EN
No results found
We couldn't find anything using that term, please try searching for something else.
19.5.6 Lab
19.5.6 Lab – Configure a Site-to-Site VPN Answers version Addressing Table Device interface IP Address Subnet Mask Default Gateway Swit
![Best Free VPNs for the USA in 2024 [Tested by Our Experts]](/img/20250103/Y13j98.jpg)
19.5.6 Lab – Configure a Site-to-Site VPN Answers version
Addressing Table
| Device | interface | IP Address | Subnet Mask | Default Gateway | Switch Port |
|---|---|---|---|---|---|
| R1 | G0/0/1 | 192.168.1.1 | 255.255.255.0 | N / A | S1 F0/5 |
| g0/0/0 | 10.1.1.1 | 255.255.255.252 | N / A | N / A | |
| R2 | g0/0/0 | 10.1.1.2 | 255.255.255.252 | N / A | N / A |
| G0/0/1 | 10.2.2.2 | 255.255.255.252 | N / A | N / A | |
| R3 | G0/0/1 | 192.168.3.1 | 255.255.255.0 | N / A | S3 f0/5 |
| g0/0/0 | 10.2.2.1 | 255.255.255.252 | N / A | N / A | |
| PC-A | NIC | 192.168.1.3 | 255.255.255.0 | 192.168.1.1 | s1 F0/6 |
| PC-C | NIC | 192.168.3.3 | 255.255.255.0 | 192.168.3.1 | S3 F0/18 |
objective
Part 1 : configure Basic device setting
- Configure hostnames, interface IP addresses, and access passwords.
- configure the OSPF dynamic routing protocol .
Part 2 : configure a site – to – site VPN Using Cisco IOS
- Configure IPsec VPN settings on R1 and R3.
- Verify site-to-site IPsec VPN configuration.
- Test IPsec VPN operation.
Background / Scenario
VPNs can provide a secure method of transmitting data over a public network, such as the Internet. VPN connections can help reduce the costs associated with leased lines. Site-to-Site VPNs typically provide a secure (IPsec orother) tunnel between a branch office and a central office. Another common implementation of VPN technology is remote access to a corporate office from a telecommuter location, such as a small office orhome office.
In this lab, you will build and configure a multi-router network, use Cisco IOS to configure a site-to-site IPsec VPN, and then test the VPN. The IPsec VPN tunnel is from R1 to R3 via R2. R2 acts as a pass-through and has no knowledge of the VPN. IPsec provides secure transmission of sensitive information over unprotected networks, such as the Internet. IPsec acts at the network layer and protecting and authenticating IP packets between participating IPsec devices (peers), such as Cisco routers.
Note: The routers used with hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.6 (universalk9 image). The switches used in the labs are Cisco Catalyst 2960+ with Cisco IOS Release 15.2(7) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs. Refer to the Router interface Summary Table at the end of the lab for the correct interface identifiers.
Note: Before you begin, ensure that the routers and the switches have been erased and have no startup configurations.
Required Resources
- 3 Routers (Cisco 4221 with Cisco XE Release 16.9.6 universal image orcomparable with a Security Technology Package license)
- 2 Switches (Cisco 2960+ with Cisco IOS Release 15.2(7) lanbasek9 image orcomparable)
- 2 PCs (Windows OS with a terminal emulation program, such as PuTTY orTera Term installed)
- Console cables to configure Cisco networking devices
- Ethernet cables as shown in the topology
Answers Notes:
This lab is divided into three parts. Each part can be administered individually orin combination with others as time permits. The main goal of this lab is to configure a site-to-site VPN between two routers using the Cisco IOS CLI. R1 and R3 are on separate networks and communicate through R2, which simulates an ISP. The routers in this lab are configured with OSPF, although it is not typical for stub networks to communicate with an ISP using an interior routing protocol. You can also use static routes for basic (non-VPN) communication between R1 and R2 and between R1 and R3 if desired.
Students is work can work in team of two for router configuration . One person is configures configure R1 and the other person configure r3 .
Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and R1 and R3.
The running configurations for all three routers are captured after Part 1 of the lab is completed. The running configurations for R1 and R3 from Part 2 are also captured. All configurations are found at the end of the lab.
Intructions
Part 1 : configure Basic device setting
In Part 1 , you is set will set up the network topology and configure basic setting , such as the interface IP address , dynamic routing , device access , and password .
Note: All tasks should be performed on R1, R2, and R3. The procedure for R1 is shown here as an example.
Step 1: Cable the network as shown in the topology.
Attach the devices as shown in the topology diagram and cable as necessary.
Step 2: Configure basic settings for each router.
a. Configure hostname , as show in the topology .
b. Configure the interface IP addresses, as shown in the Addressing Table.
