L VPN
VPN lab
Tunneling
VPN: Virtual Private Network
GRE: Generic Routing Encapsulation
Difference from NAT
On the first router (R1):
R1(config)#interface tunnel 1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#tunnel destination 2.2.2.2
R1(config-if)#tunnel source g0/0
R1(config-if)#exit
R1(config)#ip route 192.168.2.0 255.255.255.0 172.16.1.2
On the second router (R2):
R2(config)#interface tunnel 1
R2(config-if)#ip address 172.16.1.2 255.255.255.0
R2(config-if)#tunnel destination 1.1.1.1
R2(config-if)#tunnel source g0/0
R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 172.16.1.1
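To show what the GRE tunnel configured above actually puts on the wire, here is an added Python example (it is not part of the lab slides). It builds the outer IPv4/GRE encapsulation R1 applies and then decapsulates it the way R2 would. The tunnel endpoints 1.1.1.1 and 2.2.2.2 match the configuration above; the inner hosts 192.168.1.10 and 192.168.2.10 and the ICMP payload are constructed sample values. The inner addresses and payload come straight out of the bytes: plain GRE gives no confidentiality, which is why the next part of the lab adds IPsec.

```python
"""GRE encapsulation/decapsulation (added example, not from the lab slides)."""
import socket
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum (no options)."""
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What 'tunnel source'/'tunnel destination' produce: outer IPv4 (proto 47) + 4-byte GRE header + inner packet."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no C/K/S bits, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header, verify its checksum, and return fields plus payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "ttl": ttl, "payload": packet[ihl:total_len]}


def gre_decapsulate(packet: bytes) -> dict:
    """Strip outer IPv4 + GRE as the far-end router does; the inner packet is readable in cleartext."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("outer packet is not GRE (protocol %d)" % outer["proto"])
    gre = outer["payload"]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto_type = struct.unpack("!HH", gre[:4])
    if flags_ver & 0x0007:        # RFC 2784 GRE is version 0
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xB000:        # C, K or S bit set: optional fields present, not handled here
        raise ValueError("GRE optional fields not supported in this example")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4 (0x%04x)" % proto_type)
    inner = parse_ipv4(gre[4:])
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": inner["src"], "inner_dst": inner["dst"],
            "inner_proto": inner["proto"], "inner_payload": inner["payload"]}


# Constructed sample: an ICMP echo request from a host on R1's LAN to a host on R2's LAN.
SAMPLE_ICMP = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"hello-from-site-1"
SAMPLE_INNER = ipv4_header("192.168.1.10", "192.168.2.10", 1, len(SAMPLE_ICMP)) + SAMPLE_ICMP
SAMPLE_WIRE = gre_encapsulate(SAMPLE_INNER, "1.1.1.1", "2.2.2.2")

if __name__ == "__main__":
    print(gre_decapsulate(SAMPLE_WIRE))
```

The decapsulation rejects anything that is not plain version-0 GRE carrying IPv4, so a stray packet with the checksum, key or sequence bits set fails closed instead of being misparsed.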
VPN (encrypted)
Site-to-site VPN (first site)
ISAKMP protocol (Phase 1: set the policies)
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 128
R1(config-isakmp)#group 5
R1(config-isakmp)#hash md5
Lifetime of the session (seconds):
R1(config-isakmp)#lifetime 86400
Phase 2 (IKE): negotiate the parameters used to encrypt the data
R1(config)#crypto isakmp key cisco address 2.2.2.2
R1(config)#crypto ipsec transform-set cnds-set esp-aes esp-sha-hmac
(esp-ah is not a valid transform keyword; esp-sha-hmac supplies the ESP integrity check)
Phase 3: access-list to select the traffic the VPN applies to, plus the crypto map
R1(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
R1(config)#interface s0/0
R1(config-if)#crypto map mymap
R1(config)#crypto map mymap 5 ipsec-isakmp
R1(config-crypto-map)#set peer 2.2.2.2 (public IP of the other branch)
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set transform-set cnds-set
Note
A route to the remote network must exist (the lab uses a dynamic routing protocol) so that the traffic matched by access-list 100 is sent out the interface that carries the crypto map.
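The lab's Phase 1 policy uses MD5 hashing and DH group 5, which current Cisco guidance (Next Generation Encryption) classes as legacy. The added Python example below, which is not part of the lab slides, audits an IOS running-config for those choices: it parses each crypto isakmp policy block, the transform sets and the pre-shared key lines, and returns findings. The sample configuration is constructed from the lab's own commands in the form show running-config prints them; the 16-character minimum for the pre-shared key is this example's own threshold, not an IOS rule.

```python
"""Audit a Cisco IOS IPsec/ISAKMP configuration for legacy crypto choices (added example)."""
import re

# Cisco NGE guidance treats MD5, DH groups 1/2/5 and DES/3DES as legacy.
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_ESP_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
INTEGRITY_TRANSFORM = re.compile(r"^(esp|ah)-(md5|sha|sha256|sha384|sha512)-hmac$")
MIN_PSK_LENGTH = 16  # assumed threshold for this example


def parse_isakmp_policies(config):
    """Map each 'crypto isakmp policy N' block to its indented sub-commands {keyword: value}."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and raw.startswith(" ") and line:
            key, _, value = line.partition(" ")
            current[key] = value
        else:
            current = None  # any non-indented line ends the policy block
    return policies


def audit_config(config):
    """Return a list of (severity, message) findings for weak IKE/IPsec settings."""
    findings = []
    for num, policy in parse_isakmp_policies(config).items():
        where = "isakmp policy %s" % num
        hash_alg = policy.get("hash", "sha")             # IOS default hash is SHA-1
        if hash_alg in WEAK_HASHES:
            findings.append(("high", "%s: hash %s is legacy; use sha256 or stronger" % (where, hash_alg)))
        group = policy.get("group", "1")                 # IOS default DH group is 1
        if group in WEAK_DH_GROUPS:
            findings.append(("high", "%s: DH group %s is legacy; use group 14 or stronger" % (where, group)))
        encr = policy.get("encryption", policy.get("encr", "des")).split()[0]  # IOS default is DES
        if encr in WEAK_ENCRYPTION:
            findings.append(("high", "%s: encryption %s is legacy; use aes" % (where, encr)))
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        name, transforms = m.group(1), m.group(2).split()
        if any(t in WEAK_ESP_CIPHERS for t in transforms):
            findings.append(("high", "transform-set %s: legacy cipher; use esp-aes or esp-gcm" % name))
        has_integrity = any(INTEGRITY_TRANSFORM.match(t) or t.startswith("esp-gcm") for t in transforms)
        if not has_integrity:
            findings.append(("high", "transform-set %s: no integrity transform (ESP without authentication)" % name))
        if any(t in ("esp-md5-hmac", "ah-md5-hmac") for t in transforms):
            findings.append(("medium", "transform-set %s: MD5 HMAC is legacy; use esp-sha256-hmac" % name))
    for m in re.finditer(r"^crypto isakmp key (?:(\d) )?(\S+) address (\S+)", config, re.M):
        key_type, key, peer = m.group(1), m.group(2), m.group(3)
        if key_type == "6":
            continue  # stored encrypted ('key 6'); the plaintext length is not visible
        if len(key) < MIN_PSK_LENGTH:
            findings.append(("medium", "pre-shared key for %s is only %d characters" % (peer, len(key))))
    return findings


# Constructed from the lab's commands, in running-config form (lifetime 86400 is the default and is not shown).
LAB_CONFIG = """\
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco address 2.2.2.2
!
crypto ipsec transform-set cnds-set esp-aes esp-sha-hmac
 mode tunnel
!
crypto map mymap 5 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set cnds-set
 match address 100
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
"""

# Constructed hardened counterpart for comparison.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 REDACTED-ENCRYPTED-KEY address 2.2.2.2
!
crypto ipsec transform-set hardened-set esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for severity, message in audit_config(LAB_CONFIG):
        print(severity, message)
```

Run it against the output of show running-config | section crypto; the lab configuration produces three findings (MD5 hash, DH group 5, short pre-shared key), and the hardened configuration produces none.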
R1#show crypto isakmp sa
R1#show crypto isakmp key
R1#show crypto isakmp policy (shows the configured and the default policy)
R1#show crypto session
R1#show crypto ipsec sa
R1#show crypto ipsec transform-set
R1#show crypto map
R1#show access-list