CCNASv1.1 Chp08 Lab a Site2Site VPN Instructor

CCNA Security

Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and CCP (Instructor Version) rey !igh"ighting – !igh"ighting – indicates answers answers provided on instructor instructor lab copies only

#opo"ogy

Note: ISR G2 devices have Gigabit Ethernet interfaces instead of astEthernet Interfaces!

"ll contents are #opyright #opyright $ %&&2–2'%2 #isco Systes Systes Inc! "ll rights reserved! *his docuent is #isco #isco +ublic Inforation!

+age % of ,'

CCNA Security

IP Addressing #ab"e $e%ice R%

Interface a'-%

IP Address %&2!%./!%!%

Subnet &as' 200!200!200!'

$efau"t ate(ay 1-"

S(itch Port S% a'-0

S'-'-' (#E)

%'!%!%!%

200!200!200!202

1-"

1-"

S'-'-'

%'!%!%!2

200!200!200!202

1-"

1-"

S'-'-% (#E)

%'!2!2!2

200!200!200!202

1-"

1-"

a'-%

%&2!%./!3!%

200!200!200!'

1-"

S3 a'-0

S'-'-%

%'!2!2!%

200!200!200!202

1-"

1-"

+#4"

1I#

%&2!%./!%!3

200!200!200!'

%&2!%./!%!%

S% a'-.

+#4#

1I#

%&2!%./!3!3

200!200!200!'

%&2!%./!3!%

S3 a'-%/

R2 R3

Ob)ecti%es Part *: +asic ,outer Configuration •

#onfigure host naes interface I+ addresses and access passwords!

•

#onfigure the EIGR+ dynaic routing protocol!

Part : Configure a Site-to-Site VPN Using Cisco IOS •

#onfigure I+sec V+1 settings on R% and R3!

•

Verify site4to4site I+sec V+1 configuration!

•

*est I+sec V+1 operation!

Part .: Configure a Site-to-Site VPN Using CCP •

#onfigure I+sec V+1 settings on R%!

•

#reate a irror configuration for R3!

•

"pply the irror irror configuration to to R3!

•

Verify the configuration!

•

*est the V+1 configuration using ##+

+ac'ground V+1s can provide a secure ethod of transitting data over a public networ5 such as the Internet! V+1 connections can help reduce the costs associated with leased lines! Site4to4Site V+1s typically provide a secure (I+sec or other) tunnel between a branch office and a central office! "nother coon ipleentation that uses V+1 technology is reote access to a corporate office fro a telecouter location such as a sall office or hoe office! In this lab you will build and configure a ulti4router networ5 and then use #isco I6S and ##+ to configure a site4to4site I+sec V+1 and then test it! *he I+sec V+1 tunnel is fro router R% to router R3 via R2! R2 acts as a pass4through and has no 5nowledge of the V+1! I+sec provides secure transission of sensitive inforation over unprotected networ5s such as the Internet! I+sec acts at the networ5 layer protecting and authenticating I+ pac5ets between participating I+sec devices (peers) such as #isco routers! Note: *he Note: *he router coands and output in this lab are fro a #isco %/,% with #isco I6S Release %2!,(2')* ("dvanced I+ iage)! 6ther routers and #isco I6S versions can be used! See the Router Interface Suary table at the end of the lab to deterine which interface identifiers to use based on the e7uipent in the lab! epending on the router odel and #isco I6S version the coands available and the output produced ight vary fro what is shown in this lab! "ll contents are #opyright #opyright $ %&&2–2'%2 #isco Systes Systes Inc! "ll rights reserved! *his docuent is #isco #isco +ublic Inforation!

+age 2 of ,'

CCNA Security

IP Addressing #ab"e $e%ice R%

Interface a'-%

IP Address %&2!%./!%!%

Subnet &as' 200!200!200!'

$efau"t ate(ay 1-"

S(itch Port S% a'-0

S'-'-' (#E)

%'!%!%!%

200!200!200!202

1-"

1-"

S'-'-'

%'!%!%!2

200!200!200!202

1-"

1-"

S'-'-% (#E)

%'!2!2!2

200!200!200!202

1-"

1-"

a'-%

%&2!%./!3!%

200!200!200!'

1-"

S3 a'-0

S'-'-%

%'!2!2!%

200!200!200!202

1-"

1-"

+#4"

1I#

%&2!%./!%!3

200!200!200!'

%&2!%./!%!%

S% a'-.

+#4#

1I#

%&2!%./!3!3

200!200!200!'

%&2!%./!3!%

S3 a'-%/

R2 R3

Ob)ecti%es Part *: +asic ,outer Configuration •

#onfigure host naes interface I+ addresses and access passwords!

•

#onfigure the EIGR+ dynaic routing protocol!

Part : Configure a Site-to-Site VPN Using Cisco IOS •

#onfigure I+sec V+1 settings on R% and R3!

•

Verify site4to4site I+sec V+1 configuration!

•

*est I+sec V+1 operation!

Part .: Configure a Site-to-Site VPN Using CCP •

#onfigure I+sec V+1 settings on R%!

•

#reate a irror configuration for R3!

•

"pply the irror irror configuration to to R3!

•

Verify the configuration!

•

*est the V+1 configuration using ##+

+ac'ground V+1s can provide a secure ethod of transitting data over a public networ5 such as the Internet! V+1 connections can help reduce the costs associated with leased lines! Site4to4Site V+1s typically provide a secure (I+sec or other) tunnel between a branch office and a central office! "nother coon ipleentation that uses V+1 technology is reote access to a corporate office fro a telecouter location such as a sall office or hoe office! In this lab you will build and configure a ulti4router networ5 and then use #isco I6S and ##+ to configure a site4to4site I+sec V+1 and then test it! *he I+sec V+1 tunnel is fro router R% to router R3 via R2! R2 acts as a pass4through and has no 5nowledge of the V+1! I+sec provides secure transission of sensitive inforation over unprotected networ5s such as the Internet! I+sec acts at the networ5 layer protecting and authenticating I+ pac5ets between participating I+sec devices (peers) such as #isco routers! Note: *he Note: *he router coands and output in this lab are fro a #isco %/,% with #isco I6S Release %2!,(2')* ("dvanced I+ iage)! 6ther routers and #isco I6S versions can be used! See the Router Interface Suary table at the end of the lab to deterine which interface identifiers to use based on the e7uipent in the lab! epending on the router odel and #isco I6S version the coands available and the output produced ight vary fro what is shown in this lab! "ll contents are #opyright #opyright $ %&&2–2'%2 #isco Systes Systes Inc! "ll rights reserved! *his docuent is #isco #isco +ublic Inforation!

+age 2 of ,'

CCNA Security Note: 8a5e sure that the routers and the switches have been erased and have no startup configurations! Instructor Note: Instructions for erasing switches and routers are provided in the 9ab 8anual located on "cadey #onnection in the *ools section! section!

,e/uired ,esources •

3 routers with (#isco %/,% with #isco I6S Release %2!,(2')*% or coparable)

•

2 switches (#isco 2&.' or coparable)

•

+#4": ;indows <+ Vista or ;indows = with ##+ 2!0 installed

•

+#4#: ;indows <+ Vista or ;indows = with ##+ 2!0 installed

•

Serial and Ethernet cables as shown in the topology

•

Rollover cables to configure the routers via the console

CCP Notes: •

•

•

Refer to #hp '' 9ab " for instructions on h ow to install ##+! >ardware-software recoendations recoendations for ##+ include ;indows <+ Vista or ;indows = with ?ava version %!.!'@%% up to %!.!'@2% Internet EAplorer .!' or above and lash +layer Version %'!'!%2!3. and later! If the +# on which ##+ is installed is running ;indows Vista or ;indows = it ay be necessary to right4clic5 on the ##+ icon or enu ite and choose ,un as ad0inistrator ! In order to run ##+ it ay be necessary to teporarily disable antivirus progras and 6-S firewalls! 8a5e sure that all pop4up bloc5ers are turned off in the browser!

Instructor Notes: *his lab is divided into three parts! Each part can be adinistered individually or in cobination with others as tie perits! *he ain goal of this lab is to configure a site4to4site V+1 between two routers first using the #isco I6S #9I and then using ##+! R% and R3 are on separate networ5s and counicate through R2 which siulates an IS+! *he routers in this lab are configured with EIGR+ although it is not typical for stub networ5s to counicate with an IS+ using an interior routing protocol! Bou can also use static routes for basic (non4V+1) counication between R% and R2 and between R% and R3 if desired! Students can wor5 in teas of two for router configuration one person configuring R% and the other R3! "lthough switches switches are shown in the the topology students can can oit the switches switches and use crossover crossover cables between the +#s and routers R% and R3! *he running configs for all three routers are captured after +art % of the lab is copleted! *he running configs for R% and R3 fro +art 2 and +art 3 are captured and listed separately! "ll configs configs are found at the end of the lab!


