VPN LLAB

VPN VPN- LAB MANUAL
Section 3 – VPN
GOAL OF THE LAB
Virtual Private Networks is intended to help you master the VPN technologies that are
available on IOS and the ASA. You will be configuring Site-to-Site, Remote Access, DMVPN,
GetVPN, CA and Flex VPNs along with some advanced features related to these
technologies.
It is recommended that you create your own diagram at the beginning of each lab so any
potential information you find useful during your preparations can be reflected on this
drawing, making it much easier when you step into the real lab.
Multiple topology drawings are available for this chapter.
General Rules: - This lab will focus strictly on the Virtual Private Networks. You will need to
pre-configure the network with the base configuration files.
LAB-3.1: - SITE TO SITE VPN
1
VPN VPN- LAB MANUAL
LAB-SETUP
 Configure R14, R15 & R16(ISP) with the IP mentioned in the table
 Configure the telnet on the respective routers using password “cisco”
 For the Internet, the Default routes on R14 and R15 with the next hop as
corresponding interface IP of R16.
Device Interface IP
R14 Gi0/0 1.1.1.1/24

Loopback1 192.168.1.1
R15 Gi0/0 2.2.2.2/24

Loopback1 192.168.2.2
R16 Gi0/0 1.1.1.2/24

Gi0/1 2.2.2.1/24
Configuration on Router: -
R14:
hostname R14
2
VPN VPN- LAB MANUAL
interface gi0/0
no shut
ip address 1.1.1.1 255.255.255.0
interface loop 1
ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 1.1.1.2
R15:
hostname R15
interface gi0/0
no shut
ip address 2.2.2.2 255.255.255.0
interface loop 1
ip address 192.168.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 2.2.2.1
3
VPN VPN- LAB MANUAL
R16:
hostname R16
interface gi0/0
no shut
ip address 1.1.1.2 255.255.255.0
interface gi0/1
no shut
ip address 2.2.2.1 255.255.255.0
Verifications:
R14#show ip int br
Interface IP-Address OK? Method Status

Protocol
GigabitEthernet0/0 1.1.1.1 YES manual up up
Loopback1 192.168.1.1 YES manual up up
R15#show ip route static
S* 0.0.0.0/0 [1/0] via 1.1.1.2
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected , GigabitEthernet0/0
4
VPN VPN- LAB MANUAL
L 1.1.1.1/32 is directly connected, GigabitEthernet0/0
C 192.168.1.0/24 is directly connected, Loopback1
L 192.168.1.1/32 is directly connected, Loopback1
R15# show ip interface brief

Protocol
S* 0.0.0.0/0 [1/0] via 2.2.2.1
R16#show ip int br
Interface IP-Address OK? Method Status Protocol
R14#ping 2.2.2.2
Type escape sequence to abort.
5
VPN VPN- LAB MANUAL
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms
R15#ping 1.1.1.1
!!!!!
TASK1 SITE TO SITE IPSEC VPN (IOS-IOS) R14-R15
 Configure basic Site to Site IPSec VPN in Main Mode to protect traffic
between IP addresses 192.168.1.1 and 192.168.2.2 using the following policy:
ISAKMP Policy IPSec Policy
Authentication: Pre-share Encryption: esp-aes

Encryption: AES Hash: SHA
Hash: SHA
DH Group: 5
Lifetime: 1800
6
VPN VPN- LAB MANUAL
R14:
crypto isakmp policy 10
encryption aes
authentication pre-share
hash sha
group 5
lifetime 1800
crypto isakmp key cisco address 2.2.2.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
ip access-list extended VPN
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
set transform-set TS
set peer 2.2.2.2
match address VPN
interface gi0/0
7
VPN VPN- LAB MANUAL
crypto map CMAP
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
ISAKMP is enabled and working. The router will be processing IKE packets (UDP protocol, port 500) for
establishing ISAKMP “auxiliary” tunnel which will be used to negotiate securely parameters of an IPSec
tunnel.
R15:
encryption aes
hash sha
group 5
lifetime 1800
crypto isakmp key cisco address 1.1.1.1
mode tunnel
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
8
VPN VPN- LAB MANUAL
set peer 1.1.1.1
match address VPN
interface gi0/0
crypto map CMAP
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
ISAKMP is enabled and working. The router will be processing IKE packets (UDP protocol, port 500) for
establishing ISAKMP “auxiliary” tunnel which will be used to negotiate securely parameters of an IPSec
tunnel.
R14#debug crypto isakmp
Crypto ISAKMP debugging is on
R14#ping 192.168.1.1 source 192.168.2.2
“The first ICMP packet triggers ISAKMP process as this is our interesting traffic
matching our ACL. Before actually start sending IKE packets to the peer the
router first checks if there is any local SA (Security Association) matching that
traffic. Note that this check is against IPSec SA not IKE SA.OK, no SA means there
must be IKE packet send out.”
9
VPN VPN- LAB MANUAL
Packet sent with a source address of 192.168.1.1
*Apr 6 12:33:13.420: ISAKMP: (0):SA request profile is (NULL)
*Apr 6 12:33:13.421: ISAKMP: (0):Created a peer struct for 2.2.2.2, peer port
500
*Apr 6 12:33:13.421: ISAKMP: (0):New peer created peer = 0xDA5D530

peer_handle = 0x80000002
*Apr 6 12:33:13.422: ISAKMP: (0):Locking peer struct 0xDA5D530, refcount 1

for isakmp_initiator
*Apr 6 12:33:13.422: ISAKMP: (0):local port 500, remote port 500
*Apr 6 12:33:13.423: ISAKMP: (0):set new node 0 to QM_IDLE
*Apr 6 12:33:13.425: ISAKMP: (0):insert sa successfully sa = CBA6CB8
*Apr 6 12:33:13.426: ISAKMP: (0):Can not start Aggressive mode, trying Main
mode.
“The router has started IKE Main Mode (it is a default)”
*Apr 6 12:33:13.426: ISAKMP: (0):found peer pre-shared key matching 2.2.2.2
“Pre-shared key for remote peer has been found. ISAKMP will use it to
authenticate the peer during one of the last stages of IKE Phase 1. “
*Apr 6 12:33:13.428: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Apr 6 12:33:13.428: ISAKMP: (0):constructed NAT-T vendor-07 ID

10
VPN VPN- LAB MANUAL
*Apr 6 12:33:13.429: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC,

IKE_SA_REQ_MM
*Apr 6 12:33:13.430: ISAKMP: (0):Old State = IKE_READY New State =

IKE_I_MM1
*Apr 6 12:33:13.430: ISAKMP: (0):beginning Main Mode exchange
*Apr 6 12:33:13.431: ISAKMP-PAK: (0):sending packet to 2.2.2.2 my_port 500

peer_port 500 (I) MM_NO_STATE
“The router initiating IKE exchange is called “the initiator”. The router
responding to IKE request is called “the responder”. The initiator (R1) has sent
ISAKMP policy along with vendor specific IDs which are a part of IKE packet
payload. MM_NO_STATE indicates that ISAKMP SA has been created, but
nothing else has happened yet. “
*Apr 6 12:33:13.431: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 6 12:33:13.488: ISAKMP-PAK: (0):received packet from 2.2.2.2 dport 500

sport 500 Global (I) MM_NO_STATE
“The responder (R2) has responded with IKE packet that contains negotiated
ISAKMP policy along with its vendor specific IDs. Note that the IKE Main Mode
state is still MM_NO_STATE. “
11
VPN VPN- LAB MANUAL
*Apr 6 12:33:13.493: ISAKMP: (0):Input = IKE_MESG_FROM_PEER,

IKE_MM_EXCH
*Apr 6 12:33:13.494: ISAKMP: (0):Old State = IKE_I_MM1 New State =

IKE_I_MM2
*Apr 6 12:33:13.497: ISAKMP: (0):processing SA payload. message ID = 0
*Apr 6 12:33:13.498: ISAKMP: (0):processing vendor id payload
*Apr 6 12:33:13.498: ISAKMP: (0):vendor ID seems Unity/DPD but major 69

mismatch
*Apr 6 12:33:13.499: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Apr 6 12:33:13.500: ISAKMP: (0):local preshared key found
*Apr 6 12:33:13.500: ISAKMP: (0):Scanning profiles for xauth ...
*Apr 6 12:33:13.501: ISAKMP: (0):Checking ISAKMP transform 1 against priority

10 policy
*Apr 6 12:33:13.501: ISAKMP: (0): encryption AES-CBC
*Apr 6 12:33:13.501: ISAKMP: (0): keylength of 128
*Apr 6 12:33:13.502: ISAKMP: (0): hash SHA
*Apr 6 12:33:13.502: ISAKMP: (0): default group 5
*Apr 6 12:33:13.503: ISAKMP: (0): auth pre-share
*Apr 6 12:33:13.503: ISAKMP: (0): life type in seconds
*Apr 6 12:33:13.503: ISAKMP: (0): life duration (basic) of 1800
*Apr 6 12:33:13.504: ISAKMP: (0):atts are acceptable. Next payload is 0
12
VPN VPN- LAB MANUAL
“The router is processing ISAKMP parameters that have been sent as the
reply.Vendor IDs are processed to determine if peer supports e.g. NAT-
Traversal, Dead Peer Detection feature. ISAKMP policy is checked against
policies defined locally.
“atts are acceptable” indicates that ISAKMP policy matches with remote peer.
Remember that comparing the policy that has been obtained from remote peer
with locally defined polices starting from the lowest index (number) of policy
defined in the running config. “
*Apr 6 12:33:13.504: ISAKMP: (0):Acceptable atts:actual life: 0
*Apr 6 12:33:13.504: ISAKMP: (0):Acceptable atts:life: 0
*Apr 6 12:33:13.505: ISAKMP: (0):Basic life_in_seconds:1800
*Apr 6 12:33:13.505: ISAKMP: (0):Returning Actual lifetime: 1800
*Apr 6 12:33:13.506: ISAKMP: (0):Started lifetime timer: 1800.
“The lifetime timer has been started. Note that default value of “lifetime” is used
(86400 seconds). This is lifetime for ISAKMP SA. Note that IPSEC SAs have their
own lifetime parameters which may be defined as number of seconds or
kilobytes of transmitted traffic.”

mismatch
*Apr 6 12:33:13.508: ISAKMP: (0):Input = IKE_MESG_INTERNAL,

IKE_PROCESS_MAIN_MODE
13
VPN VPN- LAB MANUAL

IKE_I_MM2
“IKE Phase 1 (Main Mode) message 3 The third message is sent out containing
KE (Key Exchange) information for DH (Diffie-Hellman) secure key exchange
process.“

peer_port 500 (I) MM_SA_SETUP

IKE_PROCESS_COMPLETE

IKE_I_MM3
"4th message has been received from the peer. This message contains KE
payload and base on that information both peers can generate a common
session key to be used in securing further communication. The pre-shared key
configured locally for the peer is used in this calculation. After receiving this
message peers can also be able to determine if there is a NAT along the path."

sport 500 Global (I) MM_SA_SETUP

IKE_MM_EXCH
14
VPN VPN- LAB MANUAL

IKE_I_MM4
“MM_SA_SETUP” idicates that the peers have agreed on parameters for the
ISAKMP SA.
*Apr 6 12:33:14.304: ISAKMP: (0):processing KE payload. message ID = 0
*Apr 6 12:33:14.316: ISAKMP: (0):processing NONCE payload. message ID = 0
*Apr 6 12:33:14.318: ISAKMP: (1001):vendor ID is Unity
*Apr 6 12:33:14.319: ISAKMP: (1001):vendor ID is DPD
*Apr 6 12:33:14.320: ISAKMP: (1001):speaking to another IOS box!
*Apr 6 12:33:14.320: ISAKMP: (1001):received payload type 20
*Apr 6 12:33:14.321: ISAKMP: (1001):His hash no match - this node outside NAT
*Apr 6 12:33:14.322: ISAKMP: (1001):No NAT Found for self or peer


IKE_I_MM4
15
VPN VPN- LAB MANUAL
“IKE Phase 1 (Main Mode) message 5. Fifth message is used for sending out
authentication information the peer. This information is transmitted under the
protection of the common shared secret. “
*Apr 6 12:33:14.327: ISAKMP: (1001):Send initial contact
*Apr 6 12:33:14.328: ISAKMP: (1001):SA is doing
*Apr 6 12:33:14.328: ISAKMP: (1001):pre-shared key authentication using id

type ID_IPV4_ADDR
*Apr 6 12:33:14.328: ISAKMP: (1001):ID payload
next-payload : 8
type :1
*Apr 6 12:33:14.329: ISAKMP: (1001): address : 1.1.1.1
*Apr 6 12:33:14.329: ISAKMP: (1001): protocol : 17
port : 500
length : 12
*Apr 6 12:33:14.330: ISAKMP: (1001):Total payload length: 12
*Apr 6 12:33:14.331: ISAKMP-PAK: (1001):sending packet to 2.2.2.2 my_port

500 peer_port 500 (I) MM_KEY_EXCH
“MM_KEY_EXCH” indicates that the peers have exchanged Diffie-Hellman public

keys and have generated a shared secret. The ISAKMP SA remains
unauthenticated. Note that the process of authentication has been just started.
16
VPN VPN- LAB MANUAL


IKE_I_MM5
IKE Phase 1 (Main Mode) message 6. The peer identity is verified by the local
router and SA is established. This message finishes ISAKMP Main Mode (Phase
I) and the status is changed to IKE_P1_COMPLETE.
*Apr 6 12:33:14.783: ISAKMP-PAK: (1001):received packet from 2.2.2.2 dport

500 sport 500 Global (I) MM_KEY_EXCH
*Apr 6 12:33:14.783: ISAKMP: (1001):processing ID payload. message ID = 0
next-payload : 8
type :1
port : 500
length : 12
*Apr 6 12:33:14.783: ISAKMP: (0):peer matches *none* of the profiles
*Apr 6 12:33:14.783: ISAKMP: (1001):processing HASH payload. message ID = 0
*Apr 6 12:33:14.785: ISAKMP: (1001):SA authentication status:
authenticated
*Apr 6 12:33:14.785: ISAKMP: (1001):SA has been authenticated with 2.2.2.2
*Apr 6 12:33:14.785: ISAKMP: (0):Trying to insert a peer 1.1.1.1/2.2.2.2/500/,

17
VPN VPN- LAB MANUAL
*Apr 6 12:33:14.786: ISAKMP: (0): and inserted successfully DA5D530.
“The peer has been authenticated now. Note that SA number has been
generated and inserted into SADB along with the information relevant to the
peer which has been agreed during IKE Main Mode.”

