Final - Book Test

NATIONAL COLLEGE OF BUSINESS
ADMINISTRATION & ECONOMICS

MULTAN
Virtual Private Network Connection Using IPsec Protocol
BY
Muhammad Saqib Sultan
MASTER OF SCIENCE
IN
COMPUTER SCIENCE
January, 2021

1
MULTAN
BY
A Project Report submitted to

School of Computer Sciences in partial fulfillment of the
requirements for the degree of
MASTER OF SCIENCE
IN
COMPUTER SCIENCE
January, 2021

MULTAN
BY
2
A Project Report submitted to School of Computer Sciences, in partial
fulfillment of the requirements for the degree of
MASTER OF SCIENCE
IN
COMPUTER SCIENCE
Dissertation Committee:
____________________________
Chairman
____________________________
Member
____________________________
Member
_______________________
Pro-Rector
National College of Business
Administration & Economics Multan
3
DECLARATION

This is to certify that this project work has not been submitted for
obtaining similar degree from any other university/college.
4
January, 2021
PROJECT COMPLEITION CERTIFICATE
It is certified that the project work contained in this project entitled

“Virtual Private Network Connection Using IPsec Protocol” has been carried
out and completed by Muhammad Saqib Sultan under my supervision during
her MCS program.
5
(Mr. Ismail Kashif)
Supervisor
National College of Business Administration & Economics

Multan Campus
Wapda town campus Multan
COURSE COMPLETION CERTIFICATE
Ref. Dated:
6
It is certified that Course requirements of Ms. Muhammad Saqib Sultan
Registration No. MTN-19-8751 having current CGPA for the program
Computer Science has been completed.
Prof. Dr. Farkhand Shakeel Prof. Dr. G R Pasha

Director (R&D) Pro-Rector
Copy to
1. The Director NCBA&E Lahore
2. The Director NCBA&E Multan Campus.
3. Notification file.
DEDICATION
We are grateful to ALLAH ALMIGHTY, for enabling us to fulfill this tiring, but
interesting job for the completion of our report. We dedicate this project to our Parents,
Family Members, and Teachers and group member”. Because; Whatever we are it’s because
of our parents and Family Member. Our teacher makes us able to face different challenges and
win those challenges. Last but not least group member, who support us a lot and contribute
their full effort to make this project possible. In the Last, Special Thanks to whole all the
teachers who helped us a lot and without whom it could might never possible.
7
ACKNOWLEDGEMENT
First and foremost, I offer my sincerest and countless gratitude to The Almighty
ALLAH, the one and only, the Most Beneficent and the Most Merciful, for making me what I
am today and for giving me the ability and opportunity to learn and progress.
I am really indebted & grateful to my Holy Prophet whose blessings are all time
with me;Indeed, He is with me.
8
I hereby would like to express my deepest gratitude to those following persons that
have supported and guided me to complete my thesis. If it weren’t for them, this thesis would
not be possible. Without them, I would not be able to fulfill my goals and feel strong enough
to finish what I have started.
I hereby would like to express my deepest gratitude to those following persons that
have supported and guided me to complete my thesis. If it weren’t for them, this thesis would
not be possible. Without them, I would not be able to fulfill my goals and feel strong enough
to finish what I have started.
First of all, I am greatly thankful to Prof. Dr. Farkhand Shakeel Director R&D
NCBA&E Multan Campus for his valuable advices from time to time.
A special thanks to Mr. Ismail Kashif for her keen interest, inspiring guidance, and
constructive criticism that enabled us in completion of this research work. Without whose
motivation and encouragement, we would not have considered a graduate career in this
research. He is the one who truly made a difference in our life. It was under his tutelage that
we developed a focus and became interested in Computer Networking. He provided us with
direction, technical support and became more of a mentor and friend, than a teacher. It was
though his, persistence, understanding and kindness that we completed our Master’s degree
and were encouraged to apply for further training. We doubt that we will ever be able to
convey our appreciation fully, but we owe him our eternal gratitude.
ABSTRACT
In this paper, we consider optimizing a smooth, convex, lower semicontinuous

function in Riemannian space with constraints. To solve the problem, we first convert it to a
dual problem and then propose a general primal-dual algorithm to optimize the primal and
dual variables iteratively. In each optimization iteration, we employ a proximal operator to
search optimal solution in the primal space. We prove convergence of the proposed algorithm
and show its non-asymptotic convergence rate. By utilizing the proposed primal-dual
optimization technique, we propose a novel metric learning algorithm which learns an
optimal feature transformation matrix in the Riemannian space of positive definite matrices.
9
Preliminary experimental results on an optimal fund selection problem in fund of funds
(FOF) management for quantitative investment showed its efficacy.
SUMMARY
In first chapter, we studied Interior Gateway Routing Protocol (EIGRP) is a classless

routing protocol capable of support for CIDR. By default, EIGRP summarizes the routes
within the routes within the routing table and forwards these summarized routes to its peers.
This may have adverse impact within heterogeneous routing environments with dis
contiguoussub-nets. That is, we ask questions about what we are connecting and why we are
connecting. After all we can check our network that we can achieved our desired output in
different ways.
10
The second chapter of this study reviews literatures related to the study. In this
chapter various concepts that relates to networks and security which involves in developing a
secure network in different ways. We can secure a network by tunneling method or to make a
tunnel between different layers. Basically we secure internet protocol on network layer.
The purpose of third part of study is to present and discuss the selections made to
develop a secure network by implementing IPsec VPN tunnel. We can perform the whole
scenario on Packet Tracer. And the experimental work that we performed on Packet Tracer
for making secure Network by securing internet protocol by creating a VPN tunnel between
different networks. In IPsec number of protocols are used which are internet key exchange
(IKE) which further have sub protocols like Isakmp and Oakley. And other protocols are also
used which are encapsulating security payload (ESP) and authentication header (AH).
In the last part of this project, a summary of the results is presented which provides
answers to project questions about network security and the future work about internet
protocol security.
TABLE OF CONTENTS
DECLARATION IV
PROJECT COMPLETION CERTIFICATE V
DEDICATION VII
ABSTRACT VIII
SUMMARY IX
2. 2 Basics of VPNs .......................................................................................................... 5

