
CCIE Security Ver. 4 Lab Manual
CCNP Security SIMOS (300-209)
Confidentiality and Secure Access

This lab manual covers detailed lab demonstrations, with explanations, for the CCIE Security Version 4 VPN module.

CCIE Security Ver. 4 Lab Manual

DISCLAIMER
Disclaimer and Terms of Use
Reproduction or translation of content in this PDF document without the
author's written permission is prohibited. No content may be reproduced
without the express written permission of the author. A hyperlink from
another website to this document is permitted. You may download and
retain on your disk a single copy of material published only for your
personal, non-commercial use, provided that you do not remove any
copyright or other proprietary notices. You may not otherwise copy,
display, download, modify, distribute, repost, transmit or sell all or part of
any material without the prior written permission of the author. You may
not mirror all or part of any material published by the author in this
document, and you may not inline any of the graphics contained in any
material. Anyone accessing this document is deemed to have read and
understood the above and to have agreed to it in its totality, absolutely
without exception.
IF YOU DO NOT AGREE, please delete any copies you may possess.
Please contact author or Inter-Networkz using the contact link mentioned
below:
Web -URL: www.inter-networkz.com
Email: sandeep@inter-networkz.com | cciesandeep12@gmail.com |
info@inter-networkz.com
Skype: ccie.sandeep12
Blog: cciesecurityv4solution.blogspot.in

Copyrights @ 2014-2016, Inter-Networkz, Bangalore - IN, All Rights Reserved


cciesandeep12@gmail.com | Skype: ccie.sandeep12

Page 1

Table of Contents
Module 1: Site-To-Site VPNs
1. Basic IPsec Site-To-Site VPN
2. GRE Tunnel
3. GRE with IPsec
Module 2: Advanced VPNs
1. Router to ASA IPsec Site-To-Site VPN
2. Router to Router IPsec Site-To-Site VPN through Cisco ASA
3. Router to Router IPsec Site-To-Site VPN through Cisco ASA with NAT-T
4. GET VPN using PSK
5. GET VPN using PKI
6. DMVPN Phase I/II/III
7. DMVPN Dual Hub
Module 3: High Availability VPN
1. HA VPN without HSRP
2. HA VPN with HSRP
Module 4: Remote Access VPN
1. IOS Easy VPN Server with Software Client
2. IOS Easy VPN Server with Router as Client
3. IOS Easy VPN Server NEM
4. Easy VPN Server on Cisco ASA
5. SSL VPN - IOS Server
6. SSL VPN on Cisco ASA

Module 5: IKEv2 Based VPN
1. Routing Based VPN using IKEv2
2. Policy Based VPN using IKEv2
3. IKEv2 Based VPN on Cisco ASA
4. Remote Access VPN using IKEv2
Module 6: Flex VPN
1. Site-To-Site Flex VPN
2. Spoke-To-Spoke Flex VPN
3. Server-Client Flex VPN


Module 1: Site-To-Site VPNs

Basic IPsec LAN-To-LAN VPN
GRE Tunnel
GRE Tunnel With IPsec


LAB-1 : Basic IPsec LAN-To-LAN VPN

Scenario: R1 and R3 are two sites of a company named ABC. R2 is the ISP in the
topology. R1 has a private network simulated with the help of loopback interfaces,
and so does R3. The objective of this lab is to connect the R1 and R3 private networks
together using an IPsec Site-To-Site VPN.
Recommendation: Practice this topology at least twice. The first time through,
use exactly the topology and IP addresses shown.
Lab Topology:

Basic Initialization:
Configure the routers shown in the topology:


Now configure R2, which simulates the ISP.

As the ISP, R2 will have only two directly connected routes.
Configure R3; this is your remote site.


TASK
Configure an IPsec Tunnel between Router R1 and Router R3. Use the following
settings for the Tunnel:
ISAKMP Parameters
Authentication : Pre-shared
Group : 2
Encryption : 3DES
Hash: md5
Pre-Shared Key : cisco123
IPSec Parameters
Encryption : ESP-3DES
Authentication : ESP-SHA-HMAC
Interesting Traffic
All IP traffic between 10.1.1.0 and 10.1.3.0
All IP traffic between 10.1.1.0 and 10.1.4.0
All IP traffic between 10.1.2.0 and 10.1.3.0
All IP traffic between 10.1.2.0 and 10.1.4.0
Tunnel Endpoints
R1 F 0/0 to R3 F 0/0


Solution:
IPsec configuration generally goes in the five steps below:
1. Create the ISAKMP policy
2. Create the IPsec policy (transform set)
3. Create an ACL to select interesting traffic
4. Create a crypto map to link all of the above
5. Apply the crypto map to the outgoing interface
On R1:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.23.3
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
access-list 101 permit ip host 10.1.1.1 host 10.1.3.1
access-list 101 permit ip host 10.1.1.1 host 10.1.4.1
access-list 101 permit ip host 10.1.2.1 host 10.1.3.1
access-list 101 permit ip host 10.1.2.1 host 10.1.4.1
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.23.3
 set transform-set TSET
 match address 101
 exit
interface f0/0
 crypto map CMAP
 exit


The same configuration goes on router R3 with a few changes. Copy the
configuration from R1 so that we can make the required changes.
Every field that has to change for R3 is flagged with a comment below:
On R1:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
! CHANGE: the peer address, R3 peers with R1's public IP
crypto isakmp key 0 cisco123 address 192.1.23.3
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
! CHANGE: source and destination hosts swap, R3's loopbacks become the source
access-list 101 permit ip host 10.1.1.1 host 10.1.3.1
access-list 101 permit ip host 10.1.1.1 host 10.1.4.1
access-list 101 permit ip host 10.1.2.1 host 10.1.3.1
access-list 101 permit ip host 10.1.2.1 host 10.1.4.1
crypto map CMAP 10 ipsec-isakmp
! CHANGE: the peer address
 set peer 192.1.23.3
 set transform-set TSET
 match address 101
 exit
interface f0/0
 crypto map CMAP
 exit


Change all the fields marked above so that the configuration is ready for R3.
Compared with the R1 configuration, the peer address and the order of the
hosts in the ACL have changed:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.12.1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
access-list 101 permit ip host 10.1.3.1 host 10.1.1.1
access-list 101 permit ip host 10.1.4.1 host 10.1.1.1
access-list 101 permit ip host 10.1.3.1 host 10.1.2.1
access-list 101 permit ip host 10.1.4.1 host 10.1.2.1
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.12.1
 set transform-set TSET
 match address 101
 exit
interface f0/0
 crypto map CMAP
 exit

VERIFICATION:
From router R1: ping 10.1.3.1 source 10.1.1.1
or ping 10.1.4.1 source 10.1.1.1
Verification commands:
show crypto isakmp sa
show crypto ipsec sa


LAB-2 GRE Tunnel

Scenario: The objective of this lab is to connect the R1 and R3 private networks
together using a routing-based VPN (GRE tunnel). In the last lab the traffic sent
through the VPN tunnel was selected using an ACL (policy-based VPN). Here the VPN
traffic is decided by routing table entries (routing-based VPN).
Recommendation: same as previous lab
Lab Topology: same as previous lab
Basic Initialization: Use the initial configuration of the previous lab.
Now configure tunnel interfaces on the routers. As this is a routing-based VPN,
what goes through the tunnel is decided by the routing table.
So we create a virtual tunnel interface with an unused private IP address assigned to it.
The tunnel source is your physical interface with the public IP,
and the tunnel destination is the remote site's interface with its public IP.

Read the message: interface Tunnel1 is up. Similarly, configure a tunnel interface
on R3.

Check the interface brief.

A virtual tunnel interface has been created with a private IP address assigned to it.

Now run an interior routing protocol on both sites.

Advertise the private network (10.1.0.0) and also run the IGP on the tunnel interface
(192.168.1.0) that we created. This is important because only when the IGP is
enabled on the tunnel interface are the updates sent over the tunnel to the other
site, where the other site's tunnel interface is also enabled for the IGP and is
therefore able to hear the hello packets sent to the 224.0.0.0 multicast range.

Check the routing table on the R1 site. We have received routes for the private
networks on the R3 site.
All routes starting with D are learned through the tunnel. As you know, an interior
routing protocol does not run natively across the Internet, so the EIGRP packets were
encapsulated in public IPv4 packets and sent to the other site.
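The tunnel and IGP configuration that the snapshots above refer to, written out as an added example; this is not the manual's own configuration. Tunnel1 and R1's tunnel address 192.168.1.1 follow the manual and the public addresses 192.1.12.1 and 192.1.23.3 are those of Lab-1; the EIGRP autonomous-system number 100, R3's tunnel address 192.168.1.3 and the interface name FastEthernet0/0 for the public-facing interfaces are assumptions.

```ios
! R1: GRE tunnel towards R3 (added example, not the manual's configuration)
! 192.168.1.1/24 on Tunnel1 follows the manual; EIGRP AS 100 is an assumption
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
! public-facing interface carrying 192.1.12.1 (interface name assumed)
 tunnel source FastEthernet0/0
! R3's public address
 tunnel destination 192.1.23.3
 exit
!
router eigrp 100
 no auto-summary
! the private loopbacks (10.1.1.0/24, 10.1.2.0/24)
 network 10.1.0.0 0.0.255.255
! the tunnel subnet: this is what makes the EIGRP hellos go through the tunnel
 network 192.168.1.0 0.0.0.255
 exit
!
! R3: mirror image (192.168.1.3 for the tunnel address is an assumption)
interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.1.12.1
 exit
!
router eigrp 100
 no auto-summary
 network 10.1.0.0 0.0.255.255
 network 192.168.1.0 0.0.0.255
 exit
!
! verification, on either router
show ip interface brief | include Tunnel
show ip eigrp neighbors
show ip route eigrp
```

The public subnets (192.1.12.0/24 and 192.1.23.0/24) are deliberately left out of EIGRP: if a router learned its own tunnel destination through the tunnel, IOS would report recursive routing and flap the tunnel interface.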


Also check the routes on R3. We have received routes for the private network on R1.

VERIFICATION:
Now that the sites have the routes, let's ping 10.1.1.1 from 10.4.1.1.

You can also configure line vty so we can telnet and check.


Note: though we have end-to-end reachability, all the packets are completely
exposed. The reason is that GRE ENCAPSULATES the private packets in public
packets; it does not ENCRYPT them. So if someone sniffs the link, they get all
the information.
Next you see a snapshot of the sniff performed on this network.

For verification, run Wireshark on one of the links.

Also set the line vty password on R3 to cisco, then telnet to R3 from R1.
Note: Wireshark is capturing these packets.


Note: The output shows the telnet packet sent from R1 to R3, where GRE
encapsulates the telnet packet from private source 192.168.1.1 to private
destination 10.1.3.1, and the data part shows the character C, the first letter
of the line vty password.
The next lab shows how to secure this traffic.


LAB-3 GRE Tunnel with IPsec profile

Scenario: The objective of this lab is to secure the GRE tunnel traffic using IPsec.
Recommendation: This lab builds on the previous lab, so you can continue from
the previous lab.
Lab Topology: same as previous lab
Basic Initialization: Complete Lab 2 and continue with the configuration of this lab.
To secure the GRE tunnel we use IPsec along with GRE.
Configure the Phase-I parameters. For this you need to specify:
(a) authentication = pre-share
(b) encryption = des, 3des or aes
(c) hash = md5 or SHA-1
(d) Diffie-Hellman group = group 1, 2 or 5
Then the Phase-II parameters, where we just specify the encryption and hash method;
the session key (traffic encryption key) is provided by ISAKMP, i.e. Phase-I.
Now we need to create an IPsec profile and call the transform set in it. This IPsec
profile is used to protect the traffic leaving the tunnel interface.


Apply the IPsec profile to protect the data going through the tunnel. For this, go
to the tunnel interface and enter:
tunnel protection ipsec profile {ipsec profile name}

In the above snapshot you see that the EIGRP neighbor relationship is down. The hold
time expires because R1 is now sending and expecting IPsec packets, whereas R3 is
not yet configured for IPsec, so the packets received from R3 are not IPsec packets.
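The Phase-I, Phase-II, profile and tunnel-protection steps above put together, as an added example that is not the manual's own configuration. The policy parameters, the pre-shared key cisco123, the names TSET and IPSEC_PROFILE and the peer addresses 192.1.12.1 (R1) and 192.1.23.3 (R3) are taken from the earlier labs; Tunnel1 is the interface created in Lab-2.

```ios
! R1 (added example; names and values follow Lab-1 and Lab-2)
! Phase I: ISAKMP policy and pre-shared key for the peer
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.23.3
!
! Phase II: transform set. The IPsec profile replaces the crypto ACL and
! crypto map of Lab-1: the interesting traffic is simply the GRE packets
! between tunnel source and tunnel destination.
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 exit
!
! protect everything leaving the GRE tunnel
interface Tunnel1
 tunnel protection ipsec profile IPSEC_PROFILE
 exit
!
! R3: identical except for the peer address
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.12.1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 exit
interface Tunnel1
 tunnel protection ipsec profile IPSEC_PROFILE
 exit
!
! verification
show crypto isakmp sa
show crypto ipsec sa
show interfaces Tunnel1 | include protection
```

Until both ends carry the tunnel protection command the protected side discards the unprotected GRE packets, which is why the EIGRP adjacency drops in between. 3DES, MD5 and DH group 2 are the lab's settings; a production deployment would use AES, a SHA-2 hash and a larger DH group.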


VERIFICATION: ping 10.1.1.1 with source as 10.1.4.1

Check the Wireshark output: all packets are encrypted using ESP.

Also take a look at the output of Interface Tunnel 1, check the line highlighted
using marker.
IPsec profile named IPSEC_PROFILE is being used to encrypt the traffic sent over
the tunnel interface.


Check PHASE-I tunnel or ISAKMP tunnel:

Check PHASE-II tunnel or IPsec tunnel:



The IPsec tunnel is working in tunnel mode.

Now you can change the IPsec mode to transport.

If you execute the show crypto ipsec sa command you will see that the mode in use
is still tunnel (check the highlighted section in the above snapshot). The existing
SA keeps the mode it was negotiated with, so you need to clear the existing SA and
bring the tunnel up again, then check the output of show crypto ipsec sa once more.

interface tunnel 1
 shutdown
 no shutdown
 exit

Now, as the entire packet is being encrypted, we don't need the GRE header. So
we set the tunnel mode to IPsec IPv4.
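The mode changes described above (transport mode, SA renegotiation, and finally dropping GRE for an IPsec VTI) written out as an added example; this is not the manual's own configuration. TSET and Tunnel1 are the names used in this lab; the commands are the same on R1 and R3.

```ios
! Step 1: IPsec transport mode (added example). Transport mode drops the
! extra outer IP header, because the GRE packet already carries the public
! addresses of R1 and R3.
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode transport
 exit
!
! The SA already established keeps the mode it negotiated. Tear it down so
! the peers renegotiate: either clear the SAs (exec mode) ...
clear crypto sa
! ... or bounce the tunnel interface (config mode)
interface Tunnel1
 shutdown
 no shutdown
 exit
!
show crypto ipsec sa | include mode
!
! Step 2: drop the GRE header. The tunnel becomes an IPsec VTI that carries
! the IP packets directly. A VTI negotiates IPsec tunnel mode, so the
! transform set goes back to the default tunnel mode first.
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode tunnel
 exit
interface Tunnel1
 tunnel mode ipsec ipv4
 exit
!
! repeat step 2 on the other router: the tunnel modes must match on both ends
show interfaces Tunnel1 | include Tunnel protocol
show crypto ipsec sa
```

After the change, show interfaces Tunnel1 reports the transport as IPSEC/IP instead of GRE/IP, and EIGRP keeps running over the tunnel interface exactly as before, since the VTI still forwards multicast.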


Module 2: Advanced VPNs

Router-ASA IPsec VPN
Router-Router IPsec VPN through ASA Firewall
Router-Router IPsec VPN through ASA Firewall with NAT-T
GET VPN using PSK
GET VPN using PKI
DMVPN Phase-I/II/III
DMVPN Dual-Hub


LAB-1 : Router-ASA IPsec VPN

Scenario: The objective of this lab is to connect the R1 and R3 private networks
together using an IPsec Site-To-Site VPN. R1 is located on the inside of the Cisco ASA
firewall. The IPsec tunnel is established between the ASA outside interface and R3.
Traffic from R1 is also translated to the 192.11.11.0/24 network on the Cisco ASA firewall.
Recommendation: You can use a PIX firewall (8.0.X) for this lab.
Lab Topology:

Basic Initialization:
On R1:
interface f0/0
 ip address 10.11.11.1 255.255.255.0
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 10.11.11.10
On R2:
interface f0/0
 ip address 192.1.12.2 255.255.255.0
 no shutdown
 exit
interface f0/1
 ip address 192.1.23.2 255.255.255.0
 no shutdown
 exit
On R3:
interface f0/0
 ip address 192.1.23.3 255.255.255.0
 no shutdown
 exit
interface loopback 0
 ip address 10.11.20.1 255.255.255.0
 exit
ip route 0.0.0.0 0.0.0.0 192.1.23.2
On ASA:
interface e1
 nameif inside
 ip address 10.11.11.10 255.255.255.0
 no shutdown
 exit
interface e2
 nameif outside
 ip address 192.1.12.10 255.255.255.0
 no shutdown
 exit
! default route pointing to 192.1.12.2
route outside 0 0 192.1.12.2
Configure an IPsec Tunnel between Router R3 and the ASA. Use the following
settings for the Tunnel:
ISAKMP Parameters
Authentication : Pre-shared
Diffie-Hellman Group : 2
Encryption : 3DES
Hash : md5
Pre-Shared Key : cisco123
IPsec Parameters
Encryption : ESP-3DES
Authentication : ESP-SHA-HMAC
Interesting Traffic
All IP traffic between 10.11.11.1 and 10.11.20.1
Tunnel Endpoints
ASA E2 to R3 F 0/0
Solution:
On R3:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.12.10
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
access-list 101 permit ip host 10.11.20.1 host 10.11.11.1
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.12.10
 set transform-set TSET
 match address 101
 exit
interface f0/0
 crypto map CMAP
 exit


On ASA:
! enable ISAKMP on the outside interface
crypto isakmp enable outside
! configure the ISAKMP policy
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key cisco123 address 192.1.23.3
! configure the transform set
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
! configure the crypto ACL
access-list 101 permit ip host 10.11.11.1 host 10.11.20.1
! configure the crypto map and attach it to the interface
crypto map CMAP 1 set peer 192.1.23.3
crypto map CMAP 1 set transform-set TSET
crypto map CMAP 1 match address 101
crypto map CMAP interface outside

VERIFICATION:


On ASA:

Debug command: debug crypto isakmp

Now, as per the scenario, the R1 network 10.11.11.0/24 is translated to the
192.11.11.1-192.11.11.11 pool (192.11.11.0/24 network) on the outside of the firewall.
global (outside) 1 192.11.11.1-192.11.11.11
nat (inside) 1 10.11.11.0 255.255.255.0
Now verify: ping 10.11.11.1 source 10.11.20.1 from R3.
This time the ping does not work, because the translation changes R1's source address
before the crypto ACL is checked, so the traffic no longer matches ACL 101. Fix the
problem by exempting traffic sourced from 10.11.11.0/24 and going towards
10.11.20.0/24 from translation.

access-list EXEMPT_VPN permit ip 10.11.11.0 255.255.255.0 10.11.20.0 255.255.255.0
nat (inside) 0 access-list EXEMPT_VPN
Now verify again: ping 10.11.11.1 source 10.11.20.1 from R3


LAB-2: Router-To-Router IPsec Tunnel through ASA

Scenario: The objective of this lab is to connect the R1 and R3 private networks
together using an IPsec Site-To-Site VPN. R1 is located on the inside of the Cisco ASA
firewall and its private IP address is translated on the firewall. The IPsec tunnel is
established between R1 (translated IP address) and R3, and must pass through the
firewall.
Recommendation: You can use a PIX firewall (8.0.X) for this lab.

Lab Topology: same as previous lab

Basic Initialization: same as previous lab
Configure an IPsec Tunnel between Router R3 and R1. Use the following settings
for the Tunnel:
ISAKMP Parameters
Authentication : Pre-shared
Group : 2
Encryption : 3DES
Hash : md5
Pre-Shared Key : cisco123
IPsec Parameters
Encryption : ESP-3DES
Authentication : ESP-SHA-HMAC
Interesting Traffic
All IP traffic between 10.11.11.1 and 10.11.20.1
Tunnel Endpoints
R1 F0/0 to R3 F 0/0
Translation
Statically translate the R1 IP address to 192.1.11.1
ACL Entries
ACL entries on the ASA in the inbound direction to allow IPsec.
Static Route
Static route on R2 for IP address 192.1.11.1

Solution:
On R3:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.11.1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
access-list 101 permit ip host 10.11.20.1 host 10.11.11.1
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.11.1
 set transform-set TSET
 match address 101
 exit
interface f0/0
 crypto map CMAP
 exit
On R1:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.23.3
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
access-list 101 permit ip host 10.11.11.1 host 10.11.20.1
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.23.3
 set transform-set TSET
 match address 101
 exit
interface f0/0
 crypto map CMAP
 exit

On ASA: static translation for R1 (10.11.11.1)
static (inside,outside) 192.1.11.1 10.11.11.1
ACL:
access-list VACL permit udp host 192.1.23.3 host 192.1.11.1 eq 4500
This entry permits NAT-Traversal: traffic sourced from R3 to R1 on UDP/4500.
Apply the ACL to the outside interface:
access-group VACL in interface outside
Static route on R2 for 192.1.11.1:
ip route 192.1.11.0 255.255.255.0 192.1.12.10


Verification:
R3#ping 10.11.11.1 source 10.11.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.11.1, timeout is 2 seconds:
Packet sent with a source address of 10.11.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/119/140 ms

ASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list ACL; 1 elements
access-list ACL line 1 extended permit udp host 192.1.23.3 host 192.1.11.1 eq 4500 (hitcnt=1) 0xa6de5ddd

ASA(config)# show conn
1 in use, 3 most used
UDP out 192.1.23.3:4500 in 10.11.11.1:4500 idle 0:00:03 flags
ASA(config)#


LAB-3: Router-To-Router IPsec Tunnel through ASA

Scenario: The objective of this lab is to connect the R1 and R3 private networks
together using an IPsec Site-To-Site VPN. R1 is located on the inside of the Cisco ASA
firewall and has a public IP address. The IPsec tunnel is established between R1 and
R3 and must pass through the firewall.
Recommendation: You can use a PIX firewall (8.0.X) for this lab.

Lab Topology:

Basic Initialization: Load the initial configuration from the lab file.


Configure an IPsec Tunnel between Router R3 and R1. Use the following settings
for the Tunnel:
ISAKMP Parameters
Authentication : Pre-shared
Group : 2
Encryption : 3DES
Hash : md5
Pre-Shared Key : cisco123
IPsec Parameters
Encryption : ESP-3DES
Authentication : ESP-SHA-HMAC
Interesting Traffic
All IP traffic between 10.11.11.1 and 10.11.20.1
Tunnel Endpoints
R1 F0/0 to R3 F 0/0
Translation: NA
ACL Entries
ACL entries on the ASA in the inbound direction to allow IPsec.
Static Route
Static route on R2 for 192.1.10.0/24 with the ASA outside interface IP as next hop.
On R3:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.10.1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
access-list 101 permit ip host 10.11.20.1 host 10.11.11.1
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.10.1
 set transform-set TSET
 match address 101
 exit
interface f0/0
 crypto map CMAP
 exit
On R1:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.23.3
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
access-list 101 permit ip host 10.11.11.1 host 10.11.20.1
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.23.3
 set transform-set TSET
 match address 101
 exit
interface f0/0
 crypto map CMAP
 exit

ACL on ASA:
access-list ACL permit udp host 192.1.23.3 host 192.1.10.1 eq isakmp
access-list ACL permit esp host 192.1.23.3 host 192.1.10.1
Apply the ACL to the outside interface:
access-group ACL in interface outside



VERIFICATION:
! On R3
R3#ping 10.11.11.1 source 10.11.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.11.1, timeout is 2 seconds:
Packet sent with a source address of 10.11.20.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 80/108/132 ms

R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.1.10.1      192.1.23.3      QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

ASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list ACL; 2 elements
access-list ACL line 1 extended permit udp host 192.1.23.3 host 192.1.10.1 eq isakmp (hitcnt=1) 0x4784758b
access-list ACL line 2 extended permit esp host 192.1.23.3 host 192.1.10.1 (hitcnt=1) 0xeb3f8117


LAB-4 : GET VPN Using PSK

LAB TOPOLOGY:

Devices used: 2600 Software (C2691-ADVIPSERVICESK9-M), Version 12.4(15)T6



Basic Initialization:


Pre-requisite: Full end-to-end reachability is needed. For this you can run any interior
routing protocol.
Also, your key server cannot be a group member. We use the R5 loopback
(10.1.5.1/24) as the key server address because, being a loopback, it is reachable from
any interface.
Now check the routing table using the command: show ip route



Note: Make sure all nodes are reachable. Don't proceed further if you haven't
completed this step properly.
Output on R5:

On Group Member:



Now configure the remaining group members. Do this on R2, R3 and R4.

Now apply the crypto map to the outgoing interface:

Debug:
Check that the ping which was working earlier is now not working.

Reason: R1 has registered itself with the key server, while R2, R3 and R4 are yet to
register.
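The key-server and group-member configuration that the snapshots above refer to (R5 as KS, R1 as the first GM, the remaining GMs, and the crypto map on the outgoing interface), written out as an added example; it is not the manual's own configuration. The key server address 10.1.5.1 (R5's loopback), the ISAKMP parameters and the pre-shared key cisco123 are the ones used throughout this manual. The group name GETVPN, identity number 1234, RSA key label GETKEY, ACL name GETVPN_TRAFFIC with 10.1.0.0/16 as the protected range, the 300-second SA lifetime and the interface name FastEthernet0/0 are assumptions.

```ios
! ---- Key server (R5): added example, not the manual's configuration ----
! Phase I with the group members; the wildcard lets any GM address register
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
! RSA key pair used to sign rekey messages (exec-mode command; label assumed)
crypto key generate rsa general-keys label GETKEY modulus 1024
!
! Phase II policy that the KS pushes to every GM. The short lifetime is an
! assumption chosen so the remaining-lifetime countdown is easy to watch.
crypto ipsec transform-set GDOI_TSET esp-3des esp-sha-hmac
 exit
crypto ipsec profile GDOI_PROFILE
 set transform-set GDOI_TSET
 set security-association lifetime seconds 300
 exit
!
! Traffic the whole group must encrypt: the private 10.1.0.0/16 sites
! (assumption; traffic sourced from 7.7.15.1 therefore stays in the clear).
! GDOI registration (UDP 848) and the IGP are excluded so that a GM can
! still reach the KS and keep its routes while it has no keys.
ip access-list extended GETVPN_TRAFFIC
 deny   udp any eq 848 any eq 848
 deny   eigrp any any
 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 exit
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETKEY
  rekey transport unicast
  sa ipsec 1
   profile GDOI_PROFILE
   match address ipv4 GETVPN_TRAFFIC
   exit
  address ipv4 10.1.5.1
  exit
 exit
!
! ---- Group member (R1; repeat on R2, R3 and R4) ----
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key cisco123 address 10.1.5.1
!
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.1.5.1
 exit
!
! GDOI crypto map: no peer, ACL or transform set here, the KS supplies them
crypto map GDOI_MAP 10 gdoi
 set group GETVPN
 exit
!
! outgoing interface towards the core (interface name assumed)
interface FastEthernet0/0
 crypto map GDOI_MAP
 exit
!
! verification: on the KS
show crypto gdoi ks members
show crypto gdoi ks policy
! verification: on a GM (shows the downloaded policy and remaining lifetime)
show crypto gdoi
show crypto ipsec sa
```

Applying the crypto map is what triggers the registration, so a GM whose neighbours have not yet registered encrypts traffic that the other side cannot decrypt; that is exactly the failing ping described in the Debug section above.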



Now register R2 with the KS.

Now try the last ping again, from 10.1.1.1 to 10.1.2.1.

Note: Pings from R1 to 10.1.3.1 and 10.1.4.1 still fail because those routers are yet to
register themselves.
But the ping shown below succeeds, as it is sourced from 7.7.15.1, which is not
interesting traffic, so it goes unencrypted.

So now get R3 and R4 registered as well.


Check the output on KS after registration of R1/R2/R3 and R4.

For this ping the WireShark capture output is shown below the ping:


For this ping the WireShark capture output is shown below the ping:

Check the ISAKMP SA:



Check the IPsec SA:

Check that the Phase-II parameters are available on the group members, as they are
pushed down by the key server.
Now check that the remaining key lifetime is just 96 seconds.
Soon the key will be refreshed and redistributed to the group members.



Output on a group member after the key was refreshed.
Check the SA lifetime for verification.


LAB-5: GET VPN Using PKI (i.e. using the IOS CA server)

Lab Topology: same as Lab-4
Basic Initialization: same as Lab-4
Once the devices are up, ping all directly connected links from R6.

Configuration on the CA Server:
Step 1: Configure the clock.
You can configure the clock manually or using NTP.
R5(config)#clock timezone IST 5 30
R5(config)#ntp master 1
or
R5(config)#do clock set 20:55:00 13 aug 2013
Step 2: Configure a FQDN and hostname
R5(config)#ip domain-name cisco.com
Step 3: Generate the RSA key pair
R5(config)#crypto key generate rsa label CA modulus 1024
% Generating 1024 bit RSA keys, keys will be non-exportable..[OK]
Step 4: Enable the HTTP service, as clients are going to enroll for identity certificates
over port 80. To see the consequence of this command, skip it for now and come back
and enter it after step 5: you will see that even though you have executed NO SHUTDOWN
under the CA server, the CA server is still not UP.
R5(config)# ip http server
Step 5: Set up the CA server parameters
R5(config)# crypto pki server CA
R5(cs-server)#database url flash:
% Server database url was changed. You need to move the
% existing database to the new location.

An X.509 certificate consists of a number of fields. Some of the most common
RDNs and their explanations are as follows:

CN: CommonName
OU: OrganizationalUnit
O: Organization
L: Locality
S: StateOrProvinceName
C: CountryName

Example: CN=CCIEA, OU=Network Security, O=CCIE-Academy, L=Bangalore, S=Karnataka, C=IN
R5(cs-server)#issuer-name CN=CCIEA, O=CCIE-Academy, OU=Security, S=Karnataka, C=IN
R5(cs-server)# lifetime ca-certificate 730
!lifetime is in days
R5(cs-server)# lifetime certificate 365
R5(cs-server)#grant auto
R5(cs-server)#no shutdown
R5(cs-server)#exit

On the Clients:
Step 1: Configure the clock.
You can configure the clock manually or using NTP.
R1(config)#clock timezone IST 5 30
R1(config)# ntp server 10.1.5.1
or


R1(config)#do clock set 20:55:00 13 aug 2013
Step2: Now configure a FQDN and hostname
R1(config)#ip domain-name cisco.com
Step3: Generate RSA key Pair
R1(config)#crypto key generate rsa
The name for the keys will be: R1.lab.local
Choose the size of the key modulus in the range of 360 to 2048 for your General
Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:1024
% Generating 1024 bit RSA keys, keys will be nonexportable..[OK]
Step4: Configure Router to point towards CA Server
crypto ca trustpoint XYZ
enrollment url http://10.1.5.1:80
usage ike
revocation-check none
exi
Step5: Configure Router to Download Root certificate of CA server
R1(config)#crypto ca authenticate XYZ
Note: XYZ is a user-defined, locally significant name, so it could be any name.
Certificate has the following attributes:
Fingerprint MD5: 84E5BFE0 D7311BEC 2E9D1878 FDAE1F1C
Fingerprint SHA1: 8F0D0DD3 88E21F6D A6F50564 36FFA49C FCC8DBEF
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Step6: Configure Router to enroll for Identity Certificate from CA Server.




R1(config)# crypto ca enroll XYZ
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: cisco123 {min. 7 characters}
Re-enter password: cisco123
% The subject name in the certificate will include: R1.IP4Networker.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: XXXXXXXXXXX
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate XYZ verbose' command will show the fingerprint.
Aug 13 15:56:55.300: CRYPTO_PKI: Certificate Request Fingerprint MD5: EC4D4AB4 E38131C5 E962A630 11D8C498
Aug 13 15:56:55.300: CRYPTO_PKI: Certificate Request Fingerprint SHA1: A72C88A3 E909EF1C 36CDE8A3 DA6067BF 32F71E8F
Aug 13 15:56:57.984: %PKI-6-CERTRET: Certificate received from Certificate Authority
On R1 after enrollment for the Certificate:
R1# sh crypto pki certificates
Certificate (Identity Certificate)
Status: Available
Certificate Serial Number: 0x2
Certificate Usage: General Purpose


Issuer: cn=CCIEA O\=training C\=IN
Subject:
Name: R1.cisco.com
Serial Number: XXXXXXXXXXX
serialNumber=XXXXXXXXXXX+hostname=R1.cisco.com
Validity Date:
  start date: 15:56:57 UTC Aug 13 2013
  end date: 15:56:57 UTC Aug 13 2014
Associated Trustpoints: XYZ
CA Certificate (Root Certificate)
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer: cn=CCIEA O\=training C\=IN
Subject: cn=CCIEA O\=training C\=IN
Validity Date:
  start date: 15:51:37 UTC Aug 13 2013
  end date: 15:51:37 UTC Aug 12 2016
Associated Trustpoints: XYZ
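Two operator checks sit in the PKI steps above: reading the distinguished names in the show output (the RDNs explained for the issuer-name command, including the escaped issuer cn=CCIEA O\=training C\=IN) and comparing the CA certificate fingerprint before answering yes at the crypto ca authenticate prompt. The helpers below are an added example for this manual, not IOS code; they assume IOS prints fingerprints as the MD5/SHA1 digest of the DER-encoded certificate in 8-hex-digit groups, and the certificate bytes used at the bottom are a constructed placeholder, not a real certificate.

```python
"""Added helpers for the PKI steps above (example code, not IOS code):
parse the distinguished names IOS prints, and verify a CA certificate
fingerprint the way the operator must at the 'Do you accept this
certificate?' prompt of 'crypto ca authenticate'."""
import hashlib
import re

# Attribute types seen in this manual's configurations and show output.
# 'S' is the manual's abbreviation for stateOrProvinceName (X.500: ST).
RDN_TYPES = {"CN", "OU", "O", "L", "ST", "S", "C",
             "SERIALNUMBER", "HOSTNAME", "UNSTRUCTUREDNAME", "EMAIL"}


def parse_ios_dn(text):
    """Parse a DN string into an ordered list of (TYPE, value) tuples.

    RDNs are separated by ',' and multi-valued RDNs by '+', as in
    'serialNumber=...+hostname=R1.cisco.com' above.  A backslash escapes the
    following character, so the issuer 'cn=CCIEA O\\=training C\\=IN' shown
    above is ONE RDN whose CN value is 'CCIEA O=training C=IN': the '='
    signs are data, not RDN boundaries.
    """
    rdns, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling escape at end of DN")
    rdns.append(_split_rdn("".join(buf)))
    return rdns


def _split_rdn(part):
    """'cn=CCIEA' -> ('CN', 'CCIEA'); rejects malformed or unknown types."""
    attr, sep, value = part.partition("=")
    attr, value = attr.strip().upper(), value.strip()
    if not sep or not attr or not value:
        raise ValueError(f"malformed RDN: {part!r}")
    if attr not in RDN_TYPES:
        raise ValueError(f"unknown attribute type: {attr!r}")
    return attr, value


def issuer_matches_ca(identity_issuer, ca_subject):
    """Chain check: the identity certificate's Issuer must equal the CA
    certificate's Subject, RDN by RDN (values compared case-insensitively,
    as X.500 does for these string types)."""
    a = [(t, v.casefold()) for t, v in parse_ios_dn(identity_issuer)]
    b = [(t, v.casefold()) for t, v in parse_ios_dn(ca_subject)]
    return a == b


def ios_fingerprint(cert_der, algorithm="sha1"):
    """Fingerprint in the grouped form IOS prints, e.g.
    'Fingerprint SHA1: 8F0D0DD3 88E21F6D A6F50564 36FFA49C FCC8DBEF'
    (hash of the DER-encoded certificate, 8 hex digits per group)."""
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def accept_ca_certificate(cert_der, expected_fingerprint, algorithm="sha1"):
    """The decision behind the 'Do you accept this certificate?' prompt:
    the presented fingerprint must equal the value obtained out of band from
    the CA administrator.  Whitespace and case differences are ignored; any
    other difference means the trustpoint must NOT be accepted."""
    def normalize(s):
        return re.sub(r"\s+", "", s).upper()
    presented = normalize(ios_fingerprint(cert_der, algorithm))
    return presented == normalize(expected_fingerprint)


if __name__ == "__main__":
    # Constructed placeholder bytes: stands in for the DER certificate that
    # 'crypto ca authenticate XYZ' downloads from http://10.1.5.1.
    fake_der = b"constructed placeholder, not a real X.509 certificate"
    print("MD5 :", ios_fingerprint(fake_der, "md5"))
    print("SHA1:", ios_fingerprint(fake_der, "sha1"))
    print(parse_ios_dn("cn=CCIEA O\\=training C\\=IN"))
```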

To check the enrollments on CA server

Similarly configure R2, R3 and R4




IPsec Configuration on KEY_SERVER and GROUP_MEMBERS

KEY_SERVER:
!1. Phase-I parameters
crypto isakmp policy 10
 authentication rsa-sig
 hash md5
 group 2
 encryption 3des
 exit
!2. Phase-II parameters
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 exit
!3. Interesting traffic
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!4. Create IPsec Profile
crypto ipsec profile ABC
 set transform-set TSET
 exit
!5. GDOI Parameters
crypto gdoi group XYZ
 identity number 100
 server local
  sa ipsec 10
   profile ABC
   match address ipv4 101
   exit
  address ipv4 10.1.5.1
  exit
 exit

Group-Members:
!1. Phase-I parameters
crypto isakmp policy 10
 authentication rsa-sig
 hash md5
 group 2
 encryption 3des
 exit
!2. GDOI to reach SERVER
crypto gdoi group AAA
 identity number 100
 server address ipv4 10.1.5.1
 exit
!3. Crypto Map
crypto map CMAP 10 gdoi
 set group AAA
 exit
!4. Apply crypto map to the interface
interface s0/0
 crypto map CMAP
 exit

Group Member R1 Registers with KEY_SERVER


At this moment only R1 has got the Session_Key from the KEY_SERVER.

This ping fails as R1 is sending encrypted traffic but R2 can't decrypt it, as R2 is yet to register with the Key Server. Similarly, if R2 pings R1, R1 gets an error message:

Group Member R2 Registers with KEY_SERVER

Now the same ping

Similarly get R3 and R4 also Registered with KEY_SERVER.


And you get complete end-to-end connectivity.


Execute this command on R2, R3 and R4:

R2# sh crypto gdoi group AAA
R3# sh crypto gdoi group AAA
R4# sh crypto gdoi group AAA
You would see that on all four routers, i.e. R1, R2, R3 and R4, the SA lifetime is different. The reason is that all are sharing the SAME key.
This is the only multi-point VPN from the perspective of IPsec, as all peers use the same key provided by the KEY-SERVER.
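The two observations above, that an unregistered member cannot decrypt group traffic and that every registered member holds the same key, come from one fact: the KEY_SERVER distributes a single traffic key. The simulation below is an added example for this manual, not IOS code or the GDOI wire protocol; the cipher is a constructed HMAC-SHA256 keystream standing in for the ESP transform set, and the trusted-subject set uses the router names because the lab does not show each router's certificate subject.

```python
"""Added simulation of the key model this lab demonstrates (example code for
this manual, not IOS code): the KEY_SERVER hands ONE traffic key to every
group member that registers, so all members share the same SA, and a member
that has not registered yet (R2 before its registration above) cannot
decrypt what a registered member (R1) sends.  The cipher is a constructed
HMAC-SHA256 keystream standing in for the ESP transform set."""
import hashlib
import hmac
import os

TAG_LEN = 32
NONCE_LEN = 12


class KeyServer:
    """'crypto gdoi group ... server local': one traffic key for the group."""

    def __init__(self, identity_number, trusted_subjects):
        self.identity_number = identity_number
        # Routers that enrolled with the CA; rsa-sig authentication admits
        # only these into the group.
        self.trusted_subjects = set(trusted_subjects)
        self.tek = os.urandom(32)       # traffic encryption key (TEK)
        self.members = set()

    def register(self, subject, identity_number):
        """Registration: authenticate the member, check the group identity,
        then hand out the shared TEK."""
        if subject not in self.trusted_subjects:
            raise PermissionError(f"{subject}: certificate not trusted")
        if identity_number != self.identity_number:
            raise PermissionError(f"{subject}: identity number mismatch")
        self.members.add(subject)
        return self.tek

    def rekey(self):
        """Generate a new TEK and return it for every registered member."""
        self.tek = os.urandom(32)
        return {member: self.tek for member in self.members}


class GroupMember:
    """A router with 'crypto map CMAP 10 gdoi' applied on its interface."""

    def __init__(self, subject):
        self.subject = subject
        self.tek = None                 # no SA until registration succeeds

    def register(self, key_server, identity_number):
        self.tek = key_server.register(self.subject, identity_number)

    def _keystream(self, nonce, length):
        """Counter-mode keystream derived from the group TEK (constructed)."""
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self.tek, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def protect(self, plaintext):
        """Encrypt-then-MAC with the group key: nonce || ciphertext || tag."""
        if self.tek is None:
            raise RuntimeError(f"{self.subject}: not registered, no IPsec SA")
        nonce = os.urandom(NONCE_LEN)
        stream = self._keystream(nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(self.tek, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def unprotect(self, packet):
        """Verify the tag with the group key, then decrypt."""
        if self.tek is None:
            raise RuntimeError(f"{self.subject}: not registered, no IPsec SA")
        nonce = packet[:NONCE_LEN]
        ciphertext, tag = packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.tek, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError(f"{self.subject}: authentication failed (stale or wrong group key)")
        stream = self._keystream(nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, stream))


def lab_sequence():
    """Replays the registration order above with identity number 100."""
    ks = KeyServer(100, {"R1", "R2", "R3", "R4"})
    r1, r2 = GroupMember("R1"), GroupMember("R2")
    r1.register(ks, 100)
    packet = r1.protect(b"ping from R1 to R2")       # constructed payload
    try:                                              # R2 not registered yet
        r2.unprotect(packet)
        before = "decrypted"
    except RuntimeError:
        before = "no SA"
    r2.register(ks, 100)                              # R2 registers
    after = r2.unprotect(packet)
    same_key = r1.tek == r2.tek                       # every member holds the same TEK
    for member, tek in ks.rekey().items():            # rekey reaches all members
        {"R1": r1, "R2": r2}[member].tek = tek
    try:
        r2.unprotect(packet)                          # old traffic no longer verifies
        old_after_rekey = "decrypted"
    except ValueError:
        old_after_rekey = "rejected"
    return before, after, same_key, old_after_rekey
```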


Re-Registration happens dynamically:


LAB-6: DMVPN
Lab Topology:

Basic Initialization:
Here R1 is the HUB:
Initial configuration for the HUB/ SERVER.

Verify the output:


Verify the routing table entry:

Configuration on SPOKES:
On R3:

Verification: go to R1 (HUB) and check that R3 has dynamically registered with the NHS server (R1).

This entry remains with the Next-Hop-Server (NHS) for 2 hours; also observe that the registration type is dynamic.
Verify the output on R3:



The mapping available is of type Static, which says that to reach the NHS server with IP address 192.168.1.1/32 the corresponding public IP is 110.1.16.1. Also observe that this entry never expires, as it is manually defined.
Similarly configure R4 and R5:
On R4
int tunnel 1
 ip address 192.168.1.4 255.255.255.0
 tunnel source s0/0
 tunnel mode gre multipoint
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 110.1.16.1

On R5
int tunnel 1
 ip address 192.168.1.5 255.255.255.0
 tunnel source s0/0
 tunnel mode gre multipoint
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 110.1.16.1

Recheck the NHS for the mapping; R4 and R5 have also registered.

As you have verified in the output on R3, there is only 1 mapping entry available in the cache. Now we try to trace route to 192.168.1.5, i.e. the IP address of the R5 tunnel interface.


The packet first goes to 192.168.1.1, i.e. the NHS, and then goes to 192.168.1.5, so the packet takes 2 hops to reach the destination.
But during this process R3 requested the mapping to reach 192.168.1.5 from the NHS.
Compare this with the snapshot given above.

Now execute the same trace route command again.

This time the packet makes it to the destination in just 1 hop because R3 has the mapping available in the cache.
This is called DMVPN PHASE-I, where the SPOKES communicate directly with each other by downloading the mappings from the NHS.


DMVPN PHASE-II
Now run an interior routing protocol on the HUB and SPOKES.
router eigrp 101
 no auto-summary
 network 192.168.1.0
 network 10.0.0.0
 exit
On SPOKES:
int tunnel 1
 ip nhrp map multicast 110.1.16.1
 exit
Routing protocol updates are sent on the multicast network 224.0.0.0, so SPOKES need to have a mapping to send the routing updates to the HUB.
On HUB:
int tunnel 1
 ip nhrp map multicast dynamic
 exit
Verify the output:

On HUB:
int tunnel 1
 shut
 exit


On All Spokes:
int tunnel 1
 shut
 exit

Now bring up the tunnel interface on the HUB and then on all spokes:
On HUB:
int tunnel 1
 no shut
 exit
On All Spokes:
int tunnel 1
 no shut
 exit
Now on R1 turn off the split-horizon feature on the HUB for EIGRP process 101.
On R1 (HUB)
int tunnel 1
 no ip split-horizon eigrp 101
 exit
Check routing table entries on SPOKES:

Observe that all the private networks are reachable via 192.168.1.1, i.e. the HUB.


Now if you trace route you would see traffic is routed through the HUB to the SPOKE and doesn't go directly from SPOKE to SPOKE.
Reason: how traffic is routed is dictated by the routing table, and the routing table entry says 10.4.1.1 is reachable via 192.168.1.1.
For the solution, change the setting on R1 (HUB):
int tunnel 1
 no ip next-hop-self eigrp 101
 exit
Verification: check the routing table entry on SPOKES again and compare it with the earlier routing table output.


Routing table entry on SPOKE- R5

Trace route to 10.4.1.1 from 10.5.2.1

Two hops to reach the destination.


Check the mapping:



The mapping to reach 10.4.1.1 is downloaded from the NHS and remains in the cache for 2 hours.
Now if you re-run the trace route to 10.4.1.1 you would see the packet reach the destination in 1 hop.

This is called DMVPN PHASE-II, where the SPOKES communicate directly with each other by downloading the mappings from the NHS, but here we change settings of the routing protocol to accomplish this.
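The trace routes in PHASE-I and PHASE-II show the same NHRP cache mechanics: a static mapping to the NHS that never expires, a first packet that goes via the hub (2 hops) and triggers a resolution request, a dynamic entry cached for 2 hours, and a second packet that goes spoke-to-spoke (1 hop). The simulation below is an added example for this manual, not IOS code; tunnel addresses follow Lab-6, while the spokes' public (NBMA) addresses are constructed because the manual only shows the hub's, 110.1.16.1.

```python
"""Added simulation of the NHRP cache behaviour observed in the trace routes
above (example code for this manual, not IOS code).  A spoke holds a static
mapping for the NHS that never expires; the first packet to another spoke
goes via the hub and triggers a resolution request, the reply is cached as a
dynamic entry (2 hours above), and the next packet goes spoke-to-spoke."""

HOLDTIME = 2 * 3600          # NHRP holdtime in seconds, the 2 hours noted above


class NhrpCache:
    """Maps tunnel IP -> (NBMA IP, entry type, expiry time or None)."""

    def __init__(self):
        self.entries = {}

    def add_static(self, tunnel_ip, nbma_ip):
        self.entries[tunnel_ip] = (nbma_ip, "static", None)   # never expires

    def add_dynamic(self, tunnel_ip, nbma_ip, now):
        self.entries[tunnel_ip] = (nbma_ip, "dynamic", now + HOLDTIME)

    def lookup(self, tunnel_ip, now):
        entry = self.entries.get(tunnel_ip)
        if entry is None:
            return None
        nbma_ip, _kind, expires = entry
        if expires is not None and now >= expires:   # aged out
            del self.entries[tunnel_ip]
            return None
        return nbma_ip

    def show(self, now):
        """Like 'show ip nhrp': [(tunnel IP, NBMA IP, type)] for live entries."""
        return [(t, e[0], e[1]) for t, e in self.entries.items()
                if e[2] is None or now < e[2]]


class Hub:
    """The NHS: learns spoke mappings from registrations and answers
    resolution requests with them."""

    def __init__(self, tunnel_ip, nbma_ip):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.registrations = NhrpCache()

    def register(self, spoke, now):
        self.registrations.add_dynamic(spoke.tunnel_ip, spoke.nbma_ip, now)

    def resolve(self, tunnel_ip, now):
        return self.registrations.lookup(tunnel_ip, now)


class Spoke:
    def __init__(self, tunnel_ip, nbma_ip, hub):
        self.tunnel_ip, self.nbma_ip, self.hub = tunnel_ip, nbma_ip, hub
        self.cache = NhrpCache()
        # 'ip nhrp map 192.168.1.1 110.1.16.1' on the spokes above
        self.cache.add_static(hub.tunnel_ip, hub.nbma_ip)

    def register(self, now):
        """Registration with the NHS ('ip nhrp nhs'), repeated periodically."""
        self.hub.register(self, now)

    def send(self, dst_tunnel_ip, now):
        """Return the NBMA hops a packet to dst_tunnel_ip takes."""
        direct = self.cache.lookup(dst_tunnel_ip, now)
        if direct is not None:
            return [direct]                                  # 1 hop
        # No mapping: forward via the NHS and ask it for the mapping.
        nbma = self.hub.resolve(dst_tunnel_ip, now)
        if nbma is None:
            return [self.hub.nbma_ip]                        # hub cannot resolve either
        self.cache.add_dynamic(dst_tunnel_ip, nbma, now)
        return [self.hub.nbma_ip, nbma]                      # 2 hops


def lab6_trace():
    """R3 traces to R5's tunnel IP twice, then again after the dynamic
    entry has aged out.  Returns the hop lists and the cache sizes seen."""
    r1 = Hub("192.168.1.1", "110.1.16.1")
    r3 = Spoke("192.168.1.3", "110.1.36.3", r1)   # NBMA address constructed
    r5 = Spoke("192.168.1.5", "110.1.56.5", r1)   # NBMA address constructed
    now = 0
    r3.register(now)
    r5.register(now)
    before = len(r3.cache.show(now))              # only the static NHS entry
    first = r3.send("192.168.1.5", now)           # via NHS, resolution cached
    second = r3.send("192.168.1.5", now + 60)     # direct from cache
    after = len(r3.cache.show(now + 60))          # static + dynamic entry
    later = now + HOLDTIME + 60
    r3.register(later)                            # spokes keep re-registering
    r5.register(later)
    third = r3.send("192.168.1.5", later)         # cache expired: via NHS again
    return first, second, third, before, after
```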


DMVPN PHASE-III
Remove the changes made in the routing protocol on the HUB during PHASE-II.
On HUB:
int tunnel 1
 ip split-horizon eigrp 101
 ip next-hop-self eigrp 101
 exit
Now we use the NHRP feature to accomplish what we accomplished in PHASE-II by changing the setting of the routing protocol.
On R1 (HUB):
int tunnel 1
 ip nhrp redirect
 exit
On SPOKES:
int tunnel 1
 ip nhrp shortcut
 exit
Verification:

Remaining output omitted. Retry the same trace route.



LAB-7: DMVPN Dual-Hub

Note: Continue with the configuration of the last lab. All you need to do is make changes on R1 (HUB-1) and configure R2 (HUB-2), followed by adding information about HUB-2 on the existing spokes.
Configuration on R1 (HUB-1)
int tunnel 1
 ip nhrp map 192.168.1.2 110.1.26.2
 ip nhrp map multicast 110.1.26.2
 exit
Configuration on R2 (HUB-2)
! Run EIGRP with AS 101
int tunnel 1
 ip address 192.168.1.2 255.255.255.0
 tunnel source f0/0
 tunnel mode gre multipoint
 ip nhrp network-id 100
 ip nhrp map 192.168.1.1 110.1.16.1
 ip nhrp map multicast dynamic
 ip nhrp map multicast 110.1.16.1
 ip nhrp redirect
 exit
On spokes:
int tunnel 1
 ip nhrp nhs 192.168.1.2
 ip nhrp map 192.168.1.2 110.1.26.2
 ip nhrp map multicast 110.1.26.2

Module 3: High Availability VPN

1. High Availability VPN without using HSRP
2. High Availability VPN using HSRP


LAB-1: HIGH AVAILABILITY VPN WITHOUT HSRP


Lab Topology:

!On R1
enable
conf t
int f0/0
 ip add 136.1.13.1 255.255.255.0
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 136.1.13.3
int loo 1
 ip add 10.1.1.1 255.255.255.0
int loo 2
 ip add 10.1.2.1 255.255.255.0

!On R2
ena
conf t
int s0/0
 ip add 136.1.24.2 255.255.255.0
 clock rate 1000000
 no shut
 exit
int s0/1
 ip add 136.1.25.2 255.255.255.0
 clock rate 1000000
 no shut
 exit
router eigrp 100
 no auto-summary
 network 1.0.0.0
 network 136.1.24.0
 network 136.1.25.0
 exit
int loopback 0
 ip add 1.1.1.1 255.0.0.0
int loo 1
 ip add 10.2.1.1 255.255.255.0
int loo 2
 ip add 10.2.2.1 255.255.255.0
 exit

!On R3
ena
conf t
int f0/0
 ip add 136.1.13.3 255.255.255.0
 no shut
 exit
int s0/0
 ip add 136.1.34.3 255.255.255.0
 no shut
 exit
int s0/1
 ip add 136.1.35.3 255.255.255.0
 no shut
router eigrp 100
 no auto-summary
 network 136.1.34.0
 network 136.1.35.0
 exit

Setup Tuning:
If you check the routing table on R3, you would see that there are 2 routes to reach Loopback-0 on R2, i.e. 1.1.1.1.
What you can do to correct this is set the bandwidth on the R5 S0/1 and R2 S0/1 interfaces. As we are running EIGRP this would change the metric value, and as a result there would be only 1 best route in the routing table.
On R2 - interface S0/1
bandwidth 128
On R5 - interface S0/1


bandwidth 128
Now if you check the routing table entry, you would see only 1 route to reach the 1.1.1.1 network.
Now if you traceroute from R3 to reach 1.1.1.1, you would find the hops are through 136.1.34.0 and then next-hop 136.1.24.0.
When this path is down, the alternate route is moved to the routing table.
IPsec configuration on Router R2
!Step1:
crypto isakmp policy 10
authe pre-share
encry 3des
hash md5
group 2
exi
crypto isakmp key 0 cisco123 address 136.1.13.1
!Step2:
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
exi
!Step3:
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!Step4:
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 136.1.13.1
set transform-set TSET
exi
!Step5:
!Apply crypto-map CMAP on outgoing interfaces i.e. S0/0 & S0/1
int s0/0
crypt map CMAP
int s0/1
crypt map CMAP
!Step6:
crypto map CMAP local-address Loopback0


!
Apart from this, you would need a static route:
ip route 10.1.0.0 255.255.0.0 136.1.13.1
IPsec configuration on Router R1
!Step1:
crypto isakmp policy 10
authe pre-share
encry 3des
hash md5
group 2
exi
crypto isakmp key 0 cisco123 address 1.1.1.1
!Step2:
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
exi
! Step3:
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
! Step4:
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 1.1.1.1
set transform-set TSET
exi
! Step5:
!Apply crypto-map CMAP on outgoing interface
int F0/0
crypt map CMAP
exit
Verification of the present setup:
From R2/R1:
show crypto isakmp sa
No ISAKMP SA exists.
ping 10.1.1.1 source 10.2.1.1
Now again execute: show crypto isakmp sa
show crypto ipsec sa


To test the setup:
From R2:
ping 10.1.1.1 source 10.2.1.1 repeat 1000

Now go to R4:

Shut down interface S0/1 of router R4.
Check the routing table on R3: show ip route eigrp
You can see network 1.0.0.0/8 is reachable via 136.1.35.0.
At the same time go to R2:
You would see that all packets flow seamlessly. Hardly 1 packet would be dropped.


LAB-2: High Availability VPN using HSRP


Lab Topology:

Basic Configuration:
Router-R4
int f0/0
 ip address 192.1.100.1 255.255.255.0
 no shut
 exit
int f0/1
 ip add 192.168.1.1 255.255.255.0
 no shut
 exit
!
ip route 0.0.0.0 0.0.0.0 192.1.100.3

Router-R5
int f0/0
 ip address 192.1.100.2 255.255.255.0
 no shut
 exit
int f0/1
 ip add 192.168.1.2 255.255.255.0
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 192.1.100.3

Router-R2
int f0/0
 ip address 192.168.1.5 255.255.255.0
 no shut
 exit
int loopback 0
 ip address 10.5.5.5 255.255.255.0
Run eigrp on the 192.168.1.0/24 and 10.5.5.0 networks.

Router-R3
int f0/0
 ip address 192.1.100.3 255.255.255.0
 no shut
 exit
int s0/0
 ip address 192.1.34.3 255.255.255.0
 clock rate 128000
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 192.1.34.4

Router-R1
int s0/0
 ip address 192.1.34.4 255.255.255.0
 no shut
 exit
int loopback 0
 ip address 10.4.4.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.1.34.3

On the switch:

Configure HSRP on R4 and R5:


On Router R4
Interface F0/0
Standby 1 ip 192.1.100.12
Standby 1 priority 105
Standby 1 preempt
Standby 1 name HA
exit

On Router R5
Interface F0/0
Standby 1 ip 192.1.100.12
Standby 1 name HA
exit



crypto isakmp keepalive 10   ! keepalive interval in seconds
IPsec configuration On Router R1
!Step1:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
exit
crypto isakmp key 0 cisco123 address 192.1.100.12
!Step2:
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
exit
! Step3:
access-list 101 permit ip 10.4.4.0 0.0.0.255 10.5.5.0 0.0.0.255
! Step4:
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 192.1.100.12
set transform-set TSET
reverse-route static
exit
! Step5:
!Apply crypto-map CMAP on outgoing interface
int S0/0
crypt map CMAP
exit
IPsec configuration On Router R4 & R5
This configuration goes on both the routers.
!Step1:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5


group 2
exit
crypto isakmp key 0 cisco123 address 192.1.34.4
!Step2:
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
exit
! Step3:
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.4.4.0 0.0.0.255
! Step4:
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 192.1.34.4
set transform-set TSET
reverse-route static
exit
! Step5:
!Apply crypto-map CMAP on outgoing interface
int F0/0
crypt map CMAP redundancy HA
exit
On the EIGRP process:
router eigrp 100
 redistribute static
 exit
Output:
SITE1= Router R1

SITE2= Router R4

SITE2= Router R5

Check the routing table on SITE2-R2.

Network 10.4.4.0 is reachable via 192.168.1.1, i.e. Router R4.

Now let's do a ping from 10.5.5.5 to 10.4.4.4 with a repeat value of 500.
ping 10.4.4.4 source 10.5.5.5 repeat 500
While the ping is in progress, go to Router R4 and shut down interface F0/0. Soon you start getting dots (.) for the pings.
This continues for 10 sec, as 10 sec is the number of seconds between keepalives:
crypto isakmp keepalive 10
Actual output on Router R2:
Actual Output on Router R2:


Ping output marked with yellow color is when interface F0/0 of R4 is UP.
Ping output marked with orange color is when interface F0/0 of R4 is
SHUTDOWN and for next 10sec you get dots (.) in ping output.

Ping outputs which are left unmarked are the Ping packets going through R5.

Now go to R4 and NO SHUT interface F0/0.


Ping output marked with blue color is when interface F0/0 of R4 is NO
SHUTDOWN and for next 10seconds you get dots (.) in ping output and after 10
seconds normal ping output.


Module 4: Remote Access VPN


Easy VPN Software Client
Easy VPN Hardware Client
Easy VPN Network Ext. Mode
Easy VPN On Cisco ASA
SSL VPN/ Web VPN IOS Server
SSL VPN on Cisco ASA


LAB-1: Easy VPN with IOS server and Cisco VPN Client Software
Lab Topology:
Logical Setup:

Physical Setup:

Requirements:
Devices Used:
(a) Two PCs
(b) Two Routers: R3, R4


(2800 Software (C2800NM-ADVSECURITYK9-M), Version 15.1(4)M6)
(c) Two switches: C3550 Software (C3550-IPSERVICES-M), Version 12.2(44)SE6
(d) Cisco VPN client software installed on the Remote_Client_PC.
Basic Initialization:
Setup Layer 2:

Setup trunk line between SW3 and SW4

Same configuration on SW3


Assign appropriate port to the respective VLANs.
On SW3:


On SW4:

Now configure the routers:


Routes on both the Routers:

Setup the IP address on Remote_Client_PC

Try to ping 192.1.20.2 which is the Public IP address of your Easy VPN
Server.


Now Configure R3 as IOS Easy VPN Server



Now on the Remote_Client_PC configure a profile in the Cisco VPN
Client software:

The output looks like this:



Connect to the Easy VPN server using the VPNClient profile:

As Extended Authentication is enabled, you would be challenged for extended authentication.



Check the Output:
You can go to show hidden icons > right click on VPN Client Icon > Select VPN statistics.

You can ping the Corporate_PC_Connected_TO_Rack (10.10.10.1) from Remote_Client_PC to check the VPN connectivity.



Now you have complete end-to-end reachability. For verification purposes I would try a Remote Desktop Connection into the Corporate PC.

Connection in progress:

Once you get connected, you would be prompted for Login username
and password.



You would get access to Corporate Network on Successful Login.


LAB-2: Easy VPN with IOS server and Router As Client


Lab Topology:

Basic Initialization:
On R1
int f0/0
 ip add 192.1.20.2 255.255.255.0
 no shut
 exit
int loopback 1
 ip add 10.10.10.1 255.255.255.0
 exit
ip route 0.0.0.0 0.0.0.0 192.1.20.1

On R2
int f0/0
 ip add 192.1.20.1 255.255.255.0
 no shut
 exit
int f0/1
 ip add 192.1.30.1 255.255.255.0
 no shut
 exit

On R3
int f0/0
 ip add 192.1.30.3 255.255.255.0
 no shut
 exit
int loopback 1
 ip add 192.168.10.1 255.255.255.0
 exit
ip route 0.0.0.0 0.0.0.0 192.1.30.1

Verification:
Ping 192.1.20.2 from R3.

Easy VPN Server Configuration: On R1
Easy VPN Server Configuration: On R1


On R3:
crypto ipsec client ezvpn EZC
 peer 192.1.20.2
 group SALES1 key cisco111
 mode client
 connect auto
 exit

Output:


On R3: the router connects as a client under group SALES1 and the address assigned by the Server from the pool is 10.11.11.1/24. This address is installed on the Loopback10000 interface.

On Server (R1): the moment client router R3 connects, the Virtual-Access2 interface state changes to UP.

Check interface brief on R3

Loopback10000 is assigned IP address 10.11.11.1 provided by the Easy VPN server.
Check interface brief on Router R1 (Server). Interface Virtual-Access2 is up.

Next, check the routing table on R3 (Client).


Check routing table on Router R1 (Server)

Check interface Virtual-Access2, which is dynamically created using Virtual-Template1.

Now notice that there is no translation on the router. We will come back and verify this output again soon.

Now ping 10.10.10.1, the private network behind the Easy VPN Server, from the private network behind R3 (Loopback 1 = 192.168.10.1).

The ping from one private IP address to another private IP address succeeded over the internet. Now go and check the translation table entry: 192.168.10.1 is translated to the private IP address (10.11.11.1) assigned by the Easy VPN Server. This address is installed on Loopback10000 on R3.

Debug commands:
show crypto isakmp sa
show crypto ipsec sa



LAB-3: Easy VPN with IOS server and Router As Client in NEM Mode
Lab Topology: same as previous lab.
Pre-requisite: previous lab configuration.
Don't touch the configuration of routers R1 and R2. Only modify the configuration of R3 (Client).
On R3:
no crypto ipsec client ezvpn EZC
crypto ipsec client ezvpn EZC
 peer 192.1.20.2
 group SALES1 key cisco111
 mode network-extension
 connect manual
 exit

To manually connect to the server, execute the command given below:



As soon as you hit enter, you get connected to the Server.
This time around no IP address is assigned to R3 by the server. Instead, the subnet 192.168.10.0/24 is announced to the Server, so that the server installs a route for this subnet in its routing table.
To verify the above, check the routing table on the Server (R1).

Now ping 192.168.10.1 from 10.10.10.1 (private-to-private).

And use these commands to check the SAs:
1. show crypto isakmp sa
2. show crypto ipsec sa


LAB-4: SSL VPN on Router


Lab Topology:
Logical Setup:

Basic Initialization:
On R4
int f0/0
 ip add 10.11.11.1 255.255.255.0
 no shut
 exit
!
ip route 0.0.0.0 0.0.0.0 10.11.11.10
!
ip http server
ip http secure-server
!
username admin privilege 15 password cisco

On R5
int f0/0
 ip add 10.11.11.10 255.255.255.0
 no shut
 exit
int f0/1
 ip add 192.1.20.10 255.255.255.0
 no shut
 exit
ip route 177.11.11.0 255.255.255.0 192.1.20.1

On R6
int f0/0
 ip add 192.1.20.1 255.255.255.0
 no shut
 exit
int f0/1
 ip add 177.11.11.10 255.255.255.0
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 192.1.20.10

On PC:
Change adapter settings:
IP Address: 177.11.11.1
Mask: 255.255.255.0
Gateway: 177.11.11.10

Clientless VPN
On SSL VPN Server (R5):
username admin password cisco
!
aaa new-model
aaa authentication login AUTHEN local
!
ip http server
ip http secure-server
Output:

Prepare your Server:

crypto pki trustpoint SELF_CA
 rsakeypair MYKEY 1024
 subject-name CN=CCIEAcademy OU=Network Security O=CCIEAcademy L=Bangalore S=Karnataka C=IN
 ip-address none
 enrollment selfsigned
 exit
crypto pki enroll SELF_CA
Output:

Now Configure Router to accept VPN connections:

webvpn gateway SSL_GATEWAY
 ip address 192.1.20.10 port 443
 http-redirect port 80
 ssl trustpoint SELF_CA
 inservice
!
webvpn context SALES
 ssl authenticate verify all
 !
 url-list "Device-Config"
  heading "Device Configuration"
  url-text "Access_to_R4" url-value "http://10.11.11.1"
 policy group SSL_Policy
  url-list "Device-Config"
  hide-url-bar
  mask-urls
 default-group-policy SSL_Policy
 aaa authentication list AUTHEN
 gateway SSL_GATEWAY
 inservice
 exit

Verification:
On PC:

Ping 192.1.20.10 from PC. This should succeed.


Browse to https://192.1.20.10 and continue to the website.

Enter username admin and password cisco.

Click on the link Access_to_R4.

Under policy group SSL_Policy there is one command, hide-url-bar, which hides the URL bar. You know it takes you to router R4, which is at 10.11.11.1, but you won't see this address in the URL bar.
Enter username admin and password cisco.

Log out from the page.

Thin client
Continue with the previous configuration:
webvpn context SSL_CONTEXT
port-forward "Applications"
local-port 2200 remote-server "10.11.11.1" remote-port 23 description "Use this To Telnet To R4"
exit
policy group SSL_Policy
port-forward "Applications"
exit
exit

Verification:
Browse to https://192.1.20.10
Login using username admin password cisco


Full Client

R5(config)# ip access-list extended SSL_ACL
R5(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 host 10.11.11.1 eq 23
R5(config-ext-nacl)# exit
R5(config)# ip local pool SSL_POOL 192.168.10.1 192.168.10.10
R5(config)# webvpn context SSL_CONTEXT
R5(config-webvpn-context)# policy group SSL_Policy
R5(config-webvpn-group)# filter tunnel SSL_ACL
R5(config-webvpn-group)# svc split include 10.11.11.0 255.255.255.0
R5(config-webvpn-group)# functions svc-enabled
R5(config-webvpn-group)# svc address-pool SSL_POOL
R5(config-webvpn-group)# exit
R5(config-webvpn-context)# exit

Verification:
Browse to https://192.1.20.10
Login using username admin password cisco
After successful login you will be presented the page shown below.

Go to Application Access on the right-hand side and click Start to download the Cisco AnyConnect Secure Mobility Client.

The Cisco AnyConnect Secure Mobility software is downloaded from the SSL VPN server.

Module 5: IKEv2 Based VPN

1. IKEv2 Policy Based Site-to-Site VPN
2. IKEv2 Routing Based Site-to-Site VPN
3. IKEv2 Based VPN on Cisco ASA

LAB-1: IKEv2 Policy Based Site-To-Site VPN


Lab Topology:

Theory:
In IKEv1, i.e. Internet Key Exchange Version 1, we have two phases: PHASE-I and PHASE-II.
PHASE-I is also known as the ISAKMP phase.
ISAKMP stands for Internet Security Association and Key Management Protocol.
In PHASE-I we have two protocols working for the successful establishment of the PHASE-I SA (Security Association or tunnel):
1. ISAKMP
2. Diffie-Hellman
ISAKMP works on UDP port 500.
Note: Both IKEv1 and IKEv2 use UDP for encapsulation and transmission of the traffic. IKEv1 and IKEv2 use UDP port 500.
IKEv1 has two phases, where PHASE-I can work in one of two modes:
1. Main Mode: Here 3 pairs of messages are exchanged, i.e. a total of 6 messages are exchanged for the establishment of the PHASE-I SA. The PHASE-I SA is a bidirectional SA and is used for the secure exchange of the Session_Key, which is used by the PHASE-II SA to securely send/receive the user data.
2. Aggressive Mode: Here only 3 messages are exchanged for the establishment of the PHASE-I SA.
Main Mode is the default preferred mode on the routers, whereas Aggressive Mode is the default mode on the ASA firewall when configuring IPsec VPN, because Main Mode involves more processing compared to Aggressive Mode, where only 3 messages are exchanged.
IKEv1 PHASE-II always works in Quick Mode, where only 3 messages are exchanged.
We use the crypto ipsec transform-set command for IPsec policy negotiation. The PHASE-II SAs are unidirectional SAs, i.e. 1 SA for incoming traffic and 1 separate SA for outgoing traffic.
Here 5 pieces of information are always sent:
IPsec Mode: Tunnel (default mode) or Transport
Encryption Method: DES, 3DES, AES-128, AES-192, AES-256
Hash/Integrity Method: MD5 or SHA-1
IPsec Protocol: ESP (Encapsulating Security Payload) or AH (Authentication Header)
SA Lifetime: Seconds or KB
IKEv2 requires a minimum of 4 messages for the successful establishment of the PHASE-I and PHASE-II SAs.
1. IKE_SA_INIT message: this message is exchanged between the peers for security parameter negotiation through the IKEv2 proposal.
In the IKEv2 proposal we mention parameters like:
- Integrity method
- Encryption method
- Diffie-Hellman group
- Nonce
At this point the peers generate SKEYSEED, the seed security key value.
2. IKE_AUTH message:
IKE_AUTH works over the IKE_SA which is created by the IKE_SA_INIT message, and is used to validate the identity of the peers and negotiate the various encryption, authentication and integrity protocols to establish the first CHILD_SA for use by ESP/AH.
The peer validation methods available are:
- Pre-shared keys
- Certificates
- EAP (Extensible Authentication Protocol), like XAUTH.
The first CHILD_SA, created in the IKE_AUTH step, is the only CHILD_SA created for IPsec communication. However, an application or peer may require the use of additional SAs to secure the traffic through the tunnel; IKEv2 uses the CREATE_CHILD_SA message exchange for this purpose. This is equivalent to PFS (Perfect Forward Secrecy) in IKEv1.
Last is the INFORMATIONAL message, which is exchanged for management or error notification.
Note: We are using IKEv2, thereby changing only PHASE-I.
Before this, let me show you the steps for an IKEv1 VPN using a crypto map.

1. Create ISAKMP Policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
exit
crypto isakmp key cisco123 address 192.1.20.2

2. Create an IPsec transform-set to mention the Phase-II parameters.

crypto ipsec transform-set PHASE_II_TSET esp-3des esp-sha-hmac
exit

3. Create an ACL to select the interesting traffic.

ip access-list extended VPN_SITE1_SITE2
permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
exit

4. Create a crypto map to link steps 2 and 3.

crypto map CMAP 10 ipsec-isakmp
set peer 192.1.20.2
set transform-set PHASE_II_TSET
match address VPN_SITE1_SITE2
exit

5. Apply the crypto map CMAP to the outgoing interface of the router.

interface F0/1
crypto map CMAP
exit

Now let us see the changes for an IKEv2 VPN using a crypto map.

1. Create an IKEv2 proposal: an IKEv2 proposal must have at least 1 encryption method, 1 integrity method and 1 Diffie-Hellman group, which indirectly means you can mention multiple values.
Sample:
crypto ikev2 proposal {name}
integrity {md5, sha1, sha256, sha384, etc.}
encryption {des, 3des, aes-cbc-128, aes-cbc-192, etc.}
group {1, 2, 5, 14, 15, etc.}
exit
Example:
crypto ikev2 proposal PROPOSAL_1
integrity md5 sha1 sha256
encryption 3des aes-cbc-128
group 2 5 14
exit

2. Create an IKEv2 policy, where we call the proposal we created in Step 1.
Sample:
crypto ikev2 policy {name}
proposal {name}
exit
Example:
crypto ikev2 policy POLICY_1
proposal PROPOSAL_1
exit

3. Create a keyring, as we have not yet mentioned the pre-shared key or any other authentication method for PHASE-I.
Sample:
crypto ikev2 keyring {name}
peer {name}   ! configure a peer and its associated keys
address {ip-address [mask]}
pre-shared-key local 0 {key}
pre-shared-key remote 0 {key}
exit
Example:
crypto ikev2 keyring KEYRING_1
peer SITE
address 200.1.100.5
pre-shared-key local 0 SITE1
pre-shared-key remote 0 SITE5
exit

4. Create an IKEv2 profile, wherein we link the above-mentioned parameters.
The IKEv2 profile must contain the following:
1. A local and a remote authentication method
2. A match identity or a match certificate statement
Sample:
crypto ikev2 profile {name}
authentication local pre-share
authentication remote pre-share
match identity remote address {ip-address} 255.255.255.255
keyring local {name}
exit
Example:
crypto ikev2 profile IKEV2_P
authentication local pre-share
authentication remote pre-share
match identity remote address 200.1.100.5 255.255.255.255
keyring local KEYRING_1
exit

5. Create an IPsec transform-set to mention the Phase-II parameters.
Sample:
crypto ipsec transform-set {name} {encryption-method} {hash-method}
exit
Example:
crypto ipsec transform-set PHASE_II_TSET esp-3des esp-sha-hmac
exit

6. Create an ACL to select the interesting traffic.
Sample:
access-list {number} permit ip {src-ip} {src-wildcard} {dst-ip} {dst-wildcard}
Example:
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255

7. Create a crypto map linking the IKEv2 profile, transform-set and ACL created above.
Sample:
crypto map {name} {seq-no} ipsec-isakmp
set peer {address}
set transform-set {transform-set-name}
match address {acl}
set ikev2-profile {profile-name}
exit
Example:
crypto map CMAP 10 ipsec-isakmp
set peer 200.1.100.5
set transform-set PHASE_II_TSET
match address 101
set ikev2-profile IKEV2_P
exit

8. Apply the crypto map to the outgoing interface of the router.
Sample:
interface {physical-interface}
crypto map {crypto-map-name}
exit
Example:
interface F1/0
crypto map CMAP
exit

Basic Initialization:
!On R1
conf t
int s1/0
ip add 171.1.15.1 255.255.255.0
no shut
exi
!
int loopback1
ip add 10.1.1.1 255.255.255.0
exi
!
ip route 0.0.0.0 0.0.0.0 171.1.15.5

!On R2
conf t
int s1/0
ip add 171.1.25.2 255.255.255.0
no shut
exi
!
int loopback1
ip add 10.1.2.2 255.255.255.0
exi
!
ip route 0.0.0.0 0.0.0.0 171.1.25.5

!On R5
conf t
int s1/0
clock rate 1000000
ip add 171.1.15.5 255.255.255.0
no shut
exi
int s1/1
clock rate 1000000
ip add 171.1.25.5 255.255.255.0
no shut
exi

IKEv2 configuration on R1
crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5 14
exit
!
crypto ikev2 policy POLICY1
proposal PROP1
exit
!
crypto ikev2 keyring KR1
peer R2
address 171.1.25.2 255.255.255.0
pre-shared-key local R1cisco
pre-shared-key remote R2cisco
exit
!
crypto ikev2 profile R1R2
match identity remote address 171.1.25.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KR1
exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
exit
!
access-list 101 permit ip host 10.1.1.1 host 10.1.2.2
!
crypto map CMAP 10 ipsec-isakmp
set peer 171.1.25.2
set transform-set TSET
set ikev2-profile R1R2
match address 101
exi

IKEv2 configuration on R2
crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5 14
exit
!
crypto ikev2 policy POLICY1
proposal PROP1
exit
!
crypto ikev2 keyring KR1
peer R1
address 171.1.15.1 255.255.255.0
pre-shared-key local R2cisco
pre-shared-key remote R1cisco
exit
!
crypto ikev2 profile R1R2
match identity remote address 171.1.15.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KR1
exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
exit
!
access-list 101 permit ip host 10.1.2.2 host 10.1.1.1
!
crypto map CMAP 10 ipsec-isakmp
set peer 171.1.15.1
set transform-set TSET
set ikev2-profile R1R2
match address 101
exi
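As an added example (not code from the lab manual), here is a small Python checker that pulls the commands of the eight-step procedure above out of the R1 and R2 configurations and reports the mismatches that keep an IKEv2 crypto-map tunnel from coming up. The two config snippets are constructed from the lab's R1 and R2 configurations; the WAN addresses 171.1.15.1 and 171.1.25.2 are passed in separately because they are not part of the snippets.

```python
"""Cross-check two IOS IKEv2 crypto-map peers (added example, not the lab manual's code).

Reports: no common proposal transform (IKE_SA_INIT fails), pre-shared keys not
mirrored (IKE_AUTH fails), peer/match-identity/keyring addresses that do not
point at the other router, and an interesting-traffic ACL that is not a mirror image.
"""

# Constructed from the lab's R1 and R2 configurations.
R1_CONFIG = """
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 2 5 14
crypto ikev2 keyring KR1
 peer R2
  address 171.1.25.2 255.255.255.0
  pre-shared-key local R1cisco
  pre-shared-key remote R2cisco
crypto ikev2 profile R1R2
 match identity remote address 171.1.25.2 255.255.255.255
access-list 101 permit ip host 10.1.1.1 host 10.1.2.2
crypto map CMAP 10 ipsec-isakmp
 set peer 171.1.25.2
"""

R2_CONFIG = """
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 2 5 14
crypto ikev2 keyring KR1
 peer R1
  address 171.1.15.1 255.255.255.0
  pre-shared-key local R2cisco
  pre-shared-key remote R1cisco
crypto ikev2 profile R1R2
 match identity remote address 171.1.15.1 255.255.255.255
access-list 101 permit ip host 10.1.2.2 host 10.1.1.1
crypto map CMAP 10 ipsec-isakmp
 set peer 171.1.15.1
"""


def _endpoint(tok):
    """Consume one ACL address spec: 'host A', 'any', or 'network wildcard'."""
    if tok[0] == "host":
        return ("host", tok[1]), tok[2:]
    if tok[0] == "any":
        return ("any",), tok[1:]
    return (tok[0], tok[1]), tok[2:]


def parse_config(text):
    """Pull the fields the cross-check needs out of one router's configuration."""
    cfg = {"encryption": set(), "integrity": set(), "group": set(),
           "psk_local": None, "psk_remote": None, "keyring_addr": None,
           "match_addr": None, "peer": None, "acl": []}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] in ("encryption", "integrity", "group"):
            cfg[tok[0]].update(tok[1:])
        elif tok[:2] == ["pre-shared-key", "local"]:
            cfg["psk_local"] = tok[-1]      # key is the last word, with or without the '0'
        elif tok[:2] == ["pre-shared-key", "remote"]:
            cfg["psk_remote"] = tok[-1]
        elif tok[0] == "address":           # keyring peer address; the mask is ignored here
            cfg["keyring_addr"] = tok[1]
        elif tok[:4] == ["match", "identity", "remote", "address"]:
            cfg["match_addr"] = tok[4]
        elif tok[:2] == ["set", "peer"]:
            cfg["peer"] = tok[2]
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, rest = _endpoint(tok[4:])
            dst, _ = _endpoint(rest)
            cfg["acl"].append((src, dst))
    return cfg


def check_pair(a_text, a_addr, b_text, b_addr):
    """Return the list of problems found; an empty list means the two sides agree."""
    a, b = parse_config(a_text), parse_config(b_text)
    problems = []
    # IKE_SA_INIT needs at least one shared transform of each kind.
    for field in ("encryption", "integrity", "group"):
        if not (a[field] & b[field]):
            problems.append(f"no common {field} in the IKEv2 proposals")
    # IKE_AUTH with PSK needs A's local key == B's remote key and vice versa.
    if a["psk_local"] != b["psk_remote"] or b["psk_local"] != a["psk_remote"]:
        problems.append("pre-shared keys are not mirrored between the peers")
    # Every address a side uses to identify its peer must be the other router.
    for side, cfg, other in (("A", a, b_addr), ("B", b, a_addr)):
        for field in ("peer", "match_addr", "keyring_addr"):
            if cfg[field] != other:
                problems.append(f"side {side}: {field} is {cfg[field]}, expected {other}")
    # The CHILD_SA traffic selectors must be mirror images of each other.
    if sorted(a["acl"]) != sorted((dst, src) for src, dst in b["acl"]):
        problems.append("interesting-traffic ACLs are not mirror images")
    return problems
```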

Verification:
debug crypto ikev2
*Jul 10 17:30:52.615: IKEv2:Received Packet [From
110.1.23.3:500/To 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI :
0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP)
NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Jul 10 17:30:52.635: IKEv2:(SA ID = 1):Verify SA init message
*Jul 10 17:30:52.639: IKEv2:(SA ID = 1):Insert SA
*Jul 10 17:30:52.643: IKEv2:Searching Policy with fvrf 0, local
address 110.1.12.1
*Jul 10 17:30:52.647: IKEv2:Found Policy 'IKEV2-POLICY'
*Jul 10 17:30:52.651: IKEv2:(SA ID = 1):Processing IKE_SA_INIT
message
*Jul 10 17:30:52.659: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve
configured trustpoint(s)
*Jul 10 17:30:52.663: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved
trustpoint(s): 'Trustpool4'
'Trustpool3'
'Trustpool2'
'Trustpool1'
'Trustpool'
*Jul 10 17:30:52.667: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public
Key Hashes of trustpoints
*
R1#Jul 10 17:30:52.671: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting
of Public Key Hashes of trustpoints PASSED
*Jul 10 17:30:52.675: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI
Session
*Jul 10 17:30:52.679: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting
of PKI Session PASSED
*Jul 10 17:30:52.683: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine]
Computing DH public key, DH Group 2
*Jul 10 17:30:52.687: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2]
DH key Computation PASSED
*Jul 10 17:30:52.687: IKEv2:(SA ID = 1):Request queued for
computation of DH key
*Jul 10 17:30:52.691: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine]
Computing DH secret key, DH Group 2
*Jul 10 17:30:52.731: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2]
DH key Computation PASSED
*Jul 10 17:30:52.731: IKEv2:(SA ID = 1):Request queued for
computation of DH secret
*Jul 10 17:30:52.731: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine]
Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jul 10 17:30:52.735: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2]
R1# SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jul 10 17:30:52.739: IKEv2:IKEv2 responder - no config data to
send in IKE_SA_INIT exch
*Jul 10 17:30:52.743: IKEv2:(SA ID = 1):Generating IKE_SA_INIT
message
*Jul 10 17:30:52.747: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI
size: 0 (initial negotiation),
Num. transforms: 4
3DES
MD5
MD596
DH_GROUP_1024_MODP/Group 2
*Jul 10 17:30:52.755: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve
configured trustpoint(s)
*Jul 10 17:30:52.759: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved
trustpoint(s): 'Trustpool4'
'Trustpool3'
'Trustpool2'
'Trustpool1'
'Trustpool'
*Jul 10 17:30:52.759: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public
Key Hashes of trustpoints
*Jul 10 17:30:52.759: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of
Public Key Hashes of trustpoints PASSED
*Jul 10 17:30:52.759: IKEv2:(SA ID = 1):Sending Packet [To
110.1.23.3:500/From 110.1.12.1:500/VRF i0:f0]

Initiator SPI : 3EA1B271BCF3669C - Responder SPI :
9CCC04CAD93792F4 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP)
NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Jul 10 17:30:52.767: IKEv2:(SA ID = 1):Completed SA init
exchange
*Jul 10 17:30:52.767: IKEv2:(SA ID = 1):Starting timer (30 sec)
to wait for auth message
*Jul 10 17:30:52.891: IKEv2:(SA ID = 1):Received Packet [From
110.1.23.3:500/To 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI :
9CCC04CAD93792F4 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID
R1# IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT)
NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT)
NOTIFY(NON_FIRST_FRAGS)
*Jul 10 17:30:52.919: IKEv2:(SA ID = 1):Stopping timer to wait
for auth message
*Jul 10 17:30:52.923: IKEv2:(SA ID = 1):Checking NAT discovery
*Jul 10 17:30:52.923: IKEv2:(SA ID = 1):NAT not found
*Jul 10 17:30:52.927: IKEv2:(SA ID = 1):Searching policy based on
peer's identity '110.1.23.3' of type 'IPv4 address'
*Jul 10 17:30:52.927: IKEv2:found matching IKEv2 profile 'IKEv2Profile'
*Jul 10 17:30:52.927: ISAKMP:(0):: peer matches IKEv2-Profile
profile
*Jul 10 17:30:52.927: IKEv2:% Getting preshared key from profile
keyring KRING
*Jul 10 17:30:52.927: IKEv2:% Matched peer block 'R3'
*Jul 10 17:30:52.927: IKEv2:Searching Policy with fvrf 0, local
address 110.1.12.1
*Jul 10 17:30:52.931: IKEv2:Found Policy 'IKEV2-POLICY'
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Verify peer's policy
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Peer's policy verified
*Jul 10 1
R1#7:30:52.931: IKEv2:(SA ID = 1):Get peer's authentication
method

*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Peer's authentication
method is 'PSK'
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Get peer's preshared key
for 110.1.23.3
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Verify peer's
authentication data
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Use preshared key for id
110.1.23.3, key len 8
*Jul 10 17:30:52.931: IKEv2:[IKEv2 -> Crypto Engine] Generate
IKEv2 authentication data
*Jul 10 17:30:52.931: IKEv2:[Crypto Engine -> IKEv2] IKEv2
authentication data generation PASSED
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Verification of peer's
authenctication data PASSED
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Processing
INITIAL_CONTACT
*Jul 10 17:30:52.935: IKEv2:(SA ID = 1):Processing IKE_AUTH
message
*Jul 10 17:30:52.935: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 3 hmac 2 flags 8177 keysize 0 IDB 0x0
*Jul 10 17:30:52.943: IKEv2:(SA ID = 1):Get my authentication
method
*Jul
R1# 10 17:30:52.943: IKEv2:(SA ID = 1):My authentication method
is 'PSK'
*Jul 10 17:30:52.947: IKEv2:(SA ID = 1):Get peer's preshared key
for 110.1.23.3
*Jul 10 17:30:52.951: IKEv2:(SA ID = 1):Generate my
authentication data
*Jul 10 17:30:52.955: IKEv2:(SA ID = 1):Use preshared key for id
110.1.12.1, key len 8
*Jul 10 17:30:52.955: IKEv2:[IKEv2 -> Crypto Engine] Generate
IKEv2 authentication data
*Jul 10 17:30:52.959: IKEv2:[Crypto Engine -> IKEv2] IKEv2
authentication data generation PASSED
*Jul 10 17:30:52.959: IKEv2:(SA ID = 1):Get my authentication
method
*Jul 10 17:30:52.959: IKEv2:(SA ID = 1):My authentication method
is 'PSK'
*Jul 10 17:30:52.959: IKEv2:(SA ID = 1):Generating IKE_AUTH
message
*Jul 10 17:30:52.959: IKEv2:(SA ID = 1):Constructing IDr payload:
'110.1.12.1' of type 'IPv4 address'
*Jul 10 17:30:52.963: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI
size: 4 (IPSec negotiation),
Num. transforms: 3
3DES
SHA96
Don't use ESN
*Jul 10 17:30:52.963: IKEv2:(SA ID =
R1#1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE)
NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jul 10 17:30:52.967: IKEv2:(SA ID = 1):Sending Packet [To
110.1.23.3:500/From 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI :
9CCC04CAD93792F4 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jul 10 17:30:52.971: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI
Session
*Jul 10 17:30:52.971: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of
PKI Session PASSED
*Jul 10 17:30:52.975: IKEv2:(SA ID = 1):IKEV2 SA created;
inserting SA into database. SA lifetime timer (86400 sec) started
*Jul 10 17:30:52.979: IKEv2:(SA ID = 1):Session with IKE ID PAIR
(110.1.23.3, 110.1.12.1) is UP
*Jul 10 17:30:52.983: IKEv2:IKEv2 MIB tunnel started, tunnel
index 1
*Jul 10 17:30:52.987: IKEv2:(SA ID = 1):Load IPSEC key material
*Jul 10 17:30:52.991: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create I
R1#Psec SA into IPsec database
*Jul 10 17:30:52.995: IKEv2:(SA ID = 1):Asynchronous request queued
*Jul 10 17:30:52.995: IKEv2:(SA ID = 1):
*Jul 10 17:30:53.043: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Jul 10 17:30:53.051: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Jul 10 17:30:53.055: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
*Jul 10 17:30:53.059: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context
R1#
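As an added example (not code from the lab manual), this Python script summarises a debug crypto ikev2 trace like the one above: it records the IKE_SA_INIT and IKE_AUTH exchanges with their SPIs and message ids, the transforms in the IKE and ESP proposals, the authentication method, the NAT detection result, the matched profile, and whether the session came up, and flags the transforms the lab negotiates (3DES, MD5, DH group 2) that an operator should treat as weak. The sample trace is a constructed excerpt of the R1 output above with wrapped lines rejoined.

```python
"""Summarise an IOS 'debug crypto ikev2' trace (added example, not the lab manual's code)."""
import re

# Constructed excerpt of the lab's R1 debug output, wrapped lines rejoined.
SAMPLE_DEBUG = """\
*Jul 10 17:30:52.615: IKEv2:Received Packet [From 110.1.23.3:500/To 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
*Jul 10 17:30:52.747: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
3DES
MD5
MD596
DH_GROUP_1024_MODP/Group 2
*Jul 10 17:30:52.759: IKEv2:(SA ID = 1):Sending Packet [To 110.1.23.3:500/From 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI : 9CCC04CAD93792F4 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Initiator SPI : 3EA1B271BCF3669C - Responder SPI : 9CCC04CAD93792F4 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
*Jul 10 17:30:52.923: IKEv2:(SA ID = 1):NAT not found
*Jul 10 17:30:52.927: IKEv2:found matching IKEv2 profile 'IKEv2Profile'
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Jul 10 17:30:52.963: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
3DES
SHA96
Don't use ESN
Initiator SPI : 3EA1B271BCF3669C - Responder SPI : 9CCC04CAD93792F4 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
*Jul 10 17:30:52.979: IKEv2:(SA ID = 1):Session with IKE ID PAIR (110.1.23.3, 110.1.12.1) is UP
"""

SPI_RE = re.compile(r"Initiator SPI : (\w+) - Responder SPI : (\w+) Message id: (\d+)")
EXCH_RE = re.compile(r"IKEv2 (IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) Exchange (REQUEST|RESPONSE)")
PROP_RE = re.compile(r"\b(IKE|ESP) Proposal: \d+")
NTRANS_RE = re.compile(r"Num\. transforms: (\d+)")
AUTH_RE = re.compile(r"Peer's authentication method is '(\w+)'")
PROFILE_RE = re.compile(r"found matching IKEv2 profile '([^']+)'")
UP_RE = re.compile(r"Session with IKE ID PAIR \(([\d.]+), ([\d.]+)\) is UP")

# Transform names as IOS prints them that should not be negotiated in a new deployment.
WEAK_TRANSFORMS = {"DES", "3DES", "MD5", "MD596",
                   "DH_GROUP_768_MODP/Group 1", "DH_GROUP_1024_MODP/Group 2"}


def parse_ikev2_debug(text):
    """Walk the trace once and return a summary dict of the negotiation."""
    s = {"exchanges": [], "proposals": {}, "auth_method": None, "nat_detected": None,
         "profile": None, "session_up": False, "peers": None, "weak_transforms": []}
    lines = [ln.strip() for ln in text.splitlines()]
    last_spi, pending = None, None
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if m := SPI_RE.search(line):
            last_spi = (m.group(1), m.group(2), int(m.group(3)))
        elif m := EXCH_RE.search(line):
            # In the trace the SPI/message-id line comes just before the exchange line.
            s["exchanges"].append({"type": m.group(1), "dir": m.group(2), "spi": last_spi})
        elif m := PROP_RE.search(line):
            pending = m.group(1)            # the transform list follows on the next lines
        elif pending and (m := NTRANS_RE.search(line)):
            n = int(m.group(1))
            transforms = lines[i:i + n]
            i += n
            s["proposals"][pending] = transforms
            s["weak_transforms"] += [(pending, t) for t in transforms if t in WEAK_TRANSFORMS]
            pending = None
        elif "NAT not found" in line:
            s["nat_detected"] = False
        elif re.search(r"NAT (?:found|detected)", line):
            s["nat_detected"] = True
        elif m := AUTH_RE.search(line):
            s["auth_method"] = m.group(1)
        elif m := PROFILE_RE.search(line):
            s["profile"] = m.group(1)
        elif m := UP_RE.search(line):
            s["session_up"] = True
            s["peers"] = (m.group(1), m.group(2))
    return s


def tunnel_established(summary):
    """True when both IKEv2 exchanges completed and IOS reported the session UP."""
    seen = {(e["type"], e["dir"]) for e in summary["exchanges"]}
    needed = {("IKE_SA_INIT", "REQUEST"), ("IKE_SA_INIT", "RESPONSE"),
              ("IKE_AUTH", "REQUEST"), ("IKE_AUTH", "RESPONSE")}
    return needed <= seen and summary["session_up"]
```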

On R1, ping 10.1.2.2 with source 10.1.1.1.

sh crypto ikev2 sa

sh crypto ipsec sa

LAB-2: IKEv2 Routing Based Site-To-Site VPN


Lab Topology: same as previous lab.
Basic Initialization:
!On R3
conf t
int s1/0
ip add 182.1.35.3 255.255.255.0
no shut
exi
!
int loopback 1
ip add 10.1.3.3 255.255.255.0
exi
!
ip route 0.0.0.0 0.0.0.0 182.1.35.5

!On R4
conf t
int s1/0
ip add 182.1.45.4 255.255.255.0
no shut
exi
!
int loopback 1
ip add 10.1.4.4 255.255.255.0
exi
!
ip route 0.0.0.0 0.0.0.0 182.1.45.5
!

!On R5
conf t
int s1/2
clock rate 1000000
ip add 182.1.35.5 255.255.255.0
no shut
exi
int s1/3
clock rate 1000000
ip add 182.1.45.5 255.255.255.0
no shut
exi

IKEv2 configuration on R3
crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5 14
exit
!
crypto ikev2 policy POLICY1
proposal PROP1
exit
!
crypto ikev2 keyring KR1
peer R4
address 182.1.45.4 255.255.255.0
pre-shared-key local R3cisco
pre-shared-key remote R4cisco
exit
!
crypto ikev2 profile R3R4
match identity remote address 182.1.45.4 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KR1
exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
exit
!
crypto ipsec profile IPSEC_PROFILE
set transform-set TSET
set ikev2-profile R3R4
exi
!
interface Tunnel1
ip address 192.168.10.3 255.255.255.0
tunnel source Serial1/0
tunnel mode ipsec ipv4
tunnel destination 182.1.45.4
tunnel protection ipsec profile IPSEC_PROFILE
exi
!
router eigrp 10
no auto-summary
network 192.168.10.0
network 10.1.3.0
exi
!

IKEv2 configuration on R4
crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5 14
exit
!
crypto ikev2 policy POLICY1
proposal PROP1
exit
!
crypto ikev2 keyring KR1
peer R3
address 182.1.35.3 255.255.255.0
pre-shared-key local R4cisco
pre-shared-key remote R3cisco
exit
!
crypto ikev2 profile R3R4
match identity remote address 182.1.35.3 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KR1
exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
exit
!
crypto ipsec profile IPSEC_PROFILE
set transform-set TSET
set ikev2-profile R3R4
exi
!
interface Tunnel1
ip address 192.168.10.4 255.255.255.0
tunnel source Serial1/0
tunnel mode ipsec ipv4
tunnel destination 182.1.35.3
tunnel protection ipsec profile IPSEC_PROFILE
exi
!
router eigrp 10
no auto-summary
network 192.168.10.0
network 10.1.4.0
exit
Verification:

LAB-3: IKEv2 Based VPN on Cisco ASA


ciscoasa> enable
Password: <Enter>
ciscoasa#
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
---------Output omitted------------
Licensed features for this platform:
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual

This platform has an ASA 5520 VPN Plus license.

ciscoasa(config)# ping 110.1.23.3


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 110.1.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/34/40 ms

ciscoasa(config)# crypto ikev2 enable outside

ciscoasa(config)# crypto ikev2 ?

configure mode commands/options:
  cookie-challenge  Enable and configure IKEv2 cookie challenges based on half-open SAs
  enable            Enable IKEv2 on the specified interface
  limit             Enable limits on IKEv2 SAs
  policy            Set IKEv2 policy suite
  redirect          Set IKEv2 redirect
  remote-access     Configure IKEv2 for Remote Access

ciscoasa(config)# crypto ikev2 policy 3

ciscoasa(config-ikev2-policy)# ?
ikev2 policy configuration commands:
  encryption  Configure one or more encryption algorithm
  exit        Exit from ikev2 policy configuration mode
  group       Configure one or more DH groups
  help        Help for ikev2 policy configuration commands
  integrity   Configure one or more integrity algorithm
  lifetime    Configure the ikev2 lifetime
  no          Remove an ikev2 policy configuration item
  prf         Configure one or more hash algorithm

ciscoasa(config-ikev2-policy)# encryption ?
ikev2-policy mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption

ciscoasa(config-ikev2-policy)# encryption 3des aes aes-192

ciscoasa(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512

ciscoasa(config-ikev2-policy)# integrity md5 sha sha256

ciscoasa(config-ikev2-policy)# group ?
ikev2-policy mode commands/options:
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5

ciscoasa(config-ikev2-policy)# group 2 5
ciscoasa(config-ikev2-policy)# exi

ciscoasa(config)# crypto ipsec ?

configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  security-association  Set security association parameters

ciscoasa(config)# crypto ipsec ikev2 ?

configure mode commands/options:
  ipsec-proposal  Configure IKEv2 IPSec Policy

ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the ipsec-proposal

ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal IKEV2PROPOSAL
ciscoasa(config-ipsec-proposal)# ?
ikev2 IPSec Policy configuration commands:
  exit      Exit from ipsec-proposal configuration mode
  help      Help for ikev2 IPSec policy configuration commands
  no        Remove an ikev2 IPSec policy configuration item
  protocol  Configure a protocol for the IPSec proposal

ciscoasa(config-ipsec-proposal)# protocol ?
ipsec-proposal mode commands/options:
  esp  IPsec Encapsulating Security Payload

ciscoasa(config-ipsec-proposal)# protocol esp ?

ipsec-proposal mode commands/options:
  encryption  Add one or more encryption algorithms for this protocol
  integrity   Add one or more integrity algorithms for this protocol

ciscoasa(config-ipsec-proposal)# protocol esp encryption ?

ipsec-proposal mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption

ciscoasa(config-ipsec-proposal)# protocol esp encryption 3des aes-192
ciscoasa(config-ipsec-proposal)# protocol esp ?
ipsec-proposal mode commands/options:
  encryption  Add one or more encryption algorithms for this protocol
  integrity   Add one or more integrity algorithms for this protocol

ciscoasa(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  sha-1  set hash sha-1

ciscoasa(config-ipsec-proposal)# protocol esp integrity sha-1
ciscoasa(config-ipsec-proposal)# exit
ciscoasa(config)# access-list VPN permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

ciscoasa(config)# tunnel-group ?
configure mode commands/options:
  WORD < 65 char  Enter the name of the tunnel group

ciscoasa(config)# tunnel-group PEER-R3 ?

configure mode commands/options:
  type  Enter the type of this group-policy

ciscoasa(config)# tunnel-group PEER-R3 type ipsec-l2l

WARNING: L2L tunnel-groups that have names which are not an IP address may only be used if the tunnel authentication method is Digital Certificates and/or The peer is configured to use Aggressive Mode
ciscoasa(config)#
ciscoasa(config)# no tunnel-group PEER-R3
ciscoasa(config)# tunnel-group 110.1.23.3 type ipsec-l2l
ciscoasa(config)# tunnel-group 110.1.23.3 ?
configure mode commands/options:
general-attributes
mode

Enter the general-attributes sub command

ipsec-attributes

Enter the ipsec-attributes sub command mode

Copyrights @ 2014-2016, Inter-Networkz, Bangalore - IN, All Rights Reserved


cciesandeep12@gmail.com | Skype: ccie.sandeep12

Page 141

CCIE Security Ver. 4 Lab Manual


ciscoasa(config)# tunnel-group 110.1.23.3 ipsec-attributes ?
configure mode commands/options:
<cr>
ciscoasa(config)# tunnel-group 110.1.23.3 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ?
tunnel-group configuration commands:
chain

Enable sending certificate chain

exit
Exit from tunnel-group IPSec attribute
configuration mode
help

Help for tunnel group configuration commands

ikev1

Configure IKEv1

ikev2

Configure IKEv2

isakmp

Configure ISAKMP policy

no

Remove an attribute value pair

peer-id-validate
certificate

Validate identity of the peer using the peer's

ciscoasa(config-tunnel-ipsec)# ikev2 ?
tunnel-group-ipsec mode commands/options:
local-authentication
for IKEv2 tunnels

Configure the local authentication method

remote-authentication Configure the remote authentication


method required of the remote peer for IKEv2 tunnels

ciscoasa(config-tunnel-ipsec)# ikev2 local-authentication ?


tunnel-group-ipsec mode commands/options:
Copyrights @ 2014-2016, Inter-Networkz, Bangalore - IN, All Rights Reserved
cciesandeep12@gmail.com | Skype: ccie.sandeep12

Page 142

CCIE Security Ver. 4 Lab Manual


certificate
Select the trustpoint that identifies the cert to be sent to the IKE peer
pre-shared-key Configure the local pre-shared-key used to
authenticate to the remote peer
ciscoasa(config-tunnel-ipsec)# ikev2 local-authentication preshared-key 0 cisco123
INFO: You must configure ikev2 remote-authentication pre-sharedkey and/or certificate to complete authentication.
ciscoasa(config-tunnel-ipsec)# ikev2 remote-authentication preshared-key 0 cisco123
ciscoasa(config-tunnel-ipsec)# exit

ciscoasa(config)# crypto map CMAP 10 ?
configure mode commands/options:
  annotation    Specify annotation text - to be used by ASDM only
  ipsec-isakmp  IPSec w/ISAKMP
  match         Match address of packets to encrypt
  set           Specify crypto map settings

ciscoasa(config)# crypto map CMAP 10 match address ?
configure mode commands/options:
  WORD  Access-list name

ciscoasa(config)# crypto map CMAP 10 match address VPN

ciscoasa(config)# crypto map CMAP 10 set peer ?
configure mode commands/options:
  Hostname or A.B.C.D     IP address
  Hostname or X:X:X:X::X  IPv6 address

ciscoasa(config)# crypto map CMAP 10 set peer 110.1.23.3

ciscoasa(config)# crypto map CMAP 10 set ?
configure mode commands/options:
  connection-type       Specify connection-type for site-site connection based on this entry
  ikev1                 Configure IKEv1 policy
  ikev2                 Configure IKEv2 policy
  nat-t-disable         Disable nat-t negotiation for connections based on this entry
  peer                  Set IP address of peer
  pfs                   Specify pfs settings
  reverse-route         Enable reverse route injection for connections based on this entry
  security-association  Security association duration
  trustpoint            Specify trustpoint that defines the certificate to be used while initiating a connection based on this entry

ciscoasa(config)# crypto map CMAP 10 set ikev2 ?
configure mode commands/options:
  ipsec-proposal  Specify list of IPSec proposals in priority order
  pre-shared-key  Specify a pre-shared key to be used while initiating a connection based on this entry
ciscoasa(config)# crypto map CMAP 10 set ikev2 ipsec-proposal ?
configure mode commands/options:
  WORD  ipsec-proposal tag

ciscoasa(config)# crypto map CMAP 10 set ikev2 ipsec-proposal IKEV2PROPOSAL
ciscoasa(config)# crypto map CMAP interface outside
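The ASA session above builds an IKEv2 L2L tunnel out of four objects that must agree with each other: the ipsec-proposal, the ACL, the tunnel-group (whose name must be the peer IP when pre-shared keys are used, as the WARNING says) and the crypto map entry that ties them together and is bound to an interface. The following added example (not code from the manual or from Cisco) audits a running-config excerpt for exactly those cross-references and for the weak algorithm choices the `?` listings offer (des, 3des, null, md5). The config text is constructed from the commands typed in the lab, written the way ASA stores them (`extended` in the ACL, the key masked); the audit flags the lab's own 3DES choice as deprecated.

```python
import ipaddress

# Constructed ASA running-config excerpt mirroring the commands typed in the
# lab above; it is not a capture from the lab device.
ASA_CONFIG = """\
access-list VPN extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal IKEV2PROPOSAL
 protocol esp encryption 3des aes-192
 protocol esp integrity sha-1
crypto map CMAP 10 match address VPN
crypto map CMAP 10 set peer 110.1.23.3
crypto map CMAP 10 set ikev2 ipsec-proposal IKEV2PROPOSAL
crypto map CMAP interface outside
tunnel-group 110.1.23.3 type ipsec-l2l
tunnel-group 110.1.23.3 ipsec-attributes
 ikev2 local-authentication pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
"""

WEAK_ENCRYPTION = {"des", "3des", "null"}   # offered by "protocol esp encryption ?"
WEAK_INTEGRITY = {"md5"}                    # offered by "protocol esp integrity ?"


def parse_asa(config):
    """Collect the objects the audit needs: ACL names, proposals, crypto map
    entries, crypto map interface bindings and tunnel-groups."""
    state = {"acls": set(), "proposals": {}, "maps": {}, "bindings": {}, "tgs": {}}
    current = None  # (kind, name) of the sub-mode the indented lines belong to
    for line in config.splitlines():
        if not line.strip():
            continue
        words = line.split()
        if not line.startswith(" "):
            current = None
            if words[0] == "access-list":
                state["acls"].add(words[1])
            elif words[:3] == ["crypto", "ipsec", "ikev2"] and words[3] == "ipsec-proposal":
                current = ("proposal", words[4])
                state["proposals"][words[4]] = {"encryption": [], "integrity": []}
            elif words[:2] == ["crypto", "map"] and words[3] == "interface":
                state["bindings"][words[2]] = words[4]
            elif words[:2] == ["crypto", "map"]:
                entry = state["maps"].setdefault((words[2], int(words[3])), {})
                if words[4] == "match":
                    entry["acl"] = words[6]
                elif words[4:6] == ["set", "peer"]:
                    entry["peer"] = words[6]
                elif words[4:7] == ["set", "ikev2", "ipsec-proposal"]:
                    entry["proposal"] = words[7]
            elif words[0] == "tunnel-group":
                tg = state["tgs"].setdefault(words[1], {"type": None, "auth": set()})
                if words[2] == "type":
                    tg["type"] = words[3]
                elif words[2] == "ipsec-attributes":
                    current = ("tg", words[1])
        elif current and current[0] == "proposal":
            # " protocol esp encryption 3des aes-192" / " protocol esp integrity sha-1"
            state["proposals"][current[1]][words[2]].extend(words[3:])
        elif current and current[0] == "tg":
            # " ikev2 local-authentication pre-shared-key ..." / "... certificate TP"
            if words[0] == "ikev2" and words[1].endswith("-authentication"):
                state["tgs"][current[1]]["auth"].add(words[2])
    return state


def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def audit_asa(config):
    """Return a list of findings (strings); an empty list means the excerpt is consistent."""
    s = parse_asa(config)
    findings = []
    for name, prop in s["proposals"].items():
        findings += [f"proposal {name}: weak encryption {a}" for a in prop["encryption"] if a in WEAK_ENCRYPTION]
        findings += [f"proposal {name}: weak integrity {a}" for a in prop["integrity"] if a in WEAK_INTEGRITY]
    for name, tg in s["tgs"].items():
        # the ASA warning: a non-IP L2L tunnel-group name only works with certificates
        if tg["type"] == "ipsec-l2l" and not is_ip(name) and "certificate" not in tg["auth"]:
            findings.append(f"tunnel-group {name}: non-IP L2L name with PSK auth (see ASA warning)")
    for (cmap, seq), entry in s["maps"].items():
        if entry.get("acl") not in s["acls"]:
            findings.append(f"crypto map {cmap} {seq}: ACL {entry.get('acl')} not defined")
        if entry.get("proposal") not in s["proposals"]:
            findings.append(f"crypto map {cmap} {seq}: ipsec-proposal {entry.get('proposal')} not defined")
        if entry.get("peer") not in s["tgs"]:
            findings.append(f"crypto map {cmap} {seq}: no tunnel-group for peer {entry.get('peer')}")
        if cmap not in s["bindings"]:
            findings.append(f"crypto map {cmap}: not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in audit_asa(ASA_CONFIG):
        print(finding)
```

Run against the lab config the only finding is the 3DES algorithm in IKEV2PROPOSAL; renaming the tunnel-group back to PEER-R3 (the first attempt in the session) additionally reports the non-IP name and the crypto map peer 110.1.23.3 with no matching tunnel-group.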


Module 6: Flex VPN


Site-To-Site
Spoke-To-Spoke
Server-To-Client


Flex VPN Site-To-Site


SERVER SITE
R1(config)#int loo10
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#exit
R1(config)#
R1(config)#
R1(config)#
*Jul 10 13:38:56.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to up
R1(config)#int virtual-template 1 type tunnel
R1(config-if)# ip unnumbered loopback10
R1(config-if)# tunnel source 110.1.12.1
R1(config-if)# tunnel mode ipsec ipv4
R1(config-if)#exit
*Jul 10 13:39:06.475: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Template1, changed state to down
R1(config-if)#exit
R1(config)#
R1(config)#crypto ikev2 proposal PROPOSAL1
IKEv2 proposal MUST have atleast an encryption algorithm, an integrity algorithm and a dh group configured
R1(config-ikev2-proposal)# integrity sha1
R1(config-ikev2-proposal)# encry 3des aes-cbc-128
R1(config-ikev2-proposal)# group 2 5
R1(config-ikev2-proposal)# exit
R1(config)#
R1(config)#!IKEv2 Policy
R1(config)#crypto ikev2 policy POLICY1
IKEv2 policy MUST have atleast one complete proposal attached
R1(config-ikev2-policy)#proposal PROPOSAL1
R1(config-ikev2-policy)#exit
R1(config)#
R1(config)#!IKEv2 Keyring
R1(config)#crypto ikev2 keyring KRING1
R1(config-ikev2-keyring)#peer R3
R1(config-ikev2-keyring-peer)# address 0.0.0.0
R1(config-ikev2-keyring-peer)# pre-shared-key cisco123
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#exit
R1(config)#
R1(config)#! IKEv2 Profile
R1(config)#crypto ikev2 profile IKEV2PROFILE
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.

R1(config-ikev2-profile)# match identity remote address 0.0.0.0
R1(config-ikev2-profile)# authentication local pre-share
R1(config-ikev2-profile)# authentication remote pre-share
R1(config-ikev2-profile)# keyring local KRING1
R1(config-ikev2-profile)# virtual-template 1
R1(config-ikev2-profile)#exit
R1(config)#
R1(config)#
R1(config)#router eigrp 10
R1(config-router)#no auto-summary
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.1.1.0
R1(config-router)#end
R1#
R1#
*Jul 10 13:40:41.827: %SYS-5-CONFIG_I: Configured from console by console
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#
R1(config)#crypto ipsec profile IPSEC

R1(ipsec-profile)# set transform-set TSET
R1(ipsec-profile)# set ikev2-profile IKEV2PROFILE
R1(ipsec-profile)#exit
R1(config)#
R1(config)#int virtual-template 1 type tunnel
R1(config-if)# tunnel protection ipsec profile IPSEC
R1(config-if)#exit
R1(config)#end
R1#
*Jul 10 13:41:02.287: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1#
*Jul 10 13:41:04.055: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Jul 10 13:44:20.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R1#
*Jul 10 13:44:24.719: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.3 (Virtual-Access1) is up: new adjacency

CLIENT SITE
R3(config)#crypto ikev2 proposal PROPOSAL1
IKEv2 proposal MUST have atleast an encryption algorithm, an integrity algorithm and a dh group configured
R3(config-ikev2-proposal)# integrity sha1
R3(config-ikev2-proposal)# encry 3des aes-cbc-128
R3(config-ikev2-proposal)# group 2 5
R3(config-ikev2-proposal)# exit
R3(config)#
R3(config)#!IKEv2 Policy
R3(config)#crypto ikev2 policy POLICY1
IKEv2 policy MUST have atleast one complete proposal attached
R3(config-ikev2-policy)#proposal PROPOSAL1
R3(config-ikev2-policy)#exit
R3(config)#
R3(config)#!IKEv2 Keyring
R3(config)#crypto ikev2 keyring KRING1
R3(config-ikev2-keyring)#peer R1
R3(config-ikev2-keyring-peer)# address 110.1.12.1
R3(config-ikev2-keyring-peer)# pre-shared-key cisco123
R3(config-ikev2-keyring-peer)#exit
R3(config-ikev2-keyring)#exit
R3(config)#
R3(config)#! IKEv2 Profile
R3(config)#crypto ikev2 profile IKEV2PROFILE
IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
R3(config-ikev2-profile)#match identity remote address 110.1.12.1 255.255.255.255

R3(config-ikev2-profile)# authentication local pre-share
R3(config-ikev2-profile)# authentication remote pre-share
R3(config-ikev2-profile)# keyring local KRING1
R3(config-ikev2-profile)#exit
R3(config)#!4. IPSec Configuration
R3(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#
R3(config)#crypto ipsec profile IPSEC
R3(ipsec-profile)# set transform-set TSET
R3(ipsec-profile)# set ikev2-profile IKEV2PROFILE
R3(ipsec-profile)#exit
R3(config)#
R3(config)#int tunn 1
R3(config-if)# ip add 192.168.10.3 255.255.255.0
R3(config-if)# tunnel source s1/0
R3(config-if)# tunnel dest 110.1.12.1
R3(config-if)# tunnel mode ipsec ipv4
R3(config-if)# tunnel protection ipsec profile IPSEC
R3(config-if)# exit
R3(config)#
R3(config)#!6. Run routing protocol
R3(config)#router eigrp 10

R3(config-router)#no aut
R3(config-router)#netw 10.3.3.0
R3(config-router)#netw 192.168.10.0
R3(config-router)#exi
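While the FlexVPN objects above were created, IOS printed the rules each one has to satisfy (a proposal needs an encryption algorithm, an integrity algorithm and a DH group; a policy needs a complete proposal; a profile needs local and remote authentication plus a match identity or match certificate statement). IOS only enforces those rules one object at a time, so a typo in a name referenced from another object (keyring, transform-set, IKEv2 profile, IPsec profile) is not caught until the tunnel fails to come up. The following added example (not code from the manual or from Cisco) applies those rules and the cross-references to a config excerpt. The excerpt is constructed from the R3 client-site commands above with the abbreviated commands expanded as IOS stores them (`encry` to `encryption`, `int tunn 1` to `interface Tunnel1`, `s1/0` to `Serial1/0`, `tunnel dest` to `tunnel destination`).

```python
# Constructed IOS config excerpt assembled from the R3 (client site) commands
# above; it is not a capture from the lab router.
R3_CONFIG = """\
crypto ikev2 proposal PROPOSAL1
 encryption 3des aes-cbc-128
 integrity sha1
 group 2 5
crypto ikev2 policy POLICY1
 proposal PROPOSAL1
crypto ikev2 keyring KRING1
 peer R1
  address 110.1.12.1
  pre-shared-key cisco123
crypto ikev2 profile IKEV2PROFILE
 match identity remote address 110.1.12.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KRING1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile IPSEC
 set transform-set TSET
 set ikev2-profile IKEV2PROFILE
interface Tunnel1
 ip address 192.168.10.3 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 110.1.12.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
"""


def parse_ios_blocks(config):
    """Group an IOS config into top-level blocks keyed by (kind, name),
    e.g. ("ikev2 proposal", "PROPOSAL1") -> list of tokenised sub-lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.split())
            continue
        w = line.split()
        if w[0] == "crypto" and w[1] in ("ikev2", "ipsec") and len(w) > 3:
            current = (f"{w[1]} {w[2]}", w[3])
            # a transform-set carries its algorithms on the same line
            blocks[current] = [w[4:]] if len(w) > 4 else []
        elif w[0] == "interface":
            current = ("interface", w[1])
            blocks[current] = []
        else:
            current = None
    return blocks


def validate_flexvpn(config):
    """Apply the completeness rules IOS prints when these objects are created,
    plus the name cross-references between objects. Returns a list of problems."""
    blocks = parse_ios_blocks(config)
    problems = []

    def names(kind):
        return {n for (k, n) in blocks if k == kind}

    def has(lines, *prefix):
        return any(l[:len(prefix)] == list(prefix) for l in lines)

    for (kind, name), lines in blocks.items():
        tag = f"{kind} {name}"
        if kind == "ikev2 proposal":
            for need in ("encryption", "integrity", "group"):
                if not has(lines, need):
                    problems.append(f"{tag}: missing {need}")
        elif kind == "ikev2 policy":
            refs = [l[1] for l in lines if l[:1] == ["proposal"]]
            if not refs:
                problems.append(f"{tag}: no proposal attached")
            problems += [f"{tag}: proposal {r} undefined" for r in refs if r not in names("ikev2 proposal")]
        elif kind == "ikev2 keyring":
            if not has(lines, "pre-shared-key"):
                problems.append(f"{tag}: no pre-shared-key under any peer")
        elif kind == "ikev2 profile":
            for side in ("local", "remote"):
                if not has(lines, "authentication", side):
                    problems.append(f"{tag}: missing {side} authentication")
            if not (has(lines, "match", "identity") or has(lines, "match", "certificate")):
                problems.append(f"{tag}: no match identity/certificate")
            if has(lines, "authentication", "local", "pre-share"):
                keyrings = [l[2] for l in lines if l[:2] == ["keyring", "local"]]
                if not keyrings:
                    problems.append(f"{tag}: pre-share without keyring")
                problems += [f"{tag}: keyring {k} undefined" for k in keyrings if k not in names("ikev2 keyring")]
        elif kind == "ipsec profile":
            for key, refkind in (("transform-set", "ipsec transform-set"), ("ikev2-profile", "ikev2 profile")):
                refs = [l[2] for l in lines if l[:2] == ["set", key]]
                problems += [f"{tag}: {key} {r} undefined" for r in refs if r not in names(refkind)]
        elif kind == "interface":
            for l in lines:
                if l[:4] == ["tunnel", "protection", "ipsec", "profile"] and l[4] not in names("ipsec profile"):
                    problems.append(f"{tag}: ipsec profile {l[4]} undefined")
    return problems


if __name__ == "__main__":
    print(validate_flexvpn(R3_CONFIG) or "config is complete and consistent")
```

The same validator runs unchanged on the R1 side, where the profile's `virtual-template 1` line and the `peer R3` with `address 0.0.0.0` in the keyring are just further sub-lines of their blocks.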

Flex VPN Spoke-To-Spoke


Pre-requisite: Load the initial configuration for all the devices in the topology from the pre-configuration files.

Lab Topology:

Task:
Implement FlexVPN spoke-to-spoke. Configure R1 as the hub. R3 and R4 are the spokes in the topology, while R2 acts as the ISP. The objective is spoke-to-spoke communication, i.e. from R3 (10.3.3.0/24) to R4 (10.4.4.0/24).
Use the following details to complete the task.

On Hub:
Server: R1 (110.1.12.1/24)
Spokes: R3 (110.1.23.3/24) and R4 (110.1.24.4/24)
Private Network: 10.1.1.0/24
Network For Tunnel interface: 192.168.10.0/24
Local/Remote Authentication method: Pre-shared-key
Pre-shared-key: cisco123
Virtual-template 1
Ikev2 Profile Name: IKEV2PROFILE
IPsec Profile Name: IPSEC
IP NHRP network-id: 100
Tunnel Interface: Tunnel1
Interior Routing Protocol: EIGRP-10

On Spokes:
Server: R1 (110.1.12.1/24)
Spokes: R3 (110.1.23.3/24) and R4 (110.1.24.4/24)
Private Network: R3 (10.3.3.0/24), R4 (10.4.4.0/24)
Network For Tunnel interface: 192.168.10.0/24
Local/Remote Authentication method: Pre-shared-key
Pre-shared-key: cisco123
Ikev2 Profile Name: IKEV2PROFILE
IPsec Profile Name: IPSEC
IP NHRP network-id: 100
Tunnel Interface: Tunnel1
Tunnel interface IP: negotiated
Tunnel source: S1/0
Tunnel destination: 110.1.12.1
Interior Routing Protocol: EIGRP-10

Solution : On AVI
R1(config)#
*Jul 11 11:48:10.959: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
R1(config)#
*Jul 11 11:48:11.427: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Jul 11 11:48:40.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R1(config)#
*Jul 11 11:48:46.371: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.11 (Virtual-Access1) is up: new adjacency
R1#
R1#
*Jul 11 11:49:35.063: %SYS-5-CONFIG_I: Configured from console by console

R1#sh ip int brief
Interface           IP-Address      OK? Method Status                Protocol
FastEthernet0/0     unassigned      YES unset  administratively down down
Serial1/0           110.1.12.1      YES manual up                    up
Loopback1           10.1.1.1        YES manual up                    up
Loopback11          192.168.10.1    YES manual up                    up
Virtual-Access1     192.168.10.1    YES unset  up                    up
Virtual-Template1   192.168.10.1    YES unset  up                    down

Virtual-Access1 takes the IP address of Loopback11 because interface virtual-template 1 type tunnel, from which it is cloned, is configured with ip unnumbered loopback 11.
R1#
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.12.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.12.2
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Loopback1
L        10.1.1.1/32 is directly connected, Loopback1
D        10.3.3.0/24 [90/1433600] via 192.168.10.11, 00:00:52, Virtual-Access1
      110.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        110.1.12.0/24 is directly connected, Serial1/0
L        110.1.12.1/32 is directly connected, Serial1/0
      192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Loopback11
L        192.168.10.1/32 is directly connected, Loopback11
S        192.168.10.11/32 is directly connected, Virtual-Access1
R1#
*Jul 11 11:52:39.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R1#
*Jul 11 11:52:53.791: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.12 (Virtual-Access2) is up: new adjacency
R1#
R1#sh ip int brief
Interface           IP-Address      OK? Method Status                Protocol
FastEthernet0/0     unassigned      YES unset  administratively down down
Serial1/0           110.1.12.1      YES manual up                    up
Loopback1           10.1.1.1        YES manual up                    up
Loopback11          192.168.10.1    YES manual up                    up
Virtual-Access1     192.168.10.1    YES unset  up                    up
Virtual-Access2     192.168.10.1    YES unset  up                    up
Virtual-Template1   192.168.10.1    YES unset  up                    down

R1#sh ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.12.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.12.2
      192.168.10.0/24 is variably subnetted, 4 subnets, 2 masks
S        192.168.10.11/32 is directly connected, Virtual-Access1
S        192.168.10.12/32 is directly connected, Virtual-Access2
R1#
R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.12.2 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.3.3.0/24 [90/1433600] via 192.168.10.11, 00:07:35, Virtual-Access1
D        10.4.4.0/24 [90/27008000] via 192.168.10.12, 00:03:27, Virtual-Access2
R1#
R1#sh crypto ikev2 sa
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         110.1.12.1/500        110.1.24.4/500        none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/747 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.12.1/500        110.1.23.3/500        none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/984 sec

 IPv6 Crypto IKEv2 SA

R1#

On Client R4
R4(config)#
*Jul 11 11:53:23.879: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.1 (Tunnel1) is up: new adjacency
R4#sh crypto ikev2 sa
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.24.4/500        110.1.12.1/500        none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/25 sec

 IPv6 Crypto IKEv2 SA

R4#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 110.1.24.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (110.1.24.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (110.1.12.1/255.255.255.255/47/0)
   current_peer 110.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
R4#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.24.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.24.2
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.1.1.0/24 [90/27008000] via 192.168.10.1, 00:00:22
D        10.3.3.0/24 [90/28288000] via 192.168.10.1, 00:00:22
C        10.4.4.0/24 is directly connected, Loopback1
L        10.4.4.4/32 is directly connected, Loopback1
      110.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        110.1.24.0/24 is directly connected, Serial1/0
L        110.1.24.4/32 is directly connected, Serial1/0
      192.168.10.0/24 is variably subnetted, 4 subnets, 2 masks
D        192.168.10.0/24 [90/27008000] via 192.168.10.1, 00:00:22
S        192.168.10.1/32 is directly connected, Tunnel1
D        192.168.10.11/32 [90/28160000] via 192.168.10.1, 00:00:22
C        192.168.10.12/32 is directly connected, Tunnel1


R4#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.24.2 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.1.1.0/24 [90/27008000] via 192.168.10.1, 00:00:27
D        10.3.3.0/24 [90/28288000] via 192.168.10.1, 00:00:27
      192.168.10.0/24 is variably subnetted, 4 subnets, 2 masks
D        192.168.10.0/24 [90/27008000] via 192.168.10.1, 00:00:27
D        192.168.10.11/32 [90/28160000] via 192.168.10.1, 00:00:27
R4#sh ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.24.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.24.2
      192.168.10.0/24 is variably subnetted, 4 subnets, 2 masks
S        192.168.10.1/32 is directly connected, Tunnel1
R4#ping 10.3.3.3 source 10.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/225/256 ms
R4#
R4#traceroute 10.3.3.3 source 10.4.4.4
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.10.1 1 40 msec 208 msec 216 msec
2 192.168.10.11 256 msec * 196 msec
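The verification above relies on reading `sh crypto ikev2 sa` by eye: one READY SA per peer, and the negotiated algorithms on the Encr/Hash/DH line. The following added example (not code from the manual or from Cisco) parses that output into records and flags SAs negotiated with algorithms that are deprecated today, which in this lab means the 3DES encryption and DH group 2 the proposals offered. The sample text is constructed from the values in R1's output above with the column spacing reconstructed; the sets of weak algorithms are this example's own choice.

```python
import re

# Constructed sample in the layout of "sh crypto ikev2 sa" on R1 above
# (values are the lab's, spacing reconstructed).
SAMPLE_IKEV2_SA = """\
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         110.1.12.1/500        110.1.24.4/500        none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/747 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.12.1/500        110.1.23.3/500        none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/984 sec

 IPv6 Crypto IKEv2 SA
"""

# One SA header row: id, local addr/port, remote addr/port, fvrf/ivrf, status
SA_LINE = re.compile(r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\S+)\s+(\S+)\s*$")
ENCR_LINE = re.compile(
    r"Encr:\s*(\S+),\s*Hash:\s*(\S+),\s*DH Grp:\s*(\d+),\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)"
)
LIFE_LINE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+) sec")

# Deprecated choices (this example's own lists): 56-bit DES and 3DES,
# MD5-based integrity, and the 768/1024/1536-bit MODP groups 1, 2 and 5.
WEAK_ENCR = {"DES", "3DES"}
WEAK_HASH_PREFIX = "MD5"
WEAK_DH = {1, 2, 5}


def parse_ikev2_sa(text):
    """Parse 'show crypto ikev2 sa' output into a list of SA dicts, in the
    order the router printed them."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_LINE.match(line)
        if m:
            sas.append({
                "tunnel_id": int(m.group(1)),
                "local": m.group(2), "local_port": int(m.group(3)),
                "remote": m.group(4), "remote_port": int(m.group(5)),
                "vrf": m.group(6), "status": m.group(7),
            })
            continue
        m = ENCR_LINE.search(line)
        if m and sas:  # attribute line belongs to the SA header just seen
            sas[-1].update(encr=m.group(1), hash=m.group(2), dh_group=int(m.group(3)),
                           auth_sign=m.group(4), auth_verify=m.group(5))
            continue
        m = LIFE_LINE.search(line)
        if m and sas:
            sas[-1].update(lifetime=int(m.group(1)), active=int(m.group(2)))
    return sas


def weak_sas(sas):
    """Return {tunnel_id: [reasons]} for SAs that negotiated a deprecated algorithm."""
    out = {}
    for sa in sas:
        reasons = []
        if sa.get("encr") in WEAK_ENCR:
            reasons.append(f"encryption {sa['encr']}")
        if sa.get("hash", "").startswith(WEAK_HASH_PREFIX):
            reasons.append(f"integrity {sa['hash']}")
        if sa.get("dh_group") in WEAK_DH:
            reasons.append(f"DH group {sa['dh_group']}")
        if reasons:
            out[sa["tunnel_id"]] = reasons
    return out


if __name__ == "__main__":
    parsed = parse_ikev2_sa(SAMPLE_IKEV2_SA)
    for sa in parsed:
        print(sa["tunnel_id"], sa["remote"], sa["status"], sa.get("encr"), sa.get("dh_group"))
    print(weak_sas(parsed))
```

On the hub both SAs (tunnel-id 2 to R4 and tunnel-id 1 to R3) are reported for 3DES and DH group 2; a port of 4500 instead of 500 in the Local/Remote columns would indicate NAT-T in use, which the parser also exposes.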

Flex VPN Server-To-Client
Pre-requisite: Load the initial configuration for all the devices in the topology from the pre-configuration files.

Lab Topology:

Task
Configure R1 as the Server and R3 as the client. Make sure you are able to
ping from 10.3.3.0/24 network behind R3 to 10.1.1.0/24 network behind R1.
Use pre-configuration to initialize the devices.

Solution: On AVI

Verification:
On Client (R3)
R3(config)#
*Jul 12 09:31:56.735: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)#
*Jul 12 09:31:56.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
R3(config)#crypto ikev2 client flexvpn FLEXVPN
R3(config-ikev2-flexvpn)#peer 1 110.1.12.10
R3(config-ikev2-flexvpn)#connect auto
R3(config-ikev2-flexvpn)#client connect tunnel1
R3(config-ikev2-flexvpn)#end
R3#
R3#
*Jul 11 13:16:27.771: %SYS-5-CONFIG_I: Configured from console by console
R3#
*Jul 11 13:16:28.235: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEXVPN) Client_public_addr = 110.1.23.3 Server_public_addr = 110.1.12.10
R3#
*Jul 11 13:16:39.767: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R3#
*Jul 11 13:16:39.843: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEXVPN) Client_public_addr = 110.1.23.3 Server_public_addr = 110.1.12.10 Assigned_Tunnel_v4_addr = 192.168.10.6
R3#
R3#
R3#show ip int brief
Interface           IP-Address      OK? Method Status                Protocol
FastEthernet0/0     unassigned      YES unset  administratively down down
Serial1/0           110.1.23.3      YES manual up                    up
Loopback1           10.3.3.3        YES manual up                    up
Tunnel1             192.168.10.6    YES manual up                    up
R3#
R3#
R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.23.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.23.2
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S        10.1.1.0/24 is directly connected, Tunnel1
C        10.3.3.0/24 is directly connected, Loopback1
L        10.3.3.3/32 is directly connected, Loopback1
      110.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        110.1.23.0/24 is directly connected, Serial1/0
L        110.1.23.3/32 is directly connected, Serial1/0
      192.168.10.0/32 is subnetted, 2 subnets
S        192.168.10.1 is directly connected, Tunnel1
C        192.168.10.6 is directly connected, Tunnel1
R3#
R3#show crypto ikev2 sa
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.23.3/500        110.1.12.10/500       none/none            READY
      Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/264 sec

 IPv6 Crypto IKEv2 SA

R3#
R3#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.10.6/32
  MTU 17886 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 110.1.23.3, destination 110.1.12.10
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1446 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC")
---------------- output omitted ---------------------
R3#ping 10.1.1.1 source 10.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/126/144 ms

On SERVER (R1)
R1(config)#
*Jul 11 13:14:13.747: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#
*Jul 11 13:16:27.947: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
*Jul 11 13:16:28.467: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
R1(config)#
*Jul 11 13:16:38.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Jul 11 13:16:39.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Once the client connects to the server, interface Virtual-Access1 (cloned from Virtual-Template1) comes up dynamically.
R1(config)#
R1(config)#end
R1#
R1#
R1#show ip
*Jul 11 13:21:24.627: %SYS-5-CONFIG_I: Configured from console by console
R1#
R1#show ip int brief
Interface           IP-Address      OK? Method Status                Protocol
FastEthernet0/0     unassigned      YES unset  administratively down down
Serial1/0           110.1.12.10     YES manual up                    up
Loopback1           10.1.1.1        YES manual up                    up
Loopback11          192.168.10.1    YES manual up                    up
Virtual-Access1     192.168.10.1    YES unset  up                    up
Virtual-Template1   192.168.10.1    YES unset  up                    down

Virtual-Access1 takes the IP address of Loopback11 because interface virtual-template 1 type tunnel, from which it is cloned, is configured with ip unnumbered loopback 11.
R1#
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.12.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.12.2
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Loopback1
L        10.1.1.1/32 is directly connected, Loopback1
S        10.3.3.0/24 is directly connected, Virtual-Access1
      110.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        110.1.12.0/24 is directly connected, Serial1/0
L        110.1.12.10/32 is directly connected, Serial1/0
      192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Loopback11
L        192.168.10.1/32 is directly connected, Loopback11
S        192.168.10.6/32 is directly connected, Virtual-Access1
The static route 192.168.10.6/32 via Virtual-Access1 is for the IP address assigned to the client (R3) tunnel interface. It is added to the routing table by the route set interface command under crypto ikev2 authorization policy default.
R1#
R1#
R1#show interfaces virtual-access 1
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback11 (192.168.10.1)
  MTU 17886 bytes, BW 100000 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x4, loopback not set
  Keepalive not set
  Tunnel source 110.1.12.10, destination 110.1.23.3
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1446 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC")
--------------- OUTPUT OMITTED --------------------------
R1#
R1#
R1#show crypto ikev2 sa
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.12.10/500       110.1.23.3/500        none/none            READY
      Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/336 sec

 IPv6 Crypto IKEv2 SA
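The server-to-client lab shows the two halves of one exchange: the client logs the address it was assigned (`Assigned_Tunnel_v4_addr = 192.168.10.6` in the FLEXVPN_CONNECTION_UP message) and the server installs a static /32 for that address pointing at the Virtual-Access interface, via route set interface in the IKEv2 authorization policy. The following added example (not code from the manual or from Cisco) reconciles the two: it picks the VPN-injected routes out of `show ip route` (static routes that are "directly connected" to a Virtual-Access or Tunnel interface, which no administrator typed) and checks that every address a client reports as assigned has its /32 on the server. The syslog line and route lines are constructed copies of the outputs above.

```python
import re

# Constructed samples in the format of the outputs above: the client's
# FLEXVPN_CONNECTION_UP syslog line and the server's "show ip route" lines.
CLIENT_SYSLOG = """\
*Jul 11 13:16:28.235: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEXVPN) Client_public_addr = 110.1.23.3 Server_public_addr = 110.1.12.10
*Jul 11 13:16:39.843: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEXVPN) Client_public_addr = 110.1.23.3 Server_public_addr = 110.1.12.10 Assigned_Tunnel_v4_addr = 192.168.10.6
"""

SERVER_ROUTES = """\
S*    0.0.0.0/0 [1/0] via 110.1.12.2
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Loopback1
L        10.1.1.1/32 is directly connected, Loopback1
S        10.3.3.0/24 is directly connected, Virtual-Access1
      192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Loopback11
L        192.168.10.1/32 is directly connected, Loopback11
S        192.168.10.6/32 is directly connected, Virtual-Access1
"""

# "S        192.168.10.6/32 is directly connected, Virtual-Access1"
ROUTE_LINE = re.compile(
    r"^([A-Z*]{1,2})\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+is directly connected,\s+(\S+)"
)
UP_LINE = re.compile(
    r"FLEXVPN_CONNECTION_UP.*Client_public_addr = (\S+).*Assigned_Tunnel_v4_addr = (\S+)"
)
VPN_INTERFACES = ("Virtual-Access", "Tunnel")


def vpn_injected_routes(route_output):
    """Static routes that point straight at a Virtual-Access or Tunnel
    interface. On a FlexVPN server these come from the IKEv2 authorization
    policy (route set), not from 'ip route' commands. Returns (prefix, interface)."""
    routes = []
    for line in route_output.splitlines():
        m = ROUTE_LINE.match(line)
        if m and m.group(1) == "S" and m.group(3).startswith(VPN_INTERFACES):
            routes.append((m.group(2), m.group(3)))
    return routes


def assigned_addresses(syslog):
    """Map each assigned tunnel address to the client public address that
    reported it, from FLEXVPN_CONNECTION_UP messages (DOWN messages are ignored)."""
    found = {}
    for line in syslog.splitlines():
        m = UP_LINE.search(line)
        if m:
            found[m.group(2)] = m.group(1)
    return found


def reconcile(syslog, route_output):
    """For every address a client reports as assigned, return the server
    interface that has the matching /32, or None when the route is missing."""
    injected = dict(vpn_injected_routes(route_output))
    return {addr: injected.get(f"{addr}/32") for addr in assigned_addresses(syslog)}


if __name__ == "__main__":
    print(vpn_injected_routes(SERVER_ROUTES))
    print(reconcile(CLIENT_SYSLOG, SERVER_ROUTES))
```

On the lab outputs the server holds two injected routes on Virtual-Access1, the client's 10.3.3.0/24 and the assigned 192.168.10.6/32, and the reconciliation maps 192.168.10.6 to Virtual-Access1. A None in the result is the condition to alert on: the client believes it is connected, but the server has no return route for it.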
