Configuring a Site-to-Site VPN Using Cisco IOS and CCP

  • IP Addressing Table
Device Interface IP Address Subnet Mask Default Gateway Switch Poort
R1 Fa0/1 192.168.1.1 255.255.255.0 N/A S1 Fa0/5
S0/0/0 (DCE) 10.1.1.1 255.255.255.252 N/A N/A
R2 S0/0/0 10.1.1.2 255.255.255.252 N/A N/A
S0/0/1 (DCE) 10.2.2.2 255.255.255.252 N/A N/A
R3 Fa0/1 192.168.3.1 255.255.255.0 N/A S3 Fa0/5
S0/0/1 10.2.2.1 255.255.255.252 N/A N/A
PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1 S1 Fa0/6
PC-C NIC 192.168.3.3 255.255.255.0 192.168.3.1 S3 Fa0/18
  • Topology

1

Configure Basic Device Settings

you will set up the network topology and configure basic settings, such as the interface IP addresses, dynamic routing, device access, and passwords.
  • Configure the OSPF routing protocol on R1, R2, and R3.

a.       On R1, use the following commands:

R1(config)# router ospf 101

R1(config-router)# network 192.168.1.0 0.0.0.255 area 0

R1(config-router)# network 10.1.1.0 0.0.0.3 area 0

b.       On R2, use the following commands:

R2(config)# router ospf 101

R2(config-router)# network 10.1.1.0 0.0.0.3 area 0

R2(config-router)# network 10.2.2.0 0.0.0.3 area 0

c.        On R3, use the following commands:

R3(config)# router ospf 101

R3(config-router)# network 192.168.3.0 0.0.0.255 area 0

R3(config-router)# network 10.2.2.0 0.0.0.3 area 0

  •  Configure a minimum password length.

Use the security passwords command to set a minimum password length of 10 characters.

R1(config)# security passwords min-length 10

  • Encrypt clear text passwords.

a.       Use the service password-encryption command to encrypt the console, aux, and vty passwords.

R1(config)# service password-encryption

b.       Issue the show run command. Can you read the console, aux, and vty passwords? Explain.

No, the passwords are now encrypted.

  • Save the basic running configuration for all three routers.

Save the running configuration to the startup configuration from the privileged EXEC mode prompt on R1, R2, and R3.

R1# copy running-config startup-config

Repeat this configuration on both R2 and R3.
  •  Configure a Site-to-Site VPN with Cisco IOS

Task 1: Configure IPsec VPN Settings on R1 and R3.

  • Verify connectivity from the R1 LAN to the R3 LAN.

From PC-A, ping the PC-C IP address of 192.168.3.3.

PC-A:,  ping 192.168.3.3

If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.

  • Enable IKE policies on R1 and R3.

R1(config)# crypto isakmp enable 

R3(config)# crypto isakmp enable

Issue the crypto isakmp policy number global configuration mode command on R1 for policy 10.

R1(config)# crypto isakmp policy 10

Configure ISAKMP policy parameters on R1 and R3                                                

Configure an ISAKMP policy with a priority of 10. Use pre-shared key as the authentication type,.aes 256 for the encryption algorithm, sha as the hash algorithm, and Diffie-Hellman group 5 key exchange. Give the policy a lifetime of 3600 seconds (one hour).

R1(config)# crypto isakmp policy 10

R1(config-isakmp)# authentication pre-share

R1(config-isakmp)# encryption aes 256

R1(config-isakmp)# hash sha

R1(config-isakmp)# group 5

R1(config-isakmp)# lifetime 3600

R1(config-isakmp)# end

Configure the same policy on R3.

R3(config)# crypto isakmp policy 10

R3(config-isakmp)# authentication pre-share

R3(config-isakmp)# encryption aes 256

R3(config-isakmp)# hash sha

R3(config-isakmp)# group 5

R3(config-isakmp)# lifetime 3600

R3(config-isakmp)# end

Verify the IKE policy with the show crypto isakmp policy

R1# show crypto isakmp policy

 

  • Configure pre-shared keys.

Which IP addresses should you use to configure the IKE peers, given the topology diagram and IP addressing table?