2.1 Site-to-site VPN........................................................................................................... 5
2.2 Site-to-site GRE Tunnel............................................................................................. 6
2.3 IPSec Remote Access VPN........................................................................................ 6
2.4 IPSec VPN...................................................................................................................... 7
2.5 Secure Sockets Layer (SSL)...................................................................................... 9
2.6 Transport Layer Security (TLS) ...........................................................................11
2.7 Clientless Secure Sockets Layer (SSL) VPN .......................................................12
11
2.8 SSL Portal VPN versus SSL Tunnel VPN..............................................................12
3. 3 VPN Implementation............................................................................................13
3.1 Cisco Configuration Professional Software.......................................................13
3.2 Implementing Site-to-site VPN at Main Site using CCP ..................................13
3.3 Detailed CLI site-to-site VPN Command Breakdown…...................................15
3.4 Implementing Remote Access IPSec VPN using CCP.......................................16
3.5 Detailed CLI Easy VPN Server Command Breakdown....................................18
3.6 Implementing SSL VPN Gateway at Main Office using CCP ...........................20
3.7 Detailed CLI SSL VPN Command Breakdown....................................................22
4. 4 Testing VPN Functionality..................................................................................25
4.1 Testing Site-to-site VPN Functionality ...............................................................25
4.2 Testing IPSec Remote Access VPN Functionality............................................27
4.3 Testing SSL VPN Functionality..............................................................................29
5. 5 VPN Comparison ...................................................................................................33
6. 6 Conclusion.....................................
1 Chapter 1
1 Introduction
The costs to a business and its reputation from stolen, manipulated or corrupted data can be
devastating. Before the advent of the Internet, sensitive business documents were safeguarded
by either placing them in a secure location (bank vault, locked filing cabinet, etc…) or by
using some simple type of cryptography such as substitution ciphers. These ciphers replaced
the characters in the original message with other symbols, digits or letters. This meant that
the encrypted message could only be decoded by someone who possessed knowledge of the
make-up of the substitution cipher. Unless, of course, an outside party was able to “crack” the
coded message without having actual knowledge of the substitution cipher. [3] This process
of looking for ways to encrypt data in the most secure manner possible while staying one step
ahead of those looking to decrypt that same data has continued for centuries. However, two
major differences have occurred in the field of cryptography and secure communications
since the advent of computing and the Internet: 1) Access to information (even of the most
private kind) has never been easier to obtain since much of the information is no longer
physically secured and 2) Even some of the most secure methods of encryption can not
withstand the computational onslaught of machines dedicated to running trillions of
calculations per second. [4] In order to prevent unauthorized access to sensitive business
materials as they traverse the Internet, the concept of Virtual Private Networks (VPNs) was
invented. Richard Deal, in his book, “The Complete Cisco VPN Configuration Guide”,
defines a VPN in its simplest form “as a connection, typically protected, between two entities
that are not necessarily directed connected.” [1] He goes on to state that a good VPN solution
will typically address all of the below points:  Using encryption technologies (DES, 3DES
and AES) to prevent unauthorized individuals from viewing the contents of your IP packets
even if a rogue user is able to capture the packets as they traverse the Internet  Protecting
these packets from manipulation by using a hashing function such as MD5 or SHA 
Preventing a rogue device/user from inserting themselves in the middle of your IP
“conversation” by implementing authentication methods using preshared keys or digital
certificates  Defining which traffic needs to be secured and how to best secure this traffic
using encryption, authentication and integrity checking [1] Virtual Private Networks 2 1.1
12
Project Background This project is based on a fictional real estate company (Cheap Flats) that
started with one main office and a few sales representatives. A sample (deprecated) topology
of the company's existing network can be found below the Methodology section 1.4. After
tremendous growth in their primary market, the company was looking to expand its
operations and open a remote branch office in a city several hundred miles away from their
main office. The branch office will be considerably smaller than the main office, consisting
only a few real estate agents and an office manager. 1.2 Objectives The main objective for
this project was to assist Cheap Flats with establishing secure data communications between
their new remote branch office and the main office. Since a point-to-point serial connection
has been deemed too costly, the company wanted to implement a VPN solution using their
existing Internet connections consisting of a high-speed fiber connection at the main office
and an ADSL connection at the remote branch. Below are some of the prerequisites that were
specified by the company president: 1. Workers at the remote branch shall be able to connect
securely to the main office LAN using their PCs. 2. The remote branch office employees
need access to the following services on the main office LAN: client database stored on web
server, email stored on local server, legacy Excel program for creating new apartment rental
listings and lastly the company Intranet containing important rules/regulations pertaining to
new listings. 3. The VPN shall be implemented in the most expedient manner possible since
the new branch is scheduled to be up and running by the end of 2013. 4. Since this year has
been especially profitable up to this point, the purchase of new networking equipment up to
$10,000 has been sanctioned if necessary. 1.3 Project Goals Our project goals were to
configure and test three different types of VPNs in order to confirm that the VPN best suited
to meet all of the prerequisites laid out by the company president under the objectives section
above is an IPSec Client VPN. In order to do this, we implemented and tested the following
types of VPNs: 1) Site-to-site: Tunnel mode connection between VPN gateways. The process
of encrypting and transferring data between networks is transparent to end-users. [1] 2) IPSec
client: Network Layer VPN for both network-to-network and remote-access deployments.
End-users will need to run either Cisco or Open Source VPN software on their PCs. 3)
Clientless SSL: “Remote-access VPN technology that provides Presentation Layer encryption
services for Applications through local redirection on the client.” [2] VPN 3 Chapter 1:
Introduction communications are established using a browser rather than specific software
installed on the end-user’s device. 1.4 Methodology The methods used to test the success of
the project were implemented in either the Cisco laboratory at Halmstad University or in
GNS3 using a replica of Cheap Flats existing Network Topology. First, the sample network
was built and tested without any encryption whatsoever to ensure successful communications
between the main office and remote branch. Then the different types of VPNs were
implemented and the results documented. A deprecated view of the topology created using
Cisco's Packet Tracer program is provided below. Figure 1.1 – Packet Tracer Topology:
representation of deprecated network topology Virtual Private Networks 4 5 Chapter 2 2
Basics of VPNs 2.1 Site-to-site VPN A Virtual Private Network (VPN) is a communications
environment that uses virtual connections routed through the Internet by encrypting the
traffic. One of the basic types of VPN networks is a site-to-site VPN. It refers to
implementations in which the network of one location is connected to the network of another
location via a VPN. Frame Relay, ATM, and MPLS VPNs are examples of site-to-site VPNs.
[5] There are two types of site-to site VPNs:  Intranet-based -- Allows a company to
establish a secure connection with its remote locations.  Extranet-based -- Allows two
companies to work together via a secure connection while preventing access to their separate
intranets One of the features of the site-to-site VPN is that hosts do not have VPN client
software. Instead, they just send and receive normal TCP/IP traffic through a VPN gateway.
The VPN gateway is responsible for the encryption and encapsulation of the outbound traffic.
13
That means that there is a VPN tunnel through which communication can be established
between peers over the Internet. Upon receipt, the peer VPN gateway strips the headers,
decrypts the content, and relays the packet toward the target host inside its private network.
[6] Basically the site-to-site VPN extends the company's network making communication
easier. A good example here could be a company with branches in several remote locations.
Virtual Private Networks 6 Figure 2.1 – Site-to-site VPN Tunnel: simple graphical depiction
of a site-to-site VPN tunnel 2.2 Site-to-site GRE Tunnel Generic Routing Encapsulation is a
tunneling protocol developed by Cisco Systems. The main function of this protocol is to
encapsulate a variety of network layer protocols within a virtual point-to-point link over an IP
internetwork. The advantage of GRE Tunnel is that it supports transport of multicast and
broadcast traffic unlike the IPSec which supports only unicast traffic over the tunnel link.
Unfortunately GRE doesn’t provide encryption, for those IPSec should be configured. 2.3
IPSec Remote Access VPN For remote access VPN connectivity with full integration into the
LAN it is necessary to employ an IPSec VPN connection between a VPN Gateway and a
remote client. As opposed to SSL, which operates at the application layer and is typically
limited to web applications or a web portal, IPSec is a connectionless protocol that operates at
Layer-3. With IPSec VPN it is possible to give the remote user full or custom access to the
LAN with a user experience as if the remote user were physically connected inside the LAN.
Also, it would appear to devices inside the LAN that the remote user was physically present.
In other words, full network extension can be achieved. An IPSec VPN deployment is
particularly necessary when the remote user needs to access applications that cannot be
managed through a web portal such as an ERP or legacy software. Although it offers more
possibilities in the network, IPSec is often compared to SSL/TLS as being more complicated
with increased administrative overhead. In addition to this drawback, another drawback to the
IPSec Remote Access VPN approach is that the VPN client software must be installed on the
remote user’s 7 Chapter 2: Basics of VPNs machine with administrative privileges which can
hinder scalability in large scale deployments. [8] Another challenge with IPSec VPNs can be
navigating through firewalls and NAT devices that are situated between the client and the
gateway. (Matei 2012) Thankfully there are tools available that can help resolve these
challenges, such as NAT Traversal. Cisco’s implementation of this option is called Easy VPN
Server and it is the one we chose to implement for this project. [8] 2.4 IPSec VPN IPSec is an
IETF standard that acts as a modular framework of open standards that define how a VPN
connection is implemented. [9] The three main security solutions IPSec offers are data
integrity, data authentication, and data confidentiality. Data integrity is accomplished through
the use of HMAC, a standard that uses a hash algorithm to create a hash value that is sent
along with the packet. Upon receipt, the hash algorithm is run again and compared to the
received hash value. The hash values must be identical for the packet to be accepted. The two
hash algorithms available to use in IPSec are MD5 and SHA-1. [9] Data authentication is
achieved through pre-shared keys, RSA signatures (digital signatures), or RSA encrypted
nonces. Data confidentiality is attained by encrypting the data. Common encryption
algorithms that are available in IPSec are DES, 3DES, AES, and SEAL Triggering the VPN
Connection There are two ways that an IPSec VPN connection can be set into motion. In a
siteto-site connection, “interesting traffic” is identified through the use of an ACL. Any
traffic that is permitted by the ACL triggers the IKE process. In a remote client connection,
the user initiates the connection manually by clicking on the connection profile in the
software client. Internet Key Exchange (IKE) IKE is used by IPSec to negotiate and establish
multiple Security Associations (SA). The implementation is divided into two phases. IKE
Phase 1 The first SA is created during IKE Phase 1 and is essentially a control channel. The
purpose of the first phase is to establish a secure and authenticated channel that will allow
secure Phase 2 negotiations to take place. [8] It also authenticates the peers. It works at 2
14
modes: Virtual Private Networks 8  Main mode (three two-way exchanges)  Aggressive
mode The main difference between these two is that aggressive mode will pass more
information in fewer packets, with the benefit of slightly faster connection establishment.
During the first step of phase 1 the following parameters are negotiated as policy sets: 
Encryption – (DES, 3DES, AES)  Hash – (MD5, SHA-1)  Authentication – (Pre-shared
keys, RSA signatures, RSA encrypted nonces)  Diffie-Hellman group  Lifetime Once the
policy set is negotiated, the second step of Phase 1 occurs when the DiffieHellman protocol is
run in order to establish the shared keys. These shared keys will be retained and used in
subsequent encryption algorithms and hashes. The last step in IKE Phase 1 is to authenticate
the peers using the negotiated hash algorithm and the shared keys obtained in the DH
exchange. IKE Phase 2 The purpose of IKE Phase 2 is to negotiate and establish SAs that will
protect the IP traffic. The negotiation takes place over the control channel that is created in
Phase 1 and the newly established shared keys from Phase 1 may also be used here. Unlike in
Phase 1, the SAs in Phase 2 are unidirectional so two must be created, one in each direction.
[8] The IPsec tunnel terminates when the IPsec SAs are deleted, or when their lifetime
expires. [10] IKE Versions The IKE process as previously explained is unique to IKE version
1. There is also now an IKE version 2 in use. It is very similar to IKE version 1 but has
improved on some of the challenges that were inherent in version IKEv1 and the process has
been streamlined a bit. Some of the more notable differences in IKEv2 are:  Negotiation is
shorter.  It is reduced to only one phase. Child SAs are created inside this phase eliminating
the need for a second phase.  NAT Traversal is built in. This feature solves some of the
challenges with NAT/PAT that were mentioned earlier. [8] 9 Chapter 2: Basics of VPNs A
high level visual representation of the IPSec process is shown in the following figure. Figure
2.2 - IPSec negotiation process 2.5 Secure Sockets Layer (SSL) The SSL protocol was
originally developed by Netscape as a way to provide secure transmission of information
between a server and the company’s browser. This was done in part to try and strengthen the
ability of e-commerce companies to provide their online shoppers with a safe and reliable
experience. The SSL protocol is implemented at the Transport Layer and upwards in the
seven layer Open Systems Interconnection (OSI) network model. In contrast to IPSec, the
layer 3 (source and destination IP address) information is not encrypted. The entire secure
communications process between client and server is quite complex but can be broken down
into a nine-step process. This handshake process is quite similar when using TLS. [12]
Virtual Private Networks 10 Figure 2.3 - SSL Handshake: graphical depiction of the 9-step
client/server handshake IBM’s WebSphere online portal, which is the source of the graphic
handshake procedure representation above, also provides a short summary of the SSL
handshake procedure as follows: 1) “The SSL or TLS client sends a "client hello" message
that lists cryptographic information such as the SSL or TLS version and, in the client's order
of preference, the CipherSuites supported by the client. The message also contains a random
byte string that is used in subsequent computations. The protocol allows for the "client hello"
to include the data compression methods supported by the client. 2) The SSL or TLS server
responds with a "server hello" message that contains the CipherSuite chosen by the server
from the list provided by the client, the session ID, and another random byte string. The
server also sends its digital certificate. If the server requires a digital certificate for client
authentication, the server sends a "client certificate request" that includes a list of the types of
certificates supported and the Distinguished Names of acceptable Certification Authorities
(CAs). 3) The SSL or TLS client verifies the server's digital certificate. 11 Chapter 2: Basics
of VPNs 4) The SSL or TLS client sends the random byte string that enables both the client
and the server to compute the secret key to be used for encrypting subsequent message data.
The random byte string itself is encrypted with the server's public key. 5) If the SSL or TLS
server sent a "client certificate request", the client sends a random byte string encrypted with
15
the client's private key, together with the client's digital certificate, or a "no digital certificate
alert". This alert is only a warning, but with some implementations the handshake fails if
client authentication is mandatory. 6) The SSL or TLS server verifies the client's certificate.
7) The SSL or TLS client sends the server a "finished" message, which is encrypted with the
secret key, indicating that the client part of the handshake is complete. 8) The SSL or TLS
server sends the client a "finished" message, which is encrypted with the secret key,
indicating that the server part of the handshake is complete. 9) For the duration of the SSL or
