Published June 11, 2018

CCNP-ISCW-v5.0 Lab 3-5-a: Configuring Site-to-Site IPsec VPNs with the IOS CLI


Lab3-5.net file for Dynamips:

##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 3.5 Configuring Site-to-Site IPsec VPNs with the IOS CLI
# By Happy Peter  http://blog.xuite.net/juilin77/happy
#
##################################################

autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab3-5/workingconfig

[[3640]]
#  Specify 3640 IOS image on Windows here:
#  image = C:\Program Files\Dynamips\images\c3640-jk9o3s-mz.123-14.T7.extracted.bin
#  Specify 3640 IOS image on Linux here:
 image = /opt/dynamips/images/c3640-jk.bin
 ram = 128
 disk0 = 0
 disk1 = 0
 # Choose an idlepc value from the below
 idlepc = 0x605ac7b8
 mmap = true
 ghostios = true
 confreg = 0x2102

###########################
#
# Define router instances 1
#
###########################
 
 [[Router R1]]
  model = 3640
  console = 2001
  slot0 = NM-1FE-TX

 [[Router R2]]
  model = 3640
  console = 2002
  slot0 = NM-1FE-TX
  slot1 = NM-4T
  F0/0 = R1 F0/0
  S1/0 = R3 S0/0

 [[Router R3]]
  model = 3640
  console = 2003
  slot0 = NM-4T



Objective:
‧ Configure EIGRP on the routers
‧ Create a site-to-site IPsec VPN using IOS
‧ Verify IPsec operation


Scenario:
In this lab, you will configure a site-to-site IPsec VPN.
Once you have configured the VPN, the traffic between the loopback interfaces on R1 and R3 will be encrypted.


Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
 logging synchronous
 exec-timeout 0 0
!
hostname R1    ! use R2 and R3 on the other two routers


Step 1: Configure Addressing
R1:
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!       
interface fastEthernet 0/0
 ip address 192.168.12.1 255.255.255.0
 no shutdown


R2:
interface fastEthernet 0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial1/0
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown

R3:
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!             
interface Serial0/0
 ip address 192.168.23.3 255.255.255.0
 no shutdown


Step 2: Configure EIGRP
R1
router eigrp 1
 network 172.16.0.0
 network 192.168.12.0
 no auto-summary

R2
router eigrp 1
 network 192.168.0.0 0.0.255.255
 no auto-summary

R3:
router eigrp 1
 network 172.16.0.0
 network 192.168.23.0
 no auto-summary

!!!Verify!!!
R1#ping 172.16.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/24 ms

R3#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/20 ms


Step 3: Create IKE Policies
R1 & R3:
crypto isakmp enable
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit

R3#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit


Step 4: Configure Pre-Shared Keys
R1:
crypto isakmp key 6 cisco address 192.168.23.3
R3:
crypto isakmp key 6 cisco address 192.168.12.1


Step 5: Configure the IPsec Transform Set and Lifetimes
R1 & R3:
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
crypto ipsec security-association lifetime seconds 1800


Step 6: Define Interesting Traffic
R1:
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255

R3:
access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255


Step 7: Create and Apply Crypto Maps
R1:
crypto map MYMAP 20 ipsec-isakmp
 match address 101
 set peer 192.168.23.3
 set pfs group5
 set transform-set 50
 set security-association lifetime seconds 900
!
interface fastEthernet 0/0
 crypto map MYMAP


R3:
crypto map MYMAP 20 ipsec-isakmp
 match address 101
 set peer 192.168.12.1
 set pfs group5
 set transform-set 50
 set security-association lifetime seconds 900
!
interface serial 0/0
 crypto map MYMAP


Step 8: Verify IPsec Configuration
R1 & R3:
#show crypto ipsec transform-set
Transform set 50: { ah-sha-hmac  }
   will negotiate = { Tunnel,  },
   { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

R1#show crypto map
Crypto Map "MYMAP" 20 ipsec-isakmp
        Peer = 192.168.23.3
        Extended IP access list 101
            access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
        Current peer: 192.168.23.3
        Security association lifetime: 4608000 kilobytes/900 seconds
        PFS (Y/N): Y
        DH group:  group5
        Transform sets={
                50,
        }
        Interfaces using crypto map MYMAP:
                FastEthernet0/0


R3#show crypto map
Crypto Map "MYMAP" 20 ipsec-isakmp
        Peer = 192.168.12.1
        Extended IP access list 101
            access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
        Current peer: 192.168.12.1
        Security association lifetime: 4608000 kilobytes/900 seconds
        PFS (Y/N): Y
        DH group:  group5
        Transform sets={
                50,
        }
        Interfaces using crypto map MYMAP:
                Serial0/0

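Most site-to-site failures in this lab come from the two sides disagreeing on something that Steps 3 to 7 configure separately on each router. As an added example (my own code, not from the lab manual or from Cisco), the script below parses the crypto-relevant lines of R1's configuration, derives R3's mirror-image configuration from it, and reports anything that would stop the peers from negotiating: differing ISAKMP policy parameters, a pre-shared key or `set peer` bound to an address that is not the other side's crypto-map interface, transform sets or PFS groups that differ, and crypto ACLs that are not mirror images. The function names and the sample configuration strings are mine; the configuration lines themselves are copied from this lab.

```python
import re

# Constructed sample input: the crypto-relevant lines of R1 from Steps 3-7 of
# this lab, embedded so the check runs offline.
R1_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
crypto isakmp key 6 cisco address 192.168.23.3
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map MYMAP 20 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set 50
 set pfs group5
 match address 101
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map MYMAP
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
"""

# R3's side of the lab is R1's with the peer address, crypto interface and
# ACL direction swapped, so it is derived here rather than typed out again.
R3_CONFIG = (R1_CONFIG
             .replace("192.168.23.3", "192.168.12.1")
             .replace("interface FastEthernet0/0", "interface Serial0/0")
             .replace("ip address 192.168.12.1 255", "ip address 192.168.23.3 255")
             .replace("172.16.1.0 0.0.0.255 172.16.3.0", "172.16.3.0 0.0.0.255 172.16.1.0"))


def parse_crypto_config(text):
    """Collect the settings that must agree between two IPsec peers."""
    f = {"policy": {}, "map": {}, "acl": {}, "ts": {}, "if_ip": {},
         "key_addr": None, "map_if": None}
    section, cur_if = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):                  # a top-level command
            section = None
            m_if = re.match(r"interface (\S+)$", line)
            m_key = re.match(r"crypto isakmp key (?:\d+ )?\S+ address (\S+)$", line)
            m_ts = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
            m_acl = re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line)
            if re.match(r"crypto isakmp policy \d+$", line):
                section = "policy"
            elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
                section = "map"
            elif m_if:
                section, cur_if = "interface", m_if.group(1)
            elif m_key:
                f["key_addr"] = m_key.group(1)
            elif m_ts:
                # IOS reorders transforms when it prints the config, so compare a sorted tuple
                f["ts"][m_ts.group(1)] = tuple(sorted(m_ts.group(2).split()))
            elif m_acl:
                src, dst = (m_acl.group(2), m_acl.group(3)), (m_acl.group(4), m_acl.group(5))
                f["acl"].setdefault(m_acl.group(1), []).append((src, dst))
            continue
        w = line.split()                              # an indented sub-command
        if section == "policy":
            f["policy"][w[0]] = " ".join(w[1:])
        elif section == "map":
            f["map"][" ".join(w[:2])] = " ".join(w[2:])
        elif section == "interface" and w[:2] == ["ip", "address"]:
            f["if_ip"][cur_if] = w[2]
        elif section == "interface" and w[:2] == ["crypto", "map"]:
            f["map_if"] = cur_if
    return f


def check_peers(local_cfg, remote_cfg):
    """Return the list of mismatches between two peers; an empty list means consistent."""
    a, b = parse_crypto_config(local_cfg), parse_crypto_config(remote_cfg)
    ip_a, ip_b = a["if_ip"].get(a["map_if"]), b["if_ip"].get(b["map_if"])
    problems = []
    if a["policy"] != b["policy"]:     # strict equality is the conservative choice here
        problems.append("ISAKMP policy parameters differ")
    for side, mine, peer_ip in (("local", a, ip_b), ("remote", b, ip_a)):
        if mine["key_addr"] != peer_ip:
            problems.append(f"{side}: pre-shared key bound to {mine['key_addr']}, "
                            f"peer crypto interface is {peer_ip}")
        if mine["map"].get("set peer") != peer_ip:
            problems.append(f"{side}: set peer {mine['map'].get('set peer')} "
                            f"is not the peer's crypto interface {peer_ip}")
    if a["ts"].get(a["map"].get("set transform-set")) != b["ts"].get(b["map"].get("set transform-set")):
        problems.append("transform sets differ")
    if a["map"].get("set pfs") != b["map"].get("set pfs"):
        problems.append("PFS group differs")
    acl_a = sorted(a["acl"].get(a["map"].get("match address"), []))
    acl_b_mirrored = sorted((dst, src) for src, dst in b["acl"].get(b["map"].get("match address"), []))
    if acl_a != acl_b_mirrored:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```

`check_peers(R1_CONFIG, R3_CONFIG)` returns an empty list for the lab as written; feeding it a copy of R3's configuration with the pre-shared key bound to the wrong address, or with the ACL destination changed, returns a one-line description of the fault. Pasting the `show running-config` of two real peers into the two strings is the only change needed to run it against a live pair.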

Step 9: Verify IPsec Operation
R1 & R3:
show crypto isakmp sa
dst             src             state          conn-id slot status
R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 192.168.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:
        
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

R3#show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: MYMAP, local addr 192.168.23.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 192.168.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.23.3, remote crypto endpt.: 192.168.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:
        
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
R3#


Step 10: Interpret IPsec Event Debugging
R1 & R3
debug crypto isakmp

R1#ping 172.16.3.1 source 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/16 ms

R1 & R3
no debug all
show crypto isakmp sa
show crypto ipsec sa
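Step 10 has you re-run `show crypto ipsec sa` after the ping but does not print the result. As an added example (my own code, not from the lab manual or from Cisco), the script below parses that output and classifies the tunnel state. The `BEFORE` sample is R1's output from Step 9, trimmed to the lines the parser reads; the `AFTER` sample is constructed to look like the same counters once the five pings have gone through the tunnel, with made-up SPI values. `tunnel_status()` reports `no-sa`, `one-way`, `errors`, `idle` or `established`, and `traffic_delta()` reports how many packets were encapsulated and decapsulated between two snapshots, which is the quickest way to confirm that the ping really was encrypted rather than routed in the clear. The `one-way` state (encaps rising while decaps stays at 0) is the usual sign that return traffic is not coming back through the tunnel, for example because of far-side routing or a filter dropping ESP/AH on the path. The function names are mine.

```python
import re

# Constructed sample: R1's "show crypto ipsec sa" from Step 9, before any
# interesting traffic, trimmed to the lines the parser reads.
BEFORE = """\
interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 192.168.12.1
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     outbound esp sas:
     outbound ah sas:
"""

# Constructed sample of the same output after the Step 10 ping has brought the
# SAs up. The counters and SPI values are made up for this example.
AFTER = """\
interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 192.168.12.1
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #send errors 0, #recv errors 0
     current outbound spi: 0x1A2B3C4D(439041101)
     inbound esp sas:
      spi: 0x5E6F7081(1584361601)
        transform: esp-256-aes esp-sha-hmac ,
     inbound ah sas:
      spi: 0x11223344(287454020)
        transform: ah-sha-hmac ,
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-256-aes esp-sha-hmac ,
     outbound ah sas:
      spi: 0x99AABBCC(2578103244)
        transform: ah-sha-hmac ,
"""

# Counters worth watching; matched with re.search because some sit mid-line.
COUNTERS = {
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
}


def parse_ipsec_sa(text):
    """Reduce show crypto ipsec sa output to the fields that show tunnel health."""
    info = {key: 0 for key in COUNTERS}
    info.update(peer=None, outbound_spi=0, sas={})
    bucket = None                       # which "... sas:" block we are inside
    for raw in text.splitlines():
        s = raw.strip()
        for key, pat in COUNTERS.items():
            m = re.search(pat, s)
            if m:
                info[key] = int(m.group(1))
        m = re.match(r"current_peer (\S+)", s)
        if m:
            info["peer"] = m.group(1)
        m = re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", s)
        if m:
            info["outbound_spi"] = int(m.group(1), 16)
        m = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s)
        if m:
            bucket = f"{m.group(1)}_{m.group(2)}"
            info["sas"][bucket] = []
        m = re.match(r"spi: 0x([0-9A-Fa-f]+)", s)
        if m and bucket:
            info["sas"][bucket].append(int(m.group(1), 16))
    return info


def tunnel_status(info):
    """Classify the SA state the way you would by eye on the router."""
    if info["outbound_spi"] == 0 or not info["sas"].get("outbound_esp"):
        return "no-sa"          # nothing negotiated yet, or IKE/IPsec negotiation failed
    if info["encaps"] > 0 and info["decaps"] == 0:
        return "one-way"        # we encrypt, but nothing comes back through the tunnel
    if info["send_errors"] or info["recv_errors"]:
        return "errors"
    return "established" if info["encaps"] or info["decaps"] else "idle"


def traffic_delta(before, after):
    """Packets encapsulated/decapsulated between two snapshots of the output."""
    return (after["encaps"] - before["encaps"], after["decaps"] - before["decaps"])
```

On a live router, capture the command output before and after the `ping ... source` in Step 10 and pass the two captures to `traffic_delta()`; a delta of (5, 5) for a five-packet ping means every echo and every reply went through the SA.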


Final Configurations
R1:
hostname R1
!
no ip domain lookup
!
crypto isakmp enable
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 20 ipsec-isakmp
 set peer 192.168.23.3
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map MYMAP
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 network 192.168.12.0
 no auto-summary
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


R2:
hostname R2
!
no ip domain lookup
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial1/0
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
 no auto-summary
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


R3:
hostname R3
!
no ip domain lookup
!
crypto isakmp enable
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.12.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 20 ipsec-isakmp
 set peer 192.168.12.1
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.23.3 255.255.255.0
 crypto map MYMAP
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 network 192.168.23.0
 no auto-summary
!
access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html

CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual


First published / last updated: 2008.09.16 / 2018.06.11