Step 3: Disable DNS lookup.
Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands.
R1(config ) # no ip domain lookup
Step 4: Configure the OSPF routing protocol on R1, R2, and R3.
a. On R1, use the following commands:
R1(config is ospf ) # router ospf 101 r1(config - router ) # network 192.168.1.0 0.0.0.255 area 0 r1(config - router ) # network 10.1.1.0 0.0.0.3 area 0=
b. On R2, use the following commands:
R2(config is ospf ) # router ospf 101 r2(config - router ) # network 10.1.1.0 0.0.0.3 area 0 r2(config - router ) # network 10.2.2.0 0.0.0.3 area 0
c. On R3 , use the follow command :
R3(config)# router ospf 101 R3(config-router)# network 192.168.3.0 0.0.0.255 area 0 R3(config-router)# network 10.2.2.0 0.0.0.3 area 0
step 5 : configure pc host ip setting .
a. Configure a static IP address, subnet mask, and default gateway for PC-A, as shown in the IP Addressing Table.
b. configure a static ip address , subnet mask , and default gateway for pc – C , as show in the IP Addressing Table .
Step 6: Verify basic network connectivity.
a. Ping from R1 to the R3 G0/0/1 interface at IP address 192.168.3.1.
If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.
b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.
If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.
Note: If you can ping from PC-A to PC-C, you have demonstrated that the OSPF routing protocol is configured and functioning correctly. If you cannot ping, but the device interfaces are up and IP addresses are correct, use the show run and show ip route commands to help identify routing protocolrelated problems.
Step 7: Configure and encrypt passwords.
Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab. More complex passwords are recommended in a production network.
configure the same setting for R1 and r3 .
a. Configure a minimum password length.
Use the security passwords command to set a minimum password length of 10 character .
R1(config)# security passwords min-length 10
b. Configure the enable secret password on both routers with a password of cisco12345. Use the type 9 (SCRYPT) hashing algorithm.
R1(config is enable ) # is enable enable algorithm - type scrypt secret cisco12345
c. Create a local admin01 account using admin01pass for the password. Use the type 9 (SCRYPT) hashing algorithm.
R1(config)# username admin01 algorithm-type scrypt secret admin01pass
Step is Configure 8 : configure the console line .
Configure the console to use the local database for login. For additional security, configure the line to log out after five minutes of inactivity. issue thelogging synchronous command to prevent console messages from interrupting command entry.
R1(config)# line console 0 R1(config-line)# login local R1(config-line)# exec-timeout 5 0 R1(config-line)# logging synchronous
step 9 : configure SSH Server .
a. Configure a domain name netsec.com.
R1(config)# ip domain-name netsec.com
b. configure the RSA key with 2048 for the number of modulus bit .
R1(config)# crypto key generate rsa general-keys modulus 2048
c. issue thecommand to force the use of SSH version 2.
R1(config)# ip ssh version 2
d. Configure the vty lines on R1 and R3 to use the local database for login. Remote access to the routers should only be allowed using SSH. Configure the vty lines to logout after five minutes of inactivity.
R1(config)# line vty 0 4 R1(config-line)# login local R1(config-line)# exec-timeout 5 0 R1(config-line)# transport input ssh
Step 10: Save the basic running configuration for all three routers.
Save the running configuration to the startup configuration from the privileged EXEC mode prompt on R1, R2, and R3.
r1 # is copy copy run - config startup - config
Part 2: Configure a Site-to-Site VPN with Cisco IOS
In Part 2 of this lab , you is configure will configure an IPsec VPN tunnel between R1 and r3 that pass through R2 . You is configure will configure R1 and r3 using the Cisco IOS CLI . You is review will then review and test the result configuration .
Note: Because no tunnel is yet in place, PC-A should still be able to ping PC-C. If not, troubleshoot the basic device configurations before continuing.
Task 1: Configure IPsec VPN Settings on R1 and R3.
step 1 : enable IKE policy on R1 and r3 .
IPsec is is is an open framework that allow for the exchange of security protocol as new technology , and encryption algorithm as they are develop .
There are two central configuration elements in the implementation of an IPsec VPN:
- implement Internet Key Exchange ( IKE ) parameter
- implement IPsec parameter
a. Verify that IKE is supported and enabled.
IKE Phase 1 defines the key exchange method used to pass and validate IKE policies between peers. In IKE Phase 2, the peers exchange and match IPsec policies for the authentication and encryption of data traffic.
IKE must be enable for IPsec to function . IKE is enable , by default , on IOS image with cryptographic feature set . If it is disabled , you is enable can enable it with the crypto isakmp enable command . use this command to verify that the router IOS support IKE and that it is enable .