TLS session, the server and client can now exchange messages that are symmetrically
encrypted with the shared secret key.” [13] Unfortunately, even the SSL protocol cannot be
considered entirely secure at this point, as its encryption mechanisms appear to have been
cracked by the National Security Agency (NSA) in the US. According to Mike Janke, the
C.E.O. of the encrypted-communications company Silent Circle, “N.S.A. developed a
massive push-button scale ability to defeat or circumvent SSL encryption in virtually real
time.” [14] 2.6 Transport Layer Security (TLS) Although Transport Layer Security (TLS)
uses a similar handshake procedure as SSL in order to authenticate the end-points and come
to an agreement on the method of encryption prior to session establishment, there are some
notable differences between the two protocols. Namely:  TLS is an open standard initialized
through a Request For Comments 2246 from the Internet Engineering Task Force (IETF)
whereas SSL is a proprietary protocol suite introduced by Netscape, a privately held
company.  TLS is not interoperable with SSL, as the TLS protocol is considered more
secure.  TLS operates with any hash function whereas SSL only operates with MD5 or
SHA. [15] According to Marshall Honorof, in an article entitled “SSL vs. TLS: The Future of
Data Encryption”, the NSA has not yet been able to or rather, has not focused on cracking the
TLS protocol. [16] 2.7 Clientless Secure Sockets Layer (SSL) VPN By far the easiest form of
VPN to implement from an end-user perspective is the clientless Secure Sockets Layer (SSL)
VPN. After a remote user opens up their web browser and is successfully authenticated
against a Cisco IOS SSL VPN Gateway (or other SSL VPN gateway) they are able to access
web services running in their home office LAN through their browser. Some remote services
that are available via Virtual Private Networks 12 a clientless SSL VPN connection are “web
servers, shared file directories, webbased email systems, applications that run on protected
servers and any other services that can be channeled through a web page.” [12] It is important
to note that generally speaking, a clientless SSL VPN cannot be considered a permanent
replacement for an IPSec client VPN or site-to-site VPN. This is due to the fact that clientless
SSL VPNs typically don’t support applications such as Telnet, SNMP, ping, traceroute, FTP
and IP Telephony that can’t be run through web browsers. [1] One solution to this problem is
to create a SSL Tunnel VPN with a web browser. These options will be discussed in a later
section. 2.8 SSL Portal VPN versus SSL Tunnel VPN SSL Portal VPNs get their name
because a user accesses the remote services through a single web page. This page usually
then provides links to other services within the LAN that can be run through a web page.
“Specifically, they work with browsers whether or not the browsers allow (or support) active
content meaning that SSL portal VPNs are accessible to more users than SSL Tunnel VPNs.”
[12] Although SSL Tunnel VPNs also use a web browser to allow users to remotely access a
LAN, the SSL Tunnel VPNs require that the “web browser be able to handle specific types of
active content (e.g. JavaScript, Flash or ActiveX) and that the user be able to run them.” [12]
This can generate confusion on the part of the end-user since they must enable various
browser plug-ins and agree to the associated security warnings before the application is
loaded in their web browser. However, by enabling certain types of active content the end-
user may have access to a greater array of services than with an SSL Portal VPN. Taken as a
whole, SSL Tunnel VPNs are considered to be slightly more complex and less user-friendly
when compared to SSL Portal VPNs. [12] 13 Chapter 3 3 VPN Implementation 3.1 Cisco
16
Configuration Professional Software Due to its ease of use and the ability to quickly
implement different types of VPNs using a graphical user interface (GUI), Cisco
Configuration Professional (CCP) software was chosen to configure the VPNs over a
command line interface (CLI) only approach. If more granularity or a non-standard VPN
configuration is required, it is still possible to complete any minor changes using the CLI
once CCP has delivered the commands to the router’s running configuration. Cisco
Configuration Professional is a software program that ”offers smart wizards and advanced
configuration support for LAN and WAN interfaces, Network Address Translation (NAT),
stateful and application firewall policy, IPS, IPSec and SSL VPN, QoS and Cisco Network
Admission Control policy features.” [17] 3.2 Implementing Site-to-site VPN at Main Site
using CCP This section will provide a breakdown of the basic steps needed to successfully
configure a site-to-site VPN using CCP software. In the appendix there is an accompanying
screenshot for each step in the VPN configuration process. The first important step is to set
up the IKE proposals which are used by each router at the end of the VPN tunnel to
authenticate its neighboring router at the other end of the VPN tunnel. For a site-to-site VPN,
most of the VPN connection information should be symmetrical on the routers located at both
sides of the VPN tunnel. Figure 3.1 - IKE Proposals: used for negotiation between VPN
endpoints Virtual Private Networks 14 Figure 3.2 – Peer Identity: set remote VPN peer IP
address and pre-shared key Once the VPN peer routers have agreed on and established a
secure communication with each other, it is time to set up the details related to the actual
secure communications between the end devices behind the VPNs. These details include the
encryption method and hashing algorithms to be used among others. Figure 3.3 – Transform
Set: sets VPN parameters for VPN tunnel Lastly, you will need to define interesting traffic
(the traffic that should be encrypted by the VPN) by setting up extended access control lists
(ACLs). This step is easily 15 Chapter 3: VPN Implementation completed using the VPN
Wizard as you are simply prompted to enter the local and remote network IDs and subnet
masks. Figure 3.4 – Interesting Traffic: define the traffic to be encrypted by the VPN tunnel
3.3 Detailed CLI site-to-site VPN Command Breakdown This section will provide more in-
depth information regarding the commands generated by CCP in order to set up the site-to-
site VPN gateway on the main office router and the purpose of each command. The
commands are listed in italics along with an explanation directly below the command as to
their relevance to the Site-tosite VPN configuration: Crypto isakmp enable  This command
globally enables IKE at the router (Enabled by default)
------------------------------------------------------------------------------------------------------- crypto
isakmp policy 1 authentication pre-share encr 3des hash sha group 2 lifetime 86400 exit 
Defines the parameters within an IKE policy. An ISAKMP policy must be configured with
the same parameters on both routers in order to establish a VPN tunnel connection. Virtual
Private Networks 16
------------------------------------------------------------------------------------------------------- crypto
isakmp key cisco123 address 10.2.2.2  Define a pre-shared key with a remote peer.
------------------------------------------------------------------------------------------------------- crypto
ipsec transform-set ESP-3DES-SHA2 esp-sha-hmac esp-3des mode tunnel exit 
Configuration for the IPSec policies and transform sets used during IPSec negotiation.
------------------------------------------------------------------------------------------------------- ip
access-list extended SDM_1 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 exit 
Configuration of symmetrical peer crypto ACL.
------------------------------------------------------------------------------------------------------- crypto
map SDM_CMAP_1 1 ipsec-isakmp set transform-set ESP-3DES-SHA2 set peer 10.2.2.2
match address SDM_1 exit  Configure IPSec crypto map
-------------------------------------------------------------------------------------------------------
17
interface serial0/1/0 crypto map SDM_CMAP_1  Applying crypto map to the outgoing
interfaces activates the IPSec policy 3.4 Implementing Remote Access IPSec VPN using
CCP This section will provide an overview of some of the most important steps and
information needed to successfully configure a Remote Access IPSec VPN using CCP
software. In the appendix there is an accompanying screenshot for each step in the VPN
configuration process. We used the Easy VPN Server Wizard in CCP to set up this
implementation 17 Chapter 3: VPN Implementation Figure 3.5 – Easy VPN Server: used to
set IPSec Client VPN The first step of configuration is to determine the interface which will
host the connection and determine the method of authentication, in our case pre-shared keys.
Then, IKE Proposals and Transform Sets are determined. The default settings were
appropriate for us here. Next, authorization and authentication settings are configured over
the course of a few screens. Users and groups are then created with passwords and pre-shared
keys, and an IP address pool is configured. Figure 3.6 – Group Policy: set pre-shared key and
internal IP address pool assignments Virtual Private Networks 18 The commands are
delivered to the router with the click of a button. To configure the VPN Client software, one
must create a new connection profile that includes the group name and pre-shared key. Figure
3.7 – VPN Client Software: must be installed on each remote client PC When establishing the
connection the user will then be prompted for a username and password and will gain access
after the 802.1X authentication is completed. 3.5 Detailed CLI Easy VPN Server Command
Breakdown This section will provide more in-depth information regarding the commands
generated by CCP in order to set up the Remote Access IPSec VPN gateway on the main
office router and the purpose of each command. The commands are listed in italics along with
an explanation directly below the command as to their relevance to the Easy VPN Server
configuration: aaa authentication login ciscocp_vpn_xauth_ml_1 local aaa authorization
network ciscocp_vpn_group_ml_1 local  AAA authentication and authorization are used
with the local database ip local pool SDM_POOL_1 192.168.1.200 192.168.1.230  The
pool of addresses to be pushed to the VPN client is defined. crypto isakmp profile ciscocp-
ike-profile-1 isakmp authorization list ciscocp_vpn_group_ml_1 client authentication list
ciscocp_vpn_xauth_ml_1 match identity group RemoteVPN client configuration address
respond exit  An ISAKMP profile is created that defines actions to take when the
“RemoteVPN” group is matched. crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac
esp-3des 19 Chapter 3: VPN Implementation mode tunnel exit crypto ipsec profile
CiscoCP_Profile1 set security-association idle-time 3600 set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1 exit  Configuration for the IPSec policies and
transform sets used during IPSec negotiation. interface Virtual-Template1 type tunnel exit
default interface Virtual-Template1 interface Virtual-Template1 type tunnel no shutdown ip
unnumbered Serial0/1/0 tunnel protection ipsec profile CiscoCP_Profile1 tunnel mode ipsec
ipv4 exit crypto isakmp profile ciscocp-ike-profile-1 virtual-template 1 exit  Creates a
virtual template interface that is applied to Serial0/1/0 for the remote VPN sessions. “A
virtual template interface is a logical entity—a configuration for a serial interface but not tied
to a physical interface—that can be applied dynamically as needed.” [18] crypto isakmp
policy 1 authentication pre-share encr 3des hash sha group 2 lifetime 86400 exit  Defines
ISAKMP policy. Since the policy is pushed to the client, there is no need to define multiple
policies. crypto isakmp client configuration group RemoteVPN key 0 ********** pool
SDM_POOL_1 netmask 255.255.255.0 exit  Defines the group policy. IP address / user
account command username sales1 privilege 1 secret 0 **********  Defines the user that
will be authenticated via XAUTH. Virtual Private Networks 20 3.6 Implementing SSL VPN
Gateway at Main Office using CCP Only the main office router needed to be configured in
order to implement the clientless SSL VPN. This section will provide a breakdown of a few
18
of the important steps and information needed to successfully configure a SSL VPN using
CCP software. Please note that for brevity’s sake some of the steps are omitted. In the
appendix there is an accompanying screenshot for all of the steps in the VPN configuration
process. Once you have connected to the main branch router using the CCP GUI and selected
the SSL VPN Manager, the first important task is to configure the IP address through which
the VPN will be accessed and the whether the digital certificate will be self-signed or issued
by a Certificate Authority (CA) in order for the remote user to authenticate the main branch
router. Figure 3.8 – SSL VPN Wizard: used to enter information to set up clientless SSL VPN
After you have designated the basic parameters of the VPN tunnel connection, as well
creating the AAA authentication list, you need to specify which main office LAN resources
will be made available to the remote branch users. In this instance it is helpful to note that
some services will not be available or function correctly if they cannot be run through a web
browser. 21 Chapter 3: VPN Implementation Figure 3.9 – URL List: lists intranet resources
that can be accessed remotely via the VPN The last major step of the configuration is
reviewing a summary of the SSL VPN configuration and the subsequent commands
generated by CCP that will be sent to the main office router's running configuration. Figure
3.10 – Summary of Configuration: lists important details about the SSL VPN Virtual Private
Networks 22 3.7 Detailed CLI SSL VPN Command Breakdown This section will provide
more in-depth information regarding the commands generated by CCP in order to set up the
SSL VPN gateway on the main office router and the purpose of each command. Although the
CCP SSL VPN wizard only asked a couple of questions, 33 commands were updated to the
main office router’s running configuration in order to set up the SSL VPN gateway. These
commands are listed in italics along with an explanation directly below the command as to
their relevance to the SSL VPN configuration: aaa authentication login
ciscocp_vpn_xauth_ml_1 local  Specifies that AAA authentication should be done with
local router database username and password
---------------------------------------------------------------------------------------------------------------
interface Serial0/0/0 ip nat outside interface Loopback1 description Do not delete - SDM
WebVPN generated interface no shutdown ip address 192.168.3.1 255.255.255.252 ip nat
inside ip nat inside source static tcp 192.168.3.1 443 10.1.1.1 4443 extendable  According
to Cisco documentation, a loopback interface was created because Secure Device Manager
(prior version of CCP), “may not launch using the IP address of WebVPN Gateway. When
CCP attempts to connect to a router with a WebVPN gateway configured using the Cisco IOS
CLI, it might not launch from the IP address used by that gateway if the CLI statements
necessary for CCP access are not included.” [19]
----------------------------------------------------------------------------------------------------------------
webvpn gateway cheapflats1 ip address 10.1.1.1 port 443 http-redirect port 80 ssl trustpoint
TP-self-signed-3303613606 inservice  The WebVPN Gateway is used to enable secure
access to the main office router/LAN from the remote office branch or while traveling. The
outside IP interface on the main office router is entered along with port 443 for https. If the
remote user tries to connect through http, they are automatically redirected to https port. The
self-signed certificate will then be passed to the remote user’s web browser at which point
they must accept it and have it saved as part of the valid security certificates for that browser.
The last inservice command actives the SSL VPN gateway in a similar fashion to the no
shutdown command under a physical router interface. [20]
------------------------------------------------------------------------------------------------------ 23
Chapter 3: VPN Implementation webvpn context CheapFlats title-color #CCCC66
secondary-color white text-color black ssl authenticate verify all  “The WebVPN context is
where the SSL VPN is terminated, and the user's VPN session is established. “ [20] The
above commands set the color and layout of the VPN portal page and states that all users
19
attempting to connect to the VPN portal should be authenticated.
----------------------------------------------------------------------------------------------------------------
url-list "CheapFlats" heading "Cheap Flats Intranet" url-text "CheapFlats" url-value
"http://intranet.cheapflats.com" url-text "Web Mail" url-value
"http://intranet.cheapflats.com/webmail/exchange"  This command section lists the URLs
that will be available on the VPN portal page once a user has been authenticated. In this case,
two example links to a Outlook webmail page and the company’s intranet page were added.
----------------------------------------------------------------------------------------------------------------
policy group policy_1 url-list "CheapFlats" mask-urls  If you want to set up different
policies for different users you can use the above commands. In this case all the remote users
will have the same policy since this will all have access to the same resources on the VPN
portal page. The mask-urls command simply hides the URLs from above on the VPN portal
page and replaces them with the text links “Web Mail” and “CheapFlats”.
----------------------------------------------------------------------------------------------------------------
default-group-policy policy_1 aaa authentication list ciscocp_vpn_xauth_ml_1 gateway
cheapflats1 inservice  Applies policy_1 as the default group policy, referencing the only
WebVPN gateway and AAA authentication lists that were created with the prior commands.
Virtual Private Networks 24
Chapter 3
Methodology
In this chapter, we use packet tracer for create a topology and implement protocol on
this topology. We implement EIGRP() on this topology. There are 3 layers in every topology
which are Layer 1, Layer 2 and Layer 3. Layer 1 is access layer in which end devices are
included like desktop computers, laptops and VOIP phones etc. Second one is Layer 2 which
is called distributive layer, in this layer switches are used. And last one the Layer 3 is called
Core layer where routers are used. A packet is sends and receives from source to destination
by the help of these three layers.
3.1 Packet Tracer:

