What is DMVPN Phase 3? What is the difference between DMVPN phases 1, 2, and 3? How to configure DMVPN Phase 3?

Internetworks

 

DMVPN (Dynamic Multipoint VPN) is a Cisco technology for building a VPN between many sites without statically configuring a tunnel for every pair of routers. It uses a hub-and-spoke topology in which the spokes register with the hub and can then communicate directly with each other without going through the hub. DMVPN supports encryption through IPsec, which makes it a popular choice for connecting sites over ordinary Internet connections and a good backup or alternative to private networks such as MPLS VPN. In other words, DMVPN combines mGRE, NHRP, a dynamic routing protocol and IPsec.





Let's take a look at each of these technologies:

Multipoint GRE (mGRE)

Regular GRE tunnels are point-to-point and do not scale well: with many sites you end up with many point-to-point tunnel interfaces, and the configuration becomes messy quickly. With multipoint GRE there is only one tunnel interface on each router. An mGRE interface is configured with a tunnel source and tunnel mode gre multipoint but has no tunnel destination, so the single interface can reach many endpoints. This keeps costs low, minimizes configuration complexity and increases flexibility. The far end can be a point-to-point GRE or an mGRE interface, and the mapping between tunnel addresses and real endpoint addresses is done by NHRP.

https://mpls.internetworks.in/2021/02/what-is-network-tunneling-and-how-to.html


NHRP (Next Hop Resolution Protocol)

The router needs a way to find out the public IP address of the other router; this is done with NHRP (Next Hop Resolution Protocol). NHRP maps a tunnel IP address to an NBMA address (the public IP address), either statically or dynamically. It provides address resolution and caching similar to ARP and Inverse ARP. Spokes register with the hub (the next-hop server, NHS), which builds a dynamic database of spoke tunnel addresses and their public addresses; in Phase 3 the spokes also cache the spoke-to-spoke entries they resolve.

https://mpls.internetworks.in/2021/02/what-is-dmvpn-dynamic-multipoint-vpn.html


Dynamic routing protocol

Dynamic routing is used to find networks and update routing tables on routers dynamically. It is easier than using static or default routing, but it will cost you in terms of router CPU processing and bandwidth on network links.

https://www.internetworks.in/2018/10/open-shortest-path-first-ospf-basic.html

https://www.internetworks.in/2018/10/eigrp-basic.html


IPsec encryption

IPsec (Internet Protocol Security) is a set of protocols developed by the Internet Engineering Task Force (IETF). It is a framework that protects IP traffic at the network layer, which is needed because the IP protocol itself has no security features at all. IPsec allows two or more hosts to communicate securely by authenticating and encrypting each IP packet of a communication session.

https://mpls.internetworks.in/2021/07/what-is-ipsec-internet-protocol.html


DMVPN has three versions, which we call phases.

Phase 1: hub-and-spoke only. The spokes use point-to-point GRE tunnels to the hub, and all spoke-to-spoke traffic goes through the hub.
https://mpls.internetworks.in/2021/02/what-is-dmvpn-dynamic-multipoint-vpn.html

Phase 2: the spokes also use mGRE and can build direct spoke-to-spoke tunnels. The routing protocol must keep the originating spoke as the next hop (no next-hop-self on the hub), so every spoke needs the specific routes and the hub cannot summarize.
https://mpls.internetworks.in/2021/04/what-is-dmvpn-dynamic-multipoint-vpn.html
https://mpls.internetworks.in/2021/04/how-to-configure-eigrp-and-ospf-over.html

Phase 3: we configure ip nhrp redirect on the hub router and ip nhrp shortcut on the spoke routers. When the hub forwards a spoke's packet back out the same tunnel interface it arrived on, it sends an NHRP redirect to the sending spoke; the spoke resolves the destination spoke's NBMA (public) address through NHRP and installs a shortcut. Because the spokes no longer depend on the routing protocol for the next hop, the hub can keep next-hop-self and can even advertise a summary route to the spokes.

Let's see the configuration:-

Topology:-






  • Configure the topology as per the diagram 
  • Configure the IP addresses as per the topology
  • Configure static and default route 
  • Configure the tunnel 192.168.1.0/24
  • Configure EIGRP 1 and advertise tunnel interface and LAN 
  • Configure NHRP Redirect on the HUB 
  • Configure NHRP Shortcut on the spokes
  • Verify with show commands and traceroute


R1(config)#hostname Site-A-R-

Site-A-R-(config)#interface serial 4/1
Site-A-R-(config-if)#ip address 1.1.1.1 255.0.0.0
Site-A-R-(config-if)#no shutdown
Site-A-R-(config-if)#exit

Site-A-R-(config)#interface fastethernet 0/0
Site-A-R-(config-if)#ip address 10.1.1.1 255.0.0.0
Site-A-R-(config-if)#no shutdown
Site-A-R-(config-if)#no keepalive
Site-A-R-(config-if)#exit
Site-A-R-(config)#end


Site-A-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial4/1                  1.1.1.1         YES manual up                    up
Site-A-R-# wr
Building configuration...
[OK]




R2(config)#hostname Site-B-R-

Site-B-R-(config)#interface serial 4/2
Site-B-R-(config-if)#ip address 2.2.2.1 255.0.0.0
Site-B-R-(config-if)#no shutdown
Site-B-R-(config-if)#exit

Site-B-R-(config)#interface fastEthernet 0/0
Site-B-R-(config-if)#ip address 20.1.1.1 255.0.0.0
Site-B-R-(config-if)#no shutdown
Site-B-R-(config-if)#no keepalive
Site-B-R-(config-if)#exit
Site-B-R-(config)#end

Site-B-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            20.1.1.1        YES manual up                    up
Serial4/2                  2.2.2.1         YES manual up                    up

Site-B-R-#wr
Building configuration...
[OK]


Site-C-R-(config)#interface serial 4/3
Site-C-R-(config-if)#ip address 3.3.3.1 255.0.0.0
Site-C-R-(config-if)#no shutdown
Site-C-R-(config-if)#exit

Site-C-R-(config)#interface fastethernet 0/0
Site-C-R-(config-if)#ip address 30.1.1.1 255.0.0.0
Site-C-R-(config-if)#no keepalive
Site-C-R-(config-if)#no shutdown
Site-C-R-(config-if)#exit
Site-C-R-(config)#end

Site-C-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/3                  3.3.3.1         YES manual up                    up

Site-C-R-# wr
Building configuration...
[OK]


R4(config)#hostname Site-D-R-

Site-D-R-(config)#interface serial 4/4
Site-D-R-(config-if)#ip address 4.4.4.1 255.0.0.0
Site-D-R-(config-if)#no shutdown
Site-D-R-(config-if)#exit

Site-D-R-(config)#interface fastEthernet 0/0
Site-D-R-(config-if)#ip address 40.1.1.1 255.0.0.0
Site-D-R-(config-if)#no shutdown
Site-D-R-(config-if)#exit

Site-D-R-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            40.1.1.1        YES manual up                    up
Serial4/4                  4.4.4.1         YES manual up                    up

Site-D-R-#wr
Building configuration...
[OK]


R5(config)#hostname INTERNET-ROUTER-

INTERNET-ROUTER-(config)#interface serial 4/1
INTERNET-ROUTER-(config-if)#ip address 1.1.1.2 255.0.0.0
INTERNET-ROUTER-(config-if)#no shutdown
INTERNET-ROUTER-(config-if)#exit

INTERNET-ROUTER-(config)#interface serial 4/2
INTERNET-ROUTER-(config-if)#ip address 2.2.2.2 255.0.0.0
INTERNET-ROUTER-(config-if)#no shutdown
INTERNET-ROUTER-(config-if)#exit

INTERNET-ROUTER-(config)#interface serial 4/3
INTERNET-ROUTER-(config-if)#ip address 3.3.3.2 255.0.0.0
INTERNET-ROUTER-(config-if)#no shutdown
INTERNET-ROUTER-(config-if)#exit

INTERNET-ROUTER-(config)#interface serial 4/4
INTERNET-ROUTER-(config-if)#ip address 4.4.4.2 255.0.0.0
INTERNET-ROUTER-(config-if)#no shutdown
INTERNET-ROUTER-(config-if)#exit

INTERNET-ROUTER-#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial4/1                  1.1.1.2         YES manual up                    up
Serial4/2                  2.2.2.2         YES manual up                    up
Serial4/3                  3.3.3.2         YES manual up                    up
Serial4/4                  4.4.4.2         YES manual up                    up

INTERNET-ROUTER-#wr
Building configuration...
[OK]


Site-A-R-(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1
Site-A-R-(config)#end

Site-A-R-#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/1

Site-A-R-#wr
Building configuration...
[OK]


Site-B-R-(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2
Site-B-R-(config)#end

Site-B-R-#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/2

Site-B-R-#write
Building configuration...
[OK]


Site-C-R-(config)#ip route 0.0.0.0 0.0.0.0 serial 4/3
Site-C-R-(config)#end

Site-C-R-#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/3

Site-C-R-#write
Building configuration...
[OK]

Site-D-R-(config)#ip route 0.0.0.0 0.0.0.0 serial 4/4
Site-D-R-(config)#end

Site-D-R-#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/4

Site-D-R-#write
Building configuration...
[OK]


Site-A-R-(config)#interface tunnel 1
Site-A-R-(config-if)#ip address 192.168.1.1 255.255.255.0
Site-A-R-(config-if)#tunnel source 1.1.1.1
Site-A-R-(config-if)#tunnel mode gre multipoint
Site-A-R-(config-if)#ip nhrp network-id 1
Site-A-R-(config-if)#ip nhrp map multicast dynamic
Site-A-R-(config-if)#exit

Site-A-R-#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.1.1/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1
  Tunnel protocol/transport multi-GRE/IP








Site-A-R-(config)#router eigrp 1
Site-A-R-(config-router)#network 192.168.1.0
Site-A-R-(config-router)#network 10.0.0.0
Site-A-R-(config-router)#no auto-summary
Site-A-R-(config-router)#exit




Site-A-R-(config)#interface tunnel 1
Site-A-R-(config-if)#no ip split-horizon eigrp 1
Site-A-R-(config-if)#ip next-hop-self eigrp 1
Site-A-R-(config-if)#ip nhrp redirect
Site-A-R-(config-if)#exit
Site-A-R-(config)#end




Site-B-R-(config)#interface tunnel 1
Site-B-R-(config-if)#ip address 192.168.1.2 255.255.255.0
Site-B-R-(config-if)#tunnel source 2.2.2.1
Site-B-R-(config-if)#tunnel mode gre multipoint
Site-B-R-(config-if)#ip nhrp network-id 2
Site-B-R-(config-if)#ip nhrp map 192.168.1.1 1.1.1.1
Site-B-R-(config-if)#ip nhrp nhs 192.168.1.1
Site-B-R-(config-if)#ip nhrp map multicast 1.1.1.1
Site-B-R-(config-if)#exit

Site-B-R-#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.1.2/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2.2.2.1
  Tunnel protocol/transport multi-GRE/IP



Site-B-R-(config)#router eigrp 1
Site-B-R-(config-router)#network 192.168.1.0
Site-B-R-(config-router)#network 20.0.0.0
Site-B-R-(config-router)#no auto-summary
Site-B-R-(config-router)#exit




Site-B-R-(config)#interface tunnel 1
Site-B-R-(config-if)#ip nhrp shortcut
Site-B-R-(config-if)#exit
Site-B-R-(config)#end






Site-B-R-#traceroute 10.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 10.1.1.1

  1 192.168.1.1 56 msec 56 msec 60 msec


Site-C-R-(config)#interface tunnel 1
Site-C-R-(config-if)#ip address 192.168.1.3 255.255.255.0
Site-C-R-(config-if)#tunnel source 3.3.3.1
Site-C-R-(config-if)#tunnel mode gre multipoint
Site-C-R-(config-if)#ip nhrp network-id 3
Site-C-R-(config-if)#ip nhrp map 192.168.1.1 1.1.1.1
Site-C-R-(config-if)#ip nhrp nhs 192.168.1.1
Site-C-R-(config-if)#ip nhrp map multicast 1.1.1.1
Site-C-R-(config-if)#exit

Site-C-R-#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.1.3/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 3.3.3.1
  Tunnel protocol/transport multi-GRE/IP



Site-C-R-(config)#router eigrp 1
Site-C-R-(config-router)#network 192.168.1.0
Site-C-R-(config-router)#network 30.0.0.0
Site-C-R-(config-router)#no auto-summary
Site-C-R-(config-router)#exit

Site-C-R-(config)#interface tunnel 1
Site-C-R-(config-if)#ip nhrp shortcut
Site-C-R-(config-if)#exit
Site-C-R-(config)#end








Site-C-R-#traceroute 10.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 10.1.1.1

  1 192.168.1.1 64 msec 64 msec 60 msec

Site-C-R-#traceroute 20.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 20.1.1.1

  1 192.168.1.2 56 msec 64 msec 60 msec



Site-D-R-(config)#interface tunnel 1
Site-D-R-(config-if)#ip address 192.168.1.4 255.255.255.0
Site-D-R-(config-if)#tunnel source 4.4.4.1
Site-D-R-(config-if)#tunnel mode gre multipoint
Site-D-R-(config-if)#ip nhrp network-id 4
Site-D-R-(config-if)#ip nhrp map 192.168.1.1 1.1.1.1
Site-D-R-(config-if)#ip nhrp nhs 192.168.1.1
Site-D-R-(config-if)#ip nhrp map multicast 1.1.1.1
Site-D-R-(config-if)#exit

Site-D-R-#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.1.4/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 4.4.4.1
  Tunnel protocol/transport multi-GRE/IP


Site-D-R-(config)#router eigrp 1
Site-D-R-(config-router)#network 192.168.1.0
Site-D-R-(config-router)#network 40.0.0.0
Site-D-R-(config-router)#exit

Site-D-R-(config)#interface tunnel 1
Site-D-R-(config-if)#ip nhrp shortcut
Site-D-R-(config-if)#exit
Site-D-R-(config)#end






Site-D-R-#traceroute 10.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 10.1.1.1

  1 192.168.1.1 56 msec 52 msec 72 msec


Site-D-R-#traceroute 20.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 20.1.1.1

  1 192.168.1.1 56 msec 64 msec 56 msec
  2 192.168.1.2 128 msec 116 msec 100 msec


Site-D-R-#traceroute 30.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.1.1 56 msec 60 msec 72 msec
  2 192.168.1.3 128 msec 144 msec 92 msec

The two-hop paths from Site-D to Site-B and Site-C are expected for the first packets between two spokes: the hub forwards them and, because they leave through the same tunnel interface they arrived on, sends an NHRP redirect to Site-D. Site-D then resolves the destination spoke's NBMA address and installs a shortcut, after which the hub disappears from the path, as in the Site-C trace to 20.1.1.1 above. Run the traceroute again to confirm, and check the result with show ip nhrp (the hub holds the registered spokes, each spoke a dynamic entry for the peer it just resolved) and show dmvpn.
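The lab above builds mGRE, NHRP and EIGRP but no IPsec, so everything inside the tunnels, EIGRP updates included, crosses the Internet router in clear text, and any host that can reach 1.1.1.1 can send NHRP packets to the hub. The following is an added example, not configuration from the original post, showing the IPsec tunnel protection and NHRP authentication that a production DMVPN adds on top of the Tunnel1 configuration above. It assumes IKEv1 with a pre-shared key, matching the later sections of this page; the policy number 10, the names DMVPN-TS and DMVPN-PROF, the key and the NHRP authentication string are placeholders of mine.

```cisco
! Added example: IPsec tunnel protection and NHRP authentication for the
! Phase 3 lab above. Names, policy number, key and NHRP string are
! placeholders; IKEv1 with a pre-shared key is assumed.
!
! ---- Hub: Site-A-R- ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard key: spoke addresses are dynamic, so the hub cannot key per
! peer. Any router holding this key can join the cloud.
crypto isakmp key DMVPN-PSK-CHANGE-ME address 0.0.0.0 0.0.0.0
!
! Transport mode: the outer mGRE/IP header already carries the NBMA
! addresses, so only the GRE packet is protected (20 bytes less overhead
! than tunnel mode, and required when a spoke sits behind NAT).
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel1
 ! existing ip address / tunnel source / tunnel mode gre multipoint /
 ! NHRP / EIGRP lines from the lab stay as they are
 ip nhrp authentication DMVPN1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile DMVPN-PROF
!
! ---- Spoke: Site-B-R- (Site-C-R- and Site-D-R- are identical) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Spokes also need the wildcard: Phase 3 shortcut tunnels terminate on
! other spokes, whose addresses this spoke does not know in advance.
crypto isakmp key DMVPN-PSK-CHANGE-ME address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel1
 ip nhrp authentication DMVPN1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile DMVPN-PROF
```

Because spokes build IPsec sessions directly to each other in Phase 3, every spoke must be able to authenticate every other spoke, which with pre-shared keys means the same wildcard key on all routers; one compromised spoke therefore exposes the key for the whole cloud, which is why certificate (PKI) authentication is the recommended choice for DMVPN. ip nhrp authentication is only a misconfiguration guard, not a security control: the string is carried in clear text and limited to 8 characters, so the real protection against rogue spokes is IKE authentication. Verify with show dmvpn (each peer should be in state UP) and show crypto ipsec sa; the ip mtu and adjust-mss lines avoid fragmentation once the ESP overhead is added.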




What is SVTI Virtual Tunnel Interface? How to configure IPsec Static virtual tunnel?

Internetworks

 

A virtual tunnel interface (VTI) is also called native IPsec. A VTI does the same job as GRE with IPsec: both protect the tunnel with IPsec, but VTI removes the additional 4-byte GRE header, so less bandwidth is spent on encapsulation overhead when sending encrypted data. Because a VTI is a normal routable interface, you can apply ACLs, NAT and QoS to it. Remember that the default mode of a tunnel interface is GRE; you have to set tunnel mode ipsec ipv4 to configure an SVTI.

There are two types of VTI (Virtual Tunnel Interface)

1.      Static Virtual Tunnel Interface

2.      Dynamic Virtual Tunnel Interface






The configuration for SVTI is very simple: we do not need to define interesting traffic with an ACL, because everything routed into the tunnel interface is encrypted. It is the same as the configuration for GRE with IPsec, with one small difference: we have to set the tunnel mode to IPsec.

Let's see the topology: https://youtu.be/b3wNC8mAI9E?si=NtBhT1iXmevfqbu7



  • Configure the topology as per the diagram
  • Assign the IP addresses as per the topology
  • Configure static and default routes
  • Configure the tunnel between Site-A-R and Site-B-R
  • Configure EIGRP and advertise the tunnel interface and the LAN network on both sites
  • Configure IPsec and apply it on the tunnel interface
  • Make sure the data is encrypted





Site-A-router(config)#interface serial 4/0
Site-A-router(config-if)#ip address 1.1.1.1 255.0.0.0
Site-A-router(config-if)#no shutdown
Site-A-router(config-if)#exit

Site-A-router(config)#interface fastEthernet 0/0
Site-A-router(config-if)#ip address 10.1.1.1 255.0.0.0
Site-A-router(config-if)#no shutdown
Site-A-router(config-if)#exit

INTERNET(config)#interface serial 4/0
INTERNET(config-if)#ip address 1.1.1.2 255.0.0.0
INTERNET(config-if)#no shutdown
INTERNET(config-if)#exit

INTERNET(config)#interface serial 4/1
INTERNET(config-if)#ip address 3.3.3.1 255.0.0.0
INTERNET(config-if)#no shutdown
INTERNET(config-if)#exit

INTERNET(config)#interface serial 4/2
INTERNET(config-if)#ip address 4.4.4.1 255.0.0.0
INTERNET(config-if)#no shutdown
INTERNET(config-if)#exit

Site-B-router(config)#interface serial 4/1
Site-B-router(config-if)#ip address 3.3.3.2 255.0.0.0
Site-B-router(config-if)#no shutdown
Site-B-router(config-if)#exit

Site-B-router(config)#interface fastEthernet 0/0
Site-B-router(config-if)#ip address 30.1.1.1 255.0.0.0
Site-B-router(config-if)#no shutdown
Site-B-router(config-if)#exit

Site-C-router(config)#interface serial 4/2
Site-C-router(config-if)#ip address 4.4.4.2 255.0.0.0
Site-C-router(config-if)#no shutdown
Site-C-router(config-if)#exit

Site-C-router(config)#interface fastEthernet 0/0
Site-C-router(config-if)#ip address 40.1.1.1 255.0.0.0
Site-C-router(config-if)#no shutdown
Site-C-router(config-if)#exit

Site-A-router(config)#do show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up

INTERNET(config-if)#do show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Serial4/0                  1.1.1.2         YES manual up                    up
Serial4/1                  3.3.3.1         YES manual up                    up
Serial4/2                  4.4.4.1         YES manual up                    up

Site-B-router#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/1                  3.3.3.2         YES manual up                    up

Site-C-router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            40.1.1.1        YES manual up                    up
Serial4/2                  4.4.4.2         YES manual up                    up



Site-A-router(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2

INTERNET(config)#ip route 10.0.0.0 255.0.0.0 1.1.1.1
INTERNET(config)#ip route 30.0.0.0 255.0.0.0 3.3.3.2

Site-B-router(config)#ip route 0.0.0.0 0.0.0.0 3.3.3.1


Site-A-router(config)#do trace 30.1.1.1

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 1.1.1.2 16 msec 48 msec 20 msec
  2 3.3.3.2 68 msec 60 msec 64 msec

Site-A-router(config)#interface tunnel 1234
Site-A-router(config-if)#ip address 192.168.123.1 255.255.255.0
Site-A-router(config-if)#ip mtu 1400
Site-A-router(config-if)#ip tcp adjust-mss 1360
Site-A-router(config-if)#tunnel source 1.1.1.1
Site-A-router(config-if)#tunnel destination 3.3.3.2
Site-A-router(config-if)#exit

Site-B-router(config)#interface tunnel 123
Site-B-router(config-if)#ip address 192.168.123.2 255.255.255.0
Site-B-router(config-if)#ip mtu 1400
Site-B-router(config-if)#ip tcp adjust-mss 1360
Site-B-router(config-if)#tunnel source 3.3.3.2
Site-B-router(config-if)#tunnel destination 1.1.1.1
Site-B-router(config-if)#exit

Site-A-router(config)#router eigrp 123
Site-A-router(config-router)#network 192.168.123.0
Site-A-router(config-router)#network 10.0.0.0
Site-A-router(config-router)#no auto-summary
Site-A-router(config-router)#exit

Site-B-router(config)#router eigrp 123
Site-B-router(config-router)#network 192.168.123.0
Site-B-router(config-router)#network 30.0.0.0
Site-B-router(config-router)#no auto-summary
Site-B-router(config-router)#exit


*Jan 11 12:20:47.079: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel1234) is up:new adjacency

*Jan 11 12:20:47.747: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1(Tunnel123) is up: new adjacency


Site-A-router#show ip eigrp neighbors
IP-EIGRP neighbors for process 123
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.123.2           Tu1234            11 00:01:26   66  1362  0  5

Site-B-router#show ip eigrp neighbors
IP-EIGRP neighbors for process 123
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.123.1           Tu123             11 00:01:02   67  1362  0  4





Site-B-router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 3.3.3.1 to network 0.0.0.0
C    192.168.123.0/24 is directly connected, Tunnel123
C    3.0.0.0/8 is directly connected, Serial4/1
D    10.0.0.0/8 [90/26882560] via 192.168.123.1, 00:01:11, Tunnel123
C    30.0.0.0/8 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 3.3.3.1



Site-A-router(config)#crypto isakmp policy 123
Site-A-router(config-isakmp)#authentication pre-share
Site-A-router(config-isakmp)#hash sha
Site-A-router(config-isakmp)#group 5
Site-A-router(config-isakmp)#encryption aes
Site-A-router(config-isakmp)#exit

Site-A-router(config)#crypto isakmp key 0 internet address 3.3.3.2

Site-B-router(config)#crypto isakmp policy 123
Site-B-router(config-isakmp)#authentication pre-share
Site-B-router(config-isakmp)#hash sha
Site-B-router(config-isakmp)#group 5
Site-B-router(config-isakmp)#encryption aes
Site-B-router(config-isakmp)#exit

Site-B-router(config)#crypto isakmp key 0 internet address 1.1.1.1

Site-A-router(config)#crypto ipsec transform-set TRANS-SET esp-aes esp-sha-hmac
Site-A-router(cfg-crypto-trans)#mode ?
  transport  transport (payload encapsulation) mode
  tunnel     tunnel (datagram encapsulation) mode
Site-A-router(cfg-crypto-trans)#mode tunnel
Site-A-router(cfg-crypto-trans)#exit


Site-B-router(config)#crypto ipsec transform-set TRANS-SET esp-aes esp-sha-hmac
Site-B-router(cfg-crypto-trans)#mode tunnel
Site-B-router(cfg-crypto-trans)#exit

Site-A-router(config)#crypto ipsec profile SVTI
Site-A-router(ipsec-profile)#set transform-set TRANS-SET
Site-A-router(ipsec-profile)#exit

Site-B-router(config)#crypto ipsec profile SVTI
Site-B-router(ipsec-profile)#set transform-set TRANS-SET
Site-B-router(ipsec-profile)#exit

Site-A-router(config)#interface tunnel 1234
Site-A-router(config-if)#tunnel protection ipsec profile SVTI
Site-A-router(config-if)#tunnel mode ipsec ipv4
Site-A-router(config-if)#end

Site-B-router(config)#interface tunnel 123
Site-B-router(config-if)#tunnel protection ipsec profile SVTI
Site-B-router(config-if)#tunnel mode ipsec ipv4
Site-B-router(config-if)#exit
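The ISAKMP policy above negotiates IKEv1 with SHA-1 and DH group 5, and the pre-shared key "internet" is entered as a type 0 (clear-text) key, so it appears in plain text in the running configuration. The following is an added hardening example for the same SVTI, not configuration from the original post: it replaces the IKEv1 policy with IKEv2, uses AES-GCM for ESP, enables PFS, and scopes the pre-shared keys to a single peer. It assumes an IOS release with IKEv2 support (15.x or later); the names IKEV2-PROP, IKEV2-POL, IKEV2-KEYS, IKEV2-PROF and TRANS-SET-GCM and the placeholder keys are mine and must be replaced.

```cisco
! Added example: IKEv2 with AES-GCM and PFS for the SVTI above. Names and
! keys are placeholders; IOS 15.x or later with IKEv2 support is assumed.
!
! ---- Site-A-router ----
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
! Keys are bound to the one peer; local and remote keys differ, so a
! key leaked from one side does not authenticate the other direction.
crypto ikev2 keyring IKEV2-KEYS
 peer SITE-B
  address 3.3.3.2
  pre-shared-key local A-to-B-CHANGE-ME
  pre-shared-key remote B-to-A-CHANGE-ME
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 3.3.3.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYS
!
! AES-GCM provides encryption and integrity in one transform; PFS forces
! a fresh DH exchange on every IPsec rekey.
crypto ipsec transform-set TRANS-SET-GCM esp-gcm 256
 mode tunnel
!
crypto ipsec profile SVTI
 set transform-set TRANS-SET-GCM
 set pfs group14
 set ikev2-profile IKEV2-PROF
!
interface Tunnel1234
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SVTI
!
! ---- Site-B-router: mirror image (same proposal, policy, transform
! set and profile; peer address and local/remote keys swapped) ----
crypto ikev2 keyring IKEV2-KEYS
 peer SITE-A
  address 1.1.1.1
  pre-shared-key local B-to-A-CHANGE-ME
  pre-shared-key remote A-to-B-CHANGE-ME
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 1.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYS
```

Verify with show crypto ikev2 sa and show crypto ipsec sa; the line that read PFS (Y/N): N, DH group: none in the output below should now report PFS Y with group14. Once the IKEv2 SA is up, remove the crypto isakmp key for the peer so the weaker IKEv1 settings can no longer be used, and configure key config-key password-encrypt together with password encryption aes so that IOS stores the pre-shared keys as type 6 instead of clear text. The same IKEv2 and IPsec profiles protect a GRE tunnel too; only the tunnel mode line differs.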

Site-A-router#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial4/0                  1.1.1.1         YES manual up                    up
Tunnel1234                 192.168.123.1   YES manual up                    up

Site-B-router#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/1                  3.3.3.2         YES manual up                    up
Tunnel123                  192.168.123.2   YES manual up                    up

Site-A-router#show interfaces tunnel 1234
Tunnel1234 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.123.1/24
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1, destination 3.3.3.2
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "SVTI")




Site-B-router#show interfaces tunnel 123
Tunnel123 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.123.2/24
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 3.3.3.2, destination 1.1.1.1
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "SVTI")


Site-A-router#traceroute 30.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.123.2 44 msec 68 msec 60 msec



Site-A-router#show crypto ipsec sa

interface: Tunnel1234
    Crypto map tag: Tunnel1234-head-0, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 3.3.3.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 30, #pkts encrypt: 30, #pkts digest: 30
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     


Site-B-router#ping 10.1.1.1 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 44/62/80 ms



Site-B-router#show crypto ipsec sa

interface: Tunnel123
    Crypto map tag: Tunnel123-head-0, local addr 3.3.3.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1250, #pkts encrypt: 1250, #pkts digest: 1250
    #pkts decaps: 1251, #pkts decrypt: 1251, #pkts verify: 1251
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 3.3.3.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1
     current outbound spi: 0x452C1DB(72532443)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x591B0BB3(1494944691)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4478462/2938)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x452C1DB(72532443)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4478462/2938)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (3.3.3.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 3.3.3.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial4/1
     current outbound spi: 0xE345F7FE(3813013502)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9FEF2C28(2683251752)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4533007/2960)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE345F7FE(3813013502)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000046, crypto map: Tunnel123-head-0
        sa timing: remaining key lifetime (k/sec): (4533007/2960)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Note that Site-B shows two SA pairs. The first, with 0.0.0.0/0 identities on both sides, is the VTI SA and carries all traffic routed into Tunnel123. The second, with host identities 3.3.3.2 and 1.1.1.1 and protocol 47 (GRE), was negotiated while tunnel protection was already applied but the interface was still in its default GRE mode (in the configuration above, tunnel protection was entered before tunnel mode ipsec ipv4); it has encrypted nothing since and ages out when its lifetime expires. Setting the tunnel mode before applying tunnel protection avoids the extra SA.


How to configure Encrypted GRE Tunnel with IPsec ESP security?

Internetworks



When do we use GRE?

GRE is used when traffic from one network has to be carried to another network across an intermediate network such as the Internet.

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point or point-to-multipoint links over an IP network. GRE tunnels carry unicast, multicast and broadcast traffic between routers, but GRE itself is clear text: it provides no confidentiality, integrity or authentication. We can, however, protect the whole GRE tunnel with IPsec, which gives it strong protection.


let's see the configuration of the Encrypt GRE tunnel. 

Topology:- https://youtu.be/5_sfxQGPlg0?si=D4x3RWf8AoZHGvSY






(As you can see from the topology above, we have 3 Sites. To encrypt the tunnel, you have to configure the GRE tunnel first. So first we configure the GRE tunnel between Site-A to Site-B, and Site-A to Site-C. After establishing the GRE tunnels, we will encrypt the entire tunnel with IPsec ESP between Site-A to Site-B only.) 

For the video, please click the link above.

GOAL:

  • Configure the topology as per the diagram
  • Assign the IP addresses as per the topology
  • Configure the default route at Site-A, Site-B, and Site-C
  • Configure static routing on router 2, which is acting as the Internet router
  • Configure the GRE tunnel between Site-A and Site-B; the tunnel network is 192.168.123.0/24
  • Configure EIGRP on Site-A and Site-B and advertise the LAN network and the tunnel network
  • Verify the tunnel with show commands and traceroute to make sure data travels inside the tunnel
  • In the same way, configure the GRE tunnel to Site-C; remember that we encrypt the tunnel only between Site-A and Site-B, not to Site-C
  • After establishing the GRE tunnels, configure IPsec and apply the tunnel protection IPsec profile on the Site-A to Site-B tunnel interface
  • Make sure the whole tunnel encrypts the data



  • Assign the IP addresses as per the topology



SITE-A-router(config)#interface serial 4/0
SITE-A-router(config-if)#ip address 1.1.1.1 255.0.0.0
SITE-A-router(config-if)#no shutdown
SITE-A-router(config-if)#exit

SITE-A-router(config)#interface fastethernet 0/0
SITE-A-router(config-if)#ip address 10.1.1.1 255.0.0.0
SITE-A-router(config-if)#no shutdown
SITE-A-router(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 1.1.1.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 3.3.3.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/2
R2(config-if)#ip address 4.4.4.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

SITE-B-router(config)#interface serial 4/1
SITE-B-router(config-if)#ip address 3.3.3.2 255.0.0.0
SITE-B-router(config-if)#no shutdown
SITE-B-router(config-if)#exit

SITE-B-router(config)#interface fastethernet 0/0
SITE-B-router(config-if)#ip address 30.1.1.1 255.0.0.0
SITE-B-router(config-if)#no keepalive
SITE-B-router(config-if)#no shutdown
SITE-B-router(config-if)#exit

SITE-C-router(config)#interface serial 4/2
SITE-C-router(config-if)#ip address 4.4.4.2 255.0.0.0
SITE-C-router(config-if)#no shutdown
SITE-C-router(config-if)#exit

SITE-C-router(config)#interface fastethernet 0/0
SITE-C-router(config-if)#ip address 40.1.1.1 255.0.0.0
SITE-C-router(config-if)#no keepalive
SITE-C-router(config-if)#no shutdown
SITE-C-router(config-if)#exit

  • Configure default route at Site-A, Site-B and Site-C


SITE-A-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/0

SITE-B-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/1

SITE-C-router(config)#ip route 0.0.0.0 0.0.0.0 serial 4/2

  • Configure static routing on router 2, which is acting as the internet router (in this lab it also has routes for the site LAN prefixes, so until a tunnel exists, traffic between sites still reaches its destination, but it crosses the "internet" in clear text; a real ISP would not carry those private prefixes at all)


internet(config)#ip route 10.0.0.0 255.0.0.0 serial 4/0
internet(config)#ip route 30.0.0.0 255.0.0.0 serial 4/1
internet(config)#ip route 40.0.0.0 255.0.0.0 serial 4/2




SITE-A-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/0

SITE-B-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/1

SITE-C-router#show ip route static
S*   0.0.0.0/0 is directly connected, Serial4/2



  • Configure the GRE tunnel between Site-A to Site-B, the IP address of the tunnel will be 192.168.123.0/24


SITE-A-router(config)#interface tunnel 123
SITE-A-router(config-if)#ip address 192.168.123.1 255.255.255.0
SITE-A-router(config-if)#ip mtu 1400
SITE-A-router(config-if)#ip tcp adjust-mss 1360
SITE-A-router(config-if)#tunnel source 1.1.1.1
SITE-A-router(config-if)#tunnel destination 3.3.3.2
SITE-A-router(config-if)#exit

*Jan  5 14:54:33.579: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel123, changed state to up

SITE-B-router(config)#interface tunnel 123
SITE-B-router(config-if)#ip address 192.168.123.2 255.255.255.0
SITE-B-router(config-if)#ip mtu 1400
SITE-B-router(config-if)#ip tcp adjust-mss 1360
SITE-B-router(config-if)#tunnel source 3.3.3.2
SITE-B-router(config-if)#tunnel destination 1.1.1.1
SITE-B-router(config-if)#exit

*Jan  5 14:44:06.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel123,changed state to up


SITE-A-router#show ip interface brief | ex unass
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual down                  up
Serial4/0                  1.1.1.1         YES manual up                    up
Tunnel123                  192.168.123.1   YES manual up                    up


  • Configure EIGRP on Site-A and Site-B and advertise LAN network and tunnel IP


SITE-A-router(config)#router eigrp 123
SITE-A-router(config-router)#network 10.0.0.0
SITE-A-router(config-router)#network 192.168.123.0
SITE-A-router(config-router)#no auto-summary
SITE-A-router(config-router)#exit

*Jan  5 14:45:42.327: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel123) is up: new adjacency

*Jan  5 14:45:54.175: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.2 (Tunnel123) is resync: peer graceful-restart


SITE-B-router(config)#router eigrp 123
SITE-B-router(config-router)#network 30.0.0.0
SITE-B-router(config-router)#network 192.168.123.0
SITE-B-router(config-router)#no auto-summary
SITE-B-router(config-router)#exit

*Jan  5 14:45:53.559: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1 (Tunnel123) is resync: summary configured

*Jan  5 14:45:41.811: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 123: Neighbor 192.168.123.1 (Tunnel123) is up: new adjacency

SITE-A-router#ping 30.1.1.1 source fastEthernet 0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/60/64 ms


  • Verify the tunnel with show commands and traceroute to make sure the data travels inside the tunnel

SITE-A-router#traceroute 30.1.1.1

Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.123.2 56 msec 64 msec 56 msec



SITE-A-router#traceroute 40.1.1.1

Type escape sequence to abort.
Tracing the route to 40.1.1.1

  1 1.1.1.2 52 msec 32 msec 36 msec
  2 4.4.4.2 56 msec 64 msec 68 msec


The traceroute to 30.1.1.1 shows a single hop, the far end of Tunnel123, so that traffic is inside the tunnel. The traceroute to 40.1.1.1 still shows the internet router (1.1.1.2) as a hop, because no tunnel to Site-C exists yet, so that traffic crosses the internet in the clear. In the same way, configure the GRE tunnel for Site-C, and remember that we encrypt the entire tunnel only between Site-A and Site-B, not for Site-C: Tunnel124 carries its payload in clear text, and anyone on the path between 1.1.1.1 and 4.4.4.2 can read it.


SITE-A-router(config)#interface tunnel 124
SITE-A-router(config-if)#ip address 192.168.124.1 255.255.255.0
SITE-A-router(config-if)#ip mtu 1400
SITE-A-router(config-if)#ip tcp adjust-mss 1360
SITE-A-router(config-if)#tunnel source 1.1.1.1
SITE-A-router(config-if)#tunnel destination 4.4.4.2
SITE-A-router(config-if)#exit

*Jan  5 19:52:36.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel124, changed state to up


SITE-C-router(config)#interface tunnel 124
SITE-C-router(config-if)#ip address 192.168.124.2 255.255.255.0
SITE-C-router(config-if)#ip mtu 1400
SITE-C-router(config-if)#ip tcp adjust-mss 1360
SITE-C-router(config-if)#tunnel source 4.4.4.2
SITE-C-router(config-if)#tunnel destination 1.1.1.1
SITE-C-router(config-if)#exit

*Jan  5 19:53:48.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel124, changed state to up

SITE-A-router(config)#router eigrp 123
SITE-A-router(config-router)#network 192.168.124.0
SITE-A-router(config-router)#exit

SITE-C-router(config)#router eigrp 123
SITE-C-router(config-router)#network 192.168.124.0
SITE-C-router(config-router)#network 40.0.0.0
SITE-C-router(config-router)#no auto-summary
SITE-C-router(config-router)#exit



SITE-A-router#show ip interface brief | exclude unass
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.1.1.1        YES manual up                    up
Serial4/0                  1.1.1.1         YES manual up                    up
Tunnel123                  192.168.123.1   YES manual up                    up
Tunnel124                  192.168.124.1   YES manual up                    up



SITE-A-router#traceroute 40.1.1.1

Type escape sequence to abort.
Tracing the route to 40.1.1.1
  1 192.168.124.2 72 msec 48 msec 56 msec

SITE-A-router#traceroute 30.1.1.1
Type escape sequence to abort.
Tracing the route to 30.1.1.1

  1 192.168.123.2 52 msec 56 msec 64 msec
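The goals above end with applying IPsec to Tunnel123, and this part of the page does not show that step. The following is an added example of the tunnel protection configuration for Site-A and Site-B; it is not the author's configuration. It assumes an IOS release that supports SHA-256 and DH group 14 (IOS 15.x), a placeholder pre-shared key "Internetworks-PSK" that must be replaced with a long random value, and the names ISAKMP policy 10, transform set GRE-TS and IPsec profile GRE-PROT, which are my choices. With tunnel protection there is no crypto map and no crypto ACL: the "interesting traffic" is the GRE packet itself, and the IKE peer is the tunnel destination.

```cisco
! ===== SITE-A-router (tunnel source 1.1.1.1, peer 3.3.3.2) =====
! IKE phase 1: AES-256, SHA-256, DH group 14, pre-shared key.
! DES/3DES, MD5 and DH groups 1/2/5 are weak; do not use them.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key bound to the peer's public (NBMA) address.
! "Internetworks-PSK" is a placeholder; use a long random key.
crypto isakmp key Internetworks-PSK address 3.3.3.2
!
! IKE phase 2: ESP with AES-256 and HMAC-SHA-256.
! Tunnel mode (the default) matches the "in use settings ={Tunnel, }"
! output shown earlier on this page. For point-to-point GRE,
! "mode transport" under the transform set also works and saves the
! 20-byte outer IP header that tunnel mode adds to every packet.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
!
! The profile carries only the transform set; peer and traffic selector
! come from the tunnel interface it is attached to.
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! Attach the profile. From now on every GRE packet leaving Tunnel123,
! including the EIGRP hellos and updates, is carried inside ESP
! between 1.1.1.1 and 3.3.3.2. Tunnel124 to Site-C is untouched.
interface Tunnel123
 tunnel protection ipsec profile GRE-PROT
!
! ===== SITE-B-router (tunnel source 3.3.3.2, peer 1.1.1.1) =====
! Mirror of Site-A: policy, key, transform set and profile must match.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key Internetworks-PSK address 1.1.1.1
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
interface Tunnel123
 tunnel protection ipsec profile GRE-PROT
!
! ===== Verification (run on either router) =====
! show crypto isakmp sa   -> one entry for the peer in state QM_IDLE
! show crypto ipsec sa    -> "#pkts encaps" / "#pkts decaps" increasing
! show crypto session     -> Session status: UP-ACTIVE for the peer
```

After applying the profile on both routers, repeat the ping and traceroute from 10.1.1.1 to 30.1.1.1: the path still shows 192.168.123.2 as the single hop, but the counters in show crypto ipsec sa now increase with every packet. The decisive check is a packet capture on the link between Site-A and the internet router: before tunnel protection you see GRE (IP protocol 47) with the inner 10.1.1.1 to 30.1.1.1 header readable; afterwards you see only ESP (IP protocol 50) between 1.1.1.1 and 3.3.3.2, while the same capture on the Site-C link still shows readable GRE.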




How to configure IPsec VPN on Cisco ASA Firewall?

Internetworks

 

IPsec (Internet Protocol Security) is a set of protocols developed by the Internet Engineering Task Force (IETF). It is a framework that helps us protect our IP traffic at the network layer. Why? Because the IP protocol itself has no security features at all. IPsec allows two or more hosts to communicate securely by authenticating and encrypting each IP packet of a communication session. We already discussed it in an earlier post (click here).




Previously we configured an IPsec VPN on routers; in this lab we are going to configure it on an ASA firewall. I'm using Cisco Adaptive Security Appliance Software Version 8.4(2). If you are using an older version, some of the commands may be different (for example, crypto ikev1 in 8.4 was crypto isakmp in earlier releases). I'm assuming you follow our blogs and are familiar with IKE; if not, click here.

IKE (Internet Key Exchange) Phase 1 

The purpose of IKE Phase 1 is to authenticate the peers and build a secure channel (the IKE SA) over which IKE Phase 2 negotiates the IPsec SAs. Let's understand Phase 1 in steps.

  • The first step is negotiation between the future neighbors (peers) that have traffic to be protected.

Step 1: Negotiation

The neighbor (peer) that has traffic it wants to protect initiates the IKE Phase 1 negotiation. The peers negotiate the following:

  • Hashing: peers agree on a hashing algorithm (MD5 or SHA) that is used to verify integrity.
  • Authentication: peers have to prove their identity, using pre-shared keys or digital certificates.
  • DH (Diffie-Hellman) group: the DH group determines how strong the key exchange is. A higher group number means more security but takes longer to compute.
  • Lifetime: how long the IKE Phase 1 tunnel (the IKE SA) stays up. A shorter lifetime is more secure, because rebuilding the tunnel also generates new keying material. Each vendor uses a different default; Cisco's is 86400 seconds (1 day).
  • Encryption: the algorithm we use for encryption: DES, 3DES, or AES.

Note that DES, 3DES, MD5 and DH groups 1, 2 and 5 are considered weak today. For new deployments use AES, SHA-2 and DH group 14 or higher, and make the policy on both peers match exactly.



An extended access list can evaluate many fields in the layer 3 and layer 4 headers of an IP packet: source IP, destination IP, protocol, source port, and destination port. We can also specify which IP traffic should be permitted or denied, which gives the extended access list the ability to make much more granular decisions when controlling traffic. On IOS, numbered extended ACLs use the ranges 100-199 and 2000-2699; on the ASA, ACLs are named. (It's very important to use an extended ACL with an IPsec VPN: this "crypto ACL" tells the device which traffic to encrypt, and the ACL on each peer must be the mirror image of the other's, otherwise the peers will not agree on the Phase 2 proxy identities and the tunnel will not come up.)

crypto isakmp enable enables IKE for IPsec. IKE is enabled by default, but if it has been disabled you must enable it with this command (on ASA 8.4 the equivalent is crypto ikev1 enable on the outside interface). IKE is often called ISAKMP; strictly, ISAKMP is the framework that IKE uses for its messages. It is a negotiation protocol that allows two hosts to agree on how to build an IPsec security association. IKE separates the negotiation into two phases: Phase 1 creates the first tunnel (the IKE SA), which protects the negotiation itself; Phase 2 creates the tunnel that protects the data (the IPsec SAs).

crypto isakmp policy: we need to create an ISAKMP (Internet Security Association and Key Management Protocol) policy for the IKE Phase 1 negotiation, defining the authentication method, encryption algorithm, hash function, DH group, and lifetime. This policy protects the negotiation between the VPN endpoints; the user traffic itself is protected by the Phase 2 transform set.


ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults


crypto isakmp key configures a pre-shared key, which is used when the IKE policy's authentication method is pre-share. We must configure a key on each site router and the same key on the other endpoint of the VPN; the pre-shared keys must match for authentication to succeed. Use a long random key and bind it to the peer's address.

crypto ipsec transform-set: a transform set is a combination of a security protocol and algorithms that defines how the data is protected in Phase 2. Here we choose the encapsulation protocol (ESP or AH), the encryption algorithm (DES, 3DES, AES), and the hashing algorithm (MD5, SHA-1, SHA-2). Only ESP provides encryption; AH provides integrity and authentication only.

R1(config)#crypto ipsec transform-set INTERNETWORKS ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

R1(config)#crypto ipsec transform-set INTERNETWORKS COMp-lzs ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

A crypto map ties together the ACL configured earlier (the traffic to protect), the peer, the transform set, and other IKE and IPsec settings. You have to set the peer, and the map is applied to the interface that points toward the IPsec peer. For more information click here.

Topology: - we need to encrypt the traffic 10.0.0.0/8 going to 20.0.0.0/8 and vice versa 





Goal: -

  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure gig0 as outside on ASA 1 and gig1 as outside on ASA 2
  • configure Fa0/0 as inside on both ASAs
  • configure the default route on both ASA firewalls
  • ensure connectivity with ping
  • define the traffic that we want to encrypt, from 10.0.0.0/8 to 20.0.0.0/8 and vice versa, on both ASAs using an extended ACL named IP-TRAFFIC
  • configure IKEv1 Phase 1 on both ASAs
  • configure Phase 2 on both ASAs
  • make sure the traffic is encrypted by the IPsec VPN