+age 3 of ,'

CCNA Security

Part *: +asic ,outer Configuration In +art % of this lab you set up the networ5 topology and configure basic settings such as the interface I+ addresses dynaic routing device access and passwords! Note: "ll Note: "ll tas5s should be perfored on routers R% R2 and R3! *he procedure for R% is shown here as an eAaple!

Step *: Cab"e the net(or' as sho(n in the topo"ogy1 "ttach the devices devices shown in the topology topology diagra and cable cable as necessary!

Step : Configure basic settings for each router1 a! #onfig #onfigure ure host host naes naes as show shown n in the topol topology ogy!! b! #onfigure #onfigure the the interface interface I+ addres addresses ses as shown shown in the the I+ addressi addressing ng table! table! c!

#onfigure #onfigure a cloc5 cloc5 rate for the the serial router router interf interfaces aces with with a #E serial serial cable attache attached! d!

R1(config)# interface S0/0/0 R1(config-if)# clock rate 64000

Step .: $isab"e $NS "oo'up1 *o prevent the router fro a ttepting to translate incorrectly entered coands disable 1S loo5up!

R1(config)# no ip domain-lookup

Step 2: Configure the 3I,P routing protoco" on ,*4 ,4 and ,.1 a! 6n R% R% use use the the follo followi wing ng coa coands nds!!

R1(config)# router R1(config-router)# R1(config-router)# R1(config-router)#

eigrp 101 network 192.168.1.0 0.0.0.255 network 10.1.1.0 0.0.0.3 no auto-ummar!

b! 6n R2 R2 use use the the follo followi wing ng coa coands nds!!

R2(config)# router R2(config-router)# R2(config-router)# R2(config-router)# c!


6n R3 R3 use use the the fol follow lowing ing coan coands! ds!

R3(config)# router R3(config-router)# R3(config-router)# R3(config-router)#


Step 5: Configure PC host IP settings1 a! #onfigure #onfigure a static static I+ address address subnet subnet as5 as5 and default default gateway gateway for +#4" +#4" as shown shown in the I+ addressing table! b! #onfigure #onfigure a static static I+ address address subnet subnet as5 as5 and default default gateway gateway for +#4# +#4# as shown shown in the I+ addressing table!

Step 6: Verify basic net(or' connecti%ity1 a! +ing fro fro R% R% to the the R3 a'-% a'-% interf interface ace at I+ I+ address address %&2!%./! %&2!%./!3!%! 3!%!


+age , of ,'

CCNA Security ;ere the results successfulC Bes! If the pings are not successful troubleshoot the basic device configurations before continuing! b!

+ing fro +#4" on the R% 9"1 to +#4# on the R3 9"1! ;ere the results successfulC Bes! If the pings are not successful troubleshoot the basic device configurations before continuing!

Note: If you can ping fro +#4" to +#4# you have deonstrated that the EIGR+ routing protocol is configured and functioning correctly! If you cannot ping but the device interfaces are up and I+ addresses are correct use the "ow run and "ow ip route coands to help identify routing protocol4related probles!

Step 7: Configure a 0ini0u0 pass(ord "ength1 Note: +asswords in this lab are set to a iniu of %' characters but are relatively siple for the benefit of perforing the lab! 8ore copleA passwords are recoended in a production networ5! Dse the ecurit! paword coand to set a iniu password length of %' characters!

R1(config)# ecurit! paword min-lengt" 10

Step 8: Configure the basic conso"e and %ty "ines1 a!

#onfigure a console password and enable login for router R%! or additional security the e#ectimeout coand causes the line to log out after 0 inutes of inactivity! *he logging !nc"ronou coand prevents console essages fro interrupting coand entry! Note: *o avoid repetitive logins during this lab the e#ec-timeout can be set to ' ' which prevents it fro eApiring! >owever this is not considered a good security practice!

R1(config)# line conole 0 R1(config-line)# paword cicoconpa R1(config-line)# e#ec-timeout 5 0 R1(config-line)# login R1(config-line)# logging !nc"ronou b!

#onfigure the password on the vty lines for router R%! R1(config)# line $t! 0 4 R1(config-line)# paword

cico$t!pa R1(config-line)# e#ec-timeout 5 0 R1(config-line)# login c!

Repeat these configurations on both R2 and R3!

Step : 3ncrypt c"ear te9t pass(ords1 a! Dse the er$ice paword-encr!ption coand to encrypt the console auA and vty passwords!

R1(config)# er$ice paword-encr!ption b! Issue the "ow run coand! #an you read the console auA and vty passwordsC ;hy or why notC 1o! *he passwords are now encrypted! c!

Repeat this configuration on both R2 and R3!

Step *: Sa%e the basic running configuration for a"" three routers1 Save the running configuration to the startup configuration fro the privileged E
"ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 0 of ,'

CCNA Security R1#

cop! running-config tartup-config

Step **: Sa%e the configuration on ,* and ,. for "ater restoration1 Dsing a progra such as >yper*erinal copy-paste functions or **+ save the R% and R3 running configurations fro +art % of this lab! *hese can be used later in +art 3 of this lab to restore the routers in order to configure the V+1 with ##+! Note: ;hen editing the captured running config teAt reove all occurrences of 4 4 8ore 4 4!F Reove any coands that are not related to the ites you configured in +art % of the lab such as the #isco I6S version nuber no service pad and so on! 8any coands are entered autoatically by the #isco I6S software! "lso replace the encrypted passwords with the correct ones specified previously and be sure to use the no "utdown coand for interfaces that need to be enabled!

Part : Configure a Site-to-Site VPN (ith Cisco IOS In +art 2 of this lab you configure an I+sec V+1 tunnel between R% and R3 that passes through R2! Bou will configure R% and R3 using the #isco I6S #9I! Bou then review and test the resulting configuration!

#as' *: Configure IPsec VPN Settings on ,* and ,. Step *: Verify connecti%ity fro0 the ,* LAN to the ,. LAN1 In this tas5 you verify that with no tunnel in place the +#4" on the R% 9"1 can ping the +#4# on R3 9"1! a!

ro +#4" ping the +#4# I+ address of %&2!%./!3!3!

PC-A:\> ping 192.168.3.3 b! "re the results successfulC Bes! If the pings are not successful troubleshoot the basic device configurations before continuing!

Step : 3nab"e I;3 po"icies on ,* and ,.1 I+sec is an open fraewor5 that allows the eAchange of security protocols as new technologies such as encryption algoriths are developed! *here are two central configuration eleents to the ipleentation of an I+sec V+1: •

Ipleent Internet ey EAchange (IE) paraeters

•

Ipleent I+sec paraeters

a! Verify that IE is supported and enabled! IE +hase % defines the 5ey eAchange ethod used to pass and validate IE policies between peers! In IE +hase 2 the peers eAchange and atch I+sec policies for the authentication and encryption of data traffic! IE ust be enabled for I+sec to function! IE is enabled by default on I6S iages with cryptographic feature sets! If it is disabled for soe reason you can enable it with the coand cr!pto iakmp ena%le ! Dse this coand to verify that the router I6S supports IE and that it is enabled!

R1(config)# cr!pto iakmp ena%le R3(config)# cr!pto iakmp ena%le


+age . of ,'

CCNA Security Note: If you cannot eAecute this coand on the router you need to upgrade the I6S iage to one with a feature set that includes the #isco cryptographic services! b!

Establish an Internet Security "ssociation and ey 8anageent +rotocol (IS"8+) policy and view the available options! *o allow IE +hase % negotiation you ust create an IS"8+ policy and configure a peer association involving that IS"8+ policy! "n IS"8+ policy defines the authentication and encryption algoriths and hash function used to send control traffic between the two V+1 endpoints! ;hen an IS"8+ security association has been accepted by the IE peers IE +hase % has been copleted! IE +hase 2 paraeters will be configured later! Issue the cr!pto iakmp polic! number configuration coand on R% for policy %'!

R1(config)# cr!pto iakmp polic! 10 c!

View the various IE paraeters available using #isco I6S help by typing a 7uestion ar5 (C)!

