Pages

Pages

How to configure IPsec VPN site to sites?

 

(Internet Protocol Security) IPsec is a set of protocols developed by the Internet Engineering Task Force (IETF). Internet protocol security (IPsec) is a framework that helps us to protect our IP traffic on the network layer. Why? Because the (internet protocol) IP protocol itself doesn’t have any security features at all. IPsec allows two or more hosts to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session. IPsec allows two or more hosts to communicate with authentication by encrypting each IP packet of its session.


we already discussed IPsec and DMVPN in the previous blogs, so before starting this easy lab we need to look few topics. 




access-list extended can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. These are the ACLs that use source IP, Destination IP, source port, and Destination port. we can also mention which IP traffic should be allowed or denied. This gives the extended access list the ability to make much more granular decisions when controlling traffic. These uses range from 100-199 and 2000-2699. (it's very important to use extended ACL in IPsec with VPN, the access-list is used to tell the router which traffic is to encrypt.)

crypto isakmp enable this command is used to enable IKE for IPsec function. IKE is enabled by default but if it's disabled then you must enable it with the help of this command. IKE is also called ISAKMP. it's a negotiation protocol that is used to allow two hosts to agree on how to build an IPsec security association. IKE separates negotiation into two Phases. phase 1 is used to create the first tunnel. phase 2 creates the tunnel that protects data. 

Crypto ISAKMP policy internet security association key management protocol policy (ISAKMP). we need to create an ISAKMP policy for the IKE phase 1 negotiation process and define the authentication, encryption, and hash function which is used to control traffic between the VPN endpoints. 


ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults


The crypto isakmp key is a pre-shared key, this feature is used for the authentication method in IKE policy. we must configure a key on each site router and the same key is configured on the other endpoint of the VPN. pre-shared keys must match for successful authentication.

crypto IPsec transform-set transform set combination of algorithms and protocol this going to create a security policy. here we have encapsulation protocol you can choose ESP or AH, encryption DES,3DES, AES, and hashing MD5, SSHA1, SHA2.

R1(config)#crypto ipsec transform-set INTERNETWORKS ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

R1(config)#crypto ipsec transform-set INTERNETWORKS COMp-lzs ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

 6. A crypto map is used to match an ACL that is configured earlier to a peer and other IKE and IPsec features. you have to set the peer and this map is applied on the interface which points toward the IPsec peer.

in this lab, we are going to configure IPsec VPN using Cisco IOS and encrypt the traffic from router-1 to r2, r3,r4, and vice versa from fastethernet 0/0. 

let's see the topology: -



  • configure the topology as per the diagram 
  • assign the IP addresses 
  • configure the default route on router 1,2,3,4 and configure the static route of router 5
  • make sure all the routers can ping
  • configure extended ACL 
  • enable crypto ISAKMP
  • configure ISAKMP policy authentication, encryption, DH group, and hash sha
  • configure pre-shared keys and share 
  • configure IPsec transform set 
  • configure lifetimes 
  • configure crypto map 
  • apply crypto map on the interface


R1(config)#Hostname SITE-ONE-ROUTE
SITE-ONE-ROUTE(config)#interface serial 4/0
SITE-ONE-ROUTE(config-if)#ip address 192.168.1.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#exit


SITE-ONE-ROUTE(config)#interface fastethernet 0/0
SITE-ONE-ROUTE(config-if)#ip address 192.168.10.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#no keepalive
SITE-ONE-ROUTE(config-if)#exit

SITE-ONE-ROUTE(config)#interface loopback 1
SITE-ONE-ROUTE(config-if)#ip address 11.1.1.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#exit


SITE-ONE-ROUTE#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.10.1    YES manual up                    up
Serial4/0                      192.168.1.1     YES manual up                    up
Loopback1                  11.1.1.1        YES manual up                    up

R2(config)#interface serial 4/1
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.20.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive
R2(config-if)#exit

R2(config)#interface loopback 1
R2(config-if)#ip address 22.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit


R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.20.1    YES manual up                    up
Serial4/1                  192.168.2.1     YES manual up                    up
Loopback1                  22.1.1.1        YES manual up                    up



R3(config)#interface serial 4/2
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit

R3(config)#interface loopback 1
R3(config-if)#ip address 33.1.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.30.1    YES manual up                    up
Serial4/2                      192.168.3.1     YES manual up                    up
Loopback1                  33.1.1.1        YES manual up                    up


