
IPsec VPN

Scenario

Configurations on R1
Configuration on R1 involves the following steps:
STEP 1:
Configuring IP addresses on interfaces and sub-interfaces
Applying OSPF
Applying inter-VLAN routing
STEP 2:
Defining and applying an ACL
STEP 3:
Configuring ISAKMP phase 1
Configuring ISAKMP phase 2 (IPsec phase)
Applying IPsec to the interface

STEP 1:
R1#conf t
R1(config)#interface f1/1
R1(config-if)#no shut
R1(config-if)#exit
! One 802.1Q sub-interface per VLAN; each is the gateway of its VLAN and is advertised into OSPF area 0
R1(config)#interface f1/1.10
R1(config-subif)#no shut
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip address 192.168.1.1 255.255.255.0
R1(config-subif)#ip ospf 1 area 0
R1(config-subif)#exit
R1(config)#interface f1/1.20
R1(config-subif)#no shut
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip address 192.168.2.1 255.255.255.0
R1(config-subif)#ip ospf 1 area 0
R1(config-subif)#exit
R1(config)#interface f1/1.30
R1(config-subif)#encapsulation dot1Q 30
R1(config-subif)#ip address 192.168.3.1 255.255.255.0
R1(config-subif)#ip ospf 1 area 0
R1(config-subif)#no shut
R1(config-subif)#exit

! WAN interface towards R2; the crypto map is applied here in STEP 3
R1(config)#interface f1/0
R1(config-if)#no shut
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#ip ospf 1 area 0
R1(config-if)#exit
STEP 2:
! Interface ACL: only the three LAN-to-LAN pairs and the AH/ESP/IKE traffic to the peer may leave f1/0; everything else hits the implicit deny
R1(config)#ip access-list extended block
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
R1(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
R1(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
R1(config-ext-nacl)#permit ahp 1.1.1.1 0.0.0.0 2.1.1.2 0.0.0.0
R1(config-ext-nacl)#permit esp 1.1.1.1 0.0.0.0 2.1.1.2 0.0.0.0
R1(config-ext-nacl)#permit udp 1.1.1.1 0.0.0.0 2.1.1.2 0.0.0.0
R1(config-ext-nacl)#exit
R1(config)#interface f1/0
R1(config-if)#ip access-group block out
R1(config-if)#exit
STEP 3:
ISAKMP PHASE 1
! IKE policy: every attribute must match the peer's policy or phase 1 never completes
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
! Pre-shared key "nsl", bound to the peer's address
R1(config)#crypto isakmp key nsl address 2.1.1.2
! Crypto ACL: the traffic the crypto map will protect; the peer's crypto ACL must be its mirror image
R1(config)#ip access-list extended acl
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
R1(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
R1(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
R1(config-ext-nacl)#exit
ISAKMP PHASE 2
R1(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto map cmap 10 ipsec-isakmp
R1(config-crypto-map)#set peer 2.1.1.2
R1(config-crypto-map)#set transform-set TS
R1(config-crypto-map)#match address acl
R1(config-crypto-map)#exit
R1(config)#interface f1/0
R1(config-if)#crypto map cmap
R1(config-if)#exit

Configurations on R2
Configuration on R2 involves:
Configuring IP addresses on interfaces
Applying OSPF

! R2 sits between the two sites and runs OSPF in both areas; it only forwards the tunnel traffic and carries no crypto configuration
R2(config)#interface f1/0
R2(config-if)#no shut
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#ip ospf 1 area 0
R2(config-if)#exit
R2(config)#interface f1/1
R2(config-if)#no shut
R2(config-if)#ip address 2.1.1.1 255.0.0.0
R2(config-if)#ip ospf 1 area 1
R2(config-if)#exit

Configurations on R3
Configuration on R3 involves the following steps:
STEP 1:
Configuring IP addresses on interfaces and sub-interfaces
Applying OSPF
Applying inter-VLAN routing
STEP 2:
Configuring ISAKMP phase 1
Configuring ISAKMP phase 2 (IPsec phase)
Applying IPsec to the interface

STEP 1:
R3#conf t
R3(config)#interface f1/1
R3(config-if)#no shut
R3(config-if)#exit
! One 802.1Q sub-interface per VLAN, advertised into OSPF area 1
R3(config)#interface f1/1.10
R3(config-subif)#no shut
R3(config-subif)#encapsulation dot1Q 10
R3(config-subif)#ip address 192.168.4.1 255.255.255.0
R3(config-subif)#ip ospf 1 area 1
R3(config-subif)#exit
R3(config)#interface f1/1.20
R3(config-subif)#no shut
R3(config-subif)#encapsulation dot1Q 20
R3(config-subif)#ip address 192.168.5.1 255.255.255.0
R3(config-subif)#ip ospf 1 area 1
R3(config-subif)#exit
R3(config)#interface f1/1.30
R3(config-subif)#encapsulation dot1Q 30
R3(config-subif)#ip address 192.168.6.1 255.255.255.0
R3(config-subif)#ip ospf 1 area 1
R3(config-subif)#no shut
R3(config-subif)#exit
! WAN interface towards R2
R3(config)#interface f1/0
R3(config-if)#no shut
R3(config-if)#ip address 2.1.1.2 255.0.0.0
R3(config-if)#ip ospf 1 area 1
R3(config-if)#exit
STEP 2:
ISAKMP PHASE 1
! Identical IKE policy to R1
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#hash md5
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#exit
! Same pre-shared key, bound to R1's address
R3(config)#crypto isakmp key nsl address 1.1.1.1
! Crypto ACL: mirror image of R1's (source and destination swapped)
R3(config)#ip access-list extended acl
R3(config-ext-nacl)#permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config-ext-nacl)#permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
R3(config-ext-nacl)#permit ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
R3(config-ext-nacl)#exit
ISAKMP PHASE 2
R3(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto map cmap 10 ipsec-isakmp
R3(config-crypto-map)#set peer 1.1.1.1
R3(config-crypto-map)#set transform-set TS
R3(config-crypto-map)#match address acl
R3(config-crypto-map)#exit
R3(config)#interface f1/0
R3(config-if)#crypto map cmap
R3(config-if)#exit
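The R1 and R3 crypto configurations above have to agree with each other attribute for attribute: same ISAKMP policy, same transform set, each side's `set peer` and pre-shared key pointing at the other's WAN address, and crypto ACLs that are mirror images. The following checker is an added example, not part of the lab; it takes the two configurations transcribed into running-config form as constructed strings (the `R1_CFG` and `R3_CFG` literals are assumptions, not captured output), reports any mismatch that would keep the tunnel from coming up, and separately lists the algorithm choices (3DES, MD5, DH group 2) that are legacy options today.

```python
import ipaddress

# Constructed transcription of the R1 and R3 crypto configuration from the lab,
# in running-config form: sample input for the checker, not captured router output.
R1_CFG = """
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key nsl address 2.1.1.2
ip access-list extended acl
 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map cmap 10 ipsec-isakmp
 set peer 2.1.1.2
 match address acl
interface FastEthernet1/0
 ip address 1.1.1.1 255.0.0.0
 crypto map cmap
"""
R3_CFG = """
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key nsl address 1.1.1.1
ip access-list extended acl
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map cmap 10 ipsec-isakmp
 set peer 1.1.1.1
 match address acl
interface FastEthernet1/0
 ip address 2.1.1.2 255.0.0.0
 crypto map cmap
"""
# Algorithm choices that are no longer considered strong for new deployments.
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"},
          "transform": {"esp-des", "esp-3des", "esp-md5-hmac"}}

def parse_router(cfg):
    """Extract the attributes of one side that must agree with the peer."""
    info = {"policy": {}, "acl": set(), "transform": (), "peer": None, "key_peer": None, "local": None}
    section = None
    for raw in cfg.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if not raw.startswith(" "):  # top-level command: opens a new section
            section = next((s for s in ("crypto isakmp policy", "ip access-list", "crypto map", "interface")
                            if raw.startswith(s)), None)
            if raw.startswith("crypto isakmp key"):
                info["key_peer"] = parts[-1]
            elif raw.startswith("crypto ipsec transform-set"):
                info["transform"] = tuple(sorted(parts[4:]))
        elif section == "crypto isakmp policy":
            info["policy"][parts[0]] = " ".join(parts[1:])
        elif section == "ip access-list" and parts[0] == "permit":  # permit ip SRC WILDCARD DST WILDCARD
            info["acl"].add((ipaddress.ip_network(f"{parts[2]}/{parts[3]}"),
                             ipaddress.ip_network(f"{parts[4]}/{parts[5]}")))
        elif section == "crypto map" and parts[:2] == ["set", "peer"]:
            info["peer"] = parts[2]
        elif section == "interface" and parts[:2] == ["ip", "address"]:
            info["local"] = parts[2]
    return info

def compare(a, b):
    """Return the findings that would stop the tunnel; an empty list means both sides agree."""
    findings = []
    for attr in sorted(set(a["policy"]) | set(b["policy"])):
        if a["policy"].get(attr) != b["policy"].get(attr):
            findings.append(f"ISAKMP policy mismatch on {attr}: {a['policy'].get(attr)} vs {b['policy'].get(attr)}")
    if a["transform"] != b["transform"]:
        findings.append(f"transform-set mismatch: {a['transform']} vs {b['transform']}")
    for me, other in ((a, b), (b, a)):
        if me["peer"] != other["local"]:
            findings.append(f"{me['local']}: set peer {me['peer']} is not the other side's address {other['local']}")
        if me["key_peer"] != other["local"]:
            findings.append(f"{me['local']}: pre-shared key is bound to {me['key_peer']}, not to {other['local']}")
    if a["acl"] != {(dst, src) for src, dst in b["acl"]}:  # crypto ACLs must be mirror images
        findings.append("crypto ACLs are not mirror images of each other")
    return findings

def legacy_algorithms(info):
    """List the phase 1 / phase 2 choices of one side that fall in the LEGACY table."""
    found = [f"{k} {v}" for k, v in info["policy"].items() if v in LEGACY.get(k, ())]
    return found + [t for t in info["transform"] if t in LEGACY["transform"]]

if __name__ == "__main__":
    r1, r3 = parse_router(R1_CFG), parse_router(R3_CFG)
    print("\n".join(compare(r1, r3)) or "R1 and R3 agree on policy, transform set, peers, key binding and crypto ACLs")
    for name, info in (("R1", r1), ("R3", r3)):
        print(f"{name} legacy algorithms: {', '.join(legacy_algorithms(info))}")
```

For the configurations on this page the comparison comes back clean and the legacy list contains `encryption 3des`, `hash md5`, `group 2`, `esp-3des` and `esp-md5-hmac`. Changing one attribute on either side (for example `hash md5` to `hash sha` on R3 only, or editing one network in one crypto ACL) produces a finding, which is the same failure the router would report as a phase 1 or phase 2 negotiation error.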

Configurations on SW-1 and SW-2
Configuration on SW-1 and SW-2 involves:
Defining the mode of the ports
Configuring VLANs for the interfaces

! Shown once and applied to both switches: f1/0 trunks to the router, f1/1 to f1/3 are access ports in VLANs 10, 20 and 30
R4-SW#conf t
R4-SW(config)#interface f1/0
R4-SW(config-if)#no shut
R4-SW(config-if)#switchport mode trunk
R4-SW(config-if)#exit
R4-SW(config)#end
R4-SW#vlan database
R4-SW(vlan)#vlan 10
R4-SW(vlan)#vlan 20
R4-SW(vlan)#vlan 30
R4-SW(vlan)#exit
R4-SW#conf t
R4-SW(config)#interface f1/1
R4-SW(config-if)#no shut
R4-SW(config-if)#switchport mode access
R4-SW(config-if)#switchport access vlan 10
R4-SW(config-if)#exit
R4-SW(config)#interface f1/2
R4-SW(config-if)#no shut
R4-SW(config-if)#switchport mode access
R4-SW(config-if)#switchport access vlan 20
R4-SW(config-if)#exit
R4-SW(config)#interface f1/3
R4-SW(config-if)#no shut
R4-SW(config-if)#switchport mode access
R4-SW(config-if)#switchport access vlan 30
R4-SW(config-if)#exit

TESTING
Send pings from PC-1 to the other PCs and analyze the ESP packets in Wireshark.
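What the capture on the R1-R2-R3 path shows is the point of the test: each ping between the sites travels as an ESP packet (IP protocol 50) between 1.1.1.1 and 2.1.1.2, and only the outer addresses, the SPI and the sequence number are readable, while the original ICMP packet with its 192.168.x.x addresses is inside the encrypted part. The script below is an added example, not part of the lab: it builds a constructed IPv4/ESP packet (the ciphertext bytes are a stand-in, not real output of the transform set), dissects it the way Wireshark's ESP dissector does, and applies the receiver's anti-replay window from RFC 4303 to the sequence numbers so that a replayed or stale packet is rejected.

```python
import ipaddress
import struct

ESP_PROTO = 50  # IP protocol number carried in the outer IPv4 header for ESP

def build_ipv4_esp(src, dst, spi, seq, ciphertext):
    """Construct a minimal IPv4 packet carrying ESP (header checksum left at 0).
    The ciphertext is an opaque stand-in for the encrypted inner packet."""
    total = 20 + 8 + len(ciphertext)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, ESP_PROTO, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + struct.pack("!II", spi, seq) + ciphertext

def dissect(pkt):
    """Return the cleartext fields of an IPv4/ESP packet: outer addresses, SPI,
    sequence number and the length of the opaque (encrypted) remainder."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != ESP_PROTO:
        raise ValueError(f"not an ESP packet (protocol {proto})")
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "spi": spi, "seq": seq, "opaque_len": total - ihl - 8}

class ReplayWindow:
    """RFC 4303 anti-replay check: a sliding window of `size` sequence numbers
    below the highest one accepted; bit i of the bitmap marks top - i as seen."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number top - i already received

    def accept(self, seq):
        """Return True and record seq if it is new and inside the window,
        False if it is a replay, too old, or the reserved value 0."""
        if seq == 0:
            return False
        if seq > self.top:            # advances the window; old entries shift out
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:         # older than the window: drop
            return False
        if self.bitmap & (1 << diff): # already received: replay
            return False
        self.bitmap |= 1 << diff      # late but new: accept once
        return True

if __name__ == "__main__":
    pkt = build_ipv4_esp("1.1.1.1", "2.1.1.2", 0x1000ABCD, 7, b"\xa5" * 32)
    print(dissect(pkt))
    w = ReplayWindow()
    print([w.accept(s) for s in (1, 3, 2, 2, 1000, 900)])  # [True, True, True, False, True, False]
```

The dissected packet gives the same view as the Wireshark ESP pane: source 1.1.1.1, destination 2.1.1.2, SPI and sequence number, then 32 opaque bytes. The replay window illustrates why the sequence number is in the clear: the receiver uses it to discard duplicates before decrypting, which is what makes a captured-and-resent ESP packet useless.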
