Article VPN and remote work
Paweł Jaroszewicz | 2013-01-01

Konfiguracja VPN z protokołem IPsec dla bezpiecznego przesyłania danych

Niniejszy artykuł poświęcony zostanie tematyce związanej z bezpiecznym przesyłaniem danych wewnątrz firmy oraz z innych lokalizacji. Mobilność współcześnie jest ważnym czynnikiem warunkującym rozwój firm. Opisane rozwiązanie znacznie wpływa na możliwości komunikacji oraz jej jakość i bezpieczeństwo.

W celu tworzenia szyfrowanej wirtualnej sieci prywatnej należy wykonać następujące kroki:

  • Uwierzytelnienie obu stron komunikacji wobec siebie za pomocą jednej z poniższych metod:
    • Hasło znane obu stronom (shared secret) – użyte w konfiguracji,
    • Podpisy RSA (ręcznie wymieniamy klucze publiczne),
    • Certyfikaty X.509 (najbardziej uniwersalna),
  • Nawiązanie bezpiecznego kanału dla potrzeb IKE nazywanego ISAKMP SA (Security Associacion),
  • Bezpieczne uzgodnienie kluczy kryptograficznych oraz parametrów tuneli IPsec,
  • Ewentualna ich renegocjacja, co określony czas.

C1-komputer, C2- komputer.

Rysunek 1 C1-komputer, C2- komputer.

Konfiguracja Ruterów R1 i R2 na rysunku nr 1 wygląda następująco:

  • W ruterze R1:

R1>enable

R1#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#crypto isakmp policy 1

R1(config-isakmp)#hash md5

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#exit

R1(config)#crypto isakmp key zaq12wsx address 192.168.1.20

R1(config)#crypto ipsec transform-set transform esp-des esp-md5-hmac

R1(cfg-crypto-trans)#exit

R1(config)#crypto map mapa 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

R1(config-crypto-map)#set peer 192.168.1.20

R1(config-crypto-map)#set transform-set transform

R1(config-crypto-map)#match address 100

R1(config-crypto-map)#exit

R1(config)#access-list 100 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

R1(config)#interface f2/0

R1(config-if)#crypto map mapa

R1(config-if)#

*Jun 12 16:47:33.719: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1(config-if)#exit

  • W ruterze R2:

R2>enable

R2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#crypto isakmp policy 1

R2(config-isakmp)#hash md5

R2(config-isakmp)#authentication pre-share

R2(config-isakmp)#exit

R2(config)#crypto isakmp key zaq12wsx address 192.168.1.10

R2(config)#crypto ipsec transform-set transform esp-des esp-md5-hmac

R2(cfg-crypto-trans)#exit

R2(config)#crypto map mapa 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

R2(config-crypto-map)#set peer 192.168.1.10

R2(config-crypto-map)#set transform-set transform

R2(config-crypto-map)#match address 100

R2(config-crypto-map)#exit

R2(config)#access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255

R2(config)#interface f2/0

R2(config-if)#crypto map mapa

R2(config-if)#

*Jun 12 16:47:33.719: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R2(config-if)#exit

W konfiguracji acces-list 100 były podawane adresy IP sieci, które będą się łączyć przez tunel stworzony za pomocą R1 i R2. Dla hostów ustawiono więc odpowiednio adresy:

  • C1: 10.1.0.11 z maską 255.255.0.0 i bramą 10.1.0.10, adresu interfejsu FastEthernet R1, do którego był podłączony C1.
  • C2: 10.2.0.21 z maską 255.255.0.0 i bramą 10.2.0.20, adresu interfejsu FastEthernet R2, do którego był podłączony C2.

Tak skonfigurowane urządzenia i komputery nawiązują łączność tworząc wirtualną sieć prywatną:

R1#show crypto isakmp sa

dst             src             state          conn-id slot

192.168.1.20    192.168.1.10    QM_IDLE              1    0

Zestawiona powyżej sieć może być odpowiednio filtrowana, można nadawać priorytety za pomocą access list. Stosując np. polecenie na obu ruterach:

access-list 100 deny   tcp any any eq ftp

access-list 100 deny   tcp any eq ftp-data any

access-list 100 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

priority-list 10 protocol ip high udp 53

Dzięki takiemu ustaleniu priorytetu przesyłanie danych protokołu UDP ma w sieci najwyższy priorytet i dane są przesyłane w pierwszej kolejności. Przekłada się to na wydajność sieci. Przesyłane dane, które nie zawierają się w liście priorytetu są kolejkowane dopóki najwyższy priorytet przesyła dane co może być również szkodliwe dla sieci. Pakiety, które mają niższy priorytet są kolejkowane i dopóki przesyłane są dane o najwyższym priorytecie pozostałe czekają.

Sposobów priorytetyzowania jest wiele m.in. CQ, czyli Custom Queueing i CBWFQ, czyli Class-Based WFQ (najbardziej wydajny, jednak potrzebuje znacznie większej mocy obliczeniowej).

