NetProtocol Xpert, profile picture
Uploaded byNetProtocol Xpert
1,429 views

IPSec VPN

An IPSec VPN is configured between routers R1 and R2 using RSA signatures for authentication. NTP and a CA server are also configured to synchronize time and authenticate certificates between the routers. IKEv2 is then used to configure an IPSec VPN between routers R1 and R3 using pre-shared keys for authentication.

Embed presentation

IPSec VPN INTERNET PROTOCOL SECURITY VIRTUAL PRIVATE NETWORK June 2014 - Tilak Upadhyay
THE PING BOX .NET CCIE Security 4.0 1 | P a g e IPSec VPN with RSA using NTP & CA Servers CONFIGURATION: STEP I: Configure NTP Server on R4 and NTP Client on R1 & R2 NTP SERVER (ROUTER R4) To set clock, write on privilege mode, CA_Server# clock set 12:10:08 26 july 2014 ntp authentication-key 1 md5 ciscoNTP ntp authenticate ntp trusted-key 1 ntp master 2 VERIFICATION: CA_Server# sh ntp status CA_Server# sh ntp associations
THE PING BOX .NET CCIE Security 4.0 2 | P a g e NTP CLIENTS (ROUTER R1 & R2) ntp authentication-key 1 md5 ciscoNTP ntp authenticate ntp trusted-key 1 ntp server 40.0.0.4 key 1 VERIFICATION: R1# sh ntp status R1# sh ntp associations STEP II: Configure CA Server on R4 and CA Client on Router R1 & R2 CA SERVER (ROUTER R4) ip http server crypto pki server IOS_CA database archive pem password cisco123 grant auto lifetime certificate 300 lifetime ca-certificate 500 no shutdown exit VERIFICATION: CA_Server# sh crypto pki server CA CLIENTS (ROUTER R1 & R2) ip domain name Mabison.com crypto key generate rsa (To generate RSA key)
THE PING BOX .NET CCIE Security 4.0 3 | P a g e crypto pki trustpoint IOS_CA usage ike enrollment url http://40.0.0.4 subject-name CN=R1 C=IN exit crypto ca authenticate IOS_CA (To get authenticate or to get signature certificate from CA) crypto ca enroll IOS_CA (For getting enrol router in CA Server) STEP III: Create IPSec VPN between Router R1 & R2 using “rsa-sig” ROUTER R1 crypto isakmp policy 10 encr 3des hash md5 group 2 auth rsa-sig exit access-list 101 permit ip host 1.1.1.1 host 2.2.2.2 crypto ipsec transform-set tset esp-3des esp-md5-hmac exit crypto map RSA_ENCRYPT 10 ipsec-isakmp set peer 20.0.0.2 set transform-set tset match address 101
THE PING BOX .NET CCIE Security 4.0 4 | P a g e exit interface FastEthernet0/0 crypto map RSA_ENCRYPT exit ROUTER R2 crypto isakmp policy 10 encr 3des hash md5 group 2 auth rsa-sig exit access-list 101 permit ip host 2.2.2.2 host 1.1.1.1 crypto ipsec transform-set tset esp-3des esp-md5-hmac exit crypto map RSA_ENCRYPT 10 ipsec-isakmp set peer 10.0.0.1 set transform-set tset match address 101 exit interface FastEthernet0/0 crypto map RSA_ENCRYPT exit VERIFICATION:
THE PING BOX .NET CCIE Security 4.0 5 | P a g e R1# sh crypto isakmp sa R1# sh crypto ipsec sa IPSec VPN with IKE V2 CONFIGURATION: ON ROUTER R1 R1(config)#crypto ikev2 proposal prop1 R1(config-ikev2-proposal)# encryption 3des des R1(config-ikev2-proposal)# integrity md5 sha1 R1(config-ikev2-proposal)# group 2 5 R1(config-ikev2-proposal)# exit R1(config)#crypto ikev2 policy pol1 R1(config-ikev2-policy)# proposal prop1 R1(config-ikev2-policy)# exit R1(config)#crypto ikev2 keyring kr1 R1(config-ikev2-keyring)# peer site1 R1(config-ikev2-keyring-peer)# address 30.0.0.3 R1(config-ikev2-keyring-peer)# pre-shared-key local cisco1 R1(config-ikev2-keyring-peer)# pre-shared-key remote cisco2