Packet Tracer is a cross-platform visual simulation tool designed by Cisco
Systems that allows users to create network topologies and imitate modern computer
networks. The software allows users to simulate the configuration of Cisco routers and
switches using a simulated command line interface. Packet Tracer makes use of a drag and
drop user interface, allowing users to add and remove simulated network devices as they see
20
fit. The software is mainly focused towards Certified Cisco Network Associate Academy
students as an educational tool for helping them learn fundamental CCNA concepts.
Previously students enrolled in a CCNA Academy program could freely download and use
the tool free of charge for educational use.
Packet Tracer can be run on Linux and Microsoft Windows.

Similar Android and IOS apps are also available. Packet Tracer allows users to create
simulated network topologies by dragging and dropping routers, switches and various other
types of network devices. A physical connection between devices is represented by a "cable"
item. Packet Tracer supports an array of simulated Application Layer protocols, as well as
basic routing with RIP, OSPF, EIGRP, BGP, to the extents required by the
current CCNA curriculum. As of version 5.3, Packet Tracer also supports the Border
Gateway Protocol.
3.2 Proposed Topology
Figure 3.1 Screenshot of Proposed Topology
This is our proposed topology in which we implementing the protocol. In this topology we
use routers,switches and pc. We used 7 routers of [1841] series in this topology. Using 7
switches [2960] series. Each switch have 24 ports in which pc’s are connected means every
switch can connect 24 pc’s with it. And desktop pc’s are used in this topology. The router
[1841] has only 2 ports by default. We add modules in the routers for the sake of serial port.
3.3 Documentation of Proposed Topology:

