Published June 11, 2018 with 0 comments

CCNP-ISCW-v5.0 Lab 3-7: Configuring a Secure GRE Tunnel with the IOS CLI


Lab3-7.net file for Dynamips:

##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 3.7 Configuring a Secure GRE Tunnel with the IOS CLI
# By Happy Peter  http://blog.xuite.net/juilin77/happy
#
##################################################

autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab3-7/workingconfig

[[3640]]
#  Specify 3640 IOS image on Windows here:
#  image = C:\Program Files\Dynamips\images\c3640-jk9o3s-mz.123-14.T7.extracted.bin
#  Specify 3640 IOS image on Linux here:
 image = /opt/dynamips/images/c3640-jk.bin
 ram = 128
 disk0 = 0
 disk1 = 0
 # Choose an idlepc value from the below
 idlepc = 0x605ac7b8
 mmap = true
 ghostios = true
 confreg = 0x2102

###########################
#
# Define router instances 1
#
###########################
 
 [[Router R1]]
  model = 3640
  console = 2001
  slot0 = NM-1FE-TX

 [[Router R2]]
  model = 3640
  console = 2002
  slot0 = NM-1FE-TX
  slot1 = NM-4T
  F0/0 = R1 F0/0
  S1/0 = R3 S0/0

 [[Router R3]]
  model = 3640
  console = 2003
  slot0 = NM-4T

Objective:
‧ Configure EIGRP on the routers
‧ Create a GRE tunnel between two routers
‧ Use IPsec to secure the GRE tunnel


Scenario:
In this lab, you will use the Cisco Command Line Interface (CLI) to configure a secure generic routing encapsulation (GRE) tunnel using IPsec.


Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
 logging synchronous
 exec-timeout 0 0
!
hostname R1   ! R2 and R3 respectively on the other routers


Step 1: Configure Addressing
R1:
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface fastEthernet 0/0
 ip address 192.168.12.1 255.255.255.0
 no shutdown


R2:
interface fastEthernet 0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial1/0
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown

R3:
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.23.3 255.255.255.0
 no shutdown


Step 2: Configure EIGRP AS1
R1:
router eigrp 1
 network 192.168.12.0
 no auto-summary

R2:
router eigrp 1
 network 192.168.0.0 0.0.255.255
 no auto-summary

R3:
router eigrp 1
 network 192.168.23.0
 no auto-summary


Step 3: Configure the GRE Tunnel
R1:
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3

R3:
interface Tunnel0
 ip address 172.16.13.3 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.168.12.1

R1#ping 172.16.13.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms

R3#ping 172.16.13.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
R3#
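To make concrete what Tunnel0 carries at this point, and what the `permit gre host A host B` entry in Step 7 will later select, here is an added Python example (not part of the lab manual or the original post). It builds the packet R1 puts on FastEthernet0/0 when 172.16.1.1 pings 172.16.3.1 through the tunnel, parses it back the way a capture on R2 would, and implements the crypto ACL match. The addresses are the lab's; the ICMP payload is a constructed sample. The point for a defender is the decapsulated result: with GRE alone, R2 and anyone else on the path reads the inner addresses and payload in clear, which is why Steps 5 to 8 wrap the GRE traffic in IPsec.

```python
import struct

GRE_PROTO = 47           # IP protocol number for GRE: what "permit gre" in ACL 101 matches
GRE_PTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload
ICMP_PROTO = 1


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum shared by the IPv4 header and ICMP; returns 0 when verifying a correct header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options, TTL 255, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def icmp_echo(payload: bytes = b"lab37") -> bytes:
    """ICMP echo request (type 8, id 1, seq 1) with a valid checksum; the payload is a constructed sample."""
    body = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    return body[:2] + struct.pack("!H", ones_complement_sum(body)) + body[4:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Outer IPv4 (protocol 47) + 4-byte GRE header with no C/K/S flags + the inner packet."""
    gre = struct.pack("!HH", 0, GRE_PTYPE_IPV4)
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def parse_ipv4(packet: bytes) -> dict:
    """Split an IPv4 packet into addresses, protocol and payload, verifying the header checksum."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ones_complement_sum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "payload": packet[ihl:total_len]}


def gre_decapsulate(packet: bytes) -> dict:
    """What a capture on R2 sees with GRE alone: the outer addresses AND the inner packet in clear."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    # optional checksum (C), key (K) and sequence (S) fields each add 4 bytes to the GRE header
    hdr_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if ptype != GRE_PTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    inner = parse_ipv4(outer["payload"][hdr_len:])
    return {"outer_src": outer["src"], "outer_dst": outer["dst"], "outer_proto": outer["proto"],
            "inner_src": inner["src"], "inner_dst": inner["dst"], "inner_proto": inner["proto"],
            "inner_payload": inner["payload"]}


def matches_crypto_acl(packet: bytes, host_a: str, host_b: str) -> bool:
    """Semantics of 'access-list 101 permit gre host A host B' (Step 7): protocol 47 from A to B."""
    outer = parse_ipv4(packet)
    return outer["proto"] == GRE_PROTO and outer["src"] == host_a and outer["dst"] == host_b


def lab_packet() -> bytes:
    """R1's Loopback0 pinging R3's Loopback0 through Tunnel0, as R1 sends it on FastEthernet0/0."""
    echo = icmp_echo()
    inner = ipv4_header("172.16.1.1", "172.16.3.1", ICMP_PROTO, len(echo)) + echo
    return gre_encapsulate("192.168.12.1", "192.168.23.3", inner)


if __name__ == "__main__":
    pkt = lab_packet()
    print(gre_decapsulate(pkt))
    print("selected by R1's ACL 101:", matches_crypto_acl(pkt, "192.168.12.1", "192.168.23.3"))
```

Note that the ACL is directional: the same packet is not matched by R3's entry (`host 192.168.23.3 host 192.168.12.1`), which is why each router carries the mirror image of the other's ACL.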


Step 4: Configure EIGRP AS 2 over the Tunnel
R1 & R3:
router eigrp 2
 network 172.16.0.0
 no auto-summary


Step 5: Create IKE Policies and Peers
R1:
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.23.3

R3:
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.12.1


Step 6: Configure the IPsec Transform Sets
R1 & R3:
crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac


Step 7: Define the Traffic to be Encrypted
R1:
access-list 101 permit gre host 192.168.12.1 host 192.168.23.3

R3:
access-list 101 permit gre host 192.168.23.3 host 192.168.12.1


Step 8: Create and Apply Crypto Maps
R1:
crypto map mymap 10 ipsec-isakmp
 match address 101
 set peer 192.168.23.3
 set transform-set mytrans
!
interface fastEthernet 0/0
 crypto map mymap


R3:
crypto map mymap 10 ipsec-isakmp
 match address 101
 set peer 192.168.12.1
 set transform-set mytrans
!
interface serial 0/0
 crypto map mymap


Step 9: Verify Crypto Operation
R1 & R3:
show crypto ipsec sa
show crypto map
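The show commands above tell you whether a security association came up; when `show crypto ipsec sa` shows no packets encrypted, the cause is almost always one side's parameters not matching the other's. The following added Python script (not from the lab manual or the original post) cross-checks the crypto-relevant lines of the R1 and R3 final configurations for the agreements Steps 5 to 8 depend on: identical ISAKMP policy and pre-shared key, identical transform set regardless of the order the transforms were typed in, the crypto map peer equal to the tunnel destination and to the address the key is bound to, the crypto map applied on the interface the tunnel is sourced from, and mirrored crypto ACLs. R1's lines are copied from the final configuration; R3's are derived here by swapping the two addresses and the interface, which yields the same text as R3's final configuration. The parser and the names of its dictionary fields are this example's own.

```python
import re

# Crypto-relevant lines of R1's final configuration from this lab
R1_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
crypto isakmp key 6 cisco address 192.168.23.3
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set mytrans
 match address 101
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map mymap
access-list 101 permit gre host 192.168.12.1 host 192.168.23.3
"""
# R3 is the mirror image: swap the two WAN addresses and use Serial0/0 as the tunnel source
R3_CFG = (R1_CFG.replace("192.168.23.3", "@").replace("192.168.12.1", "192.168.23.3")
          .replace("@", "192.168.12.1").replace("FastEthernet0/0", "Serial0/0"))


def parse(cfg: str) -> dict:
    """Extract the fields two IPsec peers must agree on from IOS configuration text."""
    d = {"policy": {}, "map": {}, "acl": {}, "ifaces": {}, "psk": ("", ""), "tset": frozenset()}
    section = []
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw.startswith(" "):                        # sub-command of the current section
            if section[:2] == ["crypto", "isakmp"]:    # policy: authentication / encryption / hash / group
                d["policy"][w[0]] = " ".join(w[1:])
            elif section[:2] == ["crypto", "map"]:     # set peer X / set transform-set X / match address N
                d["map"][w[1]] = w[2]
            elif section and section[0] == "interface":  # ip address / tunnel source|destination / crypto map
                d["ifaces"][section[1]][" ".join(w[:2])] = w[2]
            continue
        section = w
        if w[:3] == ["crypto", "isakmp", "key"]:       # an optional 0/6 key-encryption type precedes the key
            d["psk"] = (w[4] if w[3] in ("0", "6") else w[3], w[-1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            # fold "esp-aes 256" into one token so typing order does not matter
            d["tset"] = frozenset(re.sub(r" (\d+)\b", r"-\1", " ".join(w[4:])).split())
        elif w[:2] == ["crypto", "map"]:
            d["map"]["name"] = w[2]
        elif w[0] == "interface":
            d["ifaces"][w[1]] = {}
        elif w[0] == "access-list" and w[2:4] == ["permit", "gre"]:
            d["acl"][w[1]] = (w[5], w[7])
    return d


def check_peer(local: dict, remote: dict) -> list:
    """Problems seen from local's side; an empty list means the two ends agree."""
    out = []
    for k in ("authentication", "encryption", "hash", "group"):
        if local["policy"].get(k) != remote["policy"].get(k):
            out.append("ISAKMP %s mismatch: %r vs %r" % (k, local["policy"].get(k), remote["policy"].get(k)))
    if local["psk"][0] != remote["psk"][0]:
        out.append("pre-shared keys differ")
    if local["tset"] != remote["tset"]:
        out.append("transform sets differ: %s vs %s" % (sorted(local["tset"]), sorted(remote["tset"])))
    peer = local["map"].get("peer")
    tun = local["ifaces"].get("Tunnel0", {})
    src_if = local["ifaces"].get(tun.get("tunnel source"), {})
    if local["psk"][1] != peer:
        out.append("pre-shared key bound to %s but crypto map peers with %s" % (local["psk"][1], peer))
    if tun.get("tunnel destination") != peer:
        out.append("crypto map peer %s is not the tunnel destination" % peer)
    if src_if.get("crypto map") != local["map"].get("name"):
        out.append("crypto map %s is not applied on the tunnel source interface" % local["map"].get("name"))
    acl = local["acl"].get(local["map"].get("address"))
    racl = remote["acl"].get(remote["map"].get("address"))
    if acl != (src_if.get("ip address"), peer):
        out.append("crypto ACL %s does not select GRE from the tunnel source to the peer" % (acl,))
    if racl is None or acl != (racl[1], racl[0]):
        out.append("crypto ACLs are not mirror images: %s vs %s" % (acl, racl))
    return out


def audit(cfg_a: str, cfg_b: str) -> tuple:
    """Run the checks in both directions; ([], []) means the pair should negotiate."""
    a, b = parse(cfg_a), parse(cfg_b)
    return check_peer(a, b), check_peer(b, a)


if __name__ == "__main__":
    print("as configured:", audit(R1_CFG, R3_CFG))
    print("R3 with DH group 2:", audit(R1_CFG, R3_CFG.replace("group 5", "group 2")))
```

Run it against a pair of running configs pulled with `show running-config` before you start reading `debug crypto` output; a mismatch reported here is cheaper to find in text than in a failed negotiation.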


Final Configurations
R1:
hostname R1
!
no ip domain lookup
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.23.3
!
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set mytrans
 match address 101
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map mymap
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
!
access-list 101 permit gre host 192.168.12.1 host 192.168.23.3
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


R2:
hostname R2
!
no ip domain lookup
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial1/0
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
 no auto-summary
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


R3:
hostname R3
!
no ip domain lookup
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.12.1
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set mytrans
 match address 101
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.13.3 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.168.12.1
!
interface Serial0/0
 ip address 192.168.23.3 255.255.255.0
 crypto map mymap
 no shutdown
!
router eigrp 1
 network 192.168.23.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
access-list 101 permit gre host 192.168.23.3 host 192.168.12.1
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html

CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual


First published / last updated: 2008.09.25 / 2018.06.11