IKE_MM_EXCH

IKE_I_MM6


IKE_I_MM6


IKE_P1_COMPLETE
*Apr 6 12:33:14.802: ISAKMP: (1001):beginning Quick Mode exchange, M-ID of

584614645
*Apr 6 12:33:14.803: ISAKMP: (1001):QM Initiator gets spi
18
VPN VPN- LAB MANUAL

500 peer_port 500 (I) QM_IDLE
*Apr 6 12:33:14.808: ISAKMP: (1001):Node 584614645, Input =

IKE_MESG_INTERNAL, IKE_INIT_QM
*Apr 6 12:33:14.809: ISAKMP: (1001):Old State = IKE_QM_READY New State =

IKE_QM_I_QM1

IKE_PHASE1_COMPLETE
*Apr 6 12:33:14.809: ISAKMP: (1001):Old State = IKE_P1_COMPLETE New State

= IKE_P1_COMPLETE
"IKE Phase 2 (Quick Mode) message 2Second QM message is a response from

the peer. It contains IPSec policy chosen by the peer and peer’s proxy ID. This is
a next place where something can go wrong if the Proxy IDs are different on
both sides of the tunnel. The router cross-checks if its Proxy ID is a mirrored
peer’s Proxy ID."

500 sport 500 Global (I) QM_IDLE
“The state of IKE is “QM_IDLE”. This indicates that the ISAKMP SA is idle. It
remains authenticated with its peer and may be used for subsequent quick
mode exchanges. It is in a quiescent state. “
19
VPN VPN- LAB MANUAL
*Apr 6 12:33:14.865: ISAKMP: (1001):processing HASH payload. message ID =

584614645
*Apr 6 12:33:14.866: ISAKMP: (1001):processing SA payload. message ID =

584614645
*Apr 6 12:33:14.866: ISAKMP: (1001):Checking IPSec proposal 1
*Apr 6 12:33:14.867: ISAKMP: (1001):transform 1, ESP_AES
*Apr 6 12:33:14.867: ISAKMP: (1001): attributes in transform:
*Apr 6 12:33:14.867: ISAKMP: (1001): encaps is 1 (Tunnel)
*Apr 6 12:33:14.868: ISAKMP: (1001): SA life type in seconds
*Apr 6 12:33:14.868: ISAKMP: (1001): SA life duration (basic) of 3600
*Apr 6 12:33:14.868: ISAKMP: (1001): SA life type in kilobytes
*Apr 6 12:33:14.869: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Apr 6 12:33:14.871: ISAKMP: (1001): authenticator is HMAC-SHA
*Apr 6 12:33:14.871: ISAKMP: (1001): key length is 128
*Apr 6 12:33:14.871: ISAKMP: (1001):atts are acceptable.
“The routers are negotiating parameters for IPSec tunnel which will be used for
traffic transmission. These parameters are defined by “crypto ipsec transform-
set” command. Note that lifetime values of IPSec SA are visible at this moment.
You are able to set it both: globally or in the crypto map entry. “Attr are
acceptable” indicates that IPSec parameters defined as IPSec transform-set
match at the both sides. “
20
VPN VPN- LAB MANUAL
*Apr 6 12:33:14.873: ISAKMP: (1001):processing NONCE payload. message ID =

584614645
*Apr 6 12:33:14.873: ISAKMP: (1001):processing ID payload. message ID =

584614645

584614645

IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Apr 6 12:33:14.875: ISAKMP: (1001):Old State = IKE_QM_I_QM1 New State =

IKE_QM_IPSEC_INSTALL_AWAIT
*Apr 6 12:33:14.898: ISAKMP-ERROR: (0):Failed to find peer index node to

update peer_info_list
*Apr 6 12:33:14.901: ISAKMP: (1001):Received IPSec Install callback...

proceeding with the negotiation
*Apr 6 12:33:14.901: ISAKMP: (1001):Successfully installed IPSEC SA

(SPI:0xEE7282CA) on GigabitEthernet0/0

500 peer_port 500 (I) QM_IDLE
"The IPSec SA have been created and inserted in the router’s security
associations database (SADB). SAs are distinguished by SPI values which are also
used to differentiate many tunnels terminated on the same router. Note that
two SPI values are generated for one tunnel: one SPI for inbound SA and one SPI
for outbound SA. SPI value is inserted in the ESP header of the packet leaving
the router. At the second side of the tunnel, SPI value inserted into the ESP
header enables the router to reach parameters and keys which have been
dynamically agreed during IKE negotiations or session key refreshment in case
of lifetime timeout. The SPI value is an index of entities in the router’s SADB."
21
VPN VPN- LAB MANUAL
*Apr 6 12:33:14.908: ISAKMP: (1001):deleting node 584614645 error FALSE

reason "No Error"

IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Apr 6 12:33:14.908: ISAKMP: (1001):Old State =

IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
R15#debug crypto isakmp
Crypto ISAKMP debugging is on

sport 500 Global (N) NEW SA
*Apr 6 12:33:11.901: ISAKMP: (0):Created a peer struct for 1.1.1.1, peer port
500
*Apr 6 12:33:11.901: ISAKMP: (0):New peer created peer = 0xEAD03B0

peer_handle = 0x80000002
*Apr 6 12:33:11.902: ISAKMP: (0):Locking peer struct 0xEAD03B0, refcount 1

for crypto_isakmp_process_block
*Apr 6 12:33:11.902: ISAKMP: (0):local port 500, remote port 500
*Apr 6 12:33:11.903: ISAKMP: (0):insert sa successfully sa = 103CAE40

IKE_MM_EXCH
*Apr 6 12:33:11.908: ISAKMP: (0):Old State = IKE_READY New State =

IKE_R_MM1
22
VPN VPN- LAB MANUAL
*Apr 6 12:33:11.912: ISAKMP: (0):processing SA payload. message ID = 0

mismatch

mismatch
*Apr 6 12:33:11.915: ISAKMP: (0):vendor ID is NAT-T v7

mismatch

mismatch
*Apr 6 12:33:11.918: ISAKMP: (0):local preshared key found
*Apr 6 12:33:11.919: ISAKMP: (0):Scanning profiles for xauth ...
*Apr 6 12:33:11.919: ISAKMP: (0):Checking ISAKMP transform 1 against priority

10 policy
*Apr 6 12:33:11.919: ISAKMP: (0): encryption AES-CBC
*Apr 6 12:33:11.920: ISAKMP: (0): keylength of 128
*Apr 6 12:33:11.920: ISAKMP: (0): hash SHA

23
VPN VPN- LAB MANUAL
*Apr 6 12:33:11.920: ISAKMP: (0): default group 5
*Apr 6 12:33:11.921: ISAKMP: (0): auth pre-share
*Apr 6 12:33:11.921: ISAKMP: (0): life type in seconds
*Apr 6 12:33:11.922: ISAKMP: (0): life duration (basic) of 1800
*Apr 6 12:33:11.922: ISAKMP: (0):atts are acceptable. Next payload is 0
*Apr 6 12:33:11.922: ISAKMP: (0):Acceptable atts:actual life: 1800
*Apr 6 12:33:11.923: ISAKMP: (0):Acceptable atts:life: 0
*Apr 6 12:33:11.923: ISAKMP: (0):Basic life_in_seconds:1800
*Apr 6 12:33:11.924: ISAKMP: (0):Returning Actual lifetime: 1800
*Apr 6 12:33:11.924: ISAKMP: (0):Started lifetime timer: 1800.

mismatch

mismatch

mismatch
24
VPN VPN- LAB MANUAL

mismatch

*Apr 6 12:33:11.930: ISAKMP: (0):Old State = IKE_R_MM1 New State =

IKE_R_MM1
*Apr 6 12:33:11.936: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID

peer_port 500 (R) MM_SA_SETUP


IKE_R_MM2

sport 500 Global (R) MM_SA_SETUP

IKE_MM_EXCH

IKE_R_MM3
*Apr 6 12:33:11.986: ISAKMP: (0):processing KE payload. message ID = 0
*Apr 6 12:33:11.997: ISAKMP: (0):processing NONCE payload. message ID = 0
25
VPN VPN- LAB MANUAL
*Apr 6 12:33:12.000: ISAKMP: (1001):vendor ID is DPD
*Apr 6 12:33:12.001: ISAKMP: (1001):speaking to another IOS box!
*Apr 6 12:33:12.002: ISAKMP: (1001):vendor ID seems Unity/DPD but major

213 mismatch
*Apr 6 12:33:12.002: ISAKMP: (1001):vendor ID is XAUTH
*Apr 6 12:33:12.003: ISAKMP: (1001):His hash no match - this node outside NAT
*Apr 6 12:33:12.004: ISAKMP: (1001):No NAT Found for self or peer


IKE_R_MM3

500 peer_port 500 (R) MM_KEY_EXCH


IKE_R_MM4
26
VPN VPN- LAB MANUAL

500 sport 500 Global (R) MM_KEY_EXCH

IKE_MM_EXCH

IKE_R_MM5
*Apr 6 12:33:13.536: ISAKMP: (1001):processing ID payload. message ID = 0
next-payload : 8
type :1
port : 500
length : 12
*Apr 6 12:33:13.538: ISAKMP: (0):peer matches *none* of the profiles
*Apr 6 12:33:13.539: ISAKMP: (1001):processing HASH payload. message ID = 0
*Apr 6 12:33:13.540: ISAKMP: (1001):processing NOTIFY INITIAL_CONTACT

protocol 1
spi 0, message ID = 0, sa = 0x103CAE40
authenticated
*Apr 6 12:33:13.541: ISAKMP: (1001):SA has been authenticated with 1.1.1.1
27
VPN VPN- LAB MANUAL
authenticated
*Apr 6 12:33:13.542: ISAKMP: (1001):Process initial contact,
bring down existing phase 1 and 2 SA's with local 2.2.2.2 remote 1.1.1.1 remote
port 500
*Apr 6 12:33:13.544: ISAKMP: (0):Trying to insert a peer 2.2.2.2/1.1.1.1/500/,
*Apr 6 12:33:13.545: ISAKMP: (0): and inserted successfully EAD03B0.


IKE_R_MM5
*Apr 6 12:33:13.550: ISAKMP: (1001):SA is doing
*Apr 6 12:33:13.550: ISAKMP: (1001):pre-shared key authentication using id

type ID_IPV4_ADDR
next-payload : 8
type :1
port : 500
length : 12
*Apr 6 12:33:13.552: ISAKMP: (1001):Total payload length: 12

500 peer_port 500 (R) MM_KEY_EXCH
28
VPN VPN- LAB MANUAL


IKE_P1_COMPLETE

IKE_PHASE1_COMPLETE
*Apr 6 12:33:13.560: ISAKMP: (1001):Old State = IKE_P1_COMPLETE New State

= IKE_P1_COMPLETE

500 sport 500 Global (R) QM_IDLE
*Apr 6 12:33:13.595: ISAKMP: (1001):set new node 584614645 to QM_IDLE
*Apr 6 12:33:13.597: ISAKMP: (1001):processing HASH payload. message ID =

584614645
*Apr 6 12:33:13.597: ISAKMP: (1001):processing SA payload. message ID =

584614645
*Apr 6 12:33:13.598: ISAKMP: (1001):Checking IPSec proposal 1
*Apr 6 12:33:13.598: ISAKMP: (1001):transform 1, ESP_AES
*Apr 6 12:33:13.599: ISAKMP: (1001): attributes in transform:
*Apr 6 12:33:13.599: ISAKMP: (1001): encaps is 1 (Tunnel)
*Apr 6 12:33:13.600: ISAKMP: (1001): SA life type in seconds
*Apr 6 12:33:13.600: ISAKMP: (1001): SA life duration (basic) of 3600
*Apr 6 12:33:13.601: ISAKMP: (1001): SA life type in kilobytes
29
VPN VPN- LAB MANUAL
*Apr 6 12:33:13.601: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Apr 6 12:33:13.603: ISAKMP: (1001): authenticator is HMAC-SHA
*Apr 6 12:33:13.604: ISAKMP: (1001): key length is 128
*Apr 6 12:33:13.604: ISAKMP: (1001):atts are acceptable.
*Apr 6 12:33:13.606: ISAKMP: (1001):processing NONCE payload. message ID =