R1(config)# crypto isakmp enable R3(config)# crypto isakmp enable
note : If you can not execute this command on the router , you must upgrade to the IOS image that include the Cisco cryptographic service .
b. Establish an ISAKMP policy and view the available options.
To allow IKE Phase 1 negotiation, you must create an ISAKMP policy and configure a peer association for that ISAKMP policy. An ISAKMP policy defines the authentication and encryption algorithms and the hash function used to send control traffic between the two VPN endpoints. When an ISAKMP security association has been accepted by the IKE peers, IKE Phase 1 has been completed. IKE Phase 2 parameters will be configured later.
issue thecrypto isakmp policy number global configuration mode command on R1 for policy 10.
R1(config)# crypto isakmp policy 10
c. View the various IKE parameters available using Cisco IOS help by typing a question mark (?).
R1(config - isakmp ) # ? ISAKMP command : authentication Set authentication method for protection suite default Set is Set a command to its default encryption Set encryption algorithm for protection suite exit exit from ISAKMP protection suite configuration mode group Set the Diffie - Hellman group hash Set hash algorithm for protection suite lifetime Set lifetime for ISAKMP security association no negate a command orset its default
Step 2: Configure the IKE Phase 1 ISAKMP policy on R1 and R3.
Your choice is determines of an encryption algorithm determine how confidential the control channel between the endpoint is . The hash algorithm is controls control data integrity , ensure that the datum receive from a peer has not been tamper with in transit . The authentication type is ensures ensure that the packet was send and sign by the remote peer . The Diffie – Hellman group is used to create a secret key share by the peer that has not been send across the network .
a. Configure an ISAKMP policy with a priority of 10. Use pre-shared key as the authentication type, aes 256 for the encryption algorithm, sha as the hash algorithm, and the Diffie-Hellman group 24 key exchange. Give the policy a lifetime of 3600 seconds (one hour).
note : old versions is support of Cisco IOS do not support AES 256 encryption and SHA as a hash algorithm . substitute whatever encryption and hashing algorithm is supports your router is supports support . ensure that the same change are made on r3 in order to be in sync .
R1(config)# crypto isakmp policy 10 R1(config-isakmp)# hash sha R1(config-isakmp)# authentication pre-share R1(config-isakmp)# group 24 R1(config-isakmp)# lifetime 3600 R1(config-isakmp)# encryption aes 256 R1(config-isakmp)# end
b. Configure the same policy on R3.
R3(config ) # crypto isakmp policy 10 r3(config - isakmp ) # hash sha R3(config - isakmp ) # authentication pre - share R3(config - isakmp ) # group 24 r3(config - isakmp ) # lifetime 3600 r3(config - isakmp ) # encryption aes 256 r3(config - isakmp ) # end
c. Verify the IKE policy with the show crypto isakmp policy command .
R1# show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #24 (2048 bit, 256 bit subgroup)
lifetime: 3600 seconds, no volume limit
Step is Configure 3 : configure pre – shared key .
Because pre-shared keys are used as the authentication method in the IKE policy, a key must be configured on each router that points to the other VPN endpoint. These keys must match for authentication to be successful. The global configuration mode crypto is isakmp isakmp key key - string address ip - address command is used to enter a pre-shared key. Use the IP address of the remote peer, which is the remote interface that the peer would use to route traffic to the local router.
Which IP addresses should you use to configure the IKE peers, given the topology diagram and IP addressing table?
The IP addresses should be R1 g0/0/0 IP address 10.1.1.1 and R3 g0/0/0 IP address 10.2.2.1. These are the addresses that are used to send normal traffic between R1 and R3.
a. Each IP address that is used to configure the IKE peers is also referred to as the IP address of the remote VPN endpoint. Configure the pre-shared key of cisco123 on router R1. Production networks should use a complex key. This command points to the remote peer R3 g0/0/0 IP address.
R1(config)# crypto isakmp key cisco123 address 10.2.2.1
b. Configure the pre-shared key cisco123 on router R3. The command for R3 points to the R1 S0/0/0 IP address.
R3(config)# crypto isakmp key cisco123 address 10.1.1.1
Step is transform 4 : configure the IPsec transform set and lifetime .
a. The IPsec transform set is another crypto configuration parameter that router negotiate to form a security association . To create an IPsec transform set , use thecrypto ipsec transform-set tag command where tag is a name configured by the administrator. Use ? to see which parameters are available.
