Configure and Verify a Site-to-Site IPsec VPN using CLI

Author: admin   Posted: 2010-11-11   Comments: 0   Views: 5,668+

Instructor Version

Topology Diagram

[Diagram not reproduced in this copy. R1 and R3 are connected through R2, with one LAN on each router as listed in the Addressing Table.]

Addressing Table

Device  Interface  IP Address    Subnet Mask
R1      Fa0/0      192.168.1.1   255.255.255.0
R1      S0/0/0     10.1.1.2      255.255.255.252
R2      S0/0/0     10.1.1.1      255.255.255.252
R2      Fa0/0      192.168.2.1   255.255.255.0
R2      S0/0/1     10.2.2.1      255.255.255.252
R3      S0/0/1     10.2.2.2      255.255.255.252
R3      Fa0/0      192.168.3.1   255.255.255.0
PC-A    NIC        192.168.1.3   255.255.255.0
PC-B    NIC        192.168.2.3   255.255.255.0
PC-C    NIC        192.168.3.3   255.255.255.0

Learning Objectives

Verify connectivity throughout the network.

Configure routers R1 and R3 to support a site-to-site IPsec VPN between their LANs.

Introduction

The network topology shows three routers. Your task is to configure routers R1 and R3 to support a site-to-site IPsec VPN for traffic that flows between their respective LANs. The IPsec VPN tunnel runs from router R1 to router R3 via R2. R2 acts as a pass-through and has no knowledge of the VPN: it simply routes between the two serial subnets. (In a real deployment, anything between the peers must let ISAKMP, UDP port 500, and ESP, IP protocol 50, through.) IPsec provides secure transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers), such as Cisco routers.

ISAKMP Phase 1 Policy Parameters

Parameter                Options                  R1          R3
Key distribution method  Manual or ISAKMP         ISAKMP      ISAKMP
Encryption algorithm     DES, 3DES, or AES        AES         AES
Hash algorithm           MD5 or SHA-1             SHA-1       SHA-1
Authentication method    Pre-shared keys or RSA   pre-share   pre-share
Key exchange             DH Group 1, 2, or 5      DH 2        DH 2
IKE SA lifetime          86400 seconds or less    86400       86400
ISAKMP key                                        vpnpa55     vpnpa55

Note: In the original lab the IOS defaults are printed in bold, which this copy has lost. The defaults are DES encryption, SHA-1 hash, RSA signatures, DH group 1 and an 86400-second lifetime. Only parameters that differ from the defaults have to be explicitly configured, so here that is the encryption algorithm (AES), the authentication method (pre-share) and the DH group (2); the SHA-1 hash and the lifetime are left at their defaults.

IPsec Phase 2 Policy Parameters

Parameter                R1               R3
Transform set            VPN-SET          VPN-SET
Peer hostname            R3               R1
Peer IP address          10.2.2.2         10.1.1.2
Network to be encrypted  192.168.1.0/24   192.168.3.0/24
Crypto map name          VPN-MAP          VPN-MAP
SA establishment         ipsec-isakmp     ipsec-isakmp

The routers have been pre-configured with the following:

Password for console line: ciscoconpa55

Password for vty lines: ciscovtypa55

Enable password: ciscoenpa55

RIP version 2

Task 1: Configure IPsec parameters on R1

Step 1. Test connectivity.

Ping from PC-A to PC-C. The ping must succeed before any crypto is configured: RIP version 2 is already running, so end-to-end reachability is expected, and a crypto map will not hide a routing problem.

Step 2. Identify interesting traffic on R1.

Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting. This interesting traffic will trigger the IPsec VPN whenever there is traffic between the R1 and R3 LANs. All other traffic sourced from the LANs will not be encrypted. Remember that due to the implicit deny all, there is no need to configure a deny any any statement. The crypto ACL also defines the proxy identities negotiated in Phase 2, so the ACL on R3 must be its exact mirror image.

R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Step 3. Configure the ISAKMP Phase 1 properties on R1.

Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key vpnpa55. Refer to the ISAKMP Phase 1 table for the specific parameters to configure. Default values do not have to be configured, therefore only the encryption algorithm, the authentication method and the DH group must be set. The pre-shared key is bound to the peer's address (10.2.2.2) and must be identical on R3; vpnpa55 is a lab value only, a production pre-shared key should be long and random, or replaced by certificate (rsa-sig) authentication.

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp key vpnpa55 address 10.2.2.2

Step 4. Configure the ISAKMP Phase 2 properties on R1.

Create the transform set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together: the peer, the transform set and the crypto ACL. Use sequence number 10 and identify it as an ipsec-isakmp map, meaning the IPsec SAs are negotiated through IKE rather than keyed manually. Note that the lab pairs AES for Phase 1 with 3DES and SHA-1 for Phase 2; that is what the activity grades, but both 3DES and SHA-1 are deprecated, and on production equipment you would use an AES transform with a SHA-2 HMAC (for example esp-aes 256 esp-sha256-hmac on IOS releases that support it), a DH group of 14 or higher and, where available, IKEv2.

R1(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

Step 5. Configure the crypto map on the outgoing interface.

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface. Applying the map is what actually arms the VPN: without it the policy exists but no traffic is ever matched. Note: This is not graded.

R1(config)# interface S0/0/0
R1(config-if)# crypto map VPN-MAP

Task 2: Configure IPsec Parameters on R3

Step 1. Configure router R3 to support a site-to-site VPN with R1.

Now configure the reciprocating parameters on R3. Configure ACL 110 identifying the traffic from the LAN on R3 to the LAN on R1 as interesting; it is the mirror image of ACL 110 on R1.

R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 2. Configure the ISAKMP Phase 1 properties on R3.

Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key vpnpa55.

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# exit
R3(config)# crypto isakmp key vpnpa55 address 10.1.1.2

Step 3. Configure the ISAKMP Phase 2 properties on R3.

Like you did on R1, create the transform set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.

R3(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.1.1.2
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit

Step 4. Configure the crypto map on the outgoing interface.

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface. Note: This is not graded.

R3(config)# interface S0/0/1
R3(config-if)# crypto map VPN-MAP
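The two routers must be configured as exact mirror images, and most failed attempts at Tasks 1 and 2 come down to one side not matching the other: the peer address, the pre-shared key, a Phase 1 parameter, the transform set, or a crypto ACL that is not the reverse of its partner. The Python script below is an added example and not part of the original lab. It renders the R1 and R3 configurations from the Task 1 and Task 2 commands (plus the serial addresses from the Addressing Table), parses both, and reports every mismatch; the parser, the checks and the deliberately wrong R3 ACL are this example's own assumptions.

```python
"""Mirror-check the two ends of an IPsec crypto-map VPN (added example, not
part of the original lab). Both router configs are rendered from the Task 1
and Task 2 commands plus the serial addresses in the Addressing Table; the
parser, the checks and the deliberately broken R3 variant are assumptions
of this example."""

# Classic IOS 'crypto isakmp policy' defaults; unset parameters fall back to these.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

SIDE_TEMPLATE = """
interface {intf}
 ip address {ip} 255.255.255.252
 crypto map VPN-MAP
access-list 110 permit ip {lan} 0.0.0.255 {remote_lan} 0.0.0.255
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key vpnpa55 address {peer}
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer {peer}
 set transform-set VPN-SET
 match address 110
"""
R1_CONFIG = SIDE_TEMPLATE.format(intf="Serial0/0/0", ip="10.1.1.2", lan="192.168.1.0",
                                 remote_lan="192.168.3.0", peer="10.2.2.2")
R3_CONFIG = SIDE_TEMPLATE.format(intf="Serial0/0/1", ip="10.2.2.2", lan="192.168.3.0",
                                 remote_lan="192.168.1.0", peer="10.1.1.2")
# Constructed mistake: R3's crypto ACL names R2's LAN instead of R1's.
R3_WRONG_ACL = R3_CONFIG.replace("192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255")


def parse_side(text):
    """Pull the crypto-map VPN pieces out of one router's configuration text."""
    cfg = {"interfaces": {}, "acls": {}, "isakmp": dict(ISAKMP_DEFAULTS),
           "keys": {}, "transform_sets": {}, "crypto_maps": {}}
    ctx = None  # current sub-mode: ("interface", name), ("isakmp",) or ("map", name)
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "interface":
            ctx = ("interface", p[1])
            cfg["interfaces"][p[1]] = {}
        elif p[0] == "access-list":  # access-list N permit ip SRC WILD DST WILD
            cfg["acls"].setdefault(p[1], []).append(tuple(p[4:8]))
        elif p[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("isakmp",)
        elif p[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key KEY address PEER
            cfg["keys"][p[5]] = p[3]
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][p[3]] = sorted(p[4:])
        elif p[:2] == ["crypto", "map"] and len(p) >= 5:  # crypto map NAME SEQ ipsec-isakmp
            ctx = ("map", p[2])
            cfg["crypto_maps"][p[2]] = {}
        elif ctx and ctx[0] == "interface" and p[:2] == ["ip", "address"]:
            cfg["interfaces"][ctx[1]]["ip"] = p[2]
        elif ctx and ctx[0] == "interface" and p[:2] == ["crypto", "map"]:
            cfg["interfaces"][ctx[1]]["crypto_map"] = p[2]
        elif ctx and ctx[0] == "isakmp":
            cfg["isakmp"][p[0]] = " ".join(p[1:])
        elif ctx and ctx[0] == "map" and p[0] in ("set", "match"):
            cfg["crypto_maps"][ctx[1]][p[1]] = p[2]  # keys: peer, transform-set, address
    return cfg


def endpoint(cfg):
    """Return (local address, crypto-map entry) for the interface the map is bound to."""
    for intf in cfg["interfaces"].values():
        if "crypto_map" in intf:
            return intf["ip"], cfg["crypto_maps"][intf["crypto_map"]]
    raise ValueError("no interface has a crypto map applied")


def check_pair(a, b):
    """List the mismatches between two parsed sides; an empty list means consistent."""
    a_ip, a_map = endpoint(a)
    b_ip, b_map = endpoint(b)
    problems = []
    if a_map.get("peer") != b_ip or b_map.get("peer") != a_ip:
        problems.append("set peer does not match the other side's crypto-map interface")
    if not a["keys"].get(b_ip) or a["keys"].get(b_ip) != b["keys"].get(a_ip):
        problems.append("pre-shared key missing for the peer or not identical on both sides")
    for param in ISAKMP_DEFAULTS:
        if a["isakmp"].get(param) != b["isakmp"].get(param):
            problems.append(f"ISAKMP {param} differs (Phase 1 will not complete)")
    if a["transform_sets"].get(a_map.get("transform-set")) != b["transform_sets"].get(b_map.get("transform-set")):
        problems.append("transform sets differ (Phase 2 proposal mismatch)")
    acl_a = sorted(a["acls"].get(a_map.get("address"), []))
    acl_b_mirror = sorted((d, dw, s, sw) for s, sw, d, dw in b["acls"].get(b_map.get("address"), []))
    if acl_a != acl_b_mirror:
        problems.append("crypto ACLs are not mirror images (Phase 2 proxy identity mismatch)")
    return problems


if __name__ == "__main__":
    print("R1 <-> R3:", check_pair(parse_side(R1_CONFIG), parse_side(R3_CONFIG)) or "consistent")
    print("R1 <-> R3 with wrong ACL:", check_pair(parse_side(R1_CONFIG), parse_side(R3_WRONG_ACL)))
```

The checker compares effective rather than typed values: a parameter that one side leaves at the IOS default and the other sets explicitly to something else is still reported, which is exactly the kind of mismatch that produces a Phase 1 failure with no obvious error on the console. Feeding it the output of show running-config from real routers only needs the ACL parser extended for the host and any keywords, which this lab does not use.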

Task 3: Verify the IPsec VPN

Step 1. Verify the tunnel prior to interesting traffic.

Issue the show crypto ipsec sa command on R1. Notice that the number of packets encapsulated, encrypted, decapsulated and decrypted are all 0. show crypto isakmp sa shows no IKE SA either: with a crypto map, nothing is negotiated until a packet matches the crypto ACL.

Step 2. Create interesting traffic.

From PC-A, ping PC-C.

Step 3. Verify the tunnel after interesting traffic.

On R1, re-issue the show crypto ipsec sa command. Now notice that the number of packets is more than 0, indicating that the IPsec VPN tunnel is working. It is normal for the first echo request of the series to time out: that packet triggers the IKE negotiation and is dropped while the SAs are being built. show crypto isakmp sa should now list 10.2.2.2 as the peer in state QM_IDLE, the steady state of a completed Phase 1.

Step 4. Create uninteresting traffic.

From PC-A, ping PC-B.

Step 5. Verify the tunnel.

On R1, re-issue the show crypto ipsec sa command. Finally, notice that the number of packets has not changed, verifying that uninteresting traffic is not encrypted.
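The three show crypto ipsec sa readings in Steps 1, 3 and 5 can be turned into an automatic check rather than a comparison by eye. The script below is an added example and not part of the original lab: it parses constructed excerpts shaped like R1's output, confirms that the SA covers the right LAN pair and peer, and classifies what happened between two readings, including the one-way case (encaps rising while decaps stays at 0) that the lab text does not cover. The snapshot template, the counter values and the verdict rules are assumptions of this example.

```python
"""Read 'show crypto ipsec sa' counters the way Task 3 does by eye (added
example, not part of the original lab). The snapshots are constructed to
look like R1's output; the parser and the verdict rules are assumptions of
this example."""
import re

SA_TEMPLATE = """\
interface: Serial0/0/0
    Crypto map tag: VPN-MAP, local addr 10.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.2 port 500
     PERMIT, flags={{origin_is_acl,}}
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
    #send errors {send_err}, #recv errors 0
"""

FIELDS = {  # one regex per value we care about
    "local_net": r"local\s+ident \(addr/mask/prot/port\): \((\S+?)/",
    "remote_net": r"remote ident \(addr/mask/prot/port\): \((\S+?)/",
    "peer": r"current_peer (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
}


def snapshot(encaps, decaps, send_err=0):
    """Render a constructed 'show crypto ipsec sa' excerpt with the given counters."""
    return SA_TEMPLATE.format(encaps=encaps, decaps=decaps, send_err=send_err)


def parse_sa(text):
    """Extract the identities, the peer and the packet counters of one IPsec SA."""
    sa = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"{name} not found; is there an SA for this crypto map at all?")
        sa[name] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return sa


def identities_ok(sa, local_lan, remote_lan, peer):
    """The SA must cover exactly the LAN pair from the crypto ACL, towards the right peer."""
    return (sa["local_net"], sa["remote_net"], sa["peer"]) == (local_lan, remote_lan, peer)


def verdict(before, after):
    """Compare two snapshots taken around one test ping.

    protected    : packets were encrypted going out and decrypted coming back
    one-way      : we encrypted but never decrypted a reply; the far side is not
                   sending through the tunnel (its crypto ACL or routing is off)
    inbound only : replies arrived encrypted although we sent nothing through it
    not matched  : nothing changed, the traffic never hit the crypto ACL
    reset        : a counter went down, the SA was cleared between snapshots
    """
    sent = after["encaps"] - before["encaps"]
    received = after["decaps"] - before["decaps"]
    if sent < 0 or received < 0:
        return "reset"
    if sent > 0 and received > 0:
        return "protected"
    if sent > 0:
        return "one-way"
    return "inbound only" if received > 0 else "not matched"


if __name__ == "__main__":
    before = parse_sa(snapshot(0, 0))           # Step 1: before any interesting traffic
    after_pc_c = parse_sa(snapshot(4, 3, 1))    # Step 3: ping PC-C (constructed counts:
                                                # first echo dropped while IKE negotiated)
    after_pc_b = parse_sa(snapshot(4, 3, 1))    # Step 5: ping PC-B, nothing matched the ACL
    print(identities_ok(before, "192.168.1.0", "192.168.3.0", "10.2.2.2"))
    print(verdict(before, after_pc_c), "/", verdict(after_pc_c, after_pc_b))
```

The identity check matters as much as the counters: an SA whose local or remote ident is not the LAN pair from ACL 110 means the crypto ACL was typed wrong, and traffic may be encrypted for the wrong networks while the counters still climb.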

Step 6. Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
