Topology
IP Addressing
Table
Device
|
Interface
|
IP Address
|
Subnet
Mask
|
Default
Gateway
|
Switch
Port
|
R1
|
FA0/1
|
192.168.1.1
|
255.255.255.0
|
N/A
|
S1 FA0/5
|
|
S0/0/0
(DCE)
|
10.1.1.1
|
255.255.255.252
|
N/A
|
N/A
|
R2
|
S0/0/0
|
10.1.1.2
|
255.255.255.252
|
N/A
|
N/A
|
|
S0/0/1
(DCE)
|
10.2.2.2
|
255.255.255.252
|
N/A
|
N/A
|
R3
|
FA0/1
|
192.168.3.1
|
255.255.255.0
|
N/A
|
S3 FA0/5
|
|
S0/0/1
|
10.2.2.1
|
255.255.255.252
|
N/A
|
N/A
|
PC-A
|
NIC
|
192.168.1.3
|
255.255.255.0
|
192.168.1.1
|
S1 FA0/6
|
PC-C
|
NIC
|
192.168.3.3
|
255.255.255.0
|
192.168.3.1
|
S3 FA0/18
|
Objectives
Part 1: Basic Router
Configuration
·
Configure host names, interface IP addresses,
and access passwords.
·
Configure the EIGRP dynamic routing protocol.
Part 2: Configure a Site-to-Site VPN Using Cisco IOS
·
Configure IPsec VPN settings on R1 and R3
·
Verify site-to-site IPsec VPN
configuration
·
Test IPsec VPN operation
Part 3: Configure a Site-to-Site VPN Using SDM
·
Configure IPsec VPN settings on R1
·
Create a mirror configuration for R3
·
Apply the mirror configuration to R3
·
Verify the configuration
·
Test the VPN
configuration using SDM
Background
In this lab, you build a multi-router network and configure the
routers and hosts. You use Cisco IOS and SDM to configure a site-to-site IPsec
VPN and test it. The IPsec VPN tunnel is from router R1 to router R3 via R2. R2
acts as a pass-through and has no knowledge of the VPN. IPsec provides secure transmission of
sensitive information over unprotected networks such as the Internet. IPsec
acts at the network layer, protecting and authenticating IP packets between
participating IPsec devices (peers), such as Cisco routers.
Note: The router
commands and output in this lab are from a Cisco 1841 with Cisco IOS Release
12.4(20)T (Advanced IP image). Other routers and Cisco IOS versions can be
used. See the Router Interface Summary table at the end of the lab to determine
which interface identifiers to use based on the equipment in the lab. Depending
on the router model and Cisco IOS version, the commands available and output
produced might vary from what is shown in this lab.
Note: Make sure that the routers and the
switches have been erased and have no startup configurations.
Instructor Note:
Instructions for erasing switches and
routers are provided in the Lab Manual, located on Academy Connection in the
Tools section.
Required Resources
·
3 routers with SDM 2.5 installed (Cisco 1841
with Cisco IOS Release 12.4(20)T1
or comparable)
·
2 switches (Cisco 2960 or comparable)
·
PC-A (Windows XP or Vista)
·
PC-C (Windows XP or Vista)
·
Serial and Ethernet cables as shown in the
topology
·
Rollover cables to configure the routers via the
console
Instructor Notes:
This lab
is divided into three parts. Each part can be
administered individually or in combination with others as time permits. The main
goal is to configure a site-to-site VPN between two routers, first using the
Cisco IOS CLI and then using SDM. R1 and R3 are on separate networks and
communicate through R2, which simulates an ISP. The routers in this lab are
configured with EIGRP, although it is not
typical for stub networks to communicate with an ISP using an interior routing
protocol. You can also use static routes for basic (non-VPN) communication
between R1 and R2 and between R1 and R3, if desired.
Students
can work in teams of two for router configuration, one person configuring R1
and the other R3.
Although
switches are shown in the topology, students can omit the switches and use
crossover cables between the PCs and routers R1 and R3.
The
running configs for all three routers are captured after Part 1 of the lab is
completed. The running configs for R1 and R3 from Part 2 and Part 3 are
captured and listed separately. All configs are found at the end of the lab.
Part 1: Basic Router Configuration
In Part 1 of this lab, you set up the network topology and
configure basic settings, such as the interface IP addresses, dynamic routing,
device access, and passwords.
Note: All tasks should
be performed on routers R1, R2, and R3. The procedure for R1 is shown here as
an example.
Step 1: Cable the network as shown in the topology.
Attach the devices shown in the topology diagram, and cable as
necessary.
Step 2: Configure basic settings for each router.
a.
Configure host names as shown in the topology.
b.
Configure the interface IP addresses as shown in
the IP addressing table.
c.
Configure a clock rate for the serial router
interfaces with a DCE serial cable attached.
R1(config)#interface S0/0/0
R1(config-if)#clock rate 64000
Step 3. Disable DNS lookup.
To prevent the router from attempting to translate incorrectly
entered commands, disable DNS lookup.
R1(config)#no
ip domain-lookup
Step 4: Configure the EIGRP routing protocol on R1, R2, and R3.
a.
On R1, use the following commands.
R1(config)#router
eigrp 101
R1(config-router)#network
192.168.1.0 0.0.0.255
R1(config-router)#network
10.1.1.0 0.0.0.3
R1(config-router)#no
auto-summary
b.
On R2, use the following commands.
R2(config)#router
eigrp 101
R2(config-router)#network
10.1.1.0 0.0.0.3
R2(config-router)#network
10.2.2.0 0.0.0.3
R2(config-router)#no
auto-summary
c.
On R3, use the following commands.
R3(config)#router
eigrp 101
R3(config-router)#network
192.168.3.0 0.0.0.255
R3(config-router)#network
10.2.2.0 0.0.0.3
R3(config-router)#no
auto-summary
Step 5: Configure PC host IP settings.
a.
Configure a static IP address, subnet mask, and
default gateway for PC-A, as shown in the IP addressing table.
b.
Configure a static IP address, subnet mask, and
default gateway for PC-C, as shown in the IP addressing table.
Step 6: Verify basic network connectivity.
a.
Ping from R1 to the R3 Fa0/1 interface at IP
address 192.168.3.1.
Were the results successful? Yes.
If the pings are not successful, troubleshoot the basic device
configurations before continuing.
b.
Ping from PC-A on the R1 LAN to PC-C on the R3
LAN.
Were the results successful? Yes.
If the pings are not successful, troubleshoot the basic device
configurations before continuing.
Note: If you can
ping from PC-A to PC-C, you have demonstrated that the EIGRP routing protocol
is configured and functioning correctly. If you cannot ping but the device
interfaces are up and IP addresses are correct, use the show
run and show ip route commands to help identify
routing protocol-related problems.
Step 7: Configure a minimum password length.
