Introduction Of MPLS

Introduction Of MPLS
MPLS defines protocol that make different paradigm for a way routers forward packets. rather than forwarding packets based on the packets destination IP address, MPLS defines how router can forward packets based on MPLS label.

What Is OSPF Sham Links? How To Configure OSPF Sham Links?

What Is OSPF Sham Links? How To Configure OSPF Sham Links?
OSPF Sham links is a logical inter-area link carried by the super backbone. A Sham links is required only between two VPN sites that belong to the same area and have a backdoor link for backup purposes. OSPF adjacency is established across the sham link.

How To Configure MPLS L3 With BGP AS OVERRIDE?

How To Configure MPLS L3 With BGP AS OVERRIDE?
BGP has a simple loop prevention mechanism for external BGP. When you see your own Autonomous system number in the AS path, we do not accept the prefix. This mechanism is fine for Internet routing but there are some other scenarios where this might be an issue

What Is MPLS L3 VPN ? How To Configure?

What Is MPLS L3 VPN ? How To Configure?
In MPLS Layer 3 the service provider will participate in routing with the customers. The customers will run static, OSPF, EIGRP, BGP or any other routing protocol with the service provider; these routes can be shared with other sites of the customers. In VPN routing information from one customer is completely separated from other customers and tunneled over the service provider MPLS network.

Latest Posts

What is DMVPN Phase 3? What is the difference between DMVPN phases 1, 2, and 3? How to configure DMVPN Phase 3?

Internetworks

 

DMVPN (Dynamic Multipoint VPN) is a routing technology introduced by Cisco that allows you to build a VPN network with multiple sites without having to statically configure all devices. It uses a "hub and spoke" network topology, where the spokes can communicate directly without going through the hub. DMVPN supports encryption through IPsec, which makes it a popular choice for connecting different sites using regular Internet connections. It's a great backup or alternative to private networks like MPLS VPN. In other words, DMVPN combines mGRE + NHRP + DRP (dynamic routing protocol) and IPsec.





let's take a look at all the technologies: -

Multipoint GRE (mGRE)

Our regular GRE tunnels are point-to-point and don’t scale well. It becomes messy quickly so many point-to-point tunnels. but When we use GRE Multipoint, there will be only one tunnel interface on each router. mGRE interfaces do not have a tunnel destination. It keeps costs low, minimizing configuration complexity, and increasing flexibility. Multipoint GRE(Mgre) Uses tunnel source and tunnel mode (mgre). The tunnel can have many endpoints by using a single tunnel interface. The endpoint can be configured as GRE or MGRE and Mapping is done by NHRP Protocol.

https://mpls.internetworks.in/2021/02/what-is-network-tunneling-and-how-to.html


NHRP (Next Hop Resolution Protocol)

We want something that can help our router figure out what the public IP address is of the other router, we do this with the help of a protocol called NHRP (Next Hop Resolution Protocol). Next hop resolution protocol (NHRP)  Maps the tunnel IP with NBMA address (public IP ) (static or dynamic). NHRP Provides layer 2 address resolution protocol and caching services similar to ARP and inverse ARP. It only builds a dynamic database stored on the hub with information about spokes IP addresses.

https://mpls.internetworks.in/2021/02/what-is-dmvpn-dynamic-multipoint-vpn.html


Dynamic routing protocol

Dynamic routing is used to find networks and update routing tables on routers dynamically. It is easier than using static or default routing, but it will cost you in terms of router CPU processing and bandwidth on network links.

https://www.internetworks.in/2018/10/open-shortest-path-first-ospf-basic.html

https://www.internetworks.in/2018/10/eigrp-basic.html


IPsec encryption

(Internet Protocol Security) IPSec is a set of protocols developed by the Internet Engineering Task Force (IETF). Internet protocol security (IPsec)  is a framework that helps us to protect our IP traffic on the network layer. Why? Because the ( internet protocol) IP protocol itself doesn’t have any security features at all. IPsec allows two or more hosts to communicate securely by authenticating and encrypting each IP packet of a communication session.

https://mpls.internetworks.in/2021/07/what-is-ipsec-internet-protocol.html


DMVPN has different three versions. we call phases.

Phase 1 https://mpls.internetworks.in/2021/02/what-is-dmvpn-dynamic-multipoint-vpn.html

Phase 2https://mpls.internetworks.in/2021/04/what-is-dmvpn-dynamic-multipoint-vpn.html
             https://mpls.internetworks.in/2021/04/how-to-configure-eigrp-and-ospf-over.html

Phase 3 In phase 3 we configure the (IP NHRP Redirect) command on the hub router and the IP NHRP shortcut command on the spokes routers.

Let's see the configuration:-

Topology:-






  • Configure the topology as per the diagram 
  • Configure the IP addresses as per the topology
  • Configure static and default route 
  • Configure the tunnel 192.168.1.0/24
  • Configure EIGRP 1 and advertise tunnel interface and LAN 
  • Configure NHRP Redirect on the HUB 
  • Configure NHRP Shortcut on the spokes
  • verify with show commands and trace commands.


