Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)

Implementation of IPsec VPN on Cisco Routers and implementing it on ISP
1
1. INTRODUCTION
1.0 Introduction to TCP and IP concepts:
TCP and IP were developed by a Department of Defence (DOD) research
project to connect a number different networks designed by different vendors
into a network of networks (the "Internet"). It was initially successful because it
delivered a few basic services that everyone needs (file transfer, electronic mail,
remote logon) across a very large number of client and server systems. Several
computers in a small department can use TCP/IP (along with other protocols) on
a single LAN. The IP component provides routing from the department to the
enterprise network, then to regional networks, and finally to the global Internet.
On the battlefield a communications network will sustain damage, so the DOD
designed TCP/IP to be robust and automatically recover from any node or
phone line failure. This design allows the construction of very large networks
with less central management. However, because of the automatic recovery,
network problems can go undiagnosed and uncorrected for long periods of time.
As with all other communications protocol, TCP/IP is composed oflayers:
 IP - is responsible for moving packet of data from node to node. IP
forwards each packet based on a four byte destination address (the IP
number). The Internet authorities assign ranges of numbers to different
organizations. The organizations assign groups of their numbers to
departments. IP operates on gateway machines that move data from
department to organization to region and then around the world.
 TCP - is responsible for verifying the correct delivery of data from client
to server. Data can be lost in the intermediate network. TCP adds support
to detect errors or lost data and to trigger retransmission until the data is
correctly and completely received
 Sockets - is a name given to the package of subroutines that provide
access to TCP/IP on most system.
1.1EXISTING SYSTEM:
There is no standard for what constitutes a VPN. VPNs can be
implemented using a number of different technologies, each of which
have their own strengths and weaknesses. This section presents a

2
scenario, and the strategies used for implementing a VPN for this
scenario.
For Example: The Scenario: Two networks, one home based and
one corporate based. Both are connected to the Internet, and expected, via
this VPN to behave as one.
The premise is as follows:
 You have at least two sites
 Both sites are using IP internally
 Both sites are connected to the Internet, through a gateway that is
running FreeBSD.
 The gateway on each network has at least one public IP address.
 The internal addresses of the two networks can be public or private IP
addresses, it does not matter. They just may not collide; e.g.: may not
both use 192.168.1.x.
1.2 PROPOSED SYSTEM:
Internet Protocol Security (IPsec) is a protocol suite for securing Internet
Protocol (IP) communications by authenticating and encrypting each IP
packet of a communication session. IPsec also includes protocols for
establishing mutual authentication between agents at the beginning of the
session and negotiation of cryptographic keys to be used during the session.
IPsec is an end-to-end security scheme operating in the Internet Layer of
the Internet Protocol Suite. It can be used in protecting data flows between a
pair of hosts (host-to-host), between a pair of security gateways (network-to-
network), or between a security gateway and a host (network-to-host).
Some other Internet security systems in widespread use, such as Secure Sockets
Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate
in the upperlayers of the TCP/IP model. In the past, the use of TLS/SSL had to
be designed into an application to protect the application protocols. In contrast,
since day one, applications did not need to be specifically designed to use IPsec.
Hence, IPsec protects any application traffic across an IP network.

3
1.3ARCHITECTURE:
1.3.1 TCP/IP INTERNETARCHITECTURE:
Fig 1.1 : Architecture of OSIand TCP/IP model
The Internet architecture is of a layered design, which makes testing and
future development of Internet protocols easy. The architecture and major
protocols of the Internet are controlled by the Internet Architecture Board
(IAB).
The Internet provides three sets of services. At the lowest level is a
connectionless delivery service (network layer) called the Internet protocol (IP).
The next level is the transport layer service. Multiple transport layer services
use the IP service. The highest level is the application layer services. Layering
of the services permits research and development on one without affecting the
others.The physical/link layer envelops the IP layer header and data. If the
physical layer is an Ethernet LAN, the IP layer places its message (datagram) in
the Ethernet (physical/link) frame data field. The transport layer places its

4
message (segment) in the IP data field. The application layer places its data in
the transport layer data field.
1.3.2 INTERNET PROTOCOL(IP)
The IP provides a connectionless delivery system that is unreliable and on a
best-effort basis. The IP specifies the basic unit of data transfer in a TCP/IP
internet as the datagram. Data grams may be delayed, lost, duplicated, delivered
out of sequence, or intentionally fragmented, to permit a node with limited
buffer space to handle the IP datagram. It is the responsibility of the IP to
reassemble any fragmented data grams. In some error situations, data grams are
silently discarded while in other situations, error messages are sent to the
originators (via the ICMP, a utility protocol.) The IP specifications also define
how to choose the initial path over which data will be sent, and defines a set of
rules governing the unreliable datagram service.
Fig 1.2: IP-datagram format.
1.3.2.1HeaderLength – 4 Bit field
The value represents the number of octets in the header divided by four,
which makes it the number of 4-octet groups in the header. The header length is
used as a pointer to the beginning of data. The header length is usually equal to
5, which defines the normal, 20-octet header without options. When options are
Destination address
Source address
Header checksum
Fragment offsetIdentification
Version Total lengthIHL Type of service
D
F
M
F
Time to live Protocol
32 Bits
Options (o or more words)

5
used, padding may be required to make the total size of the header an even
multiple of 4-octet groups. The range of value for the header length is 5 to 15.
1.3.2.2Version– 4 Bit field
All other values are reserved or unassigned. Although the range of values
is 0 to 15, the value used by IP is 4. By means of this field, different versions of
the IP could operate in the Internet.
1.3.2.2Type of Service – 8 Bit field
Specifies the precedence and priority of the IP datagram. Bits +5, +6, and
+7 make up the precedence field, with a range of 0 to 7. Zero is the normal
precedence and 7 is reserved for network control. Most gateways presently
ignore this field.
The four bits (+1, +2, +3, and +4) define the priority field, which has the
field range of 0 to 15. The four priorities presently assigned (the remaining 12
values are reserved) are: value 0 (the default, normal service), value 1
(minimize monetary cost), value 2 (maximize reliability), value 4 (maximize
throughput), and value 8 (bit+4 equal to one, defines minimize delay option).
These values are used by routers to select paths that accommodate the user’s
request.
Fig 1.3: Type-of-service field.
1.3.2.3TotalLength – 16 Bit field
The total length field is used to identify the number of octets in the entire
datagram. The field has 16 bits, and the range is between 0 and 65,535 octets.
Since the datagram typically is contained in an Ethernet frame, the size usually
will be less than 1,500 octets. Larger datagrams may be handled by some
0
PriorityPrecedence
27 26 25 24 23 22 21
20
7 6 5 4 3 2 1
msb Isb
0
Bit order of
transmission

6
intermediate networks of the Internet but are segmented if a gateway of a
network is unable to handle the larger size. IP specifications set a minimum size
of 576 octets that must be handled by routers without fragmentation. Larger
datagrams are subject to fragmentation.
1.3.2.4Identification – 16 Bit field
The value of the identification field is a sequential number assigned by
the originating host. The numbers cycle between 0 and 65,535 which when
combined with the originating host address makes it a unique number in the
Internet. The number is used to aid in the assembling of a fragmented datagram.
1.3.2.5FragmentOffset – 13 Bit field
When the size of a datagram exceeds the maximum of an intermediate
network, it is segmented by that network. The fragment offset represents the
displacement (in increments of eight octets) of this segment form the beginning
of the entire datagram. This is a 13-bit field and provides an offset to the proper
location of this fragmented segment within the original datagram. Since the
value represents groups of eight octets, the effective range of the offset is
between 0 and 8191 octets. The resulting fragments are treated as complete
datagrams, and remain that way until they reach the destination host where they
are reassembled into the original datagram. Each fragment has the same header
as the original header except for the fragment offset field, identification field,
and the flags fields. Since the resulting datagrams may arrive out of order, these
fields are used to assemble the collection of fragments into the original
datagram.
1.3.2.6Flags – 2 Bits
The flag field contains two flags. The low-order bit (MF) of the flags
fields is used to denote the last fragmented datagram when set to zero. That is,
intermediate (not-last) datagrams have the bit set equal to one to denote more
datagrams are to follow. The high-order bit (DF) of the flags field is set by an
originating host to prevent fragmentation of the datagram. When this bit is set
and the length of the datagram exceeds that of an intermediate network, the

7
datagram is discarded by the intermediate network and an error message
returned to the originating host via the ICMP.
1.3.2.7 Time to Live (TTL) – 8 Bit field
It represents a count set by the originator, which the datagram can exist in the
Internet before being discarded. Hence, a datagram may loop around an internet
for a maximum of 28 – 1 or 255 before being discarded. The current
recommended default TTL for the IP is 64. Since each gateway handling a
datagram decrements the TTL by a minimum of one, the TTL can also represent
a hop count. However, if the gateway holds the datagram for more than one
second, then it decrements the TTL by the number of seconds held. The
originator of the datagram is sent an error message via the ICMP when the
datagram is discarded.
1.3.2.8Protocol – 8 Bit field
The protocol field is used to identify the next higher layer protocol using the IP.
It will normally identify either the TCP (value equal to 6) or UDP (value equal
to 17) transport layer, but may identify up to 255 different transport layer
protocols. An upper layer protocol using the IP must have a unique protocol
number.
1.3.2.9Checksum– 16 Bit field
The checksum provides assurance that the header has not been corrupted during
transmission. The checksum includes all fields in the IP header, starting with the
version number and ending with the octet immediately preceding the IP data
field, which may be a pad field if the option field is present.
The checksum includes the checksum field itself, which is set to zero for
the calculation. The checksum represents the 16-bit, one’s complement of the
one’s complement sum of all 16-bit groups in the header.
An intermediate network (node or gateway) the changes a field in the IP header
(e.g., time-to-live) must recompute the checksum before forwarding it. Users of
the IP must provide their own data integrity, since the IP checksum is only for
the header.
1.3.2.10 SourceAddress – 32 Bit field
The source address field contains the network identifier and host
identifier of the originator.