THE PING BOX .NET CCIE Security 4.0 6 | P a g e R1(config-ikev2-keyring-peer)# exit R1(config-ikev2-keyring)# exit R1(config)#crypto ikev2 profile prof1 R1(config-ikev2-profile)# match identity remote address 30.0.0.3 255.255.255.255 R1(config-ikev2-profile)# authentication remote pre-share R1(config-ikev2-profile)# authentication local pre-share R1(config-ikev2-profile)# keyring local kr1 R1(config-ikev2-profile)# exit R1(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit R1(config)#access-list 101 permit ip host 1.1.1.1 host 3.3.3.3 R1(config)#crypto map abc 10 ipsec-isakmp R1(config-crypto-map)# set peer 30.0.0.3 R1(config-crypto-map)# set transform-set tset R1(config-crypto-map)# set ikev2-profile prof1 R1(config-crypto-map)# match address 101 R1(config-crypto-map)# exit R1(config)#int fa 1/0 R1(config-if)#crypto map abc R1(config-if)#exit ON ROUTER R3 R3(config)#crypto ikev2 proposal prop1 R3(config-ikev2-proposal)# encryption 3des des R3(config-ikev2-proposal)# integrity md5 sha1 R3(config-ikev2-proposal)# group 2 5 R3(config-ikev2-proposal)# exit
THE PING BOX .NET CCIE Security 4.0 7 | P a g e R3(config)#crypto ikev2 policy pol1 R3(config-ikev2-policy)# proposal prop1 R3(config-ikev2-policy)# exit R3(config)#crypto ikev2 keyring kr1 R3(config-ikev2-keyring)# peer site1 R3(config-ikev2-keyring-peer)# address 10.0.0.1 R3(config-ikev2-keyring-peer)# pre-shared-key local cisco2 R3(config-ikev2-keyring-peer)# pre-shared-key remote cisco1 R3(config-ikev2-keyring-peer)# exit R3(config-ikev2-keyring)# exit R3(config)#crypto ikev2 profile prof1 R3(config-ikev2-profile)#$tity remote address 10.0.0.1 255.255.255.255 R3(config-ikev2-profile)# authentication remote pre-share R3(config-ikev2-profile)# authentication local pre-share R3(config-ikev2-profile)# keyring local kr1 R3(config-ikev2-profile)# exit R3(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac R3(cfg-crypto-trans)#exit R3(config)#access-list 101 permit ip host 3.3.3.3 host 1.1.1.1 R3(config)#crypto map abc 10 ipsec-isakmp R3(config-crypto-map)# set peer 10.0.0.1 R3(config-crypto-map)# set transform-set tset R3(config-crypto-map)# set ikev2-profile prof1 R3(config-crypto-map)# match address 101
THE PING BOX .NET CCIE Security 4.0 8 | P a g e R3(config-crypto-map)# exit R3(config)#int fa 1/0 R3(config-if)#crypto map abc R3(config-if)#exit RESULT: ON ROUTER R1 R1#sh crypto ikev2 sa IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 1 10.0.0.1/500 30.0.0.3/500 none/none READY Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/164 sec IPv6 Crypto IKEv2 SA ON ROUTER R3 R3#sh crypto ikev2 sa IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 1 30.0.0.3/500 10.0.0.1/500 none/none READY Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/36 sec IPv6 Crypto IKEv2 SA