R1(config)#hostname Site-A-R-

Site-A-R-(config)#interface serial 4/1
Site-A-R-(config-if)#ip address 1.1.1.1 255.0.0.0
Site-A-R-(config-if)#no shutdown
Site-A-R-(config-if)#exit

Site-A-R-(config)#interface fastethernet 0/0
Site-A-R-(config-if)#ip address 10.1.1.1 255.0.0.0
Site-A-R-(config-if)#no shutdown
Site-A-R-(config-if)#no keepalive
Site-A-R-(config-if)#exit
Site-A-R-(config)#end


Site-A-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up                                                                                                                   
Serial4/1                  1.1.1.1         YES manual up                    up                                                                                                                                                                                                                                                                               
Site-A-R-# wr
Building configuration...
[OK]




R2(config)#hostname Site-B-R-

Site-B-R-(config)#interface serial 4/2
Site-B-R-(config-if)#ip address 2.2.2.1 255.0.0.0
Site-B-R-(config-if)#no shutdown
Site-B-R-(config-if)#exit

Site-B-R-(config)#interface fastEthernet 0/0
Site-B-R-(config-if)#ip address 20.1.1.1 255.0.0.0
Site-B-R-(config-if)#no shutdown
Site-B-R-(config-if)#no keepalive
Site-B-R-(config-if)#exit
Site-B-R-(config)#end

Site-B-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            20.1.1.1        YES manual up                    up
Serial4/2                  2.2.2.1         YES manual up                    up

Site-B-R-#wr
Building configuration...
[OK]


Site-C-R-(config)#interface serial 4/3
Site-C-R-(config-if)#ip address 3.3.3.1 255.0.0.0
Site-C-R-(config-if)#no shutdown
Site-C-R-(config-if)#exit

Site-C-R-(config)#interface fastethernet 0/0
Site-C-R-(config-if)#ip address 30.1.1.1 255.0.0.0
Site-C-R-(config-if)#no keepalive
Site-C-R-(config-if)#no shutdown
Site-C-R-(config-if)#exit
Site-C-R-(config)#end

Site-C-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/3                  3.3.3.1         YES manual up                    up

Site-C-R-# wr
Building configuration...
[OK]


R4(config)#hostname Site-D-R-

Site-D-R-(config)#interface serial 4/4
Site-D-R-(config-if)#ip address 4.4.4.1 255.0.0.0
Site-D-R-(config-if)#no shutdown
Site-D-R-(config-if)#exit

Site-D-R-(config)#interface fastEthernet 0/0
Site-D-R-(config-if)#ip address 40.1.1.1 255.0.0.0
Site-D-R-(config-if)#no shutdown
Site-D-R-(config-if)#exit

Site-D-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            40.1.1.1        YES manual up                    up
Serial4/4                  4.4.4.1         YES manual up                    up

Site-D-R-#wr
Building configuration...
[OK]


R5(config)#hostname INTERNET-ROUTER-

INTERNET-ROUTER-(config)#interface serial 4/1
INTERNET-ROUTER-(config-if)#ip address 1.1.1.2 255.0.0.0
INTERNET-ROUTER-(config-if)#no shutdown
INTERNET-ROUTER-(config-if)#exit

INTERNET-ROUTER-(config)#interface serial 4/2
INTERNET-ROUTER-(config-if)#ip address 2.2.2.2 255.0.0.0
INTERNET-ROUTER-(config-if)#no shutdown
INTERNET-ROUTER-(config-if)#exit

INTERNET-ROUTER-(config)#interface serial 4/3
INTERNET-ROUTER-(config-if)#ip address 3.3.3.2 255.0.0.0
INTERNET-ROUTER-(config-if)#no shutdown
INTERNET-ROUTER-(config-if)#exit

INTERNET-ROUTER-(config)#interface serial 4/4
INTERNET-ROUTER-(config-if)#ip address 4.4.4.2 255.0.0.0
INTERNET-ROUTER-(config-if)#no shutdown
INTERNET-ROUTER-(config-if)#exit

INTERNET-ROUTER-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol

Serial4/1                  1.1.1.2         YES manual up                    up
Serial4/2                  2.2.2.2         YES manual up                    up
Serial4/3                  3.3.3.2         YES manual up                    up
Serial4/4                  4.4.4.2         YES manual up                    up

INTERNET-ROUTER-#wr
Building configuration...
[OK]


Site-A-R-(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1
Site-A-R-(config)#end

Site-A-R-#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/1

Site-A-R-#wr
Building configuration...
[OK]


Site-B-R-(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2
Site-B-R-(config)#end

Site-B-R-#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/2

Site-B-R-#write
Building configuration...
[OK]