584614645

584614645

584614645
*Apr 6 12:33:13.609: ISAKMP: (1001):QM Responder gets spi

*Apr 6 12:33:13.610: ISAKMP: (1001):Old State = IKE_QM_READY New State =

IKE_QM_SPI_STARVE

IKE_MESG_INTERNAL, IKE_GOT_SPI
*Apr 6 12:33:13.614: ISAKMP: (1001):Old State = IKE_QM_SPI_STARVE New

State = IKE_QM_IPSEC_INSTALL_AWAIT
*Apr 6 12:33:13.628: ISAKMP-ERROR: (0):Failed to find peer index node to

update peer_info_list
*Apr 6 12:33:13.630: ISAKMP: (1001):Received IPSec Install callback...

proceeding with the negotiation
*Apr 6 12:33:13.631: ISAKMP: (1001):Successfully installed IPSEC SA

(SPI:0x5E997667) on GigabitEthernet0/0

500 peer_port 500 (R) QM_IDLE
30
VPN VPN- LAB MANUAL

IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Apr 6 12:33:13.641: ISAKMP: (1001):Old State =

IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2

500 sport 500 Global (R) QM_IDLE
*Apr 6 12:33:13.695: ISAKMP: (1001):deleting node 584614645 error FALSE

reason "QM done (await)"

*Apr 6 12:33:13.696: ISAKMP: (1001):Old State = IKE_QM_R_QM2 New State

= IKE_QM_PHASE2_COMPLETE
*Apr 6 12:34:03.695: ISAKMP: (1001):purging node 584614645
Verification:
R14#show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.2.2.2 1.1.1.1 QM_IDLE 1001 ACTIVE

This is the normal state of established IKE tunnel.
R14#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
31
VPN VPN- LAB MANUAL
T - cTCP encapsulation, X - IKE Extended Authentication

psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 1.1.1.1 2.2.2.2 ACTIVE aes sha psk 5 00:14:39

Engine-id:Conn-id = SW:1

Negotiated ISAKMP policy is visible. This command is useful to figure out which policy has been used
for establishing the IKE tunnel when there are several polices matching at the both sides.
R14#show crypto ipsec sa
interface: GigabitEthernet0/0
This command shows information regarding the interfaces and defined crypto.
Crypto map tag: CMAP, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 2.2.2.2 port 500
32
VPN VPN- LAB MANUAL
The proxies (source and destination of interesitng traffic) are displayed. “0/0”
after IP address and netmask indicates that IP protocol is transported in the
tunnel.
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
Very important output usefull for the IPSec debugging and

troubleshooting. This indicates that outgoing packets are: encapsulated by ESP,
encrypted and digested (the hash has been made to discover any alterations).
The second marked line indicates that incomming packets are: decapsulated
(the IPSec header have been extracted), decrypted and hash/digest has been
verified.
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb
GigabitEthernet0/0
33
VPN VPN- LAB MANUAL
current outbound spi: 0x5E997667(1587115623)
PFS (Y/N): N, DH group: none
This output contains useful information relevant to unidirectional SA. This shows
the following: used IPSec protocol (ESP), SPI value, used transform-set
(encryption algorithm along with hash function), ESP mode (tunnel or
transport), connection ID, crypto map and lifetime values in second and
kilobytes which remains to session key refreshment (tunnel will be terminated
instead of key refreshment if no packets need to be transported via tunnel when
SA expired).
inbound esp sas:
spi: 0xEE7282CA(4000481994)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4372478/2659)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
34
VPN VPN- LAB MANUAL
outbound esp sas:
spi: 0x5E997667(1587115623)
IV size: 16 bytes
outbound ah sas:
outbound pcp sas:
R14#show crypto ipsec sa address

fvrf/address: (none)/1.1.1.1
protocol: ESP
spi: 0xEE7282CA(4000481994)
IV size: 16 bytes
35
VPN VPN- LAB MANUAL
fvrf/address: (none)/2.2.2.2
protocol: ESP
spi: 0x5E997667(1587115623)
IV size: 16 bytes
R51#show crypto engine connections active

Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address

1 IPsec AES+SHA 0 4 4 1.1.1.1
2 IPsec AES+SHA 4 0 0 1.1.1.1
1001 IKE SHA+AES 0 0 0 1.1.1.
R14#show crypto engine connections dh

Number of DH's pregenerated = 4
DH lifetime = 86400 seconds
Software Crypto Engine:

Conn Status Group Time left
36
VPN VPN- LAB MANUAL
1 Pregen Group 2 --
2 Used Group 5 659
4 Pregen Group 5 --
5 Pregen Group 5 --
6 Pregen Group 5 --
TASK2 SITE TO SITE IPSEC VPN AGGRESSIVE MODE (IOS-IOS) R14-

R15
LAB-SETUP
 Configure R14, R15 & R16(ISP) with the IP mentioned in the table
 For the Internet, configure the Default routes on R14 and R15 with the next
hop as corresponding interface IP of R16.
Device Interface IP
R14 Gi0/0 1.1.1.1/24

Loopback1 192.168.1.1
37
VPN VPN- LAB MANUAL
R15 Gi0/0 2.2.2.2/24

Loopback1 192.168.2.2
R16 Gi0/0 1.1.1.2/24

Gi0/1 2.2.2.1/24
 Configure basic Site to Site IPSec VPN in Aggressive Mode to protect traffic
between IP addresses 192.168.1.1 and 192.168.2.2 using the following policy:
ISAKMP Policy IPSec Policy
Policy : 20 Transform-set : TSET

Authentication: Pre-share (cisco) Encryption: esp-aes
Encryption: 3des Hash: SHA
Hash: md5
DH Group: 2
Lifetime: 1800
R14:
hostname R14
38
VPN VPN- LAB MANUAL
interface gi0/0
no shut
ip address 1.1.1.1 255.255.255.0
interface loop 1
ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 1.1.1.2
R15:
hostname R15
interface gi0/0
no shut
ip address 2.2.2.2 255.255.255.0
interface loop 1
ip address 192.168.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 2.2.2.1
39
VPN VPN- LAB MANUAL
R16:
hostname R16
interface gi0/0
no shut
ip address 1.1.1.2 255.255.255.0
interface gi0/1
no shut
ip address 2.2.2.1 255.255.255.0
Verifications:
R14#show ip int br

Protocol
S* 0.0.0.0/0 [1/0] via 1.1.1.2
C 1.1.1.0/24 is directly connected , GigabitEthernet0/0
40
VPN VPN- LAB MANUAL
R15# show ip interface brief

Protocol
S* 0.0.0.0/0 [1/0] via 2.2.2.1
R16#show ip int br
R14#ping 2.2.2.2
41
VPN VPN- LAB MANUAL
!!!!!
R15#ping 1.1.1.1
!!!!!
Configuration on Routers:
R14:
encr 3des
hash md5
group 2
lifetime 1800
crypto isakmp peer address 2.2.2.2
set aggressive-mode password cisco
set aggressive-mode client-endpoint ipv4-address 2.2.2.2
42
VPN VPN- LAB MANUAL
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode tunnel
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set TSET
match address VPN
int gi0/0
crypto map MAP
R15:
encr 3des
hash md5
group 2
lifetime 1800
crypto isakmp peer address 1.1.1.1
43
VPN VPN- LAB MANUAL
set aggressive-mode password cisco
set aggressive-mode client-endpoint ipv4-address 1.1.1.1
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
mode tunnel
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set TSET
match address VPN
int gi0/0
crypto map MAP
2.2.2.2 1.1.1.1 QM_IDLE 1002 ACTIVE
44
VPN VPN- LAB MANUAL
GigabitEthernet0/0
current outbound spi: 0x77846439(2005165113)
inbound esp sas:
spi: 0xFE115C8F(4262550671)
45
VPN VPN- LAB MANUAL
IV size: 16 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x77846439(2005165113)
IV size: 16 bytes
outbound ah sas:
46
VPN VPN- LAB MANUAL
outbound pcp sas:
LAB-3.2: - CERTIFICATE AUTHORITY WITH CRYPTO ROUTE
LAB-SETUP
 Configure R51[CA], R53, R54, R52[ISP] with the IP mentioned in the table
 For the Internet, the BGP configuration should be as follows.
o R51 is in the BGP AS 3
47
VPN VPN- LAB MANUAL

o Peer all the sites with the ISP using BGP
o Use the BGP authentication password as “cisco” [without quotes]
and encrypt using md5
Device Interface IP
R51 Gi1 20.13.13.1/24

Loopback0 192.168.13.1/24
R53 Gi1 20.14.14.1/24

Loopback1 192.168.14.1/24
R54 Gi1 20.15.15.1/24

Loopback1 192.168.15.1/24
R52 Gi3 20.14.14.2/24

Gi5 20.15.15.2/24
Gi1 20.13.13.2/24
Configuration on Routers:
R51(CA):
interface gi1
48
VPN VPN- LAB MANUAL
no shut
ip address 20.13.13.1 255.255.255.0
interface loop 0
ip address 192.168.13.1 255.255.255.0
router bgp 3
bgp router-id 3.3.3.3
nei 20.13.13.2 remote-as 345
network 192.168.13.0 mask 255.255.255.0
network 20.13.13.0 mask 255.255.255.0
R53:
interface gi1
no shut
ip address 20.14.14.1 255.255.255.0
interface loop 1
ip address 192.168.14.1 255.255.255.0
router bgp 4
49
VPN VPN- LAB MANUAL
nei 20.14.14.2 remote-as 345
network 192.168.14.0
network 20.14.14.0 mask 255.255.255.0
R54:
interface gi1
no shut
ip address 20.15.15.1 255.255.255.0
interface loop 1
ip address 192.168.15.1 255.255.255.0
router bgp 5
nei 20.15.15.2 remote-as 345
network 192.168.15.0
network 20.15.15.0 mask 255.255.255.0
R52(ISP):
50
VPN VPN- LAB MANUAL
interface gi3
no shut
ip address 20.14.14.2 255.255.255.0
interface gi5
no shut
ip address 20.15.15.2 255.255.255.0
interface gi1
no shut
ip address 20.13.13.2 255.255.255.0
interface loop0
ip address 192.168.16.1 255.255.255.0
router bgp 345
nei 20.14.14.1 remote-as 4
network 192.168.16.0 mask 255.255.255.0
Verification:
51
VPN VPN- LAB MANUAL
R51#ping 20.15.15.1
!!!!!
R51#ping 20.14.14.1
!!!!!
R51#ping 20.13.13.1
!!!!!
R52#show ip bgp summary
BGP router identifier 17.17.17.17, local AS number 345
BGP table version is 9, main routing table version 9
4 network entries using 992 bytes of memory
52
VPN VPN- LAB MANUAL
5 path entries using 600 bytes of memory
4/4 BGP path/bestpath attribute entries using 1024 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2688 total bytes of memory
BGP activity 4/0 prefixes, 7/2 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down

State/PfxRcd
20.13.13.1 4 3 18 21 9 0 0 00:11:54 2
20.14.14.1 4 4 17 21 9 0 0 00:11:57 1
20.15.15.1 4 5 10 15 9 0 0 00:04:58 1
TASK1 CONFIGURE NTP
 To ensure all devices in the network have the same time configure NTP server
on R51.
 The server should authenticate the clients with a password of “cisco”.
 Configure rest of devices as NTP clients to the R51 as NTP source.
 Make sure the time zone for all the device is PST with zone name as ccnp.
53
VPN VPN- LAB MANUAL
Configuration on Router
R51:
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp source GigabitEthernet4
ntp master 1
clock timezone ccnp -8
clock set 14:15:00 9 Sep 2018 change to the curent date
R53 & 54:
ntp server 150.1.7.184 key 1
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
clock timezone ccnp -8
Verification
54
VPN VPN- LAB MANUAL
R51#show ntp status
Clock is synchronized, stratum 1, reference is .LOCL.
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
ntp uptime is 93000 (1/100 of seconds), resolution is 4000
reference time is DF401A24.218937A8 (14:16:04.131 ccnp Sun Sep 9 2018)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 439.67 msec, peer dispersion is 438.64 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000000000 s/s
system poll interval is 16, last update was 4 sec ago.
R51#show ntp associations
address ref clock st when poll reach delay offset disp
*~127.127.1.1 .LOCL. 0 15 16 377 0.000 0.000 1.204
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
55
VPN VPN- LAB MANUAL
*~150.1.7.184 .LOCL. 1 53 64 1 3.000 4.500 7938.4
*~150.1.7.184 .LOCL. 1 46 64 1 3.000 3.500 7938.4
TASK2 IOS CERTIFICATE AUTHORITY
 Configure IOS Certificate Authority server on R51

o RSA key :- R51
o PKI Server :- caserver
 The server should have self-signed certificate with a lifetime of 5 years and
grant certificates to the clients with a lifetime of 3 years.
 The server should service all certificate requests automatically.
56
VPN VPN- LAB MANUAL
R51:
crypto key generate rsa label R51 modulus 1024
ip http server
crypto pki server caserver
database level complete
grant auto
issuer-name CN=r51, O=cisco.com
lifetime certificate 1095
lifetime ca-certificate 1825
no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: Sanfran@1234
Re-enter password: Sanfran@1234
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
57
VPN VPN- LAB MANUAL
Verification
R51#show crypto pki server
Certificate Server caserver:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=netmetric, O=cisco.com
CA cert fingerprint: E25DD56A 609047F7 05EF50A8 72EEB2B4
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 14:26:48 ccnp Sep 8 2023
CRL NextUpdate timer: 20:26:51 ccnp Sep 9 2018
Current primary storage dir: nvram:
Database Level: Complete - all issued certs written as <serialnum>.cer
TASK3 ENROLL WITH THE CA - R53 AND R54
 On both devices enrol a certificate for IPSec peer authentication.