More Related Content

PDF
DMVPN
byNetProtocol Xpert
 
PPTX
Cisco CCNA Port Security
byHamed Moghaddam
 
PPTX
Cisco CCNA EIGRP IPV6 Configuration
byHamed Moghaddam
 
PPTX
Cisco CCNA-CCNP IP SLA Configuration
byHamed Moghaddam
 
PPTX
Cisco CCNA-Standard Access List
byHamed Moghaddam
 
PPTX
Cisco CCNA OSPF IPV6 Configuration
byHamed Moghaddam
 
PPTX
Cisco CCNA CCNP VACL Configuration
byHamed Moghaddam
 
PPTX
Cisco CCNA IP SLA with tracking configuration
byHamed Moghaddam
 
DMVPN
byNetProtocol Xpert
 
Cisco CCNA Port Security
byHamed Moghaddam
 
Cisco CCNA EIGRP IPV6 Configuration
byHamed Moghaddam
 
Cisco CCNA-CCNP IP SLA Configuration
byHamed Moghaddam
 
Cisco CCNA-Standard Access List
byHamed Moghaddam
 
Cisco CCNA OSPF IPV6 Configuration
byHamed Moghaddam
 
Cisco CCNA CCNP VACL Configuration
byHamed Moghaddam
 
Cisco CCNA IP SLA with tracking configuration
byHamed Moghaddam
 

What's hot

PPTX
Cisco CCNA- NAT Configuration
byHamed Moghaddam
 
PPTX
Cisco CCNA- How to Configure Multi-Layer Switch
byHamed Moghaddam
 
PPTX
Cisco CCNA IPV6 Static Configuration
byHamed Moghaddam
 
PPTX
Cisco CCNA-Router on Stick
byHamed Moghaddam
 
PPTX
Juniper JNCIA – Juniper RIP Route Configuration
byHamed Moghaddam
 
PDF
Eincop Netwax Lab: Site 2 Site VPN with Routing Protocols
byNetwax Lab
 
PPTX
Cisco CCNA- PPP Multilink Configuration
byHamed Moghaddam
 
DOCX
Configure Cisco Routers for Syslog, NTP, and SSH Operations
byKelson Silva
 
PPTX
Juniper JNCIA – Juniper Floating Static Route Configuration
byHamed Moghaddam
 
PDF
Introduction to Network Performance Measurement with Cisco IOS IP Service Lev...
byCisco Canada
 
PPTX
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
byNetProtocol Xpert
 
PDF
Nxll10 v lan and trunking
byNetwax Lab
 
PDF
BACIK CISCO SKILLS
byPeťko Z Chochoľova
 
PDF
VPNIPSec site to site
byDimitri LEMBOKOLO
 
PDF
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
byNetwax Lab
 
PPTX
Basic BGP Configuration
byNetProtocol Xpert
 
DOC
Networking Tutorial Goes to Basic PPP Configuration
by3Anetwork com
 
Cisco CCNA- NAT Configuration
byHamed Moghaddam
 
Cisco CCNA- How to Configure Multi-Layer Switch
byHamed Moghaddam
 
Cisco CCNA IPV6 Static Configuration
byHamed Moghaddam
 
Cisco CCNA-Router on Stick
byHamed Moghaddam
 
Juniper JNCIA – Juniper RIP Route Configuration
byHamed Moghaddam
 
Eincop Netwax Lab: Site 2 Site VPN with Routing Protocols
byNetwax Lab
 
Cisco CCNA- PPP Multilink Configuration
byHamed Moghaddam
 
Configure Cisco Routers for Syslog, NTP, and SSH Operations
byKelson Silva
 
Juniper JNCIA – Juniper Floating Static Route Configuration
byHamed Moghaddam
 
Introduction to Network Performance Measurement with Cisco IOS IP Service Lev...
byCisco Canada
 