8
1.3.2.11 DestinationAddress – 32 Bit field
The destination address field contains the network and identifier & Host
identifier of the destination.
1.3.2.12 Options – variable field
The presence of the “options” field is determined from the value of the
header length field. If the header length is greater than five, at least one option
is present. Although it is not required that a host set options, it must be able to
accept and process options received in a datagram. The options field is variable
in length. Each option declared begins with a single octet that defines that
format of the remainder of the option.
1.3.2.13 Padding – variable field
The pad field, when present, consists of 1 to 3 octets of zero, as required, to
make the total number of octets in the header divisible by four. (The header
length is in increments of 32-bit groups.)

9
2. LITERATURE SURVEY
2.1 INTRODUCTION
Information does not exist in a vacuum. Just as the need to share
information between desktop computers in an office has forced the proliferation
of LANs, the need to share information beyond a single workgroup is forcing
the adoption of LAN-to-LAN links, host gateways, asynchronous
communication servers, and other methods of communication with other
systems.
2.2 OBJECTIVES
The objectives of this chapter are to familiarize with the following: -
i) The LAN components and terminology
ii) Networking basics and topologies
iii) Hub
iv) Switch
v) Router
vi) Gateway
2.2.1 TOPOLOGY - Topology is the way that each node is physically
connected to the network. Common topologies include:
2.2.1.1 Bus :-
Fig 2.1:Bus network topology
Each node is daisy-chained (connected one right after the other)
along the same backbone. Information sent from a node travels along the

10
backbone until it reaches its destination node. Each end of a bus network
must be terminated with a resistor to keep the signal that is sent by a
node across the network from bouncing back when it reaches the end of
the cable.
2.2.1.2 Ring -
Fig 2.2:Ring network topology
Like a bus network, rings have the nodes daisy-chained. The difference is that
the end of the network comes back around to the first node, creating a complete
circuit. In a ring network, each node takes a turn sending and receiving
information through the use of a token. The token, along with any data, is sent
from the first node to the second node, which extracts the data addressed to it
and adds any data it wishes to send. Then, the second node passes the token and
data to the third node, and so on until it comes back around to the first node
again. Only the node with the token is allowed to send data. All other nodes
must wait for the token to come to them.
2.1.1.3 Star –
Fig 2.3:Star network topology
In a star network, each node is connected to a central device called a hub. The
hub takes a signal that comes from any node and passes it along to all the other
nodes.

11
2.2.1.4SWITCHES:
Switches are a fundamental part of most networks. They make it possible
for several users to send information over a network at the same time without
slowing each other down. Just like routers allow different networks to
communicate with each other, switches allow different nodes (a network
connection point, typically a computer) of a network to communicate directly
with one another in a smooth and efficient manner.
While hubs provide an easy way to scale up and shorten the distance that
the packets must travel to get from one node to another, they do not break up
the actual network into discrete segments. That is where switches come in.
Fig2.4: Imagine that each vehicle is a packet of data waiting for an
opportunity to continue on its trip.
In a fully switched network, switches replace all the hubs of an Ethernet
network with a dedicated segment for every node. These segments connect to a
switch, which supports multiple dedicated segments (sometimes in the
hundreds). Since the only devices on each segment are the switch and the node,
the switch picks up every transmission before it reaches another node. The
switch then forwards the frame over the appropriate segment. Since any
segment contains only a single node, the frame only reaches the intended
recipient. This allows many conversations to occur simultaneously on a
switched network.

12
Fig 2.5:An example of a network using a switch
Switching allows a network to maintain full-duplex Ethernet. Before switching,
Ethernet was half-duplex, which means that data could be transmitted in only
one direction at a time. In a fully switched network, each node communicates
only with the switch, not directly with other nodes. Information can travel from
node to switch and from switch to node simultaneously.
2.2.1.5ROUTERS
Routers connect LANs at the Network layer of the OSI model Routers
connect LANs that use the same Network-layer protocol, such as IPX-to-IPX
and IP-to-IP. Because routers operate at the Network layer, they can be used to
link dissimilar LANs, such as ARCNET, Ethernet, and Token Ring.
Fig 2.6:Example of Routers

13
Two networks connected via a router are physically and logically separate
networks. Network-layer protocols have their own addressing scheme separate
from the addressing scheme of MAC-layer protocols. This addressing scheme
may or may not include the MAC-layer addresses of the network cards. Each
network attached to a router must be assigned a logical identifier, or network
address, to designate it as unique from other physical networks.
For example, NetWare’s IPX routers (NetWare file servers or external
NetWare routers using ROUTER.EXE) use each LAN card’s MAC-layer
address and a logical address for each network assigned by the router installer.
Routers only forward traffic addressed to the other side. This means that
local traffic on one LAN will not affect performance on another. Routers can be
proprietary devices, or can be software and hardware residing in a general
purposecomputer, such as a PC.
Like transparent bridges, routers maintain routing tables. A router’s
routing table, however, keeps track of network addresses and possible routes
between networks, not individual node addresses. Using routers, redundant
paths between networks can be established, and traffic will be routed between
networks based on some algorithm to determine the best path. The simplest
routers usually select the path with the fewest number of router hops as the best
path. More intelligent routers consider other factors, such as the relative
responsetimes of various possible routes, when selecting the bestpath.
2.2.1.6GATEWAYS
A gateway is a fundamentally different type of device than a router or
switch and can be used in conjunction with them. A gateway makes it possible
for an application program, running on a system, confirming to network
architecture, to communicate with an application program running on a system
confirming to some other network architecture.
A gateway performs its function in the Application layer of the OSI
model. The function of a gateway is to convert one set of communication
protocols to some other set of communication protocols. Protocol conversion
may include the following:
 Message Format Conversion- Different networks may employ different
message format, maximum message size, or character codes. The gateway
must be able to convert messages to appropriate format, size and coding.

14
 Address translation- Different networks may employ different addressing
mechanism and network address structures. The gateway must be able to
interpret network address in one network and convert them into network
address in other network.
 Protocol conversion- When a message is prepared for transmission, each
layer adds control information, unique to the protocol used in that layer. The
gateway must be able to convert control information used by each layer so
that the receiving system receives the control information in the format it
expects.
2.3 IPv4 ADDRESSING
2.3.1 IP Addressing:
For any two systems to communicate, they must be able to identify and locate
each other. While these addresses in below Figure are not actual network
addresses, they represent and show the concept of address grouping. This uses
the A or B to identify the network and the number sequence to identify the
individual host. A computer may be connected to more than one network. In
this situation, the system must be given more than one address. Each address
will identify the connection of the computer to a different network.
Fig 2.7:Network system.
A device is not said to have an address, but that each of the connection
points, or interfaces, on that device has an address to a network. This will allow
other computers to locate the device on that particular network. The
combination of letter (network address) and the number (host address) create a
unique address for each device on the network. Each computer in a TCP/IP
network must be given a unique identifier, or IP address. This address,
operating at Layer 3, allows one computer to locate another computer on a

15
network. All computers also have a unique physical address, known as a MAC
address. These are assigned by the manufacturer of the network interface card.
MAC addresses operate at Layer 2 of the OSI model.
2.3.2 IPv4 addressing
A router forwards packets from the originating network to the destination
network using the IP protocol. The packets must include an identifier for both
the source and destination networks. Using the IP address of destination
network, a router can deliver a packet to the correct network. When the packet
arrives at a router connected to the destination network, the router uses the IP
address to locate the particular computer connected to that network. This system
works in much the same way as the national postal system. When the mail is
routed, it must first be delivered to the post office at the destination city using
the zip code. That post office then must locate the final destination in that city
using the street address. This is a two-step process.
Accordingly, every IP address has two parts. One part identifies the
network where the system is connected, and a second part identifies that
particular system on the network.
This kind of address is called a hierarchical address, because it contains
different levels. An IP address combines these two identifiers into one number.
This number must be a unique number, because duplicate addresses would
make routing impossible. The first part identifies the system's network address.
The second part, called the host part, identifies which particular machine it is on
the network.
IP addresses are divided into classes to define the large, medium, and
small networks. Class A addresses are assigned to larger networks. Class B
addresses are used for medium-sized networks and Class C for small networks.
The first step in determining which part of the address identifies the network
and which part identifies the host is identifying the class of an IP address.
2.3.3 Class A, B, C, D, and E IP addresses:
To accommodate different size networks and aid in classifying these
networks, IP addresses are divided into groups called classes. This is known as
class ful addressing. Each complete 32-bit IP address is broken down into a
network part and a host part. A bit or bit sequence at the start of each address
determines the class of the address. There are five IP address classes as shown
in the Figure below.

