Scribd Logo
Upload

Welcome to Scribd!

  • 17 views

    Lab3 IPSec

    Uploaded by

    Danar
    The document provides instructions for configuring IPsec VPN tunnels between routers to secure communications at the IP layer. It outlines the necessary background on IPsec, required tools, and step-by-step configuration procedures for setting up point-to-point IPsec tunnels using pre-shared keys between various router pairs. The configuration includes establishing IKE policies, transforms, access lists, crypto maps, and applying the maps to interfaces. It also provides commands to verify the IPsec security associations have been successfully established.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Lab3 IPSec

    Uploaded by

    Danar
    17 views13 pages
    The document provides instructions for configuring IPsec VPN tunnels between routers to secure communications at the IP layer. It outlines the necessary background on IPsec, required tools, and step-by-step configuration procedures for setting up point-to-point IPsec tunnels using pre-shared keys between various router pairs. The configuration includes establishing IKE policies, transforms, access lists, crypto maps, and applying the maps to interfaces. It also provides commands to verify the IPsec security associations have been successfully established.

    Original Description:

    Original Title

    Lab3_IPSec

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document provides instructions for configuring IPsec VPN tunnels between routers to secure communications at the IP layer. It outlines the necessary background on IPsec, required tools, and step-by-step configuration procedures for setting up point-to-point IPsec tunnels using pre-shared keys between various router pairs. The configuration includes establishing IKE policies, transforms, access lists, crypto maps, and applying the maps to interfaces. It also provides commands to verify the IPsec security associations have been successfully established.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    17 views13 pages

    Lab3 IPSec

    Uploaded by

    Danar
    The document provides instructions for configuring IPsec VPN tunnels between routers to secure communications at the IP layer. It outlines the necessary background on IPsec, required tools, and step-by-step configuration procedures for setting up point-to-point IPsec tunnels using pre-shared keys between various router pairs. The configuration includes establishing IKE policies, transforms, access lists, crypto maps, and applying the maps to interfaces. It also provides commands to verify the IPsec security associations have been successfully established.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 13

    Lab: Configuring IPsec

    Objectives
    To be able to setup point to point VPN tunnel using IPsec.

    Background
    IPsec is a protocol suite for securing communications in the IP layer.

    What you Need


    • Client to telnet to the routers – Putty for Windows
    Steps:

    Please follow the steps below. Note that the examples use R13 and R15 to set up the VPN. Use your
    assigned IP addresses accordingly.

    1. Create the ISAKMP policy.

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit

    2. Create the pre-shared key.

    crypto isakmp key Tr@ining123 address 172.16.11.66

    3. Configure IPsec transform set. Let us use the name ESP-AES-SHA to identify this.
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit

    4. Configure an access list to match the traffic that will be encrypted.


    access-list 101 permit ip 172.16.16.0 0.0.0.255 172.16.20.0 0.0.0.255

    5. Create a map with name LAB-VPN to glue it all together


    crypto map LAB-VPN 10 ipsec-isakmp
    match address 101
    set transform-set ESP-AES-SHA
    set peer 172.16.11.66
    exit

    6. Now apply this map LAB-VPN on a WAN interface.

    APNIC Training Security Lab Page 1 of 13


    Lab: Configuring IPsec

    int fa 0/1
    crypto map LAB-VPN
    exit
    exit
    wr

    7. Do the same configuration on the other router. For reference, here is the complete configuration
    for R15.

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address 172.16.11.2
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.16.0 0.0.0.255
    crypto map LAB-VPN 10 ipsec-isakmp
    match address 101
    set transform-set ESP-AES-SHA
    set peer 172.16.11.2
    exit
    int fa0/1
    crypto map LAB-VPN
    exit
    exit
    wr

    8. Now verify that the IPsec tunnel has been successfully configured. Here are the verification
    commands to use:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    9. The configuration for IPv6 IPsec tunnel should also be similar. Please see template below.

