
Wednesday 16 November 2016

Site to Site IPsec VPN

CCNP Route (300-101) Lab: Configuring Site to Site IPsec VPN



Scenario: A Site to Site VPN connects the networks of two different offices to each other securely (encrypted traffic). End users do not require a VPN client; traffic is routed through the VPN gateways, which encrypt it between themselves. Users in the 10.1.1.0/24 network will be connected via the Site to Site VPN to users in the 172.16.1.0/24 network.

VPN Configuration Steps

1. ISAKMP Policy
- Specifies the initial VPN security details

2. IPsec Details
- Specifies how the IPsec packets will be encapsulated

3. Crypto ACL
- Specifies the traffic that will trigger the VPN to activate

4. VPN Tunnel Information
- Creates the crypto map that combines the ISAKMP policy, IPsec transform set, VPN peer address, and crypto ACL

5. Apply the Crypto Map
- Identifies which interface is actively looking to create a VPN

Configuration:

R1
en
conf t
host R1
int s0/0/0
ip add 1.1.1.1 255.255.255.0
no shut
int fa0/0
ip add 10.1.1.1 255.255.255.0
no shut
exit
router eigrp 1
network 1.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
no auto-summary
exit

crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key cisco123 address 2.2.2.1
crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto map HQ-MAP 10 ipsec-isakmp
set transform-set HQ-VPN
set peer 2.2.2.1
match address 110
exit 
int s0/0/0
crypto map HQ-MAP
exit

R2
en
conf t
host R2
int s0/0/0
ip add 1.1.1.2 255.255.255.0
no shut
int s0/0/1
ip add 2.2.2.2 255.255.255.0
no shut
exit
router eigrp 1
network 1.1.1.0 0.0.0.255
network 2.2.2.0 0.0.0.255
no auto-summary
exit

R3
en
conf t
host R3
int s0/0/1
ip add 2.2.2.1 255.255.255.0
no shut
int fa0/0
ip add 172.16.1.1 255.255.255.0
no shut
exit
router eigrp 1
network 2.2.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
exit

crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key cisco123 address 1.1.1.1
crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map HQ-MAP 10 ipsec-isakmp
set transform-set HQ-VPN
set peer 1.1.1.1
match address 110
exit 
int s0/0/1
crypto map HQ-MAP
exit
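The crypto configuration above works, but several of its choices are ones a security reviewer would flag. The following Python script, added here as an example and not part of the original lab, audits the crypto sections of R1 and R3 (embedded inline as constructed samples copied from the lab) for weak Diffie-Hellman groups, weak ESP transforms and short pre-shared keys, and checks that the two peers' crypto ACLs are exact mirror images, which IPsec requires for the SA to negotiate in both directions. The thresholds (DH groups 1/2/5, keys shorter than 16 characters) are the script's own assumptions.

```python
import re

# Constructed sample: the crypto section of R1's configuration from the lab above.
R1_CRYPTO = """crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 2.2.2.1
crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 2.2.2.1
 match address 110"""
# R3 is the mirror image: peer address and ACL source/destination swapped.
R3_CRYPTO = R1_CRYPTO.replace("2.2.2.1", "1.1.1.1").replace(
    "10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255", "172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255")

WEAK_DH = {"1", "2", "5"}                         # assumption: DH modulus below 2048 bits
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}  # deprecated cipher / hash transforms
MIN_PSK_LEN = 16                                  # assumption: minimum pre-shared key length

def audit_crypto(cfg):
    """Return a list of findings (strings) for one router's ISAKMP/IPsec configuration."""
    findings = []
    for line in cfg.splitlines():
        tok = line.split()
        if len(tok) < 2:
            continue
        if tok[0] == "group" and tok[1] in WEAK_DH:
            findings.append(f"weak DH group {tok[1]}")
        elif tok[:2] == ["authentication", "pre-share"]:
            findings.append("pre-shared key auth (key visible in running-config)")
        elif tok[:3] == ["crypto", "isakmp", "key"] and len(tok[3]) < MIN_PSK_LEN:
            findings.append(f"short pre-shared key for peer {tok[-1]}")
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"weak transform {a} in set {tok[3]}" for a in tok[4:] if a in WEAK_ESP]
    return findings

def crypto_acl(cfg):
    """Return (src, src_wildcard, dst, dst_wildcard) of the first 'permit ip' ACL entry."""
    m = re.search(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    return m.groups() if m else None

def acls_mirror(cfg_a, cfg_b):
    """True when the two peers' crypto ACLs are exact mirror images of each other."""
    a, b = crypto_acl(cfg_a), crypto_acl(cfg_b)
    return bool(a and b) and a == (b[2], b[3], b[0], b[1])

if __name__ == "__main__":
    for name, cfg in (("R1", R1_CRYPTO), ("R3", R3_CRYPTO)):
        print(name, audit_crypto(cfg))
    print("crypto ACLs mirror:", acls_mirror(R1_CRYPTO, R3_CRYPTO))
```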

Show Commands:
To check whether the tunnel was successfully established, you may use the following show commands:

show crypto isakmp sa
show crypto ipsec sa
show crypto session
show crypto map

Example:
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.1         1.1.1.1         QM_IDLE           1070    0 ACTIVE


IPv6 Crypto ISAKMP SA


R1#

Note: You must have basic knowledge of CCNA or equivalent, as this is the prerequisite for CCNP. This lab uses Packet Tracer with a C2811 router. Only the C2811 and C1841 router images in Packet Tracer support the VPN commands.

Monday 14 November 2016

OSPF Multi Area Virtual Link

CCNP Route (300-101) Lab: Configuring OSPF Multi Area Virtual Link



Scenario: A virtual link is used to connect a non-backbone area to the backbone (area 0) when the two are not directly adjacent. The loopback IP address of R1 should be able to ping the loopback IP address of R4, and vice versa. R4 is not directly connected to area 0, so a virtual link must be established between R3 and R4 (through area 2) in order for R1 and R4 to ping each other.

Syntax: area <number> virtual-link <neighbor router ID>

Configuration:

R1
en
conf t
host R1
int s0/0
ip add 200.1.1.1 255.255.255.252
no shut
int lo0
ip add 10.1.1.1 255.255.255.0
no shut
exit
router ospf 1
router-id 10.1.1.1
network 10.1.1.0 0.0.0.255 area 1
network 200.1.1.0 0.0.0.3 area 0
exit

R2
en
conf t
host R2
int s0/0
ip add 200.1.1.2 255.255.255.252
no shut
int s0/1
ip add 200.1.1.5 255.255.255.252
no shut
exit
router ospf 1
router-id 200.1.1.5
network 200.1.1.0 0.0.0.3 area 0
network 200.1.1.4 0.0.0.3 area 0
exit

R3
en
conf t
host R3
int s0/1
ip add 200.1.1.6 255.255.255.252
no shut
int fa0/0
ip add 100.1.1.1 255.255.255.0
no shut
int lo0
ip add 192.168.1.1 255.255.255.0
no shut
exit
router ospf 1
router-id 192.168.1.1
network 100.1.1.0 0.0.0.255 area 2
network 192.168.1.0 0.0.0.255 area 2
network 200.1.1.4 0.0.0.3 area 0
area 2 virtual-link 20.1.1.1
exit

R4
en
conf t
host R4
int fa0/0
ip add 100.1.1.2 255.255.255.0
no shut
int lo0
ip add 20.1.1.1 255.255.255.0
no shut
exit
router ospf 1
router-id 20.1.1.1
network 20.1.1.0 0.0.0.255 area 3
network 100.1.1.0 0.0.0.255 area 2
area 2 virtual-link 192.168.1.1
exit

Note: You must have basic knowledge of CCNA or equivalent, as this is the prerequisite for CCNP. This lab uses GNS3 with a C3745 router.