The IP addresses should be R1 S0/0/0 IP address 10.1.1.1 and R3 S0/0/1 IP address 10.2.2.1 because these are the addresses that are used to send normal traffic between R1 and R3.

R1(config)# crypto isakmp key cisco123 address 10.2.2.1

R3(config)# crypto isakmp key cisco123 address 10.1.1.1

  • Configure the IPsec transform set and life times.

R1(config)# crypto ipsec transform-set 50 ?

  ah-md5-hmac   AH-HMAC-MD5 transform

  ah-sha-hmac   AH-HMAC-SHA transform

  comp-lzs      IP Compression using the LZS compression algorithm

  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)

  esp-aes       ESP transform using AES cipher

  esp-des       ESP transform using DES cipher (56 bits)

  esp-md5-hmac  ESP transform using HMAC-MD5 auth

  esp-null      ESP transform w/o cipher

  esp-seal      ESP transform using SEAL cipher (160 bits)

  esp-sha-hmac  ESP transform using HMAC-SHA auth

R1(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac

R1(cfg-crypto-trans)# exit

R3(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac

R3(cfg-crypto-trans)# exit

What is the function of the IPsec transform set?

The IPsec transform set specifies the cryptographic algorithms and functions (transforms) that a router employs on the actual data packets sent through the IPsec tunnel. These algorithms include the encryption, encapsulation, authentication, and data integrity services that IPsec can apply.

On R1 and R3, set the IPsec security association life time to 30 minutes, or 1800 seconds.

R1(config)# crypto ipsec security-association lifetime seconds 1800

R3(config)# crypto ipsec security-association lifetime seconds 1800

  • Define interesting traffic.

These access lists are used outbound on the VPN endpoint interfaces and must mirror each other.

Configure the IPsec VPN interesting traffic ACL on R1.

R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Configure the IPsec VPN interesting traffic ACL on R3.

R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Does IPsec evaluate whether the access lists are mirrored as a requirement to negotiate its security association?

Yes, IPsec does evaluate whether access lists are mirrored. IPsec does not form a security association if the peers do not have mirrored access lists to select interesting traffic.

  • Create and apply a crypto map

R1(config)# crypto map CMAP 10 ipsec-isakmp

Use the match address access-list command to specify which access list defines which traffic to encrypt.

R1(config-crypto-map)# match address 101

To view the list of possible set commands that you can do in a crypto map, use the help function.

R1(config-crypto-map)# set ?

Setting a peer IP or hostname is required. Set it to R3’s remote VPN endpoint interface using the following command.

R1(config-crypto-map)# set peer 10.2.2.1

Hard code the transform set to be used with this peer, using the set transform-set tag Set the perfect forwarding secrecy type using the set pfs type command, and also modify the default IPsec security association life time with the set security-association lifetime seconds seconds command.

R1(config-crypto-map)# set pfs group5

R1(config-crypto-map)# set transform-set 50

R1(config-crypto-map)# set security-association lifetime seconds 900

R1(config-crypto-map)# exit

Create a mirrored matching crypto map on R3.

R3(config)# crypto map CMAP 10 ipsec-isakmp

R3(config-crypto-map)# match address 101

R3(config-crypto-map)# set peer 10.1.1.1

R3(config-crypto-map)# set pfs group5

R3(config-crypto-map)# set transform-set 50

R3(config-crypto-map)# set security-association lifetime seconds 900

R3(config-crypto-map)# exit

Apply the crypto maps to the appropriate interfaces on R1 and R3.

R1(config)# interface S0/0/0

R1(config-if)# crypto map CMAP

*Jan 28 04:09:09.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1(config)# end

R3(config)# interface S0/0/1

R3(config-if)# crypto map CMAP

*Jan 28 04:10:54.138: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3(config)# end

Task 2:Verify the Site-to-Site IPsec VPN Configuration.

  • Verify the IPsec configuration on R1 and R3.

R1# show crypto ipsec transform-set

R3# show crypto ipsec transform-set

Use the show crypto map command to display the crypto maps that will be applied to the router.

