What is IPsec NAT Traversal? How to configure IPsec NAT Traversal?

Internetworks
IPsec NAT traversal (NAT-T), also known as UDP encapsulation, is a technique that lets IPsec traffic reach its destination when one of the peers does not have a public IP address. NAT-T keeps the IPsec VPN connection up while the traffic passes through a NAT gateway. This usually happens when your ISP is doing NAT, or when the external interface of your firewall is connected to a device that has NAT enabled.

In our topology there is a NAT device in the middle that rewrites the outer IP header. That breaks the authenticity and integrity checks of the IPsec packet and, in some cases, the NAT device cannot do anything with the packet at all. So we know one thing: NAT and IPsec are incompatible with each other, but we have a solution, NAT traversal.

NAT Traversal (NAT-T) adds a UDP header and a special payload to the IPsec packet, which makes it look like a normal UDP packet to the NAT device, so the NAT device can make the required changes and forward the message.

(In the next blog we will look at the header information.)
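The following Python model is an added illustration (not code from the post) of what the UDP encapsulation described above does on the wire: an ESP packet is placed after a UDP header on port 4500, IKE on the same port is prefixed with the RFC 3948 four-zero-byte "non-ESP marker", and a one-byte keepalive refreshes the NAT binding. It also shows why this survives NAT while an AH-style check over the IP addresses does not. The key, payloads and the simplified NAT model are constructed; the addresses and the SPI follow the lab below, and, because the lab uses static one-to-one NAT, the translated source port stays 4500.

```python
"""Model of RFC 3948 UDP encapsulation (IPsec NAT-T) and of why ESP-in-UDP
survives a NAT while an AH-style check over the IP addresses does not.
Added example, not code from the post. Key, payloads and the simplified
NAT model are constructed; addresses and SPI follow the lab.
"""
import hashlib
import hmac
import struct

UDP_NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: four zero octets in front of IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948: a single 0xFF octet refreshes the NAT binding
ICV_LEN = 12                          # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits

KEY = b"constructed-sample-integrity-key"   # constructed, not a real SA key
SPI = 0xFD7D51CD                            # outbound SPI printed in the post's output


def build_esp(key: bytes, spi: int, seq: int, encrypted_payload: bytes) -> bytes:
    """ESP = SPI | sequence | encrypted payload | ICV. The ICV covers everything before it
    and nothing in the outer IP header, which is what lets a NAT rewrite that header."""
    body = struct.pack("!II", spi, seq) + encrypted_payload
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_icv_ok(key: bytes, esp: bytes) -> bool:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def ah_style_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """AH also binds the immutable IP header fields, including the source address."""
    return hmac.new(key, src.encode() + dst.encode() + payload, hashlib.sha1).digest()[:ICV_LEN]


def udp_encapsulate(kind: str, data: bytes) -> dict:
    """Build the UDP/4500 datagram NAT-T uses (header fields modelled as a dict)."""
    if kind == "ike":
        payload = NON_ESP_MARKER + data   # a zero SPI is reserved, so this can never be ESP
    elif kind == "esp":
        payload = data                    # ESP follows the UDP header directly
    elif kind == "keepalive":
        payload = NAT_KEEPALIVE
    else:
        raise ValueError(f"unknown kind {kind!r}")
    return {"sport": UDP_NAT_T_PORT, "dport": UDP_NAT_T_PORT, "payload": payload}


def classify_udp4500_payload(payload: bytes) -> str:
    """Receiver-side demultiplexing of a UDP/4500 datagram by its first octets."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    if len(payload) >= 8 + ICV_LEN:
        return "esp"
    raise ValueError("too short to be an ESP packet")


def nat_translate(packet: dict, inside_local: str, inside_global: str, new_sport: int) -> dict:
    """The NAT device rewrites only the outer source address and UDP source port."""
    out = dict(packet)
    if out["src"] == inside_local:
        out["src"], out["sport"] = inside_global, new_sport
    return out


def nat_t_survives_nat() -> bool:
    """ESP-in-UDP from 192.168.1.1, translated to 100.100.100.100, still verifies at the peer."""
    esp = build_esp(KEY, SPI, 1, b"ciphertext-of-inner-ip-packet")
    pkt = {"src": "192.168.1.1", "dst": "192.168.2.1", **udp_encapsulate("esp", esp)}
    after = nat_translate(pkt, "192.168.1.1", "100.100.100.100", 4500)
    return after["src"] == "100.100.100.100" and esp_icv_ok(KEY, after["payload"])


def ah_breaks_under_nat() -> bool:
    """The same translation invalidates a check that covers the source address."""
    payload = b"inner-ip-packet"
    sent = ah_style_icv(KEY, "192.168.1.1", "192.168.2.1", payload)
    seen = ah_style_icv(KEY, "100.100.100.100", "192.168.2.1", payload)
    return sent != seen
```

The point of the two final functions is the one the paragraph above makes: the NAT touches only the outer header and the UDP ports, the ESP integrity check never covered those fields, so the peer still accepts the packet; anything that binds the source address into its check (AH) fails as soon as the address is rewritten.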

Now let's see the configuration.

(If you like this blog, please visit our YouTube channel

https://youtu.be/D0t29ZdO09I?si=xlU36M8Pv2gPxRda)


Topology: -

Goal:
  • configure the topology as per the diagram
  • assign the IP address to their respective ports
  • configure a default route on routers 1 and 2 toward router 3
  • configure a static route on router 3 which is acting as an ISP NAT device
  • configure an extended ACL for the interesting traffic
  • enable crypto ISAKMP
  • configure crypto ISAKMP policy
  • configure pre-shared key 
  • configure IPsec transform-set on both sites
  • configure IPsec security-association lifetime
  • configure crypto map 
  • apply the crypto map on interfaces 
  • configure IP static NAT on router 3
  • configure inside and outside NAT on router 3
  • make sure 192.168.10.1 can reach 192.168.20.1 over IPsec while Site A's WAN address is translated to 100.100.100.100


SITE-A-ROUTER(config)#interface serial 4/0
SITE-A-ROUTER(config-if)#ip address 192.168.1.1 255.255.255.0
SITE-A-ROUTER(config-if)#no shutdown
SITE-A-ROUTER(config-if)#exit

SITE-A-ROUTER(config)#interface fastethernet 0/0
SITE-A-ROUTER(config-if)#ip address 192.168.10.1 255.255.255.0
SITE-A-ROUTER(config-if)#no shutdown
SITE-A-ROUTER(config-if)#no keepalive
SITE-A-ROUTER(config-if)#exit


SITE-B-ROUTER(config)#interface serial 4/1
SITE-B-ROUTER(config-if)#ip address 192.168.2.1 255.255.255.0
SITE-B-ROUTER(config-if)#no shutdown
SITE-B-ROUTER(config-if)#exit

SITE-B-ROUTER(config)#interface fastethernet 0/0
SITE-B-ROUTER(config-if)#ip address 192.168.20.1 255.255.255.0
SITE-B-ROUTER(config-if)#no shutdown
SITE-B-ROUTER(config-if)#exit


Internet-NAT-Device(config)#interface serial 4/0
Internet-NAT-Device(config-if)#ip address 192.168.1.2 255.255.255.0
Internet-NAT-Device(config-if)#no shutdown
Internet-NAT-Device(config-if)#exit

Internet-NAT-Device(config)#interface serial 4/1
Internet-NAT-Device(config-if)#ip address 192.168.2.2 255.255.255.0
Internet-NAT-Device(config-if)#no shutdown
Internet-NAT-Device(config-if)#exit

SITE-A-ROUTER#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.10.1    YES manual up                    up
Serial4/0                  192.168.1.1     YES manual up                    up



SITE-B-ROUTER#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.20.1    YES manual up                    up
Serial4/1                  192.168.2.1     YES manual up                    up


Internet-NAT-Device#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial4/0                  192.168.1.2     YES manual up                    up
Serial4/1                  192.168.2.2     YES manual up                    up



SITE-A-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0
SITE-A-ROUTER(config)#end

SITE-B-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1
SITE-B-ROUTER(config)#end


Internet-NAT-Device(config)#ip route 192.168.10.0 255.255.255.0 192.168.1.1
Internet-NAT-Device(config)#ip route 192.168.20.0 255.255.255.0 192.168.2.1
Internet-NAT-Device(config)#end



SITE-A-ROUTER(config)#ip access-list extended important-traffic
SITE-A-ROUTER(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-A-ROUTER(config-ext-nacl)#exit

SITE-A-ROUTER#show ip access-list
Extended IP access list important-traffic
    10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255


SITE-B-ROUTER(config)#ip access-list extended important-traffic
SITE-B-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-B-ROUTER(config-ext-nacl)#end

SITE-B-ROUTER#show ip access-list
Extended IP access list important-traffic
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255


SITE-A-ROUTER(config)#crypto isakmp enable

SITE-B-ROUTER(config)#crypto isakmp enable

SITE-A-ROUTER(config)#crypto isakmp policy ?
  <1-10000>  Priority of protection suite

SITE-A-ROUTER(config)#crypto isakmp policy 20
SITE-A-ROUTER(config-isakmp)#authentication pre-share
SITE-A-ROUTER(config-isakmp)#encryption aes 256
SITE-A-ROUTER(config-isakmp)#hash sha
SITE-A-ROUTER(config-isakmp)#group 5
SITE-A-ROUTER(config-isakmp)#lifetime 3600
SITE-A-ROUTER(config-isakmp)#exit

SITE-A-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit


SITE-B-ROUTER(config)#crypto isakmp policy 20
SITE-B-ROUTER(config-isakmp)#authentication pre-share
SITE-B-ROUTER(config-isakmp)#encryption aes 256
SITE-B-ROUTER(config-isakmp)#hash sha
SITE-B-ROUTER(config-isakmp)#group 5
SITE-B-ROUTER(config-isakmp)#lifetime 3600
SITE-B-ROUTER(config-isakmp)#end

SITE-B-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit


SITE-A-ROUTER(config)#crypto isakmp key 0 internetworks address 192.168.2.1
SITE-A-ROUTER(config)#end

SITE-A-ROUTER#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      192.168.2.1                                 internetworks

SITE-B-ROUTER(config)#crypto isakmp key 0 internetworks address 100.100.100.100
SITE-B-ROUTER(config)#end

As you can see in the command above, on router 2 I have used the address 100.100.100.100 instead of 192.168.1.1, because router 1's IP 192.168.1.1 will appear as 100.100.100.100 on the other side of the NAT device. I am also going to change the peer address in the crypto map, only on router 2: we have to use the static NAT address there in order to get a working IPsec VPN.

SITE-B-ROUTER#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      192.168.1.1                                 internetworks

SITE-A-ROUTER(config)#crypto ipsec transform-set TRANSF-SET esp-aes 256 esp-sha-hmac
SITE-A-ROUTER(cfg-crypto-trans)#end

SITE-A-ROUTER#show crypto ipsec transform-set
Transform set TRANSF-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },



SITE-B-ROUTER(config)#crypto ipsec transform-set TRANSF-SET esp-aes 256 esp-sha-hmac
SITE-B-ROUTER(cfg-crypto-trans)#end

SITE-B-ROUTER#show crypto ipsec transform-set
Transform set TRANSF-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },



SITE-A-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-A-ROUTER(config)#exit

SITE-A-ROUTER#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds


SITE-B-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-B-ROUTER(config)#end

SITE-B-ROUTER#show crypto ipsec security-association lifetime
Security association lifetime: 4608000 kilobytes/1800 seconds


SITE-A-ROUTER(config)#crypto map CRYPTO-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.


SITE-A-ROUTER(config-crypto-map)#match address important-traffic
SITE-A-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-A-ROUTER(config-crypto-map)#set transform-set TRANSF-SET
SITE-A-ROUTER(config-crypto-map)#exit
SITE-A-ROUTER(config)#end

*Oct 28 12:45:25.923: %CRYPTO-4-IKMP_NO_SA: IKE message from 100.100.100.100 has no SA and is not an initialization offer


SITE-A-ROUTER#show crypto map
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
        Peer = 192.168.2.1
        Extended IP access list important-traffic
            access-list important-traffic permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANSF-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRYPTO-MAP:




SITE-B-ROUTER(config)#crypto map CRYPTO-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.


SITE-B-ROUTER(config-crypto-map)#match address important-traffic
SITE-B-ROUTER(config-crypto-map)#set peer 100.100.100.100
SITE-B-ROUTER(config-crypto-map)#set transform-set TRANSF-SET
SITE-B-ROUTER(config-crypto-map)#end

SITE-B-ROUTER#show crypto map
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
        Peer = 192.168.1.1
        Extended IP access list important-traffic
            access-list important-traffic permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANSF-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRYPTO-MAP:



SITE-A-ROUTER(config)#interface serial 4/0
SITE-A-ROUTER(config-if)#crypto map CRYPTO-MAP
SITE-A-ROUTER(config-if)#exit

*Oct 28 12:34:30.711: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-A-ROUTER#show crypto map interface serial 4/0
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
        Peer = 192.168.2.1
        Extended IP access list important-traffic
            access-list important-traffic permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANSF-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRYPTO-MAP:
                Serial4/0




SITE-B-ROUTER(config)#interface serial 4/1
SITE-B-ROUTER(config-if)#crypto map CRYPTO-MAP
SITE-B-ROUTER(config-if)#end

*Oct 28 12:35:00.695: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


SITE-B-ROUTER#show crypto map interface serial 4/1
Crypto Map "CRYPTO-MAP" 10 ipsec-isakmp
        Peer = 192.168.1.1
        Extended IP access list important-traffic
            access-list important-traffic permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
        Current peer: 192.168.1.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                TRANSF-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRYPTO-MAP:
                Serial4/1



SITE-A-ROUTER#ping 192.168.20.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 44/63/100 ms


SITE-A-ROUTER#show crypto ipsec sa
interface: Serial4/0
    Crypto map tag: CRYPTO-MAP, local addr 192.168.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 192.168.2.1 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
    #pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/0
     current outbound spi: 0xFD7D51CD(4252848589)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x367632C(57107244)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4546969/1781)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xFD7D51CD(4252848589)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4546969/1781)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

SITE-B-ROUTER#ping 192.168.10.1 source fastEthernet 0/0 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 32/62/96 ms


SITE-B-ROUTER#show crypto ipsec sa
interface: Serial4/1
    Crypto map tag: CRYPTO-MAP, local addr 192.168.2.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 192.168.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 199, #pkts encrypt: 199, #pkts digest: 199
    #pkts decaps: 199, #pkts decrypt: 199, #pkts verify: 199
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1
     current outbound spi: 0x367632C(57107244)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xFD7D51CD(4252848589)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000046, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4383954/1725)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x367632C(57107244)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000046, crypto map: CRYPTO-MAP
        sa timing: remaining key lifetime (k/sec): (4383954/1725)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:



Internet-NAT-Device(config)#ip nat inside source static 192.168.1.1 100.100.100.100

*Oct 28 12:39:58.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up

Internet-NAT-Device(config)#interface serial 4/0
Internet-NAT-Device(config-if)#ip nat inside
Internet-NAT-Device(config-if)#exit

Internet-NAT-Device(config)#interface serial 4/1
Internet-NAT-Device(config-if)#ip nat outside
Internet-NAT-Device(config-if)#exit


SITE-A-ROUTER#clear crypto isakmp
SITE-A-ROUTER#clear crypto session


SITE-A-ROUTER#ping 192.168.20.1 source fastEthernet 0/0 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 44/60/140 ms



SITE-B-ROUTER#ping 192.168.10.1 source fastEthernet 0/0 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 24/60/144 ms


Internet-NAT-Device#show ip nat translations
Pro          Inside global      Inside local       Outside local      Outside global
udp 100.100.100.100:4500 192.168.1.1:4500 192.168.2.1:4500   192.168.2.1:4500
--- 100.100.100.100    192.168.1.1        ---                ---
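The translation table above is the place to confirm that NAT-T actually kicked in: the dynamic entry is UDP on port 4500 (not ISAKMP on 500), and the static entry is the one-to-one mapping the lab relies on. The following parser is an added check (not code from the post) that reads that output and reports it; the first sample is the table printed above, the second is a constructed variant of what a PAT device that rewrites the source port would show.

```python
"""Parse `show ip nat translations` and report whether the IPsec peers are
using NAT-T. Added check, not code from the post. SAMPLE_NAT_TABLE is the
table printed in the post; CONSTRUCTED_PAT_TABLE is made up for contrast.
"""
from typing import Dict, List, Optional, Tuple

SAMPLE_NAT_TABLE = """\
Pro          Inside global      Inside local       Outside local      Outside global
udp 100.100.100.100:4500 192.168.1.1:4500 192.168.2.1:4500   192.168.2.1:4500
--- 100.100.100.100    192.168.1.1        ---                ---
"""

# Constructed: same peers behind a PAT device that picked a different global port
CONSTRUCTED_PAT_TABLE = """\
Pro          Inside global      Inside local       Outside local      Outside global
udp 100.100.100.100:1025 192.168.1.1:4500 192.168.2.1:4500   192.168.2.1:4500
"""

IKE_PORT = 500       # ISAKMP before the peers detect a NAT in the path
NAT_T_PORT = 4500    # IKE and UDP-encapsulated ESP after NAT detection

Endpoint = Tuple[Optional[str], Optional[int]]


def _split_endpoint(field: str) -> Endpoint:
    """'192.168.1.1:4500' -> ('192.168.1.1', 4500); bare address -> (addr, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    if ":" in field:
        addr, port = field.rsplit(":", 1)
        return addr, int(port)
    return field, None


def parse_nat_translations(text: str) -> List[Dict]:
    """One dict per translation row; the header line has more than five tokens and is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": None if proto == "---" else proto,   # '---' marks a static (address-only) entry
            "inside_global": _split_endpoint(ig),
            "inside_local": _split_endpoint(il),
            "outside_local": _split_endpoint(ol),
            "outside_global": _split_endpoint(og),
        })
    return rows


def ipsec_nat_summary(rows: List[Dict]) -> Dict:
    """Classify entries: NAT-T data plane on UDP/4500, IKE still on UDP/500, or static mapping.
    port_preserved turns False if the NAT rewrote the 4500 source port, which a PAT device may do."""
    summary = {"nat_t": [], "ike_500": [], "static": [], "port_preserved": True}
    for r in rows:
        ig_addr, ig_port = r["inside_global"]
        il_addr, il_port = r["inside_local"]
        if r["proto"] is None:
            summary["static"].append((il_addr, ig_addr))
        elif r["proto"] == "udp" and il_port == NAT_T_PORT:
            summary["nat_t"].append((il_addr, ig_addr))
            if ig_port != il_port:
                summary["port_preserved"] = False
        elif r["proto"] == "udp" and il_port == IKE_PORT:
            summary["ike_500"].append((il_addr, ig_addr))
    return summary
```

If the summary shows only an `ike_500` entry and no `nat_t` entry after traffic has been sent, the peers negotiated phase 1 but never switched to port 4500, which usually means one side does not support or has disabled NAT-T.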


SITE-A-ROUTER#show crypto ipsec sa

interface: Serial4/0
    Crypto map tag: CRYPTO-MAP, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 192.168.2.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2219, #pkts encrypt: 2219, #pkts digest: 2219
    #pkts decaps: 2219, #pkts decrypt: 2219, #pkts verify: 2219
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/0
     current outbound spi: 0x3BD9F3C0(1004139456)
     PFS (Y/N): N, DH group: none







What is IPsec NAT Exemption? How to configure IPsec tunnel with NAT Exempt?

Internetworks

 IPsec NAT Exemption


NAT (Network Address Translation) is used to translate private IP addresses into public IP addresses. NAT changes the source and destination IP addresses and ports. Address translation reduces the need for public IPv4 addresses and also hides the private network address ranges.


Internet protocol security (IPsec) is a framework that helps us to protect our IP traffic on the network layer. IPsec allows two or more hosts to communicate in a secure manner by authenticating and encrypting each IP packet of a communication session.


NAT and IPsec are different in nature: NAT manipulates the IP packet, while IPsec is built to preserve it, so IPsec does not work with NAT. We have to exclude (bypass NAT for) the traffic that is going to be encrypted. NAT must not be applied to the traffic that IPsec protects, but NAT must still be applied to the inside hosts so that they can reach the internet.


NAT exemption is a method that excludes traffic from being translated by NAT. It is the preferred way to bypass NAT for traffic flowing over a VPN tunnel.

R1(config)#ip access-list extended NAT-TRAFFIC

R1(config-ext-nacl)#5 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
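To see what the deny entry above actually does inside the NAT decision, here is an added Python model (not code from the post) of how the router evaluates the NAT access list for a flow: entries are checked in sequence order, the first hit wins, and only a permit selects the flow for translation. The seq 5 deny is the entry from the post; the seq 10 `permit ... any`, the flows and the wrongly ordered list are constructed assumptions for the example.

```python
"""How a router decides whether to translate a flow once a NAT exemption
entry is in the NAT access list. Added illustration, not code from the post.
The seq 5 deny is the post's; the permit entry and the flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str     # "permit" or "deny"
    src: str        # IOS "network wildcard" pair, or "any"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    network, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def first_match(acl: List[Ace], src: str, dst: str) -> Optional[Ace]:
    """Entries are evaluated top down by sequence number; the first hit wins."""
    for ace in sorted(acl, key=lambda e: e.seq):
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace
    return None


def nat_decision(acl: List[Ace], src: str, dst: str) -> str:
    """For `ip nat inside source list <acl> ...` a permit selects the flow for
    translation; a deny, or the implicit deny at the end, bypasses NAT."""
    ace = first_match(acl, src, dst)
    return "translate" if ace is not None and ace.action == "permit" else "bypass"


# NAT-TRAFFIC as in the post (seq 5), plus an assumed permit for internet-bound traffic
NAT_TRAFFIC = [
    Ace(5, "deny", "192.168.10.0 0.0.0.255", "192.168.30.0 0.0.0.255"),   # VPN traffic: exempt
    Ace(10, "permit", "192.168.10.0 0.0.0.255", "any"),                  # everything else: NAT
]

# Constructed mistake: the same two entries with the permit sequenced first
WRONG_ORDER = [
    Ace(5, "permit", "192.168.10.0 0.0.0.255", "any"),
    Ace(10, "deny", "192.168.10.0 0.0.0.255", "192.168.30.0 0.0.0.255"),
]


def demo() -> dict:
    """Decisions for a VPN flow, an internet flow, a subnet not in the list, and the bad ordering."""
    return {
        "vpn_flow": nat_decision(NAT_TRAFFIC, "192.168.10.2", "192.168.30.2"),
        "internet_flow": nat_decision(NAT_TRAFFIC, "192.168.10.2", "203.0.113.10"),
        "other_subnet": nat_decision(NAT_TRAFFIC, "192.168.50.2", "203.0.113.10"),
        "vpn_flow_wrong_order": nat_decision(WRONG_ORDER, "192.168.10.2", "192.168.30.2"),
    }
```

The last key shows the failure mode worth remembering: with the permit sequenced before the deny, the VPN-bound flow is translated before the crypto map ever sees it, so its source no longer matches the crypto ACL and the tunnel traffic silently goes out unencrypted or is dropped. The deny must carry the lower sequence number, which is why the post inserts it as entry 5.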

NAT exemption is usually used in the following scenarios:
  • Legacy policy-based IPsec VPNs
  • Remote access VPNs
  • Site-to-site VPN tunnels
  • When we have a lot of VPN tunnels with customers and we don't want to conflict with the IPs on their networks


Let's see the configuration for a better understanding:


topology:-



Goal:
  1. First, configure the IP addresses as per the topology above
  2. Configure the default route and the static routes
  3. Verify the default and static routing with a ping from PC 192.168.10.2 to 192.168.30.2 and vice versa
  4. Enable crypto isakmp on both sites
  5. Configure an extended ACL to tell the router which traffic is to be encrypted
  6. Configure the crypto isakmp policy on both sites
  7. Configure the crypto key on both sites and make sure it is identical
  8. Configure the IPsec transform-set; its name will be IPsec-tunnel on both sites
  9. Configure the IPsec security association lifetime of 1800 seconds on both sites
  10. Configure the crypto map; the name of the map will be "map" on both sites
  11. Apply the crypto map on interface serial 4/0 on router 1 and serial 4/1 on router 2

How to configure IPsec VPN site to sites?

Internetworks

 

IPsec (Internet Protocol Security) is a set of protocols developed by the Internet Engineering Task Force (IETF). It is a framework that helps us protect our IP traffic at the network layer. Why? Because the IP protocol itself has no security features at all. IPsec allows two or more hosts to communicate securely by authenticating and encrypting each IP packet of a communication session.


We already discussed IPsec and DMVPN in the previous blogs, so before starting this easy lab we need to look at a few topics.



An extended access list can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. These are the ACLs that use source IP, destination IP, source port and destination port, and with them we can also state which IP traffic should be allowed or denied. This gives the extended access list the ability to make much more granular decisions when controlling traffic. Numbered extended ACLs use the ranges 100-199 and 2000-2699. (It is very important to use an extended ACL with an IPsec VPN: the access list is what tells the router which traffic to encrypt.)

crypto isakmp enable: this command enables IKE for IPsec. IKE is enabled by default, but if it has been disabled you must enable it again with this command. IKE is also called ISAKMP. It is a negotiation protocol that allows two hosts to agree on how to build an IPsec security association. IKE separates the negotiation into two phases: phase 1 creates the first tunnel, and phase 2 creates the tunnel that protects the data.

crypto isakmp policy (Internet Security Association and Key Management Protocol policy): we need to create an ISAKMP policy for the IKE phase 1 negotiation and define the authentication, encryption and hash function that will protect the control traffic between the VPN endpoints.


ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults


The crypto isakmp key is a pre-shared key; this is the authentication method selected in the IKE policy. We must configure a key on each site router, and the same key must be configured on the other endpoint of the VPN. The pre-shared keys must match for authentication to succeed.

A crypto ipsec transform-set is a combination of algorithms and protocols that together make up a security policy. Here we have the encapsulation protocol, where you can choose ESP or AH; the encryption, which can be DES, 3DES or AES; and the hashing, which can be MD5, SHA-1 or SHA-2.

R1(config)#crypto ipsec transform-set INTERNETWORKS ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

R1(config)#crypto ipsec transform-set INTERNETWORKS COMp-lzs ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

A crypto map is used to bind the ACL configured earlier to a peer and to the other IKE and IPsec settings. You have to set the peer, and the map is applied on the interface that points toward the IPsec peer.
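One property of the `match address` ACL that the crypto map relies on is that the two peers' crypto ACLs must be mirror images of each other (Site B's source/destination pairs are Site A's swapped), otherwise the IPsec proxy identities will not agree during phase 2. The following helper is an added check (not code from the post) that parses two crypto ACLs and lists entries without a mirror. The sample lists are the `important-traffic` ACLs from the NAT-T lab earlier on this page; the broken variant with an extra entry is constructed.

```python
"""Check that two crypto ACLs are mirror images, as the crypto map's
`match address` requires. Added helper, not code from the post; the sample
ACLs are the important-traffic lists from the NAT-T lab, the broken one is
constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CryptoAce:
    proto: str
    src: str    # "network wildcard", "host a.b.c.d" normalised to "a.b.c.d 0.0.0.0", or "any"
    dst: str


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one IOS address specification from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_crypto_acl(lines: List[str]) -> List[CryptoAce]:
    """Parse lines such as '10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255'.
    Only permit entries select traffic to encrypt, so deny entries are ignored here."""
    aces = []
    for line in lines:
        parts = line.split()
        if parts and parts[0].isdigit():     # strip the sequence number
            parts = parts[1:]
        if len(parts) < 4 or parts[0] != "permit":
            continue
        proto = parts[1]
        src, rest = _take_addr(parts[2:])
        dst, _ = _take_addr(rest)
        aces.append(CryptoAce(proto, src, dst))
    return aces


def mirror_of(ace: CryptoAce) -> CryptoAce:
    return CryptoAce(ace.proto, ace.dst, ace.src)


def mirror_problems(side_a: List[CryptoAce], side_b: List[CryptoAce]) -> List[str]:
    """Every permit on one side must have its swapped counterpart on the other side."""
    problems = []
    a_set, b_set = set(side_a), set(side_b)
    for ace in side_a:
        if mirror_of(ace) not in b_set:
            problems.append(f"A: {ace.proto} {ace.src} -> {ace.dst} has no mirror on B")
    for ace in side_b:
        if mirror_of(ace) not in a_set:
            problems.append(f"B: {ace.proto} {ace.src} -> {ace.dst} has no mirror on A")
    return problems


# From the NAT-T lab above
SITE_A_ACL = ["10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255"]
SITE_B_ACL = ["10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255"]

# Constructed: Site B also encrypts towards a subnet Site A knows nothing about
SITE_B_BROKEN = SITE_B_ACL + ["20 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255"]
```

Run it on both routers' `show ip access-list` output before applying the crypto maps; a non-empty result is the usual cause of a phase 1 that completes while phase 2 never builds an SA.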




In this lab, we will configure an IPsec VPN using Cisco IOS and encrypt the traffic from router 1 to R2, R3 and R4, and vice versa, from fastethernet 0/0.

Let's see the topology: -



  • configure the topology as per the diagram
  • assign the IP addresses
  • configure the default route on routers 1, 2, 3 and 4, and configure the static routes on router 5
  • make sure all the routers can ping each other
  • configure the extended ACL
  • enable crypto ISAKMP
  • configure the ISAKMP policy: authentication, encryption, DH group and hash sha
  • configure the pre-shared keys and share them
  • configure the IPsec transform set
  • configure the lifetimes
  • configure the crypto map
  • apply the crypto map on the interface


R1(config)#Hostname SITE-ONE-ROUTE
SITE-ONE-ROUTE(config)#interface serial 4/0
SITE-ONE-ROUTE(config-if)#ip address 192.168.1.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#exit


SITE-ONE-ROUTE(config)#interface fastethernet 0/0
SITE-ONE-ROUTE(config-if)#ip address 192.168.10.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#no keepalive
SITE-ONE-ROUTE(config-if)#exit

SITE-ONE-ROUTE(config)#interface loopback 1
SITE-ONE-ROUTE(config-if)#ip address 11.1.1.1 255.255.255.0
SITE-ONE-ROUTE(config-if)#no shutdown
SITE-ONE-ROUTE(config-if)#exit


SITE-ONE-ROUTE#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.10.1    YES manual up                    up
Serial4/0                  192.168.1.1     YES manual up                    up
Loopback1                  11.1.1.1        YES manual up                    up

R2(config)#interface serial 4/1
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.20.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#no keepalive
R2(config-if)#exit

R2(config)#interface loopback 1
R2(config-if)#ip address 22.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit


R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.20.1    YES manual up                    up
Serial4/1                  192.168.2.1     YES manual up                    up
Loopback1                  22.1.1.1        YES manual up                    up



R3(config)#interface serial 4/2
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.30.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#no keepalive
R3(config-if)#exit

R3(config)#interface loopback 1
R3(config-if)#ip address 33.1.1.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.30.1    YES manual up                    up
Serial4/2                  192.168.3.1     YES manual up                    up
Loopback1                  33.1.1.1        YES manual up                    up


R4(config)#interface serial 4/3
R4(config-if)#ip address 192.168.4.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 192.168.40.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface loopback 1
R4(config-if)#ip address 44.1.1.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#end

R4#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.40.1    YES manual up                    up
Serial4/3                  192.168.4.1     YES manual up                    up
Loopback1                  44.1.1.1        YES manual up                    up



INTERNET-ROUTER(config)#interface serial 4/0
INTERNET-ROUTER(config-if)#ip address 192.168.1.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit

INTERNET-ROUTER(config)#interface serial 4/1
INTERNET-ROUTER(config-if)#ip address 192.168.2.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit

INTERNET-ROUTER(config)#interface serial 4/2
INTERNET-ROUTER(config-if)#ip address 192.168.3.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit

INTERNET-ROUTER(config)#interface serial 4/3
INTERNET-ROUTER(config-if)#ip address 192.168.4.2 255.255.255.0
INTERNET-ROUTER(config-if)#no shutdown
INTERNET-ROUTER(config-if)#exit
INTERNET-ROUTER(config)#end

INTERNET-ROUTER#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial4/0                  192.168.1.2     YES manual up                    up
Serial4/1                  192.168.2.2     YES manual up                    up
Serial4/2                  192.168.3.2     YES manual up                    up
Serial4/3                  192.168.4.2     YES manual up                    up




INTERNET-ROUTER(config)#ip route 192.168.1.0 255.255.255.0 192.168.1.1
INTERNET-ROUTER(config)#ip route 192.168.10.0 255.255.255.0 192.168.1.1
INTERNET-ROUTER(config)#ip route 11.1.1.0 255.255.255.0 192.168.1.1

INTERNET-ROUTER(config)#ip route 192.168.2.0 255.255.255.0 192.168.2.1
INTERNET-ROUTER(config)#ip route 192.168.20.0 255.255.255.0 192.168.2.1
INTERNET-ROUTER(config)#ip route 22.1.1.0 255.255.255.0 192.168.2.1

INTERNET-ROUTER(config)#ip route 192.168.3.0 255.255.255.0 192.168.3.1
INTERNET-ROUTER(config)#ip route 192.168.30.0 255.255.255.0 192.168.3.1
INTERNET-ROUTER(config)#ip route 33.1.1.0 255.255.255.0 192.168.3.1

INTERNET-ROUTER(config)#ip route 192.168.4.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#ip route 192.168.40.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#ip route 44.1.1.0 255.255.255.0 192.168.4.1
INTERNET-ROUTER(config)#exit

SITE-ONE-ROUTE(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
SITE-ONE-ROUTE(config)#exit

SITE-ONE-ROUTE#show ip route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0
C    192.168.10.0/24 is directly connected, FastEthernet0/0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.1.1.0 is directly connected, Loopback1
C    192.168.1.0/24 is directly connected, Serial4/0
S*   0.0.0.0/0 [1/0] via 192.168.1.2

SITE-ONE-ROUTE#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/62/68 ms

SITE-ONE-ROUTE#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/80 ms

SITE-ONE-ROUTE#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/63/80 ms


SITE-TWO-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2
SITE-TWO-ROUTER(config)#end

SITE-TWO-ROUTER#show ip route

Gateway of last resort is 192.168.2.2 to network 0.0.0.0
     22.0.0.0/24 is subnetted, 1 subnets
C       22.1.1.0 is directly connected, Loopback1
C    192.168.20.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, Serial4/1
S*   0.0.0.0/0 [1/0] via 192.168.2.2

SITE-TWO-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/61/68 ms

SITE-TWO-ROUTER#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/81/100 ms

SITE-TWO-ROUTER#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/89/116 ms


SITE-THREE-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
SITE-THREE-ROUTER(config)#EXIT
SITE-THREE-ROUTER#end

SITE-THREE-ROUTER#show ip route

Gateway of last resort is 192.168.3.2 to network 0.0.0.0
     33.0.0.0/24 is subnetted, 1 subnets
C       33.1.1.0 is directly connected, Loopback1
C    192.168.30.0/24 is directly connected, FastEthernet0/0
C    192.168.3.0/24 is directly connected, Serial4/2
S*   0.0.0.0/0 [1/0] via 192.168.3.2

SITE-THREE-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/68 ms

SITE-THREE-ROUTER#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/62/80 ms

SITE-THREE-ROUTER#ping 192.168.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/63/80 ms

SITE-FOUR-ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.4.2
SITE-FOUR-ROUTER(config)#EXIT

SITE-FOUR-ROUTER#show ip route

Gateway of last resort is 192.168.4.2 to network 0.0.0.0
C    192.168.40.0/24 is directly connected, FastEthernet0/0
C    192.168.4.0/24 is directly connected, Serial4/3
     44.0.0.0/24 is subnetted, 1 subnets
C       44.1.1.0 is directly connected, Loopback1
S*   0.0.0.0/0 [1/0] via 192.168.4.2

SITE-FOUR-ROUTER#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/63/72 ms

SITE-FOUR-ROUTER#ping 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/58/64 ms

SITE-FOUR-ROUTER#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/64 ms

SITE-ONE-ROUTE(config)#ip access-list extended INTERNETWORKS
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
SITE-ONE-ROUTE(config-ext-nacl)#exit

SITE-ONE-ROUTE#show access-lists
Extended IP access list INTERNETWORKS
    10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
    20 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
    30 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255



SITE-TWO-ROUTER(config)#ip access-list extended INTERNETWORKS
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255
SITE-TWO-ROUTER(config-ext-nacl)#exit

SITE-TWO-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
    20 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
    30 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255




SITE-THREE-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
    10 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
    20 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
    30 permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255



SITE-FOUR-ROUTER(config)#ip access-list extended INTERNETWORKS
SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
SITE-FOUR-ROUTER(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
SITE-FOUR-ROUTER(config-ext-nacl)#exit

SITE-FOUR-ROUTER#show access-lists
Extended IP access list INTERNETWORKS
    10 permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
    20 permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
    30 permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255


SITE-ONE-ROUTE(config)#crypto isakmp enable

SITE-ONE-ROUTE#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit

SITE-TWO-ROUTER(config)#crypto isakmp enable
SITE-TWO-ROUTER(config)#end

SITE-TWO-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit

SITE-THREE-ROUTER(config)#crypto isakmp enable
SITE-THREE-ROUTER(config)#end

SITE-THREE-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit


SITE-FOUR-ROUTER(config)#crypto isakmp enable
SITE-FOUR-ROUTER(config)#end

SITE-FOUR-ROUTER#show crypto isakmp policy
Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit

SITE-ONE-ROUTE(config)#crypto isakmp policy 10
SITE-ONE-ROUTE(config-isakmp)#authentication pre-share
SITE-ONE-ROUTE(config-isakmp)#encryption aes 256
SITE-ONE-ROUTE(config-isakmp)#hash sha
SITE-ONE-ROUTE(config-isakmp)#group 5
SITE-ONE-ROUTE(config-isakmp)#lifetime 3600
SITE-ONE-ROUTE(config-isakmp)#exit

SITE-TWO-ROUTER(config)#crypto isakmp policy 10
SITE-TWO-ROUTER(config-isakmp)#authentication pre-share
SITE-TWO-ROUTER(config-isakmp)#encryption aes 256
SITE-TWO-ROUTER(config-isakmp)#hash sha
SITE-TWO-ROUTER(config-isakmp)#group 5
SITE-TWO-ROUTER(config-isakmp)#lifetime 3600
SITE-TWO-ROUTER(config-isakmp)#exit

SITE-THREE-ROUTER(config)#crypto isakmp policy 10
SITE-THREE-ROUTER(config-isakmp)#authentication pre-share
SITE-THREE-ROUTER(config-isakmp)#encryption aes 256
SITE-THREE-ROUTER(config-isakmp)#hash sha
SITE-THREE-ROUTER(config-isakmp)#group 5
SITE-THREE-ROUTER(config-isakmp)#lifetime 3600
SITE-THREE-ROUTER(config-isakmp)#exit

SITE-FOUR-ROUTER(config)#crypto isakmp policy 10
SITE-FOUR-ROUTER(config-isakmp)#authentication pre-share
SITE-FOUR-ROUTER(config-isakmp)#encryption aes 256
SITE-FOUR-ROUTER(config-isakmp)#hash sha
SITE-FOUR-ROUTER(config-isakmp)#group 5
SITE-FOUR-ROUTER(config-isakmp)#lifetime 3600
SITE-FOUR-ROUTER(config-isakmp)#exit


SITE-ONE-ROUTE#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit

SITE-TWO-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit

SITE-THREE-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit

SITE-FOUR-ROUTER#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit

SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-ONE-ROUTE(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-ONE-ROUTE(config)#end

SITE-ONE-ROUTE#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      192.168.2.1                                 internetwork.in
             192.168.3.1                                 internetwork.in
             192.168.4.1                                 internetwork.in





SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-TWO-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-TWO-ROUTER(config)#end

SITE-TWO-ROUTER#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      192.168.1.1                                 internetwork.in
             192.168.3.1                                 internetwork.in
             192.168.4.1                                 internetwork.in


SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-THREE-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.4.1
SITE-THREE-ROUTER(config)#end

SITE-THREE-ROUTER#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      192.168.1.1                                 internetwork.in
             192.168.2.1                                 internetwork.in
             192.168.4.1                                 internetwork.in



SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.1.1
SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.2.1
SITE-FOUR-ROUTER(config)#crypto isakmp key 0 internetwork.in address 192.168.3.1
SITE-FOUR-ROUTER(config)#end

SITE-FOUR-ROUTER#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
default      192.168.1.1                                 internetwork.in
             192.168.2.1                                 internetwork.in
             192.168.3.1                                 internetwork.in


SITE-ONE-ROUTE(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-ONE-ROUTE(cfg-crypto-trans)#exit

SITE-TWO-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-TWO-ROUTER(cfg-crypto-trans)#exit

SITE-THREE-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-THREE-ROUTER(cfg-crypto-trans)#exit

SITE-FOUR-ROUTER(config)#crypto ipsec transform-set IPSEC-SET esp-aes 256 esp-sha-hmac
SITE-FOUR-ROUTER(cfg-crypto-trans)#exit

SITE-ONE-ROUTE#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },

SITE-TWO-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-THREE-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },

SITE-FOUR-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-ONE-ROUTE(config)#crypto ipsec security-association lifetime seconds 1800
SITE-TWO-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-THREE-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800
SITE-FOUR-ROUTER(config)#crypto ipsec security-association lifetime seconds 1800



SITE-ONE-ROUTE(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.

SITE-ONE-ROUTE(config)#crypto map CRY-MAP 10 ipsec-isakmp
SITE-ONE-ROUTE(config-crypto-map)#match address INTERNETWORKS
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.2.1
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.3.1
SITE-ONE-ROUTE(config-crypto-map)#set peer 192.168.4.1
SITE-ONE-ROUTE(config-crypto-map)#set transform-set IPSEC-SET
SITE-ONE-ROUTE(config-crypto-map)#exit


SITE-TWO-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.


SITE-TWO-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
SITE-TWO-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.3.1
SITE-TWO-ROUTER(config-crypto-map)#set peer 192.168.4.1
SITE-TWO-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-TWO-ROUTER(config-crypto-map)#exit

SITE-THREE-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.


SITE-THREE-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-THREE-ROUTER(config-crypto-map)#set peer 192.168.4.1
SITE-THREE-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-THREE-ROUTER(config-crypto-map)#exit


SITE-FOUR-ROUTER(config)#crypto map CRY-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.

SITE-FOUR-ROUTER(config-crypto-map)#match address INTERNETWORKS
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.1.1
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.2.1
SITE-FOUR-ROUTER(config-crypto-map)#set peer 192.168.3.1
SITE-FOUR-ROUTER(config-crypto-map)#set transform-set IPSEC-SET
SITE-FOUR-ROUTER(config-crypto-map)#exit

SITE-ONE-ROUTE(config)#interface serial 4/0
SITE-ONE-ROUTE(config-if)#crypto map CRY-MAP
SITE-ONE-ROUTE(config-if)#exit


*Oct  6 13:18:16.863: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-TWO-ROUTER(config)#interface serial 4/1
SITE-TWO-ROUTER(config-if)#crypto map CRY-MAP
SITE-TWO-ROUTER(config-if)#exit

*Oct  6 13:18:32.399: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-THREE-ROUTER(config)#interface serial 4/2
SITE-THREE-ROUTER(config-if)#crypto map CRY-MAP
SITE-THREE-ROUTER(config-if)#exit

*Oct  6 13:18:48.283: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

SITE-FOUR-ROUTER(config)#interface serial 4/3
SITE-FOUR-ROUTER(config-if)#crypto map CRY-MAP
SITE-FOUR-ROUTER(config-if)#exit

*Oct  6 13:19:04.939: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON



SITE-ONE-ROUTE#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-ONE-ROUTE#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
        Peer = 192.168.2.1
        Peer = 192.168.3.1
        Peer = 192.168.4.1

        Extended IP access list INTERNETWORKS
            access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255

        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                IPSEC-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRY-MAP:
                Serial4/0



SITE-TWO-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-TWO-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
        Peer = 192.168.2.1
        Peer = 192.168.3.1
        Peer = 192.168.4.1
        Peer = 192.168.1.1

        Extended IP access list INTERNETWORKS
            access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255

        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                IPSEC-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRY-MAP:
                Serial4/1



SITE-THREE-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-THREE-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
        Peer = 192.168.1.1
        Peer = 192.168.2.1
        Peer = 192.168.4.1

        Extended IP access list INTERNETWORKS
            access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.40.0 0.0.0.255

        Current peer: 192.168.1.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                IPSEC-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRY-MAP:
                Serial4/2



SITE-FOUR-ROUTER#show crypto ipsec transform-set
Transform set IPSEC-SET: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },


SITE-FOUR-ROUTER#show crypto map
Crypto Map "CRY-MAP" 10 ipsec-isakmp
        Peer = 192.168.1.1
        Peer = 192.168.2.1
        Peer = 192.168.3.1

        Extended IP access list INTERNETWORKS
            access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.20.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255

        Current peer: 192.168.1.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                IPSEC-SET:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CRY-MAP:
                Serial4/3
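As an added check that is not part of the original blog, the Python script below parses `show crypto map` output in the format shown above for each site and flags the two mismatches that most often leave a full-mesh IPsec deployment with no security associations: a peer that does not list the router back, and a crypto ACL entry with no mirror-image entry on the router that owns the destination LAN. The three inputs are constructed samples modelled on the outputs above; one deliberately lists its own address as a peer and omits a mirror entry so that both checks fire.

```python
"""Consistency check for a full mesh of Cisco crypto maps (added example,
not code from the original blog). Parses `show crypto map` text and reports
peers that are not symmetric and crypto ACL entries without a mirror image."""
import re
from ipaddress import ip_network

PEER_RE = re.compile(r"^\s*Peer = (\S+)")
ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def wildcard_to_net(addr, wildcard):
    """Turn a Cisco address/wildcard pair (192.168.10.0 0.0.0.255) into a network."""
    host_bits = sum(bin(int(octet)).count("1") for octet in wildcard.split("."))
    return ip_network(f"{addr}/{32 - host_bits}", strict=False)


def parse_crypto_map(text):
    """Extract the peer list and the (src, dst) crypto ACL entries from show output."""
    peers, acl = [], []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.append(m.group(1))
            continue
        m = ACL_RE.search(line)
        if m:
            acl.append((wildcard_to_net(m[1], m[2]), wildcard_to_net(m[3], m[4])))
    return {"peers": peers, "acl": acl}


def check_mesh(sites):
    """sites maps WAN address -> {"lan": ip_network, "map": parse_crypto_map(...)}.
    Returns human-readable problems; an empty list means the mesh is consistent."""
    problems = []
    lan_owner = {site["lan"]: wan for wan, site in sites.items()}
    for wan, site in sites.items():
        for peer in site["map"]["peers"]:
            if peer == wan:
                problems.append(f"{wan}: lists itself as a peer")
            elif peer not in sites:
                problems.append(f"{wan}: peer {peer} is not a known site")
            elif wan not in sites[peer]["map"]["peers"]:
                problems.append(f"{wan}: peer {peer} does not list {wan} back")
        for src, dst in site["map"]["acl"]:
            owner = lan_owner.get(dst)
            if owner is None:
                problems.append(f"{wan}: ACL {src} -> {dst} targets a LAN nobody owns")
            elif (dst, src) not in sites[owner]["map"]["acl"]:
                problems.append(f"{wan}: ACL {src} -> {dst} has no mirror entry on {owner}")
    return problems


# Constructed sample outputs in the `show crypto map` format. SITE_TWO deliberately
# lists its own address as a peer and lacks the mirror of SITE_THREE's 30.0 -> 20.0 rule.
SITE_ONE = """\
Crypto Map "CRY-MAP" 10 ipsec-isakmp
        Peer = 192.168.2.1
        Peer = 192.168.3.1
        Extended IP access list INTERNETWORKS
            access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
"""
SITE_TWO = """\
Crypto Map "CRY-MAP" 10 ipsec-isakmp
        Peer = 192.168.2.1
        Peer = 192.168.1.1
        Peer = 192.168.3.1
        Extended IP access list INTERNETWORKS
            access-list INTERNETWORKS permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
SITE_THREE = """\
Crypto Map "CRY-MAP" 10 ipsec-isakmp
        Peer = 192.168.1.1
        Peer = 192.168.2.1
        Extended IP access list INTERNETWORKS
            access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list INTERNETWORKS permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
SITES = {
    "192.168.1.1": {"lan": ip_network("192.168.10.0/24"), "map": parse_crypto_map(SITE_ONE)},
    "192.168.2.1": {"lan": ip_network("192.168.20.0/24"), "map": parse_crypto_map(SITE_TWO)},
    "192.168.3.1": {"lan": ip_network("192.168.30.0/24"), "map": parse_crypto_map(SITE_THREE)},
}

if __name__ == "__main__":
    for problem in check_mesh(SITES):
        print(problem)
```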


SITE-ONE-ROUTE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
IPv6 Crypto ISAKMP SA



SITE-ONE-ROUTE#ping 192.168.20.1 source 192.168.10.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (99/100), round-trip min/avg/max = 44/63/168 ms


SITE-ONE-ROUTE#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.2.1     192.168.1.1     QM_IDLE           1001 ACTIVE