 Certificate uses for IPSec authentication should have at least 1024 bytes keys
with rsa key as r53 and r54
 Configure trustpoint with name trustr53 & trustr54
58
VPN VPN- LAB MANUAL
 Configure domain name of cisco.com and name server as 150.1.7.164

(AD/DNS)
R53:
Ip http server
ip domain-name cisco.com
ip name-server 150.1.7.164
crypto key generate rsa label r53 modulus 1024
crypto pki trustpoint trustr53
enrollment url http://192.168.13.1:80
revocation-check none
rsakeypair r53
crypto pki authenticate trustr53
59
VPN VPN- LAB MANUAL
Certificate has the following attributes:
Fingerprint MD5: ED8C3F90 A4D0AB86 DD12AFA0 92EA3C55
Fingerprint SHA1: 61A9CC05 C7C4CD74 A07723DB 4AA0943E

B6A951A0
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
crypto pki enroll trustr53
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the

configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: R53.cisco.com
% Include the router serial number in the subject name? [yes/no]: yes
60
VPN VPN- LAB MANUAL
% The serial number in the certificate will be: 91H57NEE1UA
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]:
% Skipping IP address
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose trustr53' command will show
the fingerprint.
R54:
Ip http server
ip name-server 150.1.7.164
crypto key generate rsa label r54 modulus 1024
crypto pki trustpoint trustr54
enrollment url http://192.168.13.1:80
revocation-check none
rsakeypair r54
61
VPN VPN- LAB MANUAL
crypto pki authenticate trustr54
Certificate has the following attributes:
Fingerprint MD5: ED8C3F90 A4D0AB86 DD12AFA0 92EA3C55
Fingerprint SHA1: 61A9CC05 C7C4CD74 A07723DB 4AA0943E

B6A951A0
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
crypto pki enroll trustr54
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the

configuration.
Please make a note of it.
Password:
62
VPN VPN- LAB MANUAL
Re-enter password:
% The subject name in the certificate will include: R54.cisco.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 9EO5P38C3QA
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose trustr54' command will show
the fingerprint.
TASK4 CONFIGURE THE IPSEC TUNNEL BETWEEN R53 AND R54
 On both devices secure the traffic for 192.168.15.1 and 192.168.14.1

 Use the pre-share key cisco for the isakmp
Configuration on Route
R53
encr aes
63
VPN VPN- LAB MANUAL
authentication rsa-sig
group 2
crypto ipsec transform-set ts esp-aes esp-sha-hmac
mode tunnel
permit ip 192.168.14.0 0.0.0.255 192.168.15.0 0.0.0.255
set peer 20.15.15.1
set transform-set ts
match address VPN
reverse-route static
int gi1
crypto map CMAP
R54:
encr aes
authentication rsa-sig
group 2
crypto ipsec transform-set ts esp-aes esp-sha-hmac
mode tunnel
64
VPN VPN- LAB MANUAL
permit ip 192.168.15.0 0.0.0.255 192.168.14.0 0.0.0.255
set peer 20.14.14.1
set transform-set ts
match address VPN
int gi1
crypto map CMAP
Verification
R53#ping 192.168.15.1 source 192.168.14.1
.!!!!
65
VPN VPN- LAB MANUAL
20.15.15.1 20.14.14.1 QM_IDLE 1001 ACTIVE
interface: GigabitEthernet1
66
VPN VPN- LAB MANUAL
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xB76F1473(3077510259)
inbound esp sas:
spi: 0x23EFC520(602916128)
conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80004048, crypto map:

CMAP
IV size: 16 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB76F1473(3077510259)
67
VPN VPN- LAB MANUAL
conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80004048, crypto map:

CMAP
IV size: 16 bytes
outbound ah sas:
outbound pcp sas:
LAB-3.3: - GRE
68
VPN VPN- LAB MANUAL
TASK1 GRE TUNNEL
 Configure GRE Point to Point tunnel between R18 and R19.

 The tunnel should pass EIGRP AS 100
 The multicast packets exchanging information about Loopback0 networks.
 Use 192.168.189.x/24 as tunnel IP addresses.
 R21 being ISP.
 Point simple default routes from R18 and R19 towards the R21.
 Configure using the below mentioned table:
Device Interface IP
R18 F0/0 20.18.18.1/24

Loopback0 192.168.18.18/24
Tunnel 0 192.168.189.18/24
R19 Fa0/0 20.19.19.1/24

Loopback0 192.168.19.19/24
Tunnel 0 192.168.189.19/24
R21 Fa0/0 20.18.18.2/24

Fa0/1 20.19.19.2/24
Configuration on Routers
R18:
69
VPN VPN- LAB MANUAL
hostname R18
interface f 0/0
no shut
ip address 20.18.18.1 255.255.255.0
interface loop 0
ip address 192.168.18.18 255.255.255.0
ip route 0.0.0.0 0.0.0.0 20.18.18.2
interface tunnel 0
tunnel source f0/0
tunnel destination 20.19.19.1
ip address 192.168.189.18 255.255.255.0
router eigrp 100
no auto-summary
network 192.168.189.0
network 192.168.18.0
R19:
70
VPN VPN- LAB MANUAL
hostname R19
interface f 0/0
no shut
ip address 20.19.19.1 255.255.255.0
interface loop 0
ip address 192.168.19.19 255.255.255.0
ip route 0.0.0.0 0.0.0.0 20.19.19.2
interface tunnel 0
tunnel source f0/0
ip address 192.168.189.19 255.255.255.0
router eigrp 100
no auto-summary
network 192.168.189.0
network 192.168.19.0
R21:
71
VPN VPN- LAB MANUAL
hostname R21
interface f 0/0
no shut
ip address 20.18.18.2 255.255.255.0
interface f 0/1
no shut
ip address 20.19.19.2 255.255.255.0
Verifications:
R18#ping 20.19.19.1
!!!!!
R19#ping 20.18.18.1
72
VPN VPN- LAB MANUAL
!!!!!
R18#show ip interface brief | exclude unassigned
FastEthernet0/0 20.18.18.1 YES manual up up
Tunnel0 192.168.189.18 YES manual up up
---------------------------------------------------------------------------------------------------------
----------------
R19#show ip interface brief | exclude unassigned
FastEthernet0/0 20.19.19.1 YES manual up up
Tunnel0 192.168.189.19 YES manual up up
R18#ping 192.168.189.19
73
VPN VPN- LAB MANUAL
!!!!!
R19#ping 192.168.189.18
!!!!!
---------------------------------------------------------------------------------------------------------
----------------
R18#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.189.19 Tu0 11 00:00:35 1049 5000 0 3
R19#show ip eigrp neighbors
(sec) (ms) Cnt Num
74
VPN VPN- LAB MANUAL
0 192.168.189.18 Tu0 13 00:01:07 163 5000 0 5
TASK2 GRE TUNNEL OVER IPSEC
 Protect the tunnel we configured on the previous task and ensure the traffic
passing by the tunnel is encrypted. Use the following parameters for IPSec
protocol:
 ISAKMP Parameters
o Authentication : Pre-shared
o Group :5
o Encryption : AES
o Hash : SHA
o Lifetime : 1800
o Key : Netmetric
 IPSec Parameters
o Encryption : ESP-AES
o Authentication : ESP-SHA-HMAC
o Lifetime : 1800
Configuration on Routers
75
VPN VPN- LAB MANUAL
R18:
encryption aes
hash sha
group 5
lifetime 1800
crypto isakmp key Netmetric address 20.19.19.1
mode transport
crypto ipsec security-association lifetime seconds 1800
crypto ipsec profile GRE
interface tunnel 0
tunnel protection ipsec profile GRE
76
VPN VPN- LAB MANUAL
R19:
encryption aes
hash sha
group 5
lifetime 1800
crypto isakmp key Netmetric address 20.18.18.1
mode transport
crypto ipsec security-association lifetime seconds 1800
crypto ipsec profile GRE
interface tunnel 0
tunnel protection ipsec profile GRE
77
VPN VPN- LAB MANUAL
Verifications:
dst src state conn-id slot status
20.19.19.1 20.18.18.1 QM_IDLE 1002 0 ACTIVE
X - IKE Extended Authentication
78
VPN VPN- LAB MANUAL
R18#ping 192.168.19.19 source loopback 0 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 20.18.18.1
79
VPN VPN- LAB MANUAL
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x93BAD181(2478494081)
inbound esp sas:
spi: 0x9C392EFD(2620993277)
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, crypto map: Tunnel0-head-0
IV size: 16 bytes
Status: ACTIVE
inbound ah sas:
80
VPN VPN- LAB MANUAL
inbound pcp sas:
outbound esp sas:
spi: 0x93BAD181(2478494081)
IV size: 16 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
20.18.18.1 20.19.19.1 QM_IDLE 1001 0 ACTIVE
81
VPN VPN- LAB MANUAL
X - IKE Extended Authentication
R19#ping 192.168.18.18 source loopback 0 repeat 100
82
VPN VPN- LAB MANUAL
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 20.19.19.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
83
VPN VPN- LAB MANUAL
current outbound spi: 0x9C392EFD(2620993277)
inbound esp sas:
spi: 0x93BAD181(2478494081)
IV size: 16 bytes
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9C392EFD(2620993277)
IV size: 16 bytes
84
VPN VPN- LAB MANUAL
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
LAB-3.4: - DMVPN
Dynamic Multipoint Virtual Private Network (DMVPN) has been introduced by Cisco in late 2000. This
technology has been developed to address needs for automatically created VPN tunnels when dynamic
IP addresses on the spokes are in use.
In GRE over IPSec (described in the previous lab) both ends of the connection must have
static/unchangeable IP address. It is possible however, to create many GRE Site-to-Site tunnels from
85
VPN VPN- LAB MANUAL
company’s branches to the Headquarters. This is pure Hub-and-Spoke topology where all branches may
communicate with each other securely through the Hub.
In DMVPN may have dynamic IP addresses on the spokes, but there must be static IP address on the Hub.
There is also an additional technology used to let the hub know what dynamic IP addresses are in use by
the spokes. This is NHRP (Next Hop Resolution Protocol) which works like ARP but for layer 3. All it does
is building a dynamic database stored on the hub with information about spokes’ IP addresses. Now the
Hub knows IPSec peers and can build the tunnels with them.
The Hub must be connected to many spokes at the same time so there was another issue to solve: how
to configure the Hub to not have many Tunnel interfaces (each for Site-to-Site tunnel with spoke). The
answer is: use GRE multipoint type of tunnel, where we do not need to specify the other end of the
tunnel statically.
That being said, there are three DMVPN mutations called phases:
Phase 1: simple Hub and Spoke topology were dynamic IP addresses on the spokes may be
used
Phase 2: Hub and Spoke with Spoke to Spoke direct communication allowed
Phase 3: Hub and Spoke with Spoke to Spoke direct communication allowed with better
scalability using NHRP Redirects
All above phases will be described in more detail in the next few labs.
LAB-SETUP
 Configure R18 (HUB), R19 (Spoke1), R20 (Spoke2), R21 (ISP) with the IP
mentioned in the table
 For the Internet, the BGP configuration should be as follows.
o Peer all the sites with the ISP using BGP
o Use the BGP authentication password as “cisco” [without quotes]
and encrypt using md5
Device Interface IP
86
VPN VPN- LAB MANUAL
R18 gi0/0 18.18.18.18/24

Loopback0 192.168.18.1/24
R19 gi0/0 19.19.19.19/24

Loopback1 192.168.19.1/24
R20 gi0/0 20.20.20.20/24

Loopback1 192.168.20.1/24
R21 gi0/0 18.18.18.21/24

gi0/1 19.19.19.21/24
gi0/2 20.20.20.21/24
Note: Erase the configuration of Basic GRE from R18 & R19
R18:
Hostname HUB
interface gi0/0
no shut
ip address 18.18.18.18 255.255.255.0
interface loop 0
ip address 192.168.18.1 255.255.255.0
87
VPN VPN- LAB MANUAL
router bgp 3
neighbor 18.18.18.21 remote-as 345
network 18.18.18.0 mask 255.255.255.0
R19:
Hostname Spoke1
interface gi0/0
no shut
ip address 19.19.19.19 255.255.255.0
interface loop 0
ip address 192.168.19.1 255.255.255.0
router bgp 4
network 19.19.19.0 mask 255.255.255.0
R20:
Hostname Spoke2
88
VPN VPN- LAB MANUAL
interface gi0/0
no shut
ip address 20.20.20.20 255.255.255.0
interface loop 0
ip address 192.168.20.1 255.255.255.0
router bgp 5
network 20.20.20.0 mask 255.255.255.0
R21(ISP):
Hostname ISP
interface gi0/0
no shut
ip address 18.18.18.21 255.255.255.0
interface gi0/1
no shut
ip address 19.19.19.21 255.255.255.0
89
VPN VPN- LAB MANUAL
interface gi0/2
no shut
ip address 20.20.20.21 255.255.255.0
router bgp 345
Verification
ISP#show ip bgp summary
BGP router identifier 20.20.20.21, local AS number 345
BGP table version is 7, main routing table version 7
3 network entries using 360 bytes of memory
3 path entries using 156 bytes of memory
4/3 BGP path/bestpath attribute entries using 496 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 1116 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs
90
VPN VPN- LAB MANUAL
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down