R1(config-isakmp)# & !A"P comman$s: aut%entication !et aut%entication met%o$ for protection suite $efault !et a comman$ to its $efaults encr&ption !et encr&ption algorit%m for protection suite e'it 'it from !A"P protection suite configuration mo$e group !et t%e iffie-*ellman group %as% !et %as% algorit%m for protection suite lifetime !et lifetime for !A"P securit& association no +egate a comman$ or set its $efaults

Step .: Configure ISA;&P po"icy para0eters on ,* and ,.1 Bour choice of an encryption algorith deterines how confidential the control channel between the endpoints is! *he hash algorith controls data integrity ensuring that the data received fro a peer has not been tapered with in transit! *he authentication type ensures that the pac5et was indeed sent and signed by the reote peer! *he iffie4>ellan group is used to create a secret 5ey shared by the peers that has not been sent across the networ5! a!

#onfigure an authentication type of pre4shared 5eys! Dse "ES 20. encryption S>" as your hash algorith and iffie4>ellan group 0 5ey eAchange for this IE policy!

b!

Give the policy a life tie of 3.'' seconds (one hour)! #onfigure the sae policy on R3! 6lder versions of #isco I6S do n ot support "ES 20. encryption and S>" as a hash algorith! Substitute whatever encryption and hashing algorith your router supports! He sure the sae changes are ade on the other V+1 endpoint so that they are in sync!

Note: Bou should be at the R%(config4isa5p) at this point! *he cr!pto iakmp polic! 10 coand is repeated below for clarity!

R1(config)# cr!pto R1(config-isakmp)# R1(config-isakmp)# R1(config-isakmp)# R1(config-isakmp)# R1(config-isakmp)# R1(config-isakmp)#

iakmp polic! 10 aut"entication pre-"are encr!ption ae 256 "a" "a group 5 lifetime 3600 end

R3(config)# cr!pto R3(config-isakmp)# R3(config-isakmp)# R3(config-isakmp)# R3(config-isakmp)#

iakmp polic! 10 aut"entication pre-"are encr!ption ae 256 "a" "a group 5


+age = of ,'

CCNA Security R3(config-isakmp)# lifetime 3600 R3(config-isakmp)# end c!

Verify the IE policy with the "ow cr!pto iakmp polic! coand!

R1# "ow cr!pto iakmp polic! ,loal " polic& Protection suite of priorit& 1. encr&ption algorit%m: A! - A$/ance$ ncr&ption !tan$ar$ (20 it ke&s) %as% algorit%m: !ecure *as% !tan$ar$ aut%entication met%o$: Pre-!%are$ "e& iffie-*ellman group: #0 (103 it) lifetime: 3.. secon$s no /olume limit

Step 2: Configure pre-shared 'eys1 a!

Hecause pre4shared 5eys are used as the authentication ethod in the IE policy configure a 5ey on each router that points to the other V+1 endpoint! *hese 5eys ust atch for authentication to be successful! *he global configuration coand cr!pto iakmp ke! key-string addre address is used to enter a pre4shared 5ey! Dse the I+ address of the reote peer the reote interface that the peer would use to route traffic to the local router! ;hich I+ addresses should you use to configure the IE peers given the topology diagra and I+ addressing tableC *he I+ addresses should be R% S'-'-' I+ address %'!%!%!% and R3 S'-'-% I+ address %'!2!2!%! *hese are the addresses that are used to send noral traffic between R% and R3!

b!

Each I+ address that is used to configure the IE peers is also referred to as the I+ address of the reote V+1 endpoint! #onfigure the pre4shared 5ey of cisco%23 on router R% using the following coand! +roduction networ5s should use a copleA 5ey! *his coand points to the reote peer R3 S'-'-% I+ address!

R1(config)# cr!pto iakmp ke! cico123 addre 10.2.2.1 c!

*he coand for R3 points to the R% S'-'-' I+ address! #onfigure the pre4shared 5ey on router R% using the following coand!

R3(config)# cr!pto iakmp ke! cico123 addre 10.1.1.1

Step 5: Configure the IPsec transfor0 set and "ife ti0es1 a!

*he I+sec transfor set is another crypto configuration paraeter that routers negotiate to for a security association! *o create an I+sec transfor set use the cr!pto ipec tranform-et tag paraeters! Dse & to see which paraeters are available!

R1(config)# cr!pto ipec tranform-et 50 & a%-m$0-%mac A*-*AC-0 transform a%-s%a-%mac A*-*AC-!*A transform comp-l4s P Compression using t%e 56! compression algorit%m esp-3$es !P transform using 3!() cip%er (17 its) esp-aes !P transform using A! cip%er esp-$es !P transform using ! cip%er (0 its) esp-m$0-%mac !P transform using *AC-0 aut% esp-null !P transform 89o cip%er esp-seal !P transform using !A5 cip%er (1. its) esp-s%a-%mac !P transform using *AC-!*A aut%


+age / of ,'

CCNA Security b!

6n R% and R3 create a transfor set with tag 0' and use an Encapsulating Security +rotocol (ES+) transfor with an "ES 20. cipher with ES+ and the S>" hash function! *he transfor sets ust atch!

R1(config)# cr!pto ipec tranform-et 50 ep-ae 256 ep-"a-"mac R1(cfg-cr&pto-trans)# e#it R3(config)# cr!pto ipec tranform-et 50 ep-ae 256 ep-"a-"mac R3(cfg-cr&pto-trans)# e#it c!

;hat is the function of the I+sec transfor setC *he I+sec transfor set specifies the cryptographic algoriths and functions (transfors) that a router eploys on the actual data pac5ets sent through the I+sec tunnel! *hese algoriths include the encryption encapsulation authentication and data integrity services that I+sec can apply!

d!

Bou can also change the I+sec security association life ties fro the default of 3.'' seconds or ,.'/''' 5ilobytes whichever coes first! 6n R% and R3 set the I+sec security association life tie to 3' inutes or %/'' seconds!

R1(config)# cr!pto ipec ecurit!-aociation lifetime econd 1800 R3(config)# cr!pto ipec ecurit!-aociation lifetime econd 1800

Step 6: $efine interesting traffic1 a!

*o a5e use of the I+sec encryption with the V+1 it is necessary to define eAtended access lists to tell the router which traffic to encrypt! " pac5et that is peritted by an access list used for defining I+sec traffic is encrypted if the I+sec session is configured correctly! " pac5et that is denied by one of these access lists is not dropped but sent unencrypted! "lso li5e any other access list there is an iplicit deny at the end which in this case eans the default action is to not encrypt traffic! If there is no I+sec security association correctly configured no traffic is encrypted and traffic is forwarded as unencrypted!

b!

In this scenario the traffic you want to encrypt is traffic going fro R%Js Ethernet 9"1 to R3Js Ethernet 9"1 or vice versa! *hese access lists are used outbound on the V+1 endpoint interfaces and ust irror each other!

c!

#onfigure the I+sec V+1 interesting traffic "#9 on R%!

R1(config)# acce-lit 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0

0.0.0.255 d!

#onfigure the I+sec V+1 interesting traffic "#9 on R3!

R3(config)# acce-lit 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0

0.0.0.255 e!

oes I+sec evaluate whether the access lists are irrored as a re7uireent to negotiate its security associationC Bes! I+sec does evaluate whether access lists are irrored! I+sec does not for a security association if the peers do not have irrored access lists to select interesting traffic!

Step 7: Create and app"y a crypto 0ap1 " crypto ap associates traffic that atches an access list to a peer and various IE and I+sec settings! "fter the crypto ap is created it can be applied to one or ore interfaces! *he interfaces that it is applied to should be the ones facing the I+sec peer! a!

*o create a crypto ap use the global configuration coand cr!pto map name sequence-num type to enter the crypto ap configuration ode for that se7uence nuber! &u"tip"e crypto 0ap state0ents can belong to the sae crypto 0ap and are evaluated in ascending nuerical order! Enter the crypto ap configuration ode on R%! Dse a type of ipsec4isa5p which eans IE is used to establish I+sec security associations!


+age & of ,'

CCNA Security b!

#reate the crypto ap on R% nae it #8"+ and use %' as the se7uence nuber! " essage will display after the coand is issued!

R1(config)# cr!pto map '()* 10 ipec-iakmp  +;<: <%is ne8 cr&pto map 8ill remain $isale$ until a peer an$ a /ali$ access list %a/e een configure$ c!

Dse the matc" addre access-list coand to specify which access list defines which traffic to encrypt!

R1(config-cr&pto-map)# matc" addre 101 d! *o view the list of possible et coands that you can do in a crypto ap use the help function!

