Topology:
Data is considered safe at rest and vulnerable in transit. That is why IPsec came into existence: to
carry data securely over the internet.
In an enterprise environment, to bring all the remote networks together, we need to run some protocol
over the internet.
If we consider running BGP over the internet, we first need to configure IPsec as the underlay and then
activate BGP on top of it with a tunnel protection profile, for secure convergence of data.
For this, a very simple topology is used, as shown in the above image, and to keep things uncomplicated
only the basic configuration is given below.
interface FastEthernet0/1
 description towards Branch
 ip address 2.2.2.1 255.0.0.0
 no shut
Interface Configuration:
interface FastEthernet0/0
 ip address 1.1.1.1 255.0.0.0
 description WAN_Interface
 no shut
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 description LAN_Interface
 no shut
Crypto Configuration:
ISAKMP Configuration: (Phase-01)
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
Pre-shared key configuration: (We are telling the router that this is the PSK for this peer)
crypto isakmp key 123456 address 2.2.2.2
Defining Transform-Set: (Phase-02. This transform-set is needed to secure the actual payload)
crypto ipsec transform-set TS esp-3des esp-md5-hmac
Defining Crypto MAP: (As the name suggests, we map all crypto criteria here)
crypto map CM 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
Defining tunnel protection crypto profile: (Needed to secure the tunnel interface traffic. In this case I
have used the same transform set that is used in Phase-2)
crypto ipsec profile CP
 set transform-set TS
interface FastEthernet0/0
 description LAN_Interface
 ip address 172.16.1.1 255.255.255.0
Crypto Configuration:
ISAKMP Configuration: (Phase-01)
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
Pre-shared key configuration: (We are telling the router that this is the PSK for this peer)
crypto isakmp key 123456 address 1.1.1.1
Defining Transform-Set: (Phase-02. This transform-set is needed to secure the actual payload)
crypto ipsec transform-set TS esp-3des esp-md5-hmac
Defining Crypto MAP: (As the name suggests, we map all crypto criteria here)
crypto map CM 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS
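The two crypto configurations above have to mirror each other (Phase-1 policy, pre-shared key, peer address, transform-set) before the tunnel can come up. The Python below is an added example, not part of the original document: it parses the crypto lines of both routers, reports mismatches, and flags DES/3DES, MD5 and Diffie-Hellman groups 1, 2 and 5, which are considered legacy today. The names parse, audit, LEGACY_P1 and LEGACY_TS are hypothetical, one ISAKMP policy per router is assumed, and the Branch input is constructed by mirroring the HO lines.

```python
LEGACY_P1 = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
LEGACY_TS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

# Added example (helper names are illustrative). Constructed input: HO crypto lines from the page.
HO = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 2.2.2.2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CM 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
"""
BRANCH = HO.replace("2.2.2.2", "1.1.1.1")  # Branch side points back at the HO WAN address

def parse(cfg):
    """Extract Phase-1 policy, PSKs, transform-sets and crypto-map peers (one policy assumed)."""
    out = {"policy": {}, "psk": {}, "ts": {}, "peers": set()}
    in_policy = False
    for words in (line.split() for line in cfg.splitlines() if line.strip()):
        if words[0] in ("crypto", "interface", "router"):   # a top-level command ends the sub-mode
            in_policy = words[:3] == ["crypto", "isakmp", "policy"]
        if in_policy and words[0] in ("encr", "encryption", "hash", "group", "authentication"):
            out["policy"]["encr" if words[0].startswith("encr") else words[0]] = " ".join(words[1:])
        elif words[:3] == ["crypto", "isakmp", "key"] and len(words) >= 6:
            out["psk"][words[5]] = words[3]                  # peer address -> key
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            out["ts"][words[3]] = tuple(words[4:])
        elif words[:2] == ["set", "peer"]:
            out["peers"].add(words[2])
    return out

def audit(local_cfg, remote_cfg, local_wan, remote_wan):
    """Return findings for the local router, checked against its peer's configuration."""
    a, b = parse(local_cfg), parse(remote_cfg)
    findings = [f"phase1 mismatch: {k}" for k in sorted(set(a["policy"]) | set(b["policy"]))
                if a["policy"].get(k) != b["policy"].get(k)]
    if remote_wan not in a["psk"] or a["psk"][remote_wan] != b["psk"].get(local_wan):
        findings.append("psk missing or different for peer")
    if remote_wan not in a["peers"]:
        findings.append("crypto map does not point at peer")
    if set(a["ts"].values()).isdisjoint(b["ts"].values()):
        findings.append("no common transform-set")
    findings += [f"legacy phase1 {k}: {a['policy'][k]}" for k, bad in LEGACY_P1.items()
                 if a["policy"].get(k) in bad]
    findings += [f"legacy transform in {n}: {x}" for n, xf in a["ts"].items() for x in xf if x in LEGACY_TS]
    return findings
```

Calling audit(HO, BRANCH, "1.1.1.1", "2.2.2.2") on the configuration above returns no mismatches and five legacy-algorithm findings.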
Verification on HO Router:
HO#show ip bgp summary
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.2         4   200      32      32        4    0    0 00:28:02        2