State/PfxRcd
18.18.18.18 4 3 5 7 7 0 0 00:00:12 1
19.19.19.19 4 4 4 6 7 0 0 00:00:31 1
20.20.20.20 4 5 4 6 7 0 0 00:00:40 1
TASK1 DMVPN PHASE 1 BASIC CONFIGURATION
 Configure Hub-and-Spoke GRE tunnels between R18, R19 and R20, where R18
is acting as a Hub.
 Traffic originated from every Spoke’s loopback interface should be
transmitted securely via the Hub to the other spokes.
91
VPN VPN- LAB MANUAL
 Use the following settings when configuring tunnels

o Tunnel Parameters:
 IP address : 1.1.1.0/24
 IP MTU : 1400
 Tunnel Authentication Key : 12345
o NHRP Parameters
 NHRP ID : 12345
 NHRP Authentication key : DMVPN
 NHRP Hub : R18
 NHRP Holdtime : 5 Minutes
Configuration on Routers:-
R18 (HUB):
interface tunnel 1
ip address 1.1.1.1 255.255.255.0
tunnel source gi0/0
tunnel mode gre multipoint
ip nhrp map multicast dynamic
ip nhrp network-id 12345
ip nhrp authentication DMVPN
tunnel key 12345
ip nhrp holdtime 300
ip mtu 1400
92
VPN VPN- LAB MANUAL
R19 (Spoke1):
interface tunnel 1
ip address 1.1.1.2 255.255.255.0
ip nhrp map 1.1.1.1 18.18.18.18
ip nhrp map multicast 18.18.18.18
ip nhrp nhs 1.1.1.1
tunnel source gi0/0
tunnel key 12345
ip mtu 1400
R20 (Spoke2):
93
VPN VPN- LAB MANUAL
interface tunnel 1
ip address 1.1.1.3 255.255.255.0
ip nhrp map 1.1.1.1 18.18.18.18
ip nhrp nhs 1.1.1.1
tunnel source gi0/0
tunnel key 12345
ip mtu 1400
Verification:
HUB#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
94
VPN VPN- LAB MANUAL
UpDn Time --> Up or Down Time for a Tunnel
================================================================
==========
Interface: Tunnel1, IPv4 NHRP Details
Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 19.19.19.19 1.1.1.2 UP 00:00:33 D
1 20.20.20.20 1.1.1.3 UP 00:00:06 D
Spoke1#traceroute ip 1.1.1.3 source 1.1.1.2
Tracing the route to 1.1.1.3
1 1.1.1.1 16 msec 36 msec 20 msec
2 1.1.1.3 52 msec 36 msec *
95
VPN VPN- LAB MANUAL
HUB#show ip nhrp
1.1.1.2/32 via 1.1.1.2
Tunnel1 created 00:01:01, expire 00:03:58
Type: dynamic, Flags: unique registered nhop
NBMA address: 19.19.19.19
1.1.1.3/32 via 1.1.1.3
Type: dynamic, Flags: unique registered nhop
HUB#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
-------------- Interface Tunnel1 info: --------------
Intf. is up, Line Protocol is up, Addr. is 1.1.1.1
Source addr: 18.18.18.18, Dest addr: MGRE
Protocol/Transport: "multi-GRE/IP", Protect "",
Tunnel VRF "", ip vrf forwarding ""
NHRP Details:
Type:Hub, NBMA Peers:2
96
VPN VPN- LAB MANUAL
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 19.19.19.19 1.1.1.2 UP 00:16:21 D 1.1.1.2/32
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 20.20.20.20 1.1.1.3 UP 00:06:56 D 1.1.1.3/32
Pending DMVPN Sessions:
TASK2 DMVPN PHASE 1 WITH EIGRP
 Routing Protocol Parameters

o EIGRP 1
o Use split horizon rule
Configuration on the Router
R18(HUB) :
router eigrp 1
network 1.1.1.0 0.0.0.255

97
VPN VPN- LAB MANUAL
network 192.168.18.0
no auto-summary
R19:
router eigrp 1
network 1.1.1.0 0.0.0.255
network 192.168.19.0
no auto-summary
R20:
router eigrp 1
network 1.1.1.0 0.0.0.255
network 192.168.20.0
no auto-summary
Verification:
HUB#show ip route eigrp
D 192.168.20.0/24 [90/297372416] via 1.1.1.3, 00:00:29, Tunnel1
D 192.168.19.0/24 [90/297372416] via 1.1.1.2, 00:01:30, Tunnel1
HUB#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
98
VPN VPN- LAB MANUAL
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set

C 1.1.1.0/24 is directly connected, Tunnel1
L 1.1.1.1/32 is directly connected, Tunnel1
C 18.18.18.0/24 is directly connected, GigabitEthernet0/0
19.0.0.0/24 is subnetted, 1 subnets
B 19.19.19.0 [20/0] via 18.18.18.21, 00:04:09
B 20.20.20.0 [20/0] via 18.18.18.21, 00:04:09
D 192.168.19.0/24 [90/27008000] via 1.1.1.2, 00:01:14, Tunnel1
99
VPN VPN- LAB MANUAL
D 192.168.20.0/24 [90/27008000] via 1.1.1.3, 00:01:08, Tunnel1
Spoke1#show ip route eigrp
D 192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:03:07, Tunnel1
D 192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:02:33, Tunnel1
EIGRP is a distance vector routing protocol so we have split horizon issues. The spoke routers don’t see
each other’s networks. Let’s fix this for now:
int tunnel1
no ip split-horizon eigrp 1
Since we use EIGRP between the Hub and the Spokes, we need to disable Split Horizon for that protocol
to be able to send routes gathered from one Spoke to the other Spoke. The Split Horizon rule says:
“information about the routing is never sent back in the direction from which it was received”. This is
basic rule for loop prevention.
D 192.168.20.0/24 [90/310172416] via 1.1.1.1, 00:00:10, Tunnel1
D 192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:04:44, Tunnel
Spoke1#show ip route
100
VPN VPN- LAB MANUAL
B 18.18.18.0 [20/0] via 19.19.19.21, 00:06:33
B 20.20.20.0 [20/0] via 19.19.19.21, 00:06:33
101
VPN VPN- LAB MANUAL
D 192.168.19.0/24 [90/310172416] via 1.1.1.1, 00:00:30, Tunnel1
D 192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:04:04, Tunnel1
Spoke1#ping 192.168.20.1 source loopback 0
!!!!!
Spoke1#show ip cef 192.168.20.1
192.168.20.0/24
nexthop 1.1.1.1 Tunnel1

The CEF entries displayed for Spoke loopback network. This indicates an IP address of next hop which
have to be used for reaching 192.168.20.0/24.
Spoke1#show ip nhrp
1.1.1.1/32 via 1.1.1.1
Tunnel1 created 00:06:50, never expire
Type: static, Flags:
102
VPN VPN- LAB MANUAL
Spoke1#traceroute 192.168.20.1 source loopback 0
1 1.1.1.1 36 msec 24 msec 20 msec
2 1.1.1.3 20 msec 28 msec *
TASK3 DMVPN PHASE 1 ENCRYPT THE TUNNEL USING IPSEC

o ISAKMP Parameters:
 Authentication : Pre-Shared
103
VPN VPN- LAB MANUAL
 Encryption : 3DES
 Hashing : SHA
 DH Group :2
 Pre-Shared Key : cisco
o IPSec Parameters
 Encryption : ESP-aes
 Authentication : ESP-SHA-HMAC
 is acting as a Hub.
 Traffic originated from every Spoke’s loopback interface should be transmitted
securely directly to the other spokes.
 You must use EIGRP dynamic routing protocol to let other spokes know about
protected networks.
 Tunnel Parameters:
o IP address : 1.1.1.0/24
o IP MTU : 1400
o Tunnel Authentication Key : 12345
 NHRP Parameters
o NHRP ID : 12345
o NHRP Authentication key : DMVPN
o NHRP Hub : R18
o NHRP Holdtime : 5 Minutes
104
VPN VPN- LAB MANUAL
The difference is in routing protocol behaviour. The DMVPN Phase 2 allows for direct Spoke to Spoke
communication. Hence, one spoke must send the traffic to the other spoke using its routing table
information. In DMVPN Phase 1 the spoke sends all traffic up to the Hub and uses the Hub for Spoke to
Spoke communication. However, in DMVPN Phase 2 a spoke must point to the other spoke directly.
This is achieved by changing the routing protocol behaviour. The EIGRP changes next hop in the routing
update when sending it further. So that, the Hub changes the next hop to itself when sending down the
routing updates to the Spokes. This behaviour can be changed by the command “no ip next-hop-self
eigrp AS”.
Configuration on Routers: -
R18 (HUB):
Same configuration as of Phase 1 with few changes
interface Tunnel1
ip address 1.1.1.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
tunnel source FastEthernet0/0

105
VPN VPN- LAB MANUAL
tunnel key 12345
end
The EIGRP changes next hop in the routing update when sending it further. So that, the Hub changes the
next hop to itself when sending down the routing updates to the Spokes. This behaviour can be changed
by the command “no ip next-hop-self eigrp AS”
R19 (Spoke1)
Show run int tun 1
interface tunnel 1
ip address 1.1.1.2 255.255.255.0
ip nhrp map 1.1.1.1 18.18.18.18
ip nhrp nhs 1.1.1.1
tunnel source f0/0
ip mtu 1400
tunnel key 12345
106
VPN VPN- LAB MANUAL
Remove the tunnel destination command
int tunnel 1
no tunnel destination 18.18.18.18
R20 (Spoke2):
Show run int tunnel 1
interface tunnel 1
ip address 1.1.1.3 255.255.255.0
ip nhrp map 1.1.1.1 18.18.18.18
ip nhrp nhs 1.1.1.1
tunnel source f0/0
ip mtu 1400
tunnel key 12345
107
VPN VPN- LAB MANUAL
Remove the tunnel destination command
int tunnel 1
no tunnel destination 18.18.18.18
Verification
HUB# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
o - ODR, P - periodic downloaded static route
C 1.1.1.0 is directly connected, Tunnel1
108
VPN VPN- LAB MANUAL
B 19.19.19.0 [20/0] via 18.18.18.21, 01:43:04
C 18.18.18.0 is directly connected, FastEthernet0/0
B 20.20.20.0 [20/0] via 18.18.18.21, 01:43:04
D 192.168.20.0/24 [90/297372416] via 1.1.1.3, 00:13:39, Tunnel1
D 192.168.19.0/24 [90/297372416] via 1.1.1.2, 00:13:55, Tunnel1
HUB#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
Tunnel1, Type:Hub, NHRP Peers:2,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 19.19.19.19 1.1.1.2 UP never D
1 20.20.20.20 1.1.1.3 UP never D
HUB#ping 1.1.1.2
109
VPN VPN- LAB MANUAL
!!!!!
HUB#ping 1.1.1.3
!!!!!
HUB#show ip nhrp
1.1.1.2/32 via 1.1.1.2, Tunnel1 created 00:14:22, expire 00:03:57
Type: dynamic, Flags: unique registered
HUB#show ip eigrp neighbors
110
VPN VPN- LAB MANUAL
H Address Interface Hold Uptime SRTT RTO Q

Seq
(sec) (ms) Cnt Num
1 1.1.1.3 Tu1 10 00:14:35 137 5000 0 14
0 1.1.1.2 Tu1 12 00:14:53 92 5000 0

18
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
o - ODR, P - periodic downloaded static route
C 1.1.1.0 is directly connected, Tunnel1
C 19.19.19.0 is directly connected, FastEthernet0/0

111
VPN VPN- LAB MANUAL
B 18.18.18.0 [20/0] via 19.19.19.21, 01:44:24
B 20.20.20.0 [20/0] via 19.19.19.21, 01:44:24
D 192.168.20.0/24 [90/310172416] via 1.1.1.3, 00:14:58, Tunnel1
D 192.168.18.0/24 [90/297372416] via 1.1.1.1, 00:15:16, Tunnel1
Spoke1#show ip route 192.168.20.1
Routing entry for 192.168.20.0/24
Known via "eigrp 1", distance 90, metric 310172416, type internal
Redistributing via eigrp 1
Last update from 1.1.1.3 on Tunnel1, 00:16:01 ago
Routing Descriptor Blocks:
* 1.1.1.3, from 1.1.1.1, 00:16:01 ago, via Tunnel1
Route metric is 310172416, traffic share count is 1
Total delay is 1005000 microseconds, minimum bandwidth is 9 Kbit
Reliability 255/255, minimum MTU 1400 bytes
Loading 1/255, Hops 2
112
VPN VPN- LAB MANUAL
192.168.20.0/24
1.1.1.0/24
attached to Tunnel1
20.20.20.0/24
nexthop 19.19.19.21 GigabitEthernet0/0
Spoke1#show ip nhrp
1.1.1.1/32 via 1.1.1.1
Type: static, Flags: used
1.1.1.2/32 via 1.1.1.2
Type: dynamic, Flags: router unique local
(no-socket)
1.1.1.3/32 via 1.1.1.3
113
VPN VPN- LAB MANUAL
Type: dynamic, Flags: router used nhop
Spoke1#show adjacency tunnel 1 detail
Protocol Interface Address
IP Tunnel1 1.1.1.1(11)
0 packets, 0 bytes
epoch 0
sourced in sev-epoch 3
Encap length 28
4500000000000000FF2F718513131313
121212122000080000003039
Tun endpt
Next chain element:
IP adj out of GigabitEthernet0/0, addr 19.19.19.21
IP Tunnel1 1.1.1.3(11)
0 packets, 0 bytes
epoch 0
sourced in sev-epoch 3
Encap length 28
4500000000000000FF2F6D8113131313
141414142000080000003039
114
VPN VPN- LAB MANUAL
Tun endpt
Next chain element:
IP adj out of GigabitEthernet0/0, addr 19.19.19.21
Spoke1#traceroute 192.168.20.1 source loopback 0
1.1.1.3 16 msec 48 msec *
 is acting as a Hub.
 Traffic originated from every Spoke’s loopback interface should be transmitted
securely directly to the other spokes.
 You must use EIGRP dynamic routing protocol to let other spokes know about
protected networks.
 You must ensure that every traffic is CEF switched.
o Tunnel Parameters:
 IP address : 1.1.1.0/24
 IP MTU : 1400
115
VPN VPN- LAB MANUAL
 Tunnel Authentication Key : 12345

