https://www.linkedin.com/in/sandeep-kumarr/ Page 1
Site-to-Site IPsec VPN using Pre-shared-Key
Tasks:
- Configure the hostname of each device, do the IP addressing and perform the necessary routing.
- Check basic connectivity between the WAN devices, i.e. R1 and R3.
- Configure both R1 and R3 for the IPsec tunnel.
- Verify end-to-end connectivity over the Internet using the IPsec tunnel.
Explanation:
Here we are going to configure a site-to-site VPN using IPsec. In this task the site-to-site VPN is built between two routers, and the whole configuration is done via the CLI. The main aim of this task is that the private LANs can communicate over the Internet in a secure way. We use a crypto ISAKMP policy for Phase 1, also known as Main Mode negotiation, with a pre-shared key for authentication. Then an IPsec transform set defines how the actual data is protected. The transform set is negotiated in Phase 2, also called Quick Mode, and Phase 2 is protected by Phase 1. Then we define the proxy IDs, also known as interesting traffic: in the proxy ID we define our local LAN and remote LAN. These LANs communicate once the VPN connection has been established.
In Phase 1, for data integrity we can use MD5 or SHA. For authentication we can use either a pre-shared key or RSA signatures. For confidentiality we can use an encryption algorithm such as DES, 3DES or AES. The lifetime defines how often the Phase 1 keys, derived via Diffie-Hellman and used to protect Phase 2, are refreshed.
In Phase 2 we configure the transform set, which defines the data encapsulation method along with the encryption and data integrity algorithms. Here we have two options: ESP (Encapsulating Security Payload) and AH (Authentication Header). With ESP the information is protected from Layer 3 to Layer 7; with AH the information is protected from Layer 4 to Layer 7. Note that AH provides integrity and authentication only, with no encryption, so confidentiality requires ESP.
Finally we create a crypto map in which we reference our proxy IDs and define our VPN peer IP address. Here we can also have the router install a route for the remote LAN by enabling reverse route injection. Then we apply the crypto map to the interface. When the crypto map is applied to an interface, the router starts listening for ISAKMP packets on UDP port 500, which means that particular interface can accept ISAKMP packets on UDP port 500.
Configuration:
Let's start with PC1. Assign IP address 192.168.1.10/24 and gateway 192.168.1.1.
In the Run dialog type ncpa.cpl and press Enter.
Right-click the adapter shown in the red box and open Properties.
Now click Internet Protocol Version 4 (TCP/IP).
Now assign the IP address as shown, then click OK; the configuration on PC1 is done.
Let's verify the IP address assigned to PC1: open Command Prompt and type ipconfig.
Similarly configure PC2. Assign IP address 172.16.1.10/24 and gateway 172.16.1.1.
In the Run dialog type ncpa.cpl and press Enter.
Right-click the adapter shown in the red box and open Properties.
Now click Internet Protocol Version 4 (TCP/IP).
Now assign the IP address as shown, then click OK; the configuration on PC2 is done.
Let's verify the IP address assigned to PC2: open Command Prompt and type ipconfig.
Now configure R1 with the basic configuration: hostname and IP addressing.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface ethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
*Aug 14 16:07:50.068: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Aug 14 16:07:51.074: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
R1(config-if)#exit
R1(config)#interface ethernet0/0
R1(config-if)#ip address 12.1.1.1 255.255.255.252
R1(config-if)#no shutdown
*Aug 14 16:08:59.792: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Aug 14 16:09:00.794: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
R1(config-if)#end
R1#
Verify the IP addresses assigned to the R1 interfaces
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 12.1.1.1 YES manual up up
Ethernet0/1 192.168.1.1 YES manual up up
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Now configure R2 with the basic configuration: hostname and IP addressing.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface ethernet0/0
R2(config-if)#ip address 12.1.1.2 255.255.255.252
R2(config-if)#no shutdown
*Aug 14 16:24:32.672: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Aug 14 16:24:33.678: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
R2(config-if)#exit
R2(config)#interface ethernet0/1
R2(config-if)#ip address 23.1.1.2 255.255.255.252
R2(config-if)#no shutdown
*Aug 14 16:25:39.726: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Aug 14 16:25:40.732: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
R2(config-if)#end
R2#
Verify the IP addresses assigned to the R2 interfaces
R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 12.1.1.2 YES manual up up
Ethernet0/1 23.1.1.2 YES manual up up
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Now configure R3 with the basic configuration: hostname and IP addressing.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface ethernet0/1
R3(config-if)#ip address 23.1.1.1 255.255.255.252
R3(config-if)#no shutdown
*Aug 14 17:11:59.175: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Aug 14 17:12:00.176: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
R3(config-if)#exit
R3(config)#interface ethernet0/0
R3(config-if)#ip address 172.16.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Aug 14 17:12:40.098: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Aug 14 17:12:41.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
R3(config-if)#end
R3#
Verify the IP addresses assigned to the R3 interfaces
R3#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 172.16.1.1 YES manual up up
Ethernet0/1 23.1.1.1 YES manual up up
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Let's do some routing, starting with Router R1:
R1(config)#ip route 0.0.0.0 0.0.0.0 ethernet0/0 12.1.1.2
Verify the routing table of Router R1
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 12.1.1.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 12.1.1.2, Ethernet0/0
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 12.1.1.0/30 is directly connected, Ethernet0/0
L 12.1.1.1/32 is directly connected, Ethernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/1
L 192.168.1.1/32 is directly connected, Ethernet0/1
Similarly on Router R3:
R3(config)#ip route 0.0.0.0 0.0.0.0 ethernet0/1 23.1.1.2
Verify the routing table of Router R3
R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 23.1.1.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 23.1.1.2, Ethernet0/1
23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 23.1.1.0/30 is directly connected, Ethernet0/1
L 23.1.1.1/32 is directly connected, Ethernet0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Ethernet0/0
L 172.16.1.1/32 is directly connected, Ethernet0/0
Routing table of Router R2
R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is not set
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 12.1.1.0/30 is directly connected, Ethernet0/0
L 12.1.1.2/32 is directly connected, Ethernet0/0
23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 23.1.1.0/30 is directly connected, Ethernet0/1
L 23.1.1.2/32 is directly connected, Ethernet0/1
Let's check connectivity between the devices
R1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#ping 23.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Similarly from Router R3
R3#ping 172.16.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
R3#ping 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Let's start with the VPN configuration on Router R1. First we create crypto ISAKMP policy 1:
R1(config)#
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#encryption des
R1(config-isakmp)#exit
Configure the pre-shared key for authentication
R1(config)#crypto isakmp key sandeep@123 address 23.1.1.1
Configure the IPsec transform set for Phase 2
R1(config)#crypto ipsec transform-set TSET esp-aes esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
Configure an ACL for the proxy IDs (interesting traffic)
R1(config)#
R1(config)#ip access-list extended VPN
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#
Now configure the crypto map
R1(config)#crypto map SITE_A 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 23.1.1.1
R1(config-crypto-map)#match address VPN
R1(config-crypto-map)#set transform-set TSET
R1(config-crypto-map)#reverse-route static
R1(config-crypto-map)#exit
R1(config)#
Now apply the crypto map to the interface
R1(config)#
R1(config)#interface ethernet0/0
R1(config-if)#crypto map SITE_A
R1(config-if)#
*Aug 14 19:57:07.548: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Verify the configuration of the IPsec VPN, starting with the ISAKMP policy
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Verify the ISAKMP key
R1#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 23.1.1.1 sandeep@123
Verify the IPsec transform set
R1#show crypto ipsec transform-set TSET
{ esp-aes esp-md5-hmac }
will negotiate = { Tunnel, },
Verify the proxy ID
R1#show ip access-lists
Extended IP access list VPN
10 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Verify the crypto map
R1#show crypto map
Interfaces using crypto map NiStTeSt1:
Crypto Map IPv4 "SITE_A" 1 ipsec-isakmp
Peer = 23.1.1.1
Extended IP access list VPN
access-list VPN permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Current peer: 23.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
TSET: { esp-aes esp-md5-hmac } ,
}
Reverse Route Injection Enabled
Interfaces using crypto map SITE_A:
Ethernet0/0
As we have enabled reverse-route in the crypto map, a static route for the remote LAN should now be present in the routing table; it is the S 172.16.1.0 entry via 23.1.1.1 in the output below.
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 12.1.1.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 12.1.1.2, Ethernet0/0
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 12.1.1.0/30 is directly connected, Ethernet0/0
L 12.1.1.1/32 is directly connected, Ethernet0/0
172.16.0.0/24 is subnetted, 1 subnets
S 172.16.1.0 [1/0] via 23.1.1.1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/1
L 192.168.1.1/32 is directly connected, Ethernet0/1
Now configure R3 for the VPN connection. First we create crypto ISAKMP policy 1:
R3#
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#hash md5
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#encryption des
R3(config-isakmp)#exi
Configure the pre-shared key for authentication
R3(config)#
R3(config)#crypto isakmp key sandeep@123 address 12.1.1.1
R3(config)#
Configure the IPsec transform set
R3(config)#crypto ipsec transform-set TSET esp-aes esp-md5-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(cfg-crypto-trans)#exit
R3(config)#
Now create an ACL for the proxy IDs
R3(config)#ip access-list extended VPN
R3(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config-ext-nacl)#exit
R3(config)#
Configure the crypto map
R3(config)#crypto map SITE_B 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)#set peer 12.1.1.1
R3(config-crypto-map)#match address VPN
R3(config-crypto-map)#set transform-set TSET
R3(config-crypto-map)#reverse-route static
R3(config-crypto-map)#exit
Now apply the crypto map to the interface
R3(config)#interface ethernet0/1
R3(config-if)#crypto map SITE_B
*Aug 14 20:22:06.426: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#exit
Let's verify the configuration of Router R3, starting with the ISAKMP policy
R3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Verify the ISAKMP key
R3#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 12.1.1.1 sandeep@123
Verify the IPsec transform set
R3#show crypto ipsec transform-set TSET
{ esp-aes esp-md5-hmac }
will negotiate = { Tunnel, },
Verify the proxy ID
R3#show ip access-lists
Extended IP access list VPN
10 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Verify the crypto map
R3#show crypto map
Interfaces using crypto map NiStTeSt1:
Crypto Map IPv4 "SITE_B" 1 ipsec-isakmp
Peer = 12.1.1.1
Extended IP access list VPN
access-list VPN permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 12.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
TSET: { esp-aes esp-md5-hmac } ,
}
Reverse Route Injection Enabled
Interfaces using crypto map SITE_B:
Ethernet0/1
Verify the routing table
R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 23.1.1.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 23.1.1.2, Ethernet0/1
23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 23.1.1.0/30 is directly connected, Ethernet0/1
L 23.1.1.1/32 is directly connected, Ethernet0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Ethernet0/0
L 172.16.1.1/32 is directly connected, Ethernet0/0
S 192.168.1.0/24 [1/0] via 12.1.1.1
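Before moving on to verification, here is an added example (not part of the original lab) that checks the two ends of a crypto-map pair against each other: it parses the R1 and R3 commands above, laid out as running-config text, and reports mismatches in ISAKMP policy, pre-shared key, transform set, peer address and proxy-ACL mirroring; it also flags the Phase 1 choices this lab uses (DES, MD5, DH group 2) that current guidance treats as weak. The config strings and the WEAK table are constructed for this example, and the only assumption is the running-config layout shown.

```python
# Constructed from the lab's R1 and R3 CLI sessions, laid out as running-config text.
R1_CONFIG = """\
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key sandeep@123 address 23.1.1.1
crypto ipsec transform-set TSET esp-aes esp-md5-hmac
ip access-list extended VPN
 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto map SITE_A 1 ipsec-isakmp
 set peer 23.1.1.1
 match address VPN
 set transform-set TSET
"""
R3_CONFIG = """\
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key sandeep@123 address 12.1.1.1
crypto ipsec transform-set TSET esp-aes esp-md5-hmac
ip access-list extended VPN
 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map SITE_B 1 ipsec-isakmp
 set peer 12.1.1.1
 match address VPN
 set transform-set TSET
"""
# Phase 1 choices that current guidance treats as weak or legacy (table constructed here).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def parse_config(text):
    """Pull the IKE/IPsec pieces out of IOS config text into plain dicts."""
    cfg = {"policy": {}, "keys": {}, "transform": {}, "acl": {}, "map": {}}
    section = None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):                     # top-level command
            section = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                section, cfg["policy"][w[3]] = ("policy", w[3]), {}
            elif w[:3] == ["crypto", "isakmp", "key"]:   # key <psk> address <peer>
                cfg["keys"][w[5]] = w[3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform"][w[3]] = tuple(sorted(w[4:]))
            elif w[:3] == ["ip", "access-list", "extended"]:
                section, cfg["acl"][w[3]] = ("acl", w[3]), []
            elif w[:2] == ["crypto", "map"]:
                section, cfg["map"][w[2]] = ("map", w[2]), {}
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "policy":                             # e.g. "hash md5"
            cfg["policy"][name][w[0]] = w[1]
        elif kind == "acl" and w[0] == "permit":         # permit ip src wc dst wc
            cfg["acl"][name].append(tuple(w[2:6]))
        elif kind == "map" and w[0] in ("set", "match"):  # set peer / match address / set transform-set
            cfg["map"][name][w[1]] = w[2]
    return cfg

def check_pair(cfg_a, addr_a, cfg_b, addr_b):
    """Return findings for a crypto-map pair; an empty list means consistent and strong."""
    f = []
    pol_a = {tuple(sorted(p.items())) for p in cfg_a["policy"].values()}
    pol_b = {tuple(sorted(p.items())) for p in cfg_b["policy"].values()}
    if not pol_a & pol_b:                                # Phase 1 needs one identical policy
        f.append("no ISAKMP policy matches between the peers")
    for side, cfg in (("A", cfg_a), ("B", cfg_b)):
        for prio, pol in cfg["policy"].items():
            for attr, bad in WEAK.items():
                if pol.get(attr) in bad:
                    f.append(f"{side}: policy {prio} uses weak {attr} {pol[attr]}")
    key_ab, key_ba = cfg_a["keys"].get(addr_b), cfg_b["keys"].get(addr_a)
    if key_ab is None or key_ab != key_ba:               # each side keys the other's address
        f.append("pre-shared keys are missing or do not match")
    map_a = next(iter(cfg_a["map"].values()), {})
    map_b = next(iter(cfg_b["map"].values()), {})
    if map_a.get("peer") != addr_b or map_b.get("peer") != addr_a:
        f.append("crypto map peers do not point at each other")
    if (cfg_a["transform"].get(map_a.get("transform-set"))
            != cfg_b["transform"].get(map_b.get("transform-set"))):
        f.append("transform sets differ")
    acl_a = set(cfg_a["acl"].get(map_a.get("address"), []))
    acl_b = cfg_b["acl"].get(map_b.get("address"), [])
    if acl_a != {(d, dw, s, sw) for s, sw, d, dw in acl_b}:  # proxy IDs must mirror
        f.append("proxy ACLs are not mirror images of each other")
    return f

def lab_findings():
    """Run the check on the lab's R1 (12.1.1.1) and R3 (23.1.1.1) configuration."""
    return check_pair(parse_config(R1_CONFIG), "12.1.1.1", parse_config(R3_CONFIG), "23.1.1.1")
```

On the lab configuration the two sides are consistent and the only findings are the six weak-algorithm warnings (DES, MD5 and group 2 on each router).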
So we are done with the configuration part on all the devices.
It's time to verify that the VPN connection is established between SITE_A and SITE_B.
Verification of the task:
Generate some traffic from PC1 to PC2: from 192.168.1.10 (PC1) ping 172.16.1.10 (PC2). This traffic matches the VPN access list and triggers the IKE negotiation.
Now check the ISAKMP SA on Router R1
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
23.1.1.1 12.1.1.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
Now check the IPsec SA on Router R1
R1#show crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: SITE_A, local addr 12.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 23.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0xAEDF3447(2933863495)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x600FE16E(1611653486)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: SITE_A
sa timing: remaining key lifetime (k/sec): (4176059/3487)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAEDF3447(2933863495)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: SITE_A
sa timing: remaining key lifetime (k/sec): (4176059/3487)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Check the crypto session on Router R1
R1#show crypto session
Crypto session current status
Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: 23.1.1.1 port 500
Session ID: 0
IKEv1 SA: local 12.1.1.1/500 remote 23.1.1.1/500 Active
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 172.16.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
Check the same things on Router R3
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
23.1.1.1 12.1.1.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
Check the IPsec SA on Router R3
R3#show crypto ipsec sa
interface: Ethernet0/1
Crypto map tag: SITE_B, local addr 23.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 12.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 23.1.1.1, remote crypto endpt.: 12.1.1.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
current outbound spi: 0x600FE16E(1611653486)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xAEDF3447(2933863495)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: SITE_B
sa timing: remaining key lifetime (k/sec): (4257465/3134)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x600FE16E(1611653486)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: SITE_B
sa timing: remaining key lifetime (k/sec): (4257465/3134)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Check the crypto session on Router R3
R3#show crypto session
Crypto session current status
Interface: Ethernet0/1
Session status: UP-ACTIVE
Peer: 12.1.1.1 port 500
Session ID: 0
IKEv1 SA: local 23.1.1.1/500 remote 12.1.1.1/500 Active
IPSEC FLOW: permit ip 172.16.1.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
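As an added example (not part of the original lab), the following script reads the show crypto ipsec sa output from both routers, trimmed here to the lines it needs, and cross-checks what a working tunnel must show: each side's outbound SPI equals the other side's inbound SPI, the proxy identities mirror, packets are both encapsulated and decapsulated, no send/receive errors are counted, and the ESP SAs are ACTIVE with replay detection on. The sample output is constructed from the lab's own values.

```python
import re

# Constructed from the lab's "show crypto ipsec sa" output on R1 and R3, trimmed to the lines used.
R1_SA = """\
interface: Ethernet0/0
    Crypto map tag: SITE_A, local addr 12.1.1.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 23.1.1.1 port 500
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #send errors 0, #recv errors 0
     current outbound spi: 0xAEDF3447(2933863495)
     inbound esp sas:
      spi: 0x600FE16E(1611653486)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0xAEDF3447(2933863495)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
"""
R3_SA = """\
interface: Ethernet0/1
    Crypto map tag: SITE_B, local addr 23.1.1.1
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 12.1.1.1 port 500
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #send errors 0, #recv errors 0
     current outbound spi: 0x600FE16E(1611653486)
     inbound esp sas:
      spi: 0xAEDF3447(2933863495)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0x600FE16E(1611653486)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
"""

def parse_ipsec_sa(text):
    """Extract identities, counters and per-direction ESP SA details from the show output."""
    sa = {"inbound": {}, "outbound": {}}
    direction = None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"(local|remote)\s+ident .*\): \((\S+?)/(\S+?)/", s):
            sa[m[1]] = (m[2], m[3])                     # proxy identity as (network, mask)
        elif m := re.match(r"current_peer (\S+)", s):
            sa["peer"] = m[1]
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            sa[m[1]] = int(m[2])
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            sa["errors"] = int(m[1]) + int(m[2])
        elif m := re.match(r"(inbound|outbound) esp sas:", s):
            direction = m[1]
        elif s.endswith(" sas:"):                        # ah/pcp sections are not checked here
            direction = None
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            sa[direction]["spi"] = m[1].lower()
        elif direction and (m := re.match(r"replay detection support: (\w)", s)):
            sa[direction]["replay"] = m[1] == "Y"
        elif direction and (m := re.match(r"Status: (\w+)", s)):
            sa[direction]["status"] = m[1]
    return sa

def check_tunnel(sa_a, sa_b):
    """Cross-check one tunnel from both ends; an empty list means the SAs look healthy."""
    f = []
    if (sa_a["outbound"].get("spi") != sa_b["inbound"].get("spi")
            or sa_a["inbound"].get("spi") != sa_b["outbound"].get("spi")):
        f.append("SPIs are not paired: each side's outbound SPI must be the other's inbound")
    if sa_a.get("local") != sa_b.get("remote") or sa_a.get("remote") != sa_b.get("local"):
        f.append("proxy identities do not mirror between the peers")
    for side, sa in (("A", sa_a), ("B", sa_b)):
        # encaps > 0 with decaps == 0 is the classic one-way tunnel symptom:
        # the far side is not sending return traffic into the tunnel.
        if not sa.get("encaps") or not sa.get("decaps"):
            f.append(f"{side}: traffic flows in only one direction or not at all")
        if sa.get("errors"):
            f.append(f"{side}: send/recv errors reported")
        for d in ("inbound", "outbound"):
            if sa[d].get("status") != "ACTIVE" or not sa[d].get("replay"):
                f.append(f"{side}: {d} SA not ACTIVE or replay detection off")
    return f

def lab_tunnel_findings():
    """Run the check on the lab's R1 and R3 output; expected to come back clean."""
    return check_tunnel(parse_ipsec_sa(R1_SA), parse_ipsec_sa(R3_SA))
```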
END of Task.
Networking Tutorial Goes to Basic PPP Configuration
 
Ospf Last Modified Eng
Ospf  Last Modified EngOspf  Last Modified Eng
Ospf Last Modified Eng
 
Eigrp on a cisco asa firewall configuration
Eigrp on a cisco asa firewall configurationEigrp on a cisco asa firewall configuration
Eigrp on a cisco asa firewall configuration
 
119163798 icnd1-practice-questions-9tut
119163798 icnd1-practice-questions-9tut119163798 icnd1-practice-questions-9tut
119163798 icnd1-practice-questions-9tut
 
BGP Next-hop-self
BGP Next-hop-selfBGP Next-hop-self
BGP Next-hop-self
 
E routing final exam ccna 2 46
E routing final exam ccna 2 46E routing final exam ccna 2 46
E routing final exam ccna 2 46
 
Cisco CCNA- How to Configure Multi-Layer Switch
Cisco CCNA- How to Configure Multi-Layer SwitchCisco CCNA- How to Configure Multi-Layer Switch
Cisco CCNA- How to Configure Multi-Layer Switch
 
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
DMVPN configuration - Configuring Cisco dynamic Multipoint VPN - HUB, SPOKES,...
 
Intro to router_config
Intro to router_configIntro to router_config
Intro to router_config
 
ccna project on topic company infrastructure
ccna project on topic company infrastructureccna project on topic company infrastructure
ccna project on topic company infrastructure
 

Recently uploaded

HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 

Recently uploaded (20)

HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 

Site to Site VPN between Cisco Routers

https://www.linkedin.com/in/sandeep-kumarr/

Site-to-Site IPsec VPN using Pre-shared-Key

Tasks:
- Configure the hostname of each device, do the IP addressing and perform the necessary routing.
- Check basic connectivity between the WAN devices, i.e. R1 and R3.
- Configure both R1 and R3 for the IPsec tunnel.
- Verify end-to-end connectivity over the Internet using the IPsec tunnel.

Explanation:
Here we are going to configure a site-to-site VPN using IPsec. In this task the VPN is built between two routers and the whole configuration is done via the CLI. The main aim of this task is that the private LANs can communicate over the Internet in a secure way. We use a crypto ISAKMP policy for Phase 1, also known as Main Mode negotiation, with pre-shared-key authentication. Then an IPsec transform set defines how the actual data is protected. The transform set is negotiated in Phase 2, also called Quick Mode; Phase 2 is protected by Phase 1. Then we define the proxy IDs, also known as interesting traffic: an ACL naming our local LAN and the remote LAN. Only these LANs communicate through the tunnel once the VPN connection is established.
In Phase 1, for data integrity we can use MD5 or SHA (SHA-1 or the SHA-2 family); MD5 and SHA-1 are considered weak today. For authentication we can use either a pre-shared key or RSA signatures. For confidentiality we can use DES, 3DES or AES; only AES is still considered secure. The lifetime defines how long the Phase 1 SA stays valid before it is renegotiated, which means a fresh Diffie-Hellman exchange and fresh keying material for protecting Phase 2.

In Phase 2 we configure a transform set, which defines the data encapsulation method along with the encryption and data-integrity algorithms. Here we have two options: ESP (Encapsulating Security Payload) and AH (Authentication Header). ESP encrypts the payload, which in tunnel mode is the whole original IP packet, and can also authenticate it. AH only authenticates: it provides integrity over the payload and the immutable fields of the IP header but no confidentiality, and because it covers the IP header it does not survive NAT.

At last we have to create a crypto map in which we call our proxy IDs (the ACL), define the VPN peer's IP address and the transform set. Here we can also have the router install a route for the remote LAN by enabling reverse route injection. Finally we apply the crypto map on the outside interface. Once a crypto map is applied to an interface the router starts listening for ISAKMP (IKE) packets on UDP port 500 on that interface (and on UDP port 4500 when NAT traversal is in use).

Configuration:

Let's start with PC1. Assign IP address 192.168.1.10/24 and gateway 192.168.1.1. In the Run box type ncpa.cpl and press Enter.
Right-click the network adapter and open Properties.
Now click Internet Protocol Version 4 (TCP/IPv4).
Now assign IP address 192.168.1.10, subnet mask 255.255.255.0 and default gateway 192.168.1.1, then click OK. That completes the configuration of PC1.
Let's verify the IP address assigned to PC1: open a Command Prompt and type ipconfig.

Similarly configure PC2: assign IP address 172.16.1.10/24 and gateway 172.16.1.1. In the Run box type ncpa.cpl and press Enter.
Right-click the network adapter and open Properties.
Now click Internet Protocol Version 4 (TCP/IPv4).
Now assign IP address 172.16.1.10, subnet mask 255.255.255.0 and default gateway 172.16.1.1, then click OK. That completes the configuration of PC2.
Let's verify the IP address assigned to PC2: open a Command Prompt and type ipconfig.

Now configure R1 with the basic configuration, i.e. hostname and IP addressing:

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface ethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
*Aug 14 16:07:50.068: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Aug 14 16:07:51.074: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
R1(config-if)#exit
R1(config)#interface ethernet0/0
R1(config-if)#ip address 12.1.1.1 255.255.255.252
R1(config-if)#no shutdown
*Aug 14 16:08:59.792: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Aug 14 16:09:00.794: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
R1(config-if)#end
R1#

Verify the IP addresses assigned to the interfaces of router R1:

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                12.1.1.1        YES manual up                    up
Ethernet0/1                192.168.1.1     YES manual up                    up
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down

Now configure R2 with the basic configuration, i.e. hostname and IP addressing:

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface ethernet0/0
R2(config-if)#ip address 12.1.1.2 255.255.255.252
R2(config-if)#no shutdown
*Aug 14 16:24:32.672: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Aug 14 16:24:33.678: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
R2(config-if)#exit
R2(config)#interface ethernet0/1
R2(config-if)#ip address 23.1.1.2 255.255.255.252
R2(config-if)#no shutdown
*Aug 14 16:25:39.726: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Aug 14 16:25:40.732: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
R2(config-if)#end
R2#

Verify the IP addresses assigned to the interfaces of router R2:

R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                12.1.1.2        YES manual up                    up
Ethernet0/1                23.1.1.2        YES manual up                    up
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Now configure R3 with the basic configuration, i.e. hostname and IP addressing:

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface ethernet0/1
R3(config-if)#ip address 23.1.1.1 255.255.255.252
R3(config-if)#no shutdown
*Aug 14 17:11:59.175: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
*Aug 14 17:12:00.176: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up
R3(config-if)#exit
R3(config)#interface ethernet0/0
R3(config-if)#ip address 172.16.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Aug 14 17:12:40.098: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Aug 14 17:12:41.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
R3(config-if)#end
R3#
Verify the IP addresses assigned to the interfaces of router R3:

R3#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                172.16.1.1      YES manual up                    up
Ethernet0/1                23.1.1.1        YES manual up                    up
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Let's do some routing, starting with router R1. R1 knows nothing about the remote site, so it simply gets a default route towards R2, which plays the role of the Internet:

R1(config)#ip route 0.0.0.0 0.0.0.0 ethernet0/0 12.1.1.2

Verify the routing table of router R1:

R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 12.1.1.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 12.1.1.2, Ethernet0/0
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.1.1.0/30 is directly connected, Ethernet0/0
L        12.1.1.1/32 is directly connected, Ethernet0/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Ethernet0/1
L        192.168.1.1/32 is directly connected, Ethernet0/1
Similarly on router R3:

R3(config)#ip route 0.0.0.0 0.0.0.0 ethernet0/1 23.1.1.2

Verify the routing table of router R3:

R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 23.1.1.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 23.1.1.2, Ethernet0/1
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.1.1.0/30 is directly connected, Ethernet0/1
L        23.1.1.1/32 is directly connected, Ethernet0/1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, Ethernet0/0
L        172.16.1.1/32 is directly connected, Ethernet0/0
Routing table of router R2. R2 only knows its two directly connected WAN subnets and never learns the private LANs; that is exactly the gap the VPN bridges, because the LAN-to-LAN packets will travel inside ESP between 12.1.1.1 and 23.1.1.1:

R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is not set

      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.1.1.0/30 is directly connected, Ethernet0/0
L        12.1.1.2/32 is directly connected, Ethernet0/0
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.1.1.0/30 is directly connected, Ethernet0/1
L        23.1.1.2/32 is directly connected, Ethernet0/1
Let's check connectivity between the devices. From R1, ping its own LAN host and the WAN address of R3:

R1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#ping 23.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

Similarly from router R3:

R3#ping 172.16.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
R3#ping 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

At this point the two WAN endpoints reach each other, but PC1 still cannot reach PC2: R2 has no route for either private LAN.
Let's start with the VPN configuration on router R1. First we create crypto ISAKMP policy 1, the Phase 1 proposal. DES, MD5 and DH group 2 are used here because this is a lab; for anything real use AES, SHA-2 and DH group 14 or stronger.

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#encryption des
R1(config-isakmp)#exit

Configure the pre-shared key for authentication, bound to the address of the peer:

R1(config)#crypto isakmp key sandeep@123 address 23.1.1.1

Configure the IPsec transform set for Phase 2:

R1(config)#crypto ipsec transform-set TSET esp-aes esp-md5-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit

Configure an ACL for the proxy IDs, i.e. the interesting traffic:

R1(config)#ip access-list extended VPN
R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
R1(config-ext-nacl)#exit

Now configure the crypto map:

R1(config)#crypto map SITE_A 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 23.1.1.1
R1(config-crypto-map)#match address VPN
R1(config-crypto-map)#set transform-set TSET
R1(config-crypto-map)#reverse-route static
R1(config-crypto-map)#exit

Now apply the crypto map on the outside interface:

R1(config)#interface ethernet0/0
R1(config-if)#crypto map SITE_A
*Aug 14 19:57:07.548: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Verify the configuration of the IPsec VPN, starting with the ISAKMP policy:

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Verify the ISAKMP key. Note that the key is displayed in cleartext, exactly as it sits in the running configuration: anyone who can run show commands or read a configuration backup has it. IOS can store it as a type 6 secret instead (key config-key password-encrypt, then password encryption aes).

R1#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      23.1.1.1                                    sandeep@123

Verify the IPsec transform set:

R1#show crypto ipsec transform-set
TSET { esp-aes esp-md5-hmac  }
   will negotiate = { Tunnel,  },

Verify the proxy IDs:

R1#show ip access-lists
Extended IP access list VPN
    10 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

Verify the crypto map:

R1#show crypto map
Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "SITE_A" 1 ipsec-isakmp
        Peer = 23.1.1.1
        Extended IP access list VPN
            access-list VPN permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
        Current peer: 23.1.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                TSET:  { esp-aes esp-md5-hmac  } ,
        }
        Reverse Route Injection Enabled
        Interfaces using crypto map SITE_A:
                Ethernet0/0

As we have enabled reverse-route in the crypto map, a static route for the remote LAN (172.16.1.0/24 via the peer 23.1.1.1) should now be present in the routing table; it is the "S 172.16.1.0" entry below:

R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 12.1.1.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 12.1.1.2, Ethernet0/0
      12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        12.1.1.0/30 is directly connected, Ethernet0/0
L        12.1.1.1/32 is directly connected, Ethernet0/0
      172.16.0.0/24 is subnetted, 1 subnets
S        172.16.1.0 [1/0] via 23.1.1.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Ethernet0/1
L        192.168.1.1/32 is directly connected, Ethernet0/1

Now configure R3 for the VPN connection. Again we first create crypto ISAKMP policy 1; the Phase 1 parameters must match the ones on R1, otherwise no policy is agreed and Main Mode fails:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#hash md5
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#encryption des
R3(config-isakmp)#exi

Configure the same pre-shared key, bound to R1's address:

R3(config)#crypto isakmp key sandeep@123 address 12.1.1.1
Configure the IPsec transform set:

R3(config)#crypto ipsec transform-set TSET esp-aes esp-md5-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(cfg-crypto-trans)#exit

Now create the ACL for the proxy IDs. It is the mirror image of R1's ACL: source and destination are swapped.

R3(config)#ip access-list extended VPN
R3(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config-ext-nacl)#exit

Configure the crypto map:

R3(config)#crypto map SITE_B 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#set peer 12.1.1.1
R3(config-crypto-map)#match address VPN
R3(config-crypto-map)#set transform-set TSET
R3(config-crypto-map)#reverse-route static
R3(config-crypto-map)#exit

Now apply the crypto map on the outside interface:

R3(config)#interface ethernet0/1
R3(config-if)#crypto map SITE_B
*Aug 14 20:22:06.426: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#exit
Let's verify the configuration of router R3, starting with the ISAKMP policy:

R3#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Verify the ISAKMP key:

R3#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      12.1.1.1                                    sandeep@123

Verify the IPsec transform set:

R3#show crypto ipsec transform-set
TSET { esp-aes esp-md5-hmac  }
   will negotiate = { Tunnel,  },

Verify the proxy IDs:

R3#show ip access-lists
Extended IP access list VPN
    10 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Verify the crypto map:

R3#show crypto map
Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "SITE_B" 1 ipsec-isakmp
        Peer = 12.1.1.1
        Extended IP access list VPN
            access-list VPN permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 12.1.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                TSET:  { esp-aes esp-md5-hmac  } ,
        }
        Reverse Route Injection Enabled
        Interfaces using crypto map SITE_B:
                Ethernet0/1

Verify the routing table; the reverse-route entry for 192.168.1.0/24 should be present:

R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 23.1.1.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 23.1.1.2, Ethernet0/1
      23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        23.1.1.0/30 is directly connected, Ethernet0/1
L        23.1.1.1/32 is directly connected, Ethernet0/1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, Ethernet0/0
L        172.16.1.1/32 is directly connected, Ethernet0/0
S     192.168.1.0/24 [1/0] via 12.1.1.1

So we are done with the configuration of all the devices. It's time to verify that the VPN connection is established between SITE_A and SITE_B.
Verification of the task:

Generate some traffic from PC1 to PC2: from 192.168.1.10 (PC1), ping 172.16.1.10 (PC2). This traffic matches the VPN access list (the proxy ID), which is what triggers the IKE negotiation.

Now check the ISAKMP SA on Router R1:

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
23.1.1.1        12.1.1.1        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

Now check the IPsec SA on Router R1:

R1#show crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: SITE_A, local addr 12.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 23.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xAEDF3447(2933863495)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x600FE16E(1611653486)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: SITE_A
        sa timing: remaining key lifetime (k/sec): (4176059/3487)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAEDF3447(2933863495)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: SITE_A
        sa timing: remaining key lifetime (k/sec): (4176059/3487)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Check the crypto session on Router R1:

R1#show crypto session
Crypto session current status

Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: 23.1.1.1 port 500
  Session ID: 0
  IKEv1 SA: local 12.1.1.1/500 remote 23.1.1.1/500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 172.16.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
Now check the same things on Router R3.

Check the ISAKMP SA on Router R3:

R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
23.1.1.1        12.1.1.1        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

Check the IPsec SA on Router R3:

R3#show crypto ipsec sa

interface: Ethernet0/1
    Crypto map tag: SITE_B, local addr 23.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 12.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 23.1.1.1, remote crypto endpt.: 12.1.1.1
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
     current outbound spi: 0x600FE16E(1611653486)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xAEDF3447(2933863495)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: SITE_B
        sa timing: remaining key lifetime (k/sec): (4257465/3134)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x600FE16E(1611653486)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: SITE_B
        sa timing: remaining key lifetime (k/sec): (4257465/3134)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Check the crypto session on Router R3:

R3#show crypto session
Crypto session current status

Interface: Ethernet0/1
Session status: UP-ACTIVE
Peer: 12.1.1.1 port 500
  Session ID: 0
  IKEv1 SA: local 23.1.1.1/500 remote 12.1.1.1/500 Active
  IPSEC FLOW: permit ip 172.16.1.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

END of Task.
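The verification steps above can be scripted: as an added example that is not part of the original slides, the Python below parses the `show crypto ipsec sa` output and applies the checks a practitioner wants (both ESP SAs ACTIVE, packets encapsulated and decapsulated, zero send/recv errors), and it also flags two settings visible in the output, esp-md5-hmac and PFS off, that a current deployment should replace. The sample text is constructed from the R1 output shown above, not captured from the lab, and the function and variable names are my own.

```python
import re
# Constructed sample modelled on the R1 "show crypto ipsec sa" output above (not a lab capture).
SAMPLE_IPSEC_SA = """\
interface: Ethernet0/0
   current_peer 23.1.1.1 port 500
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #send errors 0, #recv errors 0
     current outbound spi: 0xAEDF3447(2933863495)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x600FE16E(1611653486)
        transform: esp-aes esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xAEDF3447(2933863495)
        transform: esp-aes esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)
"""
# ESP transforms to flag today (DES/3DES ciphers, MD5 integrity).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
# One match per SA: its "spi:" line, then its transform and Status; the line-start anchor skips "current outbound spi:".
SA_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+).*?transform: (.+?) ,.*?Status: (\w+)", re.S | re.M)

def parse_ipsec_sa(text):
    """Extract packet counters, the PFS flag and per-SA details from the show output."""
    info = {"counters": {}, "sas": []}
    for m in re.finditer(r"#pkts (\w+): (\d+)", text):
        info["counters"][m.group(1)] = int(m.group(2))
    for m in re.finditer(r"#(send|recv) errors (\d+)", text):
        info["counters"][m.group(1) + "_errors"] = int(m.group(2))
    pfs = re.search(r"PFS \(Y/N\): (\w)", text)
    info["pfs"] = bool(pfs and pfs.group(1) == "Y")
    for spi, transform, status in SA_RE.findall(text):
        info["sas"].append({"spi": spi, "transform": transform.split(), "status": status})
    return info

def check_tunnel(info):
    """Return findings; empty means both SAs ACTIVE, traffic both ways, no errors, nothing weak."""
    findings, c = [], info["counters"]
    if len(info["sas"]) < 2 or any(sa["status"] != "ACTIVE" for sa in info["sas"]):
        findings.append("expected an ACTIVE inbound and an ACTIVE outbound ESP SA")
    if c.get("encaps", 0) == 0 or c.get("decaps", 0) == 0:
        findings.append("no traffic in one direction yet (send interesting traffic first)")
    if c.get("send_errors", 0) or c.get("recv_errors", 0):
        findings.append("send/recv errors are non-zero")
    weak = {t for sa in info["sas"] for t in sa["transform"] if t in WEAK_TRANSFORMS}
    findings.extend(f"weak transform in use: {t}" for t in sorted(weak))
    if not info["pfs"]:
        findings.append("PFS is off: compromise of the IKE SA key exposes every phase 2 key")
    return findings
```

Paste the real output of `show crypto ipsec sa` into `parse_ipsec_sa` and an empty list from `check_tunnel` means the tunnel is up and clean; the R3 side can be checked the same way.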