R1# show crypto map

Crypto Map “CMAP” 10 ipsec-isakmp

        Peer = 10.2.2.1

        Extended IP access list 101

            access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

        Current peer: 10.2.2.1

        Security association lifetime: 4608000 kilobytes/900 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): Y

        DH group:  group5

        Transform sets={

                50:  { esp-256-aes esp-sha-hmac  } ,

        }

        Interfaces using crypto map CMAP:

                Serial0/0/0

 

R3# show crypto map

Crypto Map “CMAP” 10 ipsec-isakmp

        Peer = 10.1.1.1

        Extended IP access list 101

            access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

        Current peer: 10.1.1.1

        Security association lifetime: 4608000 kilobytes/900 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): Y

        DH group:  group5

        Transform sets={

                50:  { esp-256-aes esp-sha-hmac  } ,

        }

        Interfaces using crypto map CMAP:

                Serial0/0/1

Task 3:Verify the IPsec VPN Operation.

  • Display isakmp security associations.

R1# show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst  src state conn-id status

IPv6 Crypto ISAKMP SA

  • Display IPsec security associations.

The show crypto ipsec sa command shows the unused SA between R1 and R3

R1# show crypto ipsec sa

interface: Serial0/0/0

    Crypto map tag: CMAP, local addr 10.1.1.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

   current_peer 10.2.2.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Why have no SAs been negotiated?

Because no interesting traffic has been identified, IPsec has not begun to negotiate a security association over which it will encrypt traffic

  • Generate some uninteresting test traffic and observe the results.                                          
  1. Ping from R1 to the R3 S0/0/1 interface IP address 2.2.1. These pings should be successful.
  2. Ping from R1 to the R3 Fa01 interface IP address 168.3.1. These pings should be successful.
  3. Issue the show crypto isakmp sa command again. Was an SA created for these pings? Explain.

No SA was created. The source address of both pings was the R1 S0/0/0 address of 10.1.1.1. In the first case, the destination address was 10.2.2.1. In the second case, the destination address was 192.168.3.1. This is not “interesting” traffic. The ACL 101 that is associated with the crypto map for R1 defines interesting traffic as IP packets from the 192.168.1.0/24 network to the 192.168.3.0/24 network.

Issue the debug ip ospf hello command. You should see OSPF hello packets passing between R1 and R3.

R1# debug ip ospf hello

OSPF hello events debugging is on

R1#

*Apr  7 18:04:46.467: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1 from 192.168.1.1

*Apr  7 18:04:50.055: OSPF: Send hello to 224.0.0.5 area 0 on Serial0/0/0 from 10.1.1.1

*Apr  7 18:04:52.463: OSPF: Rcv hello from 10.2.2.2 area 0 from Serial0/0/0 10.1.1.2

*Apr  7 18:04:52.463: OSPF: End of hello processing

*Apr  7 18:04:55.675: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1 from 192.168.1.1

*Apr  7 18:04:59.387: OSPF: Send hello to 224.0.0.5 area 0 on Serial0/0/0 from 10.1.1.1

*Apr  7 18:05:02.431: OSPF: Rcv hello from 10.2.2.2 area 0 from Serial0/0/0 10.1.1.2

*Apr  7 18:05:02.431: OSPF: End of hello processing

Turn off debugging with the no debug ip ospf hello or undebug all

Re-issue the show crypto isakmp sa Was an SA created between R1 and R3? Explain.

No. This is router-to-router routing protocol traffic. The source and destination of these packets is not interesting, does not initiate the SA, and is not encrypted.

  • Generate some interesting test traffic and observe the results.

R1# ping

Protocol [ip]:

Target IP address: 192.168.3.1

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.1.1

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

 

Packet sent with a source address of 192.168.1.1

..!!!

Success rate is 100 percent (3/5), round-trip min/avg/max = 92/92/92 ms

Re-issue the show crypto isakmp sa

R1# show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

10.2.2.1  10.1.1.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

Why was an SA created between R1 and R3 this time?

The source was 192.168.1.1, and the destination was 192.168.3.1. This is interesting traffic based on the ACL 101 definition. An SA is established, and packets travel through the tunnel as encrypted traffic.

What are the endpoints of the IPsec VPN tunnel?

Src: 10.1.1.1 (R1 S0/0/0), Dst: 10.2.2.1 (R3 S0/0/1)

Ping from PC-A to PC-C. If the pings were successful, issue the show crypto ipsec sa How many packets have been transformed between R1 and R3?