o NHRP Parameters
 NHRP ID : 12345
 NHRP Authentication key : DMVPN
 NHRP Hub : R18
 NHRP Holdtime : 5 Minutes
DMVPN Phase 3 is the latest method of configuration. It was introduced by Cisco to fix some
disadvantages of Phase 2 like:
- Scalability: Phase 2 allows Hubs daisy-chaining, OSPF single area, limited number of hubs due
to OSPF DR/BDR election
- Scalability: Phase 2 does not allow route summarization on the Hub, all prefixes must
be distributed to all spokes to be able to set up direct spoke to spoke tunnels.
- Performance: Phase 2 sends first packets through the Hub using process-switching
(not CEF) causing CPU spikes. DMVPN Phase 3 uses two NHRP “hacks” to make it happen:
- NHRP Redirect (HUB) – a new messages send from the Hub to the Spoke to let the
Spoke know that there is a better path to the other spoke than through the Hub
- NHRP Shortcut – a new way of changing (overwriting) CEF information on the Spoke
In DMVPN Phase 3 all Spokes must point to the Hub for the networks behind the other spokes
(just like it was in Phase 1).
 Packet is sent from Spoke’s 19 network to Spoke’s 20 network via Hub (according to
routing table)
 Hub routes packet to Spoke2 but in parallel sends back the NHRP Redirect message to
Spoke19 containing information about suboptimal path to Spoke20 and tunnel IP of
Spoke2
 Spoke19 then issues the NHRP Resolution request of Spoke’s 20 NBMA IP address to
NHS with destination IP of Spoke’s 2 tunnel, this NHRP Resolution request is sent
targeted to Spoke20 via NHS (according to routing table) – it is normal hop by hop NHRP
forwarding process
 Spoke2 after receiving resolution request including NBMA IP of Spoke19 sends the NHRP
Resolution reply directly to Spoke19 – Reply does not traverse the Hub!
 Spoke19 after receiving correct NBMA IP of Spoke2 rewrites the CEF entry for destination
prefix – this procedure is called NHRP Shortcut
116
VPN VPN- LAB MANUAL
 Spokes don’t trigger NHRP by glean adjacencies but NHRP replies updates the CEF
R18 (HUB):
Same configuration on the HUB, but some additional commands
interface Tunnel1
ip address 1.1.1.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
tunnel key 12345
117
VPN VPN- LAB MANUAL
ip nhrp redirect
NHRP Redirect is a special NHRP message sent by the Hub to the spoke to tell the spoke that there is a
better path to the remote spoke than through the Hub. All it does is enforces the spoke to trigger an NHRP
resolution request to IP destination.
The “ip nhrp redirect” command should be configured on the Hub only!
R19 (Spoke1):
interface Tunnel1
ip address 1.1.1.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 1.1.1.1 18.18.18.18
ip nhrp nhs 1.1.1.1
tunnel key 12345
ip nhrp shortcut
end
118
VPN VPN- LAB MANUAL
The only difference on the spoke is that the spoke has NHRP Shortcut configured. This will work together
with NHRP Redirect on the Hub to send a new Resolution Request NHRP message and overwrite CEF entry
to use direct spoke to spoke tunnel instead of the Hub. This command should be configured on spokes
only.
R20 (Spoke2):
interface Tunnel1
ip address 1.1.1.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 1.1.1.1 18.18.18.18
ip nhrp nhs 1.1.1.1
ip nhrp shortcut
tunnel key 12345
end
119
VPN VPN- LAB MANUAL
HUB#show ip eigrp neighbors
(sec) (ms) Cnt Num
1 1.1.1.3 Tu1 13 00:00:20 50 5000 0 23
0 1.1.1.2 Tu1 14 00:00:27 837 5000 0 28
HUB#show ip route
120
VPN VPN- LAB MANUAL
B 19.19.19.0 [20/0] via 18.18.18.21, 00:20:52
B 20.20.20.0 [20/0] via 18.18.18.21, 00:20:52
D 192.168.19.0/24 [90/27008000] via 1.1.1.2, 00:01:05, Tunnel1
D 192.168.20.0/24 [90/27008000] via 1.1.1.3, 00:01:03, Tunnel1
HUB#show ip nhrp
Before PING
121
VPN VPN- LAB MANUAL
B 18.18.18.0 [20/0] via 19.19.19.21, 00:21:49
B 20.20.20.0 [20/0] via 19.19.19.21, 00:21:49
122
VPN VPN- LAB MANUAL
D 192.168.18.0/24 [90/27008000] via 1.1.1.1, 00:02:01, Tunnel1
D 192.168.20.0/24 [90/28288000] via 1.1.1.3, 00:01:56, Tunnel1
192.168.20.0/24
Before PING
Spoke1#show ip nhrp
1.1.1.1/32 via 1.1.1.1
Spoke1#ping 192.168.20.1 source lo0
!!!!!
123
VPN VPN- LAB MANUAL
192.168.20.0/24
Spoke1#show ip nhrp
1.1.1.1/32 via 1.1.1.1
1.1.1.2/32 via 1.1.1.2
(no-socket)
1.1.1.3/32 via 1.1.1.3
Type: dynamic, Flags: router nhop rib
192.168.19.0/24 via 1.1.1.2
124
VPN VPN- LAB MANUAL
(no-socket)
192.168.20.0/24 via 1.1.1.3
Type: dynamic, Flags: router used rib nho
The NHRP datatbase shows new dynamic entries for the remote spoke and the “local” entry for Spoke
which is created when sending an NHRP resolution reply.
125
VPN VPN- LAB MANUAL
H 1.1.1.3/32 is directly connected, 00:01:21, Tunnel1
B 18.18.18.0 [20/0] via 19.19.19.21, 00:30:13
B 20.20.20.0 [20/0] via 19.19.19.21, 00:30:13
D 192.168.18.0/24 [90/27008000] via 1.1.1.1, 00:10:25, Tunnel1
D % 192.168.20.0/24 [90/28288000] via 1.1.1.3, 00:10:20, Tunnel1
Spoke1#show ip route next-hop-override
126
VPN VPN- LAB MANUAL
H 1.1.1.3/32 is directly connected, 00:00:02, Tunnel1
B 18.18.18.0 [20/0] via 19.19.19.21, 00:37:29
B 20.20.20.0 [20/0] via 19.19.19.21, 00:37:29
D 192.168.18.0/24 [90/27008000] via 1.1.1.1, 00:17:41, Tunnel1
D % 192.168.20.0/24 [90/28288000] via 1.1.1.3, 00:17:36, Tunnel1
[NHO][90/255] via 1.1.1.3, 00:00:02, Tunnel1
127
VPN VPN- LAB MANUAL
LAB-3.5: - SSL CLIENTLESS VPN
TASK1 PERFORM SSL CLIENTLESS VPN
 Your configuration should meet the following requirements on ASA1:

 VPN access credentials should be username: cisco password: cisco.
 Connection banner should be Welcome to Netmetric.
 Group alias should be named ccnp
 The Ca trustpoint should be configured as follows:
 Name : trust
 Enrollement : self
 RSA key : ccnp
 Session idle time 24 hours
 Idle Time out 24 hours
 The web ACL implementation should only allow the following URLs:
 http://server1.cisco.com:8080
 http://server2.cisco.com:8080
128
VPN VPN- LAB MANUAL
 The bookmarks for the above servers should appear in the server portal as server1
and server2 respectively.
 Make sure that even when you close the RDP connection to client_pc that should
not tear down the established VPN session.
 The DNS server is at 150.1.7.164
 Note: Any information not provided for this task can be assumed by the
candidate.
Configuration on ASA
ASA1v
int gi0/0
nameif outside
ip address 20.1.1.1 255.255.255.0
no sh
int gi0/1
nameif inside
ip add 10.1.10.1 255.255.255.0
no sh
router eigrp 1
network 10.1.10.0 255.255.255.0
129
VPN VPN- LAB MANUAL
ASA1# show int ip br
ASA1# show nameif
Interface Name Security
GigabitEthernet0/0 outside 0
GigabitEthernet0/1 inside 100
ASA1# show eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
(sec) (ms) Cnt Num
0 10.1.10.10 inside 14 00:00:14 10 200 0 6
ASA1# show route
D 1.1.1.0 255.255.255.0 [90/130816] via 10.1.10.10, 00:01:25, inside
D 2.2.2.0 255.255.255.0 [90/130816] via 10.1.10.10, 00:01:25, inside
C 10.1.10.0 255.255.255.0 is directly connected, inside
L 10.1.10.1 255.255.255.255 is directly connected, inside
C 20.1.1.0 255.255.255.0 is directly connected, outside
L 20.1.1.1 255.255.255.255 is directly connected, outside

130
VPN VPN- LAB MANUAL
dns domain-lookup mgmt
dns name-server 150.1.7.164
domain-name cisco.com
crypto key generate rsa label ccnp modulus 1024
crypto ca trustpoint trust
enrollment self
keypair ccnp
subject-name CN=asa1.cisco.com
ASA1(config)# crypto ca enroll trust
% The fully-qualified domain name in the certificate will be:

ASA1.cisco.com
% Include the device serial number in the subject name? [yes/no]: yes
Generate Self-Signed Certificate? [yes/no]: yes
access-list webacl webtype permit url http://server1.cisco.com:8080
access-list webacl webtype permit url http://server2.cisco.com:8080
group-policy ccnp internal
group-policy ccnp attributes
banner value Welcome to Netmetric
131
VPN VPN- LAB MANUAL
vpn-idle-timeout 1440
vpn-session-timeout 1440
vpn-tunnel-protocol ssl-clientless
webvpn
filter value webacl
exit
tunnel-group ccnp type remote-access
tunnel-group ccnp general-attributes
default-group-policy ccnp
tunnel-group ccnp webvpn-attributes
group-alias ccnp enable
webvpn
enable outside
tunnel-group-list enable
username admin password cisco privilege 15
ssl trust-point trust outside
Repeat Task 1.3 for ASDM image as, we cannot create the bookmarks
from the CLI.
132
VPN VPN- LAB MANUAL
copy tftp://150.1.7.20/asdm-782-151.bin flash:
http server enable
http 150.1.7.0 255.255.255.0 mgmt
asdm image boot:/asdm-79150.bin
133
VPN VPN- LAB MANUAL
134
VPN VPN- LAB MANUAL
135
VPN VPN- LAB MANUAL
Click on the Assign
136
VPN VPN- LAB MANUAL
from the client-pc open the internet explorer and give https://20.1.1.1
137
VPN VPN- LAB MANUAL
username and password admin/cisco
138
VPN VPN- LAB MANUAL
username and password admin/cisco
139
VPN VPN- LAB MANUAL
ASA1# show vpn-sessiondb webvpn
Session Type : WebVPN
Username : admin Index : 3
Public IP : 20.1.1.6
Protocol : Clientless
License : AnyConnect Premium
140
VPN VPN- LAB MANUAL
Encryption : Clientless : (1)AES256 Hashing : Clientless:

(1)SHA1
Bytes Tx : 314701 Bytes Rx : 40457
Group Policy : ccnp Tunnel Group : ccnp
Login Time : 14:39:56 UTC Sat Aug 18 2018
Duration : 0h:02m:18s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 960107a6000030005b782fbc
Security Grp : none
LAB-3.6: - CISCO ANYCONNECT WITH IKEV2
TASK1 PERFORM ANYCONNECT CLIENTBASED VPN

141
VPN VPN- LAB MANUAL
 Configure the ASA1 with the following IP address and nameif mentioned in the above
diagram
 Use Eigrp as the routing protocol between the ASA1 and DC-Router and advertise
the 10.1.10.0/24 network with AS 1.
 Your configuration should meet the following requirements on ASA1V:
 The tunnel should negotiate IKEv2 policy and IPsec proposal for AES-256 encryption.
 The tunnel should only secure traffic for server1 and server2.
 The client address pool should be 100.10.1.1-100.10.1.10/24.
 The session tunnel should remain connected for 24 hours even without any activity.
 The connection profile name should be “ConnectionP”
 The group alias for the session should be “ccnpprofile”.
 The trustpoint for the implementation should be named “trust” using RSA key pair
“ccnp”
 ASA should authenticate the session locally for Credential :- username cisco
password cisco.
 Use the FireFox browser to test your connectivity with server1 and server2 Any
information not provided for this task can be assumed by the candidate.
 For detail solution please refer to the “avi” file uploaded on the resource
portal
Configuration on ASA1: -
NOTE: - Use Gi0/0 instead of Fa0/0 on R29 and R30
R27(KS):
142
VPN VPN- LAB MANUAL
Ip vrf mgmt
rd 20:20
LAB-3.7: - GETVPN WITH VRF AWARE
GET VPN is a technology used to encrypt traffic going through unsecured networks.
It leverages IPSec protocol suite to enforce Integrity and Confidentiality of data.
Typical GET deployment consists a router called Key Server (KS) and a couple of
routers called Group Members (GMs). The KS is used to create, maintain and send a
“policy” to GMs. The policy is an information what traffic should be encrypted by
GM and what encryption algorithms must be used. The most important function of
KS is generation of encryption keys. There are two keys used:
TEK – Transport Encryption Key – used by GM to encrypt the data KEK – Key
Encryption Key – used to encrypt information between KS and GM A very important
143
VPN VPN- LAB MANUAL
aspect of GET is that it does not set up any IPSec tunnels between GMs! It is NOT like
DMVPN. Every GM has the policy (what to encrypt, what encryption algorithm to
use, what key is used by the encryption algorithm) and just encrypt every packet
conforming its policy and sends it out to the network using ESP (Encapsulated
Security Payload). Note that it uses original IP addresses to route the packet out (this
is called IP Header Preservation mechanism), hence the packet can be routed
towards every other router in the network as long as the routing table has such
information.
TASK1 PERFORM GETVPN ON KEY SERVER AND GROUP MEMBER
 VRF for SITE_A should be site_a

