CCNA Extra Class 04: Configure the IPSec VPN Site to Site Tunnel in Cisco

How to Configure IPSec VPN Site to Site Tunneling in Cisco Routers


Addressing Table

Device   Interface   IP address         Gateway
R1       Gig0/0      192.168.10.1/24    -
R1       Se0/0/0     10.10.10.1/30      -
R2       Se0/0/0     10.10.10.2/30      -
R2       Se0/0/1     10.20.20.2/30      -
R2       Gig0/0      192.168.20.1/24    -
R3       Gig0/0      192.168.30.1/24    -
R3       Se0/0/0     10.20.20.1/30      -
PC-A     Fa0         192.168.10.10/24   192.168.10.1
PC-B     Fa0         192.168.20.10/24   192.168.20.1
PC-C     Fa0         192.168.30.10/24   192.168.30.1

ISAKMP Phase 1 Policy Parameters

Parameters                  Options                   R1 (Site-1)         R3 (Site-3)
Key Distribution Method     Manual or ISAKMP          ISAKMP Policy 100   ISAKMP Policy 100
Hash Algorithm              MD5 or SHA-1              SHA-1               SHA-1
Authentication Method       Pre-shared keys or RSA    pre-share           pre-share
Group: Key Exchange         DH Group 1, 2, or 5       DH 5                DH 5
Lifetime: IKE SA Lifetime   86400 seconds or less     86400               86400
Encryption Algorithm        DES, 3DES, or AES         AES 128             AES 128
ISAKMP Key                  -                         VPN                 VPN

IPsec Phase 2 Policy Parameters

Parameters                    R1 (Site-1)                                               R3 (Site-3)
Transform Set Name            VPN-SET                                                   VPN-SET
ESP Transform Encryption      esp-aes                                                   esp-aes
ESP Transform Authentication  esp-sha-hmac                                              esp-sha-hmac
Peer IP Address               10.20.20.1                                                10.10.10.1
Traffic to be Encrypted       access-list 110 (source 192.168.10.0 dest 192.168.30.0)   access-list 110 (source 192.168.30.0 dest 192.168.10.0)
Crypto Map Name               VPN-MAP                                                   VPN-MAP
SA Establishment              ipsec-isakmp                                              ipsec-isakmp

N.B.: The site-specific values (the peer address, the address on the ISAKMP key, the source and destination networks in access-list 110, and the crypto map description) must be changed when configuring each site; everything else in the tables (policy number, hash, authentication method, DH group, lifetime, encryption, pre-shared key, transform set and crypto map name) must be identical on both routers.


Objectives - 

Part 1: Configure IPsec Parameters on R1 (site-01)

Step-01: Basic Network, Devices, Routing Protocol Configuration

Step-02: Before starting the VPN configuration, ensure the Security Technology package is installed on the routers.

Step-03: Identify Interesting Traffic on R1

Step-04: Configure the Internet Key Exchange (IKE) Phase 1 ISAKMP Policy on R1.

Step-05: Configure IKE Phase 2 IPSec Policy on R1

Step-06: Configure Crypto Map on the Outgoing Interface


Part 2: Configure IPsec Parameters on R3 (Site-03)

Perform all the same steps as for R1 (Site-01), with the site-specific values swapped.


Part 3: Verify the IPsec VPN

Step 1: Verify the tunnel prior to interesting traffic.

Step 2: Create interesting traffic.

Step 3: Verify the tunnel after interesting traffic

Step 4: Create uninteresting traffic

Step 5: Verify the tunnel.

Step 6: Check results.


Configuration as Per Instructions -

Part 1: Configure IPsec Parameters on R1 (site-01)

Step-01: Test connectivity

Ping from PC-A to PC-C to check connectivity, and use tracert to check the path the data takes from source to destination (it should pass through R1, R2 and R3).

Step-02: Enable the Security Technology package.

Check whether the securityk9 package is already enabled:

R1# show version

If it is not, enable it (accept the EULA when prompted), save the configuration and reload; the crypto commands in the following steps are only available once the license is active:

R1(config)# license boot module c2900 technology-package securityk9
R1(config)# end
R1# copy running-config startup-config
R1# reload

After the reload, confirm that securityk9 now shows as enabled:

R1# show version

Step-03: Permit the specific IP addresses (interesting traffic) on R1 (Site-1 to Site-3).

R1(config)# access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R1(config)# access-list 110 deny ip any any    (optional; every ACL already ends in an implicit deny)

Step-04: Configure the IKE Phase 1 ISAKMP policy on R1 according to the given parameters (AES 128, SHA-1, pre-shared key, DH group 5, 86400-second lifetime). The pre-shared key is bound to the address of the peer's WAN interface, R3 Se0/0/0.

R1(config)# crypto isakmp policy 100
R1(config-isakmp)# encryption aes 128
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# exit
R1(config)# crypto isakmp key VPN address 10.20.20.1

Step-05: Configure the IKE Phase 2 IPsec policy on R1 (Site-1).

R1(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

R1(config)# crypto map VPN-MAP 100 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3 at Site-03
R1(config-crypto-map)# set peer 10.20.20.1
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

Step-06: Configure the crypto map on the outgoing interface.

R1(config)# interface s0/0/0
R1(config-if)# crypto map VPN-MAP


Part 2: Configure IPsec Parameters on R3 (Site-03)

Configure Router 03 at Site-03 the same way as Router 01, using the Site-3 column of the tables above (the ACL is the mirror image of R1's, and the peer and key addresses point at R1's Se0/0/0).

Commands:

R3(config)# access-list 110 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255

R3(config)# crypto isakmp policy 100
R3(config-isakmp)# encryption aes 128
R3(config-isakmp)# hash sha
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)# crypto isakmp key VPN address 10.10.10.1

R3(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
R3(config)# crypto map VPN-MAP 100 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.10.10.1
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit

R3(config)# interface s0/0/0
R3(config-if)# crypto map VPN-MAP
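The two configurations above only negotiate if they mirror each other exactly. As an added example (not part of the original lab), this script transcribes the Phase 1 and Phase 2 parameters from the tables into two dictionaries (field names are my own) and reports every asymmetry that would break the tunnel: a peer or key address that is not the far side's WAN interface, an ACL that is not local LAN to remote LAN, or a policy, key or transform set that differs between the sites.

```python
from copy import deepcopy

# Hand-transcribed from the Addressing, Phase 1 and Phase 2 tables above.
PLAN = {
    "R1": {"wan_ip": "10.10.10.1", "lan": "192.168.10.0/24",
           "peer": "10.20.20.1", "key_address": "10.20.20.1",
           "acl": ("192.168.10.0/24", "192.168.30.0/24"),   # (source, destination)
           "isakmp": ("aes 128", "sha", "pre-share", 5, 86400),
           "key": "VPN", "transform_set": ("esp-aes", "esp-sha-hmac")},
    "R3": {"wan_ip": "10.20.20.1", "lan": "192.168.30.0/24",
           "peer": "10.10.10.1", "key_address": "10.10.10.1",
           "acl": ("192.168.30.0/24", "192.168.10.0/24"),
           "isakmp": ("aes 128", "sha", "pre-share", 5, 86400),
           "key": "VPN", "transform_set": ("esp-aes", "esp-sha-hmac")},
}

def check_mirror(plan):
    """Return the list of asymmetries between the two sites (empty = consistent)."""
    (n1, s1), (n2, s2) = plan.items()
    findings = []
    for name, local, remote in ((n1, s1, s2), (n2, s2, s1)):
        # Phase 2 peer and Phase 1 key address must both be the far WAN interface.
        for field in ("peer", "key_address"):
            if local[field] != remote["wan_ip"]:
                findings.append(f"{name}: {field} {local[field]} is not {remote['wan_ip']}")
        # Interesting-traffic ACL must be local LAN -> remote LAN on each side.
        if local["acl"] != (local["lan"], remote["lan"]):
            findings.append(f"{name}: ACL {local['acl']} is not local LAN -> remote LAN")
    # Negotiated parameters must be identical on both peers.
    for field in ("isakmp", "key", "transform_set"):
        if s1[field] != s2[field]:
            findings.append(f"{field} differs: {n1}={s1[field]} {n2}={s2[field]}")
    return findings

def with_typo(plan, site, field, value):
    """Copy of the plan with one value changed, to show what the check catches."""
    bad = deepcopy(plan)
    bad[site][field] = value
    return bad

if __name__ == "__main__":
    print(check_mirror(PLAN) or "plan is consistent")
    # A mistyped key address on R1, or AES 256 on one side only, is reported.
    print(check_mirror(with_typo(PLAN, "R1", "key_address", "10.2.2.2")))
    print(check_mirror(with_typo(PLAN, "R3", "isakmp", ("aes 256", "sha", "pre-share", 5, 86400))))
```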


Part 3: Verify the IPsec VPN

Run these on R1 (and likewise on R3) before and after generating traffic:

R1# show crypto isakmp policy
R1# show crypto isakmp sa
R1# show crypto ipsec sa

Before any interesting traffic has been sent, show crypto isakmp sa lists no SA and the #pkts encaps/decaps counters in show crypto ipsec sa are 0. Ping from PC-A to PC-C (interesting traffic, matching access-list 110): the ISAKMP SA then appears in state QM_IDLE and the encaps/decaps counters increase. Then tracert from PC-A to PC-B and vice versa: this traffic does not match access-list 110, so it is routed unencrypted and the counters do not change.
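The before/after comparison of show crypto ipsec sa in the steps above can be automated. As an added example (not from the original lab), this script parses two captures of R1's output and classifies the traffic sent between them as interesting (encrypted), uninteresting (counters unchanged) or partial. The sample output is constructed and reproduces only the lines the parser reads, in the layout IOS prints them.

```python
import re

def constructed_show_output(encaps, decaps):
    """Constructed stand-in for R1's 'show crypto ipsec sa' with given counters."""
    return f"""interface: Serial0/0/0
    Crypto map tag: VPN-MAP, local addr 10.10.10.1

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   current_peer 10.20.20.1 port 500
    PERMIT, flags={{origin_is_acl,}}
   #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
    #send errors 0, #recv errors 0
"""

IP = r"(\d+(?:\.\d+){3})"

def parse_sa(text):
    """Extract the peer, the protected subnets and the encaps/decaps counters."""
    grab = lambda pattern: re.search(pattern, text).group(1)
    return {
        "peer": grab(r"current_peer " + IP),
        "local": grab(r"local\s+ident.*?\(" + IP + "/"),
        "remote": grab(r"remote ident.*?\(" + IP + "/"),
        "encaps": int(grab(r"#pkts encaps: (\d+)")),
        "decaps": int(grab(r"#pkts decaps: (\d+)")),
    }

def sa_delta(before, after):
    """(encaps, decaps) growth between two captures; non-zero means the tunnel carried it."""
    b, a = parse_sa(before), parse_sa(after)
    return a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]

def classify(before, after, sent_pkts):
    """'interesting' if every packet sent was encrypted, 'uninteresting' if none was."""
    enc, dec = sa_delta(before, after)
    if enc == dec == sent_pkts:
        return "interesting"
    if enc == dec == 0:
        return "uninteresting"
    return "partial"   # e.g. an echo lost while IKE negotiates, or no reply from the far side

if __name__ == "__main__":
    idle = constructed_show_output(0, 0)         # Step 1: before any traffic
    after_ping = constructed_show_output(4, 4)   # Step 3: after PC-A pings PC-C (4 echoes)
    print(classify(idle, after_ping, 4))         # interesting
    print(classify(after_ping, after_ping, 4))   # Step 5: PC-A -> PC-B left counters alone
```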