Site-C-R-(config)#ip route 0.0.0.0 0.0.0.0 serial 4/3
Site-C-R-(config)#end

Site-C-R-#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/3

Site-C-R-#write
Building configuration...
[OK]

Site-D-R-(config)#ip route 0.0.0.0 0.0.0.0 serial 4/4
Site-D-R-(config)#end

Site-D-R-#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/4

Site-D-R-#write
Building configuration...
[OK


Site-A-R-(config)#interface tunnel 1
Site-A-R-(config-if)#ip address 192.168.1.1 255.255.255.0
Site-A-R-(config-if)#tunnel source 1.1.1.1
Site-A-R-(config-if)#tunnel mode gre multipoint
Site-A-R-(config-if)#ip nhrp network-id 1
Site-A-R-(config-if)#ip nhrp map multicast dynamic
Site-A-R-(config-if)#exit

Site-A-R-#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.1.1/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1
  Tunnel protocol/transport multi-GRE/IP








Site-A-R-(config)#router eigrp 1
Site-A-R-(config-router)#network 192.168.1.0
Site-A-R-(config-router)#network 10.0.0.0
Site-A-R-(config-router)#no au
Site-A-R-(config-router)#no auto-summary
Site-A-R-(config-router)#exit




Site-A-R-(config)#interface tunnel 1
Site-A-R-(config-if)#no ip split-horizon eigrp 1
Site-A-R-(config-if)#ip next-hop-self eigrp 1
Site-A-R-(config-if)#ip nhrp redirect
Site-A-R-(config-if)#exit
Site-A-R-(config)#end




Site-B-R-(config)#interface tunnel 1
Site-B-R-(config-if)#ip address 192.168.1.2 255.255.255.0
Site-B-R-(config-if)#tunnel source 2.2.2.1
Site-B-R-(config-if)#tunnel mode gre multipoint
Site-B-R-(config-if)#ip nhrp network-id 2
Site-B-R-(config-if)#ip nhrp map 192.168.1.1 1.1.1.1
Site-B-R-(config-if)#ip nhrp nhs 192.168.1.1
Site-B-R-(config-if)#ip nhrp map multicast 1.1.1.1
Site-B-R-(config-if)#exit

Site-B-R-#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.1.2/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2.2.2.1
  Tunnel protocol/transport multi-GRE/IP



Site-B-R-(config)#router eigrp 1
Site-B-R-(config-router)#network 192.168.1.0
Site-B-R-(config-router)#network 20.0.0.0
Site-B-R-(config-router)#no auto-summary
Site-B-R-(config-router)#exit




Site-B-R-(config)#interface tunnel 1
Site-B-R-(config-if)#ip nhrp shortcut
Site-B-R-(config-if)#exit
Site-B-R-(config)#end






Site-B-R-#traceroute 10.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 10.1.1.1

  1 192.168.1.1 56 msec 56 msec 60 msec


Site-C-R-(config)#interface tunnel 1
Site-C-R-(config-if)#ip address 192.168.1.3 255.255.255.0
Site-C-R-(config-if)#tunnel source 3.3.3.1
Site-C-R-(config-if)#tunnel mode gre multipoint
Site-C-R-(config-if)#ip nhrp network-id 3
Site-C-R-(config-if)#ip nhrp map 192.168.1.1 1.1.1.1
Site-C-R-(config-if)#ip nhrp nhs 192.168.1.1
Site-C-R-(config-if)#ip nhrp map multicast 1.1.1.1
Site-C-R-(config-if)#exit

Site-C-R-#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.1.3/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 3.3.3.1
  Tunnel protocol/transport multi-GRE/IP



Site-C-R-(config)#router eigrp 1
Site-C-R-(config-router)#network 192.168.1.0
Site-C-R-(config-router)#network 30.0.0.0
Site-C-R-(config-router)#no auto-summary
Site-C-R-(config-router)#exit

Site-C-R-(config)#interface tunnel 1
Site-C-R-(config-if)#ip nhrp shortcut
Site-C-R-(config-if)#exit
Site-C-R-(config)#end








Site-C-R-#traceroute 10.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 10.1.1.1

  1 192.168.1.1 64 msec 64 msec 60 msec

Site-C-R-#traceroute 20.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 20.1.1.1

  1 192.168.1.2 56 msec 64 msec 60 msec



Site-D-R-(config)#interface tunnel 1
Site-D-R-(config-if)#ip address 192.168.1.4 255.255.255.0
Site-D-R-(config-if)#tunnel source 4.4.4.1
Site-D-R-(config-if)#tunnel mode gre multipoint
Site-D-R-(config-if)#ip nhrp network-id 4
Site-D-R-(config-if)#ip nhrp map 192.168.1.1 1.1.1.1
Site-D-R-(config-if)#ip nhrp nhs 192.168.1.1
Site-D-R-(config-if)#ip nhrp map multicast 1.1.1.1
Site-D-R-(config-if)#exit

