CCNASv1.1 Chp08 Lab A Site2Site VPN Instructor


CCNA Security

Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and CCP (Instructor Version)
Grey highlighting indicates answers provided on instructor lab copies only.

Topology

Note: ISR G2 devices have Gigabit Ethernet interfaces instead of FastEthernet interfaces.

All contents are Copyright 1992-2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

IP Addressing Table

Device  Interface      IP Address     Subnet Mask      Default Gateway  Switch Port
R1      Fa0/1          192.168.1.1    255.255.255.0    N/A              S1 Fa0/5
R1      S0/0/0 (DCE)   10.1.1.1       255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2       255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.2       255.255.255.252  N/A              N/A
R3      Fa0/1          192.168.3.1    255.255.255.0    N/A              S3 Fa0/5
R3      S0/0/1         10.2.2.1       255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.3    255.255.255.0    192.168.1.1      S1 Fa0/6
PC-C    NIC            192.168.3.3    255.255.255.0    192.168.3.1      S3 Fa0/18

Objectives

Part 1: Basic Router Configuration
• Configure host names, interface IP addresses, and access passwords.
• Configure the EIGRP dynamic routing protocol.

Part 2: Configure a Site-to-Site VPN Using Cisco IOS
• Configure IPsec VPN settings on R1 and R3.
• Verify site-to-site IPsec VPN configuration.
• Test IPsec VPN operation.

Part 3: Configure a Site-to-Site VPN Using CCP
• Configure IPsec VPN settings on R1.
• Create a mirror configuration for R3.
• Apply the mirror configuration to R3.
• Verify the configuration.
• Test the VPN configuration using CCP.

Background

VPNs can provide a secure method of transmitting data over a public network, such as the Internet. VPN connections can help reduce the costs associated with leased lines. Site-to-site VPNs typically provide a secure (IPsec or other) tunnel between a branch office and a central office. Another common implementation that uses VPN technology is remote access to a corporate office from a telecommuter location such as a small office or home office.

In this lab you will build and configure a multi-router network, and then use Cisco IOS and CCP to configure a site-to-site IPsec VPN and then test it. The IPsec VPN tunnel is from router R1 to router R3 via R2. R2 acts as a pass-through and has no knowledge of the VPN. IPsec provides secure transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices (peers), such as Cisco routers.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router model and Cisco IOS version, the commands available and the output produced might vary from what is shown in this lab.

Note: Make sure that the routers and the switches have been erased and have no startup configurations. Instructor Note: Instructions for erasing switches and routers are provided in the Lab Manual, located on Academy Connection in the Tools section.

Required Resources

• 3 routers (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
• 2 switches (Cisco 2960 or comparable)
• PC-A: Windows XP, Vista, or Windows 7 with CCP 2.5 installed
• PC-C: Windows XP, Vista, or Windows 7 with CCP 2.5 installed
• Serial and Ethernet cables as shown in the topology
• Rollover cables to configure the routers via the console

CCP Notes: Refer to Chp 00 Lab A for instructions on how to install CCP. Hardware/software recommendations for CCP include Windows XP, Vista, or Windows 7 with Java version 1.6.0_11 up to 1.6.0_21, Internet Explorer 6.0 or above, and Flash Player version 10.0.12.36 and later. If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-click the CCP icon or menu item and choose Run as administrator. In order to run CCP, it may be necessary to temporarily disable antivirus programs and O/S firewalls. Make sure that all pop-up blockers are turned off in the browser.

Instructor Notes:
This lab is divided into three parts. Each part can be administered individually or in combination with others as time permits. The main goal of this lab is to configure a site-to-site VPN between two routers, first using the Cisco IOS CLI and then using CCP. R1 and R3 are on separate networks and communicate through R2, which simulates an ISP. The routers in this lab are configured with EIGRP, although it is not typical for stub networks to communicate with an ISP using an interior routing protocol. You can also use static routes for basic (non-VPN) communication between R1 and R2 and between R1 and R3, if desired. Students can work in teams of two for router configuration, one person configuring R1 and the other R3. Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and routers R1 and R3. The running configs for all three routers are captured after Part 1 of the lab is completed. The running configs for R1 and R3 from Part 2 and Part 3 are captured and listed separately. All configs are found at the end of the lab.

Part 1: Basic Router Configuration


In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP addresses, dynamic routing, device access, and passwords. Note: All tasks should be performed on routers R1, R2, and R3. The procedure for R1 is shown here as an example.

Step 1: Cable the network as shown in the topology.


Attach the devices shown in the topology diagram, and cable as necessary.

Step 2: Configure basic settings for each router.


a. Configure host names as shown in the topology.
b. Configure the interface IP addresses as shown in the IP addressing table.
c. Configure a clock rate for the serial router interfaces with a DCE serial cable attached.
R1(config)# interface S0/0/0
R1(config-if)# clock rate 64000

Step 3: Disable DNS lookup.


To prevent the router from attempting to translate incorrectly entered commands, disable DNS lookup.
R1(config)# no ip domain-lookup

Step 4: Configure the EIGRP routing protocol on R1, R2, and R3.


a. On R1, use the following commands.
R1(config)# router eigrp 101
R1(config-router)# network 192.168.1.0 0.0.0.255
R1(config-router)# network 10.1.1.0 0.0.0.3
R1(config-router)# no auto-summary

b. On R2, use the following commands.
R2(config)# router eigrp 101
R2(config-router)# network 10.1.1.0 0.0.0.3
R2(config-router)# network 10.2.2.0 0.0.0.3
R2(config-router)# no auto-summary

c. On R3, use the following commands.
R3(config)# router eigrp 101
R3(config-router)# network 192.168.3.0 0.0.0.255
R3(config-router)# network 10.2.2.0 0.0.0.3
R3(config-router)# no auto-summary

Step 5: Configure PC host IP settings.


a. Configure a static IP address, subnet mask, and default gateway for PC-A, as shown in the IP addressing table.
b. Configure a static IP address, subnet mask, and default gateway for PC-C, as shown in the IP addressing table.

Step 6: Verify basic network connectivity.


a. Ping from R1 to the R3 Fa0/1 interface at IP address 192.168.3.1.
Were the results successful? Yes. If the pings are not successful, troubleshoot the basic device configurations before continuing.
b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.
Were the results successful? Yes. If the pings are not successful, troubleshoot the basic device configurations before continuing.
Note: If you can ping from PC-A to PC-C, you have demonstrated that the EIGRP routing protocol is configured and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses are correct, use the show run and show ip route commands to help identify routing protocol-related problems.

Step 7: Configure a minimum password length.


Note: Passwords in this lab are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab. More complex passwords are recommended in a production network.
Use the security passwords min-length command to set a minimum password length of 10 characters.
R1(config)# security passwords min-length 10

Step 8: Configure the basic console and vty lines.


a. Configure a console password and enable login for router R1. For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous command prevents console messages from interrupting command entry.
Note: To avoid repetitive logins during this lab, the exec-timeout can be set to 0 0, which prevents it from expiring. However, this is not considered a good security practice.
R1(config)# line console 0
R1(config-line)# password ciscoconpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous

b. Configure the password on the vty lines for router R1.
R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login

c. Repeat these configurations on both R2 and R3.

Step 9: Encrypt clear text passwords.


a. Use the service password-encryption command to encrypt the console, aux, and vty passwords.
R1(config)# service password-encryption

b. Issue the show run command. Can you read the console, aux, and vty passwords? Why or why not? No. The passwords are now encrypted. Note that service password-encryption applies the reversible Type 7 scheme: it hides the passwords from casual viewing of the configuration, but it does not protect them from anyone who obtains a copy of the configuration.

c. Repeat this configuration on both R2 and R3.
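The following is an added example, not code from the Cisco lab, showing why the Type 7 strings written by service password-encryption are only obfuscation. The algorithm (XOR against a fixed, publicly known key, starting at an offset given by the two leading digits) is the standard one; this implementation, the helper that walks a captured running-config, and the sample configuration it is run against are my own, and the sample uses the lab's own line passwords encoded with a chosen seed.

```python
# Added example, not code from the Cisco lab: reverse IOS "type 7" strings, which is
# what "service password-encryption" produces. The algorithm is a fixed-key XOR
# offset by a two-digit seed; the key below is the well-known constant.

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Recover the cleartext from a type 7 string such as '02050D480809'."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)            # first two digits: starting offset into the key
    stream = bytes.fromhex(encoded[2:])    # one hex pair per cleartext character
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(stream))


def type7_encrypt(plain: str, seed: int = 2) -> str:
    """Forward direction, so a round trip can be verified. IOS picks the seed at random."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    return f"{seed:02d}" + "".join(
        f"{c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}"
        for i, c in enumerate(plain.encode("ascii")))


def recover_line_passwords(running_config: str) -> dict:
    """Return {line: cleartext} for every 'password 7 ...' under a 'line' section of a
    captured running-config. This is the edit Step 11 asks you to do by hand when the
    saved Part 1 configuration must carry the real passwords again."""
    found, current = {}, None
    for raw in running_config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "line":
            current = " ".join(words[1:])
        elif current and words[:2] == ["password", "7"]:
            found[current] = type7_decrypt(words[2])
    return found


# Constructed sample (hypothetical capture) of what "show run" prints after
# service password-encryption, using the lab's own passwords encoded with seed 2.
SAMPLE_RUN = f"""
service password-encryption
!
line con 0
 password 7 {type7_encrypt('ciscoconpass')}
 exec-timeout 5 0
 login
 logging synchronous
line vty 0 4
 password 7 {type7_encrypt('ciscovtypass')}
 exec-timeout 5 0
 login
"""

if __name__ == "__main__":
    for line_name, cleartext in recover_line_passwords(SAMPLE_RUN).items():
        print(f"line {line_name}: {cleartext}")
```

Run it and both line passwords come straight back out of the "encrypted" configuration. The practical consequence for Part 1 is that the enable secret (a one-way hash) is the only credential in this configuration that is actually protected at rest; treat a captured running-config with Type 7 strings as containing cleartext passwords when deciding where it may be stored.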

Step 10: Save the basic running configuration for all three routers.
Save the running configuration to the startup configuration from the privileged EXEC prompt.
R1# copy running-config startup-config

Step 11: Save the configuration on R1 and R3 for later restoration.


Using a program such as HyperTerminal, copy/paste functions, or TFTP, save the R1 and R3 running configurations from Part 1 of this lab. These can be used later, in Part 3 of this lab, to restore the routers in order to configure the VPN with CCP.
Note: When editing the captured running config text, remove all occurrences of "- - More - -". Remove any commands that are not related to the items you configured in Part 1 of the lab, such as the Cisco IOS version number, no service pad, and so on. Many commands are entered automatically by the Cisco IOS software. Also replace the encrypted passwords with the correct ones specified previously and be sure to use the no shutdown command for interfaces that need to be enabled.

Part 2: Configure a Site-to-Site VPN with Cisco IOS


In Part 2 of this lab, you configure an IPsec VPN tunnel between R1 and R3 that passes through R2. You will configure R1 and R3 using the Cisco IOS CLI. You then review and test the resulting configuration.

Task 1: Configure IPsec VPN Settings on R1 and R3


Step 1: Verify connectivity from the R1 LAN to the R3 LAN.
In this task, you verify that with no tunnel in place, PC-A on the R1 LAN can ping PC-C on the R3 LAN.
a. From PC-A, ping the PC-C IP address of 192.168.3.3.
PC-A:\> ping 192.168.3.3
b. Are the results successful? Yes. If the pings are not successful, troubleshoot the basic device configurations before continuing.

Step 2: Enable IKE policies on R1 and R3.


IPsec is an open framework that allows the exchange of security protocols as new technologies, such as encryption algorithms, are developed. There are two central configuration elements to the implementation of an IPsec VPN:
• Implement Internet Key Exchange (IKE) parameters
• Implement IPsec parameters
IKE Phase 1 defines the key exchange method used to pass and validate IKE policies between peers. In IKE Phase 2, the peers exchange and match IPsec policies for the authentication and encryption of data traffic. IKE must be enabled for IPsec to function. IKE is enabled by default on IOS images with cryptographic feature sets. If it is disabled for some reason, you can enable it with the command crypto isakmp enable. Use this command to verify that the router IOS supports IKE and that it is enabled.

a. Verify that IKE is supported and enabled.
R1(config)# crypto isakmp enable
R3(config)# crypto isakmp enable
Note: If you cannot execute this command on the router, you need to upgrade the IOS image to one with a feature set that includes the Cisco cryptographic services.

b. Establish an Internet Security Association and Key Management Protocol (ISAKMP) policy and view the available options. To allow IKE Phase 1 negotiation, you must create an ISAKMP policy and configure a peer association involving that ISAKMP policy. An ISAKMP policy defines the authentication and encryption algorithms and hash function used to send control traffic between the two VPN endpoints. When an ISAKMP security association has been accepted by the IKE peers, IKE Phase 1 has been completed. IKE Phase 2 parameters will be configured later. Issue the crypto isakmp policy number configuration command on R1 for policy 10.
R1(config)# crypto isakmp policy 10

c. View the various IKE parameters available using Cisco IOS help by typing a question mark (?).
R1(config-isakmp)# ?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults

Step 3: Configure ISAKMP policy parameters on R1 and R3.


Your choice of an encryption algorithm determines how confidential the control channel between the endpoints is. The hash algorithm controls data integrity, ensuring that the data received from a peer has not been tampered with in transit. The authentication type ensures that the packet was indeed sent and signed by the remote peer. The Diffie-Hellman group is used to create a secret key shared by the peers that has not been sent across the network.

a. Configure an authentication type of pre-shared keys. Use AES 256 encryption, SHA as your hash algorithm, and Diffie-Hellman group 5 key exchange for this IKE policy.

b. Give the policy a lifetime of 3600 seconds (one hour). Configure the same policy on R3. Older versions of Cisco IOS do not support AES 256 encryption and SHA as a hash algorithm. Substitute whatever encryption and hashing algorithm your router supports. Be sure the same changes are made on the other VPN endpoint so that they are in sync. Conversely, where both peers run a current IOS release, prefer a SHA-2 hash and Diffie-Hellman group 14 or higher; SHA-1 and group 5 are used here for compatibility with the lab equipment.
Note: You should be at the R1(config-isakmp)# prompt at this point. The crypto isakmp policy 10 command is repeated below for clarity.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600
R1(config-isakmp)# end

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 3600
R3(config-isakmp)# end

c. Verify the IKE policy with the show crypto isakmp policy command.
R1# show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit

Step 4: Configure pre-shared keys.


a. Because pre-shared keys are used as the authentication method in the IKE policy, configure a key on each router that points to the other VPN endpoint. These keys must match for authentication to be successful. The global configuration command crypto isakmp key key-string address address is used to enter a pre-shared key. Use the IP address of the remote peer, the remote interface that the peer would use to route traffic to the local router.
Which IP addresses should you use to configure the IKE peers, given the topology diagram and IP addressing table? The IP addresses should be the R1 S0/0/0 IP address 10.1.1.1 and the R3 S0/0/1 IP address 10.2.2.1. These are the addresses that are used to send normal traffic between R1 and R3.

b. Each IP address that is used to configure the IKE peers is also referred to as the IP address of the remote VPN endpoint. Configure the pre-shared key of cisco123 on router R1 using the following command. Production networks should use a complex key. This command points to the remote peer R3 S0/0/1 IP address.
R1(config)# crypto isakmp key cisco123 address 10.2.2.1

c. The command for R3 points to the R1 S0/0/0 IP address. Configure the pre-shared key on router R3 using the following command.
R3(config)# crypto isakmp key cisco123 address 10.1.1.1

Step 5: Configure the IPsec transform set and lifetimes.


a. The IPsec transform set is another crypto configuration parameter that routers negotiate to form a security association. To create an IPsec transform set, use the crypto ipsec transform-set tag parameters command. Use ? to see which parameters are available.
R1(config)# crypto ipsec transform-set 50 ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

b. On R1 and R3, create a transform set with tag 50 and use an Encapsulating Security Protocol (ESP) transform with an AES 256 cipher with ESP and the SHA hash function. The transform sets must match.
R1(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)# exit
R3(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
R3(cfg-crypto-trans)# exit

c. What is the function of the IPsec transform set? The IPsec transform set specifies the cryptographic algorithms and functions (transforms) that a router employs on the actual data packets sent through the IPsec tunnel. These algorithms include the encryption, encapsulation, authentication, and data integrity services that IPsec can apply.

d. You can also change the IPsec security association lifetimes from the default of 3600 seconds or 4,608,000 kilobytes, whichever comes first. On R1 and R3, set the IPsec security association lifetime to 30 minutes, or 1800 seconds.
R1(config)# crypto ipsec security-association lifetime seconds 1800
R3(config)# crypto ipsec security-association lifetime seconds 1800

Step 6: Define interesting traffic.


a. To make use of the IPsec encryption with the VPN, it is necessary to define extended access lists to tell the router which traffic to encrypt. A packet that is permitted by an access list used for defining IPsec traffic is encrypted if the IPsec session is configured correctly. A packet that is denied by one of these access lists is not dropped, but sent unencrypted. Also, like any other access list, there is an implicit deny at the end, which, in this case, means the default action is to not encrypt traffic. If there is no IPsec security association correctly configured, no traffic is encrypted, and traffic is forwarded as unencrypted.

b. In this scenario, the traffic you want to encrypt is traffic going from R1's Ethernet LAN to R3's Ethernet LAN, or vice versa. These access lists are used outbound on the VPN endpoint interfaces and must mirror each other.

c. Configure the IPsec VPN interesting traffic ACL on R1.
R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

d. Configure the IPsec VPN interesting traffic ACL on R3.
R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

e. Does IPsec evaluate whether the access lists are mirrored as a requirement to negotiate its security association? Yes. IPsec does evaluate whether access lists are mirrored. IPsec does not form a security association if the peers do not have mirrored access lists to select interesting traffic.

Step 7: Create and apply a crypto map.

A crypto map associates traffic that matches an access list to a peer and various IKE and IPsec settings. After the crypto map is created, it can be applied to one or more interfaces. The interfaces that it is applied to should be the ones facing the IPsec peer.

a. To create a crypto map, use the global configuration command crypto map name sequence-num type to enter the crypto map configuration mode for that sequence number. Multiple crypto map statements can belong to the same crypto map and are evaluated in ascending numerical order. Enter the crypto map configuration mode on R1. Use a type of ipsec-isakmp, which means IKE is used to establish IPsec security associations.

b. Create the crypto map on R1, name it CMAP, and use 10 as the sequence number. A message will display after the command is issued.
R1(config)# crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.

c. Use the match address access-list command to specify which access list defines which traffic to encrypt.
R1(config-crypto-map)# match address 101

d. To view the list of possible set commands that you can do in a crypto map, use the help function.
R1(config-crypto-map)# set ?
  identity              Identity restriction.
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order

e. Setting a peer IP or host name is required, so set it to R3's remote VPN endpoint interface using the following command.
R1(config-crypto-map)# set peer 10.2.2.1

f. Hard code the transform set to be used with this peer, using the set transform-set tag command. Set the perfect forward secrecy type using the set pfs type command, and also modify the default IPsec security association lifetime with the set security-association lifetime seconds seconds command.
R1(config-crypto-map)# set pfs group5
R1(config-crypto-map)# set transform-set 50
R1(config-crypto-map)# set security-association lifetime seconds 900
R1(config-crypto-map)# exit

g. Create a mirrored matching crypto map on R3.
R3(config)# crypto map CMAP 10 ipsec-isakmp
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# set peer 10.1.1.1
R3(config-crypto-map)# set pfs group5
R3(config-crypto-map)# set transform-set 50
R3(config-crypto-map)# set security-association lifetime seconds 900
R3(config-crypto-map)# exit

h. The last step is applying the maps to interfaces. Note that the security associations (SAs) will not be established until the crypto map has been activated by interesting traffic. The router will generate a notification that crypto is now on.

i. Apply the crypto maps to the appropriate interfaces on R1 and R3.
R1(config)# interface S0/0/0
R1(config-if)# crypto map CMAP
*Jan 28 04:09:09.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)# end

R3(config)# interface S0/0/1
R3(config-if)# crypto map CMAP
*Jan 28 04:10:54.268: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)# end
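Steps 2 through 7 above leave several values that must agree on both peers (ISAKMP policy parameters, the pre-shared key and the address it is bound to, the transform set, PFS, and the mirrored crypto ACL), and a mismatch in any of them shows up only later as a tunnel that never comes up. The following is an added example, not part of the Cisco lab, that parses two endpoint configurations and reports those mismatches before you apply them. The parser understands only the commands this lab uses and expects them as typed (show run abbreviates some keywords and omits defaults); the two sample configurations are constructed from the lab's own R1 and R3 commands.

```python
# Added example, not part of the Cisco lab: consistency check for two endpoint configs
# that should form one site-to-site tunnel. Handles only the commands the lab uses.
# Feed it commands as typed; normalise real "show run" output first.

def parse(cfg: str) -> dict:
    d = {"policy": {}, "keys": {}, "tset": {}, "acl": {}, "cmap": {}, "if_ip": {}, "if_map": {}}
    sect = None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if not raw.startswith(" "):                # IOS indents sub-mode commands
            sect = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                sect = ("policy", d["policy"].setdefault(w[3], {}))
            elif w[:3] == ["crypto", "isakmp", "key"] and "address" in w:
                d["keys"][w[w.index("address") + 1]] = w[3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                d["tset"][w[3]] = tuple(w[4:])
            elif w[:2] == ["crypto", "map"] and len(w) > 3:
                sect = ("cmap", d["cmap"].setdefault(w[2], {}))  # one entry per map suffices here
            elif w[0] == "access-list" and w[2] == "permit":
                d["acl"].setdefault(w[1], []).append(tuple(w[3:]))
            elif w[0] == "interface":
                sect = ("if", w[1])
        elif sect and sect[0] == "policy":
            sect[1][w[0]] = " ".join(w[1:])
        elif sect and sect[0] == "cmap" and w[0] in ("set", "match"):
            sect[1][w[1]] = " ".join(w[2:])            # peer, pfs, transform-set, address, ...
        elif sect and sect[0] == "if":
            if w[:2] == ["ip", "address"]:
                d["if_ip"][sect[1]] = w[2]
            elif w[:2] == ["crypto", "map"]:
                d["if_map"][w[2]] = sect[1]
    return d


def endpoint(d: dict):
    """Address of the interface that carries the crypto map, plus that map's settings."""
    for name, intf in d["if_map"].items():
        return d["if_ip"].get(intf), d["cmap"].get(name, {})
    return None, {}


def check_pair(a_cfg: str, b_cfg: str) -> list:
    a, b = parse(a_cfg), parse(b_cfg)
    (a_ip, a_map), (b_ip, b_map) = endpoint(a), endpoint(b)
    problems = []
    if a_map.get("peer") != b_ip or b_map.get("peer") != a_ip:
        problems.append(f"set peer does not point at the other side's crypto-map interface "
                        f"({a_map.get('peer')} vs {b_ip}; {b_map.get('peer')} vs {a_ip})")
    if not a["keys"].get(b_ip) or a["keys"].get(b_ip) != b["keys"].get(a_ip):
        problems.append("pre-shared keys missing, bound to the wrong address, or different")
    # lifetime need not be equal for Phase 1 (the lower value wins); the rest must match
    strip = lambda p: {k: v for k, v in p.items() if k != "lifetime"}
    if not any(strip(p) == strip(q) for p in a["policy"].values() for q in b["policy"].values()):
        problems.append("no ISAKMP policy with the same encryption/hash/auth/group on both peers")
    ta = a["tset"].get(a_map.get("transform-set"))
    tb = b["tset"].get(b_map.get("transform-set"))
    if ta is None or ta != tb:
        problems.append(f"transform sets differ or are not referenced: {ta} vs {tb}")
    if a_map.get("pfs") != b_map.get("pfs"):
        problems.append("PFS setting differs")
    acl_a = a["acl"].get(a_map.get("address"), [])
    acl_b = b["acl"].get(b_map.get("address"), [])
    # the mirror of (proto, src, swild, dst, dwild) is the entry with the two ends swapped
    if not acl_a or sorted((p, t, tw, s, sw) for p, s, sw, t, tw in acl_a) != sorted(acl_b):
        problems.append("crypto ACLs are not mirror images of each other")
    return problems


def lab_cfg(local_lan, local_if, local_ip, peer_ip, remote_lan):
    """The Part 2 configuration of one endpoint, as typed in the lab (constructed sample)."""
    return f"""crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
crypto isakmp key cisco123 address {peer_ip}
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer {peer_ip}
 set pfs group5
 set transform-set 50
 set security-association lifetime seconds 900
interface {local_if}
 ip address {local_ip} 255.255.255.252
 crypto map CMAP
access-list 101 permit ip {local_lan} 0.0.0.255 {remote_lan} 0.0.0.255
"""


R1_CFG = lab_cfg("192.168.1.0", "Serial0/0/0", "10.1.1.1", "10.2.2.1", "192.168.3.0")
R3_CFG = lab_cfg("192.168.3.0", "Serial0/0/1", "10.2.2.1", "10.1.1.1", "192.168.1.0")
```

check_pair(R1_CFG, R3_CFG) returns an empty list for the lab's configuration; change the key, the peer address, a policy parameter or one wildcard mask on either side and the corresponding message is returned instead. Applied to real captures it answers the question in Step 6e mechanically: if the ACLs are not exact mirrors, the peers will not agree on the Phase 2 proxy identities and no IPsec SA will form.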

Task 2: Verify Site-to-Site IPsec VPN Configuration


Step 1: Verify the IPsec configuration on R1 and R3.
a. Previously, you used the show crypto isakmp policy command to show the configured ISAKMP policies on the router. Similarly, the show crypto ipsec transform-set command displays the configured IPsec policies in the form of the transform sets.
R1# show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },

R3# show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },

b. Use the show crypto map command to display the crypto maps that will be applied to the router.
R1# show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
        Peer = 10.2.2.1
        Extended IP access list 101
            access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
        Current peer: 10.2.2.1
        Security association lifetime: 4608000 kilobytes/900 seconds
        PFS (Y/N): Y
        DH group:  group5
        Transform sets={
                50:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CMAP:
                Serial0/0/0

R3# show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
        Peer = 10.1.1.1
        Extended IP access list 101
            access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.1
        Security association lifetime: 4608000 kilobytes/900 seconds
        PFS (Y/N): Y
        DH group:  group5
        Transform sets={
                50:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map CMAP:
                Serial0/0/1

Note: The output of these show commands does not change if interesting traffic goes across the connection. You test various types of traffic in the next task.

Task 3: Verify IPsec VPN Operation


Step 1: Display isakmp security associations.
The show crypto isakmp sa command reveals that no IKE SAs exist yet. When interesting traffic is sent, this command output will change.
R1# show crypto isakmp sa
dst             src             state          conn-id slot status

Step 2: Display IPsec security associations.


a. The show crypto ipsec sa command shows the unused SA between R1 and R3. Note the number of packets sent across and the lack of any security associations listed toward the bottom of the output. The output for R1 is shown here.
R1# show crypto ipsec sa

interface: Serial0/0/0
    Crypto map tag: CMAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

b. Why have no security associations (SAs) been negotiated? Because no interesting traffic has been identified, IPsec has not begun to negotiate a security association over which it will encrypt traffic.

Step 3: Generate some uninteresting test traffic and observe the results.

a. Ping from R1 to the R3 S0/0/1 interface IP address 10.2.2.1. Were the pings successful? Yes.

b. Issue the show crypto isakmp sa command. Was an SA created between R1 and R3? No.

c. Ping from R1 to the R3 Fa0/1 interface IP address 192.168.3.1. Were the pings successful? Yes.

d. Issue the show crypto isakmp sa command again. Was an SA created for these pings? Why or why not? No SA was created. The source address of both pings was the R1 S0/0/0 address of 10.1.1.1. In the first case, the destination address was 10.2.2.1. In the second case, the destination address was 192.168.3.1. This is not "interesting" traffic. The ACL 101 that is associated with the crypto map for R1 defines interesting traffic as IP packets from the 192.168.1.0/24 network to the 192.168.3.0/24 network.

e. Issue the command debug eigrp packets. You should see EIGRP hello packets exchanged between R1 and its neighbor R2 (10.1.1.2); hellos are link-local and never reach R3 directly.
R1# debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R1#
*Jan 29 11:05:41.243: EIGRP: Received HELLO on Serial0/0/0 nbr 10.1.1.2
*Jan 29 11:05:41.243:   AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
*Jan 29 11:05:41.887: EIGRP: Sending HELLO on Serial0/0/0
*Jan 29 11:05:41.887:   AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R1#
*Jan 29 11:05:43.643: EIGRP: Sending HELLO on FastEthernet0/1
*Jan 29 11:05:43.643:   AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
R1#

f. Turn off debugging with the no debug eigrp packets or undebug all command.

g. Issue the show crypto isakmp sa command again. Was an SA created between R1 and R3? Why or why not? No. This is router-to-router routing protocol traffic. The source and destination of these packets are not interesting, do not initiate the SA, and are not encrypted.

Step 4: Generate some interesting test traffic and observe the results.

a. Use an extended ping from R1 to the R3 Fa0/1 interface IP address 192.168.3.1. Extended ping allows you to control the source address of the packets. Respond as shown in the following example. Press Enter to accept the defaults, except where a specific response is indicated.
R1# ping
Protocol [ip]:
Target IP address: 192.168.3.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/92/92 ms

b. Issue the show crypto isakmp sa command again.
R1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1001    0 ACTIVE

c. Why was an SA created between R1 and R3 this time? The source was 192.168.1.1, and the destination was 192.168.3.1. This is interesting traffic based on the ACL 101 definition. An SA is established, and packets travel through the tunnel as encrypted traffic.

d. What are the endpoints of the IPsec VPN tunnel? Src: 10.1.1.1 (R1 S0/0/0), Dst: 10.2.2.1 (R3 S0/0/1).

e. Ping from PC-A to PC-C. Were the pings successful? Yes.

f. Issue the show crypto ipsec sa command. How many packets have been transformed between R1 and R3? Nine: five packets from the R1-to-R3 extended ping and four from the PC-A-to-PC-C ping, one packet per echo request. The number of packets may vary depending on how many pings have been issued and from where.
R1# show crypto ipsec sa

interface: !erial.9.9. Cr&pto map tag: C#AP3 local a$$r 1.212121 protecte$ /rf: (none) local i$ent (a$$r9mask9prot9port): ([email protected].) remote i$ent (a$$r9mask9prot9port): ([email protected].) currentBpeer 1.222221 port 0.. P(R# <3 flagsFDoriginBisBacl3E #pkts encaps: @3 #pkts encr&pt: @3 #pkts $igest: @ #pkts $ecaps: @3 #pkts $ecr&pt: @3 #pkts /erif&: @ #pkts compresse$: .3 #pkts $ecompresse$: . #pkts not compresse$: .3 #pkts compr2 faile$: . #pkts not $ecompresse$: .3 #pkts $ecompress faile$: . #sen$ errors .3 #rec/ errors . local cr&pto en$pt2: 1.2121213 remote cr&pto en$pt2: 1.222221 pat% mtu 10..3 ip mtu 10..3 ip mtu i$- !erial.9.9. current out-oun$ spi: .'C1)).07(2.327.?O2) in-oun$ esp sas: spi: .')C0O12.C(3O?O.20?23) transform: esp-201-aes esp-s%a-%mac 3 in use settings FD<unnel3 E conn i$: 2..03 flo8Bi$: CP,A:03 cr&pto map: C#AP sa timing: remaining ke& lifetime (k9sec): (??701@097OO) S si4e: 11 -&tes repla& $etection support: A !tatus: AC< S( in-oun$ a% sas: in-oun$ pcp sas: out-oun$ esp sas: spi: .'C1)).07(2.327.?O2) transform: esp-201-aes esp-s%a-%mac 3 in use settings FD<unnel3 E conn i$: 2..13 flo8Bi$: CP,A:13 cr&pto map: C#AP
"ll contents are #opyright $ %&&22'%2 #isco Syste(s) Inc! "ll rights reserved! *his docu(ent is #isco +ublic Infor(ation! +age %, of ,'

CCNA Security
sa timing: remaining ke& lifetime (k9sec): (??701@097OO) S si4e: 11 -&tes repla& $etection support: A !tatus: AC< S( out-oun$ a% sas: out-oun$ pcp sas: g! *he previous eAa(ple used pings to generate interesting traffic! ;hat other types of traffic would result in an S" for(ing and tunnel establish(entC "ny traffic initiated fro( R% with a source address in the %&2!%./!%!'-2, networ5 and a destination address in the %&2!%./!3!'-2, networ5! 6n R3) interesting traffic is any traffic with a source address in the %&2!%./!3!'-2, networ5 and a destination address in the %&2!%./!%!'-2, networ5! *his includes *+) >**+) *elnet) and others!
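The "interesting traffic" decision in Steps 1 and 2 is nothing more than the crypto ACL evaluated with IOS wildcard-mask semantics. The following Python is an added example, not part of the lab and not Cisco code: it implements that match for the lab's access-list 101 on R1 and its mirror on R3, classifies the flows tried above (the two pings sourced from 10.1.1.1, the EIGRP hellos, the extended ping sourced from Fa0/1, and PC-A to PC-C), and checks that the two ACLs are mirror images of each other. The EIGRP multicast destination 224.0.0.10 is a protocol constant, not a value taken from the lab.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip SRC SRC-WILDCARD DST DST-WILDCARD' line of a crypto ACL."""
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def is_interesting(acl, src: str, dst: str) -> bool:
    """True when a packet src->dst hits a permit line, i.e. the crypto map
    would negotiate an SA for it and encrypt it."""
    return any(wildcard_match(src, e.src, e.src_wildcard)
               and wildcard_match(dst, e.dst, e.dst_wildcard) for e in acl)


def mirror(acl):
    """The peer's crypto ACL must be the mirror image: source and destination swapped."""
    return [AclEntry(e.dst, e.dst_wildcard, e.src, e.src_wildcard) for e in acl]


def is_mirrored(local_acl, peer_acl) -> bool:
    return set(mirror(local_acl)) == set(peer_acl)


# Crypto ACLs from the lab's running configs (access-list 101 on R1 and on R3).
R1_ACL_101 = [AclEntry("192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255")]
R3_ACL_101 = [AclEntry("192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]

# The flows tried in Steps 1 and 2, as seen from R1. 224.0.0.10 is EIGRP's
# well-known multicast group (a protocol constant, not a value from the lab).
FLOWS = [
    ("ping R3 S0/0/1 sourced from R1 S0/0/0", "10.1.1.1", "10.2.2.1"),
    ("ping R3 Fa0/1 sourced from R1 S0/0/0", "10.1.1.1", "192.168.3.1"),
    ("EIGRP hello on S0/0/0", "10.1.1.1", "224.0.0.10"),
    ("extended ping sourced from R1 Fa0/1", "192.168.1.1", "192.168.3.1"),
    ("PC-A to PC-C", "192.168.1.3", "192.168.3.3"),
]


def classify_flows(acl=R1_ACL_101):
    """Map each flow description to whether the crypto ACL calls it interesting."""
    return {name: is_interesting(acl, src, dst) for name, src, dst in FLOWS}


if __name__ == "__main__":
    for name, interesting in classify_flows().items():
        print(f"{'SA  ' if interesting else 'none'}  {name}")
    print("R3 ACL mirrors R1 ACL:", is_mirrored(R1_ACL_101, R3_ACL_101))
```

Only the last two flows match on R1, which is exactly what the show crypto isakmp sa checks in Steps 1d, 1g and 2b reported; the mirror check is the condition Task 3 relies on when it generates R3's configuration from R1's.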

Part 3: Configure a Site-to-Site IPsec VPN with CCP

In Part 3 of this lab, configure an IPsec VPN tunnel between R1 and R3 that passes through R2. Task 1 will restore the router to the basic settings using your saved configurations. In Task 2, configure R1 using Cisco CCP. In Task 3, mirror those settings to R3 using CCP utilities. Finally, review and test the resulting configuration.

Task 1: Restore Router R1 and R3 to the Basic Settings

To avoid confusion as to what was entered in Part 2 of the lab, start by restoring R1 and R3 to the basic configuration as described in Part 1 of this lab.

Step 1: Erase and reload the router.

a. Connect to the router console, and enter privileged EXEC mode.
b. Erase the startup config and then issue the reload command to restart the router.

Step 2: Restore the basic configuration.

a. When the router restarts, enter privileged EXEC mode with the enable command, and then enter global config mode. Use the HyperTerminal Transfer > Send File function, copy and paste, or use another method to load the basic startup config for R1 and R3 that was created and saved in Part 1 of this lab.
b. Save the running config to the startup config for R1 and R3 using the copy run start command.
c. Test connectivity by pinging from host PC-A to PC-C. If the pings are not successful, troubleshoot the router and PC configurations before continuing.

Task 2: Configure IPsec VPN Settings on R1 Using CCP

Step 1: Configure a username and password pair and enable HTTP router access.

a. From the CLI, configure a username and password for use with CCP on R1 and R3.

R1(config)# username admin privilege 15 secret cisco12345
R3(config)# username admin privilege 15 secret cisco12345

b. Enable the HTTP server on R1 and R3.

R1(config)# ip http server
R3(config)# ip http server

c. Configure local database authentication of web sessions to support CCP connectivity.

R1(config)# ip http authentication local
R3(config)# ip http authentication local

Step 2: Access CCP and discover R1.

a. Run the CCP application on PC-A. In the Select/Manage Community window, input the R1 IP address 192.168.1.1 in the Hostname/Address field, admin in the Username field, and cisco12345 in the Password field. Click the OK button.

b. At the CCP Dashboard, click on the Discovery button to discover and connect to R1. If the discovery process fails, use the Discover Details button to determine the problem so that you can resolve the issue.

Step 3: Start the CCP VPN wizard to configure R1.

a. Click the Configure button at the top of the CCP screen, and choose Security > VPN > Site-to-Site VPN. Read through the description of this option.

b. What must you know to complete the configuration?
The remote device (R3 S0/0/1) IP address and the pre-shared key (cisco12345), which will be established in Task 2, Step 4.

c. Click the Launch the selected task button to begin the CCP Site-to-Site VPN wizard.

d. On the initial Site-to-Site VPN Wizard window, the Quick Setup option is selected by default. Click the View Defaults button to see what settings this option uses. What type of encryption does the default transform set use?
ESP-3DES

e. From the initial Site-to-Site VPN wizard window, choose the Step by Step wizard, and then click Next. Why would you use this option over the Quick setup option?
So that you have more control over the VPN settings used.

Step 4: Configure basic VPN connection information settings.

a. From the VPN Connection Information window, select the interface for the connection, which should be R1 Serial0/0/0.

b. In the Peer Identity section, select Peer with static IP address and enter the IP address of remote peer R3 S0/0/1 (10.2.2.1).

c. In the Authentication section, click Pre-shared Keys, and enter the pre-shared VPN key cisco12345. Re-enter the key for confirmation. This key authenticates the initial exchange to establish the Security Association between devices. When finished, your screen should look similar to the following. Once you have entered these settings correctly, click Next.

Step 5: Configure IKE policy parameters.

IKE policies are used while setting up the control channel between the two VPN endpoints for key exchange. This is also referred to as the IKE secure association (SA). In contrast, the IPsec policy is used during IKE Phase II to negotiate an IPsec security association to pass target data traffic.

a. In the IKE Proposals window, a default policy proposal is displayed. You can use this one or create a new one. What function does this IKE proposal serve?
The IKE proposal specifies the encryption algorithm, authentication algorithm, and key exchange method used by this router when negotiating a VPN connection with a remote router.

b. Click the Add button to create a new IKE policy.

c. Set up the security policy as shown in the Add IKE Policy dialog box below. These settings are matched later on R3. When finished, click OK to add the policy. Then click Next.

d. Click the Help button for assistance in answering the following questions. What is the function of the encryption algorithm in the IKE policy?
The encryption algorithm encrypts and decrypts the payload of the control packets that pass over the secure IKE channel.

e. What is the purpose of the hash function?
The hash validates that the entire control packet has not been tampered with during transit. The hash also authenticates the remote peer as the origin of the packet via a secret key.

f. What function does the authentication method serve?
Both endpoints verify that the IPsec traffic that they have received is sent by the remote IPsec peer.

g. How is the Diffie-Hellman group in the IKE policy used?
The Diffie-Hellman group is used by each of the endpoints to generate a shared secret key, which is never transmitted across the network. Each Diffie-Hellman group has an associated key length.

h. What event happens at the end of the IKE policy's lifetime?
IKE renegotiates the IKE association.

Step 6: Configure a transform set.

The transform set is the IPsec policy used to encrypt, hash, and authenticate packets that pass through the tunnel. The transform set is the IKE Phase 2 policy.

a. A CCP default transform set is displayed. Click the Add button to create a new transform set.

b. Set up the transform set as shown in the Transform Set dialog box below. These settings are matched later on R3. When finished, click OK to add the transform set. Then click Next.
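Steps 5 and 6 both stress that R3 must later hold matching IKE proposals. The following Python is an added example, not IOS or CCP code and not part of the lab: it is a simplified model of how a responding router selects a Phase 1 policy, following the behaviour Cisco documents (the responder walks its own policies in priority order and takes the first one whose encryption, hash, authentication method and DH group are identical to a proposal from the initiator; the shorter of the two lifetimes is used). It is loaded with the two policies that end up on both routers in this lab, the CCP default policy 1 and the lab's policy 10, and shows that as long as both routers keep policy 1 it is the first match, that policy 10 is selected once policy 1 is removed from both sides, and that a peer missing the matching proposal gets no agreement at all.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # the <n> in 'crypto isakmp policy <n>'; lower = preferred
    encryption: str
    hash: str
    authentication: str
    group: int           # Diffie-Hellman group
    lifetime: int        # seconds


# The two policies present on R1 and R3 after the mirror configuration
# (values from the lab's 'show crypto isakmp policy' output).
CCP_DEFAULT_POLICY_1 = IsakmpPolicy(1, "3des", "sha", "pre-share", 2, 86400)
LAB_POLICY_10 = IsakmpPolicy(10, "aes-256", "md5", "pre-share", 5, 28800)


def same_suite(a: IsakmpPolicy, b: IsakmpPolicy) -> bool:
    """Encryption, hash, authentication method and DH group must all be identical."""
    return (a.encryption, a.hash, a.authentication, a.group) == \
           (b.encryption, b.hash, b.authentication, b.group)


def negotiate(initiator, responder):
    """Simplified model of IOS Phase 1 policy selection (not IOS code):
    the responder walks its own policies in priority order and, for each one,
    compares every proposal the initiator offered; the first identical suite
    wins and the shorter of the two lifetimes is used.
    Returns (responder_policy, initiator_policy, agreed_lifetime) or None."""
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in sorted(initiator, key=lambda p: p.priority):
            if same_suite(mine, theirs):
                return mine, theirs, min(mine.lifetime, theirs.lifetime)
    return None


def agreed_priority(initiator, responder):
    """Priority number of the responder's policy that matched, or None."""
    outcome = negotiate(initiator, responder)
    return None if outcome is None else outcome[0].priority


if __name__ == "__main__":
    both = [CCP_DEFAULT_POLICY_1, LAB_POLICY_10]
    print("both routers keep policy 1 and 10 ->", negotiate(both, both))
    print("policy 1 removed on both         ->", negotiate([LAB_POLICY_10], [LAB_POLICY_10]))
    print("R3 lacks policy 10               ->", negotiate([LAB_POLICY_10], [CCP_DEFAULT_POLICY_1]))
```

The practical lesson is the one Task 4 verifies with show crypto isakmp policy: a stronger policy only protects the tunnel if it is the one that actually matches, so either remove the weaker default from both routers or give the stronger policy the lower priority number on both.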

Step 7: Define interesting traffic.

You must define interesting traffic to be protected through the VPN tunnel. Interesting traffic is defined through an access list applied to the router. By entering the source and destination subnets that you would like to protect through the VPN tunnel, CCP generates the appropriate simple access list for you. In the Traffic to protect window, enter the information as shown below. These are the opposite of the settings configured on R3 later in the lab. When finished, click Next.

Step 8: Review the summary configuration and deliver commands to the router.

a. Review the Summary of the Configuration window. It should look similar to the one below. Do not select the checkbox for Test VPN connectivity after configuring. This is done after configuring R3.

b. In the Deliver Configuration to router window, select Save running config to router's startup config and click the Deliver button. After the commands have been delivered, click OK. How many commands were delivered?
31 with CCP 2.5

Task 3: Create a Mirror Configuration for R3

Step 1: Use CCP on R1 to generate a mirror configuration for R3.

a. On R1, click the Configure button at the top of the CCP screen, and then choose Security > VPN > Site-to-Site VPN. Click the Edit Site to Site VPN tab. You should see the VPN configuration listed that you just created on R1. What is the description of the VPN?
Tunnel to 10.2.2.1

b. What is the status of the VPN and why?
Down. The IKE security association could not be established because the VPN peer R3 has not yet been configured. R3 must be configured with the appropriate VPN parameters, such as matching IKE proposals and IPsec policies and a mirrored access list, before the IKE and IPsec security associations will activate.

c. Select the VPN policy you just configured on R1 and click the Generate Mirror button in the lower right of the window. The Generate Mirror window displays the commands necessary to configure R3 as a VPN peer. Scroll through the window to see all the commands generated.

d. The text at the top of the window states that the configuration generated should only be used as a guide for setting up a site-to-site VPN. What commands are missing to allow this crypto policy to function on R3?
The commands to apply the crypto map to the S0/0/1 interface. Hint: Look at the description entry following the crypto map SDM_CMAP_1 command.

Step 2: Save the configuration commands for R3.

a. Click the Save button to create a text file for use in the next task.

b. Save the commands to the desktop or other location and name it VPN-Mirror-Cfg-for-R3.txt.
Note: You can also copy the commands directly from the Generate Mirror window.

c. (Optional) Edit the file to remove the explanation text at the beginning and the description entry following the crypto map SDM_CMAP_1 command.
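Generate Mirror builds the peer's configuration by keeping the parameters both routers must share and swapping the ones that are peer-specific. The following Python is an added example (not CCP's generator and not code from the lab): from the values in the lab's R1 running config it emits the crypto configuration for either side, including the interface lines that Step 1d notes are absent from the mirror output, and runs the checks a practitioner makes before pasting a mirror config into the peer: shared algorithms identical, crypto ACLs mirrored, pre-shared key bound to the address the crypto map actually peers with, and the crypto map applied to an interface. The class and function names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnSite:
    hostname: str
    wan_interface: str   # interface the crypto map is applied to
    wan_ip: str          # IPsec tunnel endpoint
    lan_network: str     # protected LAN behind this router
    lan_wildcard: str    # IOS wildcard mask of that LAN


@dataclass(frozen=True)
class VpnPolicy:
    psk: str
    isakmp_priority: int
    isakmp_lines: tuple      # body of 'crypto isakmp policy', identical on both peers
    transform_name: str
    transform: str
    map_name: str
    map_seq: int
    acl_number: int


# Values from the lab's R1 "after Part 3" running config.
R1 = VpnSite("R1", "Serial0/0/0", "10.1.1.1", "192.168.1.0", "0.0.0.255")
R3 = VpnSite("R3", "Serial0/0/1", "10.2.2.1", "192.168.3.0", "0.0.0.255")
LAB_POLICY = VpnPolicy(
    psk="cisco12345", isakmp_priority=10,
    isakmp_lines=("encr aes 256", "hash md5", "authentication pre-share",
                  "group 5", "lifetime 28800"),
    transform_name="Lab-Transform", transform="esp-aes 256 esp-sha-hmac",
    map_name="SDM_CMAP_1", map_seq=1, acl_number=100)


def crypto_config(local: VpnSite, remote: VpnSite, p: VpnPolicy) -> list:
    """IOS lines that make `local` an IPsec peer of `remote`.  Algorithm choices
    are shared; peer address, PSK binding, ACL direction and the interface the
    map is applied to are derived from which side is local."""
    lines = [f"crypto isakmp policy {p.isakmp_priority}"]
    lines += [f" {l}" for l in p.isakmp_lines]
    lines += [
        f"crypto isakmp key {p.psk} address {remote.wan_ip}",
        "!",
        f"crypto ipsec transform-set {p.transform_name} {p.transform}",
        "!",
        f"access-list {p.acl_number} permit ip {local.lan_network} {local.lan_wildcard} "
        f"{remote.lan_network} {remote.lan_wildcard}",
        "!",
        f"crypto map {p.map_name} {p.map_seq} ipsec-isakmp",
        f" description Tunnel to {remote.wan_ip}",
        f" set peer {remote.wan_ip}",
        f" set transform-set {p.transform_name}",
        f" match address {p.acl_number}",
        "!",
        # The part CCP's Generate Mirror output leaves for you to add by hand:
        f"interface {local.wan_interface}",
        f" crypto map {p.map_name}",
    ]
    return lines


def _first(lines, prefix):
    for line in lines:
        if line.strip().startswith(prefix):
            return line.strip()
    return None


def _all(lines, prefix):
    return [l.strip() for l in lines if l.strip().startswith(prefix)]


def mirror_problems(cfg_a: list, cfg_b: list) -> list:
    """Checks to run on two peer configs before pasting the mirror into the peer."""
    problems = []
    for prefix in ("encr ", "hash ", "authentication ", "group ", "lifetime ",
                   "crypto ipsec transform-set ", "set transform-set "):
        if _all(cfg_a, prefix) != _all(cfg_b, prefix):
            problems.append(f"'{prefix.strip()}' differs between the peers")
    acl_a = _first(cfg_a, "access-list ").split()   # [access-list, N, permit, ip, S, SW, D, DW]
    acl_b = _first(cfg_b, "access-list ").split()
    if acl_a[4:6] != acl_b[6:8] or acl_a[6:8] != acl_b[4:6]:
        problems.append("crypto ACLs are not mirror images of each other")
    for cfg in (cfg_a, cfg_b):
        peer = _first(cfg, "set peer ").split()[2]
        key_addr = _first(cfg, "crypto isakmp key ").split()[-1]
        if peer != key_addr:
            problems.append(f"PSK is bound to {key_addr} but the peer is {peer}")
        if _first(cfg, "interface ") is None:
            problems.append("crypto map is not applied to any interface")
    if _first(cfg_a, "set peer ") == _first(cfg_b, "set peer "):
        problems.append("both configs point at the same peer address")
    return problems


if __name__ == "__main__":
    r1_cfg = crypto_config(R1, R3, LAB_POLICY)
    r3_cfg = crypto_config(R3, R1, LAB_POLICY)
    print("\n".join(r3_cfg))
    print("problems:", mirror_problems(r1_cfg, r3_cfg))
```

Running it prints the R3 side and an empty problem list; deleting the two interface lines from R3's config, or pasting R1's own ACL into R3 unmirrored, makes the checker report exactly the mistakes Task 4 would otherwise surface only as a tunnel that stays down.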
Task 4: Apply the Mirror Configuration to R3 and Verify the Configuration

Step 1: Access the R3 CLI and copy the mirror commands.

Note: You can also use CCP on R3 to create the appropriate VPN configuration, but copying and pasting the mirror commands generated from R1 is easier.

a. On R3, enter privileged EXEC mode and then global config mode.
b. Copy the commands from the text file into the R3 CLI.

Step 2: Apply the crypto map to the R3 S0/0/1 interface.

R3(config)# interface S0/0/1
R3(config-if)# crypto map SDM_CMAP_1
*Jan 30 13:00:38.184: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 3: Verify the VPN configuration on R3 using Cisco IOS.

a. Display the running config beginning with the first line that contains the string "0/0/1" to verify that the crypto map is applied to S0/0/1.

R3# sh run | beg 0/0/1
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 crypto map SDM_CMAP_1

b. On R3, use the show crypto isakmp policy command to show the configured ISAKMP policies on the router. Note that the default CCP policy is also present.

R3# show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               28800 seconds, no volume limit

c. In the above output, how many ISAKMP policies are there?
Two, the CCP default with priority 1 and the one with priority 10, which was created during the CCP session with R1 and copied as part of the mirror configuration.

d. Issue the show crypto ipsec transform-set command to display the configured IPsec policies in the form of the transform sets.

R3# show crypto ipsec transform-set
Transform set Lab-Transform: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  }
   will negotiate = { Transport,  },

e. Use the show crypto map command to display the crypto maps that will be applied to the router.

R3# show crypto map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
        Description: Apply the crypto map on the peer router's interface having IP address 10.2.2.1 that connects to this router.
        Peer = 10.1.1.1
        Extended IP access list SDM_1
            access-list SDM_1 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 10.1.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                Lab-Transform:  { esp-256-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map SDM_CMAP_1:
                Serial0/0/1

f. In the above output, the ISAKMP policy being used by the crypto map is the CCP default policy with sequence number priority 1, indicated by the number 1 in the first output line: Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp. Why is it not using the one you created in the CCP session, the one shown with priority 10 in Step 3b above?
The CCP crypto map config defaults to using the default ISAKMP policy.

g. (Optional) You can force the routers to use the more stringent policy that you created by changing the crypto map references in the R1 and R3 router configs as shown below. If this is done, the default ISAKMP policy 1 can be removed from both routers. (On R1 the crypto map is applied to S0/0/0, the interface selected in Task 2, Step 4a; on R3 it is applied to S0/0/1.)

R1(config)# interface S0/0/0
R1(config-if)# no crypto map SDM_CMAP_1
R1(config-if)# exit
*Jan 30 17:01:41.099: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R1(config)# no crypto map SDM_CMAP_1 1
R1(config)# crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)# description Tunnel to 10.2.2.1
R1(config-crypto-map)# set peer 10.2.2.1
R1(config-crypto-map)# set transform-set Lab-Transform
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# exit
R1(config)# int S0/0/0
R1(config-if)# crypto map SDM_CMAP_1
R1(config-if)# e
*Jan 30 17:03:11.103: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3(config)# interface S0/0/1
R3(config-if)# no crypto map SDM_CMAP_1
R3(config-if)# exit
R3(config)# no crypto map SDM_CMAP_1 1
R3(config)# crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)# description Tunnel to 10.1.1.1
R3(config-crypto-map)# set peer 10.1.1.1
R3(config-crypto-map)# set transform-set Lab-Transform
R3(config-crypto-map)# match address 100
R3(config-crypto-map)# exit
R3(config)# int S0/0/1
R3(config-if)# crypto map SDM_CMAP_1
R3(config-if)#
*Jan 30 22:18:28.487: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Task 5: Test the VPN Configuration Using CCP on R1.

a. On R1, use CCP to test the IPsec VPN tunnel between the two routers. Choose the folder Security > VPN > Site-to-Site VPN and click the Edit Site-to-Site VPN tab.

b. From the Edit Site to Site VPN tab, choose the VPN and click Test Tunnel.

c. When the VPN Troubleshooting window displays, click the Start button to have CCP start troubleshooting the tunnel.

d. When the CCP Warning window displays indicating that CCP will enable router debugs and generate some tunnel traffic, click Yes to continue.

e. In the next VPN Troubleshooting window, the IP address of the R1 Fa0/1 interface in the source network is displayed by default (192.168.1.1). Enter the IP address of the R3 Fa0/1 interface in the destination network field (192.168.3.1) and click Continue to begin the debugging process.

f. If the debug is successful and the tunnel is up, you should see the screen below. If the testing fails, CCP displays failure reasons and recommended actions. Click OK to remove the window.

g. You can save the report if desired; otherwise, click Close.
Note: If you want to reset the tunnel and test again, you can click the Clear Connection button from the Edit Site-to-Site VPN window. This can also be accomplished at the CLI using the clear crypto session command.

h. Display the running config for R3 beginning with the first line that contains the string "0/0/1" to verify that the crypto map is applied to S0/0/1.

R3# sh run | beg 0/0/1
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 crypto map SDM_CMAP_1
<output omitted>

i. Issue the show crypto isakmp sa command on R3 to view the security association created.

R3# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.2.1        10.1.1.1        QM_IDLE           1001    0 ACTIVE

j. Issue the show crypto ipsec sa command. How many packets have been transformed between R1 and R3?
116 from the CCP testing

R3# show crypto ipsec sa

interface: Serial0/0/1
    Crypto map tag: SDM_CMAP_1, local addr 10.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 116, #pkts encrypt: 116, #pkts digest: 116
    #pkts decaps: 116, #pkts decrypt: 116, #pkts verify: 116
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.2.2.1, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1
     current outbound spi: .'2.OAA)7A([email protected].)

     inbound esp sas:
      spi: .'AC1.2CA(([email protected]?)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: FPGA:7, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4508294/3037)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: .'2.OAA)7A([email protected].)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: FPGA:8, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4508294/3037)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
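Reading show crypto ipsec sa by eye is fine for one lab router; when many tunnels have to be checked it helps to parse it. The following Python is an added example, not part of the lab and not Cisco code: a small parser for the interface section of that output and a health check that requires an ACTIVE inbound and outbound ESP SA, packets counted in both directions, zero send/receive errors and no legacy transform (esp-des, esp-3des, esp-md5-hmac, esp-null). The sample text is constructed in the layout of the R1 output from Step 2f; its addresses, transform and nine-packet counters follow the lab, while the SPI values and remaining lifetimes are placeholders.

```python
import re

# Constructed sample in the layout of 'show crypto ipsec sa' (addresses, transform
# and the nine-packet counts follow the lab; SPIs and lifetimes are placeholders).
SAMPLE = """\
interface: Serial0/0/0
    Crypto map tag: CMAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
     current outbound spi: 0x11111111(286331153)

     inbound esp sas:
      spi: 0x22222222(572662306)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: FPGA:5, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4464345/3380)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x11111111(286331153)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: FPGA:6, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4464345/3380)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
"""

LEGACY_TRANSFORMS = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-null")


def parse_ipsec_sa(text: str) -> dict:
    """Pull the fields that matter for verification out of one interface section."""
    sa = {"interface": None, "crypto_map": None, "local_addr": None, "peer": None,
          "local_ident": None, "remote_ident": None, "counters": {},
          "send_errors": 0, "recv_errors": 0, "sas": {}}
    direction, current = None, None       # which 'sas:' block we are in, and its SA
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface: (\S+)", line):
            sa["interface"] = m.group(1)
        elif m := re.match(r"Crypto map tag: (\S+), local addr (\S+)", line):
            sa["crypto_map"], sa["local_addr"] = m.groups()
        elif m := re.match(r"(local|remote)\s+ident .*?: \((.+)\)$", line):
            sa[f"{m.group(1)}_ident"] = m.group(2)
        elif m := re.match(r"current_peer (\S+) port", line):
            sa["peer"] = m.group(1)
        elif line.startswith("#pkts"):
            for name, value in re.findall(r"#pkts ([a-z. ]+?): (\d+)", line):
                sa["counters"][name] = int(value)
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction, current = f"{m.group(1)}_{m.group(2)}", None
        elif (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)) and direction:
            current = {"spi": m.group(1), "transform": None, "mode": None, "status": None}
            sa["sas"][direction] = current
        elif current is not None:
            if m := re.match(r"transform: (.+?)\s*,?\s*$", line):
                current["transform"] = m.group(1)
            elif m := re.match(r"in use settings =\{(\w+)", line):
                current["mode"] = m.group(1)
            elif m := re.match(r"Status: (\w+)", line):
                current["status"] = m.group(1)
    return sa


def tunnel_healthy(sa: dict):
    """(ok, problems): the checks a verification script makes on a parsed section."""
    problems = []
    for direction in ("inbound_esp", "outbound_esp"):
        entry = sa["sas"].get(direction)
        if entry is None or entry["status"] != "ACTIVE":
            problems.append(f"{direction} SA missing or not ACTIVE")
        elif any(t in entry["transform"].split() for t in LEGACY_TRANSFORMS):
            problems.append(f"{direction} uses a legacy transform: {entry['transform']}")
    counters = sa["counters"]
    if counters.get("encaps", 0) == 0 or counters.get("decaps", 0) == 0:
        problems.append("no packets counted in both directions yet")
    if sa["send_errors"] or sa["recv_errors"]:
        problems.append("send/recv errors present")
    return (not problems, problems)


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    print(parsed["interface"], parsed["local_addr"], "->", parsed["peer"], parsed["counters"])
    print(tunnel_healthy(parsed))
```

The same parser run over the R3 output above would report 116 packets each way and two ACTIVE ESP SAs, which is what the CCP tunnel test verified from the GUI side.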
Reflection

1. Would traffic on the Fast Ethernet link between PC-A and the R1 Fa0/0 interface be encrypted by the site-to-site IPsec VPN tunnel? Why or why not?
No. This site-to-site VPN only encrypts from router R1 to R3. A sniffer could be used to see the traffic from PC-A to the R1 default gateway.

2. Compared to using the CCP VPN wizard GUI, what are some factors to consider when configuring site-to-site IPsec VPNs using the manual CLI?
Answers will vary but could include the following: Traditional CLI methods are time-consuming and prone to keystroke errors. They also require the administrator to have an extensive knowledge of IPsec VPNs and Cisco IOS command syntax. CCP gives the maximum flexibility and greatly simplifies IPsec VPN configuration. CCP also provides help and explanations on various technologies and settings available.

Router Interface Summary Table

Router Interface Summary
Router Model   Ethernet Interface #1         Ethernet Interface #2         Serial Interface #1     Serial Interface #2
1800           Fast Ethernet 0/0 (Fa0/0)     Fast Ethernet 0/1 (Fa0/1)     Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
1900           Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2800           Fast Ethernet 0/0 (Fa0/0)     Fast Ethernet 0/1 (Fa0/1)     Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2900           Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.

Router Configs

Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet Interfaces.

Router R1 after Part 1

R1#sh run
Building configuration...

Current configuration : 1385 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 no fair-queue
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 1?1?1M17.C.M2@2?2A37322131
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 5 0
 password 7 .0.7.C1C22?3071)..1011.117
 login
!
scheduler allocate 20000 1000
end

Router R2 after Part 1

R2#sh run
Building configuration...

Current configuration : 1319 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 no fair-queue
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 clock rate 64000
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 10.2.2.0 0.0.0.3
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 .0.7.C1C22?3?).11O1011.117
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 5 0
 password 7 .2.0.)?7.7.@1@30000(.7.A11
 login
!
scheduler allocate 20000 1000
end
R2#

Router R3 after Part 1

R3#sh run
Building configuration...

Current configuration : 1347 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.2.2.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 .11..C1O07.?.0..2C0C?C1A.A
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 5 0
 password 7 1?1?1M17.C.M3C3C3)37322131
 login
!
scheduler allocate 20000 1000
end
R3#

Router R1 after Part 2

R1#sh run
Building configuration...

Current configuration : 1815 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco123 address 10.2.2.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.2.2.1
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 no fair-queue
 clock rate 64000
 crypto map CMAP
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 [email protected]?)0)1A
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 5 0
 password 7 ...O1A10.O0?1)121131?)0)1A
 login
!
scheduler allocate 20000 1000
end
R1#

Router R3 after Part 2

R3#sh run
Building configuration...

Current configuration : 1797 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco123 address 10.1.1.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 crypto map CMAP
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.2.2.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 .3.O0217.0..22?3?.1@1711.?
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 5 0
 password 7 1?1?1M17.C.M3C3C3)37322131
 login
!
scheduler allocate 20000 1000
end
R3#

Router R1 after Part 3

R1#sh run
Building configuration...

Current configuration : <byte count not recoverable from source> bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
no logging buffered
enable secret 5 <hash not recoverable from source>
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco12345 address 10.2.2.1
!
crypto ipsec transform-set Lab-Transform esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 10.2.2.1
 set peer 10.2.2.1
 set transform-set Lab-Transform
 match address 100
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 64000
 crypto map SDM_CMAP_1
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 auto-summary
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPsec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 <type-7 string not recoverable from source>
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 5 0
 password 7 <type-7 string not recoverable from source>
 login
!
scheduler allocate 20000 1000
end
R1#

Router R3 after Part 3

R3#sh run
Building configuration...

Current configuration : 1982 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco12345 address 10.1.1.1
!
!
crypto ipsec transform-set Lab-Transform esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set Lab-Transform
 match address SDM_1
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 crypto map SDM_CMAP_1
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.2.2.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip access-list extended SDM_1
 remark CCP_ACL Category=4
 remark IPsec Rule
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 <type-7 string not recoverable from source>
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 5 0
 password 7 <type-7 string not recoverable from source>
 login
!
scheduler allocate 20000 1000
end
R3#
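The Part 3 configurations of R1 and R3 are meant to be mirror images: CCP generates R3's crypto configuration from R1's, and the tunnel only negotiates if the peer addresses, pre-shared key, transform set, ISAKMP policy parameters and crypto ACLs line up on both sides. The following Python script is an added example, not part of the lab or Cisco's tooling. It parses the crypto-relevant lines of the two running-configs (the embedded sample configs are trimmed from the R1 and R3 "after Part 3" outputs above), then checks each property a site-to-site IPsec tunnel depends on and reports every mismatch. It assumes the pre-shared key is written as `crypto isakmp key <psk> address <peer>` (the form used in this lab) and that a crypto map has a single sequence entry; the function names and the deliberately mistyped key used to show a failing check are the example's own.

```python
# Constructed sample: R1's Part 3 crypto configuration, trimmed to the lines the checker reads.
R1_CFG = """\
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco12345 address 10.2.2.1
crypto ipsec transform-set Lab-Transform esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 10.2.2.1
 set transform-set Lab-Transform
 match address 100
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 crypto map SDM_CMAP_1
access-list 100 remark IPsec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""

# Constructed sample: R3's Part 3 mirror configuration (named ACL instead of a numbered one).
R3_CFG = """\
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco12345 address 10.1.1.1
crypto ipsec transform-set Lab-Transform esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set Lab-Transform
 match address SDM_1
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 crypto map SDM_CMAP_1
ip access-list extended SDM_1
 remark IPsec Rule
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


def parse_vpn(cfg):
    """Extract the IKE/IPsec objects from an IOS running-config (hypothetical helper)."""
    vpn = {"policies": {}, "keys": {}, "transform_sets": {}, "maps": {}, "interfaces": {}, "acls": {}}
    cur = kind = None
    for raw in cfg.splitlines():
        p = raw.split()
        if not p or p[0] == "!":
            continue
        if raw[0] != " ":  # a top-level command starts a new block
            cur = kind = None
            if p[:3] == ["crypto", "isakmp", "policy"]:
                cur, kind = vpn["policies"].setdefault(p[3], {}), "policy"
            elif p[:3] == ["crypto", "isakmp", "key"]:
                vpn["keys"][p[5]] = p[3]  # peer address -> PSK (cleartext "key <psk> address <ip>" form)
            elif p[:3] == ["crypto", "ipsec", "transform-set"]:
                vpn["transform_sets"][p[3]] = tuple(p[4:])
            elif p[:2] == ["crypto", "map"]:
                cur, kind = vpn["maps"].setdefault(p[2], {}), "map"
            elif p[0] == "interface":
                cur, kind = vpn["interfaces"].setdefault(p[1], {}), "interface"
            elif p[:3] == ["ip", "access-list", "extended"]:
                cur, kind = vpn["acls"].setdefault(p[3], []), "acl"
            elif p[0] == "access-list" and p[2] in ("permit", "deny"):  # numbered ACL, one line per entry
                vpn["acls"].setdefault(p[1], []).append(tuple(p[2:]))
        elif kind == "policy":
            cur[p[0]] = " ".join(p[1:])  # e.g. {"encr": "aes 256", "group": "5"}
        elif kind == "map" and p[0] in ("set", "match"):
            cur[p[1]] = p[2]  # "peer", "transform-set", "address" (the crypto ACL)
        elif kind == "interface" and p[:2] in (["ip", "address"], ["crypto", "map"]):
            cur[p[1]] = p[2]  # "address" -> interface IP, "map" -> crypto map applied here
        elif kind == "acl" and p[0] in ("permit", "deny"):
            cur.append(tuple(p))
    return vpn


def mirror_problems(local, remote):
    """Return the reasons a tunnel from local to remote would not come up (empty list = mirrored)."""
    problems = []
    remote_tunnel_ips = {i["address"] for i in remote["interfaces"].values() if "map" in i and "address" in i}
    for name, m in local["maps"].items():
        peer, ts, acl = m.get("peer"), m.get("transform-set"), m.get("address")
        if peer not in remote_tunnel_ips:
            problems.append(f"{name}: peer {peer} has no crypto map applied on the remote router")
        if peer not in local["keys"]:
            problems.append(f"{name}: no pre-shared key configured for peer {peer}")
        if local["transform_sets"].get(ts) not in remote["transform_sets"].values():
            problems.append(f"{name}: transform set {ts} has no identical set on the remote router")
        # The remote crypto ACL must be the local one with source and destination swapped.
        mirrored = [(e[0], e[1], e[4], e[5], e[2], e[3]) for e in local["acls"].get(acl, []) if len(e) == 6]
        if not mirrored or not any(sorted(mirrored) == sorted(r) for r in remote["acls"].values()):
            problems.append(f"{name}: crypto ACL {acl} is not mirrored on the remote router")
    if set(local["keys"].values()) != set(remote["keys"].values()):
        problems.append("pre-shared keys differ between the peers")
    if not any(pol in remote["policies"].values() for pol in local["policies"].values()):
        problems.append("no ISAKMP policy has identical parameters on both peers")
    return problems


def check_lab():
    """Run the check in both directions, plus once against a constructed mistyped key on R3."""
    r1, r3 = parse_vpn(R1_CFG), parse_vpn(R3_CFG)
    r3_bad_key = parse_vpn(R3_CFG.replace("cisco12345", "cisco12354"))  # constructed fault
    return {"r1_to_r3": mirror_problems(r1, r3), "r3_to_r1": mirror_problems(r3, r1),
            "r1_to_r3_bad_key": mirror_problems(r1, r3_bad_key)}


if __name__ == "__main__":
    for direction, probs in check_lab().items():
        print(direction, "OK" if not probs else probs)
```

Run stand-alone, the two lab configurations pass in both directions and only the constructed mistyped key is reported. The same parser can be pointed at the full `show run` output of both routers before Part 2's `ping` test, which turns the manual "compare the two sides" step of the lab into a repeatable check.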