Note: Passwords
in this lab are set to a minimum of 10 characters but are relatively simple for
the benefit of performing the lab. More complex passwords are recommended in a
production network.
Use the security
passwords command to set a minimum password length of 10 characters.
R1(config)#security passwords min-length 10
Step 8: Configure the basic console and vty lines.
a.
Configure a console password and enable login
for router R1. For additional security, the exec-timeout command causes the
line to log out after 5 minutes of inactivity. The logging
synchronous command prevents console messages from interrupting command entry.
Note: To avoid
repetitive logins during this lab, the exec-timeout can
be set to 0 0, which prevents it from expiring. However, this is not considered
a good security practice.
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
b.
Configure the password on the vty lines for
router R1.
R1(config)#line
vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
c.
Repeat these configurations on both R2 and R3.
Step 9: Encrypt clear text passwords.
a.
Use the service
password-encryption command to encrypt the console, aux, and vty
passwords.
R1(config)#service
password-encryption
b.
Issue the show run command. Can
you read the console, aux, and vty passwords? Why or why not?
No, the passwords
are now encrypted
c.
Repeat this configuration on both R2 and R3.
Step 10: Save the basic running configuration for all three routers.
a.
Save the running configuration to the startup
configuration from the privileged EXEC prompt.
R1#copy running-config startup-config
Step 11: Save the configuration on R1 and R3 for later
restoration.
Use HyperTerminal or another means such as copy and paste to
save the R1 and R3 running configurations from Part 1 of this lab and edit them
so that they can be used to restore the routers in Part 3 of the lab to
configure the VPN with SDM.
Note: When editing
the captured running config text, remove all occurrences of “- - More - -.”
Remove any commands that are not related to the items you configured in Part 1
of the lab, such as the Cisco IOS version number, no service pad, and so on.
Many commands are entered automatically by the Cisco IOS software. Also replace
the encrypted passwords with the correct ones specified previously and be sure
to use the no shutdown command for interfaces that need to be
enabled.
Part 2: Configure a
Site-to-Site VPN with Cisco IOS
In Part 2 of this lab, you configure an IPsec VPN tunnel between
R1 and R3 that passes through R2. You will configure R1 and R3 using the Cisco
IOS CLI. You then review and test the resulting configuration.
Task 1: Configure IPsec VPN Settings on R1 and R3
Step 1: Verify connectivity from the R1 LAN to the R3 LAN.
In this task, you verify that with no tunnel in place, the PC-A
on the R1 LAN can ping the PC-C on R3 LAN.
a. From PC-A, ping the PC-C IP address of 192.168.3.3.
PC-A:\>ping 192.168.3.3
b.
Were the results successful? Yes.
If the pings are not successful, troubleshoot the basic device
configurations before continuing.
Step 2: Enable IKE policies on R1 and R3.
IPsec is an open framework that allows the exchange of security
protocols as new technologies, such as encryption algorithms, are developed.
There are two central configuration elements to the
implementation of an IPsec VPN:
·
Implement Internet Key Exchange (IKE) parameters
·
Implement IPsec parameters
a.
Verify that IKE is supported and enabled.
IKE Phase 1 defines the key exchange method used to pass and
validate IKE policies between peers. In IKE Phase 2, the peers exchange and
match IPsec policies for the authentication and encryption of data traffic.
IKE must be enabled for IPsec to function. IKE is enabled by
default on IOS images with cryptographic feature sets. If it is disabled for
some reason, you can enable it with the command crypto isakmp enable. Use this command to verify that
the router IOS supports IKE and that it is enabled.
R1(config)#crypto isakmp enable
R3(config)#crypto isakmp enable
Note: If you cannot
execute this command on the router, you need to upgrade the IOS image to one with
a feature set that includes the Cisco cryptographic services.
b.
Establish an Internet Security Association and
Key Management Protocol (ISAKMP) policy and view the available options.
To allow IKE Phase 1 negotiation, you must create an ISAKMP
policy and configure a peer association involving that ISAKMP policy. An ISAKMP
policy defines the authentication and encryption algorithms and hash function
used to send control traffic between the two VPN endpoints. When an ISAKMP
security association has
been accepted by the IKE peers, IKE Phase 1 has been completed. IKE Phase 2
parameters will be configured later.
Issue the crypto isakmp policy number
configuration command on R1 for policy 10.
R1(config)#crypto isakmp policy 10
c.
View the various IKE parameters available using
Cisco IOS help by typing a question mark (?).
R1(config-isakmp)# ?
ISAKMP commands:
authentication Set authentication
method for protection suite
default Set a command to its defaults
encryption Set encryption
algorithm for protection suite
exit Exit from ISAKMP protection suite
configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection
suite
lifetime Set lifetime for
ISAKMP security association
no Negate a command or set its
defaults
Step 3: Configure ISAKMP policy parameters on R1 and R3.
Your choice of an encryption algorithm
determines how confidential the control channel between the endpoints is. The
hash algorithm controls data integrity, ensuring that the data received from a
peer has not been tampered with in transit. The authentication type ensures that
the packet was indeed sent and signed by the remote peer. The Diffie-Hellman
group is used to create a secret key shared by the peers that has not been sent
across the network.
a.
Configure an authentication type of pre-shared
keys. Use AES 256 encryption, SHA as your hash algorithm, and Diffie-Hellman
group 5 key exchange for this IKE policy.
b.
Give the policy a life time of 3600 seconds (one
hour). Configure the same policy on R3. Older versions of Cisco IOS do not
support AES 256 encryption and SHA as a hash algorithm. Substitute whatever
encryption and hashing algorithm your router supports. Be sure the same changes
are made on the other VPN endpoint so that they are in sync.
Note:
You should be at the R1(config-isakmp)# at this point. The crypto isakmp policy 10
command is repeated below for clarity.
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#end
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 5
R3(config-isakmp)#lifetime 3600
R3(config-isakmp)#end
c.
Verify the IKE policy with the show
crypto isakmp policy command.
R1#show
crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption
algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash
algorithm: Secure Hash Standard
authentication
method: Pre-Shared Key
Diffie-Hellman
group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
Step 4: Configure pre-shared keys.
a.
Because pre-shared keys are used as the
authentication method in the IKE policy, configure a key on each router that
points to the other VPN endpoint. These keys must match for authentication to
be successful. The global configuration command crypto isakmp key key-string
address
address
is used to enter a pre-shared key. Use the IP address of the remote peer, the
remote interface that the peer would use to route traffic to the local router.
Which
IP addresses should you use to configure the IKE peers, given the topology
diagram and IP addressing table?
The IP addresses should be R1
S0/0/0 IP address 10.1.1.1 and R3 S0/0/1 IP address 10.2.2.1 because these are
the addresses that are used to send normal traffic between R1 and R3.
b.
Each IP address that is used to configure the
IKE peers is also referred to as the IP address of the remote VPN endpoint.
