8.4.1.2 Packet Tracer – Configure and Verify a Site-to-Site IPsec VPN using CLI Answers PDF

Title 8.4.1.2 Packet Tracer – Configure and Verify a Site-to-Site IPsec VPN using CLI Answers
Author Amuel Wilson
Course Network security
Institution Algonquin College
Pages 8
File Size 399.1 KB
File Type PDF
Total Downloads 21
Total Views 142

Summary

Packet Tracer – Configure and Verify a Site-to-Site IPsec VPN using CLI LAB...


Description

Packet Tracer – Configure and Verify a Site-to-Site IPsec VPN Using CLI

Topology

Addressing Table

Objectives

• Verify connectivity throughout the network.
• Configure R1 to support a site-to-site IPsec VPN with R3.

Background / Scenario

The network topology shows three routers. Your task is to configure R1 and R3 to support a site-to-site IPsec VPN when traffic flows between their respective LANs. The IPsec VPN tunnel is from R1 to R3 via R2. R2 acts as a pass-through and has no knowledge of the VPN. IPsec provides secure transmission of sensitive information over unprotected networks, such as the Internet. IPsec operates at the network layer and protects and authenticates IP packets between participating IPsec devices (peers), such as Cisco routers.

ISAKMP Phase 1 Policy Parameters

Note: Bolded parameters are defaults. Only unbolded parameters have to be explicitly configured.

IPsec Phase 2 Policy Parameters

The routers have been preconfigured with the following:

• Password for console line: ciscoconpa55
• Password for vty lines: ciscovtypa55
• Enable password: ciscoenpa55
• SSH username and password: SSHadmin / ciscosshpa55
• OSPF 101

Part 1: Configure IPsec Parameters on R1

Step 1: Test connectivity.

Ping from PC-A to PC-C.

Step 2: Enable the Security Technology package.

a. On R1, issue the show version command to view the Security Technology package license information.
b. If the Security Technology package has not been enabled, use the following command to enable the package.
R1(config)# license boot module c1900 technology-package securityk9
c. Accept the end user license agreement.
d. Save the running-config and reload the router to enable the security license.
e. Verify that the Security Technology package has been enabled by using the show version command.

Step 3: Identify interesting traffic on R1.

Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting. This interesting traffic will trigger the IPsec VPN to be implemented when there is traffic between the R1 and R3 LANs. All other traffic sourced from the LANs will not be encrypted. Because of the implicit deny all, there is no need to configure a deny ip any any statement.

R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Step 4: Configure the IKE Phase 1 ISAKMP policy on R1.

Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key vpnpa55. Refer to the ISAKMP Phase 1 table for the specific parameters to configure. Default values do not have to be configured. Therefore, only the encryption method, key exchange method, and DH method must be configured.

Note: The highest DH group currently supported by Packet Tracer is group 5. In a production network, you would configure at least DH 14.

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# exit
R1(config)# crypto isakmp key vpnpa55 address 10.2.2.2

Step 5: Configure the IKE Phase 2 IPsec policy on R1.

a. Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac.
R1(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
b. Create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

Step 6: Configure the crypto map on the outgoing interface.

Bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface.

R1(config)# interface s0/0/0
R1(config-if)# crypto map VPN-MAP

Part 2: Configure IPsec Parameters on R3

Step 1: Enable the Security Technology package.

a. On R3, issue the show version command to verify that the Security Technology package license has been enabled.
b. If the Security Technology package has not been enabled, enable the package and reload R3.

Step 2: Configure router R3 to support a site-to-site VPN with R1.

Configure reciprocating parameters on R3. Configure ACL 110 identifying the traffic from the LAN on R3 to the LAN on R1 as interesting.

R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 3: Configure the IKE Phase 1 ISAKMP properties on R3.

Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key vpnpa55.

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 5
R3(config-isakmp)# exit
R3(config)# crypto isakmp key vpnpa55 address 10.1.1.2

Step 4: Configure the IKE Phase 2 IPsec policy on R3.

a. Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac.
R3(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
b. Create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.
R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.1.1.2
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit

Step 5: Configure the crypto map on the outgoing interface.

Bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface.

Note: This is not graded.

R3(config)# interface s0/0/1
R3(config-if)# crypto map VPN-MAP
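With both sides configured (Parts 1 and 2), the classic site-to-site failures are reciprocity mistakes: a pre-shared key typed differently on each router, ACLs that are not mirror images, a peer address pointing at the wrong WAN interface, or Phase 1 policies that drift apart. The Python script below is an added example, not part of the lab; it rebuilds the R1 and R3 scripts from the lab as constructed input, takes R1's WAN address as 10.1.1.2 and R3's as 10.2.2.2 (as the lab's set peer lines imply), and checks the two configurations against each other, also flagging the DH group 5 that the lab itself notes is below the production floor of DH 14.

```python
import re

def lab_config(lan, remote_lan, remote_wan):
    """Constructed reproduction of the lab's R1/R3 scripts (not captured from a router)."""
    return f"""access-list 110 permit ip {lan} 0.0.0.255 {remote_lan} 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key vpnpa55 address {remote_wan}
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer {remote_wan}
 set transform-set VPN-SET
 match address 110"""

# R1 sits at 10.1.1.2 and R3 at 10.2.2.2, as the lab's "set peer" lines imply.
R1_CONFIG = lab_config("192.168.1.0", "192.168.3.0", "10.2.2.2")
R3_CONFIG = lab_config("192.168.3.0", "192.168.1.0", "10.1.1.2")

def parse(cfg):
    """Extract the fields that must agree (or mirror) on both IPsec peers."""
    return {
        "acl": re.search(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups(),
        "policy": sorted(re.findall(r"^\s*(encryption .*|authentication .*|group .*)$", cfg, re.M)),
        "key": re.search(r"crypto isakmp key (\S+) address", cfg).group(1),
        "dh": int(re.search(r"^\s*group (\d+)", cfg, re.M).group(1)),
        "transform": re.search(r"ipsec transform-set \S+ (.*)", cfg).group(1).split(),
        "peer": re.search(r"set peer (\S+)", cfg).group(1),
    }

def check_pair(a_cfg, a_wan, b_cfg, b_wan):
    """Return findings; an empty list means the two sides are reciprocal."""
    a, b = parse(a_cfg), parse(b_cfg)
    findings = []
    if a["peer"] != b_wan or b["peer"] != a_wan:
        findings.append("set peer does not point at the other side's WAN address")
    if a["key"] != b["key"]:
        findings.append("pre-shared keys differ")
    if a["policy"] != b["policy"]:
        findings.append("ISAKMP policy parameters do not match")
    if a["transform"] != b["transform"]:
        findings.append("transform sets differ")
    # each side's ACL must be the mirror image (src/dst swapped) of the other's
    if a["acl"] != (b["acl"][2], b["acl"][3], b["acl"][0], b["acl"][1]):
        findings.append("interesting-traffic ACLs are not mirror images")
    for wan, side in ((a_wan, a), (b_wan, b)):
        if side["dh"] < 14:  # the lab itself notes DH 14 is the production floor
            findings.append(f"{wan}: DH group {side['dh']} is below the production minimum of 14")
    return findings
```

Run check_pair(R1_CONFIG, "10.1.1.2", R3_CONFIG, "10.2.2.2") on the lab's own scripts and the only findings are the two DH group 5 warnings; edit one side's key, ACL or policy and the corresponding mismatch is reported.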

Part 3: Verify the IPsec VPN

Step 1: Verify the tunnel prior to interesting traffic.

Issue the show crypto ipsec sa command on R1. Notice that the number of packets encapsulated, encrypted, decapsulated, and decrypted are all set to 0.

Step 2: Create interesting traffic.

Ping PC-C from PC-A.

Step 3: Verify the tunnel after interesting traffic.

On R1, re-issue the show crypto ipsec sa command. Notice that the number of packets is more than 0, which indicates that the IPsec VPN tunnel is working.

Step 4: Create uninteresting traffic.

Ping PC-B from PC-A.

Note: Issuing a ping from router R1 to PC-C or from R3 to PC-A is not interesting traffic.

Step 5: Verify the tunnel.

On R1, re-issue the show crypto ipsec sa command. Notice that the number of packets has not changed, which verifies that uninteresting traffic is not encrypted.

Step 6: Check results.

Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
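The verification in Part 3 is a before/after comparison of the counters that show crypto ipsec sa prints: interesting traffic must move the encaps/encrypt and decaps/decrypt counters, and uninteresting traffic must leave them unchanged. The Python below is an added example, not part of the lab, that automates that comparison; the two snapshots are constructed in the format IOS uses for those counter lines, not output captured from the lab routers.

```python
import re

# Constructed sample of the per-SA counter lines that "show crypto ipsec sa"
# prints (added example; not output captured from the lab routers).
BEFORE = """   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0"""
AFTER_PING = """   #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4"""

# the counters Part 3 tells you to watch
PROTECTED = {"encaps", "encrypt", "decaps", "decrypt"}

def counters(sa_output):
    """Map each '#pkts <name>: <n>' field of show crypto ipsec sa to an int."""
    return {name: int(n) for name, n in re.findall(r"#pkts (\w+): (\d+)", sa_output)}

def tunnel_verdict(before, after, expect_protected):
    """Compare two snapshots the way Part 3 does: interesting traffic must move
    the encrypt/decrypt counters, uninteresting traffic must leave them unchanged."""
    b, a = counters(before), counters(after)
    moved = {k for k in a if a[k] > b.get(k, 0)}
    if expect_protected:
        return "ok" if PROTECTED <= moved else "tunnel not passing traffic"
    return "ok" if not moved else "uninteresting traffic was encrypted"
```

Take a snapshot before Step 2 and after Step 3 and call tunnel_verdict(before, after, True); take another after Step 4 and call it with False to confirm the PC-A to PC-B ping stayed in the clear.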

Scripts for R1

config t
license boot module c1900 technology-package securityk9
yes
end
copy running-config startup-config
reload
config t
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
exit
crypto isakmp key vpnpa55 address 10.2.2.2
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
description VPN connection to R3
set peer 10.2.2.2
set transform-set VPN-SET
match address 110
exit
interface S0/0/0
crypto map VPN-MAP

Scripts for R3

config t
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
exit
crypto isakmp key vpnpa55 address 10.1.1.2
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
description VPN connection to R1
set peer 10.1.1.2
set transform-set VPN-SET
match address 110
exit
interface S0/0/1
crypto map VPN-MAP...

