MPLS: How to configure IPsec VPN site to sites?

(Internet Protocol Security) IPsec is a set of protocols developed by the Internet Engineering Task Force (IETF). Internet protocol security (IPsec) is a framework that helps us to protect our IP traffic on the network layer. Why? Because the (internet protocol) IP protocol itself doesn’t have any security features at all. IPsec allows two or more hosts to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session. IPsec allows two or more hosts to communicate with authentication by encrypting each IP packet of its session.

we already discussed IPsec and DMVPN in the previous blogs, so before starting this easy lab we need to look few topics.

access-list extended can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. These are the ACLs that use source IP, Destination IP, source port, and Destination port. we can also mention which IP traffic should be allowed or denied. This gives the extended access list the ability to make much more granular decisions when controlling traffic. These uses range from 100-199 and 2000-2699. (it's very important to use extended ACL in IPsec with VPN, the access-list is used to tell the router which traffic is to encrypt.)

crypto isakmp enable this command is used to enable IKE for IPsec function. IKE is enabled by default but if it's disabled then you must enable it with the help of this command. IKE is also called ISAKMP. it's a negotiation protocol that is used to allow two hosts to agree on how to build an IPsec security association. IKE separates negotiation into two Phases. phase 1 is used to create the first tunnel. phase 2 creates the tunnel that protects data.

Crypto ISAKMP policy internet security association key management protocol policy (ISAKMP). we need to create an ISAKMP policy for the IKE phase 1 negotiation process and define the authentication, encryption, and hash function which is used to control traffic between the VPN endpoints.

ISAKMP commands:

authentication Set authentication method for protection suite

default Set a command to its defaults

encryption Set encryption algorithm for protection suite

exit Exit from ISAKMP protection suite configuration mode

group Set the Diffie-Hellman group

hash Set hash algorithm for protection suite

lifetime Set lifetime for ISAKMP security association

no Negate a command or set its defaults

The crypto isakmp key is a pre-shared key, this feature is used for the authentication method in IKE policy. we must configure a key on each site router and the same key is configured on the other endpoint of the VPN. pre-shared keys must match for successful authentication.

crypto IPsec transform-set transform set combination of algorithms and protocol this going to create a security policy. here we have encapsulation protocol you can choose ESP or AH, encryption DES,3DES, AES, and hashing MD5, SSHA1, SHA2.

R1(config)#crypto ipsec transform-set INTERNETWORKS ?

ah-md5-hmac AH-HMAC-MD5 transform

ah-sha-hmac AH-HMAC-SHA transform

comp-lzs IP Compression using the LZS compression algorithm

esp-3des ESP transform using 3DES(EDE) cipher (168 bits)

esp-aes ESP transform using AES cipher

esp-des ESP transform using DES cipher (56 bits)

esp-md5-hmac ESP transform using HMAC-MD5 auth

esp-null ESP transform w/o cipher

esp-seal ESP transform using SEAL cipher (160 bits)

esp-sha-hmac ESP transform using HMAC-SHA auth

R1(config)#crypto ipsec transform-set INTERNETWORKS COMp-lzs ?

ah-md5-hmac AH-HMAC-MD5 transform

ah-sha-hmac AH-HMAC-SHA transform

esp-3des ESP transform using 3DES(EDE) cipher (168 bits)

esp-aes ESP transform using AES cipher

esp-des ESP transform using DES cipher (56 bits)

esp-md5-hmac ESP transform using HMAC-MD5 auth

esp-null ESP transform w/o cipher

esp-seal ESP transform using SEAL cipher (160 bits)

esp-sha-hmac ESP transform using HMAC-SHA auth

<cr>

6. A crypto map is used to match an ACL that is configured earlier to a peer and other IKE and IPsec features. you have to set the peer and this map is applied on the interface which points toward the IPsec peer.

in this lab, we are going to configure IPsec VPN using Cisco IOS and encrypt the traffic from router-1 to r2, r3,r4, and vice versa from fastethernet 0/0.

let's see the topology: -

configure the topology as per the diagram
assign the IP addresses
configure the default route on router 1,2,3,4 and configure the static route of router 5
make sure all the routers can ping
configure extended ACL
enable crypto ISAKMP
configure ISAKMP policy authentication, encryption, DH group, and hash sha
configure pre-shared keys and share
configure IPsec transform set
configure lifetimes
configure crypto map
apply crypto map on the interface

R1(config)#Hostname SITE-ONE-ROUTE
SITE-ONE-ROUTE(config)#interface serial 4/0
SITE-ONE-ROUTE(config-if)#ip address 192.168.1.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#exit