Configure the pre-shared key of cisco123 on router R1 using the following
command. Production networks should use a complex key. This command points to
the remote peer R3 S0/0/1 IP address.
R1(config)#crypto isakmp key cisco123
address 10.2.2.1
c.
The command for R3 points to the R1 S0/0/0 IP
address. Configure the pre-shared key on router R1 using the following command.
R3(config)#crypto isakmp key cisco123
address 10.1.1.1
Step 5:
Configure the IPsec transform set and life times.
a.
The IPsec transform set is another crypto
configuration parameter that routers negotiate to form a security association.
To create an IPsec transform set, use the crypto
ipsec transform-set tag
parameters. Use ? to see which
parameters are available.
R1(config)#crypto ipsec transform-set 50 ?
ah-md5-hmac AH-HMAC-MD5
transform
ah-sha-hmac AH-HMAC-SHA
transform
comp-lzs IP Compression using
the LZS compression algorithm
esp-3des ESP transform using
3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using
HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160
bits)
esp-sha-hmac ESP transform using
HMAC-SHA auth
b.
On R1 and R3, create a transform set with tag 50
and use an Encapsulating Security Protocol (ESP) transform with an AES 256
cipher with ESP and the SHA hash function. The transform sets must match.
R1(config)#crypto ipsec transform-set 50
esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)#exit
R3(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
R3(cfg-crypto-trans)#exit
c.
What is the function of the IPsec transform set?
The IPsec transform set
specifies the cryptographic algorithms and functions (transforms) that a router
employs on the actual data packets sent through the IPsec tunnel. These
algorithms include the encryption, encapsulation, authentication, and data
integrity services that IPsec can apply.
d.
You can also change the IPsec security
association life times from the default of 3600 seconds or 4,608,000 kilobytes,
whichever comes first. On R1 and R3, set the IPsec security association life
time to 30 minutes, or 1800 seconds.
R1(config)#crypto ipsec
security-association lifetime seconds 1800
R3(config)#crypto ipsec
security-association lifetime seconds 1800
Step 6: Define
interesting traffic.
a.
To make use of the IPsec encryption with the
VPN, it is necessary to define extended access lists to tell the router which
traffic to encrypt. A packet that is permitted by an access list used for
defining IPsec traffic is encrypted if the IPsec session is configured
correctly. A packet that is denied by one of these access lists is not dropped,
but sent unencrypted. Also, like any other access list, there is an implicit
deny at the end, which, in this case, means the default action is to not
encrypt traffic. If there is no IPsec security association correctly
configured, no traffic is encrypted, and traffic is forwarded as unencrypted.
b.
In this
scenario, the traffic you want to encrypt is traffic going from R1’s Ethernet
LAN to R3’s Ethernet LAN, or vice versa. These access lists are used outbound
on the VPN endpoint interfaces and must mirror each other.
c.
Configure
the IPsec VPN interesting traffic ACL on R1.
R1(config)#access-list 101 permit ip
192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
d.
Configure the IPsec VPN interesting traffic ACL
on R3.
R3(config)#access-list 101 permit ip
192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
e.
Does IPsec evaluate whether the access lists are
mirrored as a requirement to negotiate its security association? Yes, IPsec does evaluate whether
access lists are mirrored. IPsec does not form a security association if the
peers do not have mirrored access lists to select interesting traffic.
Step
7: Create and apply a crypto map.
A crypto map associates traffic that matches
an access list to a peer and various IKE and IPsec settings. After the crypto
map is created, it can be applied to one or more interfaces. The interfaces
that it is applied to should be the ones facing the IPsec peer.
a.
To create a crypto map, use the global
configuration command crypto
map name sequence-num type
to enter the crypto map configuration mode for that sequence number. Multiple
crypto map statements can belong to the same crypto map and are evaluated in
ascending numerical order. Enter the crypto map configuration mode on R1. Use a
type of ipsec-isakmp, which means IKE is used to establish IPsec security
associations.
b.
Create the crypto map on R1, name it CMAP, and
use 10 as the sequence number. A message will display after the command is
issued.
R1(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled
until a peer
and a valid access list have been configured.
c.
Use the match
address access-list
command to specify which access list defines which traffic to encrypt.
R1(config-crypto-map)#match
address 101
d.
To view the list of possible set commands that you can do
in a crypto map, use the help function.
R1(config-crypto-map)#set
?
Identity Identity restriction.
Ip
Interface
Internet Protocol config commands
isakmp-profile
Specify
isakmp Profile
nat Set
NAT translation
peer Allowed
Encryption/Decryption peer.
pfs Specify
pfs settings
security-association
Security association parameters
transform-set
Specify
list of transform sets in priority order
e.
Setting a peer IP or host name is required, so
set it to R3’s remote VPN endpoint interface using the following command.
R1(config-crypto-map)#set
peer 10.2.2.1
f.
Hard code the transform set to be used with this
peer, using the set transform-set tag command. Set the perfect
forwarding secrecy type using the set
pfs type command,
and also modify the default IPsec security association life time with the set
security-association lifetime seconds seconds command.
R1(config-crypto-map)#set
pfs group5
R1(config-crypto-map)#set
transform-set 50
R1(config-crypto-map)#set
security-association lifetime seconds 900
R1(config-crypto-map)#exit
g.
Create a mirrored matching crypto map on R3.
R3(config)#crypto map CMAP 10 ipsec-isakmp
R3(config-crypto-map)#match
address 101
R3(config-crypto-map)#set
peer 10.1.1.1
R3(config-crypto-map)#set
pfs group5
R3(config-crypto-map)#set
transform-set 50
R3(config-crypto-map)#set
security-association lifetime seconds 900
R3(config-crypto-map)#exit
h.
The last step is applying the maps to
interfaces. Note that the security associations (SAs) will not be established
until the crypto map has been activated by interesting traffic. The router will
generate a notification that crypto is now on.
i.
Apply the crypto maps to the appropriate
interfaces on R1 and R3.
R1(config)#interface S0/0/0
R1(config-if)#crypto map CMAP
*Jan 28 04:09:09.150: %CRYPTO-6-ISAKMP_ON_OFF:
ISAKMP is ON
R1(config)#end
R3(config)#interface S0/0/1
R3(config-if)#crypto map CMAP
*Jan 28 04:10:54.138: %CRYPTO-6-ISAKMP_ON_OFF:
ISAKMP is ON
R3(config)#end
Task 2: Verify Site-to-Site IPsec
VPN Configuration
Step 1: Verify the IPsec configuration on R1 and R3.
a.
Previously, you used the show
crypto isakmp policy command to show the configured ISAKMP policies
on the router. Similarly, the show
crypto ipsec transform-set command displays the configured IPsec
policies in the form of the transform sets.
R1#show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform
set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform
set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
R3#show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform
set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform
set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
b.
Use the show
crypto map command to display the crypto maps that will be applied
to the router.
