
Download PNETLab Platform

PNETLAB Store
PNETLab.com

IPSEC VPN SITE-TO-SITE


Lab Topology:
Please use the following topology to complete this lab exercise:

https://user.pnetlab.com/store/labs/detail?id=16033404912009

Lab Objective:
The objective of this lab exercise is for you to learn and understand, step by step, how to configure a site-to-site IPsec VPN.


Task:
1. Routing between R2, Internet, R4
2. Configure VPN IPSEC only on R2 and R4
+ Configure the ISAKMP policy required to establish IKE phase 1
+ Set key and peer
+ Configure IPSec policy to establish IKE phase 2
+ Create an ACL to define which traffic should be sent through the IPsec tunnel.
+ Create crypto map to the outgoing interface of the VPN device.
+ Apply the crypto map to the outgoing interface.

Solution:
Task 1: Routing between R2, Internet, R4
- On R2:
router ospf 100
 network 172.168.23.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0

- On Internet:
router ospf 100
 network 172.168.23.0 0.0.0.255 area 0
 network 172.168.34.0 0.0.0.255 area 0

- On R4:
router ospf 100
 network 172.168.34.0 0.0.0.255 area 0
 network 192.168.45.0 0.0.0.255 area 0

- On R1:
ip route 0.0.0.0 0.0.0.0 192.168.12.2

- On R5:
ip route 0.0.0.0 0.0.0.0 192.168.45.4


Task 2: Configure VPN IPSEC only on R2 and R4

- On R2:
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption 3des
crypto isakmp key cisco address 172.168.34.4
crypto ipsec transform-set myset esp-3des esp-md5-hmac
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.45.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.168.34.4
 set transform-set myset
 match address 100
interface e0/1
 crypto map MYMAP

- On R4:
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption 3des
crypto isakmp key cisco address 172.168.23.2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
access-list 100 permit ip 192.168.45.0 0.0.0.255 192.168.12.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.168.23.2
 set transform-set myset
 match address 100
interface e0/0
 crypto map MYMAP
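Before bringing the tunnel up it is worth checking that the two sides really mirror each other: a crypto ACL, peer address or transform set typed differently on one router is the usual reason IKE phase 1 or phase 2 never completes. The following Python script is an added example written for this page, not part of the PNETLab lab or of Cisco IOS. It embeds the R2 and R4 configuration above as constructed strings, checks that the crypto map peers, pre-shared-key addresses, transform sets and crypto ACLs are consistent, and also flags the MD5/3DES/DH group 2 settings, which IOS still accepts but which are legacy choices by current standards. The function names and the `local_wan`/`remote_wan` parameters are my own.

```python
import re
from typing import Any, Dict, List

# Constructed sample input: the R2 and R4 crypto configuration from this lab,
# typed out as plain-text strings (not pulled from a live device).
R2_CONFIG = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption 3des
crypto isakmp key cisco address 172.168.34.4
crypto ipsec transform-set myset esp-3des esp-md5-hmac
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.45.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.168.34.4
 set transform-set myset
 match address 100
interface e0/1
 crypto map MYMAP
"""

R4_CONFIG = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption 3des
crypto isakmp key cisco address 172.168.23.2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
access-list 100 permit ip 192.168.45.0 0.0.0.255 192.168.12.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.168.23.2
 set transform-set myset
 match address 100
interface e0/0
 crypto map MYMAP
"""

# IKE policy settings and ESP transforms that IOS accepts but that are legacy
# by current standards (the lab uses them for simplicity).
LEGACY_POLICY = {("hash", "md5"), ("encryption", "3des"), ("group", "2")}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_crypto(config: str) -> Dict[str, Any]:
    """Pull out the values that must agree between the two IPsec peers."""
    info: Dict[str, Any] = {"acl": [], "transform": (), "peer": None,
                            "key_peer": None, "policy": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            info["acl"].append(m.groups())           # (src, src-wc, dst, dst-wc)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            info["transform"] = tuple(m[1].split())
        elif m := re.match(r"set peer (\S+)$", line):
            info["peer"] = m[1]
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)$", line):
            info["key_peer"] = m[1]
        elif m := re.match(r"(hash|encryption|group) (\S+)$", line):
            info["policy"].append((m[1], m[2]))
    return info


def check_pair(local_cfg: str, remote_cfg: str, local_wan: str, remote_wan: str) -> List[str]:
    """Return a list of findings; an empty list means the two sides are consistent."""
    a, b = parse_crypto(local_cfg), parse_crypto(remote_cfg)
    findings: List[str] = []
    # Phase 1: each crypto map must point at the other side's tunnel address,
    # and the pre-shared key must be bound to that same address.
    if a["peer"] != remote_wan or b["peer"] != local_wan:
        findings.append("crypto map peers do not point at each other")
    if a["key_peer"] != a["peer"] or b["key_peer"] != b["peer"]:
        findings.append("isakmp key address does not match the crypto map peer")
    # Phase 2: both sides must propose the same transform set.
    if a["transform"] != b["transform"]:
        findings.append("transform sets differ")
    # Crypto ACLs must be mirror images: (src, dst) here is (dst, src) there.
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}
    if set(a["acl"]) != mirrored:
        findings.append("crypto ACLs are not mirror images")
    # Flag legacy algorithms on either side.
    for name, cfg in (("local", a), ("remote", b)):
        weak = [f"{k} {v}" for k, v in cfg["policy"] if (k, v) in LEGACY_POLICY]
        weak += [t for t in cfg["transform"] if t in LEGACY_TRANSFORMS]
        if weak:
            findings.append(f"{name}: legacy algorithms in use: {', '.join(weak)}")
    return findings


def lab_findings() -> List[str]:
    """Run the check on the lab's own R2/R4 configuration."""
    return check_pair(R2_CONFIG, R4_CONFIG,
                      local_wan="172.168.23.2", remote_wan="172.168.34.4")


if __name__ == "__main__":
    for finding in lab_findings():
        print(finding)
```

For the lab configuration the only findings are the two legacy-algorithm notes (one per router); changing a single octet in either crypto ACL or pointing `set peer` at the wrong address produces a mismatch finding instead.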

Verification:
R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.168.34.4 172.168.23.2 QM_IDLE 1001 ACTIVE

R2#show crypto isakmp policy


Global IKE policy
Protection suite of priority 10
encryption algorithm:Three key triple DES
hash algorithm: Message Digest 5
authentication method:Pre-Shared Key
Diffie-Hellman group:#2 (1024 bit)
lifetime:86400 seconds, no volume limit


R2#show crypto isakmp key


Keyring Hostname/Address Preshared Key
default 172.168.34.4 cisco

R2#show crypto map


Crypto Map IPv4 "MYMAP" 10 ipsec-isakmp
Peer = 172.168.34.4
Extended IP access list 100
access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.45.0 0.0.0.255
Current peer: 172.168.34.4
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={ MYSET: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map MYMAP: Ethernet0/1
Interfaces using crypto map NiStTeSt1:

R2#show crypto ipsec sa


interface: Ethernet0/1
Crypto map tag: MYMAP, local addr 172.168.23.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.45.0/255.255.255.0/0/0)
current_peer 172.168.34.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.168.23.2, remote crypto endpt.: 172.168.34.4
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
current outbound spi: 0x84584C8D(2220379277)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x7A9CBDF3(2057092595)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }

conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: MYMAP


sa timing: remaining key lifetime (k/sec): (4280142/3365)
IV size: 8 bytes
replay detection support: Y
ecn bit support: Y status: off
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
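The counters in the `show crypto ipsec sa` output above are what tell you whether traffic is really being protected in both directions: `#pkts encaps` climbing while `#pkts decaps` stays at zero means packets leave R2 encrypted but nothing comes back, which usually points at a crypto ACL or routing problem on the far side, and a non-zero `#send errors`/`#recv errors` count is worth investigating before trusting the tunnel. The following Python script is an added example written for this page, not part of the lab or of Cisco IOS; it embeds excerpts of the R2 verification output above as constructed strings and implements that health check against the `show crypto isakmp sa` and `show crypto ipsec sa` text. The function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed samples: excerpts of the R2 verification output shown in the lab.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.168.34.4    172.168.23.2    QM_IDLE           1001 ACTIVE
"""

IPSEC_SA = """\
interface: Ethernet0/1
    Crypto map tag: MYMAP, local addr 172.168.23.2
   local  ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.45.0/255.255.255.0/0/0)
   current_peer 172.168.34.4 port 500
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x7A9CBDF3(2057092595)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE(ACTIVE)
"""


def phase1_up(show_isakmp_sa: str, peer: str) -> bool:
    """True when the ISAKMP SA to `peer` has finished phase 1 (state QM_IDLE, status ACTIVE)."""
    for line in show_isakmp_sa.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == peer:
            return fields[2] == "QM_IDLE" and fields[4] == "ACTIVE"
    return False


def phase2_counters(show_ipsec_sa: str) -> Dict[str, Optional[object]]:
    """Extract the counters and SA status that show whether traffic is being protected."""
    counters: Dict[str, Optional[object]] = {}
    for key in ("encaps", "decaps", "encrypt", "decrypt"):
        if m := re.search(rf"#pkts {key}: (\d+)", show_ipsec_sa):
            counters[key] = int(m[1])
    if m := re.search(r"#send errors (\d+), #recv errors (\d+)", show_ipsec_sa):
        counters["send_errors"], counters["recv_errors"] = int(m[1]), int(m[2])
    m = re.search(r"Status: (\w+)", show_ipsec_sa)   # "ACTIVE(ACTIVE)" -> "ACTIVE"
    counters["status"] = m[1] if m else None
    return counters


def tunnel_healthy(show_isakmp_sa: str, show_ipsec_sa: str, peer: str) -> List[str]:
    """Return a list of problems; an empty list means both phases are up and traffic flows both ways."""
    problems: List[str] = []
    if not phase1_up(show_isakmp_sa, peer):
        problems.append("no active QM_IDLE ISAKMP SA to peer")
    c = phase2_counters(show_ipsec_sa)
    if c.get("status") != "ACTIVE":
        problems.append("no active inbound ESP SA")
    if not c.get("encaps") or not c.get("decaps"):
        problems.append("one-way or no traffic: encaps/decaps counter is zero")
    if c.get("send_errors") or c.get("recv_errors"):
        problems.append("send/recv errors present")
    return problems


if __name__ == "__main__":
    print(tunnel_healthy(ISAKMP_SA, IPSEC_SA, "172.168.34.4") or "tunnel healthy")
```

Run against the lab output the check reports no problems; feeding it a capture where `#pkts decaps` is 0, or asking about a peer that has no ISAKMP SA, produces the corresponding problem string, which is the same triage you would do by eye on the router.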

Wireshark: Check the result with a packet capture in Wireshark on the Internet segment between R2 and R4. Every packet crossing it is encapsulated in ESP, and the outer source and destination addresses are the tunnel endpoints (172.168.23.2 and 172.168.34.4) rather than the original hosts in 192.168.12.0/24 and 192.168.45.0/24.