3.3.1 Documentation of Routers
21
In router 6 there are 3 ports there port which is connected with switch 0 has IP address
192.168.1.1/24, the port which is connected with router 7 has IP address 10.1.1.1/24 and the
port which is connected with router 8 has IP address 11.1.1.1/24. In router 7 there are 3 ports
the port which is connected with switch 1 has IP address 192.168.2.1/24, the port which is
connected with router 9 has IP address 12.1.1.1/24 and the port which is connected with
router 6 has IP address 10.1.1.2/24. In router 8 there are 4 ports there port which is connected
with switch 2 has IP address 192.168.3.1/24, the port which is connected with router 6 has IP
address 11.1.1.2/24 and the port which is connected with router 10 has IP address 13.1.1.1/24
and the port which is connected with router 12 has IP address 14.1.1.1/24. In router 9 there
are 4 ports the port which is connected with switch 3 has IP address 192.168.4.1/24, the port
which is connected with router 7 has IP address 12.1.1.2/24 and the port which is connected
with router 11 has IP address 16.1.1.1/24 and the port which is connected with router 12 has
IP address 15.1.1.1/24. In router 10 there are 2 ports the port which is connected with switch
4 has IP address 192.168.5.1/24, the port which is connected with router 8 has IP address
13.1.1.2/24. In router 12 there are 3 ports the port which is connected with switch 6 has IP
address 192.168.6.1/24, the port which is connected with router 8 has IP address 14.1.1.2/24
and the port which is connected with router 9 has IP address 15.1.1.2/24. In router 10 there
are 2 ports the port which is connected with switch 5 has IP address 192.168.7.1/24, the port
which is connected with router 9 has IP address 16.1.1.2/24.
3.3.2 Documentation of Switches

