Download to read offline
![ip domain-name seguridad.edu
crypto key generate rsa usage-keys modulus 1024
crypto ca trustpoint CA
enrollment url http://200.0.1.1:80
revocation-check none
crypto ca authenticate CA
--------------------------------------------------------------------------
Certificate has the following attributes:
Fingerprint MD5: 87B13186 83BD9E72 BB9CA06A 42C6C214
Fingerprint SHA1: 3560514B 9F32D2E4 95E92DA4 6C104ADD BC46E0F5
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
--------------------------------------------------------------------------------
--
crypto ca enroll CA
Password: 123456789
Re-password: 123456789
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
--------------------------------------------------------------------------------
-
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 7200
exit
crypto isakmp key 0 cisco address 200.0.2.2 no-xauth
crypto ipsec transform-set R1_MYSET esp-aes esp-sha-hmac
no access-list 117 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
no access-list 117 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
--------------------------------------------------------------------------------
-
#ip access-list extended TRAFFIC_R1
#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
#exit
--------------------------------------------------------------------------------
--
crypto map R1_MAP 1 ipsec-isakmp
set peer 200.0.2.2
set transform-set R1_MYSET](https://image.slidesharecdn.com/ipsec-140730154456-phpapp01/85/Ipsec-4-320.jpg)
![match address 117
exit
interface fastEthernet 0/0
crypto map R1_MAP
EXIT
----------------
CONFIGURACION R2
----------------
enable
configure terminal
interface fastEthernet 0/0
ip address 200.0.2.2 255.255.255.252
no shutdown
interface fastEthernet 0/1
ip address 192.168.2.1 255.255.255.0
no shutdown
exit
ip route 200.0.1.0 255.255.255.252 fastEthernet 0/0
ip route 192.168.1.0 255.255.255.0 fastEthernet 0/0
ip domain-name seguridad.edu
crypto key generate rsa usage-keys modulus 1024
crypto ca trustpoint CA
enrollment url http://200.0.1.1:80
revocation-check none
crypto ca authenticate CA
--------------------------------------------------------------------------------
--
Certificate has the following attributes:
Fingerprint MD5: 87B13186 83BD9E72 BB9CA06A 42C6C214
Fingerprint SHA1: 3560514B 9F32D2E4 95E92DA4 6C104ADD BC46E0F5
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
--------------------------------------------------------------------------------
--
crypto ca enroll CA
Password: 123456789
Re-password: 123456789
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no](https://image.slidesharecdn.com/ipsec-140730154456-phpapp01/85/Ipsec-5-320.jpg)
![Request certificate from CA? [yes/no]: yes
--------------------------------------------------------------------------------
-
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 7200
exit
crypto isakmp key 0 cisco address 200.0.1.2 no-xauth
crypto ipsec transform-set R2_SET esp-aes esp-sha-hmac
exit
access-list 117 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 117 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
no access-list 117 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
no access-list 117 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
--------------------------------------------------------------------------------
-
#ip access-list extended TRAFFIC_R2
#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
#exit
crypto map R2_MAP 1 ipsec-isakmp
set peer 200.0.1.2
set transform-set R2_SET
match address 117
EXIT
interface fastEthernet 0/0
crypto map R2_MAP
EXIT
--------------------------------------------------------------------------------
--](https://image.slidesharecdn.com/ipsec-140730154456-phpapp01/85/Ipsec-6-320.jpg)
![Request certificate from CA? [yes/no]: yes
--------------------------------------------------------------------------------
-
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 7200
exit
crypto isakmp key 0 cisco address 200.0.1.2 no-xauth
crypto ipsec transform-set R2_SET esp-aes esp-sha-hmac
exit
access-list 117 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 117 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
no access-list 117 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
no access-list 117 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
--------------------------------------------------------------------------------
-
#ip access-list extended TRAFFIC_R2
#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
#exit
crypto map R2_MAP 1 ipsec-isakmp
set peer 200.0.1.2
set transform-set R2_SET
match address 117
EXIT
interface fastEthernet 0/0
crypto map R2_MAP
EXIT
--------------------------------------------------------------------------------
--](https://image.slidesharecdn.com/ipsec-140730154456-phpapp01/85/Ipsec-7-320.jpg)
Uploaded byEddy Barzallo
Ipsec
The document describes the configuration of two routers, R1 and R2, to establish an IPsec VPN using pre-shared keys for authentication. It then shows the configuration of a Certificate Authority (CA) and the enrollment of certificates on R1 and R2 to authenticate the IPsec tunnel using RSA signatures instead of pre-shared keys. Access control lists (ACLs) and crypto maps are used to define the traffic to protect and apply the IPsec policies.