R1#show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
Peer =
10.2.2.1
Extended IP
access list 101
access-list
101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Current
peer: 10.2.2.1
Security
association lifetime: 4608000 kilobytes/900 seconds
PFS (Y/N): Y
DH
group: group5
Transform
sets={
50: {
esp-256-aes esp-sha-hmac } ,
}
Interfaces
using crypto map MYMAP: Serial0/0/0
R3#show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
Peer =
10.1.1.1
Extended IP
access list 101
access-list
101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Current
peer: 10.1.1.1
Security
association lifetime: 4608000 kilobytes/900 seconds
PFS (Y/N): Y
DH
group: group5
Transform
sets={
50: { esp-256-aes esp-sha-hmac } ,
}
Interfaces
using crypto map MYMAP: Serial0/0/1
Note: The
output of these show commands
does not change if interesting traffic goes across the connection. You test
various types of traffic in the next task.
Task 3: Verify IPsec VPN
Operation
Step 1: Display isakmp security associations.
The show crypto
isakmp sa command reveals that no IKE SAs exist yet. When interesting
traffic is sent, this command output will change.
R1#show crypto isakmp sa
dst src state conn-id
slot status
Step 2: Display IPsec security associations.
a.
The show
crypto ipsec sa command shows the unused SA between R1 and R3. Note
the number of packets sent across and the lack of any security associations
listed toward the bottom of the output. The output for R1 is shown here.
R1#show crypto ipsec sa
interface: Serial0/0/0
Crypto map
tag: CMAP, local addr 10.1.1.1
protected
vrf: (none)
local ident (addr/mask/prot/port):
(192.168.1.0/255.255.255.0/0/0)
remote
ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT,
flags={origin_is_acl,}
#pkts
encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts
decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts
compressed: 0, #pkts decompressed: 0
#pkts not
compressed: 0, #pkts compr. failed: 0
#pkts not
decompressed: 0, #pkts decompress failed: 0
#send
errors 0, #recv errors 0
local
crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu
1500, ip mtu 1500, ip mtu idb Serial0/0/0
current
outbound spi: 0x0(0)
inbound
esp sas:
inbound
ah sas:
inbound
pcp sas:
outbound
esp sas:
outbound
ah sas:
outbound
pcp sas:
b.
Why have no security associations (SAs) been
negotiated? Because no
interesting traffic has been identified, IPsec has not begun to negotiate a
security association over which it will encrypt traffic.
Step 3: Generate some uninteresting test traffic and observe the
results.
a.
Ping from R1 to the R3 S0/0/1 interface IP
address 10.2.2.1. Were the pings successful? Yes
b.
Issue the show crypto isakmp sa command. Was
an SA created between R1 and R3? No.
c.
Ping from R1 to the R3 Fa01 interface IP address
192.168.3.1. Were the pings successful? Yes
d.
Issue the show crypto isakmp sa command
again. Was an SA created for these pings? Why or why not? No SA was created. The source
address of both pings was the R1 S0/0/0 address of 10.1.1.1. In the first case,
the destination address was 10.2.2.1. In the second case, the destination
address was 192.168.3.1. This is not “interesting” traffic. The ACL 101 that is
associated with the crypto map for R1 defines interesting traffic as IP packets
from the 192.168.1.0/24 network to the 192.168.3.0/24 network.
e.
Issue the command debug eigrp packets.
You should see EIGRP hello packets passing between R1 and R3.
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE,
REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R1#
*Jan 29 16:05:41.243: EIGRP: Received HELLO on
Serial0/0/0 nbr 10.1.1.2
*Jan 29 16:05:41.243: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ
un/rely 0/0 pe
erQ un/rely 0/0
*Jan 29 16:05:41.887: EIGRP: Sending HELLO on
Serial0/0/0
*Jan 29 16:05:41.887: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ
un/rely 0/0
R1#
*Jan 29 16:05:43.143: EIGRP: Sending HELLO on
FastEthernet0/1
*Jan 29 16:05:43.143: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ
un/rely 0/0
R1#
f.
Turn off debugging with the no
debug eigrp packets or undebug
all command.
g.
Issue the show crypto isakmp sa command
again. Was an SA created between R1 and R3? Why or why not? No. This is router-to-router
routing protocol traffic. The source and destination of these packets is not
interesting, does not initiate the SA, and is not encrypted.
Step 4: Generate some interesting test traffic and observe the
results.
a.
Use an extended ping from R1 to the R3 Fa01
interface IP address 192.168.3.1. Extended ping allows you to control the
source address of the packets. Respond as shown in the following example. Press
enter to accept the defaults, except where a specific response is indicated.
R1#ping
Protocol [ip]:
Target IP address: 192.168.3.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate
reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1,
timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip
min/avg/max = 92/92/92 ms
b.
Issue the show crypto isakmp sa command
again.
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst
src state conn-id slot status
10.2.2.1
10.1.1.1 QM_IDLE 1001 0 ACTIVE
c.
Why was an SA created between R1 and R3 this
time? The source was
192.168.1.1, and the destination was 192.168.3.1. This is interesting traffic based
on the ACL 101 definition. An SA is established, and packets travel through the
tunnel as encrypted traffic.
d. What
are the endpoints of the IPsec VPN tunnel? Src: 10.1.1.1 (R1 S0/0/0),
Dst: 10.2.2.1 (R3 S0/0/1)
e.
Ping from PC-A to PC-C. Were the pings
successful? Yes
f.
Issue the show crypto ipsec sa command. How
many packets have been transformed between R1 and R3? Nine, Five packets from the R1 to R3 pings, and
four packets from the PC-A to R3 pings. One packet for each echo request. The
number of packet may vary depending on how many pings have been issued and from
where.
R1#show
crypto ipsec sa
interface: Serial0/0/0
Crypto map
tag: CMAP, local addr 10.1.1.1
protected
vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote
ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT,
flags={origin_is_acl,}
#pkts
encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts
decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts
compressed: 0, #pkts decompressed: 0
#pkts not
compressed: 0, #pkts compr. failed: 0
#pkts not
decompressed: 0, #pkts decompress failed: 0
#send
errors 0, #recv errors 0
local
crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu
1500, ip mtu 1500, ip mtu idb Serial0/0/0
current
outbound spi: 0xC1DD058(203280472)
inbound
esp sas:
spi:
0xDF57120F(3747025423)
transform: esp-256-aes esp-sha-hmac ,
in use
settings ={Tunnel, }
conn
id: 2005, flow_id: FPGA:5, crypto map: CMAP
sa
timing: remaining key lifetime (k/sec): (4485195/877)
IV
size: 16 bytes
replay
detection support: Y
Status: ACTIVE
inbound
ah sas:
inbound
pcp sas:
outbound
esp sas:
spi:
0xC1DD058(203280472)
transform: esp-256-aes esp-sha-hmac ,
in use
settings ={Tunnel, }
conn
id: 2006, flow_id: FPGA:6, crypto map: CMAP
sa
timing: remaining key lifetime (k/sec): (4485195/877)
IV
size: 16 bytes
replay
detection support: Y
Status: ACTIVE
outbound
ah sas:
outbound
pcp sas:
g.
