IPSec VPN
INTERNET PROTOCOL SECURITY
VIRTUAL PRIVATE NETWORK
June 2014
- Tilak Upadhyay
THE PING BOX .NET CCIE Security 4.0
IPSec VPN with RSA using NTP & CA Servers
CONFIGURATION:
STEP I: Configure NTP Server on R4 and NTP Client on R1 & R2
NTP SERVER (ROUTER R4)
Set the clock from privileged EXEC mode before enabling the CA (CA_Server is the hostname of R4). Certificate validity periods are stamped from this clock, so the time must be correct before any certificate is issued:
CA_Server# clock set 12:10:08 26 july 2014
ntp authentication-key 1 md5 ciscoNTP
ntp authenticate
ntp trusted-key 1
ntp master 2 (R4 serves time from its own clock and advertises itself as stratum 2)
VERIFICATION:
CA_Server# sh ntp status (should report the clock as synchronized at stratum 2)
CA_Server# sh ntp associations
NTP CLIENTS (ROUTER R1 & R2)
ntp authentication-key 1 md5 ciscoNTP
ntp authenticate
ntp trusted-key 1
ntp server 40.0.0.4 key 1 (with "ntp authenticate" and the trusted key in place, the client only synchronizes to replies from 40.0.0.4 that carry a valid key 1 MAC)
VERIFICATION:
R1# sh ntp status (should report the clock as synchronized at stratum 3, reference 40.0.0.4)
R1# sh ntp associations
STEP II: Configure CA Server on R4 and CA Client on Router R1 & R2
CA SERVER (ROUTER R4)
ip http server (SCEP enrollment runs over HTTP, so the HTTP server must be enabled on the CA router)
crypto pki server IOS_CA
database archive pem password cisco123 (the CA key pair and certificate are archived in PEM form protected by this password)
grant auto (every enrollment request is signed without operator approval; acceptable in a lab only, since anyone who can reach the SCEP URL would otherwise obtain a certificate; in production grant requests manually with the "crypto pki server IOS_CA grant <req-id>" EXEC command)
lifetime certificate 300 (days)
lifetime ca-certificate 500 (days)
no shutdown
exit
VERIFICATION:
CA_Server# sh crypto pki server (Status and State should both read enabled; note the CA certificate fingerprint printed here, the clients compare it during authentication)
CA CLIENTS (ROUTER R1 & R2)
ip domain name Mabison.com (the RSA key pair is named hostname.domain, so a domain name must exist before generating the key)
crypto key generate rsa (generates the RSA key pair; give the size explicitly, e.g. "modulus 2048", since the interactive default on older IOS is 512 bits)
crypto pki trustpoint IOS_CA
usage ike
enrollment url http://40.0.0.4
subject-name CN=R1,C=IN (comma-separated DN; use CN=R2,C=IN on R2)
exit
crypto ca authenticate IOS_CA (downloads the CA certificate; IOS prints its fingerprint, compare it with the one shown by "sh crypto pki server" on R4 before answering yes)
crypto ca enroll IOS_CA (generates the certificate request and submits it over SCEP; with "grant auto" on R4 the router certificate is issued immediately. "crypto pki" is the newer spelling of "crypto ca" and both are accepted)
STEP III: Create IPSec VPN between Router R1 & R2 using "rsa-sig"
(The ISAKMP policy below keeps the lab's 3DES, MD5 and DH group 2; they are legacy algorithms, so outside a lab use AES, SHA-2 and DH group 14 or higher, with a matching policy on both peers. With "auth rsa-sig" each router signs IKE with the key certified in Step II, so no pre-shared key is configured.)
ROUTER R1
crypto isakmp policy 10
encr 3des
hash md5
group 2
auth rsa-sig
exit
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
crypto ipsec transform-set tset esp-3des esp-md5-hmac
exit
crypto map RSA_ENCRYPT 10 ipsec-isakmp
set peer 20.0.0.2 (R2's FastEthernet0/0 address)
set transform-set tset
match address 101
exit
interface FastEthernet0/0
crypto map RSA_ENCRYPT
exit
ROUTER R2
crypto isakmp policy 10
encr 3des
hash md5
group 2
auth rsa-sig
exit
access-list 101 permit ip host 2.2.2.2 host 1.1.1.1
crypto ipsec transform-set tset esp-3des esp-md5-hmac
exit
crypto map RSA_ENCRYPT 10 ipsec-isakmp
set peer 10.0.0.1 (R1's FastEthernet0/0 address)
set transform-set tset
match address 101
exit
interface FastEthernet0/0
crypto map RSA_ENCRYPT
exit
VERIFICATION:
R1# sh crypto isakmp sa (the SA is negotiated on demand, so first send interesting traffic, e.g. "R1# ping 2.2.2.2 source 1.1.1.1"; the entry for 20.0.0.2 should then show QM_IDLE)
R1# sh crypto ipsec sa (the #pkts encaps/decaps counters for the 1.1.1.1 to 2.2.2.2 flow should increase with each ping)
IPSec VPN with IKEv2 (pre-shared keys between R1 at 10.0.0.1 and R3 at 30.0.0.3, protecting traffic between hosts 1.1.1.1 and 3.3.3.3)
CONFIGURATION:
ON ROUTER R1
R1(config)#crypto ikev2 proposal prop1
R1(config-ikev2-proposal)# encryption 3des des (every algorithm listed is offered to the peer, so the weakest one listed can be the one negotiated; DES should not be offered at all)
R1(config-ikev2-proposal)# integrity md5 sha1
R1(config-ikev2-proposal)# group 2 5
R1(config-ikev2-proposal)# exit
R1(config)#crypto ikev2 policy pol1
R1(config-ikev2-policy)# proposal prop1
R1(config-ikev2-policy)# exit
R1(config)#crypto ikev2 keyring kr1
R1(config-ikev2-keyring)# peer site1
R1(config-ikev2-keyring-peer)# address 30.0.0.3
R1(config-ikev2-keyring-peer)# pre-shared-key local cisco1 (the key R1 uses to authenticate itself; it must equal the "remote" key configured on R3)
R1(config-ikev2-keyring-peer)# pre-shared-key remote cisco2 (the key R1 expects from R3; lab values, use long random keys in practice)
R1(config-ikev2-keyring-peer)# exit
R1(config-ikev2-keyring)# exit
R1(config)#crypto ikev2 profile prof1
R1(config-ikev2-profile)# match identity remote address 30.0.0.3 255.255.255.255
R1(config-ikev2-profile)# authentication remote pre-share
R1(config-ikev2-profile)# authentication local pre-share
R1(config-ikev2-profile)# keyring local kr1
R1(config-ikev2-profile)# exit
R1(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
R1(config)#crypto map abc 10 ipsec-isakmp
R1(config-crypto-map)# set peer 30.0.0.3
R1(config-crypto-map)# set transform-set tset
R1(config-crypto-map)# set ikev2-profile prof1
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# exit
R1(config)#int fa 1/0
R1(config-if)#crypto map abc
R1(config-if)#exit
ON ROUTER R3
R3(config)#crypto ikev2 proposal prop1
R3(config-ikev2-proposal)# encryption 3des des
R3(config-ikev2-proposal)# integrity md5 sha1
R3(config-ikev2-proposal)# group 2 5
R3(config-ikev2-proposal)# exit
R3(config)#crypto ikev2 policy pol1
R3(config-ikev2-policy)# proposal prop1
R3(config-ikev2-policy)# exit
R3(config)#crypto ikev2 keyring kr1
R3(config-ikev2-keyring)# peer site1
R3(config-ikev2-keyring-peer)# address 10.0.0.1
R3(config-ikev2-keyring-peer)# pre-shared-key local cisco2
R3(config-ikev2-keyring-peer)# pre-shared-key remote cisco1
R3(config-ikev2-keyring-peer)# exit
R3(config-ikev2-keyring)# exit
R3(config)#crypto ikev2 profile prof1
R3(config-ikev2-profile)# match identity remote address 10.0.0.1 255.255.255.255
R3(config-ikev2-profile)# authentication remote pre-share
R3(config-ikev2-profile)# authentication local pre-share
R3(config-ikev2-profile)# keyring local kr1
R3(config-ikev2-profile)# exit
R3(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#exit
R3(config)#access-list 101 permit ip host 3.3.3.3 host 1.1.1.1
R3(config)#crypto map abc 10 ipsec-isakmp
R3(config-crypto-map)# set peer 10.0.0.1
R3(config-crypto-map)# set transform-set tset
R3(config-crypto-map)# set ikev2-profile prof1
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# exit
R3(config)#int fa 1/0
R3(config-if)#crypto map abc
R3(config-if)#exit
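The settings in both sections above (the CA server, the RSA key generation, the NTP client, the ISAKMP policy, the transform set and the IKEv2 proposal and keyring) can be checked mechanically. The script below is an added example for this page, not code from the original lab or from Cisco: it reads IOS-style configuration text and flags legacy ciphers and hashes, small DH groups, an auto-granting CA, an RSA key generated without a modulus, an unauthenticated NTP source and short pre-shared keys. It runs against a sample assembled from the R1 and R4 commands listed above and against an assumed hardened variant; the AES/SHA-2/group 19 values and the 20-character key floor are the editor's choices, not anything the page specifies.

```python
"""Audit IOS IKE/IPsec configuration text for weak or risky settings.

Added example for this page, not code from the original lab or from Cisco.
Input is IOS-style config (top-level command, indented sub-commands); output
is one finding per setting a reviewer would flag. Standard library only.
"""
from typing import List, Tuple

# Algorithm keywords as they appear in isakmp policy, ikev2 proposal and transform-set commands.
WEAK_ENCR = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "sha1", "esp-md5-hmac", "esp-sha-hmac"}
WEAK_DH = {"1", "2", "5"}
MIN_PSK_LEN = 20  # assumed local policy, not an IOS limit


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split config text into (top-level command, [indented sub-commands]) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per weak or risky setting; an empty list means clean."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    ntp_auth = any(head == "ntp authenticate" for head, _ in blocks)
    for head, body in blocks:
        words = head.split()
        if head.startswith(("crypto isakmp policy", "crypto ikev2 proposal")):
            for line in body:
                kw, *args = line.split()
                if kw in ("encr", "encryption"):
                    findings += [f"{head}: weak cipher {a}" for a in args if a in WEAK_ENCR]
                elif kw in ("hash", "integrity"):
                    findings += [f"{head}: weak integrity {a}" for a in args if a in WEAK_HASH]
                elif kw == "group":
                    findings += [f"{head}: weak DH group {a}" for a in args if a in WEAK_DH]
        elif head.startswith("crypto ipsec transform-set"):
            # words[4:] are the transforms after "crypto ipsec transform-set NAME"
            findings += [f"{head}: weak transform {a}" for a in words[4:]
                         if a in WEAK_ENCR or a in WEAK_HASH]
        elif head.startswith("crypto pki server") and "grant auto" in body:
            findings.append(f"{head}: grant auto signs every request that reaches the SCEP URL")
        elif head.startswith("crypto key generate rsa") and "modulus" not in words:
            findings.append(f"{head}: no modulus given; older IOS defaults to 512 bits")
        elif head.startswith("ntp server") and ("key" not in words or not ntp_auth):
            findings.append(f"{head}: unauthenticated NTP; certificate validity depends on this clock")
        elif head.startswith("crypto ikev2 keyring"):
            for line in body:
                if line.startswith("pre-shared-key") and len(line.split()[-1]) < MIN_PSK_LEN:
                    findings.append(f"{head}: pre-shared key shorter than {MIN_PSK_LEN} characters")
    return findings


# Constructed from the R1 and R4 commands on this page, indented the way IOS shows them.
LAB_CONFIG = """\
ntp authenticate
ntp server 40.0.0.4 key 1
crypto key generate rsa
crypto pki server IOS_CA
 grant auto
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set tset esp-3des esp-md5-hmac
crypto ikev2 proposal prop1
 encryption 3des des
 integrity md5 sha1
 group 2 5
crypto ikev2 keyring kr1
 peer site1
  pre-shared-key local cisco1
  pre-shared-key remote cisco2
"""

# The same objects with assumed hardened values; audit() returns nothing for it.
HARDENED_CONFIG = """\
crypto key generate rsa modulus 2048
crypto ipsec transform-set tset esp-aes 256 esp-sha256-hmac
crypto ikev2 proposal prop1
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 keyring kr1
 peer site1
  pre-shared-key Lab-R1-to-R3-9f2c1e7a4b8d
"""
```

Call audit() on the text of "show running-config" (or on a command listing such as the one above); the lab sample produces fifteen findings, the hardened sample none. The parser only recognizes the command families the page uses, so extend WEAK_* and the elif chain before relying on it for a full device review.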
RESULT: (Status READY means the IKEv2 SA is established. "Hash: MD596" is the IOS label for HMAC-MD5-96, and the Encr/Hash/DH Grp line shows which of the several algorithms offered in prop1 was actually negotiated; "Auth sign: PSK, Auth verify: PSK" confirms pre-shared-key authentication in both directions.)
ON ROUTER R1
R1#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.0.1/500 30.0.0.3/500 none/none READY
Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/164 sec
IPv6 Crypto IKEv2 SA
ON ROUTER R3
R3#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 30.0.0.3/500 10.0.0.1/500 none/none READY
Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/36 sec
IPv6 Crypto IKEv2 SA
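Because the proposal offers several algorithms, the SA that comes up can differ from the one you had in mind, so the operational check is to read what was negotiated rather than what was configured. The script below is an added example for this page, not code from the original lab or from Cisco: it parses "show crypto ikev2 sa" text into fields and compares the negotiated cipher, integrity algorithm, DH group, peer and authentication method against an allowlist. The sample output is reconstructed from the R1 result above; the allowlist values are an assumed policy.

```python
"""Parse "show crypto ikev2 sa" output and check what was actually negotiated.

Added example for this page, not code from the original lab or from Cisco.
The sample output is constructed from the R1 result shown above; the allowlist
values are an assumed policy. Standard library only.
"""
import re
from dataclasses import dataclass
from typing import List

# Tunnel line: "1  10.0.0.1/500  30.0.0.3/500  none/none  READY" (port 4500 when NAT-T is in use)
SA_LINE = re.compile(
    r"^\s*(?P<tid>\d+)\s+(?P<local>[\d.]+)/\d+\s+(?P<remote>[\d.]+)/\d+"
    r"\s+\S+/\S+\s+(?P<status>\S+)\s*$"
)
# Detail fields are matched one by one so extra fields (keysize, PRF) in newer
# IOS output do not break the parse.
FIELDS = {
    "encr": re.compile(r"Encr:\s*([^,]+)"),
    "integrity": re.compile(r"Hash:\s*([^,\s]+)"),
    "dh": re.compile(r"DH Grp:\s*(\d+)"),
    "auth_sign": re.compile(r"Auth sign:\s*([^,\s]+)"),
    "auth_verify": re.compile(r"Auth verify:\s*([^,\s]+)"),
}
LIFE_LINE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")


@dataclass
class Ikev2Sa:
    tunnel_id: int
    local: str
    remote: str
    status: str
    encr: str = ""
    integrity: str = ""
    dh: int = 0
    auth_sign: str = ""
    auth_verify: str = ""
    life: int = 0
    active: int = 0


def parse_ikev2_sa(text: str) -> List[Ikev2Sa]:
    """One Ikev2Sa per tunnel line; the indented detail lines attach to the last entry."""
    sas: List[Ikev2Sa] = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            sas.append(Ikev2Sa(int(m["tid"]), m["local"], m["remote"], m["status"]))
        elif sas and "Encr:" in line:
            for name, rx in FIELDS.items():
                f = rx.search(line)
                if f:
                    setattr(sas[-1], name, int(f[1]) if name == "dh" else f[1].strip())
        else:
            f = LIFE_LINE.search(line)
            if sas and f:
                sas[-1].life, sas[-1].active = int(f[1]), int(f[2])
    return sas


ALLOWED_ENCR = {"AES-CBC", "AES-GCM"}  # assumed policy
ALLOWED_INTEGRITY = {"SHA256", "SHA384", "SHA512"}
MIN_DH_GROUP = 14


def check_sa(sa: Ikev2Sa, expected_remote: str, expected_auth: str) -> List[str]:
    """Return the reasons this SA fails policy; an empty list means it passes."""
    issues: List[str] = []
    if sa.status != "READY":
        issues.append(f"status {sa.status}, tunnel not established")
    if sa.remote != expected_remote:
        issues.append(f"unexpected peer {sa.remote}")
    if sa.encr not in ALLOWED_ENCR:
        issues.append(f"encryption {sa.encr} not allowed")
    if sa.integrity not in ALLOWED_INTEGRITY:
        issues.append(f"integrity {sa.integrity} not allowed")
    if sa.dh < MIN_DH_GROUP:
        issues.append(f"DH group {sa.dh} below {MIN_DH_GROUP}")
    if (sa.auth_sign, sa.auth_verify) != (expected_auth, expected_auth):
        issues.append(f"auth {sa.auth_sign}/{sa.auth_verify}, expected {expected_auth}")
    return issues


# Constructed from the R1 output in the RESULT section above.
R1_OUTPUT = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.0.0.1/500          30.0.0.3/500          none/none            READY
      Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/164 sec

 IPv6 Crypto IKEv2  SA
"""
```

For the lab SA, check_sa(parse_ikev2_sa(R1_OUTPUT)[0], "30.0.0.3", "PSK") reports the three algorithm findings (3DES, MD596, group 2) and nothing else, which is the expected state for this lab; in a deployment the same call run from a monitoring job also catches a tunnel that came up with the wrong peer or with pre-shared keys where certificates were intended.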