Site-D-R-#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.1.4/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 4.4.4.1
  Tunnel protocol/transport multi-GRE/IP


Site-D-R-(config)#router eigrp 1
Site-D-R-(config-router)#network 192.168.1.0
Site-D-R-(config-router)#network 40.0.0.0
Site-D-R-(config-router)#exit

Site-D-R-(config)#interface tunnel 1
Site-D-R-(config-if)#ip nhrp shortcut
Site-D-R-(config-if)#exit
Site-D-R-(config)#end






Site-D-R-#traceroute 10.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 10.1.1.1

  1 192.168.1.1 56 msec 52 msec 72 msec


Site-D-R-#traceroute 20.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 20.1.1.1

  1 192.168.1.1 56 msec 64 msec 56 msec
  2 192.168.1.2 128 msec 116 msec 100 msec


Site-D-R-#traceroute 30.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.1.1 56 msec 60 msec 72 msec
  2 192.168.1.3 128 msec 144 msec92 msec




What is SVTI Virtual Tunnel Interface? How to configure IPsec Static virtual tunnel?

Internetworks

 

The virtual tunnel is also called native IPsec, VTI does the same job that GRE with IPsec does. They both encrypt the tunnel with IPsec. VTI removed the additional 4 bytes GRE header, thus reducing the bandwidth for sending encrypted data. VTI allows to configuration of ACL, NAT, and QoS. remember the default mode for a tunnel is GRE you have to define the mode IPsec IPv4 to configure the SVTI tunnel. 

There are two types of VTI (Virtual Tunnel Interface)

1.      Static Virtual Tunnel Interface

2.      Dynamic Virtual Tunnel Interface


configuration for SVTI is very simple we do not need to define interesting (ACL) traffic. configuration same just like we configure GRE with IPsec but with a small difference, we have to define the tunnel mode. 

let's see the topology:-



  • configure the topology as per the diagram 
  • assign the IP addresses as per the topology 
  • configure static and default route 
  • configure tunnel between Site-A-R to Site-B-R 
  • configure EIGRP advertise tunnel interface and LAN network on both sites
  • configure IPsec and apply on the tunnel interface 
  • make sure data will encrypt 


Site-A-router(config)#interface serial 4/0
Site-A-router(config-if)#ip address 1.1.1.1 255.0.0.0
Site-A-router(config-if)#no shutdown
Site-A-router(config-if)#exit

Site-A-router(config)#interface fastEthernet 0/0
Site-A-router(config-if)#ip address 10.1.1.1 255.0.0.0
Site-A-router(config-if)#no shutdown
Site-A-router(config-if)#exit

INTERNET(config)#interface serial 4/0
INTERNET(config-if)#ip address 1.1.1.2 255.0.0.0
INTERNET(config-if)#no shutdown
INTERNET(config-if)#exit

INTERNET(config)#interface serial 4/1
INTERNET(config-if)#ip address 3.3.3.1 255.0.0.0
INTERNET(config-if)#no shutdown
INTERNET(config-if)#exit

INTERNET(config)#interface serial 4/2
INTERNET(config-if)#ip address 4.4.4.1 255.0.0.0
INTERNET(config-if)#no shutdown
INTERNET(config-if)#exit

Site-B-router(config)#interface serial 4/1
Site-B-router(config-if)#ip address 3.3.3.2 255.0.0.0
Site-B-router(config-if)#no shutdown
Site-B-router(config-if)#exit

Site-B-router(config)#interface fastEthernet 0/0
Site-B-router(config-if)#ip address 30.1.1.1 255.0.0.0
Site-B-router(config-if)#no shutdown
Site-B-router(config-if)#exit

Site-C-router(config)#interface serial 4/2
Site-C-router(config-if)#ip address 4.4.4.2 255.0.0.0
Site-C-router(config-if)#no shutdown
Site-C-router(config-if)#exit

Site-C-router(config)#interface fastEthernet 0/0
Site-C-router(config-if)#ip address 40.1.1.1 255.0.0.0
Site-C-router(config-if)#no shutdown
Site-C-router(config-if)#exit

Site-A-router(config)#do show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up

INTERNET(config-if)#do show ip int br
Interface                  IP-Address      OK? Method Status                Protocol

Serial4/0                  1.1.1.2         YES manual up                    up
Serial4/1                  3.3.3.1         YES manual up                    up
Serial4/2                  4.4.4.1         YES manual up                    up

Site-B-router#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/1                  3.3.3.2         YES manual up                    up

Site-C-router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            40.1.1.1        YES manual up                    up
Serial4/2                  4.4.4.2         YES manual up                    up



Site-A-router(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2

INTERNET(config)#ip route 10.0.0.0 255.0.0.0 1.1.1.1
INTERNET(config)#ip route 30.0.0.0 255.0.0.0 3.3.3.2

