Lab 10 1 IPSEC - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki

Default Routes

ip route 0.0.0.0 0.0.0.0 dest_network (could be an interface but a destination network is better)

Configure Champlain Router

  1. Identify traffic to send through tunnel with access-list

From config mode, an access-list is needed to identify traffic that needs to be sent through the tunnel

champ-router(config)# access-list number permit ip src_net src_mask_wildcard dst_net dst_mask_wildcard

The source network is the Champlain private network and the destination network is the Middlebury private network. The number can be any number above 100; it identifies the list when you assign it to the VPN tunnel. Remember the number - you will need it later.

  2. Configure IKE Phase 1 ISAKMP Policy on Champlain Router

Remember - IPsec site-to-site VPNs require parameters for 2 tunnels. The first one is set up for a secure key exchange, so that session keys can be securely established for the bulk data transfer in the second tunnel.

You will configure the crypto ISAKMP policy identified with the number "10" and the shared authentication key "NET330". You will configure the encryption method, key exchange (authentication) method, and DH group. Note: The highest DH group currently supported by Packet Tracer is group 5. In a production network, you would configure at least DH group 14.

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# exit
R1(config)# crypto isakmp key NET330 address public_ip_of_middlebury_router

  3. Configure the IKE Phase 2 IPsec policy

This sets the parameters for the internal tunnel - the one that will transfer data between the two sites.

a. Create the transform-set "VPN-SET" to use esp-aes and esp-sha-hmac as your cryptographic settings:

R1(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

b. Create the crypto map "VPN-MAP" that binds all of the Phase 2 parameters together. We will use sequence number 10 and identify it as an ipsec-isakmp map.

R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to Middlebury
R1(config-crypto-map)# set peer pub_ip_middlebury_router
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address number_of_access-list_set_above
R1(config-crypto-map)# exit

  4. Configure the "crypto map" on the outgoing interface.

Bind the "VPN-MAP" crypto map you created to the outgoing interface (likely FastEthernet 0/0 in our lab):

R1(config)# interface FastEthernet 0/0

R1(config-if)# crypto map VPN-MAP

The Champlain side of the site-to-site VPN should be done now.

Configure Middlebury Router

Perform the same steps used to configure the Champlain router on the Middlebury router - but make sure to change the addresses and other settings to reflect the reversed direction of the connection (the access-list source and destination swap, and the ISAKMP key address and crypto map peer become the Champlain router's public IP).

Verification

Exit config mode and use the command "show crypto ipsec sa" to view whether the SAs (security associations) are set up correctly in both directions.

Ping between the Champlain Server and Middlebury Server in both directions to generate some traffic. If the VPN is set up correctly, the pings will succeed.

"show crypto ipsec sa" should now show some encrypted packets in the stats.