The previous example used pings to generate
interesting traffic. What other types of traffic would result in an SA forming
and tunnel establishment? Any
traffic initiated from R1 with a source address in the 192.168.1.0/24 network
and a destination address in the 192.168.3.0/24 network. On R3, interesting
traffic is any traffic with a source address in the 192.168.3.0/24 network and
a destination address in the 192.168.1.0/24 network. This includes FTP, HTTP,
Telnet, and others.
Part 3: Configure a
Site-to-Site IPsec VPN with SDM
In Part 3 of this lab, you configure an IPsec VPN tunnel between
R1 and R3 that passes through R2. In Task 2, you configure R1 using Cisco SDM.
In Task 3, you mirror those settings to R3 using SDM utilities. You then review
and test the resulting configuration.
Task 1: Restore Router R1 and R3 to the Basic Settings
To avoid confusion as to what was entered in Part 2 of the lab,
start by restoring R1 and R3 to the basic configuration as described in Part 1
of this lab.
Step 1: Erase and
reload the router.
a.
Connect to the router console, and enter
privileged EXEC mode.
b.
Erase the startup config and then issue the reload command to restart
the router.
Step 2: Restore the
basic configuration.
a.
When the
router restarts, enter privileged EXEC mode with the enable command, and then enter global config mode. Use the HyperTerminal Transfer > Send File function, copy and paste or use another
method to load the basic startup config for R1 and R3 that was created and
saved in Part 1 of this lab.
b.
Save the running config to the startup config for
R1 and R3 using the copy run start
command.
c.
Test connectivity by pinging from host PC-A to
PC-C. If the pings are not successful, troubleshoot the router and PC
configurations before continuing.
Task 2: Configure IPsec VPN Settings on R1 Using SDM
Step 1: Configure the enable secret password and HTTP router
access prior to starting SDM.
a.
From the CLI, configure the enable secret
password for use with SDM on R1 and R3.
R1(config)#enable secret cisco12345
R3(config)#enable secret cisco12345
b.
Enable the HTTP server on R1 and R3.
R1(config)#ip http server
R3(config)#ip http server
Step 2: Access SDM and set command delivery preferences.
a.
Run the SDM application, or open a browser on
PC-A and start SDM by entering the R1 IP address 192.168.1.1 in the address
field.
Note: You might be
prompted by Internet Explorer to allow ActiveX during several of these steps.
Click Allow.
b.
Log in with no username and the enable secret
password cisco12345.
c.
In the Authentication Required dialog box, leave
the Username field blank and enter cisco12345
in the Password field. Click Yes.
d.
If the IOS IPS login dialog displays, click the Cancel button to bypass this option.
e.
Select Edit > Preferences to configure
SDM to allow you to preview the commands before sending them to the router. In the User Preferences window, check the
Preview commands before delivering to
router check box and click OK.
Step 3: Start the SDM
VPN wizard to configure R1.
a.
Click the Configure
button at the top of the SDM screen, and then click the VPN button. Select Site-to-Site
VPN from the list of options. The default option is Create Site-to-Site
VPN. Read through the description of this option.
b.
What must you know to complete the
configuration? The remote
device (R3 S0/0/1) IP address and the pre-shared key (cisco12345), which will
be established in Task 2, Step 4.
c.
Click the
Launch the selected task button to begin the SDM Site-to-Site VPN wizard.
d.
On the initial Site-to-Site VPN wizard window,
the Quick Setup option is selected
by default. Click the View Details
button to see what settings this option uses. What type of encryption does the
default transform set use? ESP-3DES
e.
From the initial Site-to-Site VPN wizard window,
select the Step by Step wizard, and then click Next.
Why would you use this option over the Quick setup option? So that you have more control
over the VPN settings used.
Step 4: Configure basic
VPN connection information settings.
a.
From the VPN Connection Information window,
select the interface for the connection, which should be R1 Serial0/0/0.
b.
In the Peer Identity section, select Peer with static address and enter the
IP address of remote peer R3 S0/0/1 (10.2.2.1).
c.
In the Authentication section, click Pre-shared keys, and enter the
pre-shared VPN key cisco12345.
Re-enter the key for confirmation. This key is what protects the VPN and keeps
it secure. When finished, your screen should look similar to the following.
Once you have entered these settings correctly, click Next.
Step 5: Configure IKE
policy parameters.
IKE policies are used while setting up the control channel
between the two VPN endpoints for key exchange. This is also referred to as the
IKE secure association (SA). In contrast, the IPsec policy is used during IKE
Phase II to negotiate an IPsec security association to pass target data
traffic.
a.
In the IKE Proposals window, a default policy
proposal is displayed. You can use this one or create a new one. What function
does this IKE proposal serve? The IKE proposal specifies the encryption algorithm, authentication
algorithm, and key exchange method used by this router when negotiating a VPN connection
with a remote router.
b.
Click the Add
button to create a new IKE policy.
c.
Set up the security policy as shown in the Add
IKE Policy dialog box below. These settings are matched later on R3. When
finished, click OK to add the
policy. Then click Next.
d.
Click the Help
button to assist you with answering the following questions. What is the
function of the encryption algorithm in the IKE policy? The encryption algorithm encrypts and decrypts the
payload of the control packets that pass over the secure IKE channel.
e.
What is the purpose of the hash function? The hash validates that the
entire control packet has not been tampered with during transit. The hash also
authenticates the remote peer as the origin of the packet via a secret key.
f.
What function does the authentication method
serve? Both endpoints
verify that the IPsec traffic that they have received is sent by the remote IPsec
peer.
g.
How is the Diffie-Hellman group in the IKE
policy used? The
Diffie-Hellman group is used by each of the endpoints to generate a shared
secret key, which is never transmitted across the network. Each Diffie-Hellman
group has an associated key length.
h.
What event happens at the end of the IKE
policy’s lifetime? IKE
renegotiates the IKE association.
Step 6: Configure a transform
set.
The transform set is the IPsec policy used to encrypt, hash, and
authenticate packets that pass through the tunnel. The transform set is the IKE
Phase 2 policy.
a.
An SDM default transform set is displayed. Click
the Add button to create a new transform
set.
b.
Set up the transform set as shown in the Transform
Set dialog box below. These settings are matched later on R3. When finished,
click OK to add the transform set.
Then click Next.
Step 7: Define interesting traffic.
You must define interesting traffic to be protected through the
VPN tunnel. Interesting traffic will be defined through an access list when
applied to the router. If you enter source and destination subnets, SDM
generates the appropriate simple access list for you.