Site-B-router(config)#ip route 0.0.0.0 0.0.0.0 3.3.3.1


Site-A-router(config)#do trace 30.1.1.1

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 1.1.1.2 16 msec 48 msec 20 msec
  2 3.3.3.2 68 msec 60 msec 64 msec

Site-A-router(config)#interface tunnel 1234
Site-A-router(config-if)#ip address 192.168.123.1 255.255.255.0
Site-A-router(config-if)#ip mtu 1400
Site-A-router(config-if)#ip tcp adjust-mss 1360
Site-A-router(config-if)#tunnel source 1.1.1.1
Site-A-router(config-if)#tunnel destination 3.3.3.2
Site-A-router(config-if)#exit

Site-B-router(config)#interface tunnel 123
Site-B-router(config-if)#ip address 192.168.123.2 255.255.255.0
Site-B-router(config-if)#ip mtu 1400
Site-B-router(config-if)#ip tcp adjust-mss 1360
Site-B-router(config-if)#tunnel source 3.3.3.2
Site-B-router(config-if)#tunnel destination 1.1.1.1
Site-B-router(config-if)#exit

Site-A-router(config)#router eigrp 123
Site-A-router(config-router)#network 192.168.123.0
Site-A-router(config-router)#network 10.0.0.0
Site-A-router(config-router)#no auto-summary
Site-A-router(config-router)#exit

Site-B-router(config)#router eigrp 123
Site-B-router(config-router)#network 192.168.123.0
Site-B-router(config-router)#network 30.0.0.0
Site-B-router(config-router)#no auto-summary
Site-B-router(config-router)#exit


*Jan 11 12:20:47.079: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel1234) is up:new adjacency

*Jan 11 12:20:47.747: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1(Tunnel123) is up: new adjacency


Site-A-router#show ip eigrp neighbors
IP-EIGRP neighbors for process 123
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.123.2           Tu1234            11 00:01:26   66  1362  0  5

Site-B-router#show ip eigrp neighbors
IP-EIGRP neighbors for process 123
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.123.1           Tu123             11 00:01:02   67  1362  0  4





Site-B-router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 3.3.3.1 to network 0.0.0.0
C    192.168.123.0/24 is directly connected, Tunnel123
C    3.0.0.0/8 is directly connected, Serial4/1
D    10.0.0.0/8 [90/26882560] via 192.168.123.1, 00:01:11, Tunnel123
C    30.0.0.0/8 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 3.3.3.1



Site-A-router(config)#crypto isakmp policy 123
Site-A-router(config-isakmp)#authentication pre-share
Site-A-router(config-isakmp)#hash sha
Site-A-router(config-isakmp)#group 5
Site-A-router(config-isakmp)#encryption aes
Site-A-router(config-isakmp)#exit

Site-A-router(config)#crypto isakmp key 0 internet address 3.3.3.2

Site-B-router(config)#crypto isakmp policy 123
Site-B-router(config-isakmp)#authentication pre-share
Site-B-router(config-isakmp)#hash sha
Site-B-router(config-isakmp)#group 5
Site-B-router(config-isakmp)#encryption aes
Site-B-router(config-isakmp)#exit

Site-B-router(config)#crypto isakmp key 0 internet address 1.1.1.1

Site-A-router(config)#crypto ipsec transform-set TRANS-SET esp-aes esp-sha-hmac
Site-A-router(cfg-crypto-trans)#mode ?
  transport  transport (payload encapsulation) mode
  tunnel     tunnel (datagram encapsulation) mode
Site-A-router(cfg-crypto-trans)#mode tunnel
Site-A-router(cfg-crypto-trans)#exit


Site-B-router(config)#crypto ipsec transform-set TRANS-SET esp-aes esp-sha-hmac
Site-B-router(cfg-crypto-trans)#mode tunnel
Site-B-router(cfg-crypto-trans)#exit

Site-A-router(config)#crypto ipsec profile SVTI
Site-A-router(ipsec-profile)#set transform-set TRANS-SET
Site-A-router(ipsec-profile)#exit

Site-B-router(config)#crypto ipsec profile SVTI
Site-B-router(ipsec-profile)#set transform-set TRANS-SET
Site-B-router(ipsec-profile)#exit

Site-A-router(config)#interface tunnel 1234
Site-A-router(config-if)#tunnel protection ipsec profile SVTI
Site-A-router(config-if)#tunnel mode ipsec ipv4
Site-A-router(config-if)#end

Site-B-router(config)#interface tunnel 123
Site-B-router(config-if)#tunnel protection ipsec profile SVTI
Site-B-router(config-if)#tunnel mode ipsec ipv4
Site-B-router(config-if)#exit

Site-A-router#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial4/0                        1.1.1.1         YES manual up                    up
Tunnel1234                 192.168.123.1   YES manual up                up

Site-B-router#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/1                        3.3.3.2         YES manual up                    up
Tunnel123                  192.168.123.2   YES manual up                 up