16
Fig 2.8:Class A, B, C, D &E IP address
The Class A address was designed to support extremely large networks, with
more than 16 million host addresses available. Class A IP addresses use only the
first octet to indicate the network address. The remaining three octets provide
for host addresses.
The first bit of a Class A address is always 0. With that first bit a 0, the
lowest number that can be represented is 00000000, decimal 0. The highest
number that can be represented is 01111111, decimal 127. The numbers 0 and
127 are reserved and cannot be used as network addresses. Any address that
starts with a value between 1 and 126 in the first octet is a Class A address.
The 127.0.0.0 network is reserved for loopback testing. Routers or local
machines can use this address to send packets back to themselves. Therefore,
this number cannot be assigned to a network.
The Class B address was designed to support the needs of moderate to
large-sized networks. A Class B IP address uses the first two of the four octets
to indicate the network address. The other two octets specify host addresses.
The first two bits of the first octet of a Class B address are always 10. The
remaining six bits may be populated with either 1s or 0s. Therefore, the lowest
number that can be represented with a Class B address is 10000000, decimal
128. The highest number that can be represented is 10111111, decimal 191.

17
Any address that starts with a value in the range of 128 to 191 in the first octet
is a Class B address.
The Class C address space is the most commonly used of the original
address classes. This address space was intended to support small networks
with a maximum of 254 hosts.
A Class C address begins with binary 110. Therefore, the lowest number that
can be represented is 11000000, decimal 192. The highest number that can be
represented is 11011111, decimal 223. If an address contains a number in the
range of 192 to 223 in the first octet, it is a Class C address.
The Class D address class was created to enable multicasting in an IP
address. A multicast address is a unique network address that directs packets
with that destination address to predefined groups of IP addresses. Therefore, a
single station can simultaneously transmit a single stream of data to multiple
recipients.
The Class D address space, much like the other address spaces, is
mathematically constrained. The first four bits of a Class D address must be
1110. Therefore, the first octet range for Class D addresses is 11100000 to
11101111, or 224 to 239. An IP address that starts with a value in the range of
224 to 239 in the first octet is a Class D address.
A Class E address has been defined. However, the Internet Engineering
Task Force (IETF) reserves these addresses for its own research. Therefore, no
Class E addresses have been released for use in the Internet. The first four bits
of a Class E address are always set to 1s. Therefore, the first octet range for
Class E addresses is 11110000 to 11111111, or 240 to 255.
2.3.4 ReservedIP addresses:
Certain host addresses are reserved and cannot be assigned to devices on
a network. These reserved hostaddresses include the following:
2.3.4.1 Introduction to subnetting:
Subnetting is another method of managing IP addresses. This method of
dividing full network address classes into smaller pieces has prevented complete
IP address exhaustion. It is important to understand subnetting as a means of
dividing and identifying separate networks throughout the LAN. It is not always
necessary to subnet a small network. However, for large or extremely large
networks, subnetting is required. Subnetting a network means to use the subnet
mask to divide the network and break a large network up into smaller, more
efficient and manageable segments, or subnets. An example would be the U.S.

18
telephone system which is broken into area codes, exchange codes, and local
numbers.
The system administrator must resolve these issues when adding and
expanding the network. It is important to know how many subnets or networks
are needed and how many hosts will be needed on each network. With
subnetting, the network is not limited to the default Class A, B, or C network
Fig2.9:An Example Subnet System
Subnet addresses include the network portion, plus a subnet field and a
host field. The subnet field and the host field are created from the original host
portion for the entire network. The ability to decide how to divide the original
host portion into the new subnet and host fields provides addressing flexibility
for the network administrator.
To create a subnet address, a network administrator borrows bits from the
host field and designates them as the subnet field. The minimum number of bits
that can be borrowed is two. When creating a subnet, where only one bit was
borrowed the network number would be the .0 network. The broadcast number
would then be the .255 network.
The method that was used to create the subnet chart can be used to solve
all subnetting problems. This method uses the following formula:
 Number of usable subnets= two to the power of the assigned subnet bits
or borrowed bits, minus two (reserved addresses for subnetwork id and
subnetwork broadcast)
(2 power of borrowed bits) – 2 = usable subnets
(23) – 2 = 6
 Number of usable hosts= two to the power of the bits remaining, minus
two (reserved addresses for subnet id and subnet broadcast)
(2 power of remaining host bits) – 2 = usable hosts
(25) – 2 = 30

19
As early as 1992, the Internet Engineering Task Force (IETF) identified
the following two specific concerns: Exhaustion of the remaining, unassigned
IPv4 network addresses. At the time, the Class B space was on the verge of
depletion.
The rapid and large increase in the size of Internet routing tables occurred
as more Class C networks came online. The resulting flood of new network
information threatened the ability of Internet routers to copeef
Fig2.10:Assigning the addressesto different regions
2.3.4.3Applying the subnet mask:
Once the subnet mask has been established it then can be used to create
the subnet scheme. The chart in the Figure is an example of the subnets and
addresses created by assigning three bits to the subnet field. This will create
Fig 2.10(a):Applying the subnet mask
eight subnets with 32 hosts per subnet. Start with zero (0) when
numbering subnets. The first subnet is always referenced as the zero subnet.
When filling in the subnet chart three of the fields are automatic, others require
some calculation.
The sub network ID of subnet zero is the same as the major network
number, in this case 192.168.10.0. The broadcast ID for the whole network is
the largest number possible, in this case 192.168.10.255. The third number that
IANA
National
Local
Consumer
InterNIC
America
RIPE
Europe
APNIC
Asia Regional
IANA
NationalNational
LocalLocal
ConsumerConsumer
InterNIC
America
RIPE
Europe
APNIC
Asia Regional
InterNIC
America
RIPE
Europe
APNIC
Asia
InterNIC
America
RIPE
Europe
APNIC
Asia Regional

20
is given is the subnetwork ID for subnet number seven. This number is the three
network octets with the subnet mask number inserted in the fourth octet
position. Three bits were assigned to the subnet field with a cumulative value of
224. The ID for subnet seven is 192.168.10.224. By inserting these numbers,
checkpoints have been established that will verify the accuracy when the chart
is completed.
When consulting the subnetting chart or using the formula, the three bits
assigned to the subnet field will result in 32 total hosts assigned to each subnet.
This information provides the step count for each subnetwork ID. Adding 32 to
each preceding number, starting with subnet zero, the ID for each subnet is
established. Notice that the subnet ID has all binary 0s in the hostportion.
Fig 2.10(b):Appling the subnet mask
The broadcast field is the last number in each subnetwork, and has all
binary ones in the host portion. This address has the ability to broadcast only to
the members of a single subnet. Since the subnetwork ID for subnet zero is
192.168.10.0 and there are 32 total hosts the broadcast ID would be
192.168.10.31. Starting at zero the 32nd sequential number is 31. It is important
to remember that zero (0) is a real number in the world of networking.
The balance of the broadcast ID column can be filled in using the same
process that was used in the subnetwork ID column. Simply add 32 to the
preceding broadcast ID of the subnet. Another option is to start at the bottom of

21
this column and work up to the top by subtracting one from the preceding
subnetwork ID.
2.4 ROUTING CONCEPTS:
2.4.1 Introduction to Routing:
This chapter introduces the underlying concepts widely used in routing
protocols. Topics summarized here include routing protocol components and
algorithms. In addition, the role of routing protocols is briefly contrasted with
the role of routed or network protocols.
2.4.2 Whatis Routing?
Routing is the act of moving information across an inter-network from a source
to a destination. Along the way, at least one intermediate node typically is
encountered. Routing is often contrasted with bridging, which might seem to
accomplish precisely the same thing to the casual observer. The primary
difference between the two is that bridging occurs at Layer 2 (the link layer) of
the OSI reference model, whereas routing occurs at Layer 3 (the network layer).
This distinction provides routing and bridging with different information to use
in the process of moving information from source to destination, so the two
functions accomplish their tasks in different ways.
The topic of routing has been covered in computer science literature for
more than two decades, but routing achieved commercial popularity as late as
the mid-1980s. The primary reason for this time lag is that networks in the
1970s were simple, homogeneous environments. Only relatively recently has
large-scale internetworking become popular.
2.4.3 Routing Components:
Routing involves two basic activities: determining optimal routing paths and
transporting information groups (typically called packets) through an
internet-work. In the context of the routing process, the latter of these is referred
to as packet switching. Although packet switching is relatively straightforward,
path determination can be very complex.
2.4.4 PathDetermination:
Routing protocols use metrics to evaluate what path will be the best for a packet
to travel. A metric is a standard of measurement, such as path bandwidth, that is
used by routing algorithms to determine the optimal path to a destination. To aid
the process of path determination, routing algorithms initialize and maintain

22
routing tables, which contain route information. Route information varies
depending on the routing algorithm used.
Routing algorithms fill routing tables with a variety of information.
Destination/next hop associations tell a router that a particular destination can
be reached optimally by sending the packet to a particular router representing
the "next hop" on the way to the final destination. When a router receives an
incoming packet, it checks the destination address and attempts to associate this
address with a next hop.
Routing tables also can contain other information, such as data about the
desirability of a path. Routers compare metrics to determine optimal routes, and
these metrics differ depending on the design of the routing algorithm used. A
variety of common metrics will be introduced and described later in this
chapter.
Routers communicate with one another and maintain their routing tables
through the transmission of a variety of messages. The routing update message
is one such message that generally consists of all or a portion of a routing table.
By analyzing routing updates from all other routers, a router can build a detailed
picture of network topology. A link-state advertisement, another example of a
message sent between routers, informs other routers of the state of the sender's
links. Link information also can be used to build a complete picture of network
topology to enable routers to determine optimal routes to network destinations.
2.4.5 Routing Algorithms
Routing algorithms can be differentiated based on several key characteristics.
First, the particular goals of the algorithm designer affect the operation of the
resulting routing protocol. Second, various types of routing algorithms exist,
and each algorithm has a different impact on network and router resources.
Finally, routing algorithms use a variety of metrics that affect calculation of
optimal routes. The following sections analyze these routing algorithm
attributes.
2.4.5.1Routing Algorithms DesignGoals
Routing algorithms often have one or more of the following design goals:
 Optimality
 Simplicity and low overhead
 Robustness and stability