More Related Content
Ipsec
- 1. 1=>show crypto cacertificates 2=>show crypto isakmp policy 3=>show crypto isakmp sa 4=>show crypto ipsec transform-set 5=>show crypto map 6=>show crypto ipsec sa tunnel GRE R1 GRE configure terminal interface Tunnel10 ip address 10.0.0.1 255.255.255.252 tunnel source serial 0/1/0 tunnel destination 200.0.2.2 exit ip route 200.0.1.0 255.255.255.252 serial 0/1/0 ip route 192.168.1.0 255.255.255.0 10.0.0.2 end R1 GRE configure terminal interface Tunnel10 ip address 10.0.0.2 255.255.255.252 tunnel source serial 0/1/0 tunnel destination 200.0.1.2 exit ip route 200.0.2.0 255.255.255.252 serial 0/1/0 ip route 192.168.2.0 255.255.255.0 10.0.0.1 end ================================================================== R1 pre-share enable configure terminal interface serial 0/1/0 ip address 200.0.1.2 255.255.255.252 no shutdown interface fastEthernet 0/0 ip address 192.168.1.1 255.255.255.0 no shutdown exit ip route 200.0.2.0 255.255.255.252 serial 0/1/0 ip route 192.168.2.0 255.255.255.0 serial 0/1/0 ============================================================= R2 pre-share enable configure terminal interface serial 0/1/0 ip address 200.0.2.2 255.255.255.252 no shutdown
- 2. interface fastEthernet 0/0 ipaddress 192.168.2.1 255.255.255.0 no shutdown exit ip route 200.0.1.0 255.255.255.252 serial 0/1/0 ip route 192.168.1.0 255.255.255.0 serial 0/1/0 ============================================================== R3 ISP enable configure terminal interface serial 0/1/0 ip address 200.0.1.1 255.255.255.252 no shutdown interface serial 0/1/1 ip address 200.0.2.1 255.255.255.252 no shutdown exit ============================================================== R1 crypto isakmp policy 110 authentication pre-share encryption 3des group 1 hash sha lifetime 43200 exit crypto isakmp key cisco123 address 200.0.2.2 crypto ipsec transform-set R1SET esp-aes 128 exit access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 110 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 crypto map R1MAP 10 ipsec-isakmp match address 110 set peer 200.0.2.2 set pfs group1 set transform-set R1SET set security-association lifetime seconds 86400 exit interface serial0/1/0 crypto map R1MAP R2 crypto isakmp policy 110 authentication pre-share encryption 3des group 1 hash sha lifetime 43200 exit crypto isakmp key cisco123 address 200.0.1.2 crypto ipsec transform-set R2SET esp-aes 128 exit access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 access-list 110 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 crypto map R2MAP 10 ipsec-isakmp match address 110 set peer 200.0.1.2
- 3. set pfs group1 settransform-set R2SET set security-association lifetime seconds 86400 exit interface serial0/1/0 crypto map R2MAP exit -------------------- CONFIGURACION DEL CA -------------------- enable configure terminal interface fastEthernet 0/0 ip address 200.0.1.1 255.255.255.252 no shutdown interface fastEthernet 0/1 ip address 200.0.2.1 255.255.255.252 no shutdown exit ip http server ip domain-name seguridad.edu crypto key generate rsa general-keys label CA modulus 1024 ex crypto pki server CA issuer-name CN=CA.seguridad.edu database url nvram: database level minimum grant auto lifetime crl 24 lifetime ca-certificate 365 cdp-url http://200.0.1.1/CA.cdp.CA.crl no shutdown -------------------------------------------------------------------------- ca1234567 Re-enter password: ca1234567 ---------------- CONFIGURACION R1 ---------------- configure terminal interface fastEthernet 0/0 ip address 200.0.1.2 255.255.255.252 no shutdown interface fastEthernet 0/1 ip address 192.168.1.1 255.255.255.0 no shutdown exit ip route 200.0.2.0 255.255.255.252 fastEthernet 0/0 ip route 192.168.2.0 255.255.255.0 fastEthernet 0/0