R1(config-cr&pto-map)# et & $entit& $entit& restriction p nterface nternet Protocol config comman$s isakmp-profile !pecif& isakmp Profile nat !et +A< translation peer Allo8e$ ncr&ption9ecr&ption peer pfs !pecif& pfs settings securit&-association !ecurit& association parameters transform-set !pecif& list of transform sets in priorit& or$er e!

Setting a peer I+ or host nae is re7uired so set it to R3Js reote V+1 endpoint interface using the following coand!

R1(config-cr&pto-map)# et peer 10.2.2.1 f!

>ard code the transfor set to be used with this peer using the et tranform-et tag coand! Set the perfect forwarding secrecy type using the et pf type coand and also odify the default I+sec security association life tie with the et ecurit!-aociation lifetime econd seconds coand!

R1(config-cr&pto-map)# R1(config-cr&pto-map)# R1(config-cr&pto-map)# R1(config-cr&pto-map)#

et pf group5 et tranform-et 50 et ecurit!-aociation lifetime econd 900 e#it

g! #reate a irrored atching crypto ap on R3!

R3(config)# cr!pto map '()* 10 ipec-iakmp R3(config-cr&pto-map)# matc" addre 101 R3(config-cr&pto-map)# et peer 10.1.1.1 R3(config-cr&pto-map)# et pf group5 R3(config-cr&pto-map)# et tranform-et 50 R3(config-cr&pto-map)# et ecurit!-aociation lifetime econd 900 R3(config-cr&pto-map)# e#it h!

*he last step is applying the aps to interfaces! 1ote that the security associations (S"s) will not be established until the crypto ap has been activated by interesting traffic! *he router will generate a notification that crypto is now on!

i!

"pply the crypto aps to the appropriate interfaces on R% and R3!

R1(config)# interface S0/0/0 R1(config-if)# cr!pto map '()* =an 27 .?:.@:.@10.: CRP<;--!A"PB;+B;: !A"P is ;+ R1(config)# end R3(config)# interface S0/0/1 R3(config-if)# cr!pto map '()* =an 27 .?:1.:0?137: CRP<;--!A"PB;+B;: !A"P is ;+ R3(config)# end "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age %' of ,'

CCNA Security

#as' : Verify Site-to-Site IPsec VPN Configuration Step *: Verify the IPsec configuration on ,* and ,.1 a! +reviously you used the "ow cr!pto iakmp polic! coand to show the configured IS"8+ policies on the router! Siilarly the "ow cr!pto ipec tranform-et coand displays the configured I+sec policies in the for of the transfor sets!

R1# "ow cr!pto ipec tranform-et
E

E

E

E

b! Dse the "ow cr!pto map coand to display the crypto aps that will be applied to the router!

R1# "ow cr!pto map Cr&pto ap ICAPI 1. ipsec-isakmp Peer F 1.221 'ten$e$ P access list 1.1 access-list 1.1 permit ip 1@2171. ...200 1@2173. ...200 Current peer: 1.221 !ecurit& association lifetime: ?.7... kilo&tes9@.. secon$s P! (9+):  * group: group0
+age %% of ,'

CCNA Security E nterfaces using cr&pto map AP: !erial.9.91 Note: *he output of these "ow coands does not change if interesting traffic goes across the connection! Bou test various types of traffic in the neAt tas5!

#as' .: Verify IPsec VPN Operation Step *: $isp"ay isa'0p security associations1 *he "ow cr!pto iakmp a coand reveals that no IE S"s eAist yet! ;hen interesting traffic is sent this coand output will change!

R1# "ow cr!pto iakmp a $st

src

state

conn-i$ slot status

Step : $isp"ay IPsec security associations1 a! *he "ow cr!pto ipec a coand shows the unused S" between R% and R3! 1ote the nuber of pac5ets sent across and the lac5 of any security associations listed toward the botto of the output! *he output for R% is shown here!

R1# "ow cr!pto ipec a interface: !erial.9.9. Cr&pto map tag: CAP local a$$r 1.111 protecte$ /rf: (none) local i$ent (a$$r9mask9prot9port): (1@2171.9200200200.9.9.) remote i$ent (a$$r9mask9prot9port): (1@2173.9200200200.9.9.) currentBpeer 1.221 port 0.. PR< flagsFDoriginBisBaclE #pkts encaps: . #pkts encr&pt: . #pkts $igest: . #pkts $ecaps: . #pkts $ecr&pt: . #pkts /erif&: . #pkts compresse$: . #pkts $ecompresse$: . #pkts not compresse$: . #pkts compr faile$: . #pkts not $ecompresse$: . #pkts $ecompress faile$: . #sen$ errors . #rec/ errors . local cr&pto en$pt: 1.111 remote cr&pto en$pt: 1.221 pat% mtu 10.. ip mtu 10.. ip mtu i$ !erial.9.9. current outoun$ spi: .'.(.) inoun$ esp sas: inoun$ a% sas: inoun$ pcp sas: outoun$ esp sas: outoun$ a% sas: outoun$ pcp sas: b!

;hy have no security associations (S"s) been negotiatedC Hecause no interesting traffic has been identified I+sec has not begun to negotiate a security association over which it will encrypt traffic!

Step .: enerate so0e uninteresting test traffic and obser%e the resu"ts1 a!

+ing fro R% to the R3 S'-'-% interface I+ address %'!2!2!%! ;ere the pings successfulC Bes!

b! Issue the "ow cr!pto iakmp a coand! ;as an S" created between R% and R3C 1o! c!

+ing fro R% to the R3 a'% interface I+ address %&2!%./!3!%! ;ere the pings successfulC Bes!


+age %2 of ,'

CCNA Security d! Issue the "ow cr!pto iakmp a coand again! ;as an S" created for these pingsC ;hy or why notC 1o S" was created! *he source address of both pings was the R% S'-'-' address of %'!%!%!%! In the first case the destination address was %'!2!2!%! In the second case the destination address was %&2!%./!3!%! *his is not interestingF traffic! *he "#9 %'% that is associated with the crypto ap for R% defines interesting traffic as I+ pac5ets fro the %&2!%./!%!'-2, networ5 to the %&2!%./!3!'-2, networ5! e! Issue the coand de%ug eigrp packet ! Bou should see EIGR+ hello pac5ets passing between R% and R3!

R1# de%ug eigrp packet ,RP Packets $eugging is on (JPA< RKJ!< KJR RP5 *55; PL!AP PR;M AC" !
*urn off debugging with the no de%ug eigrp packet or unde%ug all coand!

g!

Issue the "ow cr!pto iakmp a coand again! ;as an S" created between R% and R3C ;hy or why notC 1o! *his is router4to4router routing protocol traffic! *he source and destination of these pac5ets is not interesting does not initiate the S" and is not encrypted!

Step 2: enerate so0e interesting test traffic and obser%e the resu"ts1 a!

Dse an eAtended ping fro R% to the R3 a'% interface I+ address %&2!%./!3!%! EAtended ping allows you to control the source address of the pac5ets! Respond as shown in the following eAaple! +ress enter to accept the defaults eAcept where a specific response is indicated!

R1# ping Protocol ipQ:
+age %3 of ,'

CCNA Security b! Issue the "ow cr!pto iakmp a coand again!

R1# "ow cr!pto iakmp a P/? Cr&pto !A"P !A $st src 1.221 1.111

state KB5

conn-i$ slot status 1..1 . AC<S

c!

;hy was an S" created between R% and R3 this tieC *he source was %&2!%./!%!% and the destination was %&2!%./!3!%! *his is interesting traffic based on the "#9 %'% definition! "n S" is established and pac5ets travel through the tunnel as encrypted traffic!

d!

;hat are the endpoints of the I+sec V+1 tunnelC Src: %'!%!%!% (R% S'-'-') st: %'!2!2!% (R3 S'-'-%)!

e!

+ing fro +#4" to +#4#! ;ere the pings successfulC Bes!

f!

Issue the "ow cr!pto ipec a coand! >ow any pac5ets have been transfored between R% and R3C 1ine: five pac5ets fro the R% to R3 pings four pac5ets fro the +#4" to R3 pings and one pac5et for each echo re7uest! *he nuber of pac5et ay vary depending on how any pings have been issued and fro where!

