Lab Manual
CCNP Security SIMOS- (300-209)
Confidentiality and Secure Access
This lab manual covers detailed lab demonstrations with explanations for the CCIE Security Version 4 VPN module.
DISCLAIMER
Disclaimer and Terms of Use
Reproduction or translation of content in this PDF document without the author's written permission is prohibited. No content may be reproduced without the express written permission of the author. A hyperlink from another website to this document is permitted. You may download and retain on your disk a single copy of published material only for your personal, non-commercial use, provided that you do not remove any copyright or other proprietary notices. You may not otherwise copy, display, download, modify, distribute, repost, transmit or sell all or part of any material without the prior written permission of the author. You may not mirror all or part of any material published by the author in this document, and you may not inline any of the graphics contained in any material. Anyone accessing this document is deemed to have read and understood the above and to have agreed to it in its totality, absolutely and without any exception.
IF YOU DO NOT AGREE, please delete any copies you may possess.
Please contact author or Inter-Networkz using the contact link mentioned
below:
Web -URL: www.inter-networkz.com
Email: sandeep@inter-networkz.com | cciesandeep12@gmail.com |
info@inter-networkz.com
Skype: ccie.sandeep12
Blog: cciesecurityv4solution.blogspot.in
Basic Initialization:
Configure the routers shown in the topology:
R2 acts as the ISP, so it has only its two directly connected routes.
Configure R3; this is your remote site.
access-list 101 permit ip host 10.1.1.1 host 10.1.3.1
access-list 101 permit ip host 10.1.1.1 host 10.1.4.1
access-list 101 permit ip host 10.1.2.1 host 10.1.3.1
access-list 101 permit ip host 10.1.2.1 host 10.1.4.1
Let's change all the fields marked in red so that the configuration is ready for R3.
The fields marked in blue are the ones that change compared with the R1 configuration:
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
exit
crypto isakmp key 0 cisco123 address 192.1.12.1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
exit
access-list 101 permit ip host 10.1.3.1 host 10.1.1.1
access-list 101 permit ip host 10.1.4.1 host 10.1.1.1
access-list 101 permit ip host 10.1.3.1 host 10.1.2.1
access-list 101 permit ip host 10.1.4.1 host 10.1.2.1
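The crypto ACLs on R1 and R3 must be exact mirrors of each other; otherwise the two peers disagree on which traffic is interesting and the unmatched pairs never get a Phase II SA. The Python below is an added check (not part of the lab manual and not a Cisco tool) that parses both lists and reports any entry whose mirror is missing or unexpected. The ACL text is embedded as constructed sample input copied from the R1 and R3 configurations above; the function names are my own.

```python
import re

# Constructed samples: the crypto ACLs from this lab, R1's list and the mirror
# configured on R3 (access-list 101 on both sides).
R1_ACL = """
access-list 101 permit ip host 10.1.1.1 host 10.1.3.1
access-list 101 permit ip host 10.1.1.1 host 10.1.4.1
access-list 101 permit ip host 10.1.2.1 host 10.1.3.1
access-list 101 permit ip host 10.1.2.1 host 10.1.4.1
"""

R3_ACL = """
access-list 101 permit ip host 10.1.3.1 host 10.1.1.1
access-list 101 permit ip host 10.1.4.1 host 10.1.1.1
access-list 101 permit ip host 10.1.3.1 host 10.1.2.1
access-list 101 permit ip host 10.1.4.1 host 10.1.2.1
"""

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def _take_addr(tokens):
    """Consume one IOS address spec: 'host A', 'any', or 'A WILDCARD'. Returns ((addr, wildcard), rest)."""
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_crypto_acl(text, acl_id="101"):
    """Return the set of (src, dst) pairs that this ACL marks as interesting (permit entries only)."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_id or m.group(2) != "permit":
            continue
        src, rest = _take_addr(m.group(3).split())
        dst, _ = _take_addr(rest)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Compare the peer's crypto ACL against the exact mirror of ours.
    Returns (missing_on_remote, unexpected_on_remote); both empty means the lists mirror."""
    expected = {(dst, src) for (src, dst) in local_pairs}
    return expected - remote_pairs, remote_pairs - expected


if __name__ == "__main__":
    missing, extra = mirror_mismatches(parse_crypto_acl(R1_ACL), parse_crypto_acl(R3_ACL))
    print("mirror OK" if not (missing or extra) else f"missing={missing} extra={extra}")
```

Run it after editing either side's list; a non-empty `missing` set names the flows that will be encrypted by one peer but dropped or sent in clear by the other.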
VERIFICATION:
From router R1: ping 10.1.3.1 source 10.1.1.1
or ping 10.1.4.1 source 10.1.1.1
Verification commands:
show crypto isakmp sa
show crypto ipsec sa
Read the message: interface Tunnel1 is up. Similarly, configure a tunnel interface on R3.
Check the routing table at the R1 site. We have received routes for the private networks at the R3 site.
All routes marked D are learned through the tunnel. As you know, this is what lets us run an interior routing protocol across the Internet: the EIGRP packets are encapsulated in public IPv4 packets and sent to the other site.
Also check the routes on R3. We have received routes for the private networks on R1.
VERIFICATION:
Now that the sites have the routes, let's ping 10.1.1.1 from 10.4.1.1.
You can also configure line vty so that you can telnet and check.
Note: although we have end-to-end reachability, all packets are completely exposed. The reason is that GRE is ENCAPSULATING the private packets inside public packets, not ENCRYPTING them, so anyone who sniffs the link gets all the information.
Next is a snapshot of the sniff performed on this network.
Note: the output shows a telnet packet sent from R1 to R3, where GRE encapsulates this telnet packet from private source 192.168.1.1 to private destination 10.1.3.1, and the data part shows the character C, the first letter of the line vty password.
The next lab covers how to secure this traffic.
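To make the point concrete, here is an added Python example (not from the lab manual) that decodes a constructed GRE-over-IPv4 packet the way a sniffer on the ISP link would: it walks the outer IP, GRE and inner IP/TCP headers and returns the telnet payload, whereas for an ESP packet (IP protocol 50) it can only return the SPI. The outer public addresses, the TCP source port and the one-byte payload are constructed sample values; the inner addresses 192.168.1.1 and 10.1.3.1 are the ones named above.

```python
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47
IPPROTO_ESP = 50


def _ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (checksum left at 0; fine for offline parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_gre_telnet_packet(outer_src, outer_dst, inner_src, inner_dst, payload):
    """Constructed sample: outer IP -> GRE (no optional fields) -> inner IP -> TCP/23 -> payload."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1, 1, 5 << 4, 0x18, 4096, 0, 0) + payload
    inner = _ipv4_header(inner_src, inner_dst, IPPROTO_TCP, len(tcp)) + tcp
    gre = struct.pack("!HH", 0x0000, 0x0800) + inner          # flags/version 0, protocol type IPv4
    return _ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre)) + gre


def build_esp_packet(outer_src, outer_dst, spi, ciphertext):
    """Constructed sample of the same flow once tunnel protection is applied: SPI, seq, opaque data."""
    esp = struct.pack("!II", spi, 1) + ciphertext
    return _ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def _parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[ihl:]


def inspect_packet(pkt):
    """Return what a passive observer on the public link can read from one packet."""
    proto, osrc, odst, payload = _parse_ipv4(pkt)
    result = {"outer": (osrc, odst), "encapsulation": None, "inner": None,
              "dport": None, "cleartext": None}
    if proto == IPPROTO_ESP:
        # Only SPI and sequence number are visible; inner addresses and data are encrypted.
        result["encapsulation"] = "ESP"
        result["spi"] = struct.unpack("!I", payload[:4])[0]
        return result
    if proto != IPPROTO_GRE:
        return result
    result["encapsulation"] = "GRE"
    flags, ptype = struct.unpack("!HH", payload[:4])
    hdr_len = 4
    if flags & 0x8000:        # checksum present (checksum + reserved1)
        hdr_len += 4
    if flags & 0x2000:        # key present
        hdr_len += 4
    if flags & 0x1000:        # sequence number present
        hdr_len += 4
    if ptype != 0x0800:       # only IPv4 passengers handled here
        return result
    iproto, isrc, idst, ipayload = _parse_ipv4(payload[hdr_len:])
    result["inner"] = (isrc, idst)
    if iproto == IPPROTO_TCP:
        result["dport"] = struct.unpack("!H", ipayload[2:4])[0]
        data_off = (ipayload[12] >> 4) * 4
        result["cleartext"] = ipayload[data_off:]
    return result


if __name__ == "__main__":
    gre = build_gre_telnet_packet("192.1.12.1", "192.1.23.3", "192.168.1.1", "10.1.3.1", b"C")
    print(inspect_packet(gre))
    print(inspect_packet(build_esp_packet("192.1.12.1", "192.1.23.3", 0xC0FFEE, b"\x9a\x11\x02")))
```

The GRE case yields the inner addresses, the destination port 23 and the password byte; the ESP case yields only the outer addresses and the SPI, which is exactly the difference the next lab's tunnel protection makes.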
Apply the IPsec profile to protect the data going through the tunnel. For this you need to go to the tunnel interface and enter:
tunnel protection ipsec profile {ipsec profile name}
In the snapshot above you see that the EIGRP neighbor relationship is down. The hold time expires because R1 is sending and receiving IPsec packets, whereas R3 is not configured for IPsec, so the packets received from R3 are not IPsec packets.
Page 17
Check the Wireshark output: all packets are encrypted using ESP.
Also look at the output for interface Tunnel1 and check the highlighted line: the IPsec profile named IPSEC_PROFILE is being used to encrypt the traffic sent over the tunnel interface.
If you execute the show crypto ipsec sa command you will see that the mode in use is still Tunnel (check the highlighted section in the snapshot above). To apply the change you need to clear the existing SA and bring the tunnel up again, and then check the output of show crypto ipsec sa:
int tunnel 1
shut
no shut
exit
Copyrights @ 2014-2016, Inter-Networkz, Bangalore - IN, All Rights Reserved
cciesandeep12@gmail.com | Skype: ccie.sandeep12
Now that the entire packet is encrypted we no longer need the GRE header, so we set tunnel mode ipsec ipv4.
Basic Initialization:
On R1:
int f0/0
ip address 10.11.11.1 255.255.255.0
no shut
exi
!
ip route 0.0.0.0 0.0.0.0 10.11.11.10
On R2:
int f0/0
ip address 192.1.12.2 255.255.255.0
no shut
exi
int f0/1
VERIFICATION:
On ASA:
Solution:
On R3:
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
exit
crypto isakmp key 0 cisco123 address 192.1.11.1
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
exit
access-list 101 permit ip 10.11.11.1
Lab Topology:
ACL:
access-list ACL permit udp host 192.1.23.3 host 192.1.10.1 eq isakmp
access-list ACL permit esp host 192.1.23.3 host 192.1.10.1
Apply the ACL to the outside interface:
access-group ACL in interface outside
R3 (show crypto isakmp sa): src 192.1.23.3   state QM_IDLE   slot   status ACTIVE   1001
Pre-requisite: you need full end-to-end reachability; for this you can run any interior routing protocol.
Also, your key server cannot be a group member. We use the R5 loopback (10.1.5.1/24) as the key server because, being a loopback, it is reachable from any interface.
Now check the routing table using the command: show ip route
On Group Member:
Debug:
Notice that the ping which was working earlier now fails.
Reason: R1 has registered itself with the key server, while R2, R3 and R4 are yet to register.
Note: pings from R1 to 10.1.3.1 and 10.1.4.1 still fail because those routers are yet to register.
But the ping shown below succeeds, because it is sourced from 7.7.15.1: this is not interesting traffic, so it goes unencrypted.
For this ping the WireShark capture output is shown below the ping:
For this ping the WireShark capture output is shown below the ping:
Check that the Phase-II parameters are available on the group members, as they are pushed down by the key server.
Now note that the remaining key lifetime is just 96 seconds; soon the key will be refreshed and redistributed to the group members.
Configuration on CA Server:
Step 1: Configure the clock.
You can set the clock manually or using NTP.
R5(config)#clock timezone IST 5 30
R5(config)#ntp master 1
or
R5(config)#do clock set 20:55:00 13 aug 2013
Step 2: Now configure an FQDN / hostname
R5(config)#ip domain-name cisco.com
Step 3: Generate an RSA key pair
R5(config)#crypto key generate rsa label CA modulus 1024
% Generating 1024 bit RSA keys, keys will be non-exportable..[OK]
Step 4: Enable the HTTP service, as the clients are going to enroll for identity certificates on port 80. To see the consequence of this command, skip it for now and come back and enter it after step 5: you will see that although you have executed no shutdown under the CA server, the CA server is still not up.
R5(config)# ip http server
Step 5: Set up the CA server parameters
CN: CommonName
OU: OrganizationalUnit
O: Organization
L: Locality
S: StateOrProvinceName
C: CountryName
On the Clients:
Step 1: Configure the clock.
You can set the clock manually or using NTP.
R1(config)#clock timezone IST 5 30
R1(config)# ntp server 10.1.5.1
or
At this moment only R1 has got the session key from the KEY_SERVER.
This ping fails because R1 is sending encrypted traffic but R2 can't decrypt it, as R2 is yet to register with the key server. Similarly, if R2 pings R1, R1 gets an error message:
LAB-6: DMVPN
Lab Topology:
Basic Initialization:
Here R1 is the HUB:
Initial configuration for the HUB/server.
Configuration on SPOKES:
On R3:
Verification: go to R1 (HUB) and check that R3 has dynamically registered with the NHS server (R1).
This entry remains with the Next-Hop Server (NHS) for 2 hours; also observe that the registration type is dynamic.
Verify the output on R3:
On R5
int tunnel 1
ip address 192.168.1.5 255.255.255.0
tunnel source s0/0
tunnel mode gre multipoint
ip nhrp network-id 100
ip nhrp nhs 192.168.1.1
ip nhrp map 192.168.1.1 110.1.16.1
Recheck the NHS for the mappings: R4 and R5 have also registered.
As you verified in the output on R3, there is only one mapping entry in the cache. Now we traceroute to 192.168.1.5, i.e. the IP address of the R5 tunnel interface.
The packet first goes to 192.168.1.1, i.e. the NHS, and then to 192.168.1.5, so the packet takes 2 hops to reach the destination.
During this process R3 requested the mapping for 192.168.1.5 from the NHS.
Compare this with the snapshot above.
This time the packet reaches the destination in just 1 hop because R3 has the mapping available in its cache.
This is called DMVPN PHASE-I, where the SPOKES communicate directly with each other by downloading the mappings from the NHS.
DMVPN PHASE-II
Now run an interior routing protocol on the HUB and SPOKES.
router eigrp 101
no auto-summary
network 192.168.1.0
network 10.0.0.0
exi
On SPOKES:
int tunnel 1
ip nhrp map multicast 110.1.16.1
exit
Routing protocol updates are sent to the multicast network 224.0.0.0, so the SPOKES need a multicast mapping to send routing updates to the HUB.
On HUB:
int tunnel 1
ip nhrp map multicast dynamic
exi
Verify the output:
On HUB:
int tunnel 1
shut
exi
Observe that all the private networks are reachable via 192.168.1.1, i.e. the HUB.
Now if you traceroute you will see that traffic is routed through the HUB to the SPOKE and does not go directly from SPOKE to SPOKE.
Reason: how traffic is routed is dictated by the routing table, and the routing table entry says 10.4.1.1 is reachable via 192.168.1.1.
For the solution, change the setting on R1 (HUB):
int tunnel 1
no ip next-hop-self eigrp 101
exi
Verification: check the routing table entry on the SPOKES again and compare with the earlier routing table output.
DMVPN PHASE-III
Remove the changes made to the routing protocol on the HUB during PHASE-II.
On HUB:
int tunnel 1
ip split-horizon eigrp 101
ip next-hop-self eigrp 101
exi
Now we use the NHRP features to accomplish what we accomplished in PHASE-II by changing the routing protocol settings.
On R1 (HUB):
int tunnel 1
ip nhrp redirect
exit
On SPOKES:
int tunnel 1
ip nhrp shortcut
exit
Verification:
!On R1
enable
conf t
int f0/0
ip add 136.1.13.1 255.255.255.0
no shut
exi
ip route 0.0.0.0 0.0.0.0 136.1.13.3
int loo 1
ip add 10.1.1.1 255.255.255.0
int loo 2
ip add 10.1.2.1
!On R2
ena
conf t
int s0/0
ip add 136.1.24.2 255.255.255.0
clock rate 1000000
no shut
exi
int s0/1
ip add 136.1.25.2 255.255.255.0
clock rate 1000000
no shut
exi
!On R3
ena
conf t
int f0/0
ip add 136.1.13.3 255.255.255.0
no shut
exi
int s0/0
ip add 136.1.34.3 255.255.255.0
no shut
exi
int s0/1
ip add 136.1.35.3 255.255.255.0
no shut
router eigrp 100
no aut
network 136.1.34.0
network 136.1.35.0
exi
Setup Tuning:
If you check the routing table on R3, you will see that there are 2 routes to reach Loopback-0 on R2, i.e. 1.1.1.1.
To correct this, set the bandwidth on the R5 S0/1 and R2 S0/1 interfaces. As we are running EIGRP this changes the metric value, and as a result there is only 1 best route in the routing table.
On R2 - interface S0/1
bandwidth 128
On R5 - interface S0/1
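Worked metric calculation, added here as an example (not from the manual): with the default K values the classic EIGRP metric is 256 * (10^7 / min_bandwidth_kbps + sum_of_delays / 10). The Python below models the two R3-to-R2 paths with assumed IOS interface defaults (serial 1544 kbit/s and 20000 us delay, loopback 8000000 kbit/s and 5000 us delay; the page does not state these), and shows that both paths tie before tuning, which is why two routes appear, and that bandwidth 128 on the R5-to-R2 serial leaves a single best route. The path model and function names are my own.

```python
# Classic EIGRP composite metric with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):
#   metric = 256 * ( 10^7 // min_bandwidth_kbps  +  sum_of_delays_us // 10 )
# using integer division the way IOS does.

# Assumed IOS interface defaults (not stated on the page).
SERIAL = {"bw": 1544, "delay_us": 20000}
LOOPBACK = {"bw": 8000000, "delay_us": 5000}


def eigrp_metric(links):
    """links: the outbound interfaces along the path, each {'bw': kbit/s, 'delay_us': microseconds}."""
    min_bw = min(link["bw"] for link in links)
    delay_tens = sum(link["delay_us"] for link in links) // 10
    return 256 * (10_000_000 // min_bw + delay_tens)


def routing_table_entries(paths):
    """With the default variance of 1 every equal-cost best path is installed; return {name: metric}."""
    metrics = {name: eigrp_metric(links) for name, links in paths.items()}
    best = min(metrics.values())
    return {name: m for name, m in metrics.items() if m == best}


def r3_paths_to_r2_loopback(r5_to_r2_bw_kbps):
    """Constructed model of the lab: R3 reaches Loopback0 on R2 (1.1.1.1) either via R4 or via R5.
    Only the R5 -> R2 serial link (R5 S0/1 / R2 S0/1) gets the `bandwidth` tuning."""
    tuned = dict(SERIAL, bw=r5_to_r2_bw_kbps)
    return {
        "via R4": [SERIAL, SERIAL, LOOPBACK],   # R3 S0/0 -> R4 -> R2 -> Loopback0
        "via R5": [SERIAL, tuned, LOOPBACK],    # R3 S0/1 -> R5 S0/1 (tuned) -> R2 -> Loopback0
    }


if __name__ == "__main__":
    print("before tuning      :", routing_table_entries(r3_paths_to_r2_loopback(SERIAL["bw"])))
    print("after bandwidth 128:", routing_table_entries(r3_paths_to_r2_loopback(128)))
```

Before tuning both paths compute to 2,809,856 and are both installed; with the R5 link at 128 kbit/s the via-R5 metric jumps to 21,152,000 and only the via-R4 route remains, which is the effect the two bandwidth commands above produce.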
Basic Configuration:
Router-R4
int f0/0
ip address 192.1.100.1 255.255.255.0
no shut
exi
int f0/1
ip add 192.168.1.1 255.255.255.0
no shut
exi
!
ip route 0.0.0.0 0.0.0.0 192.1.100.3
Router-R2
int f0/0
ip address 192.168.1.5 255.255.255.0
no shut
exit
int loopback 0
Router-R5
int f0/0
ip address 192.1.100.2 255.255.255.0
no shut
exi
int f0/1
ip add 192.168.1.2 255.255.255.0
no shut
exi
ip route 0.0.0.0 0.0.0.0 192.1.100.3
Router-R3
int f0/0
ip address 192.1.100.3 255.255.255.0
no shut
exi
int s0/0
ip address 192.1.34.3 255.255.255.0
clock rate 128000
no shut
exi
ip route 0.0.0.0 0.0.0.0 192.1.34.4
Router-R1
int s0/0
ip address 192.1.34.4 255.255.255.0
no shut
exit
int loopback 0
ip address 10.4.4.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.1.34.3
On the switch:
On Router R5
interface F0/0
standby 1 ip 192.1.100.12
standby 1 name HA
exit
SITE2= Router R4
SITE2= Router R5
Ping output marked in yellow is when interface F0/0 of R4 is UP.
Ping output marked in orange is when interface F0/0 of R4 is SHUTDOWN; for the next 10 sec you get dots (.) in the ping output.
Ping outputs left unmarked are the ping packets going through R5.
LAB-1: Easy VPN with IOS server and Cisco VPN Client Software
Lab Topology:
Logical Setup:
Physical Setup:
Requirements:
Devices Used:
(a) Two PCs
(b) Two routers: R3, R4
On SW4:
Try to ping 192.1.20.2, which is the public IP address of your Easy VPN server.
Connection in progress:
Once you get connected, you will be prompted for the login username and password.
Basic Initialization:
On R1
int f0/0
ip address 192.1.20.2 255.255.255.0
no shut
exi
int loopback 1
ip add 10.10.10.1 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.1.20.1
On R3
int f0/0
ip add 192.1.30.3 255.255.255.0
no shut
exi
int loopback 1
ip add 192.168.10.1
On R2
int f0/0
ip add 192.1.20.1 255.255.255.0
no shut
exi
int f0/1
ip add 192.1.30.1 255.255.255.0
no shut
exi
Verification:
Ping 192.1.20.2 from R3.
On R3:
crypto ipsec client ezvpn EZC
peer 192.1.20.2
group SALES1 key cisco111
mode client
connect auto
exit
Output:
On the server (R1): the moment the client router R3 connects, the Virtual-Access2 interface state changes to UP.
Now notice that there is no translation on the router. We will come back and verify this output again soon.
Now ping 10.10.10.1, the private network behind the Easy VPN server, from the private network behind R3 (Loopback 1 = 192.168.10.1).
Basic Initialization:
On R4
int f0/0
ip add 10.11.11.1 255.255.255.0
no shut
exi
!
ip route 0.0.0.0 0.0.0.0 10.11.11.10
!
ip http server
ip http secure-server
!
username admin privilege 15 password cisco
On R5
int f0/0
On PC:
Change adapter settings:
IP Address: 177.11.11.1
Mask: 255.255.255.0
Gateway: 177.11.11.10
On R6
int f0/0
ip add 192.1.20.1 255.255.255.0
no shut
exi
int f0/1
ip add 177.11.11.10 255.255.255.0
no shut
exi
ip route 0.0.0.0 0.0.0.0 192.1.20.10
Clientless VPN
On SSL VPN Server (R5):
username admin password cisco
!
aaa new-model
aaa authentication login AUTHEN local
!
ip http server
ip http secure-server
Output:
Verification:
On PC:
Under policy group SSL_Policy there is one command, hide-url-bar, which hides the URL bar. You know it takes you to router R4, which is at 10.11.11.1, but you won't get to see this address in the URL bar.
Thin client
Continue with the previous configuration:
webvpn context SSL_CONTEXT
port-forward "Applications"
local-port 2200 remote-server "10.11.11.1" remote-port 23 description "Use this To Telnet To R4"
policy group SSL_Policy
port-forward "Applications"
exit
exit
Verification:
Browse to https://192.1.20.10
Login using username admin password cisco
Full Client
Verification:
Browse to https://192.1.20.10
Login using username admin password cisco
After a successful login you will be presented with the page shown below.
Theory:
In IKEv1, i.e. Internet Key Exchange version 1, we have two phases: PHASE-I and PHASE-II.
PHASE-I is also known as the ISAKMP phase. ISAKMP stands for Internet Security Association and Key Management Protocol.
In PHASE-I we have two protocols working for successful establishment
Basic Initialization:
!On R1
conf t
int s1/0
ip add 171.1.15.1 255.255.255.0
no shut
exi
!
int loopback1
ip add 10.1.1.1 255.255.255.0
exi
!
ip route 0.0.0.0 0.0.0.0 171.1.15.5
!
!On R5
conf t
int s1/0
clock rate 1000000
ip add 171.1.15.5
!On R2
conf t
int s1/0
ip add 171.1.25.2 255.255.255.0
no shut
exi
!
int loopback1
ip add 10.1.2.2 255.255.255.0
exi
!
ip route 0.0.0.0 0.0.0.0 171.1.25.5
!
IKEv2 configuration on R1
crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5 14
exit
!
crypto ikev2 policy POLICY1
proposal PROP1
exit
!
crypto ikev2 keyring KR1
peer R1
address 171.1.25.2 255.255.255.0
pre-shared-key local R1cisco
pre-shared-key remote R2cisco
!
crypto ikev2 profile R1R2
match identity remote address 171.1.25.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KR1
exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
IKEv2 configuration on R2
crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5 14
exit
!
crypto ikev2 policy POLICY1
proposal PROP1
exit
!
crypto ikev2 keyring KR1
peer R1
address 171.1.15.1 255.255.255.0
pre-shared-key local R2cisco
pre-shared-key remote R1cisco
!
crypto ikev2 profile R1R2
match identity remote address 171.1.15.1 255.255.255.255
authentication remote pre-share
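The keyring and profile on the two sides have to line up: R1's local key must equal R2's remote key and vice versa, and each side's match identity must cover the other's address, otherwise IKE_AUTH fails even though IKE_SA_INIT completes. The Python below is an added consistency check (not from the manual and not a Cisco tool) that parses those two blocks from the R1 and R2 configurations above, embedded here as constructed sample text, and reports any mismatch; the function names are my own.

```python
import ipaddress

# Constructed samples: the keyring and profile halves of R1's and R2's IKEv2 configuration above.
R1_CFG = """
crypto ikev2 keyring KR1
 peer R1
  address 171.1.25.2 255.255.255.0
  pre-shared-key local R1cisco
  pre-shared-key remote R2cisco
!
crypto ikev2 profile R1R2
 match identity remote address 171.1.25.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
"""

R2_CFG = """
crypto ikev2 keyring KR1
 peer R1
  address 171.1.15.1 255.255.255.0
  pre-shared-key local R2cisco
  pre-shared-key remote R1cisco
!
crypto ikev2 profile R1R2
 match identity remote address 171.1.15.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
"""


def parse_ikev2_psk(cfg):
    """Return (keyring_entries, identity_networks).
    keyring_entries: [{'net': IPv4Network, 'local': key, 'remote': key}]
    identity_networks: the networks named by 'match identity remote address'."""
    entries, idents, cur = [], [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("peer "):
            cur = {"net": None, "local": None, "remote": None}
            entries.append(cur)
        elif line.startswith("address ") and cur is not None:
            addr, mask = line.split()[1:3]
            cur["net"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("pre-shared-key ") and cur is not None:
            _, side, key = line.split(None, 2)          # side is 'local' or 'remote'
            cur[side] = key
        elif line.startswith("match identity remote address "):
            addr, mask = line.split()[4:6]
            idents.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif line == "!" or line.startswith("crypto ikev2 profile"):
            cur = None                                  # left the keyring block
    return entries, idents


def _entry_for(entries, peer_ip):
    ip = ipaddress.ip_address(peer_ip)
    return next((e for e in entries if e["net"] is not None and ip in e["net"]), None)


def check_psk_pair(cfg_a, ip_a, cfg_b, ip_b):
    """Return a list of problems between side A (at ip_a) and side B (at ip_b); empty means consistent."""
    ent_a, id_a = parse_ikev2_psk(cfg_a)
    ent_b, id_b = parse_ikev2_psk(cfg_b)
    ea, eb = _entry_for(ent_a, ip_b), _entry_for(ent_b, ip_a)
    if ea is None or eb is None:
        return ["no keyring entry covering the peer address"]
    problems = []
    if ea["local"] != eb["remote"]:
        problems.append(f"A local key {ea['local']!r} != B remote key {eb['remote']!r}")
    if ea["remote"] != eb["local"]:
        problems.append(f"A remote key {ea['remote']!r} != B local key {eb['local']!r}")
    if not any(ipaddress.ip_address(ip_b) in n for n in id_a):
        problems.append(f"A profile does not match identity {ip_b}")
    if not any(ipaddress.ip_address(ip_a) in n for n in id_b):
        problems.append(f"B profile does not match identity {ip_a}")
    return problems


if __name__ == "__main__":
    print(check_psk_pair(R1_CFG, "171.1.15.1", R2_CFG, "171.1.25.2") or "keyring pair is consistent")
```

Note that the keyring `address` uses a /24 mask while the profile's match identity is a /32; the check honours that difference by testing network membership rather than string equality.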
Verification:
debug crypto ikev2
*Jul 10 17:30:52.615: IKEv2:Received Packet [From 110.1.23.3:500/To 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Jul 10 17:30:52.635: IKEv2:(SA ID = 1):Verify SA init message
*Jul 10 17:30:52.639: IKEv2:(SA ID = 1):Insert SA
*Jul 10 17:30:52.643: IKEv2:Searching Policy with fvrf 0, local address 110.1.12.1
*Jul 10 17:30:52.647: IKEv2:Found Policy 'IKEV2-POLICY'
*Jul 10 17:30:52.651: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Jul 10 17:30:52.659: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jul 10 17:30:52.663: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool'
ID = 1):
ID = 1):[IPsec -> IKEv2] Creation
PASSED
ID = 1):Checking for duplicate
ID = 1):No duplicate IKEv2 SA
ID = 1):Starting timer (8 sec) to
show crypto ikev2 sa
show crypto ipsec sa
!On R4
conf t
int s1/0
ip add 182.1.45.4 255.255.255.0
no shut
exi
!
int loopback 1
ip add 10.1.4.4 255.255.255.0
exi
!
ip route 0.0.0.0 0.0.0.0 182.1.45.5
!
!On R5
conf t
int s1/2
clock rate 1000000
ip add 182.1.35.5 255.255.255.0
no shut
exi
int s1/3
clock rate 1000000
ip add 182.1.45.5 255.255.255.0
no shut
exi
IKEv2 configuration on R3
crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5 14
exit
!
crypto ikev2 policy POLICY1
proposal PROP1
exit
!
crypto ikev2 keyring KR1
peer R4
address 182.1.45.4 255.255.255.0
pre-shared-key local R3cisco
pre-shared-key remote R4cisco
exit
!
crypto ikev2 profile R3R4
match identity remote address 182.1.45.4 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KR1
exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
exit
!
crypto ipsec profile IPSEC_PROFILE
set transform-set TSET
set ikev2-profile R3R4
exi
!
interface Tunnel1
ip address 192.168.10.3 255.255.255.0
tunnel source Serial1/0
IKEv2 configuration on R4
crypto ikev2 proposal PROP1
encryption 3des aes-cbc-128
integrity md5 sha1
group 2 5 14
exit
!
crypto ikev2 policy POLICY1
proposal PROP1
exit
!
crypto ikev2 keyring KR1
peer R3
address 182.1.35.3 255.255.255.0
pre-shared-key local R4cisco
pre-shared-key remote R3cisco
exit
!
crypto ikev2 profile R3R4
match identity remote address 182.1.35.3 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KR1
exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
  limit   policy   redirect   remote-access
  exit   group   help   integrity   lifetime   no   prf
ciscoasa(config-ikev2-policy)# encryption ?
ikev2-policy mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption
ciscoasa(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
  md5   sha   sha256   sha384   sha512
ciscoasa(config-ikev2-policy)# group ?
ikev2-policy mode commands/options:
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
ciscoasa(config-ikev2-policy)# group 2 5
ciscoasa(config-ikev2-policy)# exi
  ikev1   ikev2   security-association
  help   no   protocol
ciscoasa(config-ipsec-proposal)# protocol ?
ipsec-proposal mode commands/options:
  esp
  integrity   protocol
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption
  integrity   protocol
  sha-1
ciscoasa(config)# tunnel-group ?
configure mode commands/options:
  WORD < 65 char
  ipsec-attributes
  exit              Exit from tunnel-group IPSec attribute configuration mode
  help
  ikev1             Configure IKEv1
  ikev2             Configure IKEv2
  isakmp
  no
  peer-id-validate
  certificate
ciscoasa(config-tunnel-ipsec)# ikev2 ?
tunnel-group-ipsec mode commands/options:
  local-authentication   for IKEv2 tunnels
  ipsec-isakmp   IPSec w/ISAKMP
  match
  set
  Access-list name
  IP address
  IPv6 address
  ikev2
  nat-t-disable          based on this entry
  peer
  pfs
  reverse-route          Enable reverse route injection for connections based on this entry
  security-association
  trustpoint             Specify trustpoint that defines the certificate to be used while initiating a connection based on this entry
ipsec-proposal tag
Page 145
Page 146
Page 147
Page 148
Page 149
CLIENT SITE
R3(config)#crypto ikev2 proposal PROPOSAL1
IKEv2 proposal MUST have atleast an encryption algorithm, an integrity algorithm and a dh group configured
R3(config-ikev2-proposal)# integrity sha1
R3(config-ikev2-proposal)# encry 3des aes-cbc-128
Lab Topology:
Task:
Implement FlexVPN spoke-to-spoke. Configure R1 as the HUB; R3 and R4 are the spokes in the topology, whereas R2 works as the ISP. The objective is to communicate from spoke to spoke, i.e. from R3 (10.3.3.0/24) to R4 (10.4.4.0/24).
Use the following details to complete the task.
Server: R1 (110.1.12.1/24)
Spokes: R3 (110.1.23.3/24) and R4 (110.1.24.4/24)
Private Network: 10.1.1.0/24
Network For Tunnel interface: 192.168.10.0/24
On Spokes:
Server: R1 (110.1.12.1/24)
Spokes: R3 (110.1.23.3/24) and R4 (110.1.24.4/24)
Private Network: R3 (10.3.3.0/24), R4 (10.4.4.0/24)
Network For Tunnel interface: 192.168.10.0/24
Local/Remote Authentication method: Pre-shared-key
Pre-shared-key: cisco123
Ikev2 Profile Name: IKEV2PROFILE
IPsec Profile Name: IPSEC
IP NHRP network-id: 100
Tunnel Interface: Tunnel1
Tunnel interface IP: negotiated
Tunnel source: S1/0
Tunnel destination: 110.1.12.1
Interior Routing Protocol: EIGRP-10
Solution: On AVI
R1(config)#
*Jul 11 11:48:10.959: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
R1(config)#
*Jul 11 11:48:11.427: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Jul 11 11:48:40.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R1(config)#
*Jul 11 11:48:46.371: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.11 (Virtual-Access1) is up: new adjacency
R1#
R1#
*Jul 11 11:49:35.063: %SYS-5-CONFIG_I: Configured from console by console
Virtual-Access1 is assigned the IP address of Loopback11, as given by the command ip unnumbered loopback 11 under interface virtual-template 1 type tunnel.
R1#
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.12.2 to network 0.0.0.0

S*
Tunnel-id Local            Remote           fvrf/ivrf   Status
1         110.1.12.1/500   110.1.23.3/500   none/none   READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/984 sec

IPv6 Crypto IKEv2 SA

R1#
On Client R4
R4(config)#
*Jul 11 11:53:23.879: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.1 (Tunnel1) is up: new adjacency
R4#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local            Remote           fvrf/ivrf   Status
1         110.1.24.4/500   110.1.12.1/500   none/none   READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/25 sec

IPv6 Crypto IKEv2 SA
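A practitioner reading this output would also note what was negotiated: 3DES, SHA-1 (shown as SHA96) and DH group 2 are legacy choices, and the Life/Active Time pair tells you how long until rekey. The Python below is an added example (not from the manual) that parses `show crypto ikev2 sa` output into one record per tunnel, computes the remaining lifetime, and flags legacy algorithms; the sample text is the R1 output above embedded as a constructed string, and the legacy classification follows common current guidance such as Cisco's Next Generation Encryption recommendations.

```python
import re

# Constructed sample: the `show crypto ikev2 sa` output shown for the hub R1 above.
SAMPLE = """\
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.12.1/500        110.1.23.3/500        none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/984 sec

IPv6 Crypto IKEv2 SA
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ALG_RE = re.compile(r"Encr:\s*(\S+),\s*Hash:\s*(\S+),\s*DH Grp:\s*(\d+),"
                    r"\s*Auth sign:\s*(\S+),\s*Auth verify:\s*(\S+)")
LIFE_RE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")

# Algorithms commonly classed as legacy (e.g. Cisco NGE guidance): DES/3DES, MD5/SHA-1,
# and Diffie-Hellman groups of 1536 bits or less.
LEGACY_ENCR = {"DES", "3DES"}
LEGACY_HASH_PREFIXES = ("MD5", "SHA96", "SHA1")
LEGACY_DH = {1, 2, 5}


def parse_ikev2_sa(text):
    """Parse the per-tunnel rows plus their indented Encr/Hash and Life/Active lines."""
    sas, cur = [], None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            cur = {"tunnel_id": int(row.group(1)), "local": row.group(2),
                   "remote": row.group(3), "vrf": row.group(4), "status": row.group(5)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        alg = ALG_RE.search(line)
        if alg:
            cur.update(encr=alg.group(1), hash=alg.group(2), dh=int(alg.group(3)),
                       auth_sign=alg.group(4), auth_verify=alg.group(5))
            continue
        life = LIFE_RE.search(line)
        if life:
            lifetime, active = int(life.group(1)), int(life.group(2))
            cur.update(lifetime=lifetime, active=active, remaining=lifetime - active)
    return sas


def legacy_findings(sa):
    """Return human-readable findings for an SA that negotiated legacy algorithms."""
    findings = []
    if sa.get("encr") in LEGACY_ENCR:
        findings.append(f"encryption {sa['encr']}")
    if str(sa.get("hash", "")).startswith(LEGACY_HASH_PREFIXES):
        findings.append(f"integrity {sa['hash']}")
    if sa.get("dh") in LEGACY_DH:
        findings.append(f"DH group {sa['dh']}")
    return findings


if __name__ == "__main__":
    for sa in parse_ikev2_sa(SAMPLE):
        print(sa["local"], "->", sa["remote"], sa["status"],
              f"rekey in {sa['remaining']}s;", "legacy:", legacy_findings(sa) or "none")
```

Against the sample the parser returns one READY SA with 85416 seconds left and flags 3DES, SHA96 and DH group 2, which is what the lab's proposal (encryption 3des aes-cbc-128, integrity md5 sha1, group 2 5 14) allowed the peers to settle on.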
Flex VPN-Server-Client
Pre-requisite: load the initial configuration for all the devices in the topology from the pre-configuration files.
Lab Topology:
Task
Configure R1 as the server and R3 as the client. Make sure you are able to ping from the 10.3.3.0/24 network behind R3 to the 10.1.1.0/24 network behind R1.
Use the pre-configuration to initialize the devices.
Solution: On AVI
On SERVER (R1)
R1(config)#
*Jul 11 13:14:13.747: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#
*Jul 11 13:16:27.947: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
*Jul 11 13:16:28.467: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
R1(config)#
*Jul 11 13:16:38.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Jul 11 13:16:39.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Once the client connects to the server, interface Virtual-Access1 comes up dynamically.
R1(config)#
R1(config)#end
R1#
R1#
R1#show ip
*Jul 11 13:21:24.627: %SYS-5-CONFIG_I: Configured from console by console
R1#
R1#show ip int brief
Interface          IP-Address    OK? Method Status                Protocol
FastEthernet0/0    unassigned    YES unset  administratively down down
Serial1/0          110.1.12.10   YES manual up                    up
Loopback1          10.1.1.1      YES manual up                    up
Loopback11         192.168.10.1  YES manual up                    up
Virtual-Access1    192.168.10.1  YES unset  up                    up
Virtual-Template1  192.168.10.1  YES unset  up                    down