Published June 11, 2018

CCNP-ISCW-v5.0 Lab 3-8: Configuring IPsec VTIs



Lab3-8.net file for Dynamips:

##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 3.8 Configuring IPsec VTIs
# By Happy Peter  http://blog.xuite.net/juilin77/happy
#
##################################################

autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab3-8/workingconfig

[[3640]]
#  Specify 3640 IOS image on Windows here:
#  image = C:\Program Files\Dynamips\images\c3640-jk9o3s-mz.123-14.T7.extracted.bin
#  Specify 3640 IOS image on Linux here:
 image = /opt/dynamips/images/c3640-jk.bin
 ram = 128
 disk0 = 0
 disk1 = 0
 # Choose an idlepc value from the below
 idlepc = 0x605ac7b8
 mmap = true
 ghostios = true
 confreg = 0x2102

###########################
#
# Define router instances 1
#
###########################
 
 [[Router HQ]]
  model = 3640
  console = 2001
  slot0 = NM-4T
  slot1 = NM-1FE-TX
  f1/0 = BRANCH f1/0

 [[Router ISP]]
  model = 3640
  console = 2002
  slot0 = NM-4T
  s0/0 = HQ s0/0
  s0/1 = BRANCH s0/0

 [[Router BRANCH]]
  model = 3640
  console = 2003
  slot0 = NM-4T
  slot1 = NM-1FE-TX

Objective:
‧ Configure EIGRP on a router
‧ Configure an IPsec Virtual Tunnel Interface
‧ Configure the VTI to be used for backup purposes only


Scenario:
The headquarters and branch office routers of International Travel Agency are connected over a leased line, which they receive as an Ethernet connection. Both sites also have slower serial links to the Internet. This lab covers configuring an IPsec Virtual Tunnel Interface (VTI) over the public Internet and making EIGRP treat it as a backup path that carries traffic only when the leased line fails.


Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
 logging synchronous
 exec-timeout 0 0
!
hostname *
(on each router, replace * with its name: HQ, ISP or BRANCH)


Step 1: Configure Addressing
HQ:
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!       
interface Serial0/0
 ip address 192.168.12.1 255.255.255.0
 clock rate 64000
 no shutdown
!
interface FastEthernet1/0
 ip address 172.16.13.1 255.255.255.0
 no shutdown


ISP:
interface Serial0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown

BRANCH:
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!       
interface Serial0/0
 ip address 192.168.23.3 255.255.255.0
 no shutdown
!
interface FastEthernet1/0
 ip address 172.16.13.3 255.255.255.0
 no shutdown


Step 2: Configure EIGRP AS 1
HQ & BRANCH:
router eigrp 1
 no auto-summary
 network 172.16.0.0


Step 3: Configure Static Routing
On the HQ and BRANCH routers, add a static default route pointing towards ISP through the serial interfaces. This simulates a connection to the Internet. Note that the serial addresses (192.168.12.0/24 and 192.168.23.0/24) are the future tunnel endpoints: they must stay reachable through this default route and never through the tunnel itself, which is why they are left out of EIGRP. Learning a tunnel's own destination address through that tunnel causes recursive routing and the interface flaps.
HQ:
ip route 0.0.0.0 0.0.0.0 192.168.12.2

BRANCH
ip route 0.0.0.0 0.0.0.0 192.168.23.2

HQ#ping 192.168.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/16 ms

HQ#ping 172.16.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms



Step 4: Create IKE Policies and Peers
Policy 10 defines the IKE Phase 1 (ISAKMP) parameters both peers must agree on: pre-shared-key authentication, AES-256 encryption, SHA-1 integrity, Diffie-Hellman group 5 (1536-bit MODP) and a one-hour SA lifetime. The pre-shared key is then bound to the peer's public (serial) address. Two caveats: the key "cisco" is a lab placeholder, not something to use on a router reachable from the Internet, and in "crypto isakmp key [0 | 6] keystring address ..." the 0/6 keyword tells IOS whether the string that follows is cleartext (0) or already type-6 (AES) encrypted (6); when typing a cleartext key by hand, omit the keyword or use 0. Group 5 and SHA-1 are what this 2008 lab and its IOS image support; on current IOS prefer group 14 or higher and SHA-256.
HQ:
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.23.3

BRANCH:
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.12.1


Step 5: Create IPsec Transform Sets
The transform set names the Phase 2 protections: ESP with AES-256 for confidentiality and SHA-1 HMAC for integrity, plus AH with SHA-1 HMAC. AH additionally authenticates the outer IP header, which is why it cannot pass through NAT; on a VTI, ESP with its own HMAC is normally sufficient. IOS reorders the transforms when it displays them (compare the final configurations below), so the order typed here does not matter.
HQ & BRANCH:
crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac


Step 6: Create an IPsec Profile
Now that you have created the transform set, create an IPsec profile. An IPsec profile is similar to a crypto map in that it binds the parameters negotiated in IKE Phase 1 with the transform set used for Phase 2, and, like a crypto map, it is a structure that can be applied to an interface. It differs from a crypto map in that it has no match clause, only set statements: the profile is attached to a tunnel interface, so there is no access list selecting "interesting" traffic, and all traffic routed into or out of the tunnel interface is encrypted.
HQ & BRANCH:
crypto ipsec profile myprof
 set transform-set mytrans


Step 7: Create the IPsec VTI
The tunnel interface carries its own subnet (172.16.113.0/24) so that it falls inside the EIGRP network statement and an adjacency forms across it. "tunnel mode ipsec ipv4" makes this a VTI: packets are encapsulated directly in IPsec tunnel mode with no GRE header, and "tunnel protection" binds the profile so that everything the routing table sends into Tunnel0 is encrypted. The tunnel source and destination are the serial (public) addresses, which are reached via the static default route from Step 3.
HQ:
interface Tunnel0
 ip address 172.16.113.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.168.23.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprof

BRANCH:
interface Tunnel0
 ip address 172.16.113.3 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.168.12.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprof

HQ & BRANCH:
show crypto ipsec sa
show crypto isakmp sa
The ISAKMP SA should be in state QM_IDLE, and the IPsec SA encaps/decaps counters should keep increasing once EIGRP hellos cross the tunnel. A VTI's line protocol comes up only after the IPsec SAs are established, so a Tunnel0 that stays down/down in "show interfaces tunnel 0" points to a Phase 1 or Phase 2 mismatch (policy, pre-shared key or transform set) between the two routers.
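The settings from Steps 4 to 7 are what an auditor looks at first when reviewing a VPN router. The following script is an added example and not part of the lab or of Cisco's material: it parses the crypto section of an IOS configuration and flags the points raised above (SHA-1, DH group 5, the well-known key "cisco", the "key 6" keyword in front of a cleartext string, and AH in the transform set), and then checks a hardened variant. The policy it enforces (group 14 or higher, no MD5/SHA-1, no DES/3DES, no AH, no well-known key) and the heuristic that a type-6 key string is at least 16 characters long are this example's own assumptions, as are the sha256 and esp-sha256-hmac keywords in the hardened sample, which the lab's 12.3T image does not support.

```python
"""Audit the IKE/IPsec settings of a Cisco IOS configuration.

Added example, not part of the lab: it parses the crypto section of a
running config and reports settings a reviewer would question. The policy
it enforces (DH group 14 or higher, no MD5/SHA-1, no DES/3DES, no AH, no
well-known pre-shared key) is this example's own assumption, and so is the
heuristic that a type-6 key string is at least 16 characters long.
"""
import re

# Constructed sample: the HQ crypto section from Steps 4-6 of the lab.
LAB_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.23.3
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
"""

# Constructed sample: the same section as it might look on a current IOS
# release (sha256 and esp-sha256-hmac are not in the lab's 12.3T image).
HARDENED_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha256
 group 14
 lifetime 3600
!
crypto isakmp key 0 Yx7qL2pV9sT4wB8nK3mR6zH1 address 192.168.23.3
!
crypto ipsec transform-set mytrans esp-aes 256 esp-sha256-hmac
"""

WELL_KNOWN_PSKS = {"cisco", "cisco123", "password", "secret", "key", "test"}
WEAK_HASHES = {"md5", "sha"}            # 'sha' means SHA-1 on IOS
WEAK_CIPHERS = {"des", "3des"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}

def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            attr, _, value = line.strip().partition(" ")
            current[attr] = value
        else:
            current = None          # any other top-level line ends the block
    return policies

def audit(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for num, attrs in parse_isakmp_policies(config).items():
        # IOS defaults apply when a line is absent: DES, SHA-1, group 1.
        cipher = attrs.get("encryption", "des").split()[0]
        if cipher in WEAK_CIPHERS:
            findings.append(f"policy {num}: weak encryption '{cipher}'")
        hash_alg = attrs.get("hash", "sha")
        if hash_alg in WEAK_HASHES:
            findings.append(f"policy {num}: weak hash '{hash_alg}'")
        group = int(attrs.get("group", "1"))
        if group < 14:
            findings.append(f"policy {num}: DH group {group} below 2048-bit strength")
    for m in re.finditer(r"^crypto isakmp key (?:([06]) )?(\S+) address (\S+)", config, re.M):
        key_type, key, peer = m.groups()
        if key.lower() in WELL_KNOWN_PSKS:
            findings.append(f"peer {peer}: well-known pre-shared key '{key}'")
        if key_type == "6" and len(key) < 16:
            findings.append(f"peer {peer}: 'key 6' marks an encrypted string, but '{key}' looks like cleartext")
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        name, transforms = m.group(1), m.group(2).split()
        if any(t.startswith("ah-") for t in transforms):
            findings.append(f"transform-set {name}: AH included (breaks NAT traversal)")
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: weak transform '{t}'")
    return findings

if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against a saved "show running-config" to get the same six findings for the lab configuration and none for the hardened one; the parser deliberately only reads the lines it understands, so feed it the full config rather than a hand-trimmed excerpt.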


Step 8: Verify Proper EIGRP Behavior
Because both 172.16.13.0/24 and 172.16.113.0/24 match the "network 172.16.0.0" statement, HQ and BRANCH form two EIGRP adjacencies, one over FastEthernet1/0 and one over Tunnel0. The routing table should nevertheless show each other's Loopback0 network via the Ethernet next hop (172.16.13.x): a tunnel interface defaults to a bandwidth of 9 kbit/s and a delay of 500000 microseconds, so its EIGRP metric is far worse than FastEthernet's and the tunnel path is held only as a feasible successor. Shutting down BRANCH's FastEthernet1/0 should make the routes reappear with Tunnel0 (next hop 172.16.113.x) as the outgoing interface, and restoring it should return them to the Ethernet path.
HQ & BRANCH:
show ip route

BRANCH:
interface fastEthernet 1/0
 shutdown

HQ & BRANCH:
show ip route

BRANCH:
interface fastEthernet 1/0
 no shutdown

HQ & BRANCH:
show ip route
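The metric arithmetic behind that failover is worth seeing once with numbers. The following is an added example, not part of the lab or of Cisco's material: it computes the classic EIGRP composite metric for HQ's two paths to BRANCH's Loopback0 network (172.16.3.0/24) and applies DUAL's feasibility condition, which is what makes the tunnel route usable the instant the Ethernet link drops, without a query/reply cycle. It assumes the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0) and the IOS default bandwidth and delay of each interface type, i.e. that nobody configured "bandwidth" or "delay" on the interfaces; those defaults, and the per-hop integer truncation, are assumptions stated in the code.

```python
"""Why EIGRP keeps the VTI as a backup path only.

Added example, not part of the lab: computes the classic EIGRP composite
metric for HQ's two paths to BRANCH's Loopback0 network (172.16.3.0/24) and
applies the feasibility condition. Assumes default K values (K1 = K3 = 1,
K2 = K4 = K5 = 0) and the IOS default bandwidth/delay of each interface type,
i.e. nobody has configured 'bandwidth' or 'delay' on the interfaces.
"""

# Assumed IOS defaults (bandwidth in kbit/s, delay in microseconds) per interface type.
IFACE = {
    "FastEthernet": (100_000, 100),
    "Serial": (1_544, 20_000),
    "Loopback": (8_000_000, 5_000),
    "Tunnel": (9, 500_000),
}

def eigrp_metric(hops):
    """Classic metric over a list of (bandwidth_kbps, delay_usec) hops.

    metric = 256 * (10^7 / min_bandwidth + sum_delay / 10), with integer
    truncation at each division, as IOS computes it.
    """
    min_bw = min(bw for bw, _ in hops)
    total_delay = sum(delay for _, delay in hops)
    return 256 * (10_000_000 // min_bw + total_delay // 10)

def hq_routes_to_branch_loopback():
    """Return {outgoing_interface: (feasible_distance, reported_distance)} as seen on HQ."""
    # BRANCH's reported distance is its own cost to the connected loopback;
    # it is the same whichever interface BRANCH advertises it on.
    reported = eigrp_metric([IFACE["Loopback"]])
    return {
        "FastEthernet1/0": (eigrp_metric([IFACE["FastEthernet"], IFACE["Loopback"]]), reported),
        "Tunnel0": (eigrp_metric([IFACE["Tunnel"], IFACE["Loopback"]]), reported),
    }

def dual_selection(routes):
    """Pick the successor and the feasible successors under the DUAL feasibility condition.

    A path is a feasible successor when the neighbour's reported distance is
    strictly less than the feasible distance of the best path: such a path is
    loop-free and can be installed immediately when the successor fails.
    """
    successor = min(routes, key=lambda name: routes[name][0])
    fd = routes[successor][0]
    feasible = [name for name, (_, rd) in routes.items() if name != successor and rd < fd]
    return {"successor": successor, "feasible_distance": fd, "feasible_successors": feasible}

if __name__ == "__main__":
    routes = hq_routes_to_branch_loopback()
    for name, (fd, rd) in routes.items():
        print(f"{name:16} FD={fd:>10}  RD={rd}")
    print(dual_selection(routes))
```

The Ethernet path comes out at 156160 and the tunnel path at 297372416, while BRANCH reports 128256 on both, so the tunnel route satisfies the feasibility condition and "show ip eigrp topology" lists it as a feasible successor; that is why the route flips to Tunnel0 immediately when FastEthernet1/0 is shut down. Changing "bandwidth" or "delay" on Tunnel0 would alter this ranking, which is the usual way to make the VTI the primary path instead.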


Final Configurations
HQ:
hostname HQ
!
no ip domain lookup
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.23.3
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myprof
 set transform-set mytrans
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.113.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.168.23.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprof
!
interface Serial0/0
 ip address 192.168.12.1 255.255.255.0
 clock rate 64000
 no shutdown
!
interface FastEthernet1/0
 ip address 172.16.13.1 255.255.255.0
 no shutdown
!       
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


ISP:
hostname ISP
!
no ip domain lookup
!
interface Serial0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


BRANCH:
hostname BRANCH
!
no ip domain lookup
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
!
crypto isakmp key 6 cisco address 192.168.12.1
!
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myprof
 set transform-set mytrans
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.113.3 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 192.168.12.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprof
!
interface Serial0/0
 ip address 192.168.23.3 255.255.255.0
 no shutdown
!
interface FastEthernet1/0
 ip address 172.16.13.3 255.255.255.0
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
end


Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html

CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual


First published / last updated: 2008.09.26 / 2018.06.11