R1# "ow cr!pto ipec a interface: !erial.9.9. Cr&pto map tag: CAP local a$$r 1.111 protecte$ /rf: (none) local i$ent (a$$r9mask9prot9port): (1@2171.9200200200.9.9.) remote i$ent (a$$r9mask9prot9port): (1@2173.9200200200.9.9.) currentBpeer 1.221 port 0.. PR< flagsFDoriginBisBaclE #pkts encaps: @ #pkts encr&pt: @ #pkts $igest: @ #pkts $ecaps: @ #pkts $ecr&pt: @ #pkts /erif&: @ #pkts compresse$: . #pkts $ecompresse$: . #pkts not compresse$: . #pkts compr faile$: . #pkts not $ecompresse$: . #pkts $ecompress faile$: . #sen$ errors . #rec/ errors . local cr&pto en$pt: 1.111 remote cr&pto en$pt: 1.221 pat% mtu 10.. ip mtu 10.. ip mtu i$ !erial.9.9. current outoun$ spi: .'C1.07(2.327.?O2) inoun$ esp sas: spi: .'0O12.(3O?O.20?23) transform: esp-20-aes esp-s%a-%mac  in use settings FD
+age %, of ,'

CCNA Security sa timing: remaining ke& lifetime (k9sec): (??701@097OO) S si4e: 1 &tes repla& $etection support:  !tatus: AC<S outoun$ a% sas: outoun$ pcp sas: g!

*he previous eAaple used pings to generate interesting traffic! ;hat other types of traffic would result in an S" foring and tunnel establishentC "ny traffic initiated fro R% with a source address in the %&2!%./!%!'-2, networ5 and a destination address in the %&2!%./!3!'-2, networ5! 6n R3 interesting traffic is any traffic with a source address in the %&2!%./!3!'-2, networ5 and a destination address in the %&2!%./!%!'-2, networ5! *his includes *+ >**+ *elnet and others!

Part .: Configure a Site-to-Site IPsec VPN (ith CCP In +art 3 of this lab configure an I+sec V+1 tunnel between R% and R3 that passes through R2! *as5 % will restore the router to the basic settings using your saved configurations! In tas5 2 configure R% using #isco ##+! In *as5 3 irror those settings to R3 using ##+ utilities! inally review and test the resulting configuration!

#as' *: ,estore ,outer ,* and ,. to the +asic Settings *o avoid confusion as to what was entered in +art 2 of the lab start by restoring R% and R3 to the basic configuration as described in +art % of this lab! Step *: 3rase and re"oad the router1 a!

#onnect to the router console and enter privileged E
b! Erase the startup config and then issue the reload coand to restart the router! Step : ,estore the basic configuration1 a!

;hen the router restarts enter privileged Eyper*erinal #ransfer < Send =i"e function copy and paste or use another ethod to load the basic startup config for R% and R3 that was created and saved in +art % of this lab!

b!

Save the running config to the startup config for R% and R3 using the cop! run tart coand!

c!

*est connectivity by pinging fro host +#4" to +#4#! If the pings are not successful troubleshoot the router and +# configurations before continuing!

#as' : Configure IPsec VPN Settings on ,* Using CCP Step *: Configure a userna0e and pass(ord pair and enab"e !##P router access1 a!

ro the #9I configure a usernae and password for use with ##+ on R% and R3!

R1(config)# uername admin pri$ilege 15 ecret cico12345 R3(config)# uername admin pri$ilege 15 ecret cico12345 b! Enable the >**+ server on R% and R3!

R1(config)# ip "ttp er$er


+age %0 of ,'

CCNA Security R3(config)# ip "ttp er$er

c! #onfigure local database authentication of web sessions to support ''* connecti$it!. R1(config)# ip "ttp aut"entication local R3(config)# ip "ttp aut"entication local

Step : Access CCP and disco%er ,*1 a! Run the ##+ application on +#4"! In the Se"ect>&anage Co00unity window input the R% I+ address *1*681*1* in the >ostnae-"ddress field ad0in in the Dsernae field and cisco*.25 in the +assword field! #lic5 the O; button!

b! "t the ##+ ashboard clic5 on the $isco%ery button to discover and connect to R%! If the discovery process fails use the $isco%er $etai"s button to deterine the proble so that you can resolve the issue!

Step .: Start the CCP VPN (i?ard to configure ,*1 a! #lic5 the Configure button at the top of the ##+ screen and choose Security < VPN < Site-to-Site VPN! Read through the description of this option! "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age %. of ,'

CCNA Security b!

;hat ust you 5now to coplete the configurationC *he reote device (R3 S'-'-%) I+ address and the pre4shared 5ey (cisco%23,0) which will be established in *as5 2 Step ,!

c!

#lic5 the Launch the se"ected tas' button to begin the ##+ Site4to4Site V+1 wiKard!

d!

6n the initial Site4to4Site V+1 ;iKard window the Luic5 Setup option is selected by default! #lic5 the Vie( $efau"ts button to see what settings this option uses! ;hat type of encryption does the default transfor set useC ES+43ES

e!

ro the initial Site4to4Site V+1 wiKard window choose the Step by Step wiKard and then clic5 Ne9t! ;hy would you use this option over the Luic5 setup optionC So that you have ore control over the V+1 settings used!

Step 2: Configure basic VPN connection infor0ation settings1 a!

ro the V+1 #onnection Inforation window select the interface for the connection which should be R% Seria">>!

b! In the +eer Identity section select Peer (ith static IP address and enter the I+ address of reote peer R3 S'-'-% (*111*)! c!

In the "uthentication section clic5 Pre-shared ;eys and enter the pre4shared V+1 5ey cisco*.25! Re4enter the 5ey for confiration! *his 5ey authenticates the initial eAchange to establish the Security "ssociation between devices! ;hen finished your screen should loo5 siilar to the following! 6nce you have entered these settings correctly clic5 Ne9t!


+age %= of ,'

CCNA Security

Step 5: Configure I;3 po"icy para0eters1 IE policies are used while setting up the control channel between the two V+1 endpoints for 5ey eAchange! *his is also referred to a s the IE secure association (S")! In contrast the I+sec policy is used during IE +hase II to negotiate an I+sec security association to pass target data traffic! a!

In the IE +roposals window a default policy proposal is displayed! Bou can use this one or create a new one! ;hat function does this IE proposal serveC *he IE proposal specifies the encryption algorith authentication algorith and 5ey eAchange ethod used by this router when negotiating a V+1 connection with a reote router!

b! #lic5 the Add button to create a new IE policy! c!

Set up the security policy as shown in the "dd IE +olicy dialog boA below! *hese settings are atched later on R3! ; hen finished clic5 O; to add the policy! *hen clic5 Ne9t!

d! #lic5 the !e"p button for assistance in answering the following 7uestions! ;hat is the function of the encryption algorith in the IE policyC *he encryption algorith encrypts and decrypts the payload of the control pac5ets that pass over the secure IE channel! "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age %/ of ,'

CCNA Security e!

;hat is the purpose of the hash functionC *he hash validates that the entire control pac5et has not been tapered with during transit! *he hash also authenticates the reote peer as the origin of the pac5et via a secret 5ey!

f!

;hat function does the authentication ethod serveC Hoth endpoints verify that the I+sec traffic that they have received is sent by the reote I+sec peer!

g!

>ow is the iffie4>ellan group in the IE policy usedC *he iffie4>ellan group is used by each of the endpoints to generate a shared secret 5ey which is never transitted across the networ5! Each iffie4>ellan group has an associated 5ey length!

h!

;hat event happens at the end of the IE policyJs lifetieC IE renegotiates the IE association!

Step 6: Configure a transfor0 set1 *he transfor set is the I+sec policy used to encrypt hash and authenticate pac5ets that pass through the tunnel! *he transfor set is the IE +hase 2 policy! a!

" ##+ default transfor set is displayed! #lic5 the Add button to create a new transfor set!

b!

Set up the transfor set as shown in the *ransfor Set dialog boA below! *hese settings are atched later on R3! ; hen finished clic5 O; to add the transfor set! *hen clic5 Ne9t!

Step 7: $efine interesting traffic1 Bou ust define interesting traffic to be protected through the V+1 tunnel! Interesting traffic is defined through an access list applied to the router! Hy entering the source and destination subnets that you would li5e to protect through the V+1 tunnel ##+ generates the appropriate siple access list for you! In the *raffic to protect window enter the inforation as shown below! *hese are the opposite of the settings configured on R3 later in the lab! ;hen finished clic5 Ne9t!


+age %& of ,'

CCNA Security

Step 8: ,e%ie( the su00ary configuration and de"i%er co00ands to the router1 a!

Review the Suary of the #onfiguration window! It should loo5 siilar to the one below! o not select the chec5boA for *est V+1 connectivity after configuring! *his is done after configuring R3!

b!