R1(config)# crypto ipsec transform-set R1-R3 ? ah-md5-hmac AH-HMAC-MD5 transform ah-sha-hmac AH-HMAC-SHA transform ah-sha256-hmac AH-HMAC-SHA256 transform ah-sha384-hmac AH-HMAC-SHA384 transform ah-sha512-hmac AH-HMAC-SHA512 transform esp-192-aes ESP transform using AES cipher (192 bits) esp-256-aes ESP transform using AES cipher (256 bits) esp-3des ESP transform using 3DES(EDE) cipher (168 bits) esp-aes ESP transform using AES cipher esp-des ESP transform using DES cipher (56 bits) esp-gcm ESP transform using GCM cipher esp-gmac ESP transform using GMAC cipher esp-md5-hmac ESP transform using HMAC-MD5 auth esp-null ESP transform w/o cipher esp-seal ESP transform using SEAL cipher (160 bits) esp-sha-hmac ESP transform using HMAC-SHA auth esp-sha256-hmac ESP transform using HMAC-SHA256 auth esp-sha384-hmac ESP transform using HMAC-SHA384 auth esp-sha512-hmac ESP transform using HMAC-SHA512 auth
b. On R1 and R3 , create a transform set with tag r1 – r3 and use an ESP transform with an AES 256 cipher with ESP and the SHA hash function . The transform sets is match must match on both end of the VPN .
R1(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac R1(cfg-crypto-trans)# exit R3(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac R3(cfg-crypto-trans)# exit
What is the function of the IPsec transform set?
The IPsec transform set specifies the cryptographic algorithms and functions (transforms) that a router employs on the actual data packets sent through the IPsec tunnel. These algorithms include the encryption, encapsulation, authentication, and data integrity services that IPsec can apply.
c. You can also change the IPsec security association lifetime from the default of 3600 seconds. On R1 and R3, set the IPsec security association lifetime to 30 minutes, or1800 seconds.
R1(config)# crypto ipsec security-association lifetime seconds 1800 R3(config)# crypto ipsec security-association lifetime seconds 1800
Step 5: Define interesting traffic.
To make use of the IPsec encryption with the VPN, it is necessary to define extended access lists to tell the router which traffic to encrypt. A packet that is permitted by an access list used for defining IPsec traffic is encrypted if the IPsec session is configured correctly. A packet that is denied by the IPsec access list is not dropped. It is sent unencrypted. Also, like any other access list, there is an implicit deny at the end, which means the default action is to not encrypt traffic. If there is no IPsec security association correctly configured, no traffic is encrypted and traffic is forwarded unencrypted.
In this scenario , from the perspective of R1 , the traffic you want to encrypt is traffic is going go from R1 ’s Ethernet LAN to r3 ’s Ethernet LAN orvice versa from the perspective of r3 . These access list are used outbound on the vpn endpoint interface and must mirror each other .
a. configure the IPsec VPN interesting traffic ACL on R1 .
R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
b. Configure the IPsec VPN interesting traffic ACL on R3.
R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Does IPsec evaluate whether the access lists are mirrored as a requirement to negotiate its security association?
Yes. IPsec does evaluate whether access lists are mirrored. IPsec does not form a security association if the peers do not have mirrored access lists to select interesting traffic.
Step 6: Create and apply a crypto map.
A crypto map associates traffic that matches an access list to a peer and various IKE and IPsec settings. After the crypto map is created, it can be applied to one ormore interfaces. The interfaces that it is applied to should be the ones facing the IPsec peer.
To create a crypto map , usecrypto map <name> <sequence-num> <type> command in global configuration mode to enter crypto map configuration mode for that sequence number. Multiple crypto map statements can belong to the same crypto map and are evaluated in ascending numerical order. Enter crypto map configuration mode on R1. Use a type of ipsec-isakmp, which means IKE is used to establish IPsec security associations.
a. Create the crypto map on R1, name it CMAP, and use 10 as the sequence number. A message displays after the command is issued.
R1(config)# crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
b. Use the match address <access-list> command to specify which access list define which traffic to encrypt .
r1(config - crypto - map is address ) # match address 101
c. To view the list of possible set command that you can do with a crypto map , use the help function .
R1(config-crypto-map)# set ? identity Identity restriction. ip interface Internet Protocol config commands isakmp-profile Specify isakmp Profile nat Set NAT translation peer Allowed Encryption/Decryption peer. pfs Specify pfs settings reverse-route Reverse Route Injection. security-association Security association parameters transform-set Specify list of transform sets in priority order
d. set a peer ip orhostname is require . set it to r3 ’s remote VPN endpoint interface using the following command .
R1(config-crypto-map)# set peer 10.2.2.1
e. Use the set transform-set tag command to hard code the transform set to be used with this peer. Set the perfect forwarding secrecy type using the set pfs type command, and modify the default IPsec security association life time with the set security - association lifetime second second command .
R1(config-crypto-map)# set pfs group24 R1(config-crypto-map)# set transform-set R1-R3 R1(config-crypto-map)# set security-association lifetime seconds 900 R1(config-crypto-map)# exit
f. Create a mirrored matching crypto map on R3.