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
byNetProtocol Xpert
 
Nxll10 v lan and trunking
byNetwax Lab
 
BACIK CISCO SKILLS
byPeťko Z Chochoľova
 
VPNIPSec site to site
byDimitri LEMBOKOLO
 
Eincop Netwax Lab: HSRP (Hot Standby Router Protocol)
byNetwax Lab
 
Basic BGP Configuration
byNetProtocol Xpert
 
Networking Tutorial Goes to Basic PPP Configuration
by3Anetwork com
 

Viewers also liked

PPTX
ASA Firewall Interview- Questions & Answers
byNetProtocol Xpert
 
PDF
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
byDuane Bodle
 
PDF
IPSec_VPN_Final_
byPratik Bhide
 
PPT
Understanding and Troubleshooting ASA NAT
byCisco Russia
 
PPTX
NAT in ASA Firewall
byNetProtocol Xpert
 
PPT
checkpoint
byMayank Dhingra
 
PPTX
Checkpoint Firewall for Dummies
bysushmil123
 
DOCX
ihsan cv
byIhsanUllah Khan
 
PDF
Par2 2 0901(1)
bylaura ximena nuñez plata
 
PDF
IPsec vpn topology over GRE tunnels
byMustafa Khaleel
 
PDF
Troubleshooting Remote Workers and VPNs
byThousandEyes
 
PDF
VSS_Final
byPratik Bhide
 
PDF
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
byHuy Eav
 
PPTX
Mastering checkpoint-1-basic-installation
bynetworkershome
 
PPTX
Checkpoint Firewall Training | Checkpoint Firewall Online Course
byGlobal Online Trainings
 
PPT
Ip sec training
byWahyu Nasution
 
PPT
Firewall
byguestdb9bc9
 
PPTX
Alu xgpon solution for pt telkom akses 20130830+
byWahyu Nasution
 
PDF
Cisco trouble shooting
byHamid Younesi
 
ASA Firewall Interview- Questions & Answers
byNetProtocol Xpert
 
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
byDuane Bodle
 
IPSec_VPN_Final_
byPratik Bhide
 
Understanding and Troubleshooting ASA NAT
byCisco Russia
 
NAT in ASA Firewall
byNetProtocol Xpert
 
checkpoint
byMayank Dhingra
 
Checkpoint Firewall for Dummies
bysushmil123
 
ihsan cv
byIhsanUllah Khan
 
Par2 2 0901(1)
bylaura ximena nuñez plata
 
IPsec vpn topology over GRE tunnels
byMustafa Khaleel
 
Troubleshooting Remote Workers and VPNs
byThousandEyes
 
VSS_Final
byPratik Bhide
 
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
byHuy Eav
 
Mastering checkpoint-1-basic-installation
bynetworkershome
 
Checkpoint Firewall Training | Checkpoint Firewall Online Course
byGlobal Online Trainings
 
Ip sec training
byWahyu Nasution
 
Firewall
byguestdb9bc9
 
Alu xgpon solution for pt telkom akses 20130830+
byWahyu Nasution
 
Cisco trouble shooting
byHamid Younesi
 

Similar to IPSec VPN

PPT
Vpn site to site
byIT Tech
 
PPTX
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
byNetProtocol Xpert
 
PPT
Vpn(4)
bySuraj Kumar
 
PDF
Actividad configuración de cisco asa vpn
byAndres Ldño
 
PDF
Cisco asa vpn
byAndres Ldño
 
PPT
Chapter 8 overview
byali raza
 
TXT
Ipsec
byEddy Barzallo
 
PDF
Configuring Ip Sec Between A Router And A Pix
byangelitoh11
 
PPTX
Network Security version Virtual Private Networks
byZaheer Parvez
 
PDF
multi vendor VPN NGF UTM untuk setting vpn
byjasjus
 
PPTX
Lan to lan vpn
byRohit Pardasani
 
PPTX
RAVPN EAP-IKEv2 VPN.pptx
byDhruv Sharma
 
PPTX
CCNASv2_InstructorPPT_CH8.en.es.pptx
byRichardChecca1
 
PDF
Ch8 - Implementing Virtual Private Networks
byOhmRon
 
PPT
Cisco Router As A Vpn Server
bymmoizuddin
 
PDF
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
byHarris Andrea
 
PDF
20 palo alto site to site
byMostafa El Lathy
 
DOCX
I psec tunnel vs transport mode
byIT Tech
 
PPTX
IP Protocol Security
byDavid Barker
 
PPTX
Ccna sv2 instructor_ppt_ch8
bySalmenHAJJI1
 
Vpn site to site
byIT Tech
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
byNetProtocol Xpert
 