SITE-ONE-ROUTE(config)#interface fastethernet 0/0

SITE-ONE-ROUTE(config-if)#ip address 192.168.10.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#no keepalive
SITE-ONE-ROUTE(config-if)#exit

SITE-ONE-ROUTE(config)#interface loopback 1
SITE-ONE-ROUTE(config-if)#ip address 11.1.1.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#exit

SITE-ONE-ROUTE#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.1 YES manual up up
Serial4/0 192.168.1.1 YES manual up up
Loopback1 11.1.1.1 YES manual up up

R2(config)#interface serial 4/1
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.20.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive
R2(config-if)#exit

R2(config)#interface loopback 1
R2(config-if)#ip address 22.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.20.1 YES manual up up
Serial4/1 192.168.2.1 YES manual up up
Loopback1 22.1.1.1 YES manual up up

R3(config)#interface serial 4/2
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit

R3(config)#interface loopback 1
R3(config-if)#ip address 33.1.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.30.1 YES manual up up
Serial4/2 192.168.3.1 YES manual up up
Loopback1 33.1.1.1 YES manual up up

R4(config)#interface serial 4/3
R4(config-if)#ip address 192.168.4.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 192.168.40.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface loopback 1
R4(config-if)#ip address 44.1.1.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#end

R4#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.40.1 YES manual up up
Serial4/3 192.168.4.1 YES manual up up
Loopback1 44.1.1.1 YES manual up up

INTERNET-ROUTER(config)#interface serial 4/0
INTERNET-ROUTER(config-if)#ip address 192.168.1.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit

INTERNET-ROUTER(config)#interface serial 4/1
INTERNET-ROUTER(config-if)#ip address 192.168.2.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit

INTERNET-ROUTER(config)#interface serial 4/2
INTERNET-ROUTER(config-if)#ip address 192.168.3.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit

INTERNET-ROUTER(config)#interface serial 4/3
INTERNET-ROUTER(config-if)#ip address 192.168.4.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit
INTERNET-ROUTER(config)#end

INTERNET-ROUTER#show ip interface brief
Interface IP-Address OK? Method Status Protocol

Serial4/0 192.168.1.2 YES manual up up
Serial4/1 192.168.2.2 YES manual up up
Serial4/2 192.168.3.2 YES manual up up
Serial4/3 192.168.4.2 YES manual up up

INTERNET-ROUTER(config)#ip route 192.168.1.0 255.255.255.0 192.168.1.1
INTERNET-ROUTER(config)#ip route 192.168.10.0 255.255.255.0 192.168.1.1
INTERNET-ROUTER(config)#ip route 11.1.1.0 255.255.255.0 192.168.1.1

INTERNET-ROUTER(config)#ip route 192.168.2.0 255.255.255.0 192.168.2.1
INTERNET-ROUTER(config)#ip route 192.168.20.0 255.255.255.0 192.168.2.1
INTERNET-ROUTER(config)#ip route 22.1.1.0 255.255.255.0 192.168.2.1

INTERNET-ROUTER(config)#ip route 192.168.3.0 255.255.255.0 192.168.3.1
INTERNET-ROUTER(config)#ip route 192.168.30.0 255.255.255.0 192.168.3.1
INTERNET-ROUTER(config)#ip route 33.1.1.0 255.255.255.0 192.168.3.1

INTERNET-ROUTER(config)#ip route 192.168.4.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#ip route 192.168.40.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#ip route 44.1.1.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#exit

SITE-ONE-ROUTE(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
SITE-ONE-ROUTE(config)#exit

SITE-ONE-ROUTE#show ip route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
11.0.0.0/24 is subnetted, 1 subnets
C 11.1.1.0 is directly connected, Loopback1
C 192.168.1.0/24 is directly connected, Serial4/0
S* 0.0.0.0/0 [1/0] via 192.168.1.2

SITE-ONE-ROUTE#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/62/68 ms

SITE-ONE-ROUTE#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/80 ms

SITE-ONE-ROUTE#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/63/80 ms

SITE-TWO-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2
SITE-TWO-ROUTER(config)#end

SITE-TWO-ROUTER#show ip route

Gateway of last resort is 192.168.2.2 to network 0.0.0.0
22.0.0.0/24 is subnetted, 1 subnets
C 22.1.1.0 is directly connected, Loopback1
C 192.168.20.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, Serial4/1
S* 0.0.0.0/0 [1/0] via 192.168.2.2

SITE-TWO-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/61/68 ms

SITE-TWO-ROUTER#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/81/100 ms

SITE-TWO-ROUTER#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/89/116 ms

SITE-THREE-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
SITE-THREE-ROUTER(config)#EXIT
SITE-THREE-ROUTER#end