23
 Rapid convergence
 Flexibility
Optimality refers to the capability of the routing algorithm to select the
best route, which depends on the metrics and metric weightings used to make
the calculation. For example, one routing algorithm may use a number of hops
and delays, but it may weigh delay more heavily in the calculation. Naturally,
routing protocols must define their metric calculation algorithms strictly.
Routing algorithms also are designed to be as simple as possible. In other
words, the routing algorithm must offer its functionality efficiently, with a
minimum of software and utilization overhead. Efficiency is particularly
important when the software implementing the routing algorithm must run on a
computer with limited physical resources.
Routing algorithms must be robust, which means that they should
perform correctly in the face of unusual or unforeseen circumstances, such as
hardware failures, high load conditions, and incorrect implementations. Because
routers are located at network junction points, they can cause considerable
problems when they fail. The best routing algorithms are often those that have
withstood the test of time and that have proven stable under a variety of network
conditions.
In addition, routing algorithms must converge rapidly. Convergence is the
process of agreement, by all routers, on optimal routes. When a network event
causes routes to either go down or become available, routers distribute routing
update messages that permeate networks, stimulating recalculation of optimal
routes and eventually causing all routers to agree on these routes. Routing
algorithms that converge slowly can cause routing loops or network outages.
Routing algorithms should also be flexible, which means that they should
quickly and accurately adapt to a variety of network circumstances. Assume, for
example, that a network segment has gone down. As many routing algorithms
become aware of the problem, they will quickly select the next-best path for all
routes normally using that segment. Routing algorithms can be programmed to
adapt to changes in network bandwidth, router queue size, and network delay,
among other variables.

24
2.4.6 Types of Routing:
 Static Routing
 Dynamic Routing
 Default Routing
2.4.6.1Static Routing
Static routing is a data communication concept describing one way of
configuring path selection of routers in computer networks. It is the type
of routing characterized by the absence of communication between routers
regarding the current of the network. This is achieved by manually
adding routes to the routing table. In these systems, routes through a data
network are described by fixed paths (statically). The system administrator
usually enters these routes into the router. An entire network can be configured
using static routes, but this type of configuration is not fault tolerant. When
there is a change in the network or a failure occurs between two statically
defined nodes, traffic will not be rerouted. This means that anything that wishes
to take an affected path will either have to wait for the failure to be repaired or
the static route to be updated by the administrator before restarting its journey.
Most requests will time out (ultimately failing) before these repairs can be
made. There are, however, times when static routes can improve the
performance of a network. Some of these include stub networks and default
routes.
Static Routing:
a. Routes for each destination network have to be manually configured by the
administrator.
b. Requires destination network ID for the configuration
c. Used in small networks.
d. Administrative distance for static route is
Disadvantagesofstatic routing:
a. Topologychanges cannot be dynamically updated
b. Compulsory need of all destination network ID's
c. Administrative work is more
d. Used for only small organizations

25
Syntax for Static Routing:
Router (config)# ip route <destination network ID><destination subnet
mask><next hop IP address> [Permanent]
Or
mask><exit interface type><interface number> [Permanent]
2.4.6.2DefaultRouting
A default route, also known as the gateway of last resort, is the network route
used by a router when no other known route exists for a given IP packet's
destination address. All the packets for destinations not known by the
router's routing table are sent to the default route. This route generally leads to
another router, which treats the packet the same way: If the route is known, the
packet will get forwarded to the known route. If not, the packet is forwarded to
the default-route of that router which generally leads to another router. And so
on. Each router traversal adds a one-hop distance to the route.
Once the router with a known route to a host destination is reached, the
router determines which route is valid by finding the "most specific match". The
network with the longest subnet mask that matches the destination IP
address wins.
The default route in IPv4 (in CIDR notation) is 0.0.0.0/0, often called the
quad-zero route. Since the subnet mask given is /0, it effectively specifies no
network, and is the "shortest" match possible. A route lookup that doesn't match
anything will naturally fall back onto this route. Similarly, in IPv6 the default
address is given by ::/0.
Routers in an organization generally point the default route towards the
router that has a connection to a network service provider. This way, packets
with destinations outside the organization's local area network (LAN)—
typically to the Internet, WAN, or VPN—will be forwarded by the router with
the connection to that provider.

26
Once it is routed outside the network, if that router does not know the
route of the destination, it will forward it to its own Default Route, which is
usually a router connected to larger number of networks. Similarly, the packet
will progress to internet backbone if still no route is known about the
destination IP. It is then considered that the network does not exist, and the
packet is discarded.
Host devices in an organization generally refer to the default route as a default
gateway which can be, and usually is, a filtration device such as
a firewall or Proxy server.
Syntax for Default Routing:
Router (config)# ip route 0.0.0.0 0.0.0.0 <next hop IP address>
Or
Router (config)# ip route 0.0.0.0 0.0.0.0 <exit interface type><interface
number>
2.4.6.3Dynamic routing
Dynamic routing protocols are supported by software applications running on
the routing device (the router) which dynamically learn network destinations
and how to get to them and also advertise those destinations to other routers.
This advertisement function allows all the routers to learn about all the
destination networks that exist and how to those networks.
A router using dynamic routing will 'learn' the routes to all networks that are
directly connected to the device. Next, the router will learn routes from
other routers that run the same routing protocol (RIP, RIP2, EIGRP, OSPF, IS-
IS, BGP etc). Each router will then sort through it's list of routes and select one
or more 'best' routes for each network destination the router knows or has
learned.
Dynamic routing protocols will then distribute this 'best route' information to
other routers running the same routing protocol, thereby extending the
information on what networks exist and can be reached. This gives dynamic
routing protocols the ability to adapt to logical network topology changes,
equipment failures or network outages 'on the fly'.

27
2.4.7 Types of Dynamic Routing Protocols:
 Distance-vector protocol (RIP - Routing Information Protocol)it is Open
standard.
 Link State Protocol(OSPF - Open shortest path first)it is Open standard.
 Hybrid or Advanced distance vector Routing protocol (EIGRP- Enhanced
Interior Gateway Routing Protocol)it is a CISCO proprietary.
2.4.7.1OPEN SHORTESTPATHFIRST (OSPF):
OSPF is a protocol that runs in the Transport Layer (OSPF runs over and its
protocolnumber in the IP datagram is 89.
OSPF is an Interior Gateway Protocol, which means that it is used by all
the routers inside the same Autonomous System in order to route packets inside
the AS. In an internet, which is divided into several AS's, the routing between 2
hosts on different AS's is done as follows: first, the packet is sent from the
original host to some Border Router using the Interior Gateway Protocol (IGP).
The Border Router uses Border Gateway Protocol (BGP) to route the packet to
the AS of the destination. Inside that AS, the packet is routed through the IGP
of that AS.
The general idea behind OSPF is the following:
OSPF is a link-state routing protocol, which is based on the SPF (Shortest Path
First) algorithm to find the least cost path to any destination in the network.
Each router sends the list of his neighbors to all the other routers. When a router
has received that information from all other routers, it is ready to deduce the
topology of the network, which will enable it, through the use of the Dijkstra
algorithm, to find the least-cost path to any IP address on the entire network.
OSPF can be described as follows:
In OSPF, each router maintains a database that describes the current
topology of the network. However, since OSPF is run inside ASs and since ASs
can be very large, there is a division of ASs into small sets of networks which

28
are called "Areas". The main idea is that each router should maintain a database
of the topology of the area in which it resides.
In order to flood link state information throughout the area, OSPF
introduces the notion of Designated Routers. Once Designated Routers have
been selected, whenever some router want to send link state information, he
will transfer it to the Designated router in an exchange protocol. Next, the
designated router will transfer the information to all the other routers.
The shortest-path tree (or trees) is later used to build the routing table of
each router.
OSPF Features:
 Open standard (IETF)
 Successorof RIP
 SPF or Dijikstra algorithm
 Link-state routing protocol
 Classless
 Hello packets are sent every 10 seconds
 Supports FLSM, VLSM, CIDR and Manual Summary
 Incremental / trigged updates
 Updates are sent as multicast (224.0.0.5 & 224.0.0.6)
 Metric = Cost(cost = 10^8/bandwidth in bps)
 Administrative distance = 110
 Load balancing via equal cost paths by default ( unequal cost load
balancing not supported)
2.4.7.2Link- state routing protocol
 Auto neighbor discovery
 Hierarchical network design
 One area has to be designated as area 0 (backbone area)
 sends periodic updates, known as link-state refresh, for every 30 second
 Maintains similar database on all the routers within an area
 router ID is used to identify each router