Vpn(4)
bySuraj Kumar
 
Actividad configuración de cisco asa vpn
byAndres Ldño
 
Cisco asa vpn
byAndres Ldño
 
Chapter 8 overview
byali raza
 
Ipsec
byEddy Barzallo
 
Configuring Ip Sec Between A Router And A Pix
byangelitoh11
 
Network Security version Virtual Private Networks
byZaheer Parvez
 
multi vendor VPN NGF UTM untuk setting vpn
byjasjus
 
Lan to lan vpn
byRohit Pardasani
 
RAVPN EAP-IKEv2 VPN.pptx
byDhruv Sharma
 
CCNASv2_InstructorPPT_CH8.en.es.pptx
byRichardChecca1
 
Ch8 - Implementing Virtual Private Networks
byOhmRon
 
Cisco Router As A Vpn Server
bymmoizuddin
 
Site-to-Site IPSEC VPN Between Cisco ASA and Pfsense
byHarris Andrea
 
20 palo alto site to site
byMostafa El Lathy
 
I psec tunnel vs transport mode
byIT Tech
 
IP Protocol Security
byDavid Barker
 
Ccna sv2 instructor_ppt_ch8
bySalmenHAJJI1
 

More from NetProtocol Xpert

PPTX
Basic Cisco ASA 5506-x Configuration (Firepower)
byNetProtocol Xpert
 
PPTX
MPLS Layer 3 VPN
byNetProtocol Xpert
 
PPTX
Common Layer 2 Threats, Attacks & Mitigation
byNetProtocol Xpert
 
PPTX
Storm-Control
byNetProtocol Xpert
 
PPTX
Dynamic ARP Inspection (DAI)
byNetProtocol Xpert
 
PPTX
IP Source Guard
byNetProtocol Xpert
 
PPTX
DHCP Snooping
byNetProtocol Xpert
 
PPTX
Password Recovery
byNetProtocol Xpert
 
PPTX
Application & Data Center
byNetProtocol Xpert
 
PPTX
Cisco ISR 4351 Router
byNetProtocol Xpert
 
PPTX
Cisco ASR 1001-X Router
byNetProtocol Xpert
 
PPTX
Securing management, control & data plane
byNetProtocol Xpert
 
PPTX
Point to-point protocol (ppp), PAP & CHAP
byNetProtocol Xpert
 
PPTX
Avoid DNS lookup when mistyping a command
byNetProtocol Xpert
 
PPTX
TCLSH and Macro Ping Test on Cisco Routers and Switches
byNetProtocol Xpert
 
PPTX
Private VLANs
byNetProtocol Xpert
 
PPTX
MTU (maximum transmission unit) & MRU (maximum receive unit)
byNetProtocol Xpert
 
PPTX
OTV Configuration
byNetProtocol Xpert
 
PPTX
Cisco OTV 
byNetProtocol Xpert
 
PPTX
OTV(Overlay Transport Virtualization)
byNetProtocol Xpert
 
Basic Cisco ASA 5506-x Configuration (Firepower)
byNetProtocol Xpert
 
MPLS Layer 3 VPN
byNetProtocol Xpert
 
Common Layer 2 Threats, Attacks & Mitigation
byNetProtocol Xpert
 
Storm-Control
byNetProtocol Xpert
 
Dynamic ARP Inspection (DAI)
byNetProtocol Xpert
 
IP Source Guard
byNetProtocol Xpert
 
DHCP Snooping
byNetProtocol Xpert
 
Password Recovery
byNetProtocol Xpert
 
Application & Data Center
byNetProtocol Xpert
 
Cisco ISR 4351 Router
byNetProtocol Xpert
 
Cisco ASR 1001-X Router
byNetProtocol Xpert
 
Securing management, control & data plane
byNetProtocol Xpert
 
Point to-point protocol (ppp), PAP & CHAP
byNetProtocol Xpert
 
Avoid DNS lookup when mistyping a command
byNetProtocol Xpert
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
byNetProtocol Xpert
 
