This blog was originally started to better help me understand the technologies in the CCIE R&S blueprint; after completing the R&S track I have decided to transition the blog into a technology blog.

CCIE #29033

This blog will continue to include questions, troubleshooting scenarios, and references to existing and new technologies but will grow to include a variety of different platforms and technologies. Currently I have created over 185 questions/answers regarding the CCIE R&S track!! Note: answers are in the comment field or within the "Read More" section.

You can also follow me on twitter @FE80CC1E


Wednesday, March 20, 2013

VPN-IPSEC

It's been a while but I am going to try to post weekly.

Here is a sample configuration for an IPSEC VPN between two routers.
Note: 172.16.1.X/32 are loopback interfaces.


R1
Define IKE Phase 1 Policy (ISAKMP)
(config)#crypto isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2

Define pre-shared key
(config)#crypto isakmp key 0 $pass@word$ address 192.168.1.2

Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac

Create ACL to match interesting traffic
(config)#access-list 150 permit ip 172.16.1.1 0.0.0.0 172.16.1.2 0.0.0.0

Create Crypto Map
(config)#crypto map VPN-MAP-R1-R2 10 ipsec-isakmp
(config-crypto-map)#set peer 192.168.1.2
(config-crypto-map)#set transform-set TRANS-R1-R2
(config-crypto-map)#match address 150

Apply Crypto Map to Interface
(config)#interface fas0
(config-if)#crypto map VPN-MAP-R1-R2

Create a route
(config)#ip route 172.16.1.2 255.255.255.255 fas0

R2
Define IKE Phase 1 Policy (ISAKMP)
(config)#crypto isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2

Define pre-shared key
(config)#crypto isakmp key 0 $pass@word$ address 192.168.1.1

Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac

Create ACL to match interesting traffic
(config)#access-list 150 permit ip 172.16.1.2 0.0.0.0 172.16.1.1 0.0.0.0

Create Crypto Map
(config)#crypto map VPN-MAP-R1-R2 10 ipsec-isakmp
(config-crypto-map)#set peer 192.168.1.1
(config-crypto-map)#set transform-set TRANS-R1-R2
(config-crypto-map)#match address 150

Apply Crypto Map to Interface
(config)#interface fas0
(config-if)#crypto map VPN-MAP-R1-R2

Create a route
(config)#ip route 172.16.1.1 255.255.255.255 fas0
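Most problems with a crypto-map pair like the one above come from the two sides not mirroring each other: a crypto ACL that is not the reverse of its peer's, a transform-set or ISAKMP policy that differs, or a typo such as a missing protocol keyword in the ACL. The checker below is an added example, not code from the original post; it parses the R1/R2 commands shown above (the sample strings are constructed from them, prompts stripped), reports mismatches between the two sides, and also flags the 1024-bit DH group 2 and SHA-1 settings as legacy choices by today's guidance.

```python
import re
# Constructed sample: R2's crypto config from the post (prompts stripped, one command per
# line); R1 is derived from it by mirroring the addresses, as the post's R1 side does.
R2 = """crypto isakmp policy 10
 encryption aes 256
 hash sha
 group 2
crypto isakmp key 0 $pass@word$ address 192.168.1.1
crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac
access-list 150 permit ip 172.16.1.2 0.0.0.0 172.16.1.1 0.0.0.0
crypto map VPN-MAP-R1-R2 10 ipsec-isakmp
 set peer 192.168.1.1
 match address 150"""
R1 = R2.replace("192.168.1.1", "192.168.1.2").replace(
    "172.16.1.2 0.0.0.0 172.16.1.1", "172.16.1.1 0.0.0.0 172.16.1.2")
# ISAKMP attributes that still negotiate but sit below current guidance (1024-bit DH, SHA-1).
LEGACY = {("group", "1"), ("group", "2"), ("hash", "md5"), ("hash", "sha"), ("encryption", "des")}
def parse(cfg):  # fields that must agree (or mirror) between two crypto-map peers
    def find(pat):
        m = re.search(pat, cfg, re.M)
        return m.groups() if m else None
    return {
        "policy": frozenset(re.findall(r"^ (encryption|hash|group) (.+)$", cfg, re.M)),
        "key": find(r"^crypto isakmp key \S+ (\S+) address (\S+)$"),
        "transform": find(r"^crypto ipsec transform-set \S+ (.+)$"),
        "acl": find(r"^access-list (\d+) permit (\S+) (\S+) (\S+) (\S+) (\S+)$"),
        "match": find(r"^ match address (\d+)$"),
    }
def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means both sides line up cleanly."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for side, r in (("A", a), ("B", b)):
        if r["acl"] is None:  # an extended ACL needs a protocol keyword such as 'ip'
            out.append(f"{side}: crypto ACL missing or unparseable (expect 'permit ip ...')")
        elif r["match"] and r["match"][0] != r["acl"][0]:
            out.append(f"{side}: crypto map matches ACL {r['match'][0]} but ACL {r['acl'][0]} is defined")
        for attr in sorted(r["policy"] & LEGACY):
            out.append(f"{side}: legacy ISAKMP setting '{' '.join(attr)}'")
    if a["policy"] != b["policy"]:
        out.append("ISAKMP policy attributes differ; phase 1 will not negotiate")
    if a["key"] and b["key"] and a["key"][0] != b["key"][0]:
        out.append("pre-shared keys differ; phase 1 authentication will fail")
    if a["transform"] != b["transform"]:
        out.append("transform-set proposals differ; phase 2 will fail")
    if a["acl"] and b["acl"]:  # each side's local/remote must be the other's remote/local
        _, proto, src, smask, dst, dmask = b["acl"]
        if a["acl"][1:] != (proto, dst, dmask, src, smask):
            out.append("crypto ACLs are not mirror images; proxy identities will not match")
    return out
```

Run `check_pair(R1, R2)` on the post's configs and only the two legacy-setting findings per side come back; feed it the ACL line with the protocol keyword dropped and it reports the unparseable ACL.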


Sample output from R2 (after a ping from R1 sourced from Lo0)

R2(config)#do show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.2     192.168.1.1     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R2(config)#do show cry ipsec sa

interface: FastEthernet0
    Crypto map tag: VPN-MAP-R1-R2, local addr 192.168.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
   current_peer 192.168.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
    #pkts decaps: 47, #pkts decrypt: 47, #pkts verify: 47
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x6F76C310(1870054160)

     inbound esp sas:
      spi: 0x1F2B01DC(522912220)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, crypto map: VPN-MAP-R1-R2
        sa timing: remaining key lifetime (k/sec): (4605243/2016)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6F76C310(1870054160)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, crypto map: VPN-MAP-R1-R2
        sa timing: remaining key lifetime (k/sec): (4605245/2011)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


Wireshark capture: anything sourced from R1 Lo0 is encrypted (ESP); traffic not sourced from R1 Lo0 is sent in clear text.