In the eliver #onfiguration to router window select Sa%e running config to router@s startup config and clic5 the $e"i%er button! "fter the coands have been delivered clic5 O;! >ow any coands were deliveredC 3% with ##+ 2!0


+age 2' of ,'

CCNA Security

#as' .: Create a &irror Configuration for ,. Step *: Use CCP on ,* to generate a 0irror configuration for ,.1 a! 6n R% clic5 the Configure button at the top of the ##+ screen and then choose Security < VPN < Site-to-Site VPN! #lic5 the 3dit Site to Site VPN tab! Bou should see the V+1 configuration listed that you Must created on R%! ;hat is the description of the V+1C *unnel to %'!2!2!% b!

;hat is the status of the V+1 and whyC own! *he IE security association could not be established because the V+1 peer R3 has not yet been configured! R3 ust be configured with the appropriate V+1 paraeters such as atching IE proposals and I+sec policies and a irrored access list before the IE and I+sec security associations will activate!

c!

Select the V+1 policy you Must configured on R% and clic5 the enerate &irror button in the lower right of the window! *he Generate 8irror window displays the coands necessary to configure R3 as a V+1 peer! Scroll through the window to see all the coands generated!

d!

*he teAt at the top of the window states that the configuration generated should only be used as a guide for setting up a site4to4site V+1! ;hat coands are issing to allow this crypto policy to function on R3C *he coands to apply the crypto ap to the S'-'-% interface!

!int: 9oo5 at the description entry following the cr!pto map S+(,'()*,1 coand!

Step : Sa%e the configuration co00ands for ,.1 a! #lic5 the Sa%e button to create a teAt file for use in the neAt tas5! b!

Save the coands to the des5top or other location and nae it V+148irror4#fg4for4R3!tAt!

Note: Bou can also copy the coands directly fro the enerate &irror window! c!

(6ptional) Edit the file to reove the eAplanation teAt at the beginning and the description entry following the cr!pto map S+(,'()*,1 coand!


+age 2% of ,'

CCNA Security

#as' 2: App"y the &irror Configuration to ,. and Verify the Configuration Step *: Access the ,. CLI and copy the 0irror co00ands1 Note: Bou can also use ##+ on R3 to create the appropriate V+1 configuration but copying and pasting the irror coands generated fro R% is easier! a!

6n R3 enter privileged E
b!

#opy the coands fro the teAt file into the R3 #9I!

Step : App"y the crypto 0ap to the ,. S>>* interface1 R3(config)# interface S0/0/1 R3(config-if)# cr!pto map S+(,'()*,1 =an 3. 13:..:3717?: CRP<;--!A"PB;+B;: !A"P is ;+

Step .: Verify the VPN configuration on ,. using Cisco IOS1 a!

isplay the running config beginning with the first line that contains the string '-'-%F to verify that the crypto ap is applied to S'-'-%!

R3# " run  %eg 0/0/1 interface !erial.9.91 ip a$$ress 1.221 200200200202 cr&pto map !BCAPB1 b! 6n R3 use the "ow cr!pto iakmp polic! coand to show the configured IS"8+ policies on the router! 1ote that the default ##+ policy is also present!

R3# "ow cr!pto iakmp polic! ,loal " polic& Protection suite of priorit& 1 encr&ption algorit%m: %as% algorit%m: aut%entication met%o$: iffie-*ellman group: lifetime: Protection suite of priorit& 1. encr&ption algorit%m: it ke&s ) %as% algorit%m: aut%entication met%o$: iffie-*ellman group: lifetime: c!

<%ree ke& triple ! !ecure *as% !tan$ar$ Pre-!%are$ "e& #2 (1.2? it) 7?.. secon$s no /olume limit

A! - A$/ance$ ncr&ption !tan$ar$ (20

essage igest 0 Pre-!%are$ "e& #0 (103 it) 277.. secon$s no /olume limit

In the above output how any IS"8+ policies are thereC *wo the ##+ default with priority % and the one with priority %' which was created during the ##+ session with R% and copied as part of the irror configuration!

d! Issue the "ow cr!pto ipec tranform-et coand to display the configured I+sec policies in the for of the transfor sets!

E

E

+age 22 of ,'

CCNA Security

E

e! Dse the "ow cr!pto map coand to display the crypto aps that will be applied to the router!

R3# "ow cr!pto map Cr&pto ap I!BCAPB1I 1 ipsec-isakmp escription: Appl& t%e cr&pto map on t%e peer routerTs interface %a/ing P a$$ress 1.221 t%at connects to t%is router Peer F 1.111 'ten$e$ P access list !B1 access-list !B1 permit ip 1@2173. ...200 1@2171. ...200 Current peer: 1.111 !ecurit& association lifetime: ?.7... kilo&tes93.. secon$s P! (9+): +
In the above output the IS"8+ policy being used by the crypto ap is the ##+ default policy with se7uence nuber priority % indicated by the nuber % in the first output line: Cr&pto ap U!BCAPB1 F % ipsec4isa5p! ;hy is it not using the one you created in the ##+ session N the one shown with priority %' in Step 3b aboveC *he ##+ crypto ap config defaults to using the default IS"8+ policy!

g!

(6ptional) Bou can force the routers to use the ore stringent policy that you created by changing the crypto ap references in the R% and R3 router configs as shown below! If this is done the default IS"8+ policy % can be reoved fro both routers!

R1(config)# interface S0/0/1 R1(config-if)# no cr!pto map S+(,'()*,1 R1(config-if)# e#it =an 3. 1O:.1:?.@@: CRP<;--!A"PB;+B;: !A"P is ; R1(config)# no cr!pto map S+(,'()*,1 1 R1(config)# cr!pto map S+(,'()*,1 10 ipec-iakmp  +;<: <%is ne8 cr&pto map 8ill remain $isale$ until a peer an$ a /ali$ access list %a/e een configure$ R1(config-cr&pto-map)# decription unnel to 10.2.2.1 R1(config-cr&pto-map)# et peer 10.2.2.1 R1(config-cr&pto-map)# et tranform-et a%-ranform R1(config-cr&pto-map)# matc" addre 100 R1(config-cr&pto-map)# e#it R1(config)# int S0/0/1 R1(config-if)# cr!pto map S+(,'()*,1 R1(config-if)#e =an 3. 1O:.3:1.3: CRP<;--!A"PB;+B;: !A"P is ;+ R3(config)# interface S0/0/1 R3(config-if)# no cr!pto map S+(,'()*,1 R3(config-if)# e#it R3(config)# no cr!pto map S+(,'()*,1 1 R3(config)# cr!pto map S+(,'()*,1 10 ipec-iakmp  +;<: <%is ne8 cr&pto map 8ill remain $isale$ until a peer an$ a /ali$ access list %a/e een configure$ R3(config-cr&pto-map)# decription unnel to 10.1.1.1 "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 23 of ,'

CCNA Security R3(config-cr&pto-map)# et peer 10.1.1.1 R3(config-cr&pto-map)# et tranform-et a%-ranform R3(config-cr&pto-map)# matc" addre 100 R3(config-cr&pto-map)# e#it R3(config)# int S0/0/1 R3(config-if)# cr!pto map S+(,'()*,1 R3(config-if)# =an 3. 22:17:27?7O: CRP<;--!A"PB;+B;: !A"P is ;+

#as' 5: #est the VPN Configuration Using CCP on ,*1 a!

6n R% use ##+ to test the I+sec V+1 tunnel between the two routers! #hoose the folder Security < VPN < Site-to-Site VPN and clic5 the 3dit Site-to-Site VPN tab!

b!

ro the Edit Site to Site V+1 tab choose the V+1 and clic5 #est #unne"!

c!

;hen the V+1 *roubleshooting window displays clic5 the Start button to have ##+ start troubleshooting the tunnel!

d!

;hen the ##+ ;arning window displays indicating that ##+ will enable router debugs and generate soe tunnel traffic clic5 es to continue!

e!

In the neAt V+1 *roubleshooting window the I+ address of the R% a'-% interface in the source networ5 is displayed by default (%&2!%./!%!%)! Enter the I+ address of the R3 a'-% interface in the destination networ5 field (*1*681.1*) and clic5 Continue to begin the debugging process!

f!

If the debug is successful and the tunnel is up you should see the screen below! If the testing fails ##+ displays failure reasons and recoended actions! #lic5 O; to reove the window!


+age 2, of ,'

CCNA Security

g!

Bou can save the report if desiredO otherwise clic5 C"ose!