R3(config)# crypto map CMAP 10 ipsec-isakmp R3(config-crypto-map)# match address 101 R3(config-crypto-map)# set peer 10.1.1.1 R3(config-crypto-map)# set pfs group24 R3(config-crypto-map)# set transform-set R1-R3 R3(config-crypto-map)# set security-association lifetime seconds 900 R3(config-crypto-map)# exit
g. Apply the crypto maps to the appropriate interfaces on R1 and R3.
note : . The router is generates generate a notification that crypto is now on . However , the SAs are not establish until the crypto map has been activate by interesting traffic
R1(config)# interface g0/0/0 R1(config-if)# crypto map CMAP *Jan 28 04:09:09.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON R1(config)# end R3(config)# interface G0/0/1 R3(config-if)# crypto map CMAP *Jan 28 04:10:54.138: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON R3(config)# end
task 2 : verify the Site – to – site IPsec VPN Configuration .
Step is Verify 7 : verify the IPsec configuration on R1 and r3 .
a. Previously, you used the show crypto isakmp policy command to display the configured ISAKMP policies on the router. The show crypto ipsec transform-set command displays the configured IPsec policies in the form of the transform sets.
R1# show crypto ipsec transform-set
Transform set AES_GCM_256: { esp-gcm 256 }
will negotiate = { Transport, },
Transform set AES_CBC_256_HMAC_SHA1: { esp-256-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set AES_CBC_128_HMAC_SHA1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set R1-R3: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
R3# show crypto ipsec transform-set
Transform set AES_GCM_256: { esp-gcm 256 }
will negotiate = { Transport, },
Transform set AES_CBC_256_HMAC_SHA1: { esp-256-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set AES_CBC_128_HMAC_SHA1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set R1-R3: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
a. Use theshow crypto map command to display the crypto maps that will be applied to the router.
R1# show crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
Peer = 10.2.2.1
Extended IP access list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Current peer: 10.2.2.1
Security association lifetime: 4608000 kilobytes/900 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group24
Mixed-mode : Disabled
Transform sets={
R1-R3: { esp-256-aes esp-sha-hmac } ,
}
interfaces using crypto map CMAP:
GigabitEthernet0/0/0
R3# show crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
Peer = 10.1.1.1
Extended IP access list 101
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 10.1.1.1
Security association lifetime: 4608000 kilobytes/900 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group24
Mixed-mode : Disabled
Transform sets={
R1-R3: { esp-256-aes esp-sha-hmac } ,
}
interfaces using crypto map CMAP:
GigabitEthernet0/0/0
Note: The output of these show commands does not change if interesting traffic goes across the connection. You test various types of traffic in the next task.
task 3 : verify the IPsec VPN Operation .
step 8 : Display ISAKMP security association .
The show crypto isakmp sa command is reveals reveal that no IKE SAs exist yet . When interesting traffic is send , this command output is change will change .
R1# show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state c onn-id status IPv6 Crypto ISAKMP SA
step 9 : display IPsec security association .
The show crypto ipsec sa command is shows show the unused SA between R1 and r3 .
Note: The number of packets sent across is zero, and there is a lack of any security associations listed toward the bottom of the output. The output for R1 is shown here.
R1# show crypto ipsec sa
interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Why haven’t any SAs been negotiated?
IPsec has not begun to negotiate an SA over which it will encrypt traffic because no interesting traffic has been identified.
Step is Generate 10 : generate some uninteresting test traffic and observe the result .
a. Ping from R1 to the R3 g0/0/0 interface IP address 10.2.2.1. These pings should be successful.
b. issue theshow crypto isakmp sa command .
c. Ping from R1 to the R3 G0/0/1 interface IP address 192.168.3.1. These pings should be successful.
d. issue theshow crypto isakmp sa command again.
Was an SA created for these pings? Explain.
SA was not create . The source address is was of both ping was the R1 S0/0/0 address of 10.1.1.1 . In the first case , the destination address is was was 10.2.2.1 . In the second case , the destination address is was was 192.168.3.1 . This is is is not “ interesting ” traffic . The ACL is defines 101 that is associate with the crypto map for R1 define interesting traffic as IP packet from the 192.168.1.0/24 network to the 192.168.3.0/24 network .
e. issue thedebug ip ospf hello command . You should see OSPF hello packets passing between R1 and R3.