 VRF for SITE_B should be site_b
 Registration link between the KS and GM should be in vrf mgmt.
 Pre-shared key between the sites should be “cisco”
 ISAKMP policy should have encryption aes and DH Group 5
 Identity number for site_a should be 10
 Identity number for site_b should be 20
 Re-keyring authentication should use RSA key “ccnpkey” for both sites
 Rekey Algorithm should be aes and transport Unicast.
 The implementation should secure traffic site_a between 192.168.29.0/24 and
192.168.30.0/24 networks.
 The implementation should secure traffic site_b between 192.168.29.0/24 and
192.168.30.0/24 networks.
 EIGRP routing process for site_a and site_b should be authenticated using mode
MD5 and password ccnp
 Notes: Prefer to the topology for addressing VLAN and EIGRP routing information.
SW_GET is preconfigured for this task.
144
VPN VPN- LAB MANUAL
NOTE: - Use Gi0/0 instead of Fa0/0 on R29 and R30
R27(KS):
Ip vrf mgmt
rd 20:20
Interface fa0/0
ip vrf forwarding mgmt
ip address 20.1.20.3 255.255.255.0

no shutdown
First we need RSA keys to be used by our KS for Rekey process. The KS must send out a new TEK (and KEK)
before TEK is expired (default is 3600 seconds). It does this in so-called Rekey phase. This phase is
authenticated and secured by ISAKMP SA which is established between KS and GM. This ISAKMP uses GDOI
messages (think of this like a mutation of IKE) to build SA and encrypt GM registration. The GDOI uses
UDP/848 instead of UDP/500 like IKE does. The RSA keys are used to authenticated the KS to GM in the
Rekey process. Remember that to generate new RSA keys you must have Hostname and Domain-name
configured on the router.
crypto key generate rsa label ccnp modulus 2048
Then we need ISAKMP parameters, just like in regular IPSec configuration. Pre-shared key must be specified
on both KS and GM to be able to authenticate. This will be used to establish ISAKMP SA to secure further
145
VPN VPN- LAB MANUAL
GDOI messages.
Crypto isakmp policy 10
encryption aes
group 5
exit
crypto keyring mgmt vrf mgmt
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
The IPSec parameters must be configured on KS. These parameters are not used by KS itself. They are part
of policy that will be send down to the GMs. The IPSec profile tells the GM what encryption algorithm use.
crypto ipsec profile IPSPROFILE

Now it’s time to configure KS. To do that we need to specify The Group. One KS may have many groups
and each group may have different security policy.
crypto gdoi group site_a

identity number 10
server local
Here we need to specify Rekey parameters. The Rekey phase can be performed in two ways:
146
VPN VPN- LAB MANUAL
- Unicast Rekey – when we do not have multicast support in our infrastructure (may be a
case when ISP does not support multicast in its IP VPN cloud). The KS sends down a Rekey packet
to every GM it knows of.
- Multicast Rekey – when we have multicast ready infrastructure, then we can enable
multicast Rekey and the KS generates only one packet and sends it down to all GMs at one time
rekey algorithm aes 256
rekey authentication mypubkey rsa ccnp

rekey transport unicast
Now it’s time to configure policy for our GMs. Encryption policy is created by IPSec Profile configured
earlier. To tell the GMs what packets they should encrypt, we need another ACL (extended this time). Our
ACL is named site_a. The last parameter important is KS’s IP address. This parameter must as well be send
don to the GMs as KS may be run on different IP address (like Loopback).
sa ipsec 1
profile IPSPROFILE
match address ipv4 site_a
address ipv4 20.1.20.3
Same for Site_b

crypto gdoi group site_b
identity number 20
server local
rekey algorithm aes 256
rekey authentication mypubkey rsa ccnp
rekey transport unicast
147
VPN VPN- LAB MANUAL
sa ipsec 1
profile IPSPROFILE
match address ipv4 site_b
address ipv4 20.1.20.3
ip access-list extended site_a

permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255
ip access-list extended site_b
permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255
R29(GM):
Hostname R29
int gi0/0
no sh
ip vrf mgmt
rd 20:20
ip vrf site_a
rd 100:100
148
VPN VPN- LAB MANUAL
ip vrf site_b
rd 200:200
key chain ccnp

key 1
key-string ccnp
interface Loopback100
ip vrf forwarding site_a
ip address 192.168.29.29 255.255.255.255
ip vrf forwarding site_b
ip address 192.168.29.29 255.255.255.255
interface gi0/0.20
encapsulation dot1Q 20
ip address 20.1.20.29 255.255.255.0
interface gi0/0.100
ip address 20.1.45.29 255.255.255.0
149
VPN VPN- LAB MANUAL
ip authentication mode eigrp 505 md5
ip authentication key-chain eigrp 505 ccnp
interface gi0/0.200
ip address 20.1.45.29 255.255.255.0

router eigrp 55
address-family ipv4 vrf site_a autonomous-system 505
network 20.1.45.0 0.0.0.255
network 192.168.29.0
exit-address-family
address-family ipv4 vrf site_b autonomous-system 505

network 20.1.45.0 0.0.0.255
network 192.168.29.0
exit-address-family
R30(GM):
Hostname R30
150
VPN VPN- LAB MANUAL
int gi0/0
no sh
ip vrf mgmt
rd 20:20
ip vrf site_a
rd 100:100
ip vrf site_b
rd 200:200
key chain ccnp

key 1
key-string ccnp
ip address 192.168.30.30 255.255.255.255

ip address 192.168.30.30 255.255.255.255
151
VPN VPN- LAB MANUAL
interface gi0/0.20
ip address 20.1.20.30 255.255.255.0
interface gi0/0.100
ip address 20.1.45.30 255.255.255.0

interface gi0/0.200
ip address 20.1.45.30 255.255.255.0

router eigrp 55
address-family ipv4 vrf site_a autonomous-system 505
network 20.1.45.0 0.0.0.255
152
VPN VPN- LAB MANUAL
network 192.168.30.0
exit-address-family
address-family ipv4 vrf site_b autonomous-system 505

network 20.1.45.0 0.0.0.255
network 192.168.30.0
exit-address-family
Verification:
R29#show ip route vrf site_a eigrp
Routing Table: site_a



153
VPN VPN- LAB MANUAL
D 192.168.30.30
[90/130816] via 20.1.45.30, 00:00:23, GigabitEthernet0/0.100
R29#show ip route vrf site_b eigrp
Routing Table: site_b




D 192.168.30.30
[90/130816] via 20.1.45.30, 00:01:16, GigabitEthernet0/0.200
R29# ping vrf site_a 192.168.30.30 source loopback 100

154
VPN VPN- LAB MANUAL
!!!!!
R29#ping vrf site_b 192.168.30.30 source loopback 200


!!!!!
R29#ping vrf mgmt 20.1.20.3 source gi0/0.20


!!!!!
Now Configure The GM to download the policy from the KS
155
VPN VPN- LAB MANUAL
Configuration on R29: -
R29 is our first GM. We need the following to be configured on every GM:
- ISAKMP policy and pre-shared key (in case of PSK) - the Group to which the GM needs to be registered
to - (optional) ACL to exclude some traffic from encryption
- crypto map type GDOI
encryption aes
group 5
exit
pre-shared-key address 20.1.20.3 key cisco
identity number 10
server address ipv4 20.1.20.3
client registration interface gi0/0.20
156
VPN VPN- LAB MANUAL
identity number 20
crypto map site_a 10 gdoi
set group site_a

crypto map site_b 10 gdoi
set group site_b
int gi0/0.100
crypto map site_a
int gi0/0.200
crypto map site_b
Configuration on R30:
encryption aes
group 5
exit
157
VPN VPN- LAB MANUAL
pre-shared-key address 20.1.20.3 key cisco

identity number 10

identity number 20
crypto map site_a 10 gdoi

set group site_a
crypto map site_b 10 gdoi
set group site_b
int gi0/0.100
crypto map site_a
int gi0/0.200
158
VPN VPN- LAB MANUAL
crypto map site_b
KS#show crypto gdoi group site_a
Group Name : site_a (Unicast)

Group Identity : 10
Group Members :2
IPSec SA Direction : Both

Active Group Server : Local
Group Rekey Lifetime : 86400 secs
Group Rekey
Remaining Lifetime : 86224 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts :2

Group Retransmit
IPSec SA Number :1
IPSec SA Rekey Lifetime : 3600 secs
Profile Name : IPSPROFILE

Replay method : Count Based
Replay Window Size : 64
SA Rekey
159
VPN VPN- LAB MANUAL
ACL Configured : access-list site_a
Group Server list : Local
KS#show crypto gdoi group site_b
Group Name : site_b (Unicast)
Group Identity : 20
Group Members :2
Active Group Server : Local

Group Rekey Lifetime : 86400 secs
Group Rekey

Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts :2
Group Retransmit
IPSec SA Number :1
IPSec SA Rekey Lifetime : 3600 secs

Profile Name : IPSPROFILE
Replay method : Count Based
Replay Window Size : 64

SA Rekey
160
VPN VPN- LAB MANUAL
ACL Configured : access-list site_b
Group Server list : Local