In switch 0 we are using 2 ports, the port which is connected with pc 0 has Network
address 192.168.1.0/24 and the second port which is connected to router 6 has IP address
192.168.1.1/24. In switch 1 we are using 2 ports, the port which is connected with Pc 1 has
Network address 192.168.2.0/24 and the second port which is connected to router 7 has IP
address 192.168.2.1/24. In switch 2 we are using 2 ports, the port which is connected with pc
2 has Network address 192.168.3.0/24 and the second port which is connected to router 8 has
IP address 192.168.3.1/24. In switch 3 we are using 2 ports, the port which is connected with
pc 3 has Network address 192.168.4.0/24 and the second port which is connected to router 9
has IP address 192.168.4.1/24. In switch 4 we are using 2 ports, the port which is connected
with pc 4 has Network address 192.168.5.0/24 and the second port which is connected to
router 10 has IP address 192.168.5.1/24. In switch 5 we are using 2 ports, the port which is
connected with pc 5 has Network address 192.168.6.0/24 and the second port which is
connected to router 11 has IP address 192.168.6.1/24. In switch 6 we are using 2 ports, the
22
port which is connected with pc 6 has Network address 192.168.7.0/24 and the second port
which is connected to router 12 has IP address 192.168.7.1/24.
In switch 1 we are using 2 ports, the port which is connected with pc 0 has Network
address 192.168.1.0/24 and the second port which is connected to router 6 has IP address
192.168.1.1/24. In switch 1 we are using 2 ports, the port which is connected with Pc 1 has
Network address 192.168.2.0/24 and the second port which is connected to router 7 has IP
address 192.168.2.1/24. In switch 2 we are using 2 ports, the port which is connected with pc
2 has Network address 192.168.3.0/24 and the second port which is connected to router 8 has
IP address 192.168.3.1/24. In switch 3 we are using 2 ports, the port which is connected with
pc 3 has Network address 192.168.4.0/24 and the second port which is connected to router 9
has IP address 192.168.4.1/24. In switch 4 we are using 2 ports, the port which is connected
with pc 4 has Network address 192.168.5.0/24 and the second port which is connected to
router 10 has IP address 192.168.5.1/24. In switch 5 we are using 2 ports, the port which is
connected with pc 5 has Network address 192.168.6.0/24 and the second port which is
connected to router 11 has IP address 192.168.6.1/24.
3.3.3 Documentation of PC’S
23
Figure 3.2 Screenshot of Assigning IP Address in PC 0
PC 0 has the IP address 192.168.1.2, 255.255.255.0 has its subnet mask and 192.168.1
24
Figure 3.3 Screenshot ofAssigning IP Address in PC 1
PC 1 has the IP address 192.168.2.2, 255.255.255.0 has its subnet mask and 192.168.2.1.
25
26
27
Figure 3.6Screenshot of Assigning IP Address in PC 3
28
29
Chapter 4
30
Experimental Work
4.1 Topology for Configuring EIGRP Protocol on IPV4

Here, we taken the topology of seven routers (1841), seven switches (2960) Cisco,
seven pc’s as end devices. We connect all the end devices to switches we use straight through
cables. And after connecting the end devices to switches we connect the switches with routers
we use straight through cables. We connect the routers with other router in topology we use
serial and cross over cable. With the help of cables we connect all the switches, routers and
end devices with each other.
Figure 4.1 Screenshot of Main topology diagram
Table 4.1 Documentation of Topology

Device Name Interface IP address Subnet mask Default Gateway
R6 Fa0/0 192.168.1.1 255.255.255.0 N/A
R6 Se0/0/0 10.1.1.1 255.255.255.0 N/A
R6 Se0/0/1 11.1.1.1 255.255.255.0 N/A
R7 Se0/0/1 10.1.1.2 255.255.255.0 N/A
R7 Se0/0/0 12.1.1.1 255.255.255.0 N/A
R7 Fa0/0 192.168.2.1 255.255.255.0 N/A
R8 Se0/0/0 11.1.1.2 255.255.255.0 N/A
R8 Se0/0/1 13.1.1.1 255.255.255.0 N/A
31
R8 Fa0/0 192.168.3.1 255.255.255.0 N/A
R8 Fa0/1 14.1.1.1 255.255.255.0 N/A
R9 Se0/0/1 12.1.1.2 255.255.255.0 N/A
R9 Se0/0/0 15.1.1.1 255.255.255.0 N/A
R9 Fa0/1 16.1.1.1 255.255.255.0 N/A
R9 Fa0/0 192.168.4.1 255.255.255.0 N/A
R10 Se0/0/0 13.1.1.2 255.255.255.0 N/A
R10 Fa0/0 192.168.5.1 255.255.255.0 N/A
R12 Fa0/0 192.168.6.1 255.255.255.0 N/A
R12 Fa0/1 14.1.1.2 255.255.255.0 N/A
R12 Se0/1/0 15.1.1.2 255.255.255.0 N/A
R11 Fa0/1 16.1.1.2 255.255.255.0 N/A
R11 Fa0/0 192.168.7.1 255.255.255.0 N/A
PC0 Fa0 192.168.1.2 255.255.255.0 192.168.1.1
PC1 Fa0 192.168.2.2 255.255.255.0 192.168.2.1
PC2 Fa0 192.168.3.2 255.255.255.0 192.168.3.1
PC3 Fa0 192.168.4.2 255.255.255.0 192.168.4.1
PC4 Fa0 192.168.5.2 255.255.255.0 192.168.5.1
PC5 Fa0 192.168.6.2 255.255.255.0 192.168.6.1
PC6 Fa0 192.168.7.2 255.255.255.0 192.168.7.1
4.2 Commands for configuring the interfaces in IPV4

When we creating a topology by default all the interface are in down state and they
have no ip address. Than we have to assign them IP address and take the entire router in
upstate ny using some commands.
 Enable
 Configure terminal
 Interface (which port are configuring)
 IP address x.xx.x subnet mask
 No shut
 Exit
 Exit
 Copy run start
Now explaining all these commands in CLI mode of a router. Which show below.
32
Figure 4.2 Screenshot of Configure the interfaces of R6
This figure explain that we are configuring the interface fa0/0,se0/0/0 and se0/0/1 on
router6 with their IP address and subnet mask. When we write the no shut command these all
ports are in upstate.
33
Fig 4.3 Screenshot of Configure the interfaces of router 7
router7 with their ip address and subnet mask. When we write the no shut command these all
34
Figure 4.4 Screenshot of Configure the interfaces of router 8
This figure explain that we are configuring the interface fa0/0,se0/0/0,fa0/1 and
se0/0/1 on router8 with their IP address and subnet mask. When we write the no shut
command these all ports are in upstate.
Figure 4.5 Screenshot of Configure the interface of router 9

This figure explain that we are configuring the interface fa0/0,se0/0/0,fa0/1 and
se0/0/1 on router 9 with their IP address and subnet mask. When we write the no shut
command these all ports are in up state
35
This figure explain that we are configuring the interface fa0/0 and se0/0/0 on router
10 with their IP address and subnet mask. When we write the no shut command these all
ports are in up state