Support Online świadczy kompleksowe usługi informatyczne, w ramach których dba m.in. o zabezpieczenie firmowej sieci. Bezpieczne przesyłanie danych to podstawa funkcjonowania każdej organizacji. Jeśli interesuje Cię konfiguracja VPN krok po kroku to zgłoś się do nas. Chętnie pomożemy! Zakładka kontakt - kliknij TUTAJ.

Paweł Jaroszewicz -
Related articles
Case study
| migrations and backups Case Study: Implementing Hardened Backup in Microsoft Azure. Read more
Article
| career Employee training and development in Support Online Read more
Article
| migrations and backups Veeam Hardened Repository – What is it and how does it protect backups against ransomware in 2026? Read more
Your IT.
our
support.
Contact us

The administrator of your personal data is Support Online sp. z o.o. Your personal data will be processed to respond to your inquiry and, if you consent, also to send the SOL newsletter. You can read about the detailed rules for personal data processing by our organization in our Privacy Policy.

FAQ
What does an IT company do? What IT solutions do we use at Support Online? When is it worth using an IT company? Why is it worth hiring an IT company rather than a freelance IT specialist? What are the advantages of working with IT Support Online?

An IT company, or IT firm, deals with information technology in a broad sense. This includes, among other things:

  1. Software design and development: An IT company can create custom applications for other companies or software products for the mass market. Depending on their specialization, these can include mobile applications, desktop applications, web applications, or embedded systems.
  2. Consulting services: An IT company often provides experts to advise on implementing new technologies, optimizing business processes, or selecting appropriate technological solutions.
  3. Cloud solutions: Many IT companies specialize in implementing and managing cloud solutions, such as data storage, application hosting, and data analysis platforms.
  4. IT security: Protection against cyberattacks, security audits, implementing security policies, and network monitoring are just some of the IT companies' responsibilities in this area.
  5. IT infrastructure management: In this area, a company may manage servers, databases, networks, and endpoints.
  6. Technical Support and Service: An IT company may provide support for its own products or general IT support for other companies, managing their technology on a daily basis.
  7. Training: Many IT providers also offer training in software use and secure technology use.
  8. Hardware Solutions: Some IT companies may also provide and configure computer, server, or network hardware.

Depending on their specialization and size, an IT company may offer one, several, or all of the above solutions. When choosing a provider, it's important to thoroughly understand their services and tailor them to your individual needs.

At Support Online, we have been supporting companies for years with

  1. comprehensive user support (both on-site and remotely),
  2. we service computers, phones, tablets, and related network issues,
  3. we specialize in server administration: Windows, Linux/Unix,
  4. we support virtualizers such as KVM, Hyper-V, VMWare, and Proxmox,
  5. we support cloud services, particularly solutions such as Azure, Microsoft 365, and AWS,
  6. we monitor servers and devices on the internet,
  7. we consult on development, DRP, and support the stability of your business in the IT layer.

If you're looking for a good IT company, Support Online is the right place to grow your business.

It's worth using an IT company like Support Online when:

  1. You plan to implement new technologies or software in your company.
  2. You need specialized technology consulting.
  3. You want to optimize existing IT processes.
  4. You struggle with digital security issues.
  5. You need support in managing your IT infrastructure.
  6. You lack internal resources or expertise to implement certain technology projects.

Using external IT experts can bring benefits in terms of saving time and resources, and ensuring high-quality solutions.

Hiring an IT company like Support Online offers several key benefits over an IT freelancer:

  1. Support from the entire team: An IT company has a full team of specialists, from DevOps specialists and Cyber ​​Security Specialists to IT Helpdesk Specialists, who possess diverse skills and experience, enabling faster problem resolution and the implementation of more complex projects.
  2. Reliability and stability: IT companies have an established reputation and track record, which can translate into greater reliability and stability of services.
  3. Maintenance and support: An IT company can offer service contracts, warranties, and after-sales support, which may be more difficult to obtain from an individual freelancer.
  4. Resources: Companies have access to more resources, tools, and technologies that can accelerate and improve project execution.
  5. Long-term availability: The risk of a freelancer disappearing or changing careers is greater than the risk of a well-established company going out of business.

However, it's worth noting that the choice between a company and a freelancer depends on your specific needs and situation. If you value peace of mind and a quick response to unexpected problems, it is worth choosing an IT company such as Support Online.

Partnering with IT Support Online offers the following advantages:

  1. Professional IT outsourcing: The company guarantees high-quality IT outsourcing services for businesses of all sizes.
  2. Comprehensive IT support: IT Support Online provides comprehensive IT support that meets the diverse needs of businesses.
  3. Saves time and money: With our support, clients can focus on their core business activities while reducing the costs associated with information technology management.
  4. Serving a diverse range of businesses: The company specializes in serving both small and medium-sized enterprises and large corporations, demonstrating its flexibility and ability to adapt to diverse client needs.
  5. Leadership in IT outsourcing: The company is recognized as a leader in IT outsourcing, particularly in the Poznań and Warsaw regions.

By partnering with our company, IT Support Online, businesses can count on a high standard of service and professionalism at every stage of the relationship.

Free consultation
22 335 28 00