Lab3-5.net file for Dynamips:
##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 3.5 Configuring Site-to-Site IPsec VPNs with the IOS CLI
# By Happy Peter http://blog.xuite.net/juilin77/happy
#
##################################################
autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab3-5/workingconfig
[[3640]]
# Specify 3640 IOS image on Windows here:
# image = C:\Program Files\Dynamips\images\c3640-jk9o3s-mz.123-14.T7.extracted.bin
# Specify 3640 IOS image on Linux here:
image = /opt/dynamips/images/c3640-jk.bin
ram = 128
disk0 = 0
disk1 = 0
# Choose an idlepc value from the below
idlepc = 0x605ac7b8
mmap = true
ghostios = true
confreg = 0x2102
###########################
#
# Define router instances 1
#
###########################
[[Router R1]]
model = 3640
console = 2001
slot0 = NM-1FE-TX
[[Router R2]]
model = 3640
console = 2002
slot0 = NM-1FE-TX
slot1 = NM-4T
F0/0 = R1 F0/0
S1/0 = R3 S0/0
[[Router R3]]
model = 3640
console = 2003
slot0 = NM-4T
Objective:
‧ Configure EIGRP on the routers
‧ Create a site-to-site IPsec VPN using IOS
‧ Verify IPsec operation
Scenario:
In this lab, you will configure a site-to-site IPsec VPN.
Once you have configured the VPN, the traffic between the loopback interfaces on R1 and R3 will be encrypted.
Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
hostname R1 (use R2 and R3 on the respective routers)
Step 1: Configure Addressing
R1:
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface fastEthernet 0/0
ip address 192.168.12.1 255.255.255.0
no shutdown
R2:
interface fastEthernet 0/0
ip address 192.168.12.2 255.255.255.0
no shutdown
!
interface Serial1/0
ip address 192.168.23.2 255.255.255.0
clock rate 64000
no shutdown
R3:
interface Loopback0
ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.23.3 255.255.255.0
no shutdown
Step 2: Configure EIGRP
R1
router eigrp 1
network 172.16.0.0
network 192.168.12.0
no auto-summary
R2
router eigrp 1
network 192.168.0.0 0.0.255.255
no auto-summary
R3:
router eigrp 1
network 172.16.0.0
network 192.168.23.0
no auto-summary
!!!Verify!!!
R1#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/24 ms
R3#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/20 ms
Step 3: Create IKE Policies
Both peers need an IKE (ISAKMP) policy whose encryption, hash, authentication method and Diffie-Hellman group match; the lifetime does not have to be identical, the shorter value is used. AES-256 / SHA-1 / group 5 is what the 2008 lab specifies; for a new deployment prefer a larger DH group (14 or higher) and SHA-2.
R1 & R3:
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
R3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
Step 4: Configure Pre-Shared Keys
R1:
crypto isakmp key 6 cisco address 192.168.23.3
R3:
crypto isakmp key 6 cisco address 192.168.12.1
The key string must be identical on both routers, and each side binds it to the address of the other router's crypto-map interface (R1 to R3's S0/0, R3 to R1's F0/0). "cisco" is a lab value only; a production pre-shared key should be long and random.
Step 5: Configure the IPsec Transform Set and Lifetimes
R1 & R3:
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
crypto ipsec security-association lifetime seconds 1800
This transform set applies both AH and ESP to every packet, so two SA pairs are negotiated (AH and ESP, each in both directions). AH also authenticates the outer IP header, which means this tunnel cannot pass through NAT; ESP with esp-sha-hmac already authenticates the payload on its own. The 1800-second lifetime is the router-wide value used by every crypto map that does not set its own.
Step 6: Define Interesting Traffic
R1:
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
R3:
access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
The two access lists must be exact mirror images of each other; otherwise the phase 2 proposal is rejected because the proxy identities do not match. Only traffic between the two loopback networks is encrypted. Everything else between R1 and R3, including the EIGRP exchanges with R2, still crosses the serial link in the clear.
Step 7: Create and Apply Crypto Maps
The lifetime set inside the crypto map (900 seconds) takes precedence over the global 1800 seconds from Step 5 for this map entry. The map only becomes active once it is applied to the interface facing the peer.
R1:
crypto map MYMAP 20 ipsec-isakmp
match address 101
set peer 192.168.23.3
set pfs group5
set transform-set 50
set security-association lifetime seconds 900
!
interface fastEthernet 0/0
crypto map MYMAP
R3:
crypto map MYMAP 20 ipsec-isakmp
match address 101
set peer 192.168.12.1
set pfs group5
set transform-set 50
set security-association lifetime seconds 900
!
interface serial 0/0
crypto map MYMAP
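As an added example (not part of the lab or of Cisco's material), the following Python script checks that two routers' Step 3 to Step 7 configurations agree in the ways IKE and IPsec negotiation requires: the peer address and the pre-shared-key address point at the other router's crypto-map interface, the key string, transform set, PFS group and IKE policy match, and the crypto ACLs are exact mirror images. The R1 excerpt embedded in it is copied from the lab and R3's is derived from it by swapping the addresses; the assumptions are one ISAKMP policy, one transform set and one crypto-map entry per router.

```python
import re
from dataclasses import dataclass, field

POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")
MAP_FIELDS = {"set peer": "peer", "set pfs": "pfs", "match address": "match_acl"}


@dataclass
class PeerConfig:
    name: str
    local_addr: str            # address of the interface the crypto map is applied to
    peer: str = ""             # "set peer" in the crypto map
    pfs: str = ""
    match_acl: str = ""
    psk: str = ""
    psk_addr: str = ""         # address the pre-shared key is bound to
    transform: tuple = ()      # normalised, order-independent transform set
    ike_policy: dict = field(default_factory=dict)
    acl: set = field(default_factory=set)   # {(src, src_wildcard, dst, dst_wildcard)}


def parse_peer(name, local_addr, config_text):
    """Pull the crypto parameters out of an IOS running-config excerpt (assumes one
    ISAKMP policy, one transform set and one crypto-map entry per router)."""
    cfg, acls, in_policy = PeerConfig(name, local_addr), {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if in_policy and line.split()[0] in POLICY_KEYS:
            key, *value = line.split()
            cfg.ike_policy[key] = " ".join(value)
            continue
        in_policy = False
        if m := re.match(r"crypto isakmp key (?:\d+ )?(\S+) address (\S+)", line):
            cfg.psk, cfg.psk_addr = m.groups()
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            # IOS reorders the transforms and writes "esp-aes 256" as two words: glue
            # the key size to its algorithm and sort, so both spellings compare equal
            tokens = re.sub(r"(\S+) (\d+)", r"\1-\2", m.group(1)).split()
            cfg.transform = tuple(sorted(tokens))
        elif m := re.match(r"(set peer|set pfs|match address) (\S+)", line):
            setattr(cfg, MAP_FIELDS[m.group(1)], m.group(2))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m.group(1), set()).add(m.groups()[1:])
    cfg.acl = acls.get(cfg.match_acl, set())
    return cfg


def mirror(entry):
    src, src_wc, dst, dst_wc = entry
    return (dst, dst_wc, src, src_wc)


def ike_params(cfg):
    # the IKE lifetime need not be identical (the shorter value is used), so skip it
    return {k: v for k, v in cfg.ike_policy.items() if k != "lifetime"}


def check_pair(a, b):
    """Return the mismatches that would break IKE/IPsec negotiation between a and b;
    an empty list means the two sides are consistent."""
    problems = []
    for x, y in ((a, b), (b, a)):
        if x.peer != y.local_addr:
            problems.append(f"{x.name}: set peer {x.peer} is not {y.name}'s crypto-map interface {y.local_addr}")
        if x.psk_addr != y.local_addr:
            problems.append(f"{x.name}: pre-shared key bound to {x.psk_addr}, not to {y.local_addr}")
        for entry in x.acl:
            if mirror(entry) not in y.acl:
                problems.append(f"{x.name}: crypto ACL entry {entry} has no mirror image on {y.name}")
    for label, va, vb in (("pre-shared keys", a.psk, b.psk), ("transform sets", a.transform, b.transform),
                          ("PFS groups", a.pfs, b.pfs), ("IKE policies", ike_params(a), ike_params(b))):
        if va != vb:
            problems.append(f"{label} differ: {va} vs {vb}")
    return problems


# R1's Step 3-7 commands as given above.  R3's are the mirror image: swapped addresses,
# swapped ACL, and the transform set in the order IOS shows it in the running config.
R1_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
crypto isakmp key 6 cisco address 192.168.23.3
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
crypto map MYMAP 20 ipsec-isakmp
 match address 101
 set peer 192.168.23.3
 set pfs group5
 set transform-set 50
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
"""
R3_CONFIG = (R1_CONFIG.replace("192.168.23.3", "192.168.12.1")
             .replace("esp-aes 256 esp-sha-hmac ah-sha-hmac", "ah-sha-hmac esp-aes 256 esp-sha-hmac")
             .replace("172.16.1.0 0.0.0.255 172.16.3.0", "172.16.3.0 0.0.0.255 172.16.1.0"))
```

check_pair(parse_peer("R1", "192.168.12.1", R1_CONFIG), parse_peer("R3", "192.168.23.3", R3_CONFIG)) returns an empty list for the lab pair. Mistyping one network in R3's crypto ACL or changing one side's PFS group is reported by name, which is the class of error that otherwise only surfaces as a failed phase 2 in debug crypto isakmp.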
Step 8: Verify IPsec Configuration
R1 & R3:
#show crypto ipsec transform-set
Transform set 50: { ah-sha-hmac }
will negotiate = { Tunnel, },
{ esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
R1#show crypto map
Crypto Map "MYMAP" 20 ipsec-isakmp
Peer = 192.168.23.3
Extended IP access list 101
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
Current peer: 192.168.23.3
Security association lifetime: 4608000 kilobytes/900 seconds
PFS (Y/N): Y
DH group: group5
Transform sets={
50,
}
Interfaces using crypto map MYMAP:
FastEthernet0/0
R3#show crypto map
Crypto Map "MYMAP" 20 ipsec-isakmp
Peer = 192.168.12.1
Extended IP access list 101
access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
Current peer: 192.168.12.1
Security association lifetime: 4608000 kilobytes/900 seconds
PFS (Y/N): Y
DH group: group5
Transform sets={
50,
}
Interfaces using crypto map MYMAP:
Serial0/0
Step 9: Verify IPsec Operation
R1 & R3:
show crypto isakmp sa
dst src state conn-id slot status
No SA is listed yet (only the column header), and the packet counters below are all zero: IKE and IPsec SAs are only negotiated when a packet matches access list 101, and so far nothing has been sent between the loopbacks.
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 192.168.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
current_peer 192.168.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R3#show crypto ipsec sa
interface: Serial0/0
Crypto map tag: MYMAP, local addr 192.168.23.3
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 192.168.12.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.23.3, remote crypto endpt.: 192.168.12.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R3#
Step 10: Interpret IPsec Event Debugging
R1 & R3
debug crypto isakmp
The ping must be sourced from Loopback0: a ping from the FastEthernet or Serial address does not match access list 101, is forwarded in the clear and never triggers IKE. While IKE phase 1 and phase 2 complete, the first echo may time out.
R1#ping 172.16.3.1 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/16 ms
R1 & R3
no debug all
show crypto isakmp sa
show crypto ipsec sa
After the pings, show crypto isakmp sa should list the peer in state QM_IDLE, and the encaps/decaps counters in show crypto ipsec sa should have advanced by the number of echoes exchanged.
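Added example, not from the lab: a small Python parser for show crypto ipsec sa output that extracts the proxy identities, peer, SPIs and packet counters and classifies the SA as idle, active, one-way, no-traffic or failing, which is the check Steps 9 and 10 perform by eye. The idle sample is condensed from R1's output in Step 9; the second sample is constructed to look like the output after the five echoes of Step 10, with invented SPI values, and is not a real capture.

```python
import re

SA_HEADER = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
SPI_LINE = re.compile(r"spi: 0x([0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Reduce one 'show crypto ipsec sa' block to the fields worth checking."""
    info = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0, "outbound_spi": 0,
            **{f"{d}_{p}": [] for d in ("inbound", "outbound") for p in ("esp", "ah", "pcp")}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(local|remote)\s+ident .*?: \(([^/]+)/([^/]+)/", line):
            info[f"{m.group(1)}_ident"] = f"{m.group(2)}/{m.group(3)}"   # proxy identities
        elif m := re.match(r"current_peer (\S+)", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            info[m.group(1)] = int(m.group(2))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", line):
            info["outbound_spi"] = int(m.group(1), 16)
        elif m := SA_HEADER.match(line):
            section = f"{m.group(1)}_{m.group(2)}"      # the SA list the following spi: lines belong to
        elif section and (m := SPI_LINE.match(line)):
            info[section].append(int(m.group(1), 16))
    return info


def tunnel_state(info):
    """idle: no phase-2 SA yet (nothing has matched the crypto ACL)
    active: SAs exist and packets are both encrypted and decrypted
    one-way: SAs exist but only one direction carries traffic (check the peer's ACL and routing)
    no-traffic: SAs exist but no packet has used them yet
    failing: send or receive errors are counting up"""
    has_sa = info["outbound_spi"] != 0 or any(v for k, v in info.items() if k.endswith(("_esp", "_ah")))
    if not has_sa:
        return "idle"
    if info["send_errors"] or info["recv_errors"]:
        return "failing"
    if info["encaps"] and info["decaps"]:
        return "active"
    return "one-way" if info["encaps"] or info["decaps"] else "no-traffic"


# Sample 1: R1's output from Step 9, condensed (no SA yet, all counters zero).
IDLE_OUTPUT = """
interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 192.168.12.1
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
"""

# Sample 2: constructed, not captured: what R1 would show after the five echoes of Step 10.
# The lab's transform set carries AH and ESP, so both SA lists are populated.  SPIs are made up.
ACTIVE_OUTPUT = """
interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 192.168.12.1
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #send errors 0, #recv errors 0
     current outbound spi: 0x1A2B3C4D(439041101)
     inbound esp sas:
      spi: 0x7F8A3C21(2139765793)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
     inbound ah sas:
      spi: 0x5E6F7A8B(1584364171)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        Status: ACTIVE
     outbound ah sas:
      spi: 0x3C4D5E6F(1011703407)
        Status: ACTIVE
"""
```

tunnel_state(parse_ipsec_sa(IDLE_OUTPUT)) returns "idle" for the Step 9 output and "active" for the post-ping sample. The one-way case is the one worth automating: encaps advancing while decaps stays at zero means the local side is encrypting but the return traffic is either not matching the peer's crypto ACL or not being routed back over the protected path.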
Final Configurations
R1:
hostname R1
!
no ip domain lookup
!
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 20 ipsec-isakmp
set peer 192.168.23.3
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
crypto map MYMAP
no shutdown
!
router eigrp 1
network 172.16.0.0
network 192.168.12.0
no auto-summary
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
R2:
hostname R2
!
no ip domain lookup
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
no shutdown
!
interface Serial1/0
ip address 192.168.23.2 255.255.255.0
clock rate 64000
no shutdown
!
router eigrp 1
network 192.168.0.0 0.0.255.255
no auto-summary
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
R3:
hostname R3
!
no ip domain lookup
!
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.12.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 20 ipsec-isakmp
set peer 192.168.12.1
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
interface Loopback0
ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.23.3 255.255.255.0
crypto map MYMAP
no shutdown
!
router eigrp 1
network 172.16.0.0
network 192.168.23.0
no auto-summary
!
access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual
First published / last updated: 2008.09.16 / 2018.06.11