This figure explains that we are configuring the interface, fa0/1 and fa0/0 on router11
with their IP address and subnet mask. When we write the no shut command these all ports are
in up state
36
This figure explain that we are configuring the interface se0/1/0,fa0/1 and fa0/0 on
router8 with their IP address and subnet mask. When we write the no shut command these all
4.3 Commands for Configuring EIGRP on IPV4

 Enable
 Router EIGRP (Autonomous number)
 Network (IP address of directly connected)
 No auto-summary
 Exit
 Exit
 Copy run start
When we implement EIGRP in our topology. The autonomous number should be

same of all the router in our topology. When we configure the EIGRP we get the IP address
of directly connected routes because it is dynamic routing.
37
4.3.1 Configure EIGRP on Routers
Figure 4.9 Screenshot of Configuration of EIGRP on Router 6
Figure 4.10 Screenshot of Configuration EIGRP on router 7
This figure shows that, we are configuring the EIGRP protocol on router 7 with some
commands. First when we start are configuration by default we are in user mode and then we
write the command ‘enable’ this command helps us to go in user EXEC mode. When are in
38
user exec mode we write the command ‘configure terminal’ this command go us in global
configuration mode in this mode all EIGRP configuration commands are implemented.First
we write the command ‘router EIGRP autonomous number’ this command helps the router in
EIGRP configuration mode and autonomous number should be same of all the routers in our
whole topology. AS number means the number of particular area and its range is (0-65535).
In this figure we take the 7 as our AS number of all the routers. Because if don’t set the as
number same all the router in their particular area they can’t communicate with each other
after the router EIGRP command we get the network of directly connected routes. Then we
no auto-summary command After this command with exit the global configuration with the
ctrl z this command take us in privilege mode and where we write the copy run start. This
command saves the all configuration in NVRAM.
Figure 4.11 Screenshot of Configure EIGRP on router 8

39
command take us in privilege mode and where we write .
Figure 4.12 Screenshot of Configure the EIGRP on router 9

command saves the all configuration in NVRAM
40
Figure 4.13 Screenshot of Configure the EIGRP on router 10
This figure shows that, we are configuring the EIGRP protocol on router 10 with
some commands. First when we start is configuration by default we are in user mode and
then we write the command ‘enable’ this command helps us to go in user EXEC mode. When
are in user exec mode we write the command ‘configure terminal’ this command go us in
global configuration mode in this mode all EIGRP configuration commands are
implemented.First we write the command ‘router EIGRP autonomous number’ this command
helps the router in EIGRP configuration mode and autonomous number should be same of all
the routers in our whole topology. AS number means the number of particular area and its
range is (0-65535). In this figure we take the 7 as our AS number of all the routers. Because
if don’t set the as number same all the router in their particular area they can’t communicate
with each other after the router EIGRP command we get the network of directly connected
routes. Then we no auto-summary command After this command with exit the global
configuration with the ctrl z this command take us in privilege mode and where we write the
copy run start. This command saves the all configuration in NVRAM.
41
Figure 4.14 Screenshot ofConfigure EIGRP on router 11
some commands. First when we start are configuration by default we are in user mode and
42
43
4.4 Topology for configuring the EIGRP in IPV6
Figure 4.16 Screenshot of Topology Diagram for implementation of EIGRP in IPV6
Here, we taken the topology of seven routers (1841), seven switches (2960) Cisco,
seven pc’s as end devices. We connect all the end devices to switches we use straight through
cables. And after connecting the end devices to switches we connect the switches with routers
we use straight through cables. We connect the routers with other router in topology we use
serial and cross over cable. With the help of cables, we connect all the switches, routers and
end devices with each other. And then they make the topology. In packet tracer we design
this topology under some rules and regulations of packet tracer like same devices are connect
with cross-over cable
Table 4.2 Documentation of Topology on IPV(6)

Device Name Interface IP address Subnet mask Default Gateway
R6 Fa0/0 2001::1 64 N/A
R6 Se0/0/0 2002::2 64 N/A
R6 Se0/0/1 2004::2 64 N/A
R7 Se0/0/1 2002::3 64 N/A
R7 Se0/0/0 2005::2 64 N/A
R7 Fa0/0 2002::1 64 N/A
R8 Se0/0/0 2004::3 64 N/A
R8 Se0/0/1 2008::2 64 N/A
R8 Fa0/0 2006::1 64 N/A
R8 Fa0/1 2010::2 64 N/A
R9 Se0/0/1 2007::2 64 N/A
R9 Se0/0/0 2011::2 64 N/A
R9 Fa0/1 2009::2 64 N/A
R9 Fa0/0 2007::1 64 N/A
R10 Se0/0/0 2008::1 64 N/A
R10 Fa0/0 2012::1 64 N/A
R12 Fa0/0 2014::1 64 N/A
44
R12 Fa0/1 2010::3 64 N/A
R12 Se0/0/1 2011::3 64 N/A
R11 Fa0/1 2009::3 64 N/A
R11 Fa0/0 2013::1 64 N/A
PC0 Fa0 2001::2 64 2001::1
PC1 Fa0 2002::2 64 2002::1
PC2 Fa0 2006::2 64 2006::1
PC3 Fa0 2007::2 64 2007::1
PC4 Fa0 2012::2 64 2012::1
PC5 Fa0 2013::2 64 2013::1
PC6 Fa0 20014::2 64 2014::1
4.5 Configuring the interfaces of Topology in IPV6

When we creating a topology by default all the interface are in down state and they
have no ip address. Than we have to assign them IP address and take the entire router in
upstate my using some commands
 Enable
 IPv6 unicast-routing
 Interface(which port we are configuring)
 Ipv6 address/subnet
 Exit
 Exit
 Copy run start
45
Figure 4.17 Screenshot of Configure the interface on router 6
ports are in up state.
46
This figure explains that we are configuring the interface fa0/0,se0/0/0 and se0/0/1 on
4.6 Configure EIGRP in IPV6

4.6.1 Commands for EIGRP implementation
 Enable
 Ipv6 unicast-routing
 Ipv6 router EIGRP (0-65535)
 No shut
 EIGRP router ID(x.x.x.x)
 Exit
 Exit
 Interface (directly connected)(fa0/0,se0/0/0 etc)
 Ipv6 EIGRP (0-65535)
 Exit
 Exit
 Copy run start
4.6.2 Implementation of EIGRP in IPV6
47
In this figure we take the as our AS number of all the routers. Because if don’t set the as
command saves the all configuration in NVRAM
48
copy run start. This command saves the all configuration in NVRAM
49
copy run start. This command saves the all configuration in NVRAM
50
Chapter 5
Results & Discussions, Conclusion & Future Work
5.1 Results & Discussion

Network scalability is very important as it allows for future expansion of the network
infrastructure can be enhanced by reducing network congestion and this demonstrates that the
network convergence time is far better of as compared to EIGRP_OSPF and OSPF networks
because EIGRP network is able learn the topological information and updates the routing
table faster especially EIGRP and OSPF are widely being used in the computer networking.
In this research work, I have presented a per analysis of selected routing protocols such as
EIGRP, OSPF and the combination of EIGRP and OSPF. This command is used to display
information about EIGRP named configurations and EIGRP autonomous-system (AS)
configurations. The output of this command shows the information that has been exchanged
between the neighboring EIGRP routers. An explanation of each output field follows the
table.
 Hellos sent/received shows the number of hello packets sent and received (sent

-1927/received - 1930).
 Updates sent/received displays the number of update packets sent and received (sent-
20/received-39).
 Queries sent/received means the number of query packets sent and received (sent-
10/received-18).
 Replies sent/received shows the number of reply packets sent and received (sent-
18/received-16).
 Acks sent/received standsfor the number of acknowledgment packets sent and
received (sent-66/received-41).
 SIA-Queries sent/received means number of stuck in active query packets sent and
received (sent-0/received-0).
 SIA-Replies sent/received displays the number of stuck in active reply packets sent
and received (sent-0/received-0).
 Hello Process ID is the hello process identifier (270).
 PDM Process ID stands for protocol-dependant module IOS process identifier (251).
 Socket Queue displays the IP to EIGRP Hello Process socket queue counters (current-
0/max-2000/highest-1/drops-0).
51
 Input Queue shows the EIGRP Hello Process to EIGRP PDM socket queue
counters (current-0/max-2000/highest-1/drops-0).
This command only displays feasible successors. To display all entries in the topology
table, use the show ip EIGRP topology all-links command. An explanation of each output
field follows the table.
 A means active. This could also show a P, meaning passive.

