Lab Walkthroughs - caitlinmallen/TechWiki GitHub Wiki

Lab 10-1 IPSEC

Configure Champlain Router

The access-list identifies the traffic that needs to be sent through the tunnel.

champ-router(config)# access-list number permit ip src_net src_mask_wildcard dst_net dst_mask_wildcard

access-list 110 permit ip 172.16.84.0 0.0.0.255 192.168.25.0 0.0.0.255

Configure IKE Phase 1 ISAKMP Policy on Champlain Router

Site-to-site IPsec requires parameters for two tunnels: IKE Phase 1 (the secure key exchange, so that session keys can be set up securely) and IKE Phase 2 (the IPsec tunnel that carries the data between the sites).

Set up the secure key exchange so that session keys can be securely established. Configure the crypto ISAKMP policy identified with the number 10 and the shared authentication key NET330. Configure the encryption method, the key exchange method, and the DH group (the highest supported in Packet Tracer is 5; in real deployments at least group 14 is needed).

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# exit
R1(config)# crypto isakmp key NET330 address public_ip_of_middlebury_router

For the lab:

crypto isakmp key NET330 address 140.230.18.2

Configure IKE Phase 2 IPSEC Policy

Set the parameters for the internal tunnel, the one that will transfer data between the two sites.

Create the transform-set "VPN-SET" to use esp-aes and esp-sha-hmac as your crypto settings.

R1(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

Create the crypto map "VPN-MAP" that binds all of the phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.

R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to Middlebury
R1(config-crypto-map)# set peer pub_ip_middlebury_router
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address number_of_access-list_set_above
R1(config-crypto-map)# exit

For the lab:

set peer 140.230.18.2
match address 110

Configure the "crypto map" on the outgoing interface

Bind the "VPN-MAP" crypto map to the outgoing interface.

R1(config)# interface FastEthernet 0/0
R1(config-if)# crypto map VPN-MAP

Configure Middlebury Router

The access-list is the mirror image of the Champlain one: source and destination networks are swapped.

mid-router(config)# access-list 110 permit ip 192.168.25.0 0.0.0.255 172.16.84.0 0.0.0.255

Configure IKE Phase 1 ISAKMP on Middlebury Router

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# exit
R1(config)# crypto isakmp key NET330 address 216.93.144.1

Configure IKE Phase 2 IPSEC Policy

R1(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to Champlain
R1(config-crypto-map)# set peer 216.93.144.1
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

Configure the "crypto map" on the outgoing interface

R1(config)# interface FastEthernet 0/0
R1(config-if)# crypto map VPN-MAP
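As an added consistency check (this script is not part of the lab or the wiki), the Python below parses crypto excerpts from the two routers, constructed here from the lab's values, and verifies that the two sides mirror each other: ACLs reversed, ISAKMP key address equal to the crypto map peer, crypto map matching the defined ACL and applied to an interface, identical proposals, and a DH group of at least 14 as the walkthrough recommends for real deployments.

```python
import re

# Constructed sample config excerpts using the lab's addresses (only the crypto-relevant lines).
CHAMPLAIN = """access-list 110 permit ip 172.16.84.0 0.0.0.255 192.168.25.0 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 group 5
crypto isakmp key NET330 address 140.230.18.2
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 140.230.18.2
 set transform-set VPN-SET
 match address 110
interface FastEthernet 0/0
 crypto map VPN-MAP"""
# Middlebury is the mirror image: ACL direction reversed, key/peer address is Champlain's public IP.
MIDDLEBURY = CHAMPLAIN.replace("172.16.84.0 0.0.0.255 192.168.25.0",
                               "192.168.25.0 0.0.0.255 172.16.84.0").replace("140.230.18.2", "216.93.144.1")
RULES = {  # one full-line regex per parameter to extract
    "acl": r"access-list (\d+) permit ip (\S+) \S+ (\S+) \S+",
    "enc": r"encryption (.+)", "dh": r"group (\d+)",
    "key_addr": r"crypto isakmp key \S+ address (\S+)",
    "ts": r"crypto ipsec transform-set \S+ (.+)",
    "map": r"crypto map (\S+) \d+ ipsec-isakmp", "peer": r"set peer (\S+)",
    "match": r"match address (\d+)", "applied": r"crypto map (\S+)",
}

def parse(cfg):
    """Extract the site-to-site parameters from a running-config excerpt."""
    found = {}
    for line in cfg.splitlines():
        for key, pat in RULES.items():
            if m := re.fullmatch(pat, line.strip()):
                found[key] = m.groups() if len(m.groups()) > 1 else m[1]
    return found

def check_pair(a, b):
    """Return findings for two peers' parsed configs; an empty list means they are consistent."""
    issues = []
    for name, p in (("A", a), ("B", b)):
        if p.get("key_addr") != p.get("peer"):
            issues.append(f"{name}: isakmp key address and crypto map peer differ")
        if p.get("match") != p.get("acl", ("",))[0]:
            issues.append(f"{name}: crypto map does not match the defined access-list")
        if p.get("applied") != p.get("map"):
            issues.append(f"{name}: crypto map is not applied to the outgoing interface")
        if int(p.get("dh", 0)) < 14:
            issues.append(f"{name}: DH group {p.get('dh')} is below the recommended minimum of 14")
    if (a["acl"][1], a["acl"][2]) != (b["acl"][2], b["acl"][1]):  # interesting traffic must be mirrored
        issues.append("interesting-traffic ACLs are not mirror images of each other")
    if any(a.get(k) != b.get(k) for k in ("enc", "dh", "ts")):
        issues.append("IKE phase 1 / IPsec phase 2 proposals differ between the peers")
    return issues
```

Running check_pair(parse(CHAMPLAIN), parse(MIDDLEBURY)) on the lab configs reports only that both sides still use DH group 5.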