Lab 13‐1 - LPouliot/Junior-Spring-NET-330-01-Network-Design GitHub Wiki

LAB 13-1 IPSEC Packet Tracer 1


Configure interfaces

Assign appropriate IP addresses to all router interfaces and the servers

  • make a note of every address as you assign it; you will need them again when you build the VPN

Assign default routes on Champlain and Middlebury Routers to point to VTEL

  • Hint: ip route 0.0.0.0 0.0.0.0 ...

You should be able to ping from the Champlain router to the Middlebury router on the public IPs.

  • Do not proceed until the public ping is successful
  • Champlain to Middlebury private IPs should not be able to ping

VTEL ISP

>enable
#config t
(config)#interface FastEthernet 0/0
(config-if)#no shutdown
(config-if)#ip address 216.93.144.2 255.255.255.0 
(config-if)#interface FastEthernet 0/1
(config-if)#no shutdown
(config-if)#ip address 140.230.18.2 255.255.255.0 

Champlain College Public

>enable
#config t
(config)#interface FastEthernet 0/0
(config-if)#no shutdown
(config-if)#ip address 216.93.144.1 255.255.255.0
(config-if)#exit
(config)#ip route 0.0.0.0 0.0.0.0 216.93.144.2
(config)#interface FastEthernet 0/1
(config-if)#no shutdown
(config-if)#ip address 172.16.84.1 255.255.255.0

Middlebury College Public

>enable
#config t
(config)#interface FastEthernet 0/0
(config-if)#no shutdown
(config-if)#ip address 140.230.18.1 255.255.255.0
(config-if)#exit
(config)#ip route 0.0.0.0 0.0.0.0 140.230.18.2
(config)#interface FastEthernet 0/1
(config-if)#no shutdown
(config-if)#ip address 192.168.25.1 255.255.255.0

Champlain College Private

>enable
#config t
(config)#hostname CC-Research-Lab

Middlebury College Private

>enable
#config t
(config)#hostname MC-Research-Lab

Champlain Server

  • IP - 172.16.84.100
  • Net - /24
  • DefaultG - 172.16.84.1

Middlebury Server

  • IP - 192.168.25.50
  • Net - /24
  • DefaultG - 192.168.25.1

You should be able to ping from the Champlain router to the Middlebury router on the public IPs.


Champlain to Middlebury private IPs should not be able to ping.


Configure Champlain Router

Identify traffic to send through tunnel with access-list

From config mode, create an access-list that identifies the traffic to be sent through the tunnel (the "interesting traffic"):

(config)# access-list number permit ip src_net src_mask_wildcard dst_net dst_mask_wildcard

source network is Champlain Private

destination network is Middlebury Private

The number can be any number above 100 (an extended access-list). It identifies the list when you bind it to the VPN tunnel, so remember it; you will need it later.

  • This lab uses 110:
(config)# access-list 110 permit ip 172.16.84.0 0.0.0.255 192.168.25.0 0.0.0.255

Configure IKE Phase 1 ISAKMP Policy on Champlain Router

Remember: IPsec site-to-site VPNs require parameters for two tunnels. This first one sets up a secure key exchange, so that session keys can be negotiated securely for the bulk data transfer in the second tunnel.

You will configure the crypto ISAKMP policy identified with the number "10" and the shared authentication key "NET330". You will configure the encryption method, key exchange method, and DH method. Note: The highest DH group currently supported by Packet Tracer is group 5. In a production network, you would configure at least DH 14.

(config)# crypto isakmp policy 10
(config-isakmp)# encryption aes 256
(config-isakmp)# authentication pre-share
(config-isakmp)# group 5
(config-isakmp)# exit
(config)# crypto isakmp key NET330 address 140.230.18.1 (public_ip_of_dst_router)

Configure the IKE Phase 2 IPsec policy

This sets the parameters for the inner tunnel, the one that will carry the data between the two sites.

Create the transform-set "VPN-SET" to use esp-aes and esp-sha-hmac as your cryptographic settings:

(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

Create the crypto map "VPN-MAP" that binds all of the Phase 2 parameters together. We will use sequence number 10 and identify it as an ipsec-isakmp map.

(config)# crypto map VPN-MAP 10 ipsec-isakmp
(config-crypto-map)# description VPN connection to Middlebury
(config-crypto-map)# set peer 140.230.18.1 (public_ip_of_dst_router)
(config-crypto-map)# set transform-set VPN-SET
(config-crypto-map)# match address 110 (number_of_access-list_set_above)
(config-crypto-map)# exit

Configure the "crypto map" on the outgoing interface.

Bind the "VPN-MAP" crypto map you created to the outgoing interface (FastEthernet 0/0 in our lab). Traffic that matches the access-list and leaves through this interface is what gets encrypted.

(config)# interface FastEthernet 0/0
(config-if)# crypto map VPN-MAP


The Champlain side of the site-to-site VPN should be done now.

Configure Middlebury Router

Perform the same steps you used for the Champlain router on the Middlebury router, but make sure to change the addresses and other settings to reflect the reversed direction of the connection.

(config)# access-list 110 permit ip  192.168.25.0  0.0.0.255  172.16.84.0  0.0.0.255 
(config)# crypto isakmp policy 10
(config-isakmp)# encryption aes 256
(config-isakmp)# authentication pre-share
(config-isakmp)# group 5
(config-isakmp)# exit
(config)# crypto isakmp key NET330 address 216.93.144.1 (public_ip_of_dst_router)
(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
(config)# crypto map VPN-MAP 10 ipsec-isakmp
(config-crypto-map)# description VPN connection to Champlain
(config-crypto-map)# set peer 216.93.144.1 (pub_ip_dst_router)
(config-crypto-map)# set transform-set VPN-SET
(config-crypto-map)# match address 110 (number_of_access-list_set_above)
(config-crypto-map)# exit
(config)# interface FastEthernet 0/0
(config-if)# crypto map VPN-MAP


Verification

Exit config mode and use the command "show crypto ipsec sa" to view whether the SAs (security associations) are set up correctly in both directions. The SAs are only negotiated once traffic matching the access-list is sent, so the counters stay at zero until something crosses the tunnel.

Ping between the Champlain Server and Middlebury Server in both directions to generate some traffic. If the VPN is set up correctly, it will work!
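The two routers' crypto settings have to mirror each other exactly (swapped addresses, same key, same transform set, the map bound to the outside interface), and a mismatch is the usual reason the SAs never come up. This added example, which is not part of the lab page, parses the crypto-relevant lines of each router's config (constructed here from the commands above) and reports the mismatches a practitioner would otherwise hunt for by hand:

```python
import re

# Constructed sample (written for this example, not captured from a device): the crypto-relevant running-config lines each router should carry after the steps on this page.
CHAMPLAIN = """interface FastEthernet0/0
 ip address 216.93.144.1 255.255.255.0
 crypto map VPN-MAP
access-list 110 permit ip 172.16.84.0 0.0.0.255 192.168.25.0 0.0.0.255
crypto isakmp key NET330 address 140.230.18.1
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 140.230.18.1
 set transform-set VPN-SET
 match address 110"""
MIDDLEBURY = """interface FastEthernet0/0
 ip address 140.230.18.1 255.255.255.0
 crypto map VPN-MAP
access-list 110 permit ip 192.168.25.0 0.0.0.255 172.16.84.0 0.0.0.255
crypto isakmp key NET330 address 216.93.144.1
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 216.93.144.1
 set transform-set VPN-SET
 match address 110"""

def parse(cfg):
    """Extract the fields that must line up between the two IPsec peers."""
    g = lambda pat: re.search(pat, cfg).groups()
    acl = g(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")
    key, key_peer = g(r"crypto isakmp key (\S+) address (\S+)")
    outside, map_on_if = g(r"ip address (\S+) \S+\n crypto map (\S+)")  # outside interface
    return {"acl_num": acl[0], "src": acl[1:3], "dst": acl[3:5], "key": key,
            "key_peer": key_peer, "outside": outside, "map_on_if": map_on_if,
            "tset": g(r"ipsec transform-set \S+ (.+)")[0].split(),
            "map": g(r"crypto map (\S+) \d+ ipsec-isakmp")[0],
            "peer": g(r"set peer (\S+)")[0], "match": g(r"match address (\d+)")[0]}

def check_pair(a, b):
    """Return mismatches between two peers' crypto configs; an empty list means they agree."""
    bad = []
    for me, other, name in ((a, b, "A"), (b, a, "B")):
        if me["peer"] != other["outside"] or me["key_peer"] != other["outside"]:
            bad.append(f"{name}: peer/key address must be the far side's outside IP {other['outside']}")
        if me["match"] != me["acl_num"]:
            bad.append(f"{name}: crypto map matches ACL {me['match']}, but ACL {me['acl_num']} was defined")
        if me["map_on_if"] != me["map"]:
            bad.append(f"{name}: crypto map {me['map']} is not bound to the outside interface")
    if a["key"] != b["key"]: bad.append("pre-shared keys differ")
    if a["tset"] != b["tset"]: bad.append("transform sets differ")
    if a["src"] != b["dst"] or a["dst"] != b["src"]: bad.append("crypto ACLs are not mirror images")
    return bad
```

Running check_pair(parse(CHAMPLAIN), parse(MIDDLEBURY)) returns an empty list for the configs above; feeding it the Champlain config for both sides (the classic copy-and-paste mistake) flags the wrong peer address on each side and the un-mirrored access-list.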

Champlain router: verification output (screenshots)

Middlebury router: verification output (screenshots)