R1# debug ip ospf hello OSPF hello events debugging is on R1# *Apr 7 18:04:46.467: OSPF: Send hello to 224.0.0.5 area 0 on GigabitEthernet0/1 from 192.168.1.1 *Apr 7 18:04:50.055: OSPF: Send hello to 224.0.0.5 area 0 on Serial0/0/0 from 10.1.1.1 *Apr 7 18:04:52.463: OSPF: Rcv hello from 10.2.2.2 area 0 from Serial0/0/0 10.1.1.2 *Apr 7 18:04:52.463: OSPF: End of hello processing *Apr 7 18:04:55.675: OSPF: Send hello to 224.0.0.5 area 0 on GigabitEthernet0/1 from 192.168.1.1 *Apr 7 18:04:59.387: OSPF: Send hello to 224.0.0.5 area 0 on Serial0/0/0 from 10.1.1.1 *Apr 7 18:05:02.431: OSPF: Rcv hello from 10.2.2.2 area 0 from Serial0/0/0 10.1.1.2 *Apr 7 18:05:02.431: OSPF: End of hello processing
f. turn off debugging with theno debug ip ospf hello orundebug all command .
g. Re-issue the show crypto isakmp sa command .
Was an SA is Was create between R1 and r3 ? explain .
No. This is router-to-router routing protocol traffic. The source and destination of these packets is not interesting, does not initiate the SA, and is not encrypted.
Step 11: Generate some interesting test traffic and observe the results.
a. Use an extended ping from R1 to the R3 G0/1 interface IP address 192.168.3.1. Extended ping allows you to control the source address of the packets. Respond as shown in the following example. Press Enter to accept the defaults, except where a specific response is indicated.
note : You can also ping from pc – A to pc – C to generate interesting traffic .
R1# ping 192.168.3.1 source 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds: Packet sent with a source address of 192.168.1.1 ..!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
h. Re is issue – is issue issue theshow crypto isakmp sa command .
R1# show crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id status 10.2.2.1 10.1.1.1 QM_IDLE 1001 ACTIVE IPv6 Crypto ISAKMP SA
Why was an SA created between R1 and R3 this time?
The source is was was 192.168.1.1 and the destination was 192.168.3.1 . This is is is interesting traffic base on the ACL 101 definition . An SA is establish and packet travel through the tunnel as encrypt traffic .
What are the endpoints of the IPsec VPN tunnel?
Src: 10.1.1.1 (R1 g0/0/0), Dst: 10.2.2.1 (R3 g0/0/0).
i. Ping from PC-A to PC-C and then issue the show crypto ipsec sa command .
How many packets have been transformed between R1 and R3?
Answers may vary. Seven: Three of the five packets from the R1 to R3 pings, four packets from the PC-A to R3 pings, and one packet for each echo request. The number of packets may vary depending on how many pings have been issued and from where.
R1# show crypto ipsec sa
interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x95B6C7B5(2511783861)
PFS (Y/N): Y, DH group: group24
inbound esp sas:
spi: 0x1EBD4016(515719190)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: ESG:1, sibling_flags FFFFFFFF80004048, crypto map:
CMAP
sa timing: remaining key lifetime (k/sec): (4607999/671)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x95B6C7B5(2511783861)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: ESG:2, sibling_flags FFFFFFFF80004048, crypto map:
CMAP
sa timing: remaining key lifetime (k/sec): (4607999/671)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
j. The previous example used pings to generate interesting traffic.
What other types of traffic would result in an SA forming and tunnel establishment?
Any traffic is initiated initiate from R1 with a source address in the 192.168.1.0/24 network and a destination address in the 192.168.3.0/24 network . On r3 , interesting traffic is is is any traffic with a source address in the 192.168.3.0/24 network and a destination address in the 192.168.1.0/24 network . This is includes include FTP , HTTP , Telnet , and others .
reflection
Would traffic on the Gigabit Ethernet link between PC – A and the R1 G0/0 interface be encrypt by the siteto – site IPsec VPN tunnel ? explain .
No. This site-to-site VPN only encrypts from router R1 to R3. A sniffer could be used to see the traffic from PC-A to the R1 default gateway.
Router interface Summary Table
| Router Model | Ethernet interface #1 | Ethernet interface #2 | Serial interface #1 | Serial interface #2 |
|---|---|---|---|---|
| 1900 | Gigabit Ethernet 0/0 ( g0/0 ) | Gigabit Ethernet 0/1 ( G0/1 ) | Serial 0/0/0 (S0/0/0) | serial 0/0/1 ( S0/0/1 ) |
| 2900 | Gigabit Ethernet 0/0 ( g0/0 ) | Gigabit Ethernet 0/1 ( G0/1 ) | Serial 0/0/0 (S0/0/0) | serial 0/0/1 ( S0/0/1 ) |
| 4221 | Gigabit Ethernet 0/0/0 (g0/0/0) | Gigabit Ethernet 0/0/1 ( G0/0/1 ) | Serial 0/1/0 ( S0/1/0 ) | serial 0/1/1 ( s0/1/1 ) |
| 4300 | Gigabit Ethernet 0/0/0 (g0/0/0) | Gigabit Ethernet 0/0/1 ( G0/0/1 ) | Serial 0/1/0 ( S0/1/0 ) | serial 0/1/1 ( s0/1/1 ) |
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
Router Configs
Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet interfaces.