R4(config)#interface serial 4/3
R4(config-if)#ip address 192.168.4.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 192.168.40.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface loopback 1
R4(config-if)#ip address 44.1.1.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#end

R4#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.40.1    YES manual up                    up
Serial4/3                  192.168.4.1     YES manual up                    up
Loopback1                  44.1.1.1        YES manual up                    up



INTERNET-ROUTER(config)#interface serial 4/0
INTERNET-ROUTER(config-if)#ip address 192.168.1.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit

INTERNET-ROUTER(config)#interface serial 4/1
INTERNET-ROUTER(config-if)#ip address 192.168.2.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit

INTERNET-ROUTER(config)#interface serial 4/2
INTERNET-ROUTER(config-if)#ip address 192.168.3.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit

INTERNET-ROUTER(config)#interface serial 4/3
INTERNET-ROUTER(config-if)#ip address 192.168.4.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit
INTERNET-ROUTER(config)#end

INTERNET-ROUTER#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol

Serial4/0                  192.168.1.2     YES manual up                    up
Serial4/1                  192.168.2.2     YES manual up                    up
Serial4/2                  192.168.3.2     YES manual up                    up
Serial4/3                  192.168.4.2     YES manual up                    up




INTERNET-ROUTER(config)#ip route 192.168.1.0 255.255.255.0 192.168.1.1
INTERNET-ROUTER(config)#ip route 192.168.10.0 255.255.255.0 192.168.1.1
INTERNET-ROUTER(config)#ip route 11.1.1.0 255.255.255.0 192.168.1.1

INTERNET-ROUTER(config)#ip route 192.168.2.0 255.255.255.0 192.168.2.1
INTERNET-ROUTER(config)#ip route 192.168.20.0 255.255.255.0 192.168.2.1
INTERNET-ROUTER(config)#ip route 22.1.1.0 255.255.255.0 192.168.2.1

INTERNET-ROUTER(config)#ip route 192.168.3.0 255.255.255.0 192.168.3.1
INTERNET-ROUTER(config)#ip route 192.168.30.0 255.255.255.0 192.168.3.1
INTERNET-ROUTER(config)#ip route 33.1.1.0 255.255.255.0 192.168.3.1

INTERNET-ROUTER(config)#ip route 192.168.4.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#ip route 192.168.40.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#ip route 44.1.1.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#exit

SITE-ONE-ROUTE(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
SITE-ONE-ROUTE(config)#exit

SITE-ONE-ROUTE#show ip route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.1.1.0 is directly connected, Loopback1
C    192.168.1.0/24 is directly connected, Serial4/0
S*   0.0.0.0/0 [1/0] via 192.168.1.2

SITE-ONE-ROUTE#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/62/68 ms

SITE-ONE-ROUTE#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/80 ms

SITE-ONE-ROUTE#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/63/80 ms


SITE-TWO-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2
SITE-TWO-ROUTER(config)#end

SITE-TWO-ROUTER#show ip route

Gateway of last resort is 192.168.2.2 to network 0.0.0.0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.1.1.0 is directly connected, Loopback1
C    192.168.20.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, Serial4/1
S*   0.0.0.0/0 [1/0] via 192.168.2.2

SITE-TWO-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/61/68 ms

SITE-TWO-ROUTER#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/81/100 ms

SITE-TWO-ROUTER#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/89/116 ms


SITE-THREE-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
SITE-THREE-ROUTER(config)#EXIT
SITE-THREE-ROUTER#end

SITE-THREE-ROUTER#show ip route

Gateway of last resort is 192.168.3.2 to network 0.0.0.0
     33.0.0.0/24 is subnetted, 1 subnets
C       33.1.1.0 is directly connected, Loopback1
C    192.168.30.0/24 is directly connected, FastEthernet0/0
C    192.168.3.0/24 is directly connected, Serial4/2
S*   0.0.0.0/0 [1/0] via 192.168.3.2

SITE-THREE-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/68 ms

SITE-THREE-ROUTER#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/80 ms

SITE-THREE-ROUTER#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/63/80 ms

SITE-FOUR-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.4.2
SITE-FOUR-ROUTER(config)#EXIT