Site-A-router#show interfaces tunnel 1234
Tunnel1234 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.123.1/24
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1, destination 3.3.3.2
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "SVTI")




Site-B-router#show interfaces tunnel 123
Tunnel123 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.123.2/24
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 3.3.3.2, destination 1.1.1.1
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "SVTI")


Site-A-router#traceroute 30.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.123.2 44 msec 68 msec 60 msec



Site-A-router#show crypto ipsec sa

interface: Tunnel1234
    Crypto map tag: Tunnel1234-head-0, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 3.3.3.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 30, #pkts encrypt: 30, #pkts digest: 30
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     


Site-B-router#ping 10.1.1.1 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 44/62/80 ms



Site-B-router#show crypto ipsec sa

interface: Tunnel123
    Crypto map tag: Tunnel123-head-0, local addr 3.3.3.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1250, #pkts encrypt: 1250, #pkts digest: 1250
    #pkts decaps: 1251, #pkts decrypt: 1251, #pkts verify: 1251
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 3.3.3.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1
     current outbound spi: 0x452C1DB(72532443)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x591B0BB3(1494944691)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4478462/2938)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x452C1DB(72532443)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4478462/2938)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (3.3.3.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 3.3.3.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1
     current outbound spi: 0xE345F7FE(3813013502)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9FEF2C28(2683251752)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4533007/2960)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE345F7FE(3813013502)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4533007/2960)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


How to configure Encrypted GRE Tunnel with IPsec ESP security?

Internetworks



When do we use the GRE? 

GRE is used when packets need to be sent from one network to another over the internet.

 

Generic Routing Encapsulation (GRE) is a network tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links or point-to-multipoint links over an Internet Protocol network. GRE tunnels also allow unicast, multicast, and broadcast traffic between routers but there is a problem with GRE tunnels it is clear text and GRE does not provide good-grade protection. However, we can encrypt the complete GRE tunnel with IPsec security which provides good-grade security.


let's see the configuration of the Encrypt GRE tunnel. 

Topology:- https://youtu.be/5_sfxQGPlg0?si=D4x3RWf8AoZHGvSY






(As you can see from the topology above here, we have 3 Sites, to encrypt the tunnel you have to configure the GRE tunnel first, So first we configure the GRE tunnel between Site-A to Site-B and Site-A to Site-C, after establishing the GRE tunnels we will encrypt the entire tunnel with IPsec ESP between Site-A to Site-B only.) 


GOAL: Youtube

  • Configure the topology as per the diagram 
  • Assign the IP addresses as per the topology
  • Configure default route at Site-A, Site-B and Site-C
  • Configure static routing on router 2 which is acting as an internet router
  • Configure the GRE tunnel between Site-A to Site-B, the IP address of the tunnel will be 192.168.123.0/24
  • Configure EIGRP on Site-A and Site-B and advertise LAN network and tunnel IP
  • Verify the tunnel with show commands and trace commands to make sure data will travel in the tunnel created. 
  • Same way configure the GRE tunnel for Site-C and remember we encrypt the entire tunnel only for Site-A to Site-B not for Site-C. 
  • After establishing the GRE tunnel, 
  • Configure IPsec and apply the tunnel protection IPsec profile on the tunnel interface. 
  • Make sure the entire tunnel will encrypt data. 



  • Assign the IP addresses as per the topology



SITE-A-router(config)#interface serial 4/0
SITE-A-router(config-if)#ip address 1.1.1.1 255.0.0.0
SITE-A-router(config-if)#no shutdown
SITE-A-router(config-if)#exit

SITE-A-router(config)#interface fastethernet 0/0
SITE-A-router(config-if)#ip address 10.1.1.1 255.0.0.0
SITE-A-router(config-if)#no shutdown
SITE-A-router(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 3.3.3.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/2
R2(config-if)#ip address 4.4.4.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

SITE-B-router(config)#interface serial 4/1
SITE-B-router(config-if)#ip address 3.3.3.2 255.0.0.0
SITE-B-router(config-if)#no shutdown
SITE-B-router(config-if)#exit

SITE-B-router(config)#interface fastethernet 0/0
SITE-B-router(config-if)#ip address 30.1.1.1 255.0.0.0
SITE-B-router(config-if)#no keepalive
SITE-B-router(config-if)#no shutdown
SITE-B-router(config-if)#exit

SITE-C-router(config)#interface serial 4/2
SITE-C-router(config-if)#ip address 4.4.4.2 255.0.0.0
SITE-C-router(config-if)#no shutdown
SITE-C-router(config-if)#exit

SITE-C-router(config)#interface fastethernet 0/0
SITE-C-router(config-if)#ip address 40.1.1.1 255.0.0.0
SITE-C-router(config-if)#no keepalive
SITE-C-router(config-if)#no shutdown
SITE-C-router(config-if)#exit

  • Configure default route at Site-A, Site-B and Site-C


SITE-A-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0

SITE-B-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1

SITE-C-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2

  • Configure static routing on router 2 which is acting as an internet router


internet(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0
internet(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1
internet(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2