29
Router id
 Router id is used to identify the router
 The highest ip assigned to an active physical interface is the router id.
 If logical interface is configured then the highest ip assigned to a logical
interface (loopback) is the router id.
Neighbors:
 Routers that share a common link become neighbors.
 Neighbors are discovered by hello packets.
 To become neighbors the following should match.
a) Area id. b) Hello and dead intervals. c) Authentication
Adjacencies:
 Adjacencies are formed once neighbor relation is established.
 In adjacencies the database details are exchanged
OSPF tables.
Neighbortable:
 neighbor table contains information about the directly connected OSPF
neighbors
Database tables:
 It contains information about the entire view if the topology with respect
to each other.
Routing table:
 It contains information about the best path calculated by the shortest path
first algorithm In the database tables.
OSPF CONFIGURATION:
Syntax:
Router (config)# ip routing
Router (config)# router ospf<process id>
Router (config-router)#network <network id><wildcard mask> area <area id>

30
2.5 VIRTUAL PRIVATE NETWORKING(VPN):
2.5.1 Introduction to Virtual Private Network?
There have been many improvements in the Internet including Quality of
Service, network performance, and inexpensive technologies, such as DSL. But
one of the most important advances has been in Virtual Private Networking
(VPN) Internet Protocol security (IPSec). IPSec is one of the most complete,
secure, and commercially available, standards-based protocols developed for
transporting data.
A VPN is a shared network where private data is segmented
from other traffic so that only the intended recipient has access. The term VPN
was originally used to describe a secure connection over the Internet. Today,
however, VPN is also used to describe private networks, such as Frame Relay,
Asynchronous Transfer Mode (ATM), and Multiprotocol Label Switching
(MPLS).A key aspect of data security is that the data flowing across the
network is protected by encryption technologies. Private networks lack data
security, which can allow data attackers to tap directly into the network and read
the data. IPSec-based VPNs use encryption to provide data security, which
increases the network’s resistance to data tampering or theft.IPSec-based VPNs
can be created over any type of IP network, including the Internet, Frame Relay,
ATM, and MPLS, but only the Internet is ubiquitous and inexpensive.
2.5.2 VPNs are traditionally usage
•Intranets
Intranets connect an organization’s locations. These locations range from
the
headquarters offices, to branch offices, to a remote employee’s home. Often this
connectivity
is used for e-mail and for sharing applications and files. While Frame Relay,
ATM, and MPLS accomplish these tasks, the shortcomings of each limits
connectivity. The cost of connecting home users is also very expensive
compared to Internet-access technologies, such as DSL or cable. Because of
this, organizations are moving their networks to the Internet, which is
inexpensive, and using IPSec to create these networks.

31
•Remote Access:
Remote access enables telecommuters and mobile workers to access e-
mail and business applications. A dial-up connection to an organization’s
modem pool is one method of access for remote workers, but it is expensive
because the organization must pay the associated long distance telephone and
service costs. Remote access VPNs greatly reduce expenses by enabling mobile
workers to dial a local Internet connection and then set up a secure IPSec-based
VPN communications to their organization.
•Extranets:
Extranets are secure connections between two or more organizations. Common
uses for extranets include supply-chain management, development partnerships,
and subscription services. These undertakings can be difficult using legacy
network technologies due to connection costs, time delays, and access
availability. IPSec-based VPNs are ideal for extranet connections. IPSec-
capable devices can be quickly and inexpensively installed on existing Internet
connections.
2.5.3 Virtual private networking
2.5.3.1Key Management:
IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and
automate the SA setup and the exchange of keys between parties transferring
data. Using keys ensures that only the sender and receiver of a message can
access it.
IPSec requires that keys be re-created, or refreshed, frequently so that the
parties can communicate securely with each other. IKE manages the process of
refreshing keys; however,a user can control the key strength and the refresh
frequency. Refreshing keys on a regular basis ensures data confidentiality
between sender and receiver.
The VPN Consortium has developed specific scenarios to
aid system administrators in the often confusing process of connecting two
different vendor implementations of the IPSec standard. The examples in this
manual follow the addressing and configuration mechanics defined by the VPN
Consortium. It is a good idea to gather all the necessary information required to

32
establish a VPN before you begin the configuration process. You should
understand whether the firmware is up-to-date, all of the addresses that will be
necessary, and all of the parameters that need to be set on both sides. Try to
understand any incompatibilities before you begin, so that you minimize any
potential complications which may arise from normal firewall or WAN
processes.
2.5.3.2VPN ProcessOverview
Even though IPSec is standards-based, each vendor has its own set of terms and
procedures for implementing the standard. Because of these differences, it may
be a good idea to review some of the terms and the generic processes for
connecting two gateways before diving into to the specifics. Network Interfaces
and Addresses
The VPN gateway is aptly named because it functions as a “gatekeeper”
for each of the computers connected on the Local Area Network behind it.
In most cases, each gateway will have a “public” facing address (WAN side)
and a “private” facing address (LAN side). These addresses are referred to as
the “network interface” in documentation regarding the construction of VPN
communication. Please note that the addresses used in the example .Interface
Addressing this document uses example addresses provided the VPN
Consortium. It is important to understand that you will be using addresses
specific to the devices that you are attempting to connectvia IPSec VPN.
It is also important to make sure the addresses do not overlap or conflict. That
is, each set of addresses should be separate and distinct.
Each gateway must negotiate its Security Association with another
gateway using the parameters and processes established by IPSec. As illustrated
below, the most common method of accomplishing this process is via the
Internet Key Exchange (IKE) protocol which automates some of the negotiation
procedures. Alternatively, you can configure your gateways using manual key
exchange, which involves manually configuring each paramter on both
gateways. The IPSec software on Host A initiates the IPSec process in an
attempt to communicate with Host B. The two computers then begin the
Internet Key Exchange (IKE) process.

33
2.5.3.3IKE Phase I.
a .The two parties negotiate the encryption and authentication algorithms to use
in the IKE SA’s.
b. The two parties authenticate each other using a predetermined mechanism,
such as pre -shared keys or digital certificates.
c. A shared master key is generated by the Diffie-Hellman Public key algorithm
within the IKE framework for the two parties. The master key is also used in the
second phase to derive IPsec keys for the SAs.
2.5.3.4IKE Phase II.
a. The two parties negotiate the encryption and authentication algorithms to use
in the IPsec SAs.
b. The master key is used to derive the IPSec keys for the SAs. Once the SA
keys are created and exchanged, the IPsec SAs are ready to protect user data
between the two VPN gateways.
Data transfer. Data is transferred between IPSec peers based on the IPSec
parameters and keys stored in the SA database. IPsec tunnel termination. IPSec
SAs terminate through deletion or by timing out.
VPN Gateway to VPN Gateway
1) Communicationrequest sent to VPN Gateway
2) IKE Phase I authentication
3) IKE Phase II negotiation
4) Secure data transfer
IPsec tunnel terminationallows for a lot of flexibility. All
companies do not deploy the same networking hardware in their
environment, but as long as they are IPSec compliant, network
connectivity can be established via IPSec tunnelling protocol.
When creating IPSec tunnels, the main goal is to protect data flows that
carry confidential or sensitive data over an un trusted or public network.
Therefore, before planning your IPSec tunnel implementation, you must
have a solid understanding of the traffic you want protected by IPSec
tunnels, and the sources and destinations of this traffic.

34
2.6 IPsec (INTERNETPROTOCALSECURITY):
2.6.1 Introduction:
IPsec (Internet Protocol Security) is a network layer security protocol that
is design environment over the Internet considering flexibility, scalability, and
interoperability. IPsec primarily supports security among hosts rather than users
unlike the other security protocols. Recently, IPsec is emphasized as one of the
important security infrastructures in the NGI (Next Generation Internet). It also
has suitable features to implement VPN (Virtual Private Network) efficiently
and its application areas are expected to grow rapidly. In this paper, the basic
concepts and related standard documents of IPsec will be introduced.
2.6.2 WhatIs IPSec and How Does It Work?
IPSec is an Internet Engineering Task Force (IETF) standard suite of
protocols that provides data authentication, integrity, and confidentiality as data
is transferred between communication points across IP networks. IPSec
provides data security at the IP packet level. A packet is a data bundle that is
organized for transmission across a network, and it includes a header and
payload (the data in the packet). IPSec emerged as a viable network security
standard because enterprises wanted to ensure that data could be securely
transmitted over the Internet.
IPSec protects against possible security exposures by protecting data
while in transit. IPSec Security Features IPSec is the most secure method
commercially available for connecting network sites. IPSec was designed to
provide the following security features when transferring packets across
networks:
•Authentication: Verifies that the packet received is actually from the claimed
sender.
•Integrity: Ensures that the contents of the packet did not change in transit.
•Confidentiality: Conceals the message content through encryption.

