crypto-map)# set peer 22.23.24.25
    Router(config-crypto-map)# match address 101
    Router(config-crypto-map)# exit

    Because Ciscos could have many interfaces, you have to bind the SPD to the
    outgoing interface:

    Router# config term
    Router(config)# interface fa0
    Router(config-if)# crypto map CISCO
    Router(config-if)# ^Z

    If you had multiple tunnels to multiple gateways, you would need to create a
    different access list for each tunnel, add an isakmp key entry for each
    gateway, and possibly create a different ipsec transform if your security
    policy is different. For example, let's say you have another remote peer at
    23.23.24.25, for which you have created access-list 102. You could then add
    a crypto map to the set created above:

    Router# config term
    Router(config)# crypto map CISCO 20 ipsec-isakmp
    % NOTE: This new crypto map will remain disabled until a peer
    and a valid access list have been configured.
    Router(config-crypto-map)# set security-association life seconds 3600
    Router(config-crypto-map)# set transform-set STRONG
    Router(config-crypto-map)# set pfs group2
    Router(config-crypto-map)# set peer 23.23.24.25
    Router(config-crypto-map)# match address 102
    Router(config-crypto-map)# exit

    Now the outgoing interface FastEthernet0 has both crypto maps, and it will
    compare traffic to each map in order to determine if the traffic requires
    encryption.

    Save the configuration:

    Router# write
    Building configuration...
    [OK]

    Here is the completed IPSEC part of the Cisco configuration:

    Router# show config
    !
    crypto isakmp policy 5
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
    !
    crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
    !
    crypto map CISCO 10 ipsec-isakmp
     set peer 22.23.24.25
     set security-association lifetime seconds 3600
     set transform-set STRONG
     set pfs group2
     match address 101
    !
    interface FastEthernet0
     ip address 14.15.16.17 255.255.255.0
     speed auto
     crypto map CISCO
    !
    interface Serial0
     ip address 10.5.6.1 255.255.255.0
    !
    access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
    !

    Now, bring up a tunnel! The IOS ping command extensions will allow you to
    select the source interface, and hence IP address, of the ping:

    Router# ping
    Protocol [ip]:
    Target IP address: 172.23.9.10
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: serial0
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.23.9.10, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    Hmmmm ... what could be wrong? Let's check some basics:

    Router# show ip int brief
    Interface        IP-Address      OK? Method Status   Protocol
    FastEthernet0    14.15.16.17     YES manual up       up
    Serial0          10.5.6.1        YES manual down     down

    Ah, the serial interface is down. I have to actually connect it up to something
    to bring the interface up. Now, the ping works and brings up the SAs.


    Show the SAs with these commands:

    Router# show crypto isakmp sa
    dst              src              state      conn-id  slot
    14.15.16.17      22.23.24.25      QM_IDLE    1        0

    Router# show crypto ipsec sa

    interface: FastEthernet0
    Crypto map tag: CISCO, local addr. 14.15.16.17

    local ident (addr/mask/prot/port): (10.5.6.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.23.9.0/255.255.255.0/0/0)
    current_peer: 22.23.24.25
    PERMIT, flags={origin_is_acl,}
    # pkts encaps: 12, # pkts encrypt: 12, # pkts digest 12
    # pkts decaps: 23, # pkts decrypt: 23, # pkts verify 23
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0
    # send errors 0, # recv errors 0

    local crypto endpt.: 14.15.16.17, remote crypto endpt.: 22.23.24.25
    path mtu 1500, media mtu 1500
    current outbound spi: 3C39A800

    inbound esp sas:
    spi: 0xD7228E4B(3609366091)
    transform: esp-3des esp-sha-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 2000, flow_id: 1, crypto map: CISCO
    sa timing: remaining key lifetime (k/sec): (4607999/3574)
    IV size: 8 bytes
    replay detection support: Y

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
    spi: 0x3C39A800(1010411520)
    transform: esp-3des esp-sha-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 2001, flow_id: 2, crypto map: CISCO
    sa timing: remaining key lifetime (k/sec): (4607999/3574)
    IV size: 8 bytes
    replay detection support: Y

    outbound ah sas:

    outbound pcp sas:


    The easiest way to clear SAs from a Cisco IOS system varies with version, but
    one of these two will generally work:

    Router# clear crypto isakmp
    Router# clear crypto sa

    To enable debugging in IOS, you must turn on the debug as well as turn on the
    debug monitor, which is normally the terminal you are logged in on:

    Router# debug crypto verbose
    Router# debug crypto isakmp
    Router# term monitor

    To disable debugging:
    Router# no debug all
    Router# term no monitor

    I have seen that sins deaden hearts *** and that addiction to them may bring humiliation;
    abandoning sins is life for hearts *** and it is best for your soul to disobey them.

    Telecom Engineer
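    As an added example (it is not part of the quoted VPNC profile nor the poster's own configuration), a small Python audit that cross-checks the labels in a completed "show config" the way the text warns: transform-set and crypto map labels are case-sensitive, every peer in a crypto map needs an isakmp pre-shared key, the match-address ACL must exist, and the map must be applied to an interface. The sample configuration is constructed from the scenario above with the transform-set label defined in lowercase, which is exactly the mismatch the audit reports.

```python
# Constructed sample: the IPsec part of the scenario's "show config", indented as
# IOS prints it, with the transform-set defined as "strong" but used as "STRONG".
SAMPLE_CONFIG = """\
crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 10 ipsec-isakmp
 set peer 22.23.24.25
 set transform-set STRONG
 match address 101
!
interface FastEthernet0
 ip address 14.15.16.17 255.255.255.0
 crypto map CISCO
!
access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
"""


def audit_ipsec_config(text):
    """Cross-check every crypto map entry against the objects it references."""
    transform_sets, keyed_peers, acls, applied_maps = set(), set(), set(), set()
    crypto_maps = {}          # "NAME seq" -> {"set peer": ..., "match address": ...}
    current = None            # crypto map entry whose sub-commands we are reading
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if line[0] not in " \t":                      # top-level command
            current = None
            if words[:3] == ["crypto", "ipsec", "transform-set"]:
                transform_sets.add(words[3])
            elif words[:3] == ["crypto", "isakmp", "key"]:
                keyed_peers.add(words[5])             # key <secret> address <peer>
            elif words[0] == "access-list":
                acls.add(words[1])
            elif words[:2] == ["crypto", "map"]:
                current = crypto_maps.setdefault(f"{words[2]} {words[3]}", {})
        elif current is not None and words[0] in ("set", "match"):
            current[" ".join(words[:2])] = words[-1]  # e.g. "set peer" -> address
        elif words[:2] == ["crypto", "map"]:          # applied under an interface
            applied_maps.add(words[2])
    findings = []
    for entry, s in crypto_maps.items():
        if s.get("set transform-set") not in transform_sets:   # labels are case-sensitive
            findings.append(f"{entry}: transform-set {s.get('set transform-set')} undefined (labels are case-sensitive)")
        if s.get("set peer") not in keyed_peers:
            findings.append(f"{entry}: no isakmp pre-shared key for peer {s.get('set peer')}")
        if s.get("match address") not in acls:
            findings.append(f"{entry}: access-list {s.get('match address')} not found")
        if entry.split()[0] not in applied_maps:
            findings.append(f"{entry}: crypto map not applied to any interface")
    return findings
```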

  7. #7
    BENDAOUD7 (Algeria)

    Reply: Question about VPN Connection

    Brother Abu Abdullah has covered it fully and sufficiently.
    May Allah reward him well.


  8. #8
    abo Abdullah

    Reply: Question about VPN Connection

    No thanks needed for doing one's duty.

    Here, in addition, is a book in which you will find an explanation of VPN.

    In fairness, someone pointed to it in another thread:

    http://www.arabhardware.net/forum/sh...d.php?t=136616

    That was brother: qobtan_3005

    Book download link:

    http://www.4shared.com/account/file/...ng__Guide.html