    APNIC Training Security Lab Page 2 of 13


    Lab: Configuring IPsec

    IPv6 VPN between R13 and R15

    R13

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address ipv6 2406:6400:18::2/128
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    ipv6 access-list MATCH-IPV6
    permit 2406:6400:8000::/48 2406:6400:A000::/48
    exit
    crypto map ipv6 IPV6-LAB-VPN 10 ipsec-isakmp
    match address MATCH-IPV6
    set transform-set ESP-AES-SHA
    set peer 2406:6400:18::2
    exit
    int fa 0/1
    ipv6 crypto map IPV6-LAB-VPN
    exit
    exit
    wr

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    R15

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address ipv6 2406:6400:10::2/128
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    ipv6 access-list MATCH-IPV6
    permit 2406:6400:A000::/48 2406:6400:8000::/48
    exit
    crypto map ipv6 IPV6-LAB-VPN 10 ipsec-isakmp
    match address MATCH-IPV6
    set transform-set ESP-AES-SHA
    set peer 2406:6400:10::2
    exit
    int fa0/1

    APNIC Training Security Lab Page 3 of 13


    Lab: Configuring IPsec

    ipv6 crypto map IPV6-LAB-VPN


    exit
    exit
    wr

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    APNIC Training Security Lab Page 4 of 13


    Lab: Configuring IPsec

    IPv4 VPN between R14 and R16

    R14

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address 172.16.11.98
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    access-list 101 permit ip 172.16.18.0 0.0.0.255 172.16.22.0 0.0.0.255
    crypto map LAB-VPN 10 ipsec-isakmp
    match address 101
    set transform-set ESP-AES-SHA
    set peer 172.16.11.98
    exit
    int fa 0/1
    crypto map LAB-VPN
    exit
    exit
    wr

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    R16

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address 172.16.11.34
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    access-list 101 permit ip 172.16.22.0 0.0.0.255 172.16.18.0 0.0.0.255
    crypto map LAB-VPN 10 ipsec-isakmp
    match address 101
    set transform-set ESP-AES-SHA
    set peer 172.16.11.34
    exit
    int fa0/1
    crypto map LAB-VPN
    exit
    exit
    wr

    APNIC Training Security Lab Page 5 of 13


    Lab: Configuring IPsec

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    IPv6 VPN between R14 and R16

    R14

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address ipv6 2406:6400:1c::2/128
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    ipv6 access-list MATCH-IPV6
    permit 2406:6400:9800::/48 2406:6400:b800::/48
    exit
    crypto map ipv6 IPV6-LAB-VPN 10 ipsec-isakmp
    match address MATCH-IPV6
    set transform-set ESP-AES-SHA
    set peer 2406:6400:1c::2
    exit
    int fa 0/1
    ipv6 crypto map IPV6-LAB-VPN
    exit
    exit
    wr

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    R16

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address ipv6 2406:6400:14::2/128
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    ipv6 access-list MATCH-IPV6
    permit 2406:6400:b800::/48 2406:6400:9800::/48

    APNIC Training Security Lab Page 6 of 13


    Lab: Configuring IPsec

    exit
    crypto map ipv6 IPV6-LAB-VPN 10 ipsec-isakmp
    match address MATCH-IPV6
    set transform-set ESP-AES-SHA
    set peer 2406:6400:14::2
    exit
    int fa0/1
    ipv6 crypto map IPV6-LAB-VPN
    exit
    exit
    wr

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    APNIC Training Security Lab Page 7 of 13


    Lab: Configuring IPsec

    IPv4 VPN between R19 and R17

    R19

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address 172.16.11.130
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    access-list 101 permit ip 172.16.28.0 0.0.0.255 172.16.24.0 0.0.0.255
    crypto map LAB-VPN 10 ipsec-isakmp
    match address 101
    set transform-set ESP-AES-SHA
    set peer 172.16.11.130
    exit
    int fa 0/1
    crypto map LAB-VPN
    exit
    exit
    wr