In the Traffic to protect window, enter the information as shown below.
These are the opposite of the settings configured on R3 later in the lab. When
finished, click Next.
Step 8: Review the summary configuration and deliver commands to
the router.
a.
Review the summary of the Configuration window.
It should look similar to the one below. Do not select the checkbox for Test
VPN connectivity after configuring. This is done after configuring R3.
b.
In the Deliver Configuration to router window,
select Save running config to router’s
startup config and click the Deliver
button. After the commands have been delivered, click OK. How many commands were delivered? 31 with SDM 2.5
Task 3: Create a Mirror Configuration for R3
Step 1: Use SDM on R1 to generate a mirror configuration for R3.
a.
On R1, select VPN > Site-to-Site VPN and click the Edit Site-to-Site VPN tab. You should see the VPN configuration you
just created on R1 listed. What is the description of the VPN? Tunnel to 10.2.2.1
b.
What is the status of the VPN and why? Down. The IKE security
association could not be established because the VPN peer R3 has not yet been
configured. R3 must be configured with the appropriate VPN parameters, such as
matching IKE proposals and IPsec policies and a mirrored access list, before the
IKE and IPsec security associations will activate.
c.
Select the VPN policy you just configured on R1 and
click the Generate Mirror button in
the lower right of the window. The Generate Mirror window displays the commands
necessary to configure R3 as a VPN peer. Scroll through the window to see all
the commands generated.
d.
The text at the top of the window states that
the configuration generated should only be used as a guide for setting up a
site-to-site VPN. What commands are missing to allow this crypto policy to
function on R3? The
commands to apply the crypto map to the S0/0/1 interface.
Hint: Look at the
description entry following the crypto map SDM_CMAP_1 command.
Step 2: Save the configuration commands for R3.
a.
Click the Save
button to create a text file for use in the next task.
b.
Save the commands to the desktop or other
location and name it VPN-Mirror-Cfg-for-R3.txt.
Note: You can also
copy the commands directly from the Generate
Mirror window.
c.
(Optional) Edit the file to remove the explanation
text at the beginning and the description entry following the crypto
map SDM_CMAP_1 command.
Task 4: Apply the Mirror Configuration to R3 and Verify the Configuration
Step 1: Access the R3 CLI and copy the mirror commands.
Note: You can also
use SDM on R3 to create the appropriate VPN configuration, but copying and
pasting the mirror commands generated from R1 is easier.
a. On
R3, enter privileged EXEC mode and then global config mode.
b. Copy
the commands from the text file into the R3 CLI.
Step 2: Apply the crypto map to the R3 S0/0/1 interface.
R3(config)#interface s0/0/1
R3(config-if)#crypto map SDM_CMAP_1
*Jan 30 13:00:38.184: %CRYPTO-6-ISAKMP_ON_OFF:
ISAKMP is ON
Step 3: Verify the VPN configuration on R3 using Cisco IOS.
a.
Display the running config beginning with the
first line that contains the string “0/0/1” to verify that the crypto map is
applied to S0/0/1.
R3#sh run | beg 0/0/1
interface Serial0/0/1
ip address
10.2.2.1 255.255.255.252
crypto map
SDM_CMAP_1
b.
On R3, use the show crypto isakmp policy
command to show the configured ISAKMP policies on the router. Note that the
default SDM policy is also present.
R3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key
triple DES
hash
algorithm: Secure Hash Standard
authentication method: Pre-Shared
Key
Diffie-Hellman group: #2 (1024
bit)
lifetime: 86400
seconds, no volume limit
Protection suite of priority 10
encryption algorithm: AES -
Advanced Encryption Standard (256 bit keys
).
hash
algorithm: Message Digest 5
authentication method: Pre-Shared
Key
Diffie-Hellman group: #5 (1536
bit)
lifetime: 28800
seconds, no volume limit
c.
In the above output, how many ISAKMP policies
are there? Two, the SDM
default with priority 1 and the one with priority 10, which was created during
the SDM session with R1 and copied as part of the mirror configuration.
d.
Issue the show crypto ipsec transform-set command
to display the configured IPsec policies in the form of the transform sets.
R3#show crypto ipsec transform-set
Transform set Lab-Transform: { esp-256-aes
esp-sha-hmac }
will
negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes
esp-sha-hmac }
will
negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des
esp-sha-hmac }
will
negotiate = { Transport, },
e.
Use the show crypto map command to display
the crypto maps that will be applied to the router.
R3#show crypto map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
Description: Apply the crypto map on the peer router's interface having
IP address 10.2.2.1 that connects to this router.
Peer =
10.1.1.1
Extended IP access list SDM_1
access-list SDM_1 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 10.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
Lab-Transform: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map SDM_CMAP_1:
Serial0/0/1
f.
In the above output, the ISAKMP policy being
used by the crypto map is the SDM default policy with sequence number priority
1, indicated by the number 1 in the first output line: Crypto Map “SDM_CMAP_1”
1 ipsec-isakmp. Why is it not using the one you created in the SDM session — the
one shown with priority 10 in Step 3b above? The SDM crypto map config defaults to using the default
ISAKMP policy.
g.
(Optional) You can force the routers to use the
more stringent policy that you created by changing the crypto map references in the R1 and R3 router configs as
shown below. If this is done, the default ISAKMP policy 1 can be removed from
both routers.
R1(config)#interface s0/0/0
R1(config-if)#no crypto map SDM_CMAP_1
R1(config-if)#exit
*Jan 30 17:01:46.099: %CRYPTO-6-ISAKMP_ON_OFF:
ISAKMP is OFF
R1(config)#no crypto map SDM_CMAP_1 1
R1(config)#crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled
until a peer
and a
valid access list have been configured.
R1(config-crypto-map)#description
Tunnel to 10.2.2.1
R1(config-crypto-map)#set
peer 10.2.2.1
R1(config-crypto-map)#set
transform-set Lab-Transform
R1(config-crypto-map)#match
address 100
R1(config-crypto-map)#exit
R1(config)#int s0/0/0
R1(config-if)#crypto map SDM_CMAP_1
R1(config-if)#e
*Jan 30 17:03:16.603: %CRYPTO-6-ISAKMP_ON_OFF:
ISAKMP is ON
R3(config)#interface s0/0/1
R3(config-if)#no crypto map SDM_CMAP_1
R3(config-if)#exit
R3(config)#no crypto map SDM_CMAP_1 1
R3(config)#crypto map SDM_CMAP_1 10
ipsec-isakmp
% NOTE: This new crypto map will remain disabled
until a peer
and a
valid access list have been configured.