Nine, Five packets from the R1 to R3 pings, and four packets from the PC-A to R3 pings. One packet for each echo request. The number of packet may vary depending on how many pings have been issued and from where.

R1# show crypto ipsec sa

interface: Serial0/0/0

    Crypto map tag: CMAP, local addr 10.1.1.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

   current_peer 10.2.2.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7

    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 2, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0

     current outbound spi: 0xC1DD058(203280472)

     inbound esp sas:

      spi: 0xDF57120F(3747025423)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2005, flow_id: FPGA:5, crypto map: CMAP

        sa timing: remaining key lifetime (k/sec): (4485195/877)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xC1DD058(203280472)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2006, flow_id: FPGA:6, crypto map: CMAP

        sa timing: remaining key lifetime (k/sec): (4485195/877)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

The previous example used pings to generate interesting traffic. What other types of traffic would result in an SA forming and tunnel establishment?

Any traffic initiated from R1 with a source address in the 192.168.1.0/24 network and a destination address in the 192.168.3.0/24 network. On R3, interesting traffic is any traffic with a source address in the 192.168.3.0/24 network and a destination address in the 192.168.1.0/24 network. This includes FTP, HTTP, Telnet, and others.

  • Configure a Site-to-Site IPsec VPN with CCP

    Task 1: Restore Router R1 and R3 to the Basic Settings.

  • Restore the basic configuration.

R1# reload

System configuration has been modified. Save? [yes/no]: no

Proceed with reload? [confirm]

Repeat on R3.

Task 2 :Configure IPsec VPN Settings on R1 Using CCP.

  • Configure a username and password pair and enable HTTP router access. 

From the CLI, configure a username admin and password cisco12345 to use with CCP on R1 and R3.

R1(config)# username admin privilege 15 secret cisco12345

R3(config)# username admin privilege 15 secret cisco12345

Enable the secure HTTP server on R1 and R3.

R1(config)#ip http secure-server

R3(config)#ip http secure-server

Configure local database authentication of web sessions to support CCP connectivity.

R1(config)# ip http authentication local

R3(config)# ip http authentication local

  • Access CCP and discover R1  

    Run the CCP application on PC-A. In the Select/Manage Community window, in the Hostname/Address field, enter the R1 IP address 168.1.1, in the Username field, enter admin, and in the Password field, cisco12345. Click the Connect Securely check box, and then click OK.

2

At the CCP Dashboard, click Discover to discover and connect to R1. If the discovery process fails, click Discover Details to determine the problem and resolve the issue.

3

Start the CCP VPN wizard to configure R1

On the CCP menu bar, click Configure, and click Security > VPN > Site-to-Site VPN. Read through the description of this option.

What must you know to complete the configuration?

The remote device (R3 S0/0/1) IP address and the pre-shared key (cisco12345), which will be established in Task 2, Step 4.

5

In the initial Site-to-Site VPN wizard window, choose the Step by Step wizard, and then click Next. Why would you use this option over the Quick setup option?

So that you have more control over the VPN settings used.

  • Configure basic VPN connection information settings.
  1. In the VPN Connection Information window, select the interface for the connection, which should be R1 Serial0/0/0.
  2. In the Peer Identity section, select Peer with static IP address, and enter the IP address of remote peer R3 S0/0/1 (2.2.1).

6

  • Configure IKE policy parameters. 

    In the IKE Proposals window, a default policy proposal is displayed. You can use this one or create a new one. What function does this IKE proposal serve?

The IKE proposal specifies the encryption algorithm, authentication algorithm, and key exchange method used by this router when negotiating a VPN connection with a remote router.

Set up the security policy as shown in the Add IKE Policy dialog box. These settings are matched later on R3. When finished, click OK to add the policy, and click Next.

7

For assistance in answering the following questions, click Help. What is the function of the encryption algorithm in the IKE policy?

The encryption algorithm encrypts and decrypts the payload of the control packets that pass over the secure IKE channel.

What is the purpose of the hash function?

The hash validates that the entire control packet has not been tampered with during transit. The hash also authenticates the remote peer as the origin of the packet via a secret key.

