Scribd Logo
Upload

Welcome to Scribd!

  • 2 views

    5-Ex.4b - VPN-22-03-2024

    Uploaded by

    Shreyansh Chaubey

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    5-Ex.4b - VPN-22-03-2024

    Uploaded by

    Shreyansh Chaubey
    2 views6 pages

    Original Title

    5-EX.4B - VPN-22-03-2024

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    2 views6 pages

    5-Ex.4b - VPN-22-03-2024

    Uploaded by

    Shreyansh Chaubey

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 6

    Initial Setup

    1/ Use a crossover cable to connect the routers together. We are using


    the 1941 Routers for this topology.

    2/ Connect the other devices together using a straight through cable


    connection.

    3/ Perform initial router configuration.

    Configure the interface IP addresses on the routers and a default route


    on R_01 and R_03 pointing to the R_02 router. The R_02 router acts
    as an internet provider and has no knowledge of other networks
    except its directly connected network.
    1 hostname R_01
    interface g0/1
    2 ip address 172.16.1.1 255.255.255.0
    3 no shut
    4 interface g0/0
    5 ip address 100.100.100.1 255.255.255.0
    no shut
    6 exit
    7 ip route 0.0.0.0 0.0.0.0 100.100.100.2
    8
    9 hostname R_02
    10 interface g0/1
    ip address 100.100.200.2 255.255.255.0
    11 no shut
    12 interface g0/0
    13 ip address 100.100.100.2 255.255.255.0
    14 no shut
    exit
    15
    16 hostname R_03
    17 interface g0/1
    18 ip address 172.16.3.1 255.255.255.0
    19 no shut
    20 interface g0/0
    ip address 100.100.200.1 255.255.255.0
    21 no shut
    22 exit
    23 ip route 0.0.0.0 0.0.0.0 100.100.200.2
    24
    25
    26
    27
    28

    4/ Ensure that the laptops have static IP addresses configured.


    Laptop0 should have IP 172.16.1.100/24. Laptop1 should have
    172.16.3.100/24. Attempt pinging across from Laptop0 to Laptop1.
    This should fail as R_02 does not know how to route this traffic.
    1 !Laptop0
    2 ping 172.16.3.100
    3
    4 !Laptop1
    5 ping 172.16.1.100

    5/ Activate licensing on the edge routers. Ensure that you have the
    security license enabled on R_01 and R_03.
    1 show version
    2 license boot module c1900 technology-package securityk9
    3 copy run start
    4 reload
    show version
    5

    IPSec VPN Configuration


    For the IPSec Tunnel to come up. The configuration on both ends
    need to be match for both Phase 1 and Phase 2 to be successful. The
    tunnel will be formed between R_01 and R_03.

    1/ Setup an ACL that will specify which interesting traffic will be


    allowed to pass through the tunnel.
    1 !R_01
    2 access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
    3
    4 !R_03
    access-list 100 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
    5

    2/ Setup Phase 1 of the IPSec Tunnel. In this part, we define the


    ISAKMP policy and specify that we will use a preshared key. This is
    also defined in this case.
    1
    2 !R_01
    3 crypto isakmp policy 10
    4 encryption aes 256
    authentication pre-share
    5 group 5
    6 !
    7 crypto isakmp key Secret-2020 address 100.100.200.1
    8
    9 !R_03
    10 crypto isakmp policy 10
    encryption aes 256
    11 authentication pre-share
    12 group 5
    13 !
    14 crypto isakmp key Secret-2020 address 100.100.100.1
    15

    3/ Next, we setup phase 2 of the IPSec Tunnel (IPsec Transform-set).


    This is where the IKE negotiation takes place. We will be using 256 bit
    AES encryption with hash message authentication code providing
    confidentiality, integrity and authentication.
    1 ! R_01
    2 crypto ipsec transform-set R_01-R_03 esp-aes 256 esp-sha-hmac
    3
    4 ! R_03
    5 crypto ipsec transform-set R_03-R_01 esp-aes 256 esp-sha-hmac

    4/ All we need to do next is to tie Phase 1 and Phase 2 together by


    defining the crypto map
    1 !R_01
    crypto map IPSEC-CRYPTOMAP 100 ipsec-isakmp
    2 set peer 100.100.200.1
    3 set pfs group5
    4 set security-association lifetime seconds 86400
    5 set transform-set R_01-R_03
    6 match address 100
    7
    !R_03
    8 crypto map IPSEC-CRYPTOMAP 100 ipsec-isakmp
    9 set peer 100.100.100.1
    10 set pfs group5
    11 set security-association lifetime seconds 86400
    set transform-set R_03-R_01
    12 match address 100
    13
    14
    15

    5/ We then activate IPSec on the outbound interface by applying the


    crypto map to the interface.
    1 !R_01
    2 interface GigabitEthernet0/0
    3 crypto map IPSEC-CRYPTOMAP
    4
    5 !R_03
    6 interface GigabitEthernet0/0
    crypto map IPSEC-CRYPTOMAP
    7

    6/ For the tunnel to comeuppance, we need to start pings through the


    tunnel. Attempt pinging across from Laptop0 to Laptop1. The pings
    may initially fail, but if all configuration is accurate, the pings should
    succeed after a couple of tries.
    1 !Laptop0
    2 ping 172.16.3.10
    3
    4 !Laptop1
    5 ping 172.16.1.10

    7/ Finally, lets verify that the tunnel is up and running using the below
    commands:
    1 !R_01
    2 show crypto ipsec sa
    3
    4 !R_03
    5 show crypto ipsec sa

    Output of Phase 2 being successful is shown below


    1 R_01#show crypto ipsec sa
    2
    interface: GigabitEthernet0/0
    3 Crypto map tag: IPSEC-MAP, local addr 100.100.100.1
    4
    5 protected vrf: (none)
    6 local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
    7 remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
    current_peer 100.100.200.1 port 500
    8 PERMIT, flags={origin_is_acl,}
    9 #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
    10 #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
    11 #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    12 #pkts not decompressed: 0, #pkts decompress failed: 0
    13 #send errors 1, #recv errors 0
    14
    15 local crypto endpt.: 100.100.100.1, remote crypto endpt.:100.100.200.1
    16 path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
    current outbound spi: 0xD0212CD7(3491835095)
    17
    18 inbound esp sas:
    19 spi: 0x90BB08EE(2428176622)
    20 transform: esp-aes 256 esp-sha-hmac ,
    21 in use settings ={Tunnel, }
    22 conn id: 2005, flow_id: FPGA:1, crypto map: IPSEC-MAP
    sa timing: remaining key lifetime (k/sec): (4525504/86381)
    23 IV size: 16 bytes
    24 replay detection support: N
    25 Status: ACTIVE
    26
    27 inbound ah sas:
    28
    inbound pcp sas:
    29
    30 outbound esp sas:
    31 spi: 0xD0212CD7(3491835095)
    32 transform: esp-aes 256 esp-sha-hmac ,
    33 in use settings ={Tunnel, }
    34 conn id: 2006, flow_id: FPGA:1, crypto map: IPSEC-MAP
    sa timing: remaining key lifetime (k/sec): (4525504/86381)
    35 IV size: 16 bytes
    36 replay detection support: N
    37 Status: ACTIVE
    38
    39 outbound ah sas:
    40
    41 outbound pcp sas:
    42

    You might also like