SITE-FOUR-ROUTER#show ip route

Gateway of last resort is 192.168.4.2 to network 0.0.0.0
C    192.168.40.0/24 is directly connected, FastEthernet0/0
C    192.168.4.0/24 is directly connected, Serial4/3
     44.0.0.0/24 is subnetted, 1 subnets
C       44.1.1.0 is directly connected, Loopback1
S*   0.0.0.0/0 [1/0] via 192.168.4.2

SITE-FOUR-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/63/72 ms

SITE-FOUR-ROUTER#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/58/64 ms

SITE-FOUR-ROUTER#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/64 ms

SITE-ONE-ROUTE(config)#ip access-list extended INTERNETWORKS
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 92.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 92.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 92.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#exit

SITE-ONE-ROUTE#show access-lists
Extended IP access list INTERNETWORKS
    10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
    20 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
    30 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255



SITE-TWO-ROUTER(config)#ip access-list extended INTERNETWORKS
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#exit

SITE-TWO-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
    20 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
    30 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255




SITE-THREE-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
    10 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
    20 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
    30 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255



SITE-FOUR-ROUTER(config)#ip access-list extended INTERNETWORKS
SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0$0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-FOUR-ROUTER(config-ext-nacl)#exit

SITE-FOUR-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
    10 permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
    20 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
    30 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255


SITE-ONE-ROUTE(config)#crypto isakmp enable

SITE-ONE-ROUTE#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit

SITE-TWO-ROUTER(config)#crypto isakmp enable
SITE-TWO-ROUTER(config)#end

SITE-TWO-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit

SITE-THREE-ROUTER(config)#crypto isakmp enable
SITE-THREE-ROUTER(config)#end

SITE-THREE-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit


SITE-FOUR-ROUTER(config)#crypto isakmp enable
SITE-FOUR-ROUTER(config)#end

SITE-FOUR-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit

SITE-ONE-ROUTE(config)#crypto isakmp policy 10
SITE-ONE-ROUTE(config-isakmp)#authentication pre-share
SITE-ONE-ROUTE(config-isakmp)#encryption aes 256
SITE-ONE-ROUTE(config-isakmp)#hash sha
SITE-ONE-ROUTE(config-isakmp)#group 5
SITE-ONE-ROUTE(config-isakmp)#lifetime 3600
SITE-ONE-ROUTE(config-isakmp)#exit

SITE-TWO-ROUTER(config)#crypto isakmp policy 10
SITE-TWO-ROUTER(config-isakmp)#authentication pre-share
SITE-TWO-ROUTER(config-isakmp)#encryption aes 256
SITE-TWO-ROUTER(config-isakmp)#hash sha
SITE-TWO-ROUTER(config-isakmp)#group 5
SITE-TWO-ROUTER(config-isakmp)#lifetime 3600
SITE-TWO-ROUTER(config-isakmp)#exit

SITE-THREE-ROUTER(config)#crypto isakmp policy 10
SITE-THREE-ROUTER(config-isakmp)#authentication pre-share
SITE-THREE-ROUTER(config-isakmp)#encryption aes 256
SITE-THREE-ROUTER(config-isakmp)#hash sha
SITE-THREE-ROUTER(config-isakmp)#group 5
SITE-THREE-ROUTER(config-isakmp)#lifetime 3600
SITE-THREE-ROUTER(config-isakmp)#exit

SITE-FOUR-ROUTER(config)#crypto isakmp policy 10
SITE-FOUR-ROUTER(config-isakmp)#authentication pre-share
SITE-FOUR-ROUTER(config-isakmp)#encryption aes 256
SITE-FOUR-ROUTER(config-isakmp)#hash sha
SITE-FOUR-ROUTER(config-isakmp)#group 5
SITE-FOUR-ROUTER(config-isakmp)#lifetime 3600
SITE-FOUR-ROUTER(config-isakmp)#exit


SITE-ONE-ROUTE#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit

SITE-TWO-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit

SITE-THREE-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit

SITE-FOUR-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit

SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-ONE-ROUTE(config)#end

SITE-ONE-ROUTE#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      192.168.2.1                                 internetwork.in
                 192.168.3.1                                 internetwork.in
                 192.168.4.1                                 internetwork.in





SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-TWO-ROUTER(config)#end

SITE-TWO-ROUTER#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      192.168.1.1                                 internetwork.in
             192.168.3.1                                 internetwork.in
             192.168.4.1                                 internetwork.in


SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-THREE-ROUTER(config)#end

SITE-THREE-ROUTER#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      192.168.1.1                                 internetwork.in
                 192.168.2.1                                 internetwork.in
                 192.168.4.1                                 internetwork.in



SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-FOUR-ROUTER(config)#end

SITE-FOUR-ROUTER#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      192.168.1.1                                 internetwork.in
                 192.168.2.1                                 internetwork.in
                 192.168.3.1                                 internetwork.in


SITE-ONE-ROUTE(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-ONE-ROUTE(cfg-crypto-trans)#exit

SITE-TWO-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-TWO-ROUTER(cfg-crypto-trans)#exit

SITE-THREE-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-THREE-ROUTER(cfg-crypto-trans)#exit

SITE-FOUR-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-FOUR-ROUTER(cfg-crypto-trans)#exit

SITE-ONE-ROUTE#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },

SITE-TWO-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-THREE-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },

SITE-FOUR-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-ONE-ROUTE(config)#crypto ipsec security-association lifetime seconds 1800
SITE-TWO-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-THREE-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-FOUR-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800



SITE-ONE-ROUTE(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.

SITE-ONE-ROUTE(config)#crypto map CRY-MAP 10 ipsec-isakmp
SITE-ONE-ROUTE(config-crypto-map)#match address INTERNETWORKS
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.2.1
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.3.1
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.4.1
SITE-ONE-ROUTE(config-crypto-map)#set transform-set IPSEC-SET
SITE-ONE-ROUTE(config-crypto-map)#exit


SITE-TWO-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.


SITE-TWO-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
SITE-TWO-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.3.1
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.4.1
SITE-TWO-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-TWO-ROUTER(config-crypto-map)#exit

SITE-THREE-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.


SITE-THREE-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.4.1
SITE-THREE-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-THREE-ROUTER(config-crypto-map)#exit


SITE-FOUR-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.

SITE-FOUR-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.3.1
SITE-FOUR-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-FOUR-ROUTER(config-crypto-map)#exit

SITE-ONE-ROUTE(config)#interface serial 4/0
SITE-ONE-ROUTE(config-if)#crypto map CRY-MAP
SITE-ONE-ROUTE(config-if)#exit


*Oct  6 13:18:16.863: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-TWO-ROUTER(config)#interface serial 4/1
SITE-TWO-ROUTER(config-if)#crypto map CRY-MAP
SITE-TWO-ROUTER(config-if)#exit

*Oct  6 13:18:32.399: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-THREE-ROUTER(config)#interface serial 4/2
SITE-THREE-ROUTER(config-if)#crypto map CRY-MAP
SITE-THREE-ROUTER(config-if)#exit

*Oct  6 13:18:48.283: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-FOUR-ROUTER(config)#interface serial 4/3
SITE-FOUR-ROUTER(config-if)#crypto map CRY-MAP
SITE-FOUR-ROUTER(config-if)#exit

*Oct  6 13:19:04.939: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON



SITE-ONE-ROUTE#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-ONE-ROUTE#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
        Peer = 192.168.2.1
        Peer = 192.168.3.1
        Peer = 192.168.4.1

        Extended IP access list INTERNETWORKS
            access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255

        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                IPSEC-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRY-MAP:
                Serial4/0



SITE-TWO-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-TWO-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
        Peer = 192.168.2.1
        Peer = 192.168.3.1
        Peer = 192.168.4.1
        Peer = 192.168.1.1

        Extended IP access list INTERNETWORKS
            access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255

        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                IPSEC-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRY-MAP:
                Serial4/1



SITE-THREE-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-THREE-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
        Peer = 192.168.1.1
        Peer = 192.168.2.1
        Peer = 192.168.4.1

        Extended IP access list INTERNETWORKS
            access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255

        Current peer: 192.168.1.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                IPSEC-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRY-MAP:
                Serial4/2



SITE-FOUR-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-FOUR-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
        Peer = 192.168.1.1
        Peer = 192.168.2.1
        Peer = 192.168.3.1

        Extended IP access list INTERNETWORKS
            access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255

        Current peer: 192.168.1.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                IPSEC-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRY-MAP:
                Serial4/3


SITE-ONE-ROUTE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
IPv6 Crypto ISAKMP SA



SITE-ONE-ROUTE#ping 192.168.20.1 source 192.168.10.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 44/63/168 ms


SITE-ONE-ROUTE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.2.1     192.168.1.1     QM_IDLE           1001 ACTIVE






No comments:

Post a Comment