What function does the authentication method serve?

Both endpoints verify that the IPsec traffic that they have received is sent by the remote IPsec peer.

How is the Diffie-Hellman group in the IKE policy used?

The Diffie-Hellman group is used by each of the endpoints to generate a shared secret key, which is never transmitted across the network. Each Diffie-Hellman group has an associated key length.

What event happens at the end of the IKE policy’s lifetime?

IKE renegotiates the IKE association.

  • Configure a transform set.

A CCP default transform set is displayed. Click Add to create a new transform set.

Set up the transform set, as shown in the Add Transform Set dialog box. These settings are matched later on R3. When finished, click OK to add the transform set, and click Next.

8

 

  • Define interesting traffic

In the Traffic to protect window, enter the information as shown below. These are the opposite of the settings configured on R3 later in the lab. When finished, click Next.

9

  • Review the summary configuration and deliver commands to the router.

10

Task 3: Create a Mirror Configuration for R3

  • Use CCP on R1 to generate a mirror configuration for R3

On R1, on the CCP menu bar, click Configure, and then click Security > VPN > Site-to-Site VPN. Select the Edit Site to Site VPN You should see the VPN configuration listed that you just created on R1. What is the description of the VPN?

Tunnel to 10.2.2.1 

What is the status of the VPN and why?

Down. The IKE security association could not be established because the VPN peer R3 has not yet been configured. R3 must be configured with the appropriate VPN parameters, such as matching IKE proposals and IPsec policies and a mirrored access list, before the IKE and IPsec security associations will activate.

11

  • Apply the crypto map to the R3 S0/0/1 interface.

R3(config)# interface S0/0/1

R3(config-if)# crypto map SDM_CMAP_1

*Jan 30 13:00:38.184: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

  • Verify the VPN configuration on R3 using Cisco IOS

R3# show run | begin 0/0/1

interface Serial0/0/1

 ip address 10.2.2.1 255.255.255.252

 crypto map SDM_CMAP_1

 On R3, use the show crypto isakmp policy command to show the configured ISAKMP policies on the router.

R3# show crypto isakmp policy

Global IKE policy

Protection suite of priority 1

        encryption algorithm:   Three key triple DES

        hash algorithm:         Secure Hash Standard

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

 

Protection suite of priority 10

        encryption algorithm:   AES – Advanced Encryption Standard (256 bit keys).

        hash algorithm:         Message Digest 5

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #5 (1536 bit)

        lifetime:   86400 seconds, no volume limit

  In the above output, how many ISAKMP policies are there?

Two, the SDM default with priority 1 and the one with priority 10, which was created during the SDM session with R1 and copied as part of the mirror configuration.

  •  Issue the show crypto ipsec transform-set command to display the configured IPsec policies in the form of the transform sets.

R3# show crypto ipsec transform-set

Transform set Lab-Transform: { esp-256-aes esp-sha-hmac  }

will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }

will negotiate = { Transport,  },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }

will negotiate = { Transport,  },

  •  Use the show crypto map command to display the crypto maps that will be applied to the router.

R3# show crypto map

Crypto Map “SDM_CMAP_1” 1 ipsec-isakmp

        Description: Apply the crypto map on the peer router’s interface having IP address 10.2.2.1 that connects to this router.

        Peer = 10.1.1.1

        Extended IP access list SDM_1

            access-list SDM_1 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

        Current peer: 10.1.1.1

        Security association lifetime: 4608000 kilobytes/3600 seconds

        PFS (Y/N): N

        Transform sets={

                Lab-Transform:  { esp-256-aes esp-sha-hmac  } ,

        }

        Interfaces using crypto map SDM_CMAP_1:

                Serial0/0/1

  • The crypto map references in the R1 and R3 router configurations.

R1(config)# interface S0/0/0

R1(config-if)# no crypto map SDM_CMAP_1

R1(config-if)# exit

*Jan 30 17:01:46.099: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

R1(config)# no crypto map SDM_CMAP_1 1

R1(config)# crypto map SDM_CMAP_1 10 ipsec-isakmp

This new crypto map will remain disabled until a peer and a valid access list have been configured.

