Here is a sample configuration for an IPsec VPN between two routers.
Note: 172.16.1.X/32 are loopback interfaces.
R1
Define IKE Phase 1 Policy (ISAKMP)
(config)#crypto isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2
Define pre-shared key
(config)#crypto isakmp key 0 $pass@word$ address 192.168.1.2
Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac
Create ACL to match interesting traffic
(config)#access-list 150 permit ip 172.16.1.1 0.0.0.0 172.16.1.2 0.0.0.0
Create Crypto Map
(config)#crypto map VPN-MAP-R1-R2 10 ipsec-isakmp
(config-crypto-map)#set peer 192.168.1.2
(config-crypto-map)#set transform-set TRANS-R1-R2
(config-crypto-map)#match address 150
Apply Crypto Map to Interface
(config)#interface fas0
(config-if)#crypto map VPN-MAP-R1-R2
Create a route
(config)#ip route 172.16.1.2 255.255.255.255 fas0
R2
Define IKE Phase 1 Policy (ISAKMP)
(config)#crypto isakmp policy 10
(config-isakmp)#encryption aes 256
(config-isakmp)#authentication pre-share
(config-isakmp)#hash sha
(config-isakmp)#group 2
Define pre-shared key
(config)#crypto isakmp key 0 $pass@word$ address 192.168.1.1
Define IKE Phase 2 Policy (IPSEC)
(config)#crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac
Create ACL to match interesting traffic
(config)#access-list 150 permit ip 172.16.1.2 0.0.0.0 172.16.1.1 0.0.0.0
Create Crypto Map
(config)#crypto map VPN-MAP-R1-R2 10 ipsec-isakmp
(config-crypto-map)#set peer 192.168.1.1
(config-crypto-map)#set transform-set TRANS-R1-R2
(config-crypto-map)#match address 150
Apply Crypto Map to Interface
(config)#interface fas0
(config-if)#crypto map VPN-MAP-R1-R2
Create a route
(config)#ip route 172.16.1.1 255.255.255.255 fas0
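Most crypto-map tunnels that refuse to come up fail because the two sides are not exact mirror images (a missing keyword in one ACL line, a different hash in one policy). The script below is an added example, not part of the original post and not Cisco tooling: it re-types the R1 and R2 commands above in running-config form (without the "(config)#" prompts), parses them, and reports dangling references, non-mirrored entries and legacy algorithm choices in the phase 1 policy. On IOS, "hash sha" selects SHA-1 and "group 2" selects 1024-bit Diffie-Hellman, both of which this check flags as warnings. It assumes one crypto map entry per router and numbered ACLs written with wildcard masks, as on this page.

```python
import re

# Constructed from the page's R1 commands, re-typed in running-config form (no "(config)#" prompts).
R1_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 hash sha
 group 2
crypto isakmp key 0 $pass@word$ address 192.168.1.2
crypto ipsec transform-set TRANS-R1-R2 esp-aes 256 esp-sha-hmac
access-list 150 permit ip 172.16.1.1 0.0.0.0 172.16.1.2 0.0.0.0
crypto map VPN-MAP-R1-R2 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set TRANS-R1-R2
 match address 150
"""
# R2 is R1's mirror image: peer/key address flipped, ACL source and destination swapped.
R2_CONFIG = (R1_CONFIG.replace("192.168.1.2", "192.168.1.1")
             .replace("172.16.1.1 0.0.0.0 172.16.1.2", "172.16.1.2 0.0.0.0 172.16.1.1"))

# ISAKMP policy keywords that select algorithms no longer considered adequate.
LEGACY = {"hash": {"md5": "MD5", "sha": "SHA-1"}, "encryption": {"des": "DES", "3des": "3DES"},
          "group": {"1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)", "5": "DH group 5 (1536-bit)"}}

def parse_config(text):
    """Extract ISAKMP policies, PSK, transform sets, numbered ACLs and the crypto map."""
    cfg = {"policies": {}, "psk": None, "transforms": {}, "acls": {}, "map": {}}
    section = None  # ("policy", number) or ("map",) while inside an indented block
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith(" "):  # sub-command of the current block
            parts = line.split()
            if section and section[0] == "policy":  # e.g. "encryption aes 256"
                cfg["policies"][section[1]][parts[0]] = " ".join(parts[1:])
            elif section and section[0] == "map":  # e.g. "set peer 192.168.1.2"
                cfg["map"][" ".join(parts[:2])] = parts[2]
            continue
        section = None
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            cfg["policies"][m[1]] = {}
            section = ("policy", m[1])
        elif m := re.match(r"crypto isakmp key \d+ (\S+) address (\S+)", line):
            cfg["psk"] = {"key": m[1], "address": m[2]}
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transforms"][m[1]] = tuple(m[2].split())
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append(m.groups()[1:])  # (proto, src, wc, dst, wc)
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):  # one map entry per router assumed
            cfg["map"] = {"name": m[1]}
            section = ("map",)
    return cfg

def check_local(label, cfg):
    """Findings visible from one router alone: legacy algorithms and dangling references."""
    out = []
    for num, pol in cfg["policies"].items():
        for attr, names in LEGACY.items():
            alg = pol.get(attr, "").split(" ")[0]
            if alg in names:
                out.append(("WARN", f"{label}: isakmp policy {num} uses legacy {names[alg]}"))
    cmap = cfg["map"]
    if cfg["psk"] and cmap.get("set peer") != cfg["psk"]["address"]:
        out.append(("ERROR", f"{label}: crypto map peers with {cmap.get('set peer')} but the isakmp key is for {cfg['psk']['address']}"))
    if cmap.get("set transform-set") not in cfg["transforms"]:
        out.append(("ERROR", f"{label}: crypto map references an undefined transform-set"))
    if cmap.get("match address") not in cfg["acls"]:
        out.append(("ERROR", f"{label}: crypto map references missing or unparsable ACL {cmap.get('match address')}"))
    return out

def check_pair(a, b):
    """Findings that need both ends: same PSK and transforms, identical phase-1 policy, mirrored ACL."""
    out = []
    if a["psk"] and b["psk"] and a["psk"]["key"] != b["psk"]["key"]:
        out.append(("ERROR", "pre-shared keys differ"))
    ta = a["transforms"].get(a["map"].get("set transform-set"))
    tb = b["transforms"].get(b["map"].get("set transform-set"))
    if ta and tb and ta != tb:
        out.append(("ERROR", f"transform sets differ: {ta} vs {tb}"))
    for who, x, y in (("R1", a, b), ("R2", b, a)):
        for num, pol in x["policies"].items():
            if pol not in y["policies"].values():
                out.append(("ERROR", f"{who}: isakmp policy {num} has no identical policy on the peer"))
        peer_acl = y["acls"].get(y["map"].get("match address"), [])
        for proto, src, swc, dst, dwc in x["acls"].get(x["map"].get("match address"), []):
            if (proto, dst, dwc, src, swc) not in peer_acl:
                out.append(("ERROR", f"{who}: ACL entry {proto} {src} {swc} -> {dst} {dwc} is not mirrored on the peer"))
    return out

def audit(r1_text, r2_text):
    a, b = parse_config(r1_text), parse_config(r2_text)
    return check_local("R1", a) + check_local("R2", b) + check_pair(a, b)

if __name__ == "__main__":
    for severity, message in audit(R1_CONFIG, R2_CONFIG):
        print(f"{severity}: {message}")
```

For the pair above the script prints only the two WARN lines about SHA-1 and DH group 2. Drop the "ip" keyword from one ACL line, or change one side's "hash", and the same run turns into ERROR findings on the ACL reference and the phase 1 policy, which is exactly the kind of mismatch that otherwise only shows up as a silent IKE negotiation failure.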
Sample output from R2 (after a ping from R1 sourced from Lo0)
R2(config)#do show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.1.2 192.168.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R2(config)#do show cry ipsec sa
interface: FastEthernet0
Crypto map tag: VPN-MAP-R1-R2, local addr 192.168.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
current_peer 192.168.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
#pkts decaps: 47, #pkts decrypt: 47, #pkts verify: 47
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x6F76C310(1870054160)
inbound esp sas:
spi: 0x1F2B01DC(522912220)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: VPN-MAP-R1-R2
sa timing: remaining key lifetime (k/sec): (4605243/2016)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6F76C310(1870054160)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: VPN-MAP-R1-R2
sa timing: remaining key lifetime (k/sec): (4605245/2011)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Wireshark capture: anything sourced from R1 Lo0 is encrypted (ESP); traffic not sourced from R1 Lo0 is sent in clear text.
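The counters in the "show crypto ipsec sa" output above are the fastest way to tell which side is misbehaving: "#pkts encaps" rising while "#pkts decaps" stays at zero means this router is encrypting but nothing is coming back through the tunnel, which is what a non-mirrored ACL, or traffic sourced from an address the ACL does not cover (the clear-text case in the capture above), looks like from the router. The script below is an added example, not from the original post; it parses the R2 output reproduced above (a constructed sample, trimmed to the lines it reads) into a dictionary and turns it into a health verdict. The checks in assess() and the expected transform are assumptions about what a healthy tunnel looks like for this configuration.

```python
import re

# Constructed from the page's "show crypto ipsec sa" output on R2, trimmed to
# the lines this parser reads.
SAMPLE = """\
interface: FastEthernet0
    Crypto map tag: VPN-MAP-R1-R2, local addr 192.168.1.2
   protected vrf: (none)
   local ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
   current_peer 192.168.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
    #pkts decaps: 47, #pkts decrypt: 47, #pkts verify: 47
    #send errors 0, #recv errors 0
     current outbound spi: 0x6F76C310(1870054160)
     inbound esp sas:
      spi: 0x1F2B01DC(522912220)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4605243/2016)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x6F76C310(1870054160)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4605245/2011)
        replay detection support: Y
        Status: ACTIVE
"""

def parse_ipsec_sa(text):
    """Turn one crypto-map entry of 'show crypto ipsec sa' into a dict."""
    sa = {"counters": {}, "inbound": {}, "outbound": {}}
    direction = None  # "inbound"/"outbound" while inside an ESP SA block
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface: (\S+)", line):
            sa["interface"] = m[1]
        elif m := re.match(r"Crypto map tag: (\S+?), local addr (\S+)", line):
            sa["map"], sa["local_addr"] = m[1], m[2]
        elif m := re.match(r"(local|remote)\s+ident .*: \((\S+?)/(\S+?)/", line):
            sa[m[1]] = (m[2], m[3])  # protected address and mask
        elif m := re.match(r"current_peer (\S+) port", line):
            sa["peer"] = m[1]
        elif line.startswith("#"):  # packet and error counters
            for name, value in re.findall(r"#([\w. ]+?):?\s+(\d+)", line):
                sa["counters"][name] = int(value)
        elif m := re.match(r"(inbound|outbound) (\w+) sas:", line):
            direction = m[1] if m[2] == "esp" else None  # ah/pcp blocks are empty here
        elif direction:
            d = sa[direction]
            if m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
                d["spi"] = m[1]
            elif m := re.match(r"transform: (.+)", line):
                d["transform"] = tuple(m[1].rstrip(" ,").split())
            elif m := re.match(r"sa timing: .*\((\d+)/(\d+)\)", line):
                d["kb_left"], d["sec_left"] = int(m[1]), int(m[2])
            elif m := re.match(r"replay detection support: (\w)", line):
                d["replay"] = m[1] == "Y"
            elif m := re.match(r"Status: (\w+)", line):
                d["status"] = m[1]
    return sa

def assess(sa, expected=("esp-256-aes", "esp-sha-hmac")):
    """Return the reasons this SA pair is not healthy (empty list means OK)."""
    problems = []
    for d in ("inbound", "outbound"):
        s = sa[d]
        if s.get("status") != "ACTIVE":
            problems.append(f"{d} ESP SA missing or not ACTIVE")
        elif s.get("transform") != expected:
            problems.append(f"{d} transform {s.get('transform')} differs from {expected}")
        if not s.get("replay"):
            problems.append(f"{d} SA has replay detection disabled")
    c = sa["counters"]
    if c.get("pkts encaps", 0) == 0 or c.get("pkts decaps", 0) == 0:
        problems.append("traffic is one-way or absent (encaps/decaps counter is 0)")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        problems.append("send/recv errors are non-zero")
    return problems

if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    print(parsed["local"], "<->", parsed["remote"], "via peer", parsed["peer"])
    print("healthy" if not assess(parsed) else assess(parsed))
```

Run twice a few seconds apart on a live box and diff the two parsed dictionaries: the SPIs should stay the same while both encaps and decaps move, and the remaining lifetime should count down. A new SPI between runs means the SA was rekeyed or torn down, and an encaps counter that moves without decaps is the one-way symptom described above.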