How to configure IPsec on GRE Dynamic Virtual-Template interface?

Internetworks
 

Generic Routing Encapsulation (GRE) is a network tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network-layer protocols inside virtual point-to-point or point-to-multipoint links over an IP network. GRE tunnels also carry unicast, multicast, and broadcast traffic between routers, but they have one problem: GRE is clear text and offers no protection of its own. We can, however, encrypt the complete GRE tunnel with IPsec, which provides strong protection. We already configured IPsec with GRE (click here); in this blog we will configure IPsec with a Dynamic Virtual-Template interface.



VTI does the same job as GRE with IPsec: both encrypt the tunnel with IPsec. VTI removes the additional 4-byte GRE header, so less bandwidth is spent on sending encrypted data. VTI allows the configuration of ACLs, NAT, and QoS on the tunnel interface. Remember that the default mode for a tunnel is GRE; you have to set the mode to IPsec IPv4 to configure an SVTI tunnel.
 

Let's see the configuration. In this topology we have the head-office router R1 and the branch routers R3 and R4; R2 is acting as the Internet.

Topology:-


Goal: make sure all the traffic is encrypted with IPsec
  1. Configure the topology as per the diagram
  2. Configure the IP addresses as per the topology
  3. Configure a default route on the head-office and branch routers
  4. Configure the crypto ISAKMP policy
  5. Configure the crypto keyring
  6. Configure the crypto ISAKMP profile
  7. Configure the crypto IPsec transform-set
  8. Configure the crypto IPsec profile
  9. Configure dynamic virtual-template 1 type tunnel
  10. Configure EIGRP 100
  11. Configure tunnel 0 on the branches
  12. Apply the IPsec protection on the virtual tunnel
  13. Make sure all the traffic is encrypted
  14. Verify the configuration with show commands, ping and traceroute

R1(config)#interface serial 3/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit

R1(config)#interface loopback 0
R1(config-if)#ip address  192.168.111.1 255.255.255.0
R1(config-if)#exit


 
R2(config)#interface serial 3/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 3/1
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 3/2
R2(config-if)#ip address 192.168.24.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
 


 
R3(config)#interface serial 3/1
R3(config-if)#ip address 192.168.23.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit

R3(config)#interface loopback 0
R3(config-if)#ip address  192.168.133.1 255.255.255.0
R3(config-if)#exit
 


 
R4(config)#interface serial 3/2
R4(config-if)#ip address 192.168.24.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 192.168.40.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface loopback 0
R4(config-if)#ip address  192.168.144.1 255.255.255.0
R4(config-if)#exit



 
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 3/0


R2(config)#ip route 192.168.10.0 255.255.255.0 serial 3/0
R2(config)#ip route 192.168.30.0 255.255.255.0 serial 3/1
R2(config)#ip route 192.168.40.0 255.255.255.0 serial 3/2
 
R3(config)#ip route 0.0.0.0 0.0.0.0 serial 3/1


R4(config)#ip route 0.0.0.0 0.0.0.0 serial 3/2
 
R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES manual up                    up
Serial3/0              192.168.12.1    YES manual up                    up
Loopback0              192.168.111.1   YES manual up                    up

 
 
R2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Serial3/0              192.168.12.2    YES manual up                    up
Serial3/1              192.168.23.2    YES manual up                    up
Serial3/2              192.168.24.2    YES manual up                    up

 
R3#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.30.1    YES manual up                    up
Serial3/1              192.168.23.1    YES manual up                    up
Loopback0              192.168.133.1   YES manual up                    up

 
R4#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.40.1    YES manual up                    up
Serial3/2              192.168.24.1    YES manual up                    up
Loopback0              192.168.144.1   YES manual up                    up


R1(config)#crypto isakmp policy 11
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 14
R1(config-isakmp)#hash sha256
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit

R1(config)#crypto keyring DVTI-KEYRING
R1(conf-keyring)#pre-shared-key address 192.168.23.1 key INTERNET
R1(conf-keyring)#pre-shared-key address 192.168.24.1 key INTERNET
R1(conf-keyring)#exit

R1(config)#crypto isakmp profile DVTI-ISAKMP
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#keyring DVTI-KEYRING
R1(conf-isa-prof)#match identity address 192.168.23.1
R1(conf-isa-prof)#match identity address 192.168.24.1
R1(conf-isa-prof)#virtual-template 1
R1(conf-isa-prof)#exit

R1(config)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit

R1(config)#crypto ipsec profile DVTI-IPSEC
R1(ipsec-profile)#set transform-set TRANS-SET
R1(ipsec-profile)#exit


R1#show crypto isakmp profile
 
IKEv1 PROFILE DVTI-ISAKMP
Ref Count = 5
   Identities matched are:
    ip-address 192.168.23.1 255.255.255.255
    ip-address 192.168.24.1 255.255.255.255

   Certificate maps matched are:
   keyring(s): DVTI-KEYRING
   trustpoint(s): <all>
   virtual-template: 1


 
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
 
Transform set TRANS-SET: { esp-256-aes esp-sha256-hmac  }
   will negotiate = { Tunnel,  },


R1#show crypto ipsec profile
IPSEC profile DVTI-IPSEC
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANS-SET:  { esp-256-aes esp-sha256-hmac  } ,

        }
 
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,





R3(config)#crypto isakmp policy 11
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 14
R3(config-isakmp)#hash sha256
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#lifetime 3600
R3(config-isakmp)#exit

R3(config)#crypto keyring DVTI-KEYRING
R3(conf-keyring)#pre-shared-key address 192.168.12.1 key INTERNET
R3(conf-keyring)#exit

R3(config)#crypto isakmp profile DVTI-ISAKMP
% A profile is deemed incomplete until it has match identity statements
R3(conf-isa-prof)#keyring DVTI-KEYRING
R3(conf-isa-prof)#match identity address 192.168.12.1
R3(conf-isa-prof)#exit

R3(config)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(cfg-crypto-trans)#exit

R3(config)#crypto ipsec profile DVTI-IPSEC
R3(ipsec-profile)#set transform-set TRANS-SET
R3(ipsec-profile)#exit



R3#show crypto isakmp profile

IKEv1 PROFILE DVTI-ISAKMP
Ref Count = 1
   Identities matched are:
    ip-address 192.168.12.1 255.255.255.255
   Certificate maps matched are:
   keyring(s): DVTI-KEYRING
   trustpoint(s): <all>

R3#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set TRANS-SET: { esp-256-aes esp-sha256-hmac  }
   will negotiate = { Tunnel,  },


R3#show crypto ipsec profile
IPSEC profile DVTI-IPSEC
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANS-SET:  { esp-256-aes esp-sha256-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,




 

R4(config)#crypto isakmp policy 11
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 14
R4(config-isakmp)#hash sha256
R4(config-isakmp)#encryption aes 256
R4(config-isakmp)#lifetime 3600
R4(config-isakmp)#exit

R4(config)#crypto keyring DVTI-KEYRING
R4(conf-keyring)#pre-shared-key address 192.168.12.1 key INTERNET
R4(conf-keyring)#exit

R4(config)#crypto isakmp profile DVTI-ISAKMP
% A profile is deemed incomplete until it has match identity statements
R4(conf-isa-prof)#keyring DVTI-KEYRING
R4(conf-isa-prof)#match identity address 192.168.12.1

R4(conf-isa-prof)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R4(cfg-crypto-trans)#mode tunnel
R4(cfg-crypto-trans)#exit

R4(config)#crypto ipsec profile DVTI-IPSEC
R4(ipsec-profile)#set transform-set TRANS-SET
R4(ipsec-profile)#exit



R4#show crypto isakmp profile

IKEv1 PROFILE DVTI-ISAKMP
Ref Count = 2
   Identities matched are:
    ip-address 192.168.12.1 255.255.255.255
   Certificate maps matched are:
   keyring(s): DVTI-KEYRING
   trustpoint(s): <all>



R4#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set TRANS-SET: { esp-256-aes esp-sha256-hmac  }
   will negotiate = { Tunnel,  },



R4#show crypto ipsec profile
IPSEC profile DVTI-IPSEC
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANS-SET:  { esp-256-aes esp-sha256-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }

R1(config)#interface virtual-template 1 type tunnel
R1(config-if)#ip unnumbered loopback 0
R1(config-if)#tunnel source 192.168.12.1
R1(config-if)#tunnel destination dynamic
R1(config-if)#tunnel protection ipsec profile DVTI-IPSEC
R1(config-if)#no ip split-horizon eigrp 100
R1(config-if)#no ip next-hop-self eigrp 100
R1(config-if)#exit

R1(config)#router eigrp 100
R1(config-router)#network 192.168.10.0
R1(config-router)#network 192.168.111.0
R1(config-router)#no auto-summary
R1(config-router)#exit
 
*Apr  8 12:06:26.907: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Apr  8 12:09:06.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Apr  8 12:09:58.035: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.133.1 (Virtual-Access1) is up: new adjacency
*Apr  8 12:28:57.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Apr  8 12:29:58.979: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.144.1 (Virtual-Access2) is up: new adjacency


R1#show interfaces virtual-template 1
Virtual-Template1 is up, line protocol is down
  Hardware is Virtual Template interface
  Interface is unnumbered. Using address of Loopback0 (192.168.111.1)
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.12.1
  

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.12.1    192.168.24.1    QM_IDLE           1007 ACTIVE
192.168.12.1    192.168.23.1    QM_IDLE           1006 ACTIVE


R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES manual up                    up
Serial3/0              192.168.12.1    YES manual up                    up
Loopback0              192.168.111.1   YES manual up                    up
Virtual-Access1        192.168.111.1   YES unset  up                    up
Virtual-Access2        192.168.111.1   YES unset  up                    up
Virtual-Template1      192.168.111.1   YES unset  up                    down


R3(config)#interface tunnel 0
R3(config-if)#ip unnumbered loopback 0
R3(config-if)#tunnel source serial 3/1
R3(config-if)#tunnel destination 192.168.12.1
R3(config-if)#tunnel protection ipsec profile DVTI-IPSEC
R3(config-if)#no ip split-horizon eigrp 100
R3(config-if)#no ip next-hop-self eigrp 100
R3(config-if)#exit

R3(config)#router eigrp 100
R3(config-router)#network 192.168.30.0
R3(config-router)#network 192.168.133.0
R3(config-router)#no auto-summary
R3(config-router)#exit


*Apr  8 12:09:03.531: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Apr  8 12:07:48.547: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Apr  8 12:08:31.939: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr  8 12:09:57.203: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency


R4(config)#interface tunnel 0
R4(config-if)#ip unnumbered loopback 0
R4(config-if)#tunnel source 192.168.24.1
R4(config-if)#tunnel destination 192.168.12.1
R4(config-if)#tunnel protection ipsec profile DVTI-IPSEC
R4(config-if)#no ip split-horizon eigrp 100
R4(config-if)#no ip next-hop-self eigrp 100
R4(config-if)#exit

R4(config)#router eigrp 100
R4(config-router)#network 192.168.40.0
R4(config-router)#network 192.168.144.0
R4(config-router)#no auto-summary
R4(config-router)#exit
R4(config)#end


R4# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.12.1    192.168.24.1    QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA



*Apr  8 12:28:55.243: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Apr  8 12:28:32.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Apr  8 12:29:58.335: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.111.1 (Tunnel0) is up: new adjacency
*Apr  8 12:26:54.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down


R1#traceroute 192.168.30.1
Type escape sequence to abort.
Tracing the route to 192.168.30.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.133.1 80 msec 60 msec 52 msec

R1#traceroute 192.168.40.1
Type escape sequence to abort.
Tracing the route to 192.168.40.1
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.144.1 56 msec 60 msec 56 msec


R3#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.168.23.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.23.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
   current_peer 192.168.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1487, #pkts encrypt: 1487, #pkts digest: 1487
    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.23.1, remote crypto endpt.: 192.168.12.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/1
     current outbound spi: 0xE987DEF7(3917995767)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x34186AB2(874015410)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: 5, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4337556/3569)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE987DEF7(3917995767)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: 6, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4337556/3569)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:


R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.23.1    192.168.12.1    QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

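Step 13 asks us to make sure all the traffic is encrypted. The following is an added example (my code, not from the post) that reads a show crypto ipsec sa capture such as R3's above and checks what a practitioner looks for: an ACTIVE ESP SA in each direction, the expected transform, anti-replay enabled and non-zero packet counters in both directions. It also reports the PFS setting and notes that a proxy identity with protocol 47 means GRE still runs inside IPsec. The sample text is R3's output above, trimmed to the lines the checker reads; the function names are my own.

```python
"""Audit a Cisco IOS 'show crypto ipsec sa' capture for a healthy tunnel.
Added example; SAMPLE is the post's R3 output trimmed to the lines used."""
import re

SAMPLE = """\
interface: Tunnel0
   local  ident (addr/mask/prot/port): (192.168.23.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.12.1/255.255.255.255/47/0)
    #pkts encaps: 1487, #pkts encrypt: 1487, #pkts digest: 1487
    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.23.1, remote crypto endpt.: 192.168.12.1
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x34186AB2(874015410)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     outbound esp sas:
      spi: 0xE987DEF7(3917995767)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
"""


def _grab(pattern, text, default=None):
    m = re.search(pattern, text)
    return m.group(1) if m else default


def _sa_block(text, direction):
    # Text after '<direction> esp sas:' up to the next '... sas:' header.
    pat = rf"{direction} esp sas:\n(.*?)(?=\n\s*(?:inbound|outbound) \w+ sas:|\Z)"
    m = re.search(pat, text, re.S)
    return m.group(1) if m else ""


def _parse_sa(block):
    if not block.strip():
        return None  # no SA negotiated in this direction
    return {
        "spi": _grab(r"spi: (0x[0-9A-Fa-f]+)", block),
        "transform": _grab(r"transform: (.+?) ,", block),
        "mode": _grab(r"in use settings =\{(\w+)", block),
        "replay": _grab(r"replay detection support: (\w)", block),
        "status": _grab(r"Status: (\w+)", block),
    }


def parse_ipsec_sa(text):
    """Pull the fields an audit needs out of one interface's SA listing."""
    return {
        "interface": _grab(r"interface: (\S+)", text),
        "local": _grab(r"local crypto endpt\.: ([\d.]+)", text),
        "remote": _grab(r"remote crypto endpt\.: ([\d.]+)", text),
        # protocol field of the local proxy identity: 47 = GRE inside IPsec
        "ident_proto": int(_grab(r"local\s+ident \([^)]*\): \([\d.]+/[\d.]+/(\d+)/", text, "0")),
        "encaps": int(_grab(r"#pkts encaps: (\d+)", text, "0")),
        "decaps": int(_grab(r"#pkts decaps: (\d+)", text, "0")),
        "send_errors": int(_grab(r"#send errors (\d+)", text, "0")),
        "recv_errors": int(_grab(r"#recv errors (\d+)", text, "0")),
        "pfs": _grab(r"PFS \(Y/N\): (\w)", text),
        "inbound": _parse_sa(_sa_block(text, "inbound")),
        "outbound": _parse_sa(_sa_block(text, "outbound")),
    }


def audit(sa, expected_transform="esp-256-aes esp-sha256-hmac"):
    """Return (severity, message) findings. No FAIL means traffic is being
    encrypted in both directions with the transform we intended."""
    out = []
    for d in ("inbound", "outbound"):
        s = sa[d]
        if s is None:
            out.append(("FAIL", f"{d}: no ESP SA, traffic is not protected"))
            continue
        if s["status"] != "ACTIVE":
            out.append(("FAIL", f"{d}: SA status {s['status']}, expected ACTIVE"))
        if s["transform"] != expected_transform:
            out.append(("FAIL", f"{d}: negotiated {s['transform']}, expected {expected_transform}"))
        if s["replay"] != "Y":
            out.append(("WARN", f"{d}: anti-replay disabled"))
    if sa["encaps"] == 0 or sa["decaps"] == 0:
        out.append(("FAIL", "no packets encrypted/decrypted yet, check routing over the tunnel"))
    if sa["send_errors"] or sa["recv_errors"]:
        out.append(("WARN", f"{sa['send_errors']} send / {sa['recv_errors']} recv errors"))
    if sa["pfs"] != "Y":
        out.append(("WARN", "PFS off: 'set pfs group14' in the IPsec profile gives each rekey a fresh DH exchange"))
    if sa["ident_proto"] == 47:
        out.append(("INFO", "proxy identity is protocol 47: GRE runs inside IPsec (tunnel mode is still GRE)"))
    return out


def tunnel_ok(text, expected_transform="esp-256-aes esp-sha256-hmac"):
    return not any(sev == "FAIL" for sev, _ in audit(parse_ipsec_sa(text), expected_transform))


if __name__ == "__main__":
    for sev, msg in audit(parse_ipsec_sa(SAMPLE)):
        print(f"[{sev}] {msg}")
```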
What is IKEv2? How to configure IKEv2?

Internet Key Exchange (IKE) is used by IPsec to establish security parameters between two sites. IKE lets us securely exchange the keys used for encryption and authentication over the Internet. In the previous blog we discussed IKE (click here).

IKEv2 phase 2 is also known as child mode. The IKEv2 initiator sends a CREATE_CHILD_SA request containing a list of acceptable proposals for the child SA.

 R3#show crypto ikev2 session
 IPv4 Crypto IKEv2 Session
 
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
 
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.31.1/500      192.168.123.1/500     none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2923 sec
Child sa:
local selector  192.168.30.0/0 - 192.168.30.255/65535
          remote selector 192.168.10.0/0 - 192.168.10.255/65535
          ESP spi in/out: 0xCF0FA2FE/0x5AAC2F32
 
 IPv6 Crypto IKEv2 Session






The attributes that can be negotiated include the following:

Protocol (AH or ESP): AH and ESP are the two protocols we use to protect user data. Both of them can be used in transport or tunnel mode; let's see all the possible options.

Encapsulation mode (tunnel or transport): transport mode is very simple, it just adds an AH header right after the IP header. Here's an example of an IP packet that carries some TCP traffic:

Encryption algorithm (for example DES, 3DES, or AES)

Authentication algorithm (for example HMAC-MD5 or HMAC-SHA): each peer has to prove its identity to the other. Peers use pre-shared keys or digital certificates.

Diffie-Hellman group (for example group 1, group 2, group 5, or group 14): the DH group determines how strong the key is and how it is used during the key exchange. A higher number is more secure but takes longer to compute.


In GNS3, IKEv2 is supported from IOS 15.1.1T.

 


Configuring IKEv2 is simple, only 8 steps:-
  1. Interesting traffic (ACL)
  2. IKEv2 Proposal
  3. IKEv2 Policy 
  4. IKEv2 Keyring
  5. IKEv2 Profile
  6. IPsec Transform set
  7. Crypto map
  8. Apply Map on an interface



Let's see the configuration:-

Topology:-




Goal: 

  • Configure the topology as per the diagram
  • Configure the IP addresses as per the topology
  • Configure an ACL that permits the Fa0/0 traffic
  • Configure the IKEv2 proposal
  • Configure the IKEv2 policy
  • Configure the IKEv2 keyring
  • Configure the IKEv2 profile
  • Configure the transform set
  • Configure the crypto map
  • Apply the crypto map on an interface
  • Verify with show commands and ping



R1(config)#interface serial 3/0
R1(config-if)#ip address 192.168.123.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit

R1(config)#ip route 0.0.0.0 0.0.0.0 serial 3/0


R2(config)#interface serial 3/0
R2(config-if)#ip address 192.168.123.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 3/1
R2(config-if)#ip address 192.168.31.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#ip route 192.168.10.0 255.255.255.0 serial 3/0
R2(config)#ip route 192.168.30.0 255.255.255.0 serial 3/1



R3(config)#interface serial 3/1
R3(config-if)#ip address 192.168.31.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit

R3(config)#ip route 0.0.0.0 0.0.0.0 serial 3/1


R1(config)#do ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/59/72 ms

 

R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES manual up                    up
Serial3/0              192.168.123.1   YES manual up                    up

R3(config)#do ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/64/76 ms


 
R3#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.30.1    YES manual up                    up
Serial3/1              192.168.31.1    YES manual up                    up





R3#show ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
 
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 
S*    0.0.0.0/0 is directly connected, Serial3/1
 


Interesting traffic (ACL)



R1(config)#ip access-list extended ACL-TRAFFIC
R1(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R1(config-ext-nacl)#exit
 
R1#show access-lists
Extended IP access list ACL-TRAFFIC
    10 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 (6 matches)

 

R3(config)#ip access-list extended ACL-TRAFFIC
R3(config-ext-nacl)# permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
R3(config-ext-nacl)#exit

R3#show access-list
Extended IP access list ACL-TRAFFIC
    10 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 (9 matches)



IKEv2 Proposal



R1(config)#crypto ikev2 proposal IKEV2-PROPOSAL
IKEv2 proposal MUST have atleast an encryption algorithm, an integrity algorithm and a dh group configured
R1(config-ikev2-proposal)# encryption 3des aes-cbc-128 aes-cbc-256
R1(config-ikev2-proposal)# integrity sha1 sha256 sha384 sha512
R1(config-ikev2-proposal)# group 5 2 14 15
R1(config-ikev2-proposal)#exit
R1(config)#exit
 
R1#show crypto ikev2 proposal
 IKEv2 proposal: IKEV2-PROPOSAL
     Encryption : 3DES AES-CBC-128 AES-CBC-256
     Integrity  : SHA96 SHA256 SHA384 SHA512
     PRF        : SHA1 SHA256 SHA384 SHA512
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
 DH_GROUP_2048_MODP/Group 14 DH_GROUP_3072_MODP/Group 15
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2



R3(config)#crypto ikev2 proposal IKEV2-PROPOSAL
IKEv2 proposal MUST have atleast an encryption algorithm, an integrity algorithm and a dh group configured
R3(config-ikev2-proposal)# encryption 3des aes-cbc-128 aes-cbc-256
R3(config-ikev2-proposal)# integrity sha1 sha256 sha384 sha512
R3(config-ikev2-proposal)# group 5 2 14 15
R3(config-ikev2-proposal)#exit
 
 
R3#show crypto ikev2 proposal
 IKEv2 proposal: IKEV2-PROPOSAL
     Encryption : 3DES AES-CBC-128 AES-CBC-256
     Integrity  : SHA96 SHA256 SHA384 SHA512
     PRF        : SHA1 SHA256 SHA384 SHA512
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2 DH_GROUP_2048_MODP/Group 14 DH_GROUP_3072_MODP/Group 15

 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2




IKEv2 Policy 




R1(config)#crypto ikev2 policy IKEV2-POLICY
IKEv2 policy MUST have atleast one complete proposal attached
R1(config-ikev2-policy)# proposal IKEV2-PROPOSAL
R1(config-ikev2-policy)#exit
R1(config)#
 
 
R1#show crypto ikev2 policy
 
 IKEv2 policy : IKEV2-POLICY
      Match fvrf  : global
      Match address local : any
      Proposal    : IKEV2-PROPOSAL

 
 IKEv2 policy : default
      Match fvrf : any
      Match address local : any
      Proposal    : default




R3(config)#crypto ikev2 policy IKEV2-POLICY
IKEv2 policy MUST have atleast one complete proposal attached
R3(config-ikev2-policy)# proposal IKEV2-PROPOSAL
R3(config-ikev2-policy)#exit
 
 
R3#show crypto ikev2 policy
 
 IKEv2 policy : IKEV2-POLICY
      Match fvrf  : global
      Match address local : any
      Proposal    : IKEV2-PROPOSAL

 
 IKEv2 policy : default
      Match fvrf : any
      Match address local : any
      Proposal    : default



IKEv2 Keyring





R1(config)#crypto ikev2 keyring IKEV2-KEYRING
R1(config-ikev2-keyring)# peer R3
R1(config-ikev2-keyring-peer)#  address 192.168.31.1
R1(config-ikev2-keyring-peer)#  pre-shared-key local internet
R1(config-ikev2-keyring-peer)#  pre-shared-key remote internet
R1(config-ikev2-keyring-peer)# exit
R1(config-ikev2-keyring)#exit



R3(config)#crypto ikev2 keyring IKEV2-KEYRING
R3(config-ikev2-keyring)# peer R1
R3(config-ikev2-keyring-peer)#  address 192.168.123.1
R3(config-ikev2-keyring-peer)#  pre-shared-key local internet
R3(config-ikev2-keyring-peer)#  pre-shared-key remote internet
R3(config-ikev2-keyring-peer)# exit
R3(config-ikev2-keyring)#exit



IKEv2 Profile




R1(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.

R1(config-ikev2-profile)#match identity remote address 192.168.31.1 255.255.255.255
R1(config-ikev2-profile)# authentication remote pre-share
R1(config-ikev2-profile)# authentication local pre-share
R1(config-ikev2-profile)# keyring local IKEV2-KEYRING
R1(config-ikev2-profile)#exit
 
R1#show crypto ikev2 profile IKEV2-PROFILE
 
IKEv2 profile: IKEV2-PROFILE
 Ref Count: 2
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.31.1 255.255.255.255

  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share

 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none




R3(config)#crypto ikev2 profile IKEV2-PROFILE
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate statement.

R3(config-ikev2-profile)#match identity remote address 192.168.123.1 255.255.255.255
R3(config-ikev2-profile)# authentication remote pre-share
R3(config-ikev2-profile)# authentication local pre-share
R3(config-ikev2-profile)# keyring local IKEV2-KEYRING
R3(config-ikev2-profile)#exit
 
R3#show crypto ikev2 profile IKEV2-PROFILE
 
IKEv2 profile: IKEV2-PROFILE
 Ref Count: 2
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 192.168.123.1 255.255.255.255

  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share

 EAP options: none
 Keyring: IKEV2-KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none


Transform-set




R1(config)#crypto ipsec transform-set TRANS-set esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit
 
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

 
Transform set TRANS-set: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },



R3(config)#crypto ipsec transform-set TRANS-set esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#exit
 
 
R3#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

 
Transform set TRANS-set: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },



Crypto Map


R1(config)#crypto map CRYPTO-MAP 11 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.

R1(config-crypto-map)# set peer 192.168.31.1
R1(config-crypto-map)# set transform-set TRANS-set
R1(config-crypto-map)# set ikev2-profile IKEV2-PROFILE
R1(config-crypto-map)# match address ACL-TRAFFIC
R1(config-crypto-map)#exit


R1#show crypto map
Crypto Map IPv4 "CRYPTO-MAP" 11 ipsec-isakmp
        Peer = 192.168.31.1
        IKEv2 Profile: IKEV2-PROFILE
        Extended IP access list ACL-TRAFFIC
            access-list ACL-TRAFFIC permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
        Current peer: 192.168.31.1
        IKEV2 profile IKEV2-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANS-set:  { esp-3des esp-md5-hmac  } ,
        }
R3(config)#crypto map CRYPTO-MAP 11 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)# set peer 192.168.123.1
R3(config-crypto-map)# set transform-set TRANS-set
R3(config-crypto-map)# set ikev2-profile IKEV2-PROFILE
R3(config-crypto-map)# match address ACL-TRAFFIC
R3(config-crypto-map)#exit
 
 
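
Two things in the configuration just entered are worth checking mechanically rather than by eye: the transform set uses esp-3des and esp-md5-hmac, both deprecated for new IPsec deployments, and IOS keeps a crypto map entry disabled until it has both a peer and an access list (the %NOTE printed above). The script below is an added example, not code from the original post; the two configuration strings repeat the page's own R1 and R3 commands as constructed input, and the function names, the WEAK_TRANSFORMS table and the endpoint addresses handed to peers_reciprocal() are assumptions made for this example.

```python
"""Audit the transform-set and crypto-map configuration of two IPsec peers.
Added example, not part of the original post; names are assumptions."""
import re

# Transforms a reviewer should flag: DES/3DES (64-bit block, short keys) and
# HMAC-MD5 integrity are deprecated; esp-null gives no confidentiality at all.
WEAK_TRANSFORMS = {
    "esp-des": "single DES, 56-bit key",
    "esp-3des": "3DES, 64-bit block cipher",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "esp-null": "no encryption",
}

# R1's commands as typed on the page (constructed input for the checks below).
R1_CONFIG = """\
crypto ipsec transform-set TRANS-set esp-3des esp-md5-hmac
crypto map CRYPTO-MAP 11 ipsec-isakmp
 set peer 192.168.31.1
 set transform-set TRANS-set
 set ikev2-profile IKEV2-PROFILE
 match address ACL-TRAFFIC
"""
# R3's commands differ only in the peer address.
R3_CONFIG = R1_CONFIG.replace("set peer 192.168.31.1", "set peer 192.168.123.1")


def parse_transform_sets(config):
    """Map each transform-set name to its list of transforms."""
    pattern = r"^crypto ipsec transform-set (\S+) (.+)$"
    return {m.group(1): m.group(2).split()
            for m in re.finditer(pattern, config, re.M)}


def parse_crypto_maps(config):
    """Map (map name, sequence) to the settings inside each stanza.
    Stanza lines are indented by one space, running-config style."""
    maps, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^crypto map (\S+) (\d+) ipsec-isakmp", line)
        if head:
            current = {"peer": None, "transform_set": None,
                       "ikev2_profile": None, "acl": None}
            maps[(head.group(1), int(head.group(2)))] = current
            continue
        if not line.startswith(" "):
            current = None          # any unindented line ends the stanza
            continue
        if current is None:
            continue
        tok = line.split()
        if tok[:2] == ["set", "peer"]:
            current["peer"] = tok[2]
        elif tok[:2] == ["set", "transform-set"]:
            current["transform_set"] = tok[2]
        elif tok[:2] == ["set", "ikev2-profile"]:
            current["ikev2_profile"] = tok[2]
        elif tok[:2] == ["match", "address"]:
            current["acl"] = tok[2]
    return maps


def weak_transform_findings(config):
    """(set name, transform, reason) for every deprecated transform in use."""
    return [(name, t, WEAK_TRANSFORMS[t])
            for name, transforms in parse_transform_sets(config).items()
            for t in transforms if t in WEAK_TRANSFORMS]


def crypto_map_problems(config):
    """Entries IOS would leave disabled (no peer or no ACL) or that name a
    transform-set the configuration never defines."""
    defined = parse_transform_sets(config)
    problems = []
    for key, entry in parse_crypto_maps(config).items():
        if entry["peer"] is None:
            problems.append((key, "no peer"))
        if entry["acl"] is None:
            problems.append((key, "no match address"))
        if entry["transform_set"] not in defined:
            problems.append((key, "undefined transform-set"))
    return problems


def peers_reciprocal(cfg_a, addr_a, cfg_b, addr_b, key=("CRYPTO-MAP", 11)):
    """True when each router's 'set peer' is the other router's crypto
    endpoint (the address of the interface the map is applied to)."""
    peer_a = parse_crypto_maps(cfg_a)[key]["peer"]
    peer_b = parse_crypto_maps(cfg_b)[key]["peer"]
    return peer_a == addr_b and peer_b == addr_a


if __name__ == "__main__":
    print("weak transforms:", weak_transform_findings(R1_CONFIG))
    print("crypto map problems:", crypto_map_problems(R1_CONFIG))
    # 192.168.123.1 is R1's Serial3/0 address, 192.168.31.1 is R3's (from the page).
    print("peers reciprocal:",
          peers_reciprocal(R1_CONFIG, "192.168.123.1", R3_CONFIG, "192.168.31.1"))
```

The peer check is the one that catches the most common field mistake: a crypto map whose `set peer` points at an address the other side never uses as its crypto endpoint, which leaves IKEv2 negotiation silently failing.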

Applying the Crypto Map

R1(config)#interface serial 3/0
R1(config-if)#crypto map CRYPTO-MAP
R1(config-if)#exit

*Apr  1 17:15:52.575: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


R1(config)#do ping 192.168.30.1 source fa 0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/69/92 ms
R1(config)#end
R1#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA
 
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.123.1/500     192.168.31.1/500      none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2693 sec
 
 IPv6 Crypto IKEv2  SA


R3(config)#interface serial 3/1
R3(config-if)#crypto map CRYPTO-MAP
R3(config-if)#exit
 
*Apr  1 17:14:39.975: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3#show crypto map interface serial 3/1
        Interfaces using crypto map CRYPTO-MAP:
                Serial3/1


Verify the IKEv2 IPsec

R3#show crypto ikev2 session
 IPv4 Crypto IKEv2 Session
 
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
 
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.31.1/500      192.168.123.1/500     none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2923 sec
Child sa: local selector  192.168.30.0/0 - 192.168.30.255/65535
          remote selector 192.168.10.0/0 - 192.168.10.255/65535
          ESP spi in/out: 0xCF0FA2FE/0x5AAC2F32
 
 IPv6 Crypto IKEv2 Session

 

 
 
R1#ping 192.168.30.1 source 192.168.10.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Success rate is 100 percent (100/100), round-trip min/avg/max = 52/63/112 ms



R1#show crypto ipsec sa
 
interface: Serial3/0
    Crypto map tag: CRYPTO-MAP, local addr 192.168.123.1

 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   current_peer 192.168.31.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104
    #pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 192.168.123.1, remote crypto endpt.: 192.168.31.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial3/0
     current outbound spi: 0xCF0FA2FE(3473908478)
     PFS (Y/N): N, DH group: none
 
     inbound esp sas:
      spi: 0x5AAC2F32(1521233714)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4184586/795)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0xCF0FA2FE(3473908478)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4184586/795)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

 
     outbound ah sas:
 
     outbound pcp sas:
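
The two outputs above are usually checked by eye: the IKEv2 SA is READY, the ESP SPIs pair up across the routers (R3's inbound 0xCF0FA2FE is R1's outbound, R3's outbound 0x5AAC2F32 is R1's inbound), every encapsulated packet was also encrypted and digested, there are no send or receive errors, both ESP SAs are ACTIVE and anti-replay is on. The script below does the same comparison programmatically. It is an added example, not code from the original post; the two excerpts are the page's own output, and the parser and check function names are assumptions made for this example.

```python
"""Cross-check R3's 'show crypto ikev2 session' against R1's
'show crypto ipsec sa'. Added example, not part of the original post."""
import re

# Excerpt of R3's 'show crypto ikev2 session' as shown on the page.
R3_IKEV2_SESSION = """\
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.168.31.1/500      192.168.123.1/500     none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2923 sec
Child sa: local selector  192.168.30.0/0 - 192.168.30.255/65535
          remote selector 192.168.10.0/0 - 192.168.10.255/65535
          ESP spi in/out: 0xCF0FA2FE/0x5AAC2F32
"""

# Excerpt of R1's 'show crypto ipsec sa' as shown on the page.
R1_IPSEC_SA = """\
interface: Serial3/0
    Crypto map tag: CRYPTO-MAP, local addr 192.168.123.1

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   current_peer 192.168.31.1 port 500
    #pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104
    #pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x5AAC2F32(1521233714)
        transform: esp-3des esp-md5-hmac ,
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0xCF0FA2FE(3473908478)
        transform: esp-3des esp-md5-hmac ,
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
"""


def parse_ikev2_session(text):
    """IKE SA status, peer addresses, negotiated proposal and child ESP SPIs."""
    row = re.search(r"^\d+\s+([\d.]+)/\d+\s+([\d.]+)/\d+\s+\S+\s+(\S+)\s*$",
                    text, re.M)
    prop = re.search(r"Encr: (\S+), Hash: (\S+), DH Grp:(\d+)", text)
    spis = re.search(r"ESP spi in/out: (0x[0-9A-Fa-f]+)/(0x[0-9A-Fa-f]+)", text)
    return {"local": row.group(1), "remote": row.group(2), "status": row.group(3),
            "encr": prop.group(1), "hash": prop.group(2),
            "dh_group": int(prop.group(3)),
            "spi_in": int(spis.group(1), 16), "spi_out": int(spis.group(2), 16)}


def parse_ipsec_sa(text):
    """Packet and error counters, ESP SPIs per direction and SA states."""
    def counter(label):
        return int(re.search(r"#" + re.escape(label) + r"[: ]\s*(\d+)", text).group(1))

    def spi(direction):  # the spi line directly follows the '<dir> esp sas:' header
        m = re.search(direction + r" esp sas:\s*spi: (0x[0-9A-Fa-f]+)", text)
        return int(m.group(1), 16)

    return {"encaps": counter("pkts encaps"), "encrypt": counter("pkts encrypt"),
            "decaps": counter("pkts decaps"), "decrypt": counter("pkts decrypt"),
            "send_errors": counter("send errors"), "recv_errors": counter("recv errors"),
            "spi_in": spi("inbound"), "spi_out": spi("outbound"),
            "active_sas": len(re.findall(r"Status: ACTIVE", text)),
            "replay_detection": "replay detection support: Y" in text}


def cross_check(session_text, sa_text):
    """List of problems found when comparing both sides; empty when healthy."""
    s, sa = parse_ikev2_session(session_text), parse_ipsec_sa(sa_text)
    problems = []
    if s["status"] != "READY":
        problems.append("IKEv2 SA is not READY")
    # What one router receives on (spi in) is what the other sends on (spi out).
    if s["spi_in"] != sa["spi_out"] or s["spi_out"] != sa["spi_in"]:
        problems.append("ESP SPIs do not pair up between the two routers")
    if sa["encaps"] != sa["encrypt"] or sa["decaps"] != sa["decrypt"]:
        problems.append("encapsulated and encrypted packet counts differ")
    if sa["send_errors"] or sa["recv_errors"]:
        problems.append("send/recv errors present")
    if sa["active_sas"] != 2:
        problems.append("expected one inbound and one outbound ACTIVE ESP SA")
    if not sa["replay_detection"]:
        problems.append("anti-replay disabled")
    return problems


if __name__ == "__main__":
    print("negotiated IKE proposal:", parse_ikev2_session(R3_IKEV2_SESSION)["encr"])
    print("problems:", cross_check(R3_IKEV2_SESSION, R1_IPSEC_SA))
```

Note that the IKE SA line itself reports Encr: 3DES, so the key exchange, not only the ESP transform set, negotiated the deprecated cipher; the parsed proposal is returned so that a stricter policy can be enforced on it.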
 
 
 

 

 