R1(config-crypto-map)# description Tunnel to 10.2.2.1

R1(config-crypto-map)# set peer 10.2.2.1

R1(config-crypto-map)# set transform-set Lab-Transform

R1(config-crypto-map)# match address 100

R1(config-crypto-map)# exit

R1(config)#interface S0/0/0

R1(config-if)# crypto map SDM_CMAP_1

R1(config-if)#

*Jan 30 17:03:16.603: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3(config)# interface S0/0/1

R3(config-if)# no crypto map SDM_CMAP_1

R3(config-if)# exit

R3(config)# no crypto map SDM_CMAP_1 1

R3(config)# crypto map SDM_CMAP_1 10 ipsec-isakmp

This new crypto map will remain disabled until a peer and a valid access list have been configured.

R3(config-crypto-map)# description Tunnel to 10.1.1.1

R3(config-crypto-map)# set peer 10.1.1.1

R3(config-crypto-map)# set transform-set Lab-Transform

R3(config-crypto-map)# match address SDM_1

R3(config-crypto-map)# exit

R3(config)# interface S0/0/1

R3(config-if)# crypto map SDM_CMAP_1

R3(config-if)#

*Jan 30 22:18:28.487: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

  • Test the VPN Configuration Using CCP on R1

 In the next VPN Troubleshooting window, the IP address of the R1 Fa0/1 interface in the source network is displayed by default (192.168.1.1). Enter the IP address of the R3 Fa0/1 interface in the destination network field (192.168.3.1), and click Continue to begin the debugging process.

13

 If the debug is successful and the tunnel is up, you should see the screen below. If the testing fails, CCP displays failure reasons and recommended actions. Click OK to remove the window.

14

 Issue the show crypto ipsec sa command. How many packets have been transformed between R1 and R3?

116 from the SDM testing

R3# show crypto ipsec sa

interface: Serial0/0/1

    Crypto map tag: SDM_CMAP_1, local addr 10.2.2.1

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   current_peer 10.1.1.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 116, #pkts encrypt: 116, #pkts digest: 116

    #pkts decaps: 116, #pkts decrypt: 116, #pkts verify: 116

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

 

     local crypto endpt.: 10.2.2.1, remote crypto endpt.: 10.1.1.1

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1

     current outbound spi: 0x207AAD8A(544910730)

 

     inbound esp sas:

      spi: 0xAF102CAE(2937072814)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2007, flow_id: FPGA:7, crypto map: SDM_CMAP_1

        sa timing: remaining key lifetime (k/sec): (4558294/3037)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x207AAD8A(544910730)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2008, flow_id: FPGA:8, crypto map: SDM_CMAP_1

        sa timing: remaining key lifetime (k/sec): (4558294/3037)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Would traffic on the Fast Ethernet link between PC-A and the R1 Fa0/0 interface be encrypted by the site-to-site IPsec VPN tunnel? Explain.

No, this site-to-site VPN only encrypts from router R1 to R3. A sniffer could be used to see the traffic from PC-A to the R1 default gateway.

Compared to using the CCP VPN wizard GUI, what are some factors to consider when configuring site-to-site IPsec VPNs using the manual CLI?

Traditional CLI methods are time-consuming and prone to keystroke errors. They also require the administrator to have an extensive knowledge of IPsec VPNs and Cisco IOS command syntax.

SDM gives the maximum flexibility and greatly simplifies IPsec VPN configuration. SDM also provides help and explanations on various technologies and settings available.

R1 Startup_config

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
security passwords min-length 10
!
hostname R1
!
!
!
enable secret 5 $1$mERr$WvpW0n5HghRrqnrwXCUUl.
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 101
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.3 area 0
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

R2 Running_config

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 clock rate 64000
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 101
 log-adjacency-changes
 network 10.1.1.0 0.0.0.3 area 0
 network 10.2.2.0 0.0.0.3 area 0
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

R3 Running_config

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 clock rate 2000000
 shutdown
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 101
 log-adjacency-changes
 network 192.168.3.0 0.0.0.255 area 0
 network 10.2.2.0 0.0.0.3 area 0
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

Reference

  1. http://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-security.html
  2. http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

 

 

By S.H.M Lahiru Prabath Balasuriya.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s