Note: If you want to reset the tunnel and test again you can clic5 the C"ear Connection button fro the Edit Suite4to4Site V+1 window! *his can also be accoplished at the #9I using the clear cr!pto eion coand! h!

isplay the running config for R3 beginning with the first line that contains the string '-'-%F to verify that the crypto ap is applied to S'-'-%!

R3# " run  %eg 0/0/1 interface !erial.9.91 ip a$$ress 1.221 200200200202 cr&pto map !BCAPB1 Voutput omitte$> i!

Issue the "ow cr!pto iakmp a coand on R3 to view the security association created!

R3# "ow cr!pto iakmp a P/? Cr&pto !A"P !A $st src 1.221 1.111 M!

state KB5

conn-i$ slot status 1..1 . AC<S

Issue the "ow cr!pto ipec a coand! >ow any pac5ets have been transfored between R% and R3C %%. fro the ##+ testing

R3# "ow cr!pto ipec a interface: !erial.9.91 Cr&pto map tag: !BCAPB1 local a$$r 1.221 protecte$ /rf: (none) "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 20 of ,'

CCNA Security local i$ent (a$$r9mask9prot9port): (1@2173.9200200200.9.9.) remote i$ent (a$$r9mask9prot9port): (1@2171.9200200200.9.9.) currentBpeer 1.111 port 0.. PR< flagsFDoriginBisBaclE #pkts encaps: 11 #pkts encr&pt: 11 #pkts $igest: 11 #pkts $ecaps: 11 #pkts $ecr&pt: 11 #pkts /erif&: 11 #pkts compresse$: . #pkts $ecompresse$: . #pkts not compresse$: . #pkts compr faile$: . #pkts not $ecompresse$: . #pkts $ecompress faile$: . #sen$ errors . #rec/ errors . local cr&pto en$pt: 1.221 remote cr&pto en$pt: 1.111 pat% mtu 10.. ip mtu 10.. ip mtu i$ !erial.9.91 current outoun$ spi: .'2.OAA7A([email protected].) inoun$ esp sas: spi: .'A1.2CA([email protected]?) transform: esp-20-aes esp-s%a-%mac  in use settings FD

+age 2. of ,'

CCNA Security

,ef"ection %! ;ould traffic on the ast Ethernet lin5 between +#4" and the R% a'-' interface be encrypted by the site4 to4site I+sec V+1 tunnelC ;hy or why notC 1o! *his site4to4site V+1 only encrypts fro router R% to R3! " sniffer could be used to see the traffic fro +#4" to the R% default gateway! 2!

#opared to using the ##+ V+1 wiKard GDI what are soe factors to consider when configuring site4to4 site I+sec V+1s using the anual #9IC "nswers will vary but could include the following: *raditional #9I ethods are tie4consuing and prone to 5eystro5e errors! *hey also re7uire the adinistrator to have an eAtensive 5nowledge of I+sec V+1s and #isco I6S coand syntaA! ##+ gives the aAiu fleAibility and greatly siplifies I+sec V+1 configuration! ##+ also provides help and eAplanations on various technologies and settings available!

,outer Interface Su00ary #ab"e ,outer Interface Su00ary Router 8odel

Ethernet Interface Ethernet Interface Serial Interface Serial Interface % 2 % 2 ast Ethernet '-' ast Ethernet '-% Serial '-'-' Serial '-'-% %/'' (a'-') (a'-%) (S'-'-') (S'-'-%) Gigabit Ethernet '-' Gigabit Ethernet '-% Serial '-'-' Serial '-'-% %&'' (G'-') (G'-%) (S'-'-') (S'-'-%) ast Ethernet '-' ast Ethernet '-% Serial '-'-' Serial '-'-% 2/'' (a'-') (a'-%) (S'-'-') (S'-'-%) Gigabit Ethernet '-' Gigabit Ethernet '-% Serial '-'-' Serial '-'-% 2&'' (G'-') (G'-%) (S'-'-') (S'-'-%) Note: *o find out how the router is configured loo5 at the interfaces to identify the type of router and how any interfaces the router has! *here is no way to effectively list all the cobinations of configurations for each router class! *his table includes identifiers for the possible cobinations of Ethernet and Serial interfaces in the device! *he table does not include any other type of interface even though a specific router ay contain one! "n eAaple of this ight be an IS1 HRI interface! *he string in parenthesis is the legal abbreviation that can be used in #isco I6S coands to represent the interface!

,outer Configs Note: ISR G2 devices have Gigabit Ethernet interfaces instead of ast Ethernet Interfaces!

,outer ,* after Part * R1#s% run Muil$ing configuration Current configuration : 1370 &tes H /ersion 12? ser/ice timestamps $eug $atetime msec ser/ice timestamps log $atetime msec ser/ice pass8or$-encr&ption H %ostname R1 H "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 2= of ,'

CCNA Security oot-start-marker oot-en$-marker H securit& pass8or$s min-lengt% 1. logging message-counter s&slog H no aaa ne8-mo$el $ot11 s&slog ip source-route H ip cef no ip $omain lookup H no ip/ cef multilink un$le-name aut%enticate$ H H H arc%i/e log config %i$eke&s H interface astt%ernet.9. no ip a$$ress s%ut$o8n $uple' auto spee$ auto H interface astt%ernet.91 ip a$$ress 1@21711 200200200. $uple' auto spee$ auto H interface astt%ernet.919. H interface astt%ernet.9191 H interface astt%ernet.9192 H interface astt%ernet.9193 H interface !erial.9.9. ip a$$ress 1.111 200200200202 no fair-Nueue clock rate ?... H interface !erial.9.91 no ip a$$ress s%ut$o8n clock rate 2...... H interface Slan1 no ip a$$ress H router eigrp 1.1 net8ork 1.11. ...3 net8ork 1@2171. no auto-summar& "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 2/ of ,'

CCNA Security H ip for8ar$-protocol n$ no ip %ttp ser/er no ip %ttp secure-ser/er H control-plane H line con . e'ec-timeout . . pass8or$ O 1?1?1M17..M2@2?2A3732231 logging s&nc%ronous login line au' . line /t& . ? e'ec-timeout 0 . pass8or$ O .0.7.1C22?3071..101.117 login H sc%e$uler allocate 2.... 1... en$

,outer , after Part * R2#s% run Muil$ing configuration Current configuration : 13@ &tes H /ersion 12? ser/ice timestamps $eug $atetime msec ser/ice timestamps log $atetime msec ser/ice pass8or$-encr&ption H %ostname R2 H oot-start-marker oot-en$-marker H securit& pass8or$s min-lengt% 1. logging message-counter s&slog H no aaa ne8-mo$el $ot11 s&slog ip source-route H ip cef no ip $omain lookup H no ip/ cef multilink un$le-name aut%enticate$ H arc%i/e log config %i$eke&s H interface astt%ernet.9. no ip a$$ress s%ut$o8n "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 2& of ,'

CCNA Security $uple' auto spee$ auto H interface astt%ernet.91 no ip a$$ress s%ut$o8n $uple' auto spee$ auto H interface astt%ernet.919. H interface astt%ernet.9191 H interface astt%ernet.9192 H interface astt%ernet.9193 H interface !erial.9.9. ip a$$ress 1.112 200200200202 no fair-Nueue H interface !erial.9.91 ip a$$ress 1.222 200200200202 clock rate ?... H interface Slan1 no ip a$$ress H router eigrp 1.1 net8ork 1.11. ...3 net8ork 1.22. ...3 no auto-summar& H ip for8ar$-protocol n$ no ip %ttp ser/er no ip %ttp secure-ser/er H H control-plane H line con . e'ec-timeout . . pass8or$ O .0.7.1C22?3?.1O101.117 logging s&nc%ronous login line au' . line /t& . ? e'ec-timeout 0 . pass8or$ O .2.0.?7.7.@1@30000.7.A1 login H sc%e$uler allocate 2.... 1... en$ R2#R2#


+age 3' of ,'

CCNA Security ,outer ,. after Part * R3#s% run Muil$ing configuration Current configuration : 13?O &tes H /ersion 12? ser/ice timestamps $eug $atetime msec ser/ice timestamps log $atetime msec ser/ice pass8or$-encr&ption H %ostname R3 H oot-start-marker oot-en$-marker H securit& pass8or$s min-lengt% 1. logging message-counter s&slog H no aaa ne8-mo$el $ot11 s&slog ip source-route H ip cef no ip $omain lookup H no ip/ cef multilink un$le-name aut%enticate$ H arc%i/e log config %i$eke&s H interface astt%ernet.9. no ip a$$ress s%ut$o8n $uple' auto spee$ auto H interface astt%ernet.91 ip a$$ress 1@21731 200200200. $uple' auto spee$ auto H interface astt%ernet.919. H interface astt%ernet.9191 H interface astt%ernet.9192 H interface astt%ernet.9193 H interface !erial.9.9. no ip a$$ress s%ut$o8n no fair-Nueue clock rate 2...... "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 3% of ,'