35
2.6.3 Terms and Definitions
Now that we have discussed the concepts of SG-to-SG VPN connections,
we can start addressing the topic in more detail. Here are some definitions and
Terms that will be used throughout the remainder of the paper.
Encryption - Provides data confidentiality.
Authentication - Provides data integrity.
2.6.4 Internet ProtocolSecurity(IPSec)
A framework of open standards that provides data confidentiality, data
integrity, and data authentication between participating peers. IPSec provides
these security services at the IP layer; it uses IKE to handle negotiation of
protocols and algorithms based on local policy, and to generate the encryption
and authentication keys to be used by IPSec.
2.6.4.1 Internet Security Association and Key Management Protocol
(ISAKMP)
This is the framework which defines the mechanics of implementation a
key exchange protocoland the negotiation of a security association.
2.6.4.2 Internet Key exchange protocol (IKE) - Provides authentication of the
IPSec
peers, negotiates security associations, and establishes IPSec keys.
2.6.4.3 Hashed Message Authentication Code (HMAC) – Combination of
hash algorithm and secret shared key.
> DES - Data Encryption Standard used to encrypt packet data. 3DES is no
longer the best method of encryption, but is considered reliable and secure.
> MD5 (HMAC variant) - MD5 (Message Digest 5) is a hash algorithm.
HMAC is a keyed hash variant used to authenticate data.
> Peer- Refers to the two Cisco routers on either side of the VPN tunnel.
> Security association (SA) - IPSec security association which describes how
two or more entities will use security services for a particular data flow. This

36
includes the methods which will be used for encryption and authentication.
Security Parameter Index (SPI) -This is a number combined with an IP address
nd security protocol identifies a SA.Transform set - Represents a certain
combination of security protocols and algorithms that the peers on each end of
the tunnel must agree upon before initiating a secure data flow.
2.6.5 Tunnel – A secure communication path between two peers
2.6.5.1IPSec Tunnelling:
Mode
SAs operate using modes. A mode is the method in which the IPSec
protocol is applied to the packet. IPSec can be used in tunnel mode or transport
mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel
protection, but transport mode is used for host-to-host IPSec tunnel protection.
A gateway is a device that monitors and manages incoming and outgoing
network traffic and routes the traffic accordingly. A host is a device that sends
and receives network traffic.
•TransportMode:
The transport mode IPSec implementation encapsulates only the packet’s
packet contains the old IP header (with the source and destination IP addresses
unchanged) and the processed packet payload. Transport mode does not shield
the information in the IP header; therefore, an attacker can learn where the
packet is coming from and where it is going to.
•Tunnel Mode:
The tunnel mode IPSec implementation encapsulates the entire IP
packet. The entire packet becomes the payload of the packet that is processed
with IPSec. A new IP header is created that contains the two IPSec gateway
addresses. The gateways perform the encapsulation/encapsulation on behalf of
the hosts. Tunnel mode ESP prevents an attacker from analyzing the data and
deciphering it, as well as knowing who the packet is from and
where it is going.
Note:AH and ESP can be used in both transport mode and tunnel mode.
IPSec technology presents a way to protectsensitive data that travels across

37
untrusted networks. IPSec is the IETF standard for network layer tunnelling
described in RFC 1825 through 1829.9 “With IPsec, data can be transmitted
across a public network without fear of observation, modification, or spoofing.
This enables application intranets, extranet”10 IPsec allows the creation of a
secure tunnel between two Security Gateways or IPSec compliant routers.
Intranets in separate geographic locations can be created across the internet.
This concept is commonly referred to as transferring data from trusted networks
across an untrusted network. IPSec was created to provide the following
functionality across the internet.
• Data Confidentiality—the IPSec sender can encrypt packets before
transmitting them across a network.
• Data Integrity—the IPSec receiver can authenticate packets sent by the
IPSec sender to ensure that the data has not been altered during
transmission.
• Data Origin Authentication—the IPSec receiver can authenticate the
source of the IPSec packets sent. This service is dependent upon the data
integrity service.
• Anti-Replay—The IPSec receiver can detect and reject replayed.
2.6.5.2Encapsulating SecurityPayload(ESP):
ESP provides authentication, integrity, and confidentiality, which protect
against data tampering and, most importantly, provide message content
protection.
IPSec provides an open framework for implementing industry standard
algorithms, such as SHA and MD5. The algorithms IPSec uses produce a
unique and unforgeable identifier for each packet, which is a data equivalent of
a fingerprint. This fingerprint allows the device to determine if a packet has
been tampered with. Furthermore, packets that are not authenticated are
discarded and not delivered to the intended receiver.
ESP also provides all encryption services in IPSec. Encryption translates
a readable message into an unreadable format to hide the message content. The

38
opposite process, called decryption, translates the message content from an
unreadable format to a readable message. Encryption/decryption allows only the
sender and the authorized receiver to read the data. In addition, ESP has an
option to perform authentication, called ESP authentication. Using ESP
authentication, ESP provides authentication and integrity for the payload and
not for the IP header.
The ESP header is inserted into the packet between the IP header and any
subsequent packet contents. However, because ESP encrypts the data, the
payload is changed. ESP does not encrypt the ESP header, nor does it encrypt
the ESP authentication.
2.6.5.3Authentication Header (AH):
AH provides authentication and integrity, which protect against data tampering,
using the same algorithms as ESP. AH also provides optional anti-replay
protection, which protects against unauthorized retransmission of packets. The
authentication header is inserted into the packet between the IP header and any
subsequent packet contents. The payload is not touched.
Although AH protects the packet’s origin, destination, and contents from being
tampered with, the identity of the sender and receiver is known. In addition, AH
does not protect the data’s confidentiality. If data is intercepted and only AH is
used, the message contents can be read. ESP protects data confidentiality. For
added protection in certain cases, AH and ESP can be used together. In the
following table, IP HDR represents the IP header and includes both source and
destination IP addresses.
2.6.5.4SecurityAssociation
IPSec introduces the concept of the Security Association (SA). An SA is a
logical connection between two devices transferring data. An SA provides data
protection for unidirectional traffic by using the defined IPSec protocols. An
IPSec tunnel typically consists of two unidirectional SAs, which together
provide a protected, full-duplex data channel .The SAs allow an enterprise to
control exactly what resources may communicate securely, according to
security policy. To do this an enterprise can set up multiple SAs to enable
multiple secure VPNs, as well as define SAs within the VPN to support
different departments and business partners.

39
3. SYSTEM ARCHITECTURE
3.0 System Architecture:
Fig-3 : Architecture of IPSec
3.1 MODULES:
IPsec was created to provide the following functionality across the internet.
• Data Confidentiality—the IPsec sender can encrypt packets before
transmitting them across a network.
• Data Integrity—the IPsec receiver can authenticate packets sent by the
IPsec sender to ensure that the data has not been altered during
transmission.
• Data Origin Authentication—the IPsec receiver can authenticate the
source of the IPsec packets sent. This service is dependent upon the data
integrity service.
• Anti-Replay—The IPsec receiver can detect and reject replayed .
3.2 SOFTWARE AND HARDWARE REQUIREMENTS:
3.2.1 Software Requirements:
Cisco Packet Tracer 5.3
3.2.2 Hardware Requirements:
Cisco Hubs, Wireless Device, Copper Straight-Through Cable , Copper
Cross-OverCable, Fiber Optics Cable, Coaxial Cable.
The information in this document was created from the devices in a

40
specific lab environment. All of the devices used in this document
started with a cleared (default) configuration. If your network is live, make
sure that you understand the potential impact of any command.
Windows XP, Windows server 2003, Server & Client .And also this
document is not restricted to specific software and hardware versions.

41
4.SYSTEM STUDY
4.1 Feasibility Study:
It is a very important aspect of any project report. There is always chance of
manual errors. Cost factor is also there which depends upon the size of the
work.
Feasibility studies aim to objectively and rationally uncover the
strengths and weaknesses of the existing business or proposed venture,
opportunities and threats as presented by the environment, the resources
required to carry through, and ultimately the prospects for success. In its
simplest term, the two criteria to judge feasibility are cost required and value to
be attained. As such, a well-designed feasibility study should provide a
historical background of the business or project, description of the product or
service, accounting statements, details of the operations and management,
marketing research and policies, financial data, legal requirements and tax
obligations. Generally, feasibility studies precede technical development and
project implementation.
4.1.1 TechnicalFeasibility:
In the preliminary investigation phase, we examine the feasibility of the
project. We find the likelihood the Network which we established will be useful
to the organization. We determine whether the solution is a viable or not. For
thispurpose, the analyst clearly establishes the feasibility of each alternative
testing for benefits, costs and other resources.
4.1.2 Behavioral / OperationalFeasibility :
For any network which we implemented and used by an
organization, its behavioral nature must be analyzed. It means that if any
organization want to access the net on many systems by using only one
internet service provider then it can be done by with the help of NAT
Operational feasibility is a measure of how well a proposed system
solves the problems, and takes advantage of the opportunities identified
during scope definition and how it satisfies the requirements identified in
the requirements analysis phase of system development.
4.1.3 Economic Feasibility:
This project does not specify an Internet standard of any kind.
Distribution of this project is unlimited. You can use private addresses on your

42
inside networks. Private addresses are not routable on the Internet. NAT hides
the local addresses from other networks, so attackers cannot learn the real
address of a server in the data center You can resolve IP routing problems such
as overlapping addresses when you have two interfaces connected to
overlapping subnets.
Economic analysis is the most frequently used method for evaluating the
effectiveness of a new system. More commonly known as cost/benefit analysis,
the procedure is to determine the benefits and savings that are expected from a
candidate system and compare them with costs. If benefits outweigh costs, then
the decision is made to design and implement the system. An entrepreneur must
accurately weigh the costversus benefits before taking an action.

43
5. SYSTEM DESIGN
5.1.1 Introduction to DFD Diagrams:
The Data Flow diagram is a graphic tool used for expressing system
requirements in a graphical form. The DFD also known as the “bubble chart”
has the purpose of clarifying system requirements and identifying major
transformations that to becomeprogram in system design.
Thus DFD can be stated as the starting point of the design phase that
functionally decomposes the requirements specifications down to the lowest
level of detail.
The DFD consists of series of bubbles joined by lines. The bubbles
represent data transformations and the lines represent data flows in the system.
A DFD describes what data flow is rather than how they are processed, so it
does not depend on hardware, software, data structure or file organization.

