
R1:

conf t
int g0/0
Desc ---conn to ISP
ip add 1.1.1.1 255.255.255.0
no sh
int g1/0
Desc conn to LAN
ip add 10.1.1.1 255.255.255.0
no sh
exi

ip route 0.0.0.0 0.0.0.0 1.1.1.2

R2 (ISP):

conf t
int g0/0
Desc ---conn to CE-1
ip add 1.1.1.2 255.255.255.0
no sh
int g1/0
Desc conn to CE-3
ip add 2.2.2.2 255.255.255.0
no sh
exi

R3:
conf t
int g0/0
Desc ---conn to ISP
ip add 2.2.2.3 255.255.255.0
no sh
int g1/0
Desc conn to LAN
ip add 10.3.3.3 255.255.255.0
no sh
exi

ip route 0.0.0.0 0.0.0.0 2.2.2.2

=======================================
Site-to-site VPNs

Phase I
ISAKMP/IKE tunnel -- control plane
<------------------------>
Bidirectional

Phase II
IPsec tunnel -- data plane
<--------------------
-------------------->
2 unidirectional tunnels:
inbound/outbound
! HAGLE
Hash - data integrity: MD5, SHA
Auth - validation: PSK, PKI
Group - DH group 2, 5, 17
Lifetime - 24 hrs / 1 day / 86400 sec; if the peers propose different lifetimes (e.g. 1 day vs 1/2 day) the lower value is agreed
Encryption: 3DES, AES

Common session keys are generated; the peers are validated and identified.

PHASE II

Interesting traffic is defined with an ACL

Transform set - ESP 50 (hash/encryption), AH 49 (data integrity)

Crypto map joins phase 1 and phase 2 (peer, ACL, transform set)

Apply the crypto map to the outside interface

R1
crypto isakmp policy 10
hash md5
auth pre-share
group 5
enc aes
exit

cry isakmp key cisco123 address 2.2.2.3


-----------------------------------------------
PHASE II

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255

cry ipsec transform-set tset esp-aes esp-sha-hmac
exi

crypto map cmap 10 ipsec-isakmp
set peer 2.2.2.3
match address 101
set transform-set tset
exi

int g0/0
cry map cmap
exi

R3:
crypto isakmp policy 10
hash md5
auth pre-share
group 5
enc aes
exit

cry isakmp key cisco123 address 1.1.1.1


access-list 101 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255

cry ipsec transform-set tset esp-aes esp-sha-hmac
exi

crypto map cmap 10 ipsec-isakmp
set peer 1.1.1.1
match address 101
set transform-set tset
exi

int g0/0
cry map cmap
exi
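The HAGLE matching from Phase I and the "lower lifetime is agreed" rule, run against ISAKMP policies in the style of the R1/R3 configs above. This is an added example, not part of the original notes; the configs are constructed samples (R1 gets a hypothetical stronger policy 5 and R3 a shorter lifetime so both the match order and the lifetime rule show up), and the weak-algorithm table is the author's own judgement, not an IOS feature.

```python
"""Parse IOS 'crypto isakmp policy' blocks from two peers, simulate IKEv1
phase 1 policy selection and flag weak agreed attributes."""
import re

# Constructed samples modelled on the R1/R3 lab configs (not from the page).
R1_CONF = """
crypto isakmp policy 5
 hash sha256
 authentication pre-share
 group 14
 encryption aes 256
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 5
 encryption aes
"""
R3_CONF = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 5
 encryption aes
 lifetime 43200
"""

# IOS defaults applied when a policy omits an attribute.
DEFAULTS = {"hash": "sha", "authentication": "rsa-sig", "group": "1",
            "encryption": "des", "lifetime": "86400"}
# Values a defender would flag today ('sha' in IOS means SHA-1).
WEAK = {"hash": {"md5", "sha"}, "group": {"1", "2", "5"},
        "encryption": {"des", "3des"}}

def parse_policies(conf):
    """Return {priority: {attribute: value}} with defaults filled in."""
    policies, cur = {}, None
    for line in conf.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line.strip())
        if m:
            cur = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif cur is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            cur[key] = val
    return policies

def negotiate(initiator, responder):
    """First initiator policy (lowest priority number) whose HAGLE values
    match a responder policy wins; lifetime is the lower of the two."""
    keys = ("hash", "authentication", "group", "encryption")
    for _, own in sorted(initiator.items()):
        for _, peer in sorted(responder.items()):
            if all(own[k] == peer[k] for k in keys):
                agreed = {k: own[k] for k in keys}
                agreed["lifetime"] = str(min(int(own["lifetime"]), int(peer["lifetime"])))
                return agreed
    return None  # no proposal accepted: phase 1 fails

def weak_attributes(agreed):
    """Attribute names of the agreed policy that fall in the WEAK table."""
    return sorted(k for k, v in WEAK.items() if agreed[k] in v)
```

With these samples the peers settle on policy 10 (md5 / pre-share / group 5 / aes) at a 43200 s lifetime, and the audit flags the hash and DH group.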

ISAKMP/IKE uses UDP port 500 for the site-to-site VPN.
