Lab3-8.net file for Dynamips:
##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 3.8 Configuring IPsec VTIs
# By Happy Peter http://blog.xuite.net/juilin77/happy
#
##################################################
autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab3-8/workingconfig
[[3640]]
# Specify 3640 IOS image on Windows here:
# image = C:\Program Files\Dynamips\images\c3640-jk9o3s-mz.123-14.T7.extracted.bin
# Specify 3640 IOS image on Linux here:
image = /opt/dynamips/images/c3640-jk.bin
ram = 128
disk0 = 0
disk1 = 0
# Choose an idlepc value from the below
idlepc = 0x605ac7b8
mmap = true
ghostios = true
confreg = 0x2102
###########################
#
# Define router instances 1
#
###########################
[[Router HQ]]
model = 3640
console = 2001
slot0 = NM-4T
slot1 = NM-1FE-TX
f1/0 = BRANCH f1/0
[[Router ISP]]
model = 3640
console = 2002
slot0 = NM-4T
s0/0 = HQ s0/0
s0/1 = BRANCH s0/0
[[Router BRANCH]]
model = 3640
console = 2003
slot0 = NM-4T
slot1 = NM-1FE-TX
Objective:
‧ Configure EIGRP on a router
‧ Configure an IPsec Virtual Tunnel Interface
‧ Configure the VTI to be used for backup purposes only
Scenario:
The headquarters and branch office routers of International Travel Agency are connected over a leased line, which they receive as an Ethernet connection. They also both have slower, serial links connecting them to the Internet. This lab will cover configuring an IPsec Virtual Tunnel Interface, or VTI, to be used as a backup connection, running over the public internet.
Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
hostname <HQ | ISP | BRANCH>
Step 1: Configure Addressing
HQ:
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.12.1 255.255.255.0
clock rate 64000
no shutdown
!
interface FastEthernet1/0
ip address 172.16.13.1 255.255.255.0
no shutdown
ISP:
interface Serial0/0
ip address 192.168.12.2 255.255.255.0
no shutdown
!
interface Serial0/1
ip address 192.168.23.2 255.255.255.0
clock rate 64000
no shutdown
BRANCH:
interface Loopback0
ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.23.3 255.255.255.0
no shutdown
!
interface FastEthernet1/0
ip address 172.16.13.3 255.255.255.0
no shutdown
Step 2: Configure EIGRP AS 1
HQ & BRANCH:
router eigrp 1
no auto-summary
network 172.16.0.0
Step 3: Configure Static Routing
On the HQ and BRANCH routers, add a static default route pointing towards ISP through the serial interfaces. This will simulate a connection to the internet.
HQ:
ip route 0.0.0.0 0.0.0.0 192.168.12.2
BRANCH:
ip route 0.0.0.0 0.0.0.0 192.168.23.2
HQ#ping 192.168.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/16 ms
HQ#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Step 4: Create IKE Policies and Peers
HQ:
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.23.3
BRANCH:
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.12.1
Step 5: Create IPsec Transform Sets
HQ & BRANCH:
crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac
Step 6: Create an IPsec Profile
Now that you have created the transform set, create an IPsec profile. An IPsec profile is similar to a crypto map, in that it binds the set of independent parameters and associations negotiated in IKE Phase I with the transform sets for Phase II. It also creates a structure that can, like a crypto map, be applied to an interface. However, an IPsec profile differs from a crypto map in that there is no match clause, only set statements, because it is applied to an interface. All traffic sent into or out of the tunnel interface will be encrypted.
HQ & BRANCH:
crypto ipsec profile myprof
set transform-set mytrans
Step 7: Create the IPsec VTI
HQ:
interface Tunnel0
ip address 172.16.113.1 255.255.255.0
tunnel source Serial0/0
tunnel destination 192.168.23.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile myprof
BRANCH:
interface Tunnel0
ip address 172.16.113.3 255.255.255.0
tunnel source Serial0/0
tunnel destination 192.168.12.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile myprof
HQ & BRANCH:
show crypto ipsec sa
show crypto isakmp sa
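An added consistency check for the peering built in Steps 4 through 7 (example code, not part of the lab manual or of Cisco IOS): it parses constructed excerpts of the HQ and BRANCH configurations carrying the same addresses as this lab and reports the mismatches that most often keep a VTI down: a tunnel destination that is not the peer's tunnel source address, an ISAKMP key bound to an address other than the tunnel destination, a tunnel mode other than ipsec ipv4, or ISAKMP policy attributes that differ between the two routers. TEMPLATE, parse and check_peers are this example's own names.

```python
# Cross-check two IOS IPsec VTI peers for mismatches that keep the tunnel down.
# Constructed template mirroring this lab's HQ and BRANCH configs; only addresses differ.
TEMPLATE = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 group 5
crypto isakmp key 6 cisco address {peer}
interface Tunnel0
 ip address {tun} 255.255.255.0
 tunnel source Serial0/0
 tunnel destination {peer}
 tunnel mode ipsec ipv4
interface Serial0/0
 ip address {wan} 255.255.255.0
"""
HQ = TEMPLATE.format(tun="172.16.113.1", wan="192.168.12.1", peer="192.168.23.3")
BRANCH = TEMPLATE.format(tun="172.16.113.3", wan="192.168.23.3", peer="192.168.12.1")

def parse(cfg):
    """Extract interface addresses, tunnel settings, IKE peer and policy lines."""
    c, cur = {"ifaces": {}, "policy": []}, None
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] == "interface":
            cur = w[1]                          # interface section we are inside
        elif w[:2] == ["ip", "address"]:
            c["ifaces"][cur] = w[2]
        elif w[0] == "tunnel":                  # tun_source / tun_destination / tun_mode
            c["tun_" + w[1]] = " ".join(w[2:])
        elif w[:3] == ["crypto", "isakmp", "key"]:
            c["ike_peer"] = w[-1]               # address the pre-shared key is bound to
        elif w[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            c["policy"].append(" ".join(w))     # ISAKMP policy attributes, in order
    return c

def check_peers(a, b):
    """Return the inconsistencies between two parsed peers ([] means consistent)."""
    issues = []
    for me, other, tag in ((a, b, "A"), (b, a, "B")):
        src_ip = me["ifaces"].get(me.get("tun_source"))   # IP of the 'tunnel source' interface
        if other.get("tun_destination") != src_ip:
            issues.append(f"{tag}: peer targets {other.get('tun_destination')}, but own tunnel source is {src_ip}")
        if me.get("ike_peer") != me.get("tun_destination"):
            issues.append(f"{tag}: ISAKMP key is bound to {me.get('ike_peer')}, not tunnel destination {me.get('tun_destination')}")
        if me.get("tun_mode") != "ipsec ipv4":
            issues.append(f"{tag}: tunnel mode is {me.get('tun_mode')!r}, a VTI needs 'ipsec ipv4'")
    if a["policy"] != b["policy"]:
        issues.append("ISAKMP policy attributes differ between peers")
    return issues
```

Run check_peers(parse(HQ), parse(BRANCH)) to confirm the lab's pair is consistent; feeding it a copy with one address or policy line altered returns the offending check by router.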
Step 8: Verify Proper EIGRP Behavior
HQ & BRANCH:
show ip route
BRANCH:
interface fastEthernet 1/0
shutdown
HQ & BRANCH:
show ip route
BRANCH:
interface fastEthernet 1/0
no shutdown
HQ & BRANCH:
show ip route
Final Configurations:
HQ:
hostname HQ
!
no ip domain lookup
!
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.23.3
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myprof
set transform-set mytrans
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.113.1 255.255.255.0
tunnel source Serial0/0
tunnel destination 192.168.23.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile myprof
!
interface Serial0/0
ip address 192.168.12.1 255.255.255.0
clock rate 64000
no shutdown
!
interface FastEthernet1/0
ip address 172.16.13.1 255.255.255.0
no shutdown
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
ISP:
hostname ISP
!
no ip domain lookup
!
interface Serial0/0
ip address 192.168.12.2 255.255.255.0
no shutdown
!
interface Serial0/1
ip address 192.168.23.2 255.255.255.0
clock rate 64000
no shutdown
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
BRANCH:
hostname BRANCH
!
no ip domain lookup
!
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.12.1
!
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myprof
set transform-set mytrans
!
interface Loopback0
ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.113.3 255.255.255.0
tunnel source Serial0/0
tunnel destination 192.168.12.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile myprof
!
interface Serial0/0
ip address 192.168.23.3 255.255.255.0
no shutdown
!
interface FastEthernet1/0
ip address 172.16.13.3 255.255.255.0
no shutdown
!
router eigrp 1
network 172.16.0.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
Reference:
Cisco Networking Academy, CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks, Student Lab Manual
http://www.cisco.com/web/learning/netacad/index.html
First published / last updated: 2008.09.26 / 2018.06.11