44
5.2 At Source IP address:
5.1 Incoming Packet
Fig 5.1 : At source IP Address.

45
5.3 At receiving IP Address
Source Application:
Fig 5.1 : DFD for Source IP address
At the receiving end:
Fig. 5.2 – Packetreceiving from the Source IP address.

46
6. SYSTEM IMPLEMENTATION
6.1 ALGORITHMS USED:
6.1.1 MD5:
The MD5 Message-DigestAlgorithm is a widely used cryptographic hash
function that produces a 128-bit (16-byte) hash value. Specified in RFC 1321,
MD5 has been utilized in a wide variety of security applications, and is also
commonly used to check data integrity. MD5 was designed by Ron Rivest in
1991 to replace an earlier hash function, MD4. An MD5 hash is typically
expressed as a hexadecimal number, 32 digits long.
However, it has since been shown that MD5 is not resistant; as such, MD5 is
not suitable for applications like SSL certificates or digital signatures that rely
on this property. In 1996, a flaw was found with the design of MD5, and while
it was not a clearly fatal weakness, cryptographers began recommending the use
of other algorithms, such as SHA-1—which has since been found to be
vulnerable as well. In 2004, more serious flaws were discovered in MD5,
making further use of the algorithm for security purposes questionable—
specifically, a group of researchers described how to create a pair of files that
share the same MD5 checksum. Further advances were made in breaking MD5
in 2005, 2006, and 2007. In December 2008, a group of researchers used this
technique to fake SSL certificate validity, and CMU Software Engineering
Institute now says that MD5 "should be considered cryptographically broken
and unsuitable for further use", and most U.S. government applications now
require the SHA-2 family of hash functions.
6.1.2 SHA( SECURE HASH ALGORITHM):
In cryptography, SHA-1 is a cryptographic hash function designed by the
United States National Security Agency and published by the United
States NIST as a U.S. Federal Information Processing Standard. SHA stands for
"secure hash algorithm". The four SHA algorithms are structured differently and
are distinguished as SHA-0, SHA-1, SHA-2, and SHA-3. SHA-1 is very similar
to SHA-0, but corrects an error in the original SHA hash specification that led
to significant weaknesses. The SHA-0 algorithm was not adopted by many
applications. SHA-2 on the other hand significantly differs from the SHA-1
hash function.
SHA-1 is the most widely used of the existing SHA hash functions, and is
employed in several widely used applications and protocols.
In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm
might not be secure enough for ongoing use. NIST required many applications
in federal agencies to move to SHA-2 after 2010 becauseof the

47
weakness. Although no successfulattacks have yet been reported on SHA-2,
they are algorithmically similar to SHA-1. In 2012, following a long-running
competition, NIST selected an additional algorithm, Keccak, for standardization
as SHA-3 .
Algorithm and
variant
Output
size
(bits)
Internal
state
size
(bits)
Block
size
(bits)
Max
message
size
(bits)
Word
size
(bits)
Rounds Operations
Collisions
found?
SHA-0
160 160 512 264 – 1 32 80
add, and, or,
xor, rotate,
mod
Yes
SHA-1
Theoretical
attack (251)[6]
SHA-
2
SHA-
256/224
256/224 256 512 264 – 1 32 64
add, and, or,
xor, rotate,
mod, shift
No
SHA-
512/384
512/384 512 1024 2128 – 1 64 80
Table-6.1.2: Details about SHA-0,SHA-1,SHA-2
6.1.3 MD5 VS SHA:
MD5 has been cryptographically broken for quite some time now. This
basically means that some of the properties usually guaranteed by hash
algorithms, do not hold anymore. Forexample it is possible to find hash
collisions in much less time than potentially necessary for the output length.
SHA-512 (one of the SHA-2 family of hash functions) is, for now, secure
enough but possibly not much longer for the foreseeable future. That's why the
NIST started a contestfor SHA-3.Generally, you want hash algorithms to
be one-way functions. They map some input to some output. Usually the output
is of a fixed length, thereby providing a "digest" of the original input. However,
flaws in design or implementation often result in reduced complexity for
attacks. Once those are known it's time to evaluate whether still using a hash
function. If the attack complexity drops far enough practical attacks easily get in
the range of people without specialized computing equipment.

48
6.2 ROUTER CONFIGURATION:
Fig 6.1:Routers configuration AT RTTC, Hyderabad

49
6.2.1 INITIAL CONFIGURATION AT TRIPURA
Router> (User Mode)
Router>enable
Router# (Privilege Mode)
Router# configure terminal
Router(config)# (Global Configuration Mode)
Router(config)# hostname TRIPURA
Configuration for assigning an IP address to Fastethernetinterface
TRIPURA(config)# interface fastethernet 0/0
TRIPURA(config-if)# (Interface Configuration Mode)
TRIPURA(config-if)# ip address 192.168.4.49 255.255.255.240
TRIPURA(config-if)# no shutdown
TRIPURA(config-if)# exit
Configuration for setting a TELNET session and password
TRIPURA(config)# line vty 0 4
TRIPURA(config-line)# (Line Configuration Mode)
TRIPURA(config-line)# password cisco
TRIPURA(config-line)# login
TRIPURA(config-line)# exit
Configuration for setting a CONSOLE password
TRIPURA(config)# line con0
TRIPURA(config-line)# password cisco
TRIPURA(config-line)# login
TRIPURA(config-line)# exit
Configuration for setting a ENABLE password
TRIPURA(config)# enable password cisco
TRIPURA(config)# exit

50
Configuration of an IP address to the serial interface
TRIPURA(config)#interface serial 0/1/0
TRIPURA(config-if)# ip address 192.168.4.82 255.255.255.252
TRIPURA(config-if)# no shutdown
TRIPURA(config-if)# encapsulation ppp
TRIPURA(config-if)# ^Z
TRIPURA# wr ( for saving the configuration )
6.2.2 INITIAL CONFIGURATION OF SHILLONG
SHILLONG
Router> (User Mode)
Router>enable
Router# config terminal
Router(config)# hostname SHILLONG
SHILLONG(config)# interface fastethernet 0/0
SHILLONG(config-if)# (Interface Configuration Mode)
SHILLONG(config-if)# ip address 192.168.4.33 255.255.255.240
SHILLONG(config-if)# no shutdown
SHILLONG(config-if)# exit
Configuration for setting a TELNET sessionand password
SHILLONG(config)# line vty 0 15
SHILLONG(config-line)# (Line Configuration Mode)
SHILLONG(config-line)# password 0 cisco
SHILLONG(config-line)# login
SHILLONG(config-line)# exit

51
SHILLONG(config)# line con 0
SHILLONG(config-line)# password 0 cisco
SHILLONG(config-line)# login
SHILLONG(config-line)# exit
SHILLONG(config)# enable password cisco
SHILLONG(config)# exit
SHILLONG(config)#interface serial 0/0/0
SHILLONG(config-if)# ip address 192.168.4.94 255.255.255.252
SHILLONG(config-if)# no shutdown
SHILLONG(config-if)# encapsulation ppp
SHILLONG(config-if)# exit
SHILLONG(config)#
6.2.3 INITIAL CONFIGURATION OF CALCUTTA
CALCUTTA
Router> (User Mode)
Router>enable
Router(config)# hostname CALCUTTA
CALCUTTA(config)# interface fastethernet 0/0

52
CALCUTTA(config-if)# (Interface Configuration Mode)
CALCUTTA(config-if)# ip address 192.168.4.17 255.255.255.240
CALCUTTA(config-if)# no shutdown
CALCUTTA(config-if)# exit
CALCUTTA(config)# line vty 0 15
CALCUTTA(config-line)# (Line Configuration Mode)
CALCUTTA(config-line)# password 0 cisco
CALCUTTA(config-line)# login
CALCUTTA(config-line)# exit
CALCUTTA(config)# line con 0
CALCUTTA(config-line)# password 0 cisco
CALCUTTA(config-line)# login
CALCUTTA(config-line)# exit
CALCUTTA(config)# enable password cisco
CALCUTTA(config)# exit
CALCUTTA(config)#interface serial 0/1/0
CALCUTTA(config-if)# encapsulation ppp
CALCUTTA(config-if)# exit
CALCUTTA(config)#interface serial 0/1/1
CALCUTTA(config-if)# encapsulation ppp
CALCUTTA# wr( save the configuration)

53
6.3 Configuration of Open ShortestPath First (OSPF)in IPv4 domain
Fig 6.2 Configuration of OSPF in IPv4 domain on
SHILLONG,TRIPURA& CALCUTTA Routers considering the area as
Back bone area (Area 0)
CALCUTTA # configure terminal
CALCUTTA (config)# ip routing
CALCUTTA (config)# router ospf10
CALCUTTA (config-router)# network 192.168.4.16 0.0.0.15 area 0
CALCUTTA (config-router)#^Z
CALCUTTA#wr (save the configuration)
SHILLONG(config)#ip routing
SHILLONG (config)#router ospf10
SHILLONG (config-ospf)#network 192.168.4.32 0.0.0.15 area 0
SHILLONG (config-ospf)#network 192.168.4.92 0.0.0.3 area 0
SHILLONG (config-ospf)#^Z
SHILLONG# wr (save the configuration)
TRIPURA#configure terminal
TRIPURA (config)#ip routing
TRIPURA (config)#router ospf

54
TRIPURA (config-ospf)#network 192.168.4.48 0.0.0.15 area 0
TRIPURA (config-ospf)#network 192.168.4.80 0.0.0.3 area 0
TRIPURA (config-ospf)#^Z
TRIPURA # wr (save the configuration)
Show commands @ Any router for checking the OSPF process
ROUTER#ship route (Display the Routing table)
ROUTER#ship ospfneighbor (Display the Neighbor information)
ROUTER#ship ospfdatabase (Display the OSPF database)
Also check the connectivity using “ping” commands to interface ipv6 addresses
and end to end connectivity from PC in one router LAN to PC in other router
LAN.
6.4 Configuration of NMREC- Engineering, NMREC-Jr. College and
NMREC-School networkonIPv4
Fig 6.3 : NMREC- Engineering, NMREC-Jr. College and NMREC-School
network on IPv4 .