SITE-A-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/0

SITE-B-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/1

SITE-C-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/2



  • Configure the GRE tunnel between Site-A to Site-B, the IP address of the tunnel will be 192.168.123.0/24


SITE-A-router(config)#interface tunnel 123
SITE-A-router(config-if)#ip address 192.168.123.1 255.255.255.0
SITE-A-router(config-if)#ip mtu 1400
SITE-A-router(config-if)#ip tcp adjust-mss 1360
SITE-A-router(config-if)#tunnel source 1.1.1.1
SITE-A-router(config-if)#tunnel destination 3.3.3.2
SITE-A-router(config-if)#exit

*Jan  5 14:54:33.579: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel124,changed state to up

SITE-B-router(config)#interface tunnel 123
SITE-B-router(config-if)#ip address 192.168.123.2 255.255.255.0
SITE-B-router(config-if)#ip mtu 1400
SITE-B-router(config-if)#ip tcp adjust-mss 1360
SITE-B-router(config-if)#tunnel source 3.3.3.2
SITE-B-router(config-if)#tunnel destination 1.1.1.1
SITE-B-router(config-if)#exit

*Jan  5 14:44:06.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel123,changed state to up


SITE-A-router#show ip interface brief | ex unass
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual down              up                                                                                                                                    
Serial4/0                       1.1.1.1         YES manual up                    up                                                                                                                                     
Tunnel123                  192.168.123.1   YES manual up                up 


  • Configure EIGRP on Site-A and Site-B and advertise LAN network and tunnel IP


SITE-A-router(config)#router eigrp 123
SITE-A-router(config-router)#network 10.0.0.0
SITE-A-router(config-router)#network 192.168.123.0
SITE-A-router(config-router)#no auto-summary
SITE-A-router(config-router)#exit

*Jan  5 14:45:42.327: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel123) is up: new adjacency

*Jan  5 14:45:54.175: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel123) is resync: peer graceful-restart


SITE-B-router(config)#router eigrp 123
SITE-B-router(config-router)#network 30.0.0.0
SITE-B-router(config-router)#network 192.168.123.0
SITE-B-router(config-router)#no auto-summary
SITE-B-router(config-router)#exit

*Jan  5 14:45:53.559: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1(Tunnel123) is resync: summary configured

*Jan  5 14:45:41.811: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1 (Tunnel123) is up: new adjacency

SITE-A-router#ping 30.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/60/64 ms


  • Verify the tunnel with show commands and trace commands to make sure data will travel in the tunnel created. 

SITE-A-router#traceroute 30.1.1.1

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.123.2 56 msec 64 msec 56 msec



SITE-A-router#traceroute 40.1.1.1

Type escape sequence to abort.
Tracing the route to 40.1.1.1

  1 1.1.1.2 52 msec 32 msec 36 msec
  2 4.4.4.2 56 msec 64 msec 68 msec


Same way configure the GRE tunnel for Site-C and remember we encrypt the entire tunnel only for Site-A to Site-B not for Site-C.


SITE-A-router(config)#interface tunnel 124
SITE-A-router(config-if)#ip address 192.168.124.1 255.255.255.0
SITE-A-router(config-if)#ip mtu 1400
SITE-A-router(config-if)#ip tcp adjust-mss 1360
SITE-A-router(config-if)#tunnel source 1.1.1.1
SITE-A-router(config-if)#tunnel destination 4.4.4.2
SITE-A-router(config-if)#exit

*Jan  5 19:52:36.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel124, changed state to up


SITE-C-router(config)#interface tunnel 124
SITE-C-router(config-if)#ip address 192.168.124.2 255.255.255.0
SITE-C-router(config-if)#ip mtu 1400
SITE-C-router(config-if)#ip tcp adjust-mss 1360
SITE-C-router(config-if)#tunnel source 4.4.4.2
SITE-C-router(config-if)#tunnel destination
SITE-C-router(config-if)#tunnel destination 1.1.1.1
SITE-C-router(config-if)#exit

*Jan  5 19:53:48.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel124, changed state to up

SITE-A-router(config)#router eigrp 123
SITE-A-router(config-router)#network 192.168.124.0
SITE-A-router(config-router)#exit

SITE-C-router(config)#router eigrp 123
SITE-C-router(config-router)#network 192.168.124.0
SITE-C-router(config-router)#network 40.0.0.0
SITE-C-router(config-router)#no auto-summary
SITE-C-router(config-router)#exit



SITE-A-router#show ip interface brief | exclude unass
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial4/0                       1.1.1.1         YES manual up                    up
Tunnel123                  192.168.123.1   YES manual up                    up
Tunnel124                  192.168.124.1   YES manual up                    up



SITE-A-router#traceroute 40.1.1.1

Type escape sequence to abort.
Tracing the route to 40.1.1.1
  1 192.168.124.2 72 msec 48 msec 56 msec

SITE-A-router#traceroute 30.1.1.1
Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.123.2 52 msec 56 msec 64 msec




How to configure IPsec VPN on Cisco ASA Firewall?