CCNA Security H interface !erial.9.91 ip a$$ress 1.221 200200200202 H interface Slan1 no ip a$$ress H router eigrp 1.1 net8ork 1.22. ...3 net8ork 1@2173. no auto-summar& H ip for8ar$-protocol n$ no ip %ttp ser/er no ip %ttp secure-ser/er H control-plane H line con . e'ec-timeout . . pass8or$ O .11..1O07.?.0..20C?1A.A logging s&nc%ronous login line au' . line /t& . ? e'ec-timeout 0 . pass8or$ O 1?1?1M17..M3C333732231 login H sc%e$uler allocate 2.... 1... en$ R3#

,outer ,* after Part  R1#s% run Muil$ing configuration Current configuration : 1710 &tes H /ersion 12? ser/ice timestamps $eug $atetime msec ser/ice timestamps log $atetime msec ser/ice pass8or$-encr&ption H %ostname R1 H oot-start-marker oot-en$-marker H securit& pass8or$s min-lengt% 1. logging message-counter s&slog H no aaa ne8-mo$el $ot11 s&slog ip source-route H "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 32 of ,'

CCNA Security ip cef no ip $omain lookup H no ip/ cef multilink un$le-name aut%enticate$ H arc%i/e log config %i$eke&s H cr&pto isakmp polic& 1. encr aes 20 aut%entication pre-s%are group 0 lifetime 3.. cr&pto isakmp ke& cisco123 a$$ress 1.221 H cr&pto ipsec securit&-association lifetime secon$s 17.. H cr&pto ipsec transform-set 0. esp-aes 20 esp-s%a-%mac H cr&pto map CAP 1. ipsec-isakmp set peer 1.221 set securit&-association lifetime secon$s @.. set transform-set 0. set pfs group0 matc% a$$ress 1.1 H interface astt%ernet.9. no ip a$$ress s%ut$o8n $uple' auto spee$ auto H interface astt%ernet.91 ip a$$ress 1@21711 200200200. $uple' auto spee$ auto H interface astt%ernet.919. H interface astt%ernet.9191 H interface astt%ernet.9192 H interface astt%ernet.9193 H interface !erial.9.9. ip a$$ress 1.111 200200200202 no fair-Nueue clock rate ?... cr&pto map CAP H interface !erial.9.91 no ip a$$ress s%ut$o8n clock rate 2...... H "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 33 of ,'

CCNA Security interface Slan1 no ip a$$ress H router eigrp 1.1 net8ork 1.11. ...3 net8ork 1@2171. no auto-summar& H ip for8ar$-protocol n$ no ip %ttp ser/er no ip %ttp secure-ser/er H access-list 1.1 permit ip 1@2171. ...200 1@2173. ...200 H control-plane H line con . e'ec-timeout . . pass8or$ O [email protected]?01A logging s&nc%ronous login line au' . line /t& . ? e'ec-timeout 0 . pass8or$ O ...O1A10.O0?112131?01A login H sc%e$uler allocate 2.... 1... en$ R1#

,outer ,. after Part  R3#s% run Muil$ing configuration Current configuration : 1O@O &tes H /ersion 12? ser/ice timestamps $eug $atetime msec ser/ice timestamps log $atetime msec ser/ice pass8or$-encr&ption H %ostname R3 H oot-start-marker oot-en$-marker H securit& pass8or$s min-lengt% 1. logging message-counter s&slog H no aaa ne8-mo$el $ot11 s&slog ip source-route H ip cef "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 3, of ,'

CCNA Security no ip $omain lookup H no ip/ cef multilink un$le-name aut%enticate$ H arc%i/e log config %i$eke&s H cr&pto isakmp polic& 1. encr aes 20 aut%entication pre-s%are group 0 lifetime 3.. cr&pto isakmp ke& cisco123 a$$ress 1.111 H cr&pto ipsec securit&-association lifetime secon$s 17.. H cr&pto ipsec transform-set 0. esp-aes 20 esp-s%a-%mac H cr&pto map CAP 1. ipsec-isakmp set peer 1.111 set securit&-association lifetime secon$s @.. set transform-set 0. set pfs group0 matc% a$$ress 1.1 H interface astt%ernet.9. no ip a$$ress s%ut$o8n $uple' auto spee$ auto H interface astt%ernet.91 ip a$$ress 1@21731 200200200. $uple' auto spee$ auto H interface astt%ernet.919. H interface astt%ernet.9191 H interface astt%ernet.9192 H interface astt%ernet.9193 H interface !erial.9.9. no ip a$$ress s%ut$o8n no fair-Nueue clock rate 2...... H interface !erial.9.91 ip a$$ress 1.221 200200200202 cr&pto map CAP H interface Slan1 no ip a$$ress "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 30 of ,'

CCNA Security H router eigrp 1.1 net8ork 1.22. ...3 net8ork 1@2173. no auto-summar& H ip for8ar$-protocol n$ no ip %ttp ser/er no ip %ttp secure-ser/er H access-list 1.1 permit ip 1@2173. ...200 1@2171. ...200 H control-plane H line con . e'ec-timeout . . pass8or$ O .3.O0217.0..22?3?.1@171.? logging s&nc%ronous login line au' . line /t& . ? e'ec-timeout 0 . pass8or$ O 1?1?1M17..M3C333732231 login H sc%e$uler allocate 2.... 1... en$ R3#

,outer ,* after Part . R1#s% run Muil$ing configuration Current configuration : 1@ &tes H /ersion 12? ser/ice timestamps $eug $atetime msec ser/ice timestamps log $atetime msec ser/ice pass8or$-encr&ption H %ostname R1 H oot-start-marker oot-en$-marker H securit& pass8or$s min-lengt% 1. logging message-counter s&slog no logging uffere$ enale secret 0 G1GWS.WG
+age 3. of ,'

CCNA Security no ip $omain lookup H no ip/ cef multilink un$le-name aut%enticate$ H arc%i/e log config %i$eke&s H cr&pto isakmp polic& 1 encr 3$es aut%entication pre-s%are group 2 H cr&pto isakmp polic& 1. encr aes 20 %as% m$0 aut%entication pre-s%are group 0 lifetime 277.. cr&pto isakmp ke& cisco123?0 a$$ress 1.221 H cr&pto ipsec transform-set 5a-
+age 3= of ,'

CCNA Security H interface Slan1 no ip a$$ress H router eigrp 1.1 net8ork 1.11. ...3 net8ork 1@2171. auto-summar& H ip for8ar$-protocol n$ ip %ttp ser/er no ip %ttp secure-ser/er H access-list 1.. remark CCPBAC5 Categor&F? access-list 1.. remark Psec Rule access-list 1.. permit ip 1@2171. ...200 1@2173. ...200 H control-plane H line con . e'ec-timeout . . pass8or$ O .@??O1A1A.A1?1.01C.03@37 logging s&nc%ronous login line au' . line /t& . ? e'ec-timeout 0 . pass8or$ O .11..1O07.?1.1M370C?1A.A login H sc%e$uler allocate 2.... 1... en$ R1#

,outer ,. after Part . R3#s% run Muil$ing configuration Current configuration : 1@72 &tes H /ersion 12? ser/ice timestamps $eug $atetime msec ser/ice timestamps log $atetime msec ser/ice pass8or$-encr&ption H %ostname R3 H oot-start-marker oot-en$-marker H securit& pass8or$s min-lengt% 1. logging message-counter s&slog H no aaa ne8-mo$el $ot11 s&slog ip source-route "ll contents are #opyright $ %&&2–2'%2 #isco Systes Inc! "ll rights reserved! *his docuent is #isco +ublic Inforation!

+age 3/ of ,'

CCNA Security H ip cef no ip $omain lookup H no ip/ cef multilink un$le-name aut%enticate$ H arc%i/e log config %i$eke&s H cr&pto isakmp polic& 1 encr 3$es aut%entication pre-s%are group 2 H cr&pto isakmp polic& 1. encr aes 20 %as% m$0 aut%entication pre-s%are group 0 lifetime 277.. cr&pto isakmp ke& cisco123?0 a$$ress 1.111 H H cr&pto ipsec transform-set 5a-
+age 3& of ,'

CCNASv1.1 Chp08 Lab a Site2Site VPN Instructor

Recommend Documents