55
6.4.1 INITIAL CONFIGURATION AT NMREC
Router> (User Mode)
Router>enable
Router# configure terminal
Router(config)# hostname NMREC
NMREC(config)# interface fastethernet 0/0
NMREC(config-if)# (Interface Configuration Mode)
NMREC(config-if)# ip address 192.168.1.0 255.255.255.0
NMREC(config-if)# no shutdown
NMREC(config-if)# exit
NMREC(config)# line vty 0 4
NMREC(config-line)# (Line Configuration Mode)
NMREC(config-line)# password cisco
NMREC(config-line)# login
NMREC(config-line)# exit
NMREC(config)# line con 0
NMREC(config-line)# password cisco
NMREC(config-line)# login
NMREC(config-line)# exit
NMREC(config)# enable password cisco
NMREC(config)# exit

56
NMREC(config)#interface serial 0/0/0
NMREC(config-if)# ip address 192.168.6.1 255.255.255.252
NMREC(config-if)# no shutdown
NMREC(config-if)# encapsulation ppp
NMREC(config-if)# ^Z
NMREC# wr ( for saving the configuration )
6.4.2 INITIAL CONFIGURATION OF NMREC-JR. COLLEGE
NMREC-JR.COLLEGE
Router> (User Mode)
Router>enable
Router(config)# hostname NMREC-JR. COLLEGE
NMREC-JR. COLLEGE(config)# interface fastethernet 0/0
NMREC-JR. COLLEGE(config-if)# (Interface Configuration Mode)
NMREC-JR. COLLEGE(config-if)# ip address 192.168.2.1 255.255.255.0
NMREC-JR. COLLEGE(config-if)# no shutdown
NMREC-JR. COLLEGE(config-if)# exit
NMREC-JR. COLLEGE(config)#interface serial 0/1/0
NMREC-JR. COLLEGE(config-if)# encapsulation ppp
NMREC-JR. COLLEGE(config-if)# ^Z
NMREC-JR. COLLEGE# wr ( for saving the configuration )

57
NMREC-JR. COLLEGE(config)#interface serial 0/1/1
NMREC-JR. COLLEGE(config-if)# encapsulation ppp
NMREC-JR. COLLEGE(config-if)# ^Z
NMREC-JR. COLLEGE# wr ( for saving the configuration )
6.4.3 INITIAL CONFIGURATION OF NMREC-SCHOOL
NMREC-SCHOOL
Router> (User Mode)
Router>enable
Router(config)# hostname NMREC-SCHOOL
NMREC-SCHOOL(config)# interface fastethernet 0/0
NMREC-SCHOOL(config-if)# (Interface Configuration Mode)
NMREC-SCHOOL(config-if)# ip address 192.168.3.1 255.255.255.0
NMREC-SCHOOL(config-if)# no shutdown
NMREC-SCHOOL(config-if)# exit
NMREC-SCHOOL(config)# line vty 0 15
NMREC-SCHOOL(config-line)# (Line Configuration Mode)
NMREC-SCHOOL(config-line)# password 0 cisco
NMREC-SCHOOL(config-line)# login
NMREC-SCHOOL(config-line)# exit

58
NMREC-SCHOOL(config)# line con 0
NMREC-SCHOOL(config-line)# password 0 cisco
NMREC-SCHOOL(config-line)# login
NMREC-SCHOOL(config-line)# exit
NMREC-SCHOOL(config)# enable password cisco
NMREC-SCHOOL(config)# exit
NMREC-SCHOOL(config)#interface serial 0/2/0
NMREC-SCHOOL(config-if)# encapsulation ppp
NMREC-SCHOOL(config-if)# exit
NMREC-SCHOOL(config)#interface serial 0/2/1
NMREC-SCHOOL(config-if)# encapsulation ppp
NMREC-SCHOOL(config-if)# ^Z
NMREC-SCHOOL# wr ( save the configuration)
6.5 ROUTING
6.5.1 Static Routing
IPV4:
mask><exit interface type><interface number> [Permanent]
Static routing for NMREC, NMREC-JR. COLLEGE and NMREC-
SCHOOL

59
Fig 6.4 : An Example of Static Routing
6.5.1.1Configuring at NMREC-ENGG:
Input commands: (IPV4)
NMREC(config)#ip route 192.168.2.0 255.255.255.0 Serial0/0/0
NMREC(config)# ip route 192.168.3.0 255.255.255.0 Serial0/0/0
NMREC(config)#exit
NMREC# wr
Output results:
interface Serial0/0/0

60
ip address 192.168.6.1 255.255.255.252
encapsulation ppp
ipv6 address FD00:0:0:F1::1/64
clock rate 500000
!
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.2.0 255.255.255.0 Serial0/0/0
ip route 192.168.3.0 255.255.255.0 Serial0/0/0
ip route 192.168.4.0 255.255.255.0 Serial0/0/0
ip route 192.168.5.0 255.255.255.0 Serial0/0/0
ip route 192.168.6.4 255.255.255.252 Serial0/0/0
ip route 192.168.6.8 255.255.255.252 Serial0/0/0
ip route 192.168.6.12 255.255.255.252 Serial0/0/0
!
ipv6 route FD00:0:0:2::/64 Serial0/0/0
ipv6 route FD00:0:0:F2::/64 Serial0/0/0
Verification commands:
NMREC#show ip route (ipv4)
Codes:C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

61
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S 192.168.2.0/24 is directly connected, Serial0/0/0
192.168.6.0/30 is subnetted, 4 subnets
C 192.168.6.0 is directly connected, Serial0/0/0
S 192.168.6.4 is directly connected, Serial0/0/0
6.5.1.2NMREC-JR.COLLEGE:
NMREC-JR.COLLEGE(config)#ip route 192.168.1.0 255.255.255.0 Serial0/1/0
NMREC-JR.COLLEGE(config)#ip route 192.168.6.8 255.255.255.252
Serial0/1/1
NMREC-JR.COLLEGE(config)#ip route 192.168.6.12 255.255.255.252
Serial0/1/1
NMREC-JR.COLLEGE(config)#exit
NMREC-JR.COLLEGE#wr

62
Output results:
ip address 192.168.6.2 255.255.255.252
encapsulation ppp
!
ip address 192.168.6.5 255.255.255.252
encapsulation ppp
clock rate 125000
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 Serial0/1/0
ip route 192.168.3.0 255.255.255.0 Serial0/1/1
ip route 192.168.4.0 255.255.255.0 Serial0/1/1
ip route 192.168.5.0 255.255.255.0 Serial0/1/1
ip route 192.168.6.8 255.255.255.252 Serial0/1/1
ip route 192.168.6.12 255.255.255.252 Serial0/1/1
!
NMREC-JR. COLLEGE#showip route (ipv4)

63
Results:
6.5.1.3CONFIGURING AT NMREC-SCHOOL
NMREC-SCHOOL(config)#ip route 192.168.4.0 255.255.255.240 Serial0/2/1
NMREC-SCHOOL(config)#exit
NMREC-SCHOOL#wr

64
Output results:
interface FastEthernet0/0
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
ipv6 address FD00:0:0:3::1/64
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
ip address 192.168.6.6 255.255.255.252
encapsulation ppp
!
ip address 192.168.6.9 255.255.255.252
encapsulation ppp
clock rate 125000
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.2.0 255.255.255.240 Serial0/2/0
ip route 192.168.4.0 255.255.255.240 Serial0/2/1
ip route 192.168.1.0 255.255.255.240 Serial0/2/0
ip route 192.168.5.0 255.255.255.240 Serial0/2/1
ip route 192.168.6.0 255.255.255.252 Serial0/2/0
ip route 192.168.6.12 255.255.255.252 Serial0/2/1
!

65
NMREC-SCHOOL#show ip route (ipv4)

66
Ping commands:
Pinging from NMREC router to NMREC-JR. COLLEGE router
NMREC#ping 192.168.2.1(ipv4)
Result:
Type escapesequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/27/121 ms
Pinging from NMREC router to NMREC-SCHOOLrouter
NMREC#ping 192.168.3.1(ipv4)
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 47/62/109 ms.
Pinging from NMREC-JR.COLLEGE routerto NMREC router
NMREC-JR. COLLEGE#ping192.168.1.1(ipv4)
!!!!!

67
Pinging from NMREC-JR. COLLEGE router to NMREC-SCHOOL
router
NMREC-JR. COLLEGE#ping192.168.3.1(ipv4)
!!!!!
Pinging from NMREC-SCHOOLrouter to NMREC router
NMREC-SCHOOL#ping 192.168.1.1(ipv4)
!!!!!
Pinging from NMREC-SCHOOL router to NMREC-JR. COLLEGE
router
NMREC-SCHOOL#ping 192.168.2.1(ipv4)
!!!!!

Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)

Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)

Similar to Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1) (20)

Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)