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    R17

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address 172.16.11.194
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    access-list 101 permit ip 172.16.24.0 0.0.0.255 172.16.28.0 0.0.0.255
    crypto map LAB-VPN 10 ipsec-isakmp
    match address 101
    set transform-set ESP-AES-SHA
    set peer 172.16.11.194
    exit
    int fa0/1
    crypto map LAB-VPN
    exit
    exit
    wr

    APNIC Training Security Lab Page 8 of 13


    Lab: Configuring IPsec

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    IPv6 VPN between R19 and R17

    R19

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address ipv6 2406:6400:20::2/128
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    ipv6 access-list MATCH-IPV6
    permit 2406:6400:e000::/48 2406:6400:c000::/48
    exit
    crypto map ipv6 IPV6-LAB-VPN 10 ipsec-isakmp
    match address MATCH-IPV6
    set transform-set ESP-AES-SHA
    set peer 2406:6400:20::2
    exit
    int fa 0/1
    ipv6 crypto map IPV6-LAB-VPN
    exit
    exit
    wr

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    R17

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address ipv6 2406:6400:28::2/128
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    ipv6 access-list MATCH-IPV6
    permit 2406:6400:c000::/48 2406:6400:e000::/48

    APNIC Training Security Lab Page 9 of 13


    Lab: Configuring IPsec

    exit
    crypto map ipv6 IPV6-LAB-VPN 10 ipsec-isakmp
    match address MATCH-IPV6
    set transform-set ESP-AES-SHA
    set peer 2406:6400:28::2
    exit
    int fa0/1
    ipv6 crypto map IPV6-LAB-VPN
    exit
    exit
    wr

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    APNIC Training Security Lab Page 10 of 13


    Lab: Configuring IPsec

    IPv4 VPN between R20 and R18

    R20

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address 172.16.11.162
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    access-list 101 permit ip 172.16.30.0 0.0.0.255 172.16.26.0 0.0.0.255
    crypto map LAB-VPN 10 ipsec-isakmp
    match address 101
    set transform-set ESP-AES-SHA
    set peer 172.16.11.162
    exit
    int fa 0/1
    crypto map LAB-VPN
    exit
    exit
    wr

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    R18

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address 172.16.11.226
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    access-list 101 permit ip 172.16.26.0 0.0.0.255 172.16.30.0 0.0.0.255
    crypto map LAB-VPN 10 ipsec-isakmp
    match address 101
    set transform-set ESP-AES-SHA
    set peer 172.16.11.226
    exit
    int fa0/1
    crypto map LAB-VPN
    exit
    exit
    wr

    APNIC Training Security Lab Page 11 of 13


    Lab: Configuring IPsec

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    IPv6 VPN between R20 and R18

    R20

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address ipv6 2406:6400:24::2/128
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    ipv6 access-list MATCH-IPV6
    permit 2406:6400:f800::/48 2406:6400:d800::/48
    exit
    crypto map ipv6 IPV6-LAB-VPN 10 ipsec-isakmp
    match address MATCH-IPV6
    set transform-set ESP-AES-SHA
    set peer 2406:6400:24::2
    exit
    int fa 0/1
    ipv6 crypto map IPV6-LAB-VPN
    exit
    exit
    wr

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    R18

    config t
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    exit
    crypto isakmp key Tr@ining123 address ipv6 2406:6400:2c::2/128
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    exit
    ipv6 access-list MATCH-IPV6
    permit 2406:6400:d800::/48 2406:6400:f800::/48

    APNIC Training Security Lab Page 12 of 13


    Lab: Configuring IPsec

    exit
    crypto map ipv6 IPV6-LAB-VPN 10 ipsec-isakmp
    match address MATCH-IPV6
    set transform-set ESP-AES-SHA
    set peer 2406:6400:2c::2
    exit
    int fa0/1
    ipv6 crypto map IPV6-LAB-VPN
    exit
    exit
    wr

    Verification Command:

    sh crypto ipsec sa
    sh crypto isakmp peers
    sh crypto isakmp sa

    APNIC Training Security Lab Page 13 of 13

    You might also like