Packet Tracer Configuring VPNs (Optional)




Topology

(Topology diagram not reproduced in this transcription; the addressing table below describes it.)

Addressing Table

    Device  Interface  IP Address   Subnet Mask      Default Gateway
    R1      G0/0       192.168.1.1  255.255.255.0    N/A
    R1      S0/0/0     10.1.1.2     255.255.255.252  N/A
    R2      G0/0       192.168.2.1  255.255.255.0    N/A
    R2      S0/0/0     10.1.1.1     255.255.255.252  N/A
    R2      S0/0/1     10.2.2.1     255.255.255.252  N/A
    R3      G0/0       192.168.3.1  255.255.255.0    N/A
    R3      S0/0/1     10.2.2.2     255.255.255.252  N/A
    PC-A    NIC        192.168.1.3  255.255.255.0    192.168.1.1
    PC-B    NIC        192.168.2.3  255.255.255.0    192.168.2.1
    PC-C    NIC        192.168.3.3  255.255.255.0    192.168.3.1

2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 6

ISAKMP Phase 1 Policy Parameters

    Parameters               Options                  R1         R3
    Key distribution method  Manual or ISAKMP         ISAKMP     ISAKMP
    Encryption algorithm     DES, 3DES, or AES        AES        AES
    Hash algorithm           MD5 or SHA-1             SHA-1      SHA-1
    Authentication method    Pre-shared keys or RSA   pre-share  pre-share
    Key exchange             DH Group 1, 2, or 5      DH 2       DH 2
    IKE SA Lifetime          86400 seconds or less    86400      86400
    ISAKMP Key               -                        cisco      cisco

Bolded parameters are defaults (the bold formatting is lost in this transcription; as Part 2 Step 3 explains, the hash algorithm and the IKE SA lifetime are the defaults here). Other parameters need to be explicitly configured.

IPsec Phase 2 Policy Parameters

    Parameters               R1              R3
    Transform Set            VPN-SET         VPN-SET
    Peer Hostname            R3              R1
    Peer IP Address          10.2.2.2        10.1.1.2
    Network to be encrypted  192.168.1.0/24  192.168.3.0/24
    Crypto Map name          VPN-MAP         VPN-MAP
    SA Establishment         ipsec-isakmp    ipsec-isakmp

Objectives

Part 1: Enable Security Features
Part 2: Configure IPsec Parameters on R1
Part 3: Configure IPsec Parameters on R3
Part 4: Verify the IPsec VPN

Scenario

In this activity, you will configure two routers to support a site-to-site IPsec VPN for traffic flowing between their respective LANs. The IPsec VPN traffic will pass through another router (R2) that has no knowledge of the VPN. IPsec provides secure transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers), such as Cisco routers.

Part 1: Enable Security Features

Step 1: Activate the securityk9 module.

The Security Technology Package license must be enabled to complete this activity.

Note: Both the user EXEC and privileged EXEC password is cisco.

a. Issue the show version command in user EXEC or privileged EXEC mode to verify that the Security Technology Package license is activated.

    ----------------------------------------------------------------
    Technology    Technology-package           Technology-package
                  Current           Type       Next reboot
    -----------------------------------------------------------------
    ipbase        ipbasek9          Permanent  ipbasek9
    security      None              None       None
    uc            None              None       None
    data          None              None       None

    Configuration register is 0x2102

b. If it is not, activate the securityk9 module for the next boot of the router, accept the license, save the configuration, and reload.

    R1(config)# license boot module c2900 technology-package securityk9
    R1(config)# end
    R1# copy running-config startup-config
    R1# reload

c. After the reload completes, issue show version again to verify that the Security Technology Package license is activated.

    Technology Package License Information for Module:'c2900'
    ----------------------------------------------------------------
    Technology    Technology-package           Technology-package
                  Current           Type       Next reboot
    -----------------------------------------------------------------
    ipbase        ipbasek9          Permanent  ipbasek9
    security      securityk9        Evaluation securityk9
    uc            None              None       None
    data          None              None       None

d. Repeat Steps 1a to 1c on R3.

Part 2: Configure IPsec Parameters on R1

Step 1: Test connectivity.

Ping from PC-A to PC-C.

Step 2: Identify interesting traffic on R1.

Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting. This interesting traffic will trigger the IPsec VPN to be established whenever there is traffic between the R1 and R3 LANs. All other traffic sourced from the LANs will not be encrypted. Remember that because of the implicit deny any at the end of every ACL, there is no need to add a deny statement to the list.

    R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Step 3: Configure the ISAKMP Phase 1 properties on R1.

Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key cisco. Refer to the ISAKMP Phase 1 table for the specific parameters to configure. Default values do not have to be configured; therefore only the encryption algorithm, the authentication (key exchange) method, and the DH group must be configured.

    R1(config)# crypto isakmp policy 10
    R1(config-isakmp)# encryption aes
    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# group 2
    R1(config-isakmp)# exit
    R1(config)# crypto isakmp key cisco address 10.2.2.2

Step 4: Configure the ISAKMP Phase 2 properties on R1.

Create the transform set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.

    R1(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
    R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
    R1(config-crypto-map)# description VPN connection to R3
    R1(config-crypto-map)# set peer 10.2.2.2
    R1(config-crypto-map)# set transform-set VPN-SET
    R1(config-crypto-map)# match address 110
    R1(config-crypto-map)# exit

Step 5: Configure the crypto map on the outgoing interface.

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface. Note: This is not graded.

    R1(config)# interface S0/0/0
    R1(config-if)# crypto map VPN-MAP

Part 3: Configure IPsec Parameters on R3

Step 1: Configure router R3 to support a site-to-site VPN with R1.

Now configure the reciprocal parameters on R3. Configure ACL 110 to identify the traffic from the LAN on R3 to the LAN on R1 as interesting.

    R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 2: Configure the ISAKMP Phase 1 properties on R3.

Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key cisco.

    R3(config)# crypto isakmp policy 10
    R3(config-isakmp)# encryption aes
    R3(config-isakmp)# authentication pre-share
    R3(config-isakmp)# group 2
    R3(config-isakmp)# exit
    R3(config)# crypto isakmp key cisco address 10.1.1.2

Step 3: Configure the ISAKMP Phase 2 properties on R3.

As you did on R1, create the transform set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.

    R3(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
    R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
    R3(config-crypto-map)# description VPN connection to R1
    R3(config-crypto-map)# set peer 10.1.1.2
    R3(config-crypto-map)# set transform-set VPN-SET
    R3(config-crypto-map)# match address 110
    R3(config-crypto-map)# exit

Step 4: Configure the crypto map on the outgoing interface.

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface. Note: This is not graded.

    R3(config)# interface S0/0/1
    R3(config-if)# crypto map VPN-MAP

Part 4: Verify the IPsec VPN

Step 1: Verify the tunnel prior to interesting traffic.

Issue the show crypto ipsec sa command on R1. Notice that the numbers of packets encapsulated, encrypted, decapsulated and decrypted are all 0.

    R1# show crypto ipsec sa

    interface: Serial0/0/0
        Crypto map tag: VPN-MAP, local addr 10.1.1.2

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
       current_peer 10.2.2.2 port 500
        PERMIT, flags={origin_is_acl,}
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
       #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 0, #pkts compr. failed: 0
       #pkts not decompressed: 0, #pkts decompress failed: 0
       #send errors 0, #recv errors 0

        local crypto endpt.: 10.1.1.2, remote crypto endpt.:10.2.2.2
        path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
        current outbound spi: 0x0(0)
    <output omitted>

Step 2: Create interesting traffic.

Ping PC-C from PC-A.

Step 3: Verify the tunnel after interesting traffic.

On R1, re-issue the show crypto ipsec sa command. Now notice that the packet counters are greater than 0, indicating that the IPsec VPN tunnel is working.

    R1# show crypto ipsec sa

    interface: Serial0/0/0
        Crypto map tag: VPN-MAP, local addr 10.1.1.2

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
       current_peer 10.2.2.2 port 500
        PERMIT, flags={origin_is_acl,}
       #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 0
       #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 0
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 0, #pkts compr. failed: 0
       #pkts not decompressed: 0, #pkts decompress failed: 0
       #send errors 1, #recv errors 0

        local crypto endpt.: 10.1.1.2, remote crypto endpt.:10.2.2.2
        path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
        current outbound spi: 0x0A496941(172583233)
    <output omitted>

Step 4: Create uninteresting traffic.

Ping PC-B from PC-A.

Step 5: Verify the tunnel.

On R1, re-issue the show crypto ipsec sa command. Finally, notice that the packet counters have not changed, verifying that uninteresting traffic is not encrypted.
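The tunnel in Parts 2 and 3 only comes up because every Phase 1 and Phase 2 parameter on R3 mirrors R1, so a practitioner usually checks that reciprocity before looking at counters. The following Python script is an added example, not part of the Cisco lab: it parses a constructed excerpt of the R1 configuration (R3's is derived as its mirror image), reports any parameter that does not reciprocate, and, as an added defender caveat, flags the lab's 3DES and DH group 2 choices that Cisco's current Next Generation Encryption guidance treats as legacy. The WAN addresses 10.1.1.2 and 10.2.2.2 come from the addressing table; the regexes assume the exact command forms the lab uses.

```python
import re

# Constructed excerpt of the R1 configuration entered in Part 2 of the lab.
R1_CFG = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.2.2.2
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set VPN-SET
 match address 110
"""
# R3 (Part 3) is the mirror image: swapped ACL networks, and R1's WAN address as the peer.
R3_CFG = (R1_CFG.replace("192.168.1.0 0.0.0.255 192.168.3.0", "192.168.3.0 0.0.0.255 192.168.1.0")
          .replace("10.2.2.2", "10.1.1.2"))

def parse(cfg):
    """Pull out the parameters the lab's Phase 1 and Phase 2 tables care about."""
    acl = re.search(r"^access-list (\d+) permit ip (\S+) \S+ (\S+) \S+", cfg, re.M)
    return {
        "acl": acl.group(1), "local_net": acl.group(2), "remote_net": acl.group(3),
        "dh": re.search(r"^ group (\d+)", cfg, re.M).group(1),
        "key_peer": re.search(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M).group(1),
        "transform": re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M).group(1).split(),
        "peer": re.search(r"^ set peer (\S+)", cfg, re.M).group(1),
        "map_acl": re.search(r"^ match address (\d+)", cfg, re.M).group(1),
    }

def check_pair(a_cfg, a_wan, b_cfg, b_wan):
    """Return the mismatches between two peers; an empty list means the configs reciprocate."""
    a, b = parse(a_cfg), parse(b_cfg)
    checks = [
        (a["peer"] == b_wan and b["peer"] == a_wan, "set peer is not the other router's WAN address"),
        (a["key_peer"] == a["peer"] and b["key_peer"] == b["peer"], "isakmp key address differs from crypto map peer"),
        (a["local_net"] == b["remote_net"] and a["remote_net"] == b["local_net"], "crypto ACLs are not mirror images"),
        (a["map_acl"] == a["acl"] and b["map_acl"] == b["acl"], "match address does not reference the crypto ACL"),
        (a["transform"] == b["transform"] and a["dh"] == b["dh"], "transform set or DH group differs between peers"),
    ]
    return [msg for ok, msg in checks if not ok]

LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}  # added caveat: legacy per Cisco NGE guidance

def legacy_choices(cfg):
    """List the lab's choices current guidance no longer recommends (3DES, DH groups below 14)."""
    p = parse(cfg)
    found = [t for t in p["transform"] if t in LEGACY]
    if int(p["dh"]) < 14:
        found.append("group " + p["dh"])
    return found
```

Running check_pair on the lab's two configurations returns an empty list; change one side's peer address and it reports both the peer mismatch and the now-inconsistent isakmp key address.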