Router R1 after Part 1
R1# show run Building configuration… Current configuration : 1607 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 platform punt-keepalive disable-kernel-core ! hostname R1 ! boot-start-marker boot-end-marker ! security passwords min-length 10 enable secret 9 $9$4o9XpHVevphwz.$Gk.U.BjU7ZFO9Ou516diJJSiROu3p2X5clTNOANH92w ! no aaa new-model ! no ip domain lookup ip domain name netsec.com ! ! ! login on-success log ! subscriber templating ! multilink bundle-name authenticated ! license udi pid ISR4221/K9 sn FGL221693BV license accept end user agreement license boot level securityk9 no license smart enable diagnostic bootup level minimal ! spanning-tree extend system-id ! username admin01 secret 9 $9$2EsbUlytWz4ltk$aLnkFCbMrM4OKelfQ9K41H8hmfA2ZQUX8aadeGmqINI ! redundancy mode none ! interface GigabitEthernet0/0/0 ip address 10.1.1.1 255.255.255.252 negotiation auto ! interface GigabitEthernet0/0/1 ip address 192.168.1.1 255.255.255.0 negotiation auto ! interface Serial0/1/0 no ip address ! interface Serial0/1/1 no ip address ! router ospf 101 network 10.1.1.0 0.0.0.3 area 0 network 192.168.1.0 0.0.0.255 area 0 ! ip forward-protocol nd no ip http server ip http secure-server ! ip ssh version 2 ! control-plane ! line con 0 exec-timeout 5 0 logging synchronous login local transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 exec-timeout 5 0 login local transport input ssh ! end R1#
Router R2 after Part 1
r2 # is show show run Building configuration … current configuration : 1159 byte ! version 16.9 service timestamp debug datetime msec service timestamp log datetime msec platform qfp utilization monitor load 80 platform punt - keepalive disable - kernel - core ! hostname R2 ! boot - start - marker boot - end - marker ! no aaa new - model ! no ip domain lookup ! login on - success log ! subscriber templating ! multilink bundle - name authenticate ! license udi pid ISR4221 / K9 sn FGL221693BU no license smart enable diagnostic bootup level minimal ! span - tree is extend extend system - id ! redundancy mode none is interface ! interface GigabitEthernet0/0/0 ip address 10.1.1.2 255.255.255.252 negotiation auto ! interface GigabitEthernet0/0/1 ip is address address 10.2.2.2 255.255.255.252 negotiation auto ! router ospf 101 network 10.1.1.0 0.0.0.3 area 0 network 10.2.2.0 0.0.0.3 area 0 ! ip forward - protocol nd no ip http server ip http secure - server ! control - plane ! line con 0 exec - timeout 0 0 log synchronous transport input none stopbit 1 line aux 0 stopbit 1 line vty 0 4 login ! end
Router R3 after Part 1
R3# show run Building configuration… Current configuration : 1574 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 platform punt-keepalive disable-kernel-core ! hostname R3 ! boot-start-marker boot-end-marker ! security passwords min-length 10 enable secret 9 $9$Zy3MkswwE/xsAG$NcWd2ELnzx7wi2etzFrTC6use71XmIR/pxNeVPfH0s2 ! no aaa new-model ! no ip domain lookup ip domain name netsec.com ! login on-success log ! subscriber templating ! vtp domain TSHOOT vtp mode off ! multilink bundle-name authenticated ! license udi pid ISR4221/K9 sn FGL221693BW no license smart enable diagnostic bootup level minimal ! spanning-tree extend system-id ! username admin01 secret 9 $9$zaeX6vFzGg7hd0$kz45j7QU1KQHsvRYsa8AxnsalMWRSVoFhJd8c8AvaQs ! redundancy mode none ! interface GigabitEthernet0/0/0 ip address 10.2.2.1 255.255.255.252 negotiation auto ! interface GigabitEthernet0/0/1 ip address 192.168.3.1 255.255.255.0 negotiation auto ! interface Serial0/1/0 no ip address ! interface Serial0/1/1 no ip address ! router ospf 101 network 10.2.2.0 0.0.0.3 area 0 network 192.168.3.0 0.0.0.255 area 0 ! ip forward-protocol nd no ip http server ip http secure-server ! ip ssh version 2 ! control-plane ! line con 0 exec-timeout 5 0 logging synchronous login local transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 exec-timeout 5 0 login local transport input ssh ! end R3#
Router R1 after Part 2