Private VLANs
byNetProtocol Xpert
 
MTU (maximum transmission unit) & MRU (maximum receive unit)
byNetProtocol Xpert
 
OTV Configuration
byNetProtocol Xpert
 
Cisco OTV 
byNetProtocol Xpert
 
OTV(Overlay Transport Virtualization)
byNetProtocol Xpert
 

Recently uploaded

PPTX
CFP_Unit 3 Decision Control and Looping Statements
bypawarbhaktiit
 
PDF
Environmental Engineering (3-0-2) Laboratory.pdf
byChemical Engineering Dept. NIT Rourkela-769008, Odisha, India
 
PPTX
Environmental-Impact-of-Sustainable-Development.pptx
byyecamoy754
 
PDF
lecture notes digital_design_examples.pdf
bygeekcooder2020
 
PDF
Damped Oscillations through different mediums
byandysoccer530
 
PDF
Basics of Electronics Simplified by Akash.pdf.pdf.pdf
byakashgirasha
 
PPTX
review of transistor circuit and applications
bysophieshuqinghuang
 
PDF
Finite Automata With Output - Moore and Mealy Machines definitions and Solved...
byNileshPardeshi28
 
PPTX
Solar PV An Essential Requirement in renewable energy based sources Industria...
byshilpashukla2025
 
PPTX
Attack surfaces and attack tress[inform]
byErAnilKumarGupta1
 
PPTX
plastic road.pptxPlastic Roads: A Sustainable Solution
byalfiyasutar10
 
PDF
Alternator Protection.pdf`djdjdjkdkdkdkdkd
byMDMahfujRahman1
 
PPTX
introduction-210127111642.pptx hamster frftt
byridhammodi198
 
PDF
Interaction with IIT Khatragpur for Infrastructure Development
byHARSIMRAN SINGH
 
PDF
Foundations and evolution of Artificial Intelligence - Mechanical Engineering...
byvyankatesh1
 
PPTX
Two Unethical Issue Engineers Practice.pptx
byhehbe481
 
PDF
graph graph graph theory Graph presentation .pdf
bygeekcooder2020
 
PPT
5.1 Basic concept and hierarchy.ppt1234564
byChetansingh768231
 
PDF
Robert Walker Epps - A Football Coach
byRobert Walker Epps
 
PPT
software-security-intro Secure software Design and Development
bysahar62648
 
CFP_Unit 3 Decision Control and Looping Statements
bypawarbhaktiit
 
Environmental Engineering (3-0-2) Laboratory.pdf
byChemical Engineering Dept. NIT Rourkela-769008, Odisha, India
 
Environmental-Impact-of-Sustainable-Development.pptx
byyecamoy754
 
lecture notes digital_design_examples.pdf
bygeekcooder2020
 
Damped Oscillations through different mediums
byandysoccer530
 
Basics of Electronics Simplified by Akash.pdf.pdf.pdf
byakashgirasha
 
review of transistor circuit and applications
bysophieshuqinghuang
 
Finite Automata With Output - Moore and Mealy Machines definitions and Solved...
byNileshPardeshi28
 
Solar PV An Essential Requirement in renewable energy based sources Industria...
byshilpashukla2025
 
Attack surfaces and attack tress[inform]
byErAnilKumarGupta1
 
plastic road.pptxPlastic Roads: A Sustainable Solution
byalfiyasutar10
 
Alternator Protection.pdf`djdjdjkdkdkdkdkd
byMDMahfujRahman1
 
introduction-210127111642.pptx hamster frftt
byridhammodi198
 
Interaction with IIT Khatragpur for Infrastructure Development
byHARSIMRAN SINGH
 
Foundations and evolution of Artificial Intelligence - Mechanical Engineering...
byvyankatesh1
 
