A VTI does the same job as GRE over IPsec: both carry routed traffic inside an IPsec-encrypted tunnel. VTI drops the extra 4-byte GRE header from every packet, so less of the link is spent on overhead per encrypted packet, and because a VTI is an ordinary routable interface you can apply ACLs, NAT and QoS to it directly and run a routing protocol (EIGRP in this lab) across it. Remember that the default tunnel mode is GRE/IP: you must set tunnel mode ipsec ipv4 on the tunnel interface (or on the virtual-template for a DVTI) to get a VTI; without it the tunnel protection still encrypts, but what you have built is GRE over IPsec. Two things in this lab are shortcuts rather than production practice: every peer shares the same pre-shared key (INTERNET), although the keyring lets you give each peer address its own strong key, and PFS is left off in the IPsec profile (PFS (Y/N): N in the show output below). Also note that the branches reach the hub through a default route and R2 holds static routes for the LAN subnets, so if a tunnel goes down and EIGRP withdraws the remote LAN, traffic to it would follow the default route to R2 unencrypted; the last task below ("make sure all the traffic is encrypted") is about checking exactly that.
- Configure the topology as per the diagram
- Configure the IP addresses as per the topology
- Configure a default route on the head office and branch routers
- Configure the crypto ISAKMP policy
- Configure the crypto keyring
- Configure the crypto ISAKMP profile
- Configure the crypto IPsec transform-set
- Configure the crypto IPsec profile
- Configure a dynamic virtual-template (interface virtual-template 1 type tunnel) on the head office router
- Configure EIGRP 100
- Configure tunnel 0 on the branches
- Apply the IPsec protection to the virtual tunnel interfaces
- Make sure all the traffic between the sites is encrypted
- Verify the configuration with show commands and ping + traceroute
R1(config)#interface serial 3/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 192.168.111.1 255.255.255.0
R1(config-if)#exit
R2(config)#interface serial 3/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 3/1
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 3/2
R2(config-if)#ip address 192.168.24.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R3(config)#interface serial 3/1
R3(config-if)#ip address 192.168.23.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit
R3(config)#interface loopback 0
R3(config-if)#ip address 192.168.133.1 255.255.255.0
R3(config-if)#exit
R4(config)#interface serial 3/2
R4(config-if)#ip address 192.168.24.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 192.168.40.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit
R4(config)#interface loopback 0
R4(config-if)#ip address 192.168.144.1 255.255.255.0
R4(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 3/0
R2(config)#ip route 192.168.10.0 255.255.255.0 serial 3/0
R2(config)#ip route 192.168.30.0 255.255.255.0 serial 3/1
R2(config)#ip route 192.168.40.0 255.255.255.0 serial 3/2
R3(config)#ip route 0.0.0.0 0.0.0.0 serial 3/1
R4(config)#ip route 0.0.0.0 0.0.0.0 serial 3/2
R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES manual up                    up
Serial3/0              192.168.12.1    YES manual up                    up
Loopback0              192.168.111.1   YES manual up                    up

R2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Serial3/0              192.168.12.2    YES manual up                    up
Serial3/1              192.168.23.2    YES manual up                    up
Serial3/2              192.168.24.2    YES manual up                    up

R3#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.30.1    YES manual up                    up
Serial3/1              192.168.23.1    YES manual up                    up
Loopback0              192.168.133.1   YES manual up                    up

R4#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.40.1    YES manual up                    up
Serial3/2              192.168.24.1    YES manual up                    up
Loopback0              192.168.144.1   YES manual up                    up
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 14
R1(config-isakmp)#hash sha256
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#exit
R1(config)#crypto keyring DVTI-KEYRING
R1(conf-keyring)#pre-shared-key address 192.168.23.1 key INTERNET
R1(conf-keyring)#pre-shared-key address 192.168.24.1 key INTERNET
R1(conf-keyring)#exit
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#keyring DVTI-KEYRING
R1(conf-isa-prof)#match identity address 192.168.23.1
R1(conf-isa-prof)#match identity address 192.168.24.1
R1(conf-isa-prof)#virtual-template 1
R1(conf-isa-prof)#exit
R1(config)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile DVTI-IPSEC
R1(ipsec-profile)#set transform-set TRANS-SET
R1(ipsec-profile)#exit
R1#show crypto isakmp profile
   Ref Count = 5
   Identities matched are:
     ip-address 192.168.23.1 255.255.255.255
     ip-address 192.168.24.1 255.255.255.255
   Certificate maps matched are:
   keyring(s): DVTI-KEYRING
   trustpoint(s): <all>

R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set TRANS-SET: { esp-256-aes esp-sha256-hmac  }
   will negotiate = { Tunnel,  },
R1#show crypto ipsec profile
IPSEC profile DVTI-IPSEC
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANS-SET:  { esp-256-aes esp-sha256-hmac  } ,
        }

IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,
        }
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 14
R3(config-isakmp)#hash sha256
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#lifetime 3600
R3(config-isakmp)#exit
R3(config)#crypto keyring DVTI-KEYRING
R3(conf-keyring)#pre-shared-key address 192.168.12.1 key INTERNET
R3(conf-keyring)#exit
% A profile is deemed incomplete until it has match identity statements
R3(conf-isa-prof)#keyring DVTI-KEYRING
R3(conf-isa-prof)#match identity address 192.168.12.1
R3(config)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile DVTI-IPSEC
R3(ipsec-profile)#set transform-set TRANS-SET
R3(ipsec-profile)#exit
R4(config-isakmp)#authentication pre-share
R4(config-isakmp)#group 14
R4(config-isakmp)#hash sha256
R4(config-isakmp)#encryption aes 256
R4(config-isakmp)#lifetime 3600
R4(config-isakmp)#exit
R4(config)#crypto keyring DVTI-KEYRING
R4(conf-keyring)#pre-shared-key address 192.168.12.1 key INTERNET
R4(conf-keyring)#exit
% A profile is deemed incomplete until it has match identity statements
R4(conf-isa-prof)#keyring DVTI-KEYRING
R4(conf-isa-prof)#match identity address 192.168.12.1
R4(conf-isa-prof)#crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
R4(cfg-crypto-trans)#mode tunnel
R4(cfg-crypto-trans)#exit
R4(config)#crypto ipsec profile DVTI-IPSEC
R4(ipsec-profile)#set transform-set TRANS-SET
R4(ipsec-profile)#exit
R1(config)#interface virtual-template 1 type tunnel
R1(config-if)#ip unnumbered loopback 0
R1(config-if)#tunnel source 192.168.12.1
R1(config-if)#tunnel destination dynamic
R1(config-if)#tunnel protection ipsec profile DVTI-IPSEC
R1(config-if)#no ip split-horizon eigrp 100
R1(config-if)#no ip next-hop-self eigrp 100
R1(config-if)#exit
R1(config)#router eigrp 100
R1(config-router)#network 192.168.10.0
R1(config-router)#network 192.168.111.0
R1(config-router)#no auto-summary
R1(config-router)#exit
*Apr 8 12:09:06.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Apr 8 12:09:58.035: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.133.1 (Virtual-Access1) is up: new adjacency
*Apr 8 12:28:57.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Apr 8 12:29:58.979: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.168.144.1 (Virtual-Access2) is up: new adjacency
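Putting the steps together, here is a complete hub and branch configuration for this topology. It is an added example, not the lab's own transcript: it supplies what the transcript above does not show (the virtual-template and tunnel 0 interface headers, the whole branch tunnel 0 configuration, and tunnel mode ipsec ipv4, without which the tunnel stays GRE over IPsec) and tightens the lab shortcuts. Everything not on the page is an assumption and is marked as such in the comments: the ISAKMP policy number 10, the ISAKMP profile name DVTI-PROF, one distinct key per branch (placeholders in angle brackets), set pfs group14, set isakmp-profile, and the floating Null0 route that makes a branch fail closed instead of sending head-office traffic to R2 in the clear when the tunnel is down.

```ios
! ===== Hub R1 (head office): DVTI =====
! ASSUMED: policy number 10 (the transcript does not show it)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
! ASSUMED: one strong, distinct key per branch instead of the shared INTERNET
crypto keyring DVTI-KEYRING
 pre-shared-key address 192.168.23.1 key <R3-unique-long-random-key>
 pre-shared-key address 192.168.24.1 key <R4-unique-long-random-key>
!
! ASSUMED: profile name DVTI-PROF
crypto isakmp profile DVTI-PROF
 keyring DVTI-KEYRING
 match identity address 192.168.23.1 255.255.255.255
 match identity address 192.168.24.1 255.255.255.255
 virtual-template 1
!
crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DVTI-IPSEC
 set transform-set TRANS-SET
 ! ASSUMED additions: PFS (the lab profile shows PFS (Y/N): N) and an explicit ISAKMP profile binding
 set pfs group14
 set isakmp-profile DVTI-PROF
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source 192.168.12.1
 ! the default mode is GRE/IP; this line is what makes the interface a VTI
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile DVTI-IPSEC
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
!
router eigrp 100
 network 192.168.10.0
 network 192.168.111.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial3/0
!
! ===== Branch R3: SVTI (R4 is identical with 192.168.24.1, 192.168.40.0 and 192.168.144.0) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto keyring DVTI-KEYRING
 pre-shared-key address 192.168.12.1 key <R3-unique-long-random-key>
!
crypto isakmp profile DVTI-PROF
 keyring DVTI-KEYRING
 match identity address 192.168.12.1 255.255.255.255
!
crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DVTI-IPSEC
 set transform-set TRANS-SET
 set pfs group14
 set isakmp-profile DVTI-PROF
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source 192.168.23.1
 tunnel mode ipsec ipv4
 tunnel destination 192.168.12.1
 tunnel protection ipsec profile DVTI-IPSEC
!
router eigrp 100
 network 192.168.30.0
 network 192.168.133.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial3/1
! ASSUMED addition: when the tunnel drops, EIGRP withdraws 192.168.10.0/24 and the default
! route would carry head-office traffic to R2 unencrypted; this floating route (AD 250,
! worse than EIGRP's 90) discards that traffic instead, so the site fails closed.
ip route 192.168.10.0 255.255.255.0 Null0 250
!
! ===== Verification (either side) =====
! show crypto isakmp sa                        -> QM_IDLE / ACTIVE for each peer
! show crypto ipsec sa | include peer|pkts     -> encaps/decaps counters rise while you ping
! show ip route eigrp                          -> remote LANs learned via Tunnel0 / Virtual-Access
! show interfaces tunnel 0 | include protocol  -> "Tunnel protocol/transport IPSEC/IP", not GRE/IP
```

Because the branch tunnels and the hub virtual-template are all ip unnumbered to Loopback0, the EIGRP network statements for the loopback subnets are what bring the tunnel interfaces into EIGRP, and the adjacencies show up with the loopback addresses, as in the log lines above. The encaps/decaps counters in show crypto ipsec sa are the real check for "all traffic is encrypted": if a ping between the LANs succeeds but the counters do not move, the traffic is taking the default route through R2 in the clear.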