R3(config-crypto-map)#description
Tunnel to 10.1.1.1
R3(config-crypto-map)#set
peer 10.1.1.1
R3(config-crypto-map)#set
transform-set Lab-Transform
R3(config-crypto-map)#match
address 100
R3(config-crypto-map)#exit
R3(config)#int s0/0/1
R3(config-if)#crypto map SDM_CMAP_1
R3(config-if)#
*Jan 30 22:18:28.487: %CRYPTO-6-ISAKMP_ON_OFF:
ISAKMP is ON
Task 5: Test the VPN Configuration Using SDM on R1.
a.
On R1, use SDM to test the IPsec VPN tunnel
between the two routers. Select VPN >
Site-to-Site VPN and click the Edit
Site-to-Site VPN tab.
b.
From the Edit
Site to Site VPN tab, select the VPN and click Test Tunnel.
c.
When the VPN Troubleshooting window displays, click
the Start button to
have SDM start troubleshooting the tunnel.
d.
When the SDM Warning window displays indicating
that SDM will enable router debugs and generate some tunnel traffic, click Yes to continue.
e.
In the next VPN Troubleshooting window, the IP
address of the R1 Fa0/1 interface in the source network is displayed by default
(192.168.1.1). Enter the IP address of the R3 Fa0/1 interface in the
destination network field (192.168.3.1) and click Continue to begin the debugging process.
f.
If the debug is successful and the tunnel is up,
you should see the screen below. If the testing fails, SDM displays failure
reasons and recommended actions. Click OK
to remove the window.
g.
You can save the report if desired; otherwise,
click Close.
Note: If you want to
reset the tunnel and test again, you can click the Clear Connection button from the Edit Suite-to-Site VPN window.
This can also be accomplished at the CLI using the clear crypto session
command.
h.
Display the running config for R3 beginning with
the first line that contains the string 0/0/1 to verify that the crypto map is
applied to S0/0/1.
R3#sh run | beg 0/0/1
interface Serial0/0/1
ip address
10.2.2.1 255.255.255.252
crypto map
SDM_CMAP_1
<output omitted>
i.
Issue the show crypto isakmp sa command on
R3 to view the security association created.
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst
src state conn-id slot status
10.2.2.1
10.1.1.1 QM_IDLE 1001 0 ACTIVE
j.
Issue the show crypto ipsec sa command. How
many packets have been transformed between R1 and R3? 116 from the SDM testing
R3#show crypto ipsec sa
interface: Serial0/0/1
Crypto map
tag: SDM_CMAP_1, local addr 10.2.2.1
protected
vrf: (none)
local ident (addr/mask/prot/port):
(192.168.3.0/255.255.255.0/0/0)
remote
ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer
10.1.1.1 port 500
PERMIT,
flags={origin_is_acl,}
#pkts
encaps: 116, #pkts encrypt: 116, #pkts digest: 116
#pkts
decaps: 116, #pkts decrypt: 116, #pkts verify: 116
#pkts
compressed: 0, #pkts decompressed: 0
#pkts not
compressed: 0, #pkts compr. failed: 0
#pkts not
decompressed: 0, #pkts decompress failed: 0
#send
errors 0, #recv errors 0
local
crypto endpt.: 10.2.2.1, remote crypto endpt.: 10.1.1.1
path mtu
1500, ip mtu 1500, ip mtu idb Serial0/0/1
current
outbound spi: 0x207AAD8A(544910730)
inbound
esp sas:
spi: 0xAF102CAE(2937072814)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn
id: 2007, flow_id: FPGA:7, crypto map: SDM_CMAP_1
sa
timing: remaining key lifetime (k/sec): (4558294/3037)
IV
size: 16 bytes
replay
detection support: Y
Status: ACTIVE
inbound
ah sas:
inbound
pcp sas:
outbound
esp sas:
spi: 0x207AAD8A(544910730)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn
id: 2008, flow_id: FPGA:8, crypto map: SDM_CMAP_1
sa
timing: remaining key lifetime (k/sec): (4558294/3037)
IV
size: 16 bytes
replay
detection support: Y
Status: ACTIVE
outbound
ah sas:
outbound
pcp sas:
Task 6: Reflection
a.
Would traffic on the Fast Ethernet link between
PC-A and the R1 Fa0/0 interface be encrypted by the site-to-site IPsec VPN
tunnel? Why or why not? No,
this site-to-site VPN only encrypts from router R1 to R3. A sniffer could be
used to see the traffic from PC-A to the R1 default gateway.
b.
What are some factors to consider when
configuring site-to-site IPsec VPNs using the manual CLI compared to using the
SDM VPN wizard GUI?
Answers will vary but could
include:
Traditional CLI methods are
time-consuming and prone to keystroke errors. They also require the
administrator to have an extensive knowledge of IPsec VPNs and Cisco IOS
command syntax.
SDM gives the maximum flexibility
and greatly simplifies IPsec VPN configuration. SDM also provides help and
explanations on various technologies and settings available.
Router Interface Summary Table
Router Interface
Summary
|
Router Model
|
Ethernet Interface #1
|
Ethernet Interface #2
|
Serial Interface #1
|
Serial Interface #2
|
1700
|
Fast Ethernet 0 (FA0)
|
Fast Ethernet 1 (FA1)
|
Serial 0 (S0)
|
Serial 1 (S1)
|
1800
|
Fast
Ethernet 0/0 (FA0/0)
|
Fast
Ethernet 0/1 (FA0/1)
|
Serial
0/0/0 (S0/0/0)
|
Serial
0/0/1 (S0/0/1)
|
2600
|
Fast Ethernet 0/0 (FA0/0)
|
Fast Ethernet 0/1 (FA0/1)
|
Serial 0/0 (S0/0)
|
Serial 0/1 (S0/1)
|
2800
|
Fast Ethernet 0/0 (FA0/0)
|
Fast Ethernet 0/1 (FA0/1)
|
Serial 0/0/0 (S0/0/0)
|
Serial 0/0/1 (S0/0/1)
|
Note: To find out how the
router is configured, look at the interfaces to identify the type of router
and how many interfaces the router has. There is no way to effectively list
all the combinations of configurations for each router class. This table
includes identifiers for the possible combinations of Ethernet and Serial interfaces
in the device. The table does not include any other type of interface, even
though a specific router may contain one. An example of this might be an ISDN
BRI interface. The string in parenthesis is the legal abbreviation that can
be used in Cisco IOS commands to represent the interface.
|
Router Configs
Router R1 after Part 1
R1#sh run
Building configuration...
Current configuration : 1385 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
archive
log config
hidekeys
!
interface FastEthernet0/0
no ip
address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address
192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
ip address
10.1.1.1 255.255.255.252
no
fair-queue
clock rate
64000
!
interface Serial0/0/1
no ip
address
shutdown
clock rate
2000000
!
interface Vlan1
no ip
address
!
router eigrp 101
network
10.1.1.0 0.0.0.3
network
192.168.1.0
no
auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
password 7
14141B180F0B29242A38322631
logging
synchronous
login
line aux 0
exec-timeout 5 0
password 7
045802150C2E4D5B1109040401
login
line vty 0 4
exec-timeout 5 0
password 7
05080F1C2243581D0015160118
login
!
scheduler allocate 20000 1000
end
Router R2 after Part 1
R2#sh run
Building configuration...
