IPsec (Internet Protocol Security) is a set of protocols developed by the Internet Engineering Task Force (IETF). It is a framework that protects IP traffic at the network layer. Why? Because the IP protocol itself has no security features at all. IPsec allows two or more hosts to communicate securely by authenticating and encrypting each IP packet of a communication session.
Extended access lists can evaluate many other fields in the layer 3 and layer 4 headers of an IP packet: source IP, destination IP, source port and destination port. We can also specify which IP traffic should be permitted or denied, which gives the extended access list the ability to make much more granular decisions when controlling traffic. Numbered extended ACLs use the ranges 100-199 and 2000-2699. (It is very important to use an extended ACL with an IPsec VPN: the access list tells the router which traffic to encrypt.)
crypto isakmp enable: this command enables IKE for IPsec. IKE is enabled by default, but if it has been disabled you must enable it with this command. IKE is also called ISAKMP. It is a negotiation protocol that lets two hosts agree on how to build an IPsec security association. IKE separates the negotiation into two phases: phase 1 creates the first tunnel, which protects the phase 2 negotiation itself; phase 2 creates the tunnel that protects the data.
crypto isakmp policy: Internet Security Association and Key Management Protocol (ISAKMP) policy. We need to create an ISAKMP policy for the IKE phase 1 negotiation and define the authentication method, encryption and hash function used between the VPN endpoints.
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
crypto isakmp key configures a pre-shared key, which is the authentication method used in the IKE policy. We must configure a key on each site router, and the same key must be configured on the other endpoint of the VPN: the pre-shared keys must match for authentication to succeed.
crypto ipsec transform-set: a transform set is a combination of algorithms and a protocol that together form the security policy for the data tunnel. Here we choose the encapsulation protocol, ESP or AH, the encryption algorithm (DES, 3DES, AES) and the hashing algorithm (MD5, SHA1, SHA2).
R1(config)#crypto ipsec transform-set INTERNETWORKS ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
R1(config)#crypto ipsec transform-set INTERNETWORKS COMp-lzs ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
A crypto map ties the ACL configured earlier to a peer and to the other IKE and IPsec settings. You have to set the peer, and the map is applied on the interface that points toward the IPsec peer.
In this lab we are going to configure an IPsec VPN using Cisco IOS and encrypt the traffic from router 1 to R2, R3 and R4 (and vice versa) leaving FastEthernet 0/0.
Let's see the topology:
- Configure the topology as per the diagram
- Assign the IP addresses
- Configure a default route on routers 1, 2, 3 and 4 and static routes on router 5
- Make sure all the routers can ping each other
- Configure the extended ACL
- Enable crypto ISAKMP
- Configure the ISAKMP policy: authentication, encryption, DH group and hash SHA
- Configure the pre-shared keys and share them with the peers
- Configure the IPsec transform set
- Configure the lifetimes
- Configure the crypto map
- Apply the crypto map on the interface
R1(config)#Hostname SITE-ONE-ROUTE
SITE-ONE-ROUTE(config)#interface serial 4/0
SITE-ONE-ROUTE(config-if)#ip address 192.168.1.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#exit
SITE-ONE-ROUTE(config)#interface fastethernet 0/0
SITE-ONE-ROUTE(config-if)#ip address 192.168.10.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#no keepalive
SITE-ONE-ROUTE(config-if)#exit
SITE-ONE-ROUTE(config)#interface loopback 1
SITE-ONE-ROUTE(config-if)#ip address 11.1.1.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#exit
SITE-ONE-ROUTE#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.1 YES manual up up
Serial4/0 192.168.1.1 YES manual up up
Loopback1 11.1.1.1 YES manual up up
R2(config)#interface serial 4/1
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.20.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive
R2(config-if)#exit
R2(config)#interface loopback 1
R2(config-if)#ip address 22.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.20.1 YES manual up up
Serial4/1 192.168.2.1 YES manual up up
Loopback1 22.1.1.1 YES manual up up
R3(config)#interface serial 4/2
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit
R3(config)#interface loopback 1
R3(config-if)#ip address 33.1.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.30.1 YES manual up up
Serial4/2 192.168.3.1 YES manual up up
Loopback1 33.1.1.1 YES manual up up
R4(config)#interface serial 4/3
R4(config-if)#ip address 192.168.4.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 192.168.40.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit
R4(config)#interface loopback 1
R4(config-if)#ip address 44.1.1.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#end
R4#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.40.1 YES manual up up
Serial4/3 192.168.4.1 YES manual up up
Loopback1 44.1.1.1 YES manual up up
INTERNET-ROUTER(config)#interface serial 4/0
INTERNET-ROUTER(config-if)#ip address 192.168.1.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit
INTERNET-ROUTER(config)#interface serial 4/1
INTERNET-ROUTER(config-if)#ip address 192.168.2.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit
INTERNET-ROUTER(config)#interface serial 4/2
INTERNET-ROUTER(config-if)#ip address 192.168.3.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit
INTERNET-ROUTER(config)#interface serial 4/3
INTERNET-ROUTER(config-if)#ip address 192.168.4.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit
INTERNET-ROUTER(config)#end
INTERNET-ROUTER#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Serial4/0 192.168.1.2 YES manual up up
Serial4/1 192.168.2.2 YES manual up up
Serial4/2 192.168.3.2 YES manual up up
Serial4/3 192.168.4.2 YES manual up up
INTERNET-ROUTER(config)#ip route 192.168.1.0 255.255.255.0 192.168.1.1
INTERNET-ROUTER(config)#ip route 192.168.10.0 255.255.255.0 192.168.1.1
INTERNET-ROUTER(config)#ip route 11.1.1.0 255.255.255.0 192.168.1.1
INTERNET-ROUTER(config)#ip route 192.168.2.0 255.255.255.0 192.168.2.1
INTERNET-ROUTER(config)#ip route 192.168.20.0 255.255.255.0 192.168.2.1
INTERNET-ROUTER(config)#ip route 22.1.1.0 255.255.255.0 192.168.2.1
INTERNET-ROUTER(config)#ip route 192.168.3.0 255.255.255.0 192.168.3.1
INTERNET-ROUTER(config)#ip route 192.168.30.0 255.255.255.0 192.168.3.1
INTERNET-ROUTER(config)#ip route 33.1.1.0 255.255.255.0 192.168.3.1
INTERNET-ROUTER(config)#ip route 192.168.4.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#ip route 192.168.40.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#ip route 44.1.1.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#exit
SITE-ONE-ROUTE(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
SITE-ONE-ROUTE(config)#exit
SITE-ONE-ROUTE#show ip route
Gateway of last resort is 192.168.1.2 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
11.0.0.0/24 is subnetted, 1 subnets
C 11.1.1.0 is directly connected, Loopback1
C 192.168.1.0/24 is directly connected, Serial4/0
S* 0.0.0.0/0 [1/0] via 192.168.1.2
SITE-ONE-ROUTE#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/62/68 ms
SITE-ONE-ROUTE#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/80 ms
SITE-ONE-ROUTE#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/63/80 ms
SITE-TWO-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2
SITE-TWO-ROUTER(config)#end
SITE-TWO-ROUTER#show ip route
Gateway of last resort is 192.168.2.2 to network 0.0.0.0
22.0.0.0/24 is subnetted, 1 subnets
C 22.1.1.0 is directly connected, Loopback1
C 192.168.20.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, Serial4/1
S* 0.0.0.0/0 [1/0] via 192.168.2.2
SITE-TWO-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/61/68 ms
SITE-TWO-ROUTER#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/81/100 ms
SITE-TWO-ROUTER#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/89/116 ms
SITE-THREE-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
SITE-THREE-ROUTER(config)#EXIT
SITE-THREE-ROUTER#end
SITE-THREE-ROUTER#show ip route
Gateway of last resort is 192.168.3.2 to network 0.0.0.0
33.0.0.0/24 is subnetted, 1 subnets
C 33.1.1.0 is directly connected, Loopback1
C 192.168.30.0/24 is directly connected, FastEthernet0/0
C 192.168.3.0/24 is directly connected, Serial4/2
S* 0.0.0.0/0 [1/0] via 192.168.3.2
SITE-THREE-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/68 ms
SITE-THREE-ROUTER#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/80 ms
SITE-THREE-ROUTER#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/63/80 ms
SITE-FOUR-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.4.2
SITE-FOUR-ROUTER(config)#EXIT
SITE-FOUR-ROUTER#show ip route
Gateway of last resort is 192.168.4.2 to network 0.0.0.0
C 192.168.40.0/24 is directly connected, FastEthernet0/0
C 192.168.4.0/24 is directly connected, Serial4/3
44.0.0.0/24 is subnetted, 1 subnets
C 44.1.1.0 is directly connected, Loopback1
S* 0.0.0.0/0 [1/0] via 192.168.4.2
SITE-FOUR-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/63/72 ms
SITE-FOUR-ROUTER#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/58/64 ms
SITE-FOUR-ROUTER#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/64 ms
SITE-ONE-ROUTE(config)#ip access-list extended INTERNETWORKS
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#exit
SITE-ONE-ROUTE#show access-lists
Extended IP access list INTERNETWORKS
10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
20 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
30 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
SITE-TWO-ROUTER(config)#ip access-list extended INTERNETWORKS
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#exit
SITE-TWO-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
30 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
SITE-THREE-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
10 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
30 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
SITE-FOUR-ROUTER(config)#ip access-list extended INTERNETWORKS
SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-FOUR-ROUTER(config-ext-nacl)#exit
SITE-FOUR-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
10 permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
30 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-ONE-ROUTE(config)#crypto isakmp enable
SITE-ONE-ROUTE#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
SITE-TWO-ROUTER(config)#crypto isakmp enable
SITE-TWO-ROUTER(config)#end
SITE-TWO-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
SITE-THREE-ROUTER(config)#crypto isakmp enable
SITE-THREE-ROUTER(config)#end
SITE-THREE-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
SITE-FOUR-ROUTER(config)#crypto isakmp enable
SITE-FOUR-ROUTER(config)#end
SITE-FOUR-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
SITE-ONE-ROUTE(config)#crypto isakmp policy 10
SITE-ONE-ROUTE(config-isakmp)#authentication pre-share
SITE-ONE-ROUTE(config-isakmp)#encryption aes 256
SITE-ONE-ROUTE(config-isakmp)#hash sha
SITE-ONE-ROUTE(config-isakmp)#group 5
SITE-ONE-ROUTE(config-isakmp)#lifetime 3600
SITE-ONE-ROUTE(config-isakmp)#exit
SITE-TWO-ROUTER(config)#crypto isakmp policy 10
SITE-TWO-ROUTER(config-isakmp)#authentication pre-share
SITE-TWO-ROUTER(config-isakmp)#encryption aes 256
SITE-TWO-ROUTER(config-isakmp)#hash sha
SITE-TWO-ROUTER(config-isakmp)#group 5
SITE-TWO-ROUTER(config-isakmp)#lifetime 3600
SITE-TWO-ROUTER(config-isakmp)#exit
SITE-THREE-ROUTER(config)#crypto isakmp policy 10
SITE-THREE-ROUTER(config-isakmp)#authentication pre-share
SITE-THREE-ROUTER(config-isakmp)#encryption aes 256
SITE-THREE-ROUTER(config-isakmp)#hash sha
SITE-THREE-ROUTER(config-isakmp)#group 5
SITE-THREE-ROUTER(config-isakmp)#lifetime 3600
SITE-THREE-ROUTER(config-isakmp)#exit
SITE-FOUR-ROUTER(config)#crypto isakmp policy 10
SITE-FOUR-ROUTER(config-isakmp)#authentication pre-share
SITE-FOUR-ROUTER(config-isakmp)#encryption aes 256
SITE-FOUR-ROUTER(config-isakmp)#hash sha
SITE-FOUR-ROUTER(config-isakmp)#group 5
SITE-FOUR-ROUTER(config-isakmp)#lifetime 3600
SITE-FOUR-ROUTER(config-isakmp)#exit
SITE-ONE-ROUTE#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
SITE-TWO-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
SITE-THREE-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
SITE-FOUR-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
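How IKE phase 1 picks a policy from the two lists every router now shows (policy 10 plus the default policy 65507), as an added example in Python that is not part of the lab: it applies the matching rule Cisco documents for IOS (identical encryption, hash, authentication and DH group; the responder's lifetime must not exceed the initiator's, and the shorter one is used) and shows the failure mode to watch for: when policy 10 differs on one site, negotiation silently falls through to the default policy, which uses RSA signatures instead of the pre-shared keys. The misconfigured policies in the `__main__` block are constructed, not taken from the lab.

```python
"""IKE phase 1 policy selection for the lab's routers (added example, not lab code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # lower number = higher priority
    encryption: str
    hash: str
    authentication: str
    group: int
    lifetime: int          # seconds


# The two policies each router shows after the lab's configuration: the IOS
# default policy (priority 65507), which stays present, and the configured policy 10.
DEFAULT_POLICY = IkePolicy(65507, "aes-128", "sha", "rsa-sig", 5, 86400)
LAB_POLICY_10 = IkePolicy(10, "aes-256", "sha", "pre-share", 5, 3600)


def policy_set(*policies: IkePolicy) -> List[IkePolicy]:
    """A router's IKE policies, default included, ordered by priority."""
    return sorted(set(policies) | {DEFAULT_POLICY}, key=lambda p: p.priority)


def matches(responder: IkePolicy, initiator: IkePolicy) -> bool:
    """Same encryption, hash, authentication and DH group, and the responder's
    lifetime must not exceed the initiator's (Cisco's documented rule)."""
    suite = ("encryption", "hash", "authentication", "group")
    same_suite = all(getattr(responder, f) == getattr(initiator, f) for f in suite)
    return same_suite and responder.lifetime <= initiator.lifetime


def negotiate(initiator: List[IkePolicy],
              responder: List[IkePolicy]) -> Optional[Tuple[IkePolicy, int]]:
    """The initiator offers all its policies; the responder walks its own list from
    highest priority down and takes the first offer that matches.  Returns the
    responder's chosen policy and the negotiated (shorter) lifetime, or None."""
    for mine in responder:
        for offered in initiator:
            if matches(mine, offered):
                return mine, min(mine.lifetime, offered.lifetime)
    return None


def explain(result: Optional[Tuple[IkePolicy, int]], psk_configured: bool = True) -> str:
    """Describe the outcome.  A match on the default policy means RSA signatures,
    so the pre-shared keys configured in this lab would never be used."""
    if result is None:
        return "no matching IKE policy: phase 1 fails"
    policy, lifetime = result
    if policy.authentication == "rsa-sig" and psk_configured:
        return (f"matched default policy {policy.priority} ({policy.encryption}, rsa-sig): "
                "pre-shared keys are ignored, authentication needs certificates")
    return (f"matched policy {policy.priority} ({policy.encryption}, "
            f"{policy.authentication}), lifetime {lifetime}s")


if __name__ == "__main__":
    site_one = policy_set(LAB_POLICY_10)
    # SITE-TWO as configured in the lab: identical policy 10.
    print(explain(negotiate(site_one, policy_set(LAB_POLICY_10))))
    # Constructed mistake: SITE-TWO typed `encryption aes` (128 bit) in policy 10.
    typo = IkePolicy(10, "aes-128", "sha", "pre-share", 5, 3600)
    print(explain(negotiate(site_one, policy_set(typo))))
    # Constructed mistake: SITE-TWO kept the default 86400 s lifetime in policy 10.
    # As responder it no longer matches policy 10; as initiator it still would.
    long_life = IkePolicy(10, "aes-256", "sha", "pre-share", 5, 86400)
    print(explain(negotiate(site_one, policy_set(long_life))))
    print(explain(negotiate(policy_set(long_life), site_one)))
```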
SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-ONE-ROUTE(config)#end
SITE-ONE-ROUTE#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 192.168.2.1 internetwork.in
192.168.3.1 internetwork.in
192.168.4.1 internetwork.in
SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-TWO-ROUTER(config)#end
SITE-TWO-ROUTER#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 192.168.1.1 internetwork.in
192.168.3.1 internetwork.in
192.168.4.1 internetwork.in
SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-THREE-ROUTER(config)#end
SITE-THREE-ROUTER#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 192.168.1.1 internetwork.in
192.168.2.1 internetwork.in
192.168.4.1 internetwork.in
SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-FOUR-ROUTER(config)#end
SITE-FOUR-ROUTER#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 192.168.1.1 internetwork.in
192.168.2.1 internetwork.in
192.168.3.1 internetwork.in
SITE-ONE-ROUTE(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-ONE-ROUTE(cfg-crypto-trans)#exit
SITE-TWO-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-TWO-ROUTER(cfg-crypto-trans)#exit
SITE-THREE-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-THREE-ROUTER(cfg-crypto-trans)#exit
SITE-FOUR-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-FOUR-ROUTER(cfg-crypto-trans)#exit
SITE-ONE-ROUTE#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
SITE-TWO-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
SITE-THREE-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
SITE-FOUR-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
SITE-ONE-ROUTE(config)#crypto ipsec security-association lifetime seconds 1800
SITE-TWO-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-THREE-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-FOUR-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-ONE-ROUTE(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SITE-ONE-ROUTE(config)#crypto map CRY-MAP 10 ipsec-isakmp
SITE-ONE-ROUTE(config-crypto-map)#match address INTERNETWORKS
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.2.1
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.3.1
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.4.1
SITE-ONE-ROUTE(config-crypto-map)#set transform-set IPSEC-SET
SITE-ONE-ROUTE(config-crypto-map)#exit
SITE-TWO-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SITE-TWO-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
SITE-TWO-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.3.1
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.4.1
SITE-TWO-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-TWO-ROUTER(config-crypto-map)#exit
SITE-THREE-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SITE-THREE-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.4.1
SITE-THREE-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-THREE-ROUTER(config-crypto-map)#exit
SITE-FOUR-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SITE-FOUR-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.3.1
SITE-FOUR-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-FOUR-ROUTER(config-crypto-map)#exit
SITE-ONE-ROUTE(config)#interface serial 4/0
SITE-ONE-ROUTE(config-if)#crypto map CRY-MAP
SITE-ONE-ROUTE(config-if)#exit
*Oct 6 13:18:16.863: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
SITE-TWO-ROUTER(config)#interface serial 4/1
SITE-TWO-ROUTER(config-if)#crypto map CRY-MAP
SITE-TWO-ROUTER(config-if)#exit
*Oct 6 13:18:32.399: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
SITE-THREE-ROUTER(config)#interface serial 4/2
SITE-THREE-ROUTER(config-if)#crypto map CRY-MAP
SITE-THREE-ROUTER(config-if)#exit
*Oct 6 13:18:48.283: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
SITE-FOUR-ROUTER(config)#interface serial 4/3
SITE-FOUR-ROUTER(config-if)#crypto map CRY-MAP
SITE-FOUR-ROUTER(config-if)#exit
*Oct 6 13:19:04.939: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
SITE-ONE-ROUTE#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
SITE-ONE-ROUTE#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.2.1
Peer = 192.168.3.1
Peer = 192.168.4.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
Current peer: 192.168.2.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
IPSEC-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRY-MAP:
Serial4/0
SITE-TWO-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
SITE-TWO-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.2.1
Peer = 192.168.3.1
Peer = 192.168.4.1
Peer = 192.168.1.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
Current peer: 192.168.2.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
IPSEC-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRY-MAP:
Serial4/1
SITE-THREE-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
SITE-THREE-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Peer = 192.168.2.1
Peer = 192.168.4.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
IPSEC-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRY-MAP:
Serial4/2
SITE-FOUR-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
SITE-FOUR-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Peer = 192.168.2.1
Peer = 192.168.3.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
IPSEC-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRY-MAP:
Serial4/3
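In a full mesh like this one, the most common reason a tunnel never comes up is a crypto ACL that is not the mirror image of the peer's ACL, or a peer statement that was left out on one side. The following is an added example, not code from the original page: a small Python check that reads the text of show crypto map from each site and reports any ACL entry without a mirror entry at the remote site, and any site whose peer list does not match the other sites. The sample outputs are constructed from the addresses and ACL lines shown above (the SITE-TWO sample keeps the 192.168.2.1 peer entry exactly as the page prints it, and the check reports it because it is the router's own WAN address); the function names are the example's own.

```python
"""Consistency check for a full-mesh IPsec crypto-map deployment.

Added example, not part of the original page or of Cisco IOS. It parses
the text of `show crypto map` captured from each site and verifies that
  1. every crypto ACL entry at site A (A-LAN -> B-LAN) has a mirror-image
     entry at site B (B-LAN -> A-LAN), and
  2. every site lists exactly the other sites' WAN addresses as peers.
"""
import re

# Constructed sample: the relevant lines of `show crypto map` per site,
# keyed by the site's WAN address, copied from the values on the page.
SHOW_CRYPTO_MAP = {
    "192.168.1.1": """Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.2.1
Peer = 192.168.3.1
Peer = 192.168.4.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
Current peer: 192.168.2.1
""",
    "192.168.2.1": """Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.2.1
Peer = 192.168.3.1
Peer = 192.168.4.1
Peer = 192.168.1.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
""",
    "192.168.3.1": """Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Peer = 192.168.2.1
Peer = 192.168.4.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
""",
    "192.168.4.1": """Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Peer = 192.168.2.1
Peer = 192.168.3.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
""",
}

# "Peer = x.x.x.x" lines; "Current peer:" is deliberately not matched.
PEER_RE = re.compile(r"^\s*Peer = (\S+)", re.M)
# source, source-wildcard, destination, destination-wildcard of each ACL entry
ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_crypto_map(text):
    """Return (set of peer addresses, set of (src, src_wc, dst, dst_wc) tuples)."""
    peers = set(PEER_RE.findall(text))
    acl = {tuple(m) for m in ACL_RE.findall(text)}
    return peers, acl


def check_mesh(outputs):
    """Return a sorted list of findings; an empty list means the mesh is consistent."""
    parsed = {wan: parse_crypto_map(txt) for wan, txt in outputs.items()}
    sites = set(parsed)
    # The source side of a site's own ACL entries identifies its LAN prefix.
    lan_owner = {}
    for wan, (_, acl) in parsed.items():
        for src, src_wc, _, _ in acl:
            lan_owner[(src, src_wc)] = wan
    findings = []
    for wan, (peers, acl) in parsed.items():
        for p in sorted(sites - {wan} - peers):
            findings.append(f"{wan}: missing peer {p}")
        for p in sorted(peers - (sites - {wan})):
            findings.append(f"{wan}: peer {p} is not another site of the mesh")
        for src, src_wc, dst, dst_wc in acl:
            remote = lan_owner.get((dst, dst_wc))
            if remote is None:
                findings.append(f"{wan}: destination {dst} belongs to no known site")
            elif (dst, dst_wc, src, src_wc) not in parsed[remote][1]:
                findings.append(f"{wan}: entry {src} -> {dst} has no mirror at {remote}")
    return sorted(findings)


if __name__ == "__main__":
    for line in check_mesh(SHOW_CRYPTO_MAP) or ["mesh is consistent"]:
        print(line)
```

Run against the page's outputs the only finding is the SITE-TWO peer entry for its own address; deleting one ACL line from a site produces a "has no mirror" finding at the opposite site, which is the condition that leaves an IKE phase 2 proposal unmatched.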
SITE-ONE-ROUTE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
SITE-ONE-ROUTE#ping 192.168.20.1 source 192.168.10.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 44/63/168 ms
SITE-ONE-ROUTE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.2.1 192.168.1.1 QM_IDLE 1001 ACTIVE