 10.2.4.0/24 is the destination or mask.
 0 successors show how many successors (or paths) are available for this destination;
if successors are capitalized, the route is in transition.
 FD is 512640000 shows the feasible distance, which is the best metric to reach this
destination or the best metric known when the route went active.
 Tag is 0x0 can be set and/or filtered using route maps with the set tag and match
tag commands.
 Q means a query is pending. This field can also be: U, for update pending; or R, for
reply pending.
 1 reply shows the number of outstanding replies.
 Active 00:00:01 shows how long this route has been active.
 Query origin: Local origin shows this route originated the query. This field can also
be: Multiple origins, meaning that multiple neighbors have sent queries on this
destination, but not the successor; or Successor origin, meaning the successor originated
the query.
 Via 10.1.2.2 shows that we learned of this route from a neighbor whose IP address is
10.1.2.2. This field can also be: Connected, if the network is directly connected to this
router; Redistributed, if this route is being redistributed into EIGRP on this router; or
Summary, if this is a summary route generated on this router.
 (Infinity/Infinity) shows the metric to reach this path through this neighbor in the first
field, and the reported distance through this neighbor in the second field.
 r shows that we have queried this neighbor and are waiting for a reply.
 Q is the send flag for this route, meaning there is a query pending. This field can also
be: U, meaning there is an update pending; or R, meaning there is a reply pending.
Originating Router shows that this is the router that injected this route into the EIGRP AS.
 External AS shows the Autonomous System this route came from (if there is one).
52
 External Protocol shows the protocol this route came from (if there is one).
 External metric shows the internal metric in the external protocol.
 Administrator Tag can be set and/or filtered using route maps with the set tag and match
tag commands.
The Routing is nothing but, showing the path for the packets to flow from source to
destination there are different types of routing techniques are used depends on the
requirement of usage. In this paper, the EIGRP protocol has explained and configured
successfully using the Cisco packet tracer and the results are explained.
5.2 Conclusion & Future Work

The only varying parameter in our analysis, other than routing protocol of course, was
the size of the network topology. Improvement or future works for this project can include
adding metrics on interfaces such as cost, bandwidth, distance, Bit Error Rate (BER), and
delay. Furthermore, various network topologies (in terms of size, routers and links used) can
be implemented for comparison of performance between these routing protocols. Since OSPF
is the most complex routing protocol, more time could be spent on analyzing it to find the
value of parameters that need to be set in order for it to perform optimally. Another
possibility is to implement real network topologies used, perhaps in a university campus a
company office, or a larger networksize while also modifying the network parameters, such
as interfaces, to those of the actual scenario being analyzed
53
REFERENCES
Dooley, K., & Brown, I. (2006). Cisco IOS Cookbook: Field-Tested Solutions to Cisco Router
Problems. " O'Reilly Media, Inc.".
Feamster, N., & Balakrishnan, H. (2005, May). Detecting BGP configuration faults with static
analysis. In Proceedings of the 2nd conference on Symposium on Networked Systems Design &
Implementation-Volume 2 (pp. 43-56). USENIX Association.
Leiner, B. M., Cerf, V. G., Clark, D. D., Kahn, R. E., Kleinrock, L., Lynch, D. C., ... & Wolff, S.
(2009). A brief history of the Internet. ACM SIGCOMM Computer Communication Review, 39(5),
22-31.
Parra, O. J. S., Rios, A. P., & Rubio, G. L. (2011, December). IPV6 and IPV4 QoS mechanisms.
In Proceedings of the 13th International Conference on Information Integration and Web-based
Applications and Services (pp. 463-466). ACM.
Pepelnjak, I. (2000). EIGRP network design solutions: the definitive resource for EIGRP design,
deployment, and operation (Vol. 250). Cisco Press.
Yunos, R., Noor, N. M., & Ahmad, S. A. (2010, March). Performance evaluation between IPv4 and
IPv6 on MPLS Linux platform. In 2010 International Conference on Information Retrieval &
Knowledge Management (CAMP) (pp. 204-208). IEEE.
54
APPENDIX
Source Code
R1#crypto isakmp enable

R1#crypto isalmp policy 10
R1#encryption 3des
R1#hash md5
R1#authenticatin pre-share
R1#group 5
R1#exit
R1#crypto isakmp key 0 cisco address 1.1.1.2
R1#crypto ipsec transform-set yourset esp-aes esp-3des-hmac
R1#model tunnel
R1#exit
R1#ip access-list extended vpn
R1#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1#exit
R1#crypto map mymap 10 ipsec-isakmp
R1#match address vpn
R1#set transform-set tset
R1#set peer 10.1.1.2
R1#exit
R1#int serial 0/1/0
R1#cryppto map mymap
R1#exit
55

Final - Book Test

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Final - Book Test

Uploaded by

Copyright:

Available Formats

NATIONAL COLLEGE OF BUSINESS

ADMINISTRATION & ECONOMICS

Virtual Private Network Connection Using IPsec Protocol

Muhammad Saqib Sultan

NATIONAL COLLEGE OF BUSINESS

Virtual Private Network Connection Using IPsec Protocol

Muhammad Saqib Sultan

A Project Report submitted to

NATIONAL COLLEGE OF BUSINESS

PROJECT COMPLEITION CERTIFICATE

It is certified that the project work contained in this project entitled

National College of Business Administration & Economics

COURSE COMPLETION CERTIFICATE

Prof. Dr. Farkhand Shakeel Prof. Dr. G R Pasha

In this paper, we consider optimizing a smooth, convex, lower semicontinuous

In first chapter, we studied Interior Gateway Routing Protocol (EIGRP) is a classless

2. 2 Basics of VPNs .......................................................................................................... 5

3.1 Packet Tracer:

Packet Tracer can be run on Linux and Microsoft Windows.

3.2 Proposed Topology

Figure 3.1 Screenshot of Proposed Topology

3.3 Documentation of Proposed Topology:

3.3.2 Documentation of Switches

3.3.3 Documentation of PC’S

4.1 Topology for Configuring EIGRP Protocol on IPV4

Figure 4.1 Screenshot of Main topology diagram

Table 4.1 Documentation of Topology

4.2 Commands for configuring the interfaces in IPV4

Figure 4.5 Screenshot of Configure the interface of router 9

Figure 4.7 Screenshot of Configure the interface of router 11

4.3 Commands for Configuring EIGRP on IPV4

When we implement EIGRP in our topology. The autonomous number should be

Figure 4.9 Screenshot of Configuration of EIGRP on Router 6

Figure 4.10 Screenshot of Configuration EIGRP on router 7

Figure 4.11 Screenshot of Configure EIGRP on router 8

Figure 4.12 Screenshot of Configure the EIGRP on router 9

Figure 4.16 Screenshot of Topology Diagram for implementation of EIGRP in IPV6

Table 4.2 Documentation of Topology on IPV(6)

4.5 Configuring the interfaces of Topology in IPV6

Figure 4.18 Screenshot of Configure the interfaces of router 7

Figure 4.19 Screenshot of Configure the interface of router 8

4.6 Configure EIGRP in IPV6

4.6.2 Implementation of EIGRP in IPV6

5.1 Results & Discussion

 Hellos sent/received shows the number of hello packets sent and received (sent

 A means active. This could also show a P, meaning passive.

5.2 Conclusion & Future Work

R1#crypto isakmp enable

You might also like