CCNA Security 210-260: Module 2: Virtual Private Networks (VPNs), Lesson 5: Implementing IPsec Site-to-Site VPNs

Lesson 5: Implementing IPsec Site-to-Site VPNs
5.1 Configuring IPsec Site-to-Site VPNs in Cisco IOS Devices
5.2 Troubleshooting IPsec Site-to-Site VPNs in Cisco IOS Devices
5.3 Configuring IPsec Site-to-Site VPNs in Cisco ASA
5.4 Troubleshooting IPsec Site-to-Site VPNs in Cisco ASA

=================================================

5.1 Configuring IPsec Site-to-Site VPNs in Cisco IOS Devices

There are many ways that you can configure IPsec Site-to-site VPNs in a Cisco IOS device:
– Traditional/basic site-to-site configurations
– IPsec over Generic Routing Encapsulation (GRE)
– Dynamic Multipoint Virtual Private Network (DMVPN)
– FlexVPN

GRE is a tunneling protocol developed by Cisco that can encapsulate a wide variety of network layer protocols; examples are multicast traffic and routing protocols.

DMVPN is a Cisco IOS Software solution for building scalable IPsec VPNs. Cisco DMVPN uses a centralized architecture to provide easier implementation and management for deployments that require granular access controls for sites and users (including mobile workers and telecommuters).

FlexVPN is a newer framework for configuring IPsec VPNs with IKE version 2 (IKEv2) on Cisco IOS devices.
In the following examples you will learn how to configure a basic IPsec site-to-site tunnel between two Cisco routers.

[Image: 5-1a.jpg]

Protocols and ports that may be required for IPsec:
– IKEv1 Phase 1 uses UDP port 500 for its negotiation.
– IP protocol 50 – Encapsulating Security Payload (ESP)
– IP protocol 51 – Authentication Header (AH)
– NAT-T (NAT Traversal) – if both peers support NAT-T and detect that they are connecting to each other through a Network Address Translation (NAT) device, they may negotiate to encapsulate the ESP packets in UDP port 4500.

Lab 5.1


R1#show run

version 15.2
!
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 2
crypto isakmp key 6 K0a!a address 172.16.123.2
!
!
crypto ipsec transform-set brendanSET esp-aes 256 esp-sha512-hmac
!
crypto map brendanMAP 1 ipsec-isakmp
set peer 172.16.123.2
set transform-set brendanSET
match address 100
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.101.1 255.255.255.0
!
interface Serial2/0
ip address 172.16.123.1 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
frame-relay map ip 172.16.123.2 102 broadcast
frame-relay map ip 172.16.123.3 103 broadcast
no frame-relay inverse-arp
crypto map brendanMAP
!
access-list 100 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
!
end

+======================================================+

R2#show run

version 15.2
!
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 2
crypto isakmp key 6 K0a!a address 172.16.123.1
!
!
crypto ipsec transform-set brendanSET esp-aes 256 esp-sha512-hmac
!
crypto map brendanMAP 1 ipsec-isakmp
set peer 172.16.123.1
set transform-set brendanSET
match address 100
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.102.1 255.255.255.0
!
interface Serial2/0
ip address 172.16.123.2 255.255.255.0
encapsulation frame-relay
serial restart-delay 0
frame-relay map ip 172.16.123.3 201
frame-relay map ip 172.16.123.1 201 broadcast
no frame-relay inverse-arp
crypto map brendanMAP
!
access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
!
end

+======================================================+

R1#show crypto ipsec sa

interface: Serial2/0
Crypto map tag: brendanMAP, local addr 172.16.123.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer 172.16.123.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.123.1, remote crypto endpt.: 172.16.123.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

+======================================================+

R2#show crypto ipsec sa

interface: Serial2/0
Crypto map tag: brendanMAP, local addr 172.16.123.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer 172.16.123.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.123.2, remote crypto endpt.: 172.16.123.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
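Both peers must agree on every phase 1 and phase 2 parameter before any SA is built, so a quick troubleshooting step is to compare the crypto sections of the two running-configs. The script below is an added example, not part of the original lesson: it parses constructed sample configs modelled on R1 and R2 above (the sample R2 deliberately uses a different ESP hash), reports policy, transform-set and crypto ACL mismatches, and flags parameters such as DH group 2 that are too weak for a new tunnel.

```python
import re

# Constructed sample running-configs modelled on the two-router lab (not the
# page's own output). R2 deliberately carries a different ESP integrity
# algorithm so the comparison has something to report.
R1_CFG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 2
crypto ipsec transform-set brendanSET esp-aes 256 esp-sha512-hmac
access-list 100 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
"""
R2_CFG = R1_CFG.replace("esp-sha512-hmac", "esp-sha256-hmac").replace(
    "192.168.101.0 0.0.0.255 192.168.102.0", "192.168.102.0 0.0.0.255 192.168.101.0")

# Algorithms and DH groups that should no longer be used for a new tunnel.
WEAK = {"group 1", "group 2", "group 5", "hash md5", "encr des", "encr 3des",
        "esp-des", "esp-3des", "esp-md5-hmac"}

def parse(cfg):
    """Extract the IKEv1 policy lines, the transform-set tokens and the crypto ACL."""
    m = re.search(r"^crypto isakmp policy \d+\n((?: .+\n)+)", cfg, re.M)
    policy = frozenset(l.strip() for l in m.group(1).splitlines()) if m else frozenset()
    m = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    transform = frozenset(m.group(1).split()) if m else frozenset()
    m = re.search(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M)
    acl = (m.group(1), m.group(2)) if m else None
    return policy, transform, acl

def check_pair(cfg_a, cfg_b):
    """Return the mismatches that keep the tunnel down, plus any weak parameters."""
    pa, ta, aa = parse(cfg_a)
    pb, tb, ab = parse(cfg_b)
    problems = []
    if pa != pb:  # IKE phase 1: every policy attribute must match a peer policy
        problems.append("phase 1 policy mismatch: %s" % sorted(pa ^ pb))
    if ta != tb:  # IKE phase 2: the transform sets must agree
        problems.append("phase 2 transform-set mismatch: %s" % sorted(ta ^ tb))
    if aa and ab and aa != (ab[1], ab[0]):  # crypto ACLs must mirror each other
        problems.append("crypto ACLs are not mirror images: %s / %s" % (aa, ab))
    for phase, items in (("phase 1", pa | pb), ("phase 2", ta | tb)):
        weak = sorted(WEAK & items)
        if weak:
            problems.append("%s uses weak parameters: %s" % (phase, weak))
    return problems

if __name__ == "__main__":
    for p in check_pair(R1_CFG, R2_CFG):
        print(p)
```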


5.2 Troubleshooting IPsec Site-to-Site VPNs in Cisco IOS Devices
5.3 Configuring IPsec Site-to-Site VPNs in Cisco ASA
5.4 Troubleshooting IPsec Site-to-Site VPNs in Cisco ASA