- 4. ip domain-name seguridad.edu cryptokey generate rsa usage-keys modulus 1024 crypto ca trustpoint CA enrollment url http://200.0.1.1:80 revocation-check none crypto ca authenticate CA -------------------------------------------------------------------------- Certificate has the following attributes: Fingerprint MD5: 87B13186 83BD9E72 BB9CA06A 42C6C214 Fingerprint SHA1: 3560514B 9F32D2E4 95E92DA4 6C104ADD BC46E0F5 % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. -------------------------------------------------------------------------------- -- crypto ca enroll CA Password: 123456789 Re-password: 123456789 % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: no Request certificate from CA? [yes/no]: yes -------------------------------------------------------------------------------- - crypto isakmp policy 1 authentication rsa-sig encryption aes hash sha group 2 lifetime 7200 exit crypto isakmp key 0 cisco address 200.0.2.2 no-xauth crypto ipsec transform-set R1_MYSET esp-aes esp-sha-hmac no access-list 117 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 no access-list 117 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 -------------------------------------------------------------------------------- - #ip access-list extended TRAFFIC_R1 #permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 #exit -------------------------------------------------------------------------------- -- crypto map R1_MAP 1 ipsec-isakmp set peer 200.0.2.2 set transform-set R1_MYSET
- 5. match address 117 exit interfacefastEthernet 0/0 crypto map R1_MAP EXIT ---------------- CONFIGURACION R2 ---------------- enable configure terminal interface fastEthernet 0/0 ip address 200.0.2.2 255.255.255.252 no shutdown interface fastEthernet 0/1 ip address 192.168.2.1 255.255.255.0 no shutdown exit ip route 200.0.1.0 255.255.255.252 fastEthernet 0/0 ip route 192.168.1.0 255.255.255.0 fastEthernet 0/0 ip domain-name seguridad.edu crypto key generate rsa usage-keys modulus 1024 crypto ca trustpoint CA enrollment url http://200.0.1.1:80 revocation-check none crypto ca authenticate CA -------------------------------------------------------------------------------- -- Certificate has the following attributes: Fingerprint MD5: 87B13186 83BD9E72 BB9CA06A 42C6C214 Fingerprint SHA1: 3560514B 9F32D2E4 95E92DA4 6C104ADD BC46E0F5 % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. -------------------------------------------------------------------------------- -- crypto ca enroll CA Password: 123456789 Re-password: 123456789 % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: no
- 6. Request certificate fromCA? [yes/no]: yes -------------------------------------------------------------------------------- - crypto isakmp policy 1 authentication rsa-sig encryption aes hash sha group 2 lifetime 7200 exit crypto isakmp key 0 cisco address 200.0.1.2 no-xauth crypto ipsec transform-set R2_SET esp-aes esp-sha-hmac exit access-list 117 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 access-list 117 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 no access-list 117 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 no access-list 117 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 -------------------------------------------------------------------------------- - #ip access-list extended TRAFFIC_R2 #permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 #exit crypto map R2_MAP 1 ipsec-isakmp set peer 200.0.1.2 set transform-set R2_SET match address 117 EXIT interface fastEthernet 0/0 crypto map R2_MAP EXIT -------------------------------------------------------------------------------- --
- 7. Request certificate fromCA? [yes/no]: yes -------------------------------------------------------------------------------- - crypto isakmp policy 1 authentication rsa-sig encryption aes hash sha group 2 lifetime 7200 exit crypto isakmp key 0 cisco address 200.0.1.2 no-xauth crypto ipsec transform-set R2_SET esp-aes esp-sha-hmac exit access-list 117 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 access-list 117 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 no access-list 117 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 no access-list 117 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 -------------------------------------------------------------------------------- - #ip access-list extended TRAFFIC_R2 #permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 #exit crypto map R2_MAP 1 ipsec-isakmp set peer 200.0.1.2 set transform-set R2_SET match address 117 EXIT interface fastEthernet 0/0 crypto map R2_MAP EXIT -------------------------------------------------------------------------------- --