SITE-THREE-ROUTER#show ip route

Gateway of last resort is 192.168.3.2 to network 0.0.0.0
33.0.0.0/24 is subnetted, 1 subnets
C 33.1.1.0 is directly connected, Loopback1
C 192.168.30.0/24 is directly connected, FastEthernet0/0
C 192.168.3.0/24 is directly connected, Serial4/2
S* 0.0.0.0/0 [1/0] via 192.168.3.2

SITE-THREE-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/68 ms

SITE-THREE-ROUTER#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/80 ms

SITE-THREE-ROUTER#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/63/80 ms

SITE-FOUR-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.4.2
SITE-FOUR-ROUTER(config)#EXIT

SITE-FOUR-ROUTER#show ip route

Gateway of last resort is 192.168.4.2 to network 0.0.0.0
C 192.168.40.0/24 is directly connected, FastEthernet0/0
C 192.168.4.0/24 is directly connected, Serial4/3
44.0.0.0/24 is subnetted, 1 subnets
C 44.1.1.0 is directly connected, Loopback1
S* 0.0.0.0/0 [1/0] via 192.168.4.2

SITE-FOUR-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/63/72 ms

SITE-FOUR-ROUTER#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/58/64 ms

SITE-FOUR-ROUTER#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/64 ms

SITE-ONE-ROUTE(config)#ip access-list extended INTERNETWORKS
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 92.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 92.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 92.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#exit

SITE-ONE-ROUTE#show access-lists
Extended IP access list INTERNETWORKS
10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
20 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
30 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255

SITE-TWO-ROUTER(config)#ip access-list extended INTERNETWORKS
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#exit

SITE-TWO-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
30 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255

SITE-THREE-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
10 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
30 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255

SITE-FOUR-ROUTER(config)#ip access-list extended INTERNETWORKS
SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0$0 0.0.0.255 192.168.20.0 0.0.0.255

SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-FOUR-ROUTER(config-ext-nacl)#exit

SITE-FOUR-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
10 permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
30 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255

SITE-ONE-ROUTE(config)#crypto isakmp enable

SITE-ONE-ROUTE#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit

SITE-TWO-ROUTER(config)#crypto isakmp enable
SITE-TWO-ROUTER(config)#end

SITE-TWO-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit

SITE-THREE-ROUTER(config)#crypto isakmp enable
SITE-THREE-ROUTER(config)#end

SITE-THREE-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit

SITE-FOUR-ROUTER(config)#crypto isakmp enable
SITE-FOUR-ROUTER(config)#end

SITE-FOUR-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit

SITE-ONE-ROUTE(config)#crypto isakmp policy 10
SITE-ONE-ROUTE(config-isakmp)#authentication pre-share
SITE-ONE-ROUTE(config-isakmp)#encryption aes 256
SITE-ONE-ROUTE(config-isakmp)#hash sha
SITE-ONE-ROUTE(config-isakmp)#group 5
SITE-ONE-ROUTE(config-isakmp)#lifetime 3600
SITE-ONE-ROUTE(config-isakmp)#exit

SITE-TWO-ROUTER(config)#crypto isakmp policy 10
SITE-TWO-ROUTER(config-isakmp)#authentication pre-share
SITE-TWO-ROUTER(config-isakmp)#encryption aes 256
SITE-TWO-ROUTER(config-isakmp)#hash sha
SITE-TWO-ROUTER(config-isakmp)#group 5
SITE-TWO-ROUTER(config-isakmp)#lifetime 3600
SITE-TWO-ROUTER(config-isakmp)#exit

SITE-THREE-ROUTER(config)#crypto isakmp policy 10
SITE-THREE-ROUTER(config-isakmp)#authentication pre-share
SITE-THREE-ROUTER(config-isakmp)#encryption aes 256
SITE-THREE-ROUTER(config-isakmp)#hash sha
SITE-THREE-ROUTER(config-isakmp)#group 5
SITE-THREE-ROUTER(config-isakmp)#lifetime 3600
SITE-THREE-ROUTER(config-isakmp)#exit

SITE-FOUR-ROUTER(config)#crypto isakmp policy 10
SITE-FOUR-ROUTER(config-isakmp)#authentication pre-share
SITE-FOUR-ROUTER(config-isakmp)#encryption aes 256
SITE-FOUR-ROUTER(config-isakmp)#hash sha
SITE-FOUR-ROUTER(config-isakmp)#group 5
SITE-FOUR-ROUTER(config-isakmp)#lifetime 3600
SITE-FOUR-ROUTER(config-isakmp)#exit

SITE-ONE-ROUTE#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit

SITE-TWO-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit

SITE-THREE-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit

SITE-FOUR-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit

SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-ONE-ROUTE(config)#end

SITE-ONE-ROUTE#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 192.168.2.1 internetwork.in
192.168.3.1 internetwork.in
192.168.4.1 internetwork.in

SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-TWO-ROUTER(config)#end

SITE-TWO-ROUTER#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 192.168.1.1 internetwork.in
192.168.3.1 internetwork.in
192.168.4.1 internetwork.in

SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-THREE-ROUTER(config)#end

SITE-THREE-ROUTER#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 192.168.1.1 internetwork.in
192.168.2.1 internetwork.in
192.168.4.1 internetwork.in

SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-FOUR-ROUTER(config)#end

SITE-FOUR-ROUTER#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 192.168.1.1 internetwork.in
192.168.2.1 internetwork.in
192.168.3.1 internetwork.in

SITE-ONE-ROUTE(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-ONE-ROUTE(cfg-crypto-trans)#exit

SITE-TWO-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-TWO-ROUTER(cfg-crypto-trans)#exit

SITE-THREE-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-THREE-ROUTER(cfg-crypto-trans)#exit

SITE-FOUR-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-FOUR-ROUTER(cfg-crypto-trans)#exit

SITE-ONE-ROUTE#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },

SITE-TWO-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },

SITE-THREE-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },

SITE-FOUR-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },

SITE-ONE-ROUTE(config)#crypto ipsec security-association lifetime seconds 1800
SITE-TWO-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-THREE-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-FOUR-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800

SITE-ONE-ROUTE(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.

SITE-ONE-ROUTE(config)#crypto map CRY-MAP 10 ipsec-isakmp
SITE-ONE-ROUTE(config-crypto-map)#match address INTERNETWORKS
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.2.1
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.3.1
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.4.1
SITE-ONE-ROUTE(config-crypto-map)#set transform-set IPSEC-SET
SITE-ONE-ROUTE(config-crypto-map)#exit

SITE-TWO-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.

SITE-TWO-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
SITE-TWO-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.3.1
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.4.1
SITE-TWO-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-TWO-ROUTER(config-crypto-map)#exit

SITE-THREE-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.

SITE-THREE-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.4.1
SITE-THREE-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-THREE-ROUTER(config-crypto-map)#exit

SITE-FOUR-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
SITE-FOUR-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.3.1
SITE-FOUR-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-FOUR-ROUTER(config-crypto-map)#exit

SITE-ONE-ROUTE(config)#interface serial 4/0
SITE-ONE-ROUTE(config-if)#crypto map CRY-MAP
SITE-ONE-ROUTE(config-if)#exit

*Oct 6 13:18:16.863: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-TWO-ROUTER(config)#interface serial 4/1
SITE-TWO-ROUTER(config-if)#crypto map CRY-MAP
SITE-TWO-ROUTER(config-if)#exit

*Oct 6 13:18:32.399: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-THREE-ROUTER(config)#interface serial 4/2
SITE-THREE-ROUTER(config-if)#crypto map CRY-MAP
SITE-THREE-ROUTER(config-if)#exit

*Oct 6 13:18:48.283: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-FOUR-ROUTER(config)#interface serial 4/3
SITE-FOUR-ROUTER(config-if)#crypto map CRY-MAP
SITE-FOUR-ROUTER(config-if)#exit

*Oct 6 13:19:04.939: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-ONE-ROUTE#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },

SITE-ONE-ROUTE#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.2.1
Peer = 192.168.3.1
Peer = 192.168.4.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
Current peer: 192.168.2.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
IPSEC-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRY-MAP:
Serial4/0

SITE-TWO-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },

SITE-TWO-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.2.1
Peer = 192.168.3.1
Peer = 192.168.4.1
Peer = 192.168.1.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
Current peer: 192.168.2.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
IPSEC-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRY-MAP:
Serial4/1

SITE-THREE-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },

SITE-THREE-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Peer = 192.168.2.1
Peer = 192.168.4.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
IPSEC-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRY-MAP:
Serial4/2

SITE-FOUR-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },

SITE-FOUR-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
Peer = 192.168.1.1
Peer = 192.168.2.1
Peer = 192.168.3.1
Extended IP access list INTERNETWORKS
access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
Current peer: 192.168.1.1
Security association lifetime: 4608000 kilobytes/1800 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
IPSEC-SET: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRY-MAP:
Serial4/3

SITE-ONE-ROUTE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA

SITE-ONE-ROUTE#ping 192.168.20.1 source 192.168.10.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 44/63/168 ms

SITE-ONE-ROUTE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.2.1 192.168.1.1 QM_IDLE 1001 ACTIVE

MPLS

Pages

Pages

How to configure IPsec VPN site to sites?

No comments:

Post a Comment