Two Unethical Issue Engineers Practice.pptx
byhehbe481
 
graph graph graph theory Graph presentation .pdf
bygeekcooder2020
 
5.1 Basic concept and hierarchy.ppt1234564
byChetansingh768231
 
Robert Walker Epps - A Football Coach
byRobert Walker Epps
 
software-security-intro Secure software Design and Development
bysahar62648
 

IPSec VPN

  • 1.
    IPSec VPN INTERNET PROTOCOLSECURITY VIRTUAL PRIVATE NETWORK June 2014 - Tilak Upadhyay
  • 2.
    THE PING BOX.NET CCIE Security 4.0 1 | P a g e IPSec VPN with RSA using NTP & CA Servers CONFIGURATION: STEP I: Configure NTP Server on R4 and NTP Client on R1 & R2 NTP SERVER (ROUTER R4) To set clock, write on privilege mode, CA_Server# clock set 12:10:08 26 july 2014 ntp authentication-key 1 md5 ciscoNTP ntp authenticate ntp trusted-key 1 ntp master 2 VERIFICATION: CA_Server# sh ntp status CA_Server# sh ntp associations
  • 3.
    THE PING BOX.NET CCIE Security 4.0 2 | P a g e NTP CLIENTS (ROUTER R1 & R2) ntp authentication-key 1 md5 ciscoNTP ntp authenticate ntp trusted-key 1 ntp server 40.0.0.4 key 1 VERIFICATION: R1# sh ntp status R1# sh ntp associations STEP II: Configure CA Server on R4 and CA Client on Router R1 & R2 CA SERVER (ROUTER R4) ip http server crypto pki server IOS_CA database archive pem password cisco123 grant auto lifetime certificate 300 lifetime ca-certificate 500 no shutdown exit VERIFICATION: CA_Server# sh crypto pki server CA CLIENTS (ROUTER R1 & R2) ip domain name Mabison.com crypto key generate rsa (To generate RSA key)
  • 4.
    THE PING BOX.NET CCIE Security 4.0 3 | P a g e crypto pki trustpoint IOS_CA usage ike enrollment url http://40.0.0.4 subject-name CN=R1 C=IN exit crypto ca authenticate IOS_CA (To get authenticate or to get signature certificate from CA) crypto ca enroll IOS_CA (For getting enrol router in CA Server) STEP III: Create IPSec VPN between Router R1 & R2 using “rsa-sig” ROUTER R1 crypto isakmp policy 10 encr 3des hash md5 group 2 auth rsa-sig exit access-list 101 permit ip host 1.1.1.1 host 2.2.2.2 crypto ipsec transform-set tset esp-3des esp-md5-hmac exit crypto map RSA_ENCRYPT 10 ipsec-isakmp set peer 20.0.0.2 set transform-set tset match address 101
  • 5.
    THE PING BOX.NET CCIE Security 4.0 4 | P a g e exit interface FastEthernet0/0 crypto map RSA_ENCRYPT exit ROUTER R2 crypto isakmp policy 10 encr 3des hash md5 group 2 auth rsa-sig exit access-list 101 permit ip host 2.2.2.2 host 1.1.1.1 crypto ipsec transform-set tset esp-3des esp-md5-hmac exit crypto map RSA_ENCRYPT 10 ipsec-isakmp set peer 10.0.0.1 set transform-set tset match address 101 exit interface FastEthernet0/0 crypto map RSA_ENCRYPT exit VERIFICATION:
  • 6.
    THE PING BOX.NET CCIE Security 4.0 5 | P a g e R1# sh crypto isakmp sa R1# sh crypto ipsec sa IPSec VPN with IKE V2 CONFIGURATION: ON ROUTER R1 R1(config)#crypto ikev2 proposal prop1 R1(config-ikev2-proposal)# encryption 3des des R1(config-ikev2-proposal)# integrity md5 sha1 R1(config-ikev2-proposal)# group 2 5 R1(config-ikev2-proposal)# exit R1(config)#crypto ikev2 policy pol1 R1(config-ikev2-policy)# proposal prop1 R1(config-ikev2-policy)# exit R1(config)#crypto ikev2 keyring kr1 R1(config-ikev2-keyring)# peer site1 R1(config-ikev2-keyring-peer)# address 30.0.0.3 R1(config-ikev2-keyring-peer)# pre-shared-key local cisco1 R1(config-ikev2-keyring-peer)# pre-shared-key remote cisco2
