Lab 13‐1 - LPouliot/Junior-Spring-NET-330-01-Network-Design GitHub Wiki
LAB 13-1 IPSEC Packet Tracer 1
Configure interfaces
Assign appropriate IP addresses to all router interfaces and the servers
- make sure to make a note of the addresses as you will need to keep track of them
Assign default routes on Champlain and Middlebury Routers to point to VTEL
- Hint: ip route 0.0.0.0 0.0.0.0 ...
You should be able to ping from the Champlain router to the Middlebury router on the public IPs.
- Do not proceed until the public ping is successful
- Champlain to Middlebury private IPs should not be able to ping
VTEL ISP
>enable
#config t
(config)#interface FastEthernet 0/0
(config-if)#no shutdown
(config-if)#ip address 216.93.144.2 255.255.255.0
(config-if)#interface FastEthernet 0/1
(config-if)#no shutdown
(config-if)#ip address 140.230.18.2 255.255.255.0
Champlain College Public
>enable
#config t
(config)#interface FastEthernet 0/0
(config-if)#no shutdown
(config-if)#ip address 216.93.144.1 255.255.255.0
(config-if)#ip route 0.0.0.0 0.0.0.0 216.93.144.2
(config)#interface FastEthernet 0/1
(config-if)#no shutdown
(config-if)#ip address 172.16.84.1 255.255.255.0
Middlebury College Public
>enable
#config t
(config)#interface FastEthernet 0/0
(config-if)#no shutdown
(config-if)#ip address 140.230.18.1 255.255.255.0
(config-if)#ip route 0.0.0.0 0.0.0.0 140.230.18.2
(config)#interface FastEthernet 0/1
(config-if)#no shutdown
(config-if)#ip address 192.168.25.1 255.255.255.0
Champlain College Private
>enable
#config t
(config)#hostname CC-Research-Lab
Middlebury College Private
>enable
#config t
(config)#hostname MC-Research-Lab
Champlain Server
- IP - 172.16.84.100
- Net - /24
- DefaultG - 172.16.84.1
Middlebury
- IP - 192.168.25.50
- Net - /24
- DefaultG - 192.168.25.1
You should be able to ping from the Champlain router to the Middlebury router on the public IPs.
Champlain to Middlebury private IPs should not be able to ping.
Configure Champlain Router
Identify traffic to send through tunnel with access-list
From config mode, an access-list is needed to identify the traffic that should be sent through the tunnel.
(config)# access-list number permit ip src_net src_mask_wildcard dst_net dst_mask_wildcard
source network is Champlain Private
destination network is Middlebury Private
number can be any number above 100; it is used to identify the list when you assign it to a VPN tunnel. Remember the number - you will need it later
- Doing 110
(config)# access-list 110 permit ip 172.16.84.0 0.0.0.255 192.168.25.0 0.0.0.255
Configure IKE Phase 1 ISAKMP Policy on Champlain Router
Remember - IPsec site-to-site VPNs require parameters for two tunnels. The first one is set up for a secure key exchange, so that session keys for the bulk data transfer in the second tunnel can be established securely.
You will configure the crypto ISAKMP policy identified with the number "10" and the shared authentication key "NET330". You will configure the encryption method, key exchange method, and DH method. Note: The highest DH group currently supported by Packet Tracer is group 5. In a production network, you would configure at least DH 14.
(config)# crypto isakmp policy 10
(config-isakmp)# encryption aes 256
(config-isakmp)# authentication pre-share
(config-isakmp)# group 5
(config-isakmp)# exit
(config)# crypto isakmp key NET330 address 140.230.18.1 (public_ip_of_dst_router)
Configure the IKE Phase 2 IPsec policy
This sets the parameters for the internal tunnel - the one that will transfer data between the two sites.
Create the transform-set "VPN-SET" to use esp-aes and esp-sha-hmac as your cryptographic settings:
(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
Create the crypto map "VPN-MAP" that binds all of the Phase 2 parameters together. We will use sequence number 10 and identify it as an ipsec-isakmp map.
(config)# crypto map VPN-MAP 10 ipsec-isakmp
(config-crypto-map)# description VPN connection to Middlebury
(config-crypto-map)# set peer 140.230.18.1 (pub_ip_dst(Mil)_router)
(config-crypto-map)# set transform-set VPN-SET
(config-crypto-map)# match address 110 (number_of_access-list_set_above)
(config-crypto-map)# exit
Configure the "crypto map" on the outgoing interface.
You can bind the "VPN-MAP" crypto map you created to the outgoing interface (likely FastEthernet 0/0 in our lab)
(config)# interface FastEthernet 0/0
(config-if)# crypto map VPN-MAP
The Champlain side of the site-to-site VPN should be done now.
Configure Middlebury Router
Perform the same steps used to configure the Champlain router on the Middlebury router, but make sure to change the addresses and other settings to reflect the reversed direction of the connection.
(config)# access-list 110 permit ip 192.168.25.0 0.0.0.255 172.16.84.0 0.0.0.255
(config)# crypto isakmp policy 10
(config-isakmp)# encryption aes 256
(config-isakmp)# authentication pre-share
(config-isakmp)# group 5
(config-isakmp)# exit
(config)# crypto isakmp key NET330 address 216.93.144.1 (public_ip_of_dst_router)
(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
(config)# crypto map VPN-MAP 10 ipsec-isakmp
(config-crypto-map)# description VPN connection to Champlain
(config-crypto-map)# set peer 216.93.144.1 (pub_ip_dst_router)
(config-crypto-map)# set transform-set VPN-SET
(config-crypto-map)# match address 110 (number_of_access-list_set_above)
(config-crypto-map)# exit
(config)# interface FastEthernet 0/0
(config-if)# crypto map VPN-MAP
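As an added example (not part of the lab or its configs), the following Python script checks that the two routers' VPN settings mirror each other, which is where this procedure most often goes wrong: the crypto ACLs must be reversed, the pre-shared key identical, the crypto map must reference the ACL that was actually defined, and each router's `set peer` and `crypto isakmp key ... address` must be the other router's public IP. The config strings are constructed from the commands above; the helper names are hypothetical.

```python
import ipaddress
import re

# Constructed input: the VPN-related lines of both routers, taken from the lab's commands.
CHAMPLAIN = """access-list 110 permit ip 172.16.84.0 0.0.0.255 192.168.25.0 0.0.0.255
crypto isakmp key NET330 address 140.230.18.1
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 140.230.18.1
 match address 110"""
MIDDLEBURY = """access-list 110 permit ip 192.168.25.0 0.0.0.255 172.16.84.0 0.0.0.255
crypto isakmp key NET330 address 216.93.144.1
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 216.93.144.1
 match address 110"""

def wildcard_to_net(addr, wildcard):
    # A wildcard mask is the bitwise inverse of the subnet mask: 0.0.0.255 -> 255.255.255.0 (/24).
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

# (regex, field names) pairs: each regex group fills one field of the parsed dict.
PATTERNS = [
    (r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", ("acl", "src", "src_wc", "dst", "dst_wc")),
    (r"crypto isakmp key (\S+) address (\S+)", ("psk", "key_peer")),
    (r"set peer (\S+)", ("peer",)),
    (r"match address (\d+)", ("match",)),
]

def parse(cfg):
    # Extract the fields that must agree between the two ends of the tunnel.
    out = {}
    for line in cfg.splitlines():
        for pattern, keys in PATTERNS:
            m = re.match(pattern, line.strip())
            if m:
                out.update(zip(keys, m.groups()))
    out["src_net"] = wildcard_to_net(out["src"], out["src_wc"])
    out["dst_net"] = wildcard_to_net(out["dst"], out["dst_wc"])
    return out

def check_mirror(a, b, a_public, b_public):
    # Each tuple is (mismatch condition, meaning); the messages whose condition holds are returned.
    checks = [
        (a["src_net"] != b["dst_net"] or a["dst_net"] != b["src_net"], "crypto ACLs are not mirror images"),
        (a["psk"] != b["psk"], "pre-shared keys differ"),
        (a["peer"] != b_public or b["peer"] != a_public, "set peer is not the other router's public address"),
        (a["key_peer"] != a["peer"] or b["key_peer"] != b["peer"], "isakmp key address differs from crypto map peer"),
        (a["match"] != a["acl"] or b["match"] != b["acl"], "crypto map does not match the ACL that was defined"),
    ]
    return [msg for bad, msg in checks if bad]
```

An empty list from `check_mirror(parse(CHAMPLAIN), parse(MIDDLEBURY), "216.93.144.1", "140.230.18.1")` means the two sides are consistent; any message names the setting to recheck before running `show crypto ipsec sa`.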
Verification
Exit config mode and use the command "show crypto ipsec sa" to view whether the SAs (security associations) are set up correctly in both directions.
Ping between the Champlain Server and the Middlebury Server in both directions to generate some traffic. If the VPN is set up correctly, it will work!
Screenshots of the verification output (not reproduced here): Champlain; Middlebury.