KS#show crypto gdoi ks policy
Key Server Policy:
For group site_a (handle: 2147483650) server 20.1.20.3 (handle: 2147483650):
# of teks : 1 Seq num : 0
KEK POLICY (transport type : Unicast)
spi : 0x26778C2AF4A83B1747C42DAC7CEA8D6
management alg : disabled encrypt alg : AES
crypto iv length : 16 key size : 32
orig life(sec) : 86400 remaining life(sec) : 86165
sig hash algorithm : enabled sig key length : 294
sig size : 256
sig key name : ccnp
TEK POLICY (encaps : ENCAPS_TUNNEL)
spi : 0xD17F4FD5 access-list : site_a
# of transforms :0 transform : ESP_AES
hmac alg : HMAC_AUTH_SHA
161
VPN VPN- LAB MANUAL
alg key size : 16 sig key size : 20
tek life(sec) : 3600 elapsed time(sec) : 234
antireplay window size: 64
Key Server Policy:
For group site_b (handle: 2147483651) server 20.1.20.3 (handle: 2147483651):
# of teks :1 Seq num : 0
KEK POLICY (transport type : Unicast)
spi : 0x91BA0BFE365FEBEB1CF752BBD5C726ED
management alg : disabled encrypt alg : AES
crypto iv length : 16 key size : 32
sig hash algorithm : enabled sig key length : 294
sig size : 256
sig key name : ccnp
TEK POLICY (encaps : ENCAPS_TUNNEL)
spi : 0xD4615608 access-list : site_b
# of transforms :0 transform : ESP_AES
hmac alg : HMAC_AUTH_SHA
162
VPN VPN- LAB MANUAL
alg key size : 16 sig key size : 20
tek life(sec) : 3600 elapsed time(sec) : 232
antireplay window size: 64
See both keys: TEK and KEK. KEK – for Rekey encryption, default lifetime 24 hours, default enrytpion
algorithm 3DES TEK – for traffic encryption between GMs, default lifetime 1 hour, encryption elgorith
depends on configured policy (no defaults).
KS# show crypto gdoi ks acl
Group Name: site_a
Configured ACL:
access-list site_a permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list site_a permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255
Group Name: site_b
Configured ACL:
access-list site_b permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list site_b permit ip 192.168.30.0 0.0.0.255 192.168.29.0 0.0.0.255
163
VPN VPN- LAB MANUAL
KS#show crypto gdoi ks members
Group Member Information:
Number of rekeys sent for group site_a :0
Group Member ID : 20.1.20.29
Group ID : 10
Group Name : site_a
Key Server ID : 20.1.20.3
Rekeys sent :0
Rekeys retries :0
Rekey Acks Rcvd :0
Rekey Acks missed :0
Sent seq num : 0 0 0 0
Rcvd seq num : 0 0 0 0
Group ID : 10
Group Name : site_a
164
VPN VPN- LAB MANUAL
Rekeys sent :0
Rekeys retries :0
Rekey Acks Rcvd :0
Number of rekeys sent for group site_b :0
Group ID : 20
Group Name : site_b
Rekeys sent :0
Rekeys retries :0
Rekey Acks Rcvd :0
165
VPN VPN- LAB MANUAL
Group ID : 20
Group Name : site_b
Rekeys sent :0
Rekeys retries :0
Rekey Acks Rcvd :0
KS# show crypto gdoi ks rekey
Group site_a (Unicast)
Number of Rekeys sent :0
Number of Rekeys retransmitted :0
KEK rekey lifetime (sec) : 86400
Remaining lifetime (sec) : 85978
Retransmit period : 10
Number of retransmissions :2
IPSec SA 1 lifetime (sec) : 3600
166
VPN VPN- LAB MANUAL
Group site_b (Unicast)
Number of Rekeys sent :0
Number of Rekeys retransmitted :0
KEK rekey lifetime (sec) : 86400
Retransmit period : 10
Number of retransmissions :2
IPSec SA 1 lifetime (sec) : 3600
We have configured that for Rekey phase. It is very important for Unicast Rekey that KS will retransmit
Rekey message if it didn’t receive ACK from the GM.
KS#show crypto isakmp sa
20.1.20.3 20.1.20.29 GDOI_IDLE 1001 0 ACTIVE
20.1.20.3 20.1.20.30 GDOI_IDLE 1002 0 ACTIVE
Note that ISAKMP SA is established between KS and GMs only. There is no ISAKMP SA between GMs.
167
VPN VPN- LAB MANUAL
KS#show crypto ipsec sa
No SAs found
There are no IPSec SA between KS and GMs. All is done using ISAKMP SA. After IKE Phase 1 establishes the
SA, the GDOI protocol uses it for GM Registration and Rekey.
The same bunch of commands are on GMs.
On R29
R29#show crypto gdoi gm
Group Member Information For Group site_a:
ACL Received From KS : gdoi_group_site_a_temp_acl
Group member : 20.1.20.29 vrf: mgmt
Local addr/port : 20.1.20.29/848
Remote addr/port : 20.1.20.3/848
fvrf/ivrf : mgmt/mgmt
Version : 1.0.17
Registration status : Registered
Registered with : 20.1.20.3
Re-registers in : 2845 sec
168
VPN VPN- LAB MANUAL
Succeeded registration :1
Attempted registration :1
Last rekey from : 0.0.0.0
Last rekey seq num :0
Unicast rekey received :0
Rekey ACKs sent :0
Rekey Received : never
DP Error Monitoring : OFF
IPSEC init reg executed :0
IPSEC init reg postponed :0
Active TEK Number :1
SA Track (OID/status) : disabled
Group Member Information For Group site_b:
ACL Received From KS : gdoi_group_site_b_temp_acl
Group member : 20.1.20.29 vrf: mgmt
Local addr/port : 20.1.20.29/848
Remote addr/port : 20.1.20.3/848
fvrf/ivrf : mgmt/mgmt
Version : 1.0.17
Registration status : Registered
169
VPN VPN- LAB MANUAL
Registered with : 20.1.20.3
Re-registers in : 2874 sec
Succeeded registration :1
Attempted registration :1
Last rekey from : 0.0.0.0
Last rekey seq num :0
Unicast rekey received :0
Rekey ACKs sent :0
Rekey Received : never
DP Error Monitoring : OFF
IPSEC init reg executed :0
IPSEC init reg postponed :0
Active TEK Number :1
SA Track (OID/status) : disabled
R29#show crypto gdoi gm acl
Group Name: site_a
ACL Downloaded From KS 20.1.20.3:
access-list permit ip 192.168.29.0 0.0.0.255 192.168.30.0 0.0.0.255
170
VPN VPN- LAB MANUAL
ACL Configured Locally:
ACL of default bypass policy for group-key management traffic:
GigabitEthernet0/0.100: None (registration/rekey occurs via vrf mgmt)
Group Name: site_b
ACL Downloaded From KS 20.1.20.3:
ACL Configured Locally:
ACL of default bypass policy for group-key management traffic:
GigabitEthernet0/0.200: None (registration/rekey occurs via vrf mgmt)
20.1.20.3 20.1.20.29 GDOI_IDLE 1001 ACTIVE
interface: GigabitEthernet0/0.100
171
VPN VPN- LAB MANUAL
Crypto map tag: site_a, local addr 20.1.45.29
protected vrf: site_a
Group: site_a
PERMIT, flags={}
GigabitEthernet0/0.100
current outbound spi: 0xD17F4FD5(3514781653)
inbound esp sas:
spi: 0xD17F4FD5(3514781653)
172
VPN VPN- LAB MANUAL
conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: site_a
sa timing: remaining key lifetime (sec): 2722
Kilobyte Volume Rekey has been disabled
IV size: 16 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD17F4FD5(3514781653)
IV size: 16 bytes
173
VPN VPN- LAB MANUAL
outbound ah sas:
outbound pcp sas:
Group: site_a
PERMIT, flags={}
current outbound spi: 0xD17F4FD5(3514781653)
174
VPN VPN- LAB MANUAL
inbound esp sas:
spi: 0xD17F4FD5(3514781653)
IV size: 16 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD17F4FD5(3514781653)
175
VPN VPN- LAB MANUAL
IV size: 16 bytes
outbound ah sas:
outbound pcp sas:
Crypto map tag: site_b, local addr 20.1.45.29
protected vrf: site_b
Group: site_b
PERMIT, flags={}
176
VPN VPN- LAB MANUAL
current outbound spi: 0xD4615608(3563148808)
inbound esp sas:
spi: 0xD4615608(3563148808)
conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: site_b
IV size: 16 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:
177
VPN VPN- LAB MANUAL
spi: 0xD4615608(3563148808)
IV size: 16 bytes
outbound ah sas:
outbound pcp sas:
Group: site_b
PERMIT, flags={}
178
VPN VPN- LAB MANUAL
current outbound spi: 0xD4615608(3563148808)
inbound esp sas:
spi: 0xD4615608(3563148808)
IV size: 16 bytes
inbound ah sas:
179
VPN VPN- LAB MANUAL
inbound pcp sas:
outbound esp sas:
spi: 0xD4615608(3563148808)
IV size: 16 bytes
outbound ah sas:
outbound pcp sas:
R29#ping vrf site_a 192.168.30.30 source loopback 100
!!!!!
180
VPN VPN- LAB MANUAL
Crypto map tag: site_a, local addr 20.1.45.29
Group: site_a
PERMIT, flags={}
R29#ping vrf site_b 192.168.30.30 source loopback 200
!!!!!
181
VPN VPN- LAB MANUAL
Crypto map tag: site_b, local addr 20.1.45.29
Group: site_b
PERMIT, flags={}
LAB-3.8: - FLEX VPN
182
VPN VPN- LAB MANUAL
TASK-1 CONFIGURE THE R14, R15 AND R16
 Configure the routes according to the topology
Configuration of Routers: -
Note Use GIGA ethernet instead fastethernet in all the routers
R14:
hostname R14
interface gi0/0
ip address 1.1.1.1 255.255.255.0

no sh
interface Loopback1
ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 1.1.1.10
R15:
hostname R15
interface GigabitEthernet0/0
ip address 2.2.2.2 255.255.255.0

no sh
183
VPN VPN- LAB MANUAL
interface Loopback1
ip address 192.168.2.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 2.2.2.10
R16:
ip address 1.1.1.10 255.255.255.0

no sh
ip address 2.2.2.10 255.255.255.0
no sh
TASK-2 SITE TO SITE WITH PSK - FLEX VPN – IKEV2
 Configure the IKEv2 proposal, policy, profile and keyring for the secure
communication between the 192.168.1.1 and 192.168.2.2 device on R14 and R15
respectively.
184
VPN VPN- LAB MANUAL
Configuration of Routers
R14: -
crypto ikev2 proposal ccnp-pro

encryption aes-cbc-128
integrity md5
group 2
crypto ikev2 policy ccnp-policy

proposal ccnp-pro
crypto ikev2 keyring ccnp-key

peer r15
address 2.2.2.2
pre-shared-key cisco
crypto ikev2 profile ccnp-profile

match identity remote address 2.2.2.2 255.255.255.255
authentication local pre-share

authentication remote pre-share
185
VPN VPN- LAB MANUAL
keyring local ccnp-key

mode tunnel

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
set peer 2.2.2.2

set ikev2-profile ccnp-profile
match address VPN

int gi0/0
crypto map CMAP
R15: -
crypto ikev2 proposal ccnp-pro
encryption aes-cbc-128
integrity md5
186
VPN VPN- LAB MANUAL
group 2
crypto ikev2 policy ccnp-policy

proposal ccnp-pro
crypto ikev2 keyring ccnp-key

peer r14
address 1.1.1.1
pre-shared-key cisco

permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto ikev2 profile ccnp-profile

match identity remote address 1.1.1.1 255.255.255.255
authentication local pre-share
authentication remote pre-share

keyring local ccnp-key

mode tunnel

set peer 1.1.1.1
187
VPN VPN- LAB MANUAL
set ikev2-profile ccnp-profile

match address VPN
int gi0/0
crypto map CMAP
R14#ping 192.168.2.2 source 192.168.1.1


.!!!!
R14#show crypto ikev2 proposal
IKEv2 proposal : ccnp-pro

Encryption : AES-CBC-128
Integrity : MD596
PRF : MD5
DH Group : DH_GROUP_1024_MODP/Group
2
IKEv2 proposal : default
Encryption : AES-CBC-256 AES-CBC-192 AES-

188
VPN VPN- LAB MANUAL
CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96

MD596
PRF : SHA512 SHA384 SHA256 SHA1
MD5
DH Group : DH_GROUP_1536_MODP/Group
5
DH_GROUP_1024_MODP/Group
2
R14#show crypto ikev2 policy

IKEv2 policy : ccnp-policy
Match fvrf : global

Match address local : any
Proposal : ccnp-pro
IKEv2 policy : default

Match fvrf : any
Match address local : any
Proposal : default
R14#show crypto ikev2 profile

189
VPN VPN- LAB MANUAL
IKEv2 profile : ccnp-profile

Ref Count :2
Match criteria:
Fvrf : global
Local address/interface : none
Identities : address 2.2.2.2 255.255.255.255
Certificate maps : none

Local identity : none
Remote identity : none
Local authentication method : pre-share

Remote authentication method(s) : pre-share
EAP options : none
Keyring : ccnp-key
Trustpoint(s) : none
Lifetime : 86400 seconds
DPD : disabled
NAT-keepalive : disabled
Ivrf : none
Virtual-template : none
mode auto : none
AAA AnyConnect EAP authentication mlist : none
AAA EAP authentication mlist : none

AAA Accounting : none
190
VPN VPN- LAB MANUAL
AAA group authorization : none
AAA user authorization : none
R14#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 1.1.1.1/500 2.2.2.2/500 none/none READY

Encr: AES-CBC, keysize: 128, PRF: MD5, Hash: MD596, DH Grp:2, Auth sign:
PSK, Auth verify: PSK
Life/Active Time: 86400/523 sec
IPv6 Crypto IKEv2 SA

191
VPN VPN- LAB MANUAL

GigabitEthernet0/0
current outbound spi: 0x2BDF8145(736067909)
inbound esp sas:

spi: 0xF0070CCE(4026993870)


IV size: 16 bytes
192
VPN VPN- LAB MANUAL
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x2BDF8145(736067909)

IV size: 16 bytes
193

VPN LLAB

Uploaded by

Copyright:

Available Formats

You might also like

VPN LLAB

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

VPN LLAB

Uploaded by

Copyright:

Available Formats

VPN VPN- LAB MANUAL

GOAL OF THE LAB

Multiple topology drawings are available for this chapter.

LAB-3.1: - SITE TO SITE VPN

corresponding interface IP of R16.

R14 Gi0/0 1.1.1.1/24

R15 Gi0/0 2.2.2.2/24

R16 Gi0/0 1.1.1.2/24

ip address 1.1.1.1 255.255.255.0

ip address 192.168.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 1.1.1.2

ip address 2.2.2.2 255.255.255.0

ip address 192.168.2.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 2.2.2.1

ip address 1.1.1.2 255.255.255.0

ip address 2.2.2.1 255.255.255.0

Interface IP-Address OK? Method Status

GigabitEthernet0/0 1.1.1.1 YES manual up up

Loopback1 192.168.1.1 YES manual up up

R15#show ip route static

S* 0.0.0.0/0 [1/0] via 1.1.1.2

1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 1.1.1.0/24 is directly connected , GigabitEthernet0/0

L 1.1.1.1/32 is directly connected, GigabitEthernet0/0

192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks

C 192.168.1.0/24 is directly connected, Loopback1

L 192.168.1.1/32 is directly connected, Loopback1

R15# show ip interface brief

Interface IP-Address OK? Method Status

GigabitEthernet0/0 2.2.2.2 YES manual up up

Loopback1 192.168.2.2 YES manual up up

R15#show ip route static

S* 0.0.0.0/0 [1/0] via 2.2.2.1

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 1.1.1.2 YES manual up up

GigabitEthernet0/1 2.2.2.1 YES manual up up

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/32 ms

TASK1 SITE TO SITE IPSEC VPN (IOS-IOS) R14-R15

between IP addresses 192.168.1.1 and 192.168.2.2 using the following policy:

ISAKMP Policy IPSec Policy

Authentication: Pre-share Encryption: esp-aes

crypto isakmp policy 10

crypto isakmp key cisco address 2.2.2.2

crypto ipsec transform-set TS esp-aes esp-sha-hmac

ip access-list extended VPN

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp

set peer 2.2.2.2

match address VPN

crypto map CMAP

crypto isakmp policy 10

crypto isakmp key cisco address 1.1.1.1

crypto ipsec transform-set TS esp-aes esp-sha-hmac

ip access-list extended VPN