  • 7.
    THE PING BOX.NET CCIE Security 4.0 6 | P a g e R1(config-ikev2-keyring-peer)# exit R1(config-ikev2-keyring)# exit R1(config)#crypto ikev2 profile prof1 R1(config-ikev2-profile)# match identity remote address 30.0.0.3 255.255.255.255 R1(config-ikev2-profile)# authentication remote pre-share R1(config-ikev2-profile)# authentication local pre-share R1(config-ikev2-profile)# keyring local kr1 R1(config-ikev2-profile)# exit R1(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac R1(cfg-crypto-trans)#exit R1(config)#access-list 101 permit ip host 1.1.1.1 host 3.3.3.3 R1(config)#crypto map abc 10 ipsec-isakmp R1(config-crypto-map)# set peer 30.0.0.3 R1(config-crypto-map)# set transform-set tset R1(config-crypto-map)# set ikev2-profile prof1 R1(config-crypto-map)# match address 101 R1(config-crypto-map)# exit R1(config)#int fa 1/0 R1(config-if)#crypto map abc R1(config-if)#exit ON ROUTER R3 R3(config)#crypto ikev2 proposal prop1 R3(config-ikev2-proposal)# encryption 3des des R3(config-ikev2-proposal)# integrity md5 sha1 R3(config-ikev2-proposal)# group 2 5 R3(config-ikev2-proposal)# exit
  • 8.
    THE PING BOX.NET CCIE Security 4.0 7 | P a g e R3(config)#crypto ikev2 policy pol1 R3(config-ikev2-policy)# proposal prop1 R3(config-ikev2-policy)# exit R3(config)#crypto ikev2 keyring kr1 R3(config-ikev2-keyring)# peer site1 R3(config-ikev2-keyring-peer)# address 10.0.0.1 R3(config-ikev2-keyring-peer)# pre-shared-key local cisco2 R3(config-ikev2-keyring-peer)# pre-shared-key remote cisco1 R3(config-ikev2-keyring-peer)# exit R3(config-ikev2-keyring)# exit R3(config)#crypto ikev2 profile prof1 R3(config-ikev2-profile)#$tity remote address 10.0.0.1 255.255.255.255 R3(config-ikev2-profile)# authentication remote pre-share R3(config-ikev2-profile)# authentication local pre-share R3(config-ikev2-profile)# keyring local kr1 R3(config-ikev2-profile)# exit R3(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac R3(cfg-crypto-trans)#exit R3(config)#access-list 101 permit ip host 3.3.3.3 host 1.1.1.1 R3(config)#crypto map abc 10 ipsec-isakmp R3(config-crypto-map)# set peer 10.0.0.1 R3(config-crypto-map)# set transform-set tset R3(config-crypto-map)# set ikev2-profile prof1 R3(config-crypto-map)# match address 101
  • 9.
    THE PING BOX.NET CCIE Security 4.0 8 | P a g e R3(config-crypto-map)# exit R3(config)#int fa 1/0 R3(config-if)#crypto map abc R3(config-if)#exit RESULT: ON ROUTER R1 R1#sh crypto ikev2 sa IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 1 10.0.0.1/500 30.0.0.3/500 none/none READY Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/164 sec IPv6 Crypto IKEv2 SA ON ROUTER R3 R3#sh crypto ikev2 sa IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 1 30.0.0.3/500 10.0.0.1/500 none/none READY Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/36 sec IPv6 Crypto IKEv2 SA