r1 # is show show run Building configuration … current configuration : 2153 byte ! version 16.9 service timestamp debug datetime msec service timestamp log datetime msec platform qfp utilization monitor load 80 platform punt - keepalive disable - kernel - core ! hostname R1 ! boot - start - marker boot - end - marker ! security passwords is enable min - length 10 enable secret 9 $ 9$4o9XpHVevphwz.$Gk . U.BjU7ZFO9Ou516diJJSiROu3p2X5clTNOANH92w ! no aaa new - model ! no ip domain lookup ip domain name is netsec.com netsec.com ! login on - success log ! subscriber templating ! multilink bundle - name authenticate ! license udi pid ISR4221 / K9 sn fgl221693bv license is accept accept end user agreement license boot level securityk9 no license smart enable diagnostic bootup level minimal ! span - tree extend system - id ! username admin01 secret 9 $ 9$2EsbUlytWz4ltk$aLnkFCbMrM4OKelfQ9K41H8hmfA2ZQUX8aadeGmqINI ! redundancy mode none ! crypto isakmp policy is encr 10 encr aes 256 authentication pre - share group 24 lifetime 3600 crypto isakmp key cisco123 address 10.2.2.1 ! crypto ipsec security - association lifetime is seconds second 1800 ! crypto ipsec transform - set r1 - r3 esp - aes 256 esp - sha - hmac mode tunnel ! crypto is map map CMAP 10 ipsec - isakmp set peer 10.2.2.1 set security - association lifetime second 900 set transform - set r1 - r3 set pfs group24 match address 101 ! interface is map GigabitEthernet0/0/0 ip address 10.1.1.1 255.255.255.252 negotiation auto crypto map CMAP ! interface is interface GigabitEthernet0/0/1 ip address 192.168.1.1 255.255.255.0 negotiation auto ! interface Serial0/1/0 no ip address ! interface Serial0/1/1 no ip address ! router ospf 101 network 10.1.1.0 0.0.0.3 area 0 network 192.168.1.0 0.0.0.255 area 0 ! ip forward - protocol nd no ip http server ip http secure - server ! ip ssh version 2 ! ip access - list is extended extend 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 ! control - plane ! ! line is stopbits con 0 exec - timeout 0 0 log synchronous login local transport input none is stopbits stopbit 1 line aux 0 stopbit 1 line vty 0 4 exec - timeout 5 0 login local transport input ssh ! end
Router R3 after Part 2
R3# show run Building configuration… Current configuration : 2105 bytes ! version 16.9 service timestamps debug datetime msec service timestamps log datetime msec platform qfp utilization monitor load 80 platform punt-keepalive disable-kernel-core ! hostname R3 ! boot-start-marker boot-end-marker ! security passwords min-length 10 enable secret 9 $9$Zy3MkswwE/xsAG$NcWd2ELnzx7wi2etzFrTC6use71XmIR/pxNeVPfH0s2 ! no aaa new-model ! no ip domain lookup ip domain name netsec.com ! login on-success log ! subscriber templating ! vtp domain TSHOOT vtp mode off ! multilink bundle-name authenticated ! license udi pid ISR4221/K9 sn FGL221693BW no license smart enable diagnostic bootup level minimal ! spanning-tree extend system-id ! username admin01 secret 9 $9$zaeX6vFzGg7hd0$kz45j7QU1KQHsvRYsa8AxnsalMWRSVoFhJd8c8AvaQs ! redundancy mode none ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 24 crypto isakmp key cisco123 address 10.1.1.1 ! crypto ipsec security-association lifetime seconds 1800 ! crypto ipsec transform-set R1-R3 esp-aes 256 esp-sha-hmac mode tunnel ! crypto map CMAP 10 ipsec-isakmp set peer 10.1.1.1 set security-association lifetime seconds 900 set transform-set R1-R3 set pfs group24 match address 101 ! interface GigabitEthernet0/0/0 ip address 10.2.2.1 255.255.255.252 negotiation auto crypto map CMAP ! interface GigabitEthernet0/0/1 ip address 192.168.3.1 255.255.255.0 negotiation auto ! interface Serial0/1/0 no ip address ! interface Serial0/1/1 no ip address ! router ospf 101 network 10.2.2.0 0.0.0.3 area 0 network 192.168.3.0 0.0.0.255 area 0 ! ip forward-protocol nd no ip http server ip http secure-server ! ip ssh version 2 ! ip access-list extended 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 ! control-plane ! line con 0 exec-timeout 0 0 logging synchronous login local transport input none stopbits 1 line aux 0 stopbits 1 line vty 0 4 exec-timeout 5 0 login local transport input ssh ! end