Current configuration : 1369 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface FastEthernet0/0
no ip
address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip
address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
ip address
10.1.1.2 255.255.255.252
no fair-queue
!
interface
Serial0/0/1
ip address 10.2.2.2 255.255.255.252
clock rate
64000
!
interface Vlan1
no ip
address
!
router eigrp 101
network
10.1.1.0 0.0.0.3
network
10.2.2.0 0.0.0.3
no
auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
exec-timeout 0 0
password 7
05080F1C22434D061715160118
logging
synchronous
login
line aux 0
exec-timeout 5 0
password 7
104D000A0618131E14142B3837
login
line vty 0 4
exec-timeout 5 0
password 7
02050D4808091935555E080A16
login
!
scheduler allocate 20000 1000
end
R2#R2#
Router R3 after Part 1
R3#sh run
Building configuration...
Current configuration : 1347 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface FastEthernet0/0
no ip
address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address
192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
no ip
address
shutdown
no
fair-queue
clock rate
2000000
!
interface Serial0/0/1
ip address
10.2.2.1 255.255.255.252
!
interface Vlan1
no ip address
!
router eigrp 101
network 10.2.2.0
0.0.0.3
network
192.168.3.0
no
auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
password 7
01100F17580405002F5C4F1A0A
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7
094F471A1A0A1607131C053938
login
line vty 0 4
exec-timeout 5 0
password 7
14141B180F0B3C3F3D38322631
login
!
scheduler allocate 20000 1000
end
R3#
Router R1 after Part 2
R1#sh run
Building configuration...
Current configuration : 1815 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes
256
authentication pre-share
group 5
lifetime
3600
crypto isakmp key cisco123 address 10.2.2.1
!
crypto ipsec security-association lifetime seconds
1800
!
crypto ipsec transform-set 50 esp-aes 256
esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer
10.2.2.1
set
security-association lifetime seconds 900
set
transform-set 50
set pfs
group5
match
address 101
!
interface FastEthernet0/0
no ip
address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address
192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
ip address
10.1.1.1 255.255.255.252
no
fair-queue
clock rate
64000
crypto map
CMAP
!
interface Serial0/0/1
no ip
address
shutdown
clock rate
2000000
!
interface Vlan1
no ip
address
!
router eigrp 101
network
10.1.1.0 0.0.0.3
network
192.168.1.0
no
auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255
192.168.3.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
password 7
00071A150754080901314D5D1A
logging
synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password 7
00071A1507541D1216314D5D1A
login
!
scheduler allocate 20000 1000
end
R1#
Router R3 after Part 2
R3#sh run
Building configuration...
Current configuration : 1797 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes
256
authentication pre-share
group 5
lifetime
3600
crypto isakmp key cisco123 address 10.1.1.1
!
crypto ipsec security-association lifetime seconds
1800
!
crypto ipsec transform-set 50 esp-aes 256
esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer
10.1.1.1
set
security-association lifetime seconds 900
set
transform-set 50
set pfs
group5
match
address 101
!
interface FastEthernet0/0
no ip
address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address
192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
no ip
address
shutdown
no
fair-queue
clock rate
2000000
!
interface Serial0/0/1
ip address
10.2.2.1 255.255.255.252
crypto map
CMAP
!
interface Vlan1
no ip
address
!
router eigrp 101
network
10.2.2.0 0.0.0.3
network
192.168.3.0
no
auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.3.0 0.0.0.255
192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
password 7
03075218050022434019181604
logging
synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password 7
14141B180F0B3C3F3D38322631
login
!
scheduler allocate 20000 1000
end
R3#
Router R1 after Part 3
R1#sh run
Building configuration...
Current configuration : 1966 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
no logging buffered
enable secret 5 $1$jV0j$TkWKZZFegFd3ZYmfsmXaC1
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes
256
hash md5
authentication
pre-share
group 5
lifetime
28800
crypto isakmp key cisco12345 address 10.2.2.1
!
crypto ipsec transform-set Lab-Transform esp-aes
256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description
Tunnel to 10.2.2.1
set peer
10.2.2.1
set transform-set
Lab-Transform
match
address 100
!
interface FastEthernet0/0
no ip
address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address
192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
ip address
10.1.1.1 255.255.255.252
clock rate
64000
crypto map
SDM_CMAP_1
!
interface Serial0/0/1
no ip
address
shutdown
clock rate
2000000
!
interface Vlan1
no ip
address
!
router eigrp 101
network
10.1.1.0 0.0.0.3
network
192.168.1.0
auto-summary
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPsec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255
192.168.3.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
password 7
094F471A1A0A141D051C053938
logging
synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password 7
01100F175804101B385C4F1A0A
login
!
scheduler allocate 20000 1000
end
R1#
Router R3 after Part 3
R3#sh
run
Building
configuration...
Current
configuration : 1982 bytes
!
version
12.4
service
timestamps debug datetime msec
service
timestamps log datetime msec
service
password-encryption
!
hostname
R3
!
boot-start-marker
boot-end-marker
!
security
passwords min-length 10
logging
message-counter syslog
!
no
aaa new-model
dot11
syslog
ip
source-route
!
ip
cef
no ip
domain lookup
!
no
ipv6 cef
multilink
bundle-name authenticated
!
archive
log config
hidekeys
!
crypto
isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto
isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 28800
crypto
isakmp key cisco12345 address 10.1.1.1
!
!
crypto
ipsec transform-set Lab-Transform esp-aes 256 esp-sha-hmac
!
crypto
map SDM_CMAP_1 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set Lab-Transform
match address SDM_1
!
interface
FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface
FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface
FastEthernet0/1/0
!
interface
FastEthernet0/1/1
!
interface
FastEthernet0/1/2
!
interface
FastEthernet0/1/3
!
interface
Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface
Serial0/0/1
ip address 10.2.2.1 255.255.255.252
crypto map SDM_CMAP_1
!
interface
Vlan1
no ip address
!
router
eigrp 101
network 10.2.2.0 0.0.0.3
network 192.168.3.0
no auto-summary
!
ip
forward-protocol nd
ip
http server
no ip
http secure-server
!
ip
access-list extended SDM_1
remark SDM_ACL Category=4
remark IPsec Rule
permit ip 192.168.3.0 0.0.0.255 192.168.1.0
0.0.0.255
!
control-plane
!
line
con 0
exec-timeout 0 0
password 7 110A1016141D08030A3A2A373B
logging synchronous
login
line
aux 0
line
vty 0 4
exec-timeout 5 0
password 7 14141B180F0B3C3F3D38322631
login
!
scheduler
allocate 20000 1000
end
R3#