Internetworks

 

(Internet Protocol Security) IPSec is a set of protocols developed by the Internet Engineering Task Force (IETF). Internet protocol security (IPsec) is a framework that helps us to protect our IP traffic on the network layer. Why? Because the (internet protocol) IP protocol itself doesn’t have any security features at all. IPsec allows two or more hosts to communicate securely by authenticating and encrypting each IP packet of a communication session. we already discussed in click here




previously that we configured IPsec VPN with routers, in this lab we are going to configure an ASA firewall. I'm using the Cisco Adaptive Security Appliance Software Version 8.4(2). if you are using an older version some of the commands may be different like ikev1 to isakmp. I'm assuming you follow our blogs and are familiar with IKE, if not then click here

IKE (Internet Key Exchange) Phase 1 

The main reason for IKE Phase 1 is to establish security for IKE Phase 2 or IPsec. let's understand Phase 1 in steps 

  • The first step is Negotiation between future neighbors or peers have traffic to be 

Step 1: Negotiation

the neighbor (peer) who has traffic and wants to protect will initiate the INK phase 1 negotiation. Peers will negotiate about the following:

  • Hashing : peers will use a hashing algorithm to verify the integrity and use MD5 or SHA.
  • Authentication: peers have to show their identity to prove who he is. Peers use shared keys or digital certificates.
  • DH (Diffie Hellman) group: DH group determines how strong the key is and how it's used in the exchange process of the key. The higher number means more secure but it takes longer to compute.
  • Lifetime: lifetime means how long does the IKE phase 1 tunnel stand up? The shorter the lifetime means the more secure it is because rebuilding the tunnel means we will also use new keying material. Each vendor uses a different lifetime; a default value is 86400 seconds (1 day).
  • Encryption: algorithm we use for encryption DES, 3DES, or AES.



access-list extended can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. These are the ACLs that use source IP, Destination IP, source port, and Destination port. we can also mention which IP traffic should be allowed or denied. This gives the extended access list the ability to make much more granular decisions when controlling traffic. These uses range from 100-199 and 2000-2699. (it's very important to use extended ACL in IPsec with VPN, the access-list is used to tell the router which traffic is to encrypt.)

crypto isakmp enable this command is used to enable IKE for IPsec function. IKE is enabled by default but if it's disabled then you must enable it with the help of this command. IKE is also called ISAKMP. it's a negotiation protocol that is used to allow two hosts to agree on how to build an IPsec security association. IKE separates negotiation into two Phases. phase 1 is used to create the first tunnel. phase 2 creates the tunnel that protects data. 

Crypto ISAKMP policy internet security association key management protocol policy (ISAKMP). we need to create an ISAKMP policy for the IKE phase 1 negotiation process and define the authentication, encryption, and hash function which is used to control traffic between the VPN endpoints. 


ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults


The crypto isakmp key is a pre-shared key, this feature is used for the authentication method in IKE policy. we must configure a key on each site router and the same key is configured on the other endpoint of the VPN. pre-shared keys must match for successful authentication.

crypto IPsec transform-set transform set combination of algorithms and protocol this going to create a security policy. here we have encapsulation protocol you can choose ESP or AH, encryption DES,3DES, AES, and hashing MD5, SSHA1, SHA2.

R1(config)#crypto ipsec transform-set INTERNETWORKS ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

R1(config)#crypto ipsec transform-set INTERNETWORKS COMp-lzs ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

 6. A crypto map is used to match an ACL that is configured earlier to a peer and other IKE and IPsec features. you have to set the peer and this map is applied on the interface which points toward the IPsec peer. for more information click here 

Topology: - we need to encrypt the traffic 10.0.0.0/8 going to 20.0.0.0/8 and vice versa 





Goal: -

  • configure the topology as per the diagram 
  • configure the IP addresses as per the topology
  • configure gig0 outside on ASA 1 and configure gig1 outside on ASA 2
  • configure Fa0/0 inside on both the ASA 
  • configure the default route on both ASA firewall
  • ensure the connection with the PING 
  • define the traffic that we want to encrypt from 10.0.0.0/8 going to 20.0.0.0/8 and vice versa on both ASA using Extended ACL and name (IP-TRAFFIC) 
  • configure ikve1 phase 1 on both ASA
  • configure Phase 2 on both ASAs
  • make sure traffic will be encrypted with IPsec VPN.

Our Team

  • R.J AnthonyPython programmer / Instructor
  • Edgar C FrancisCCIE Technical Instructor/Network consultant
  • Noel AnthonyNetwork Automation / Instructor
  • J N AnthonyCCNA,CCNP / Instructor
  • Vikram ThakurComputer Hardware and Network Engineer