Friday, 13 March 2020

SITE TO SITE IPSEC VPN CONFIGURATION

Let's start



INTERFACES STATUS
=========================

R1#sh int des | i up
Fa0                            up             up       LAN
Se0                            up             up       WAN
R1#sh ip int brief | i up
FastEthernet0              10.0.0.1        YES NVRAM  up                    up
Serial0                    12.0.0.1        YES NVRAM  up                    up

R2#sh int des | i up
Fa0                            up             up       LAN
Se0                            up             up       WAN
R2#sh ip int brief | i up
FastEthernet0              20.0.0.1        YES NVRAM  up                    up
Serial0                    12.0.0.2        YES NVRAM  up                    up

ABLE TO PING FROM PC1 TO PC2 & VICE VERSA
=========================================
PC1> ping 20.0.0.100
84 bytes from 20.0.0.100 icmp_seq=1 ttl=62 time=36.002 ms
84 bytes from 20.0.0.100 icmp_seq=2 ttl=62 time=58.003 ms
84 bytes from 20.0.0.100 icmp_seq=3 ttl=62 time=43.003 ms
84 bytes from 20.0.0.100 icmp_seq=4 ttl=62 time=43.003 ms
84 bytes from 20.0.0.100 icmp_seq=5 ttl=62 time=44.002 ms

PC2> ping 10.0.0.100
84 bytes from 10.0.0.100 icmp_seq=1 ttl=62 time=54.003 ms
84 bytes from 10.0.0.100 icmp_seq=2 ttl=62 time=53.003 ms
84 bytes from 10.0.0.100 icmp_seq=3 ttl=62 time=42.002 ms
84 bytes from 10.0.0.100 icmp_seq=4 ttl=62 time=38.002 ms
84 bytes from 10.0.0.100 icmp_seq=5 ttl=62 time=40.002 ms

Step 1 :- Create ACL to define Interesting Traffic.
Step 2 :- Define parameters for IKE Phase 1 Tunnel (ISAKMP Tunnel)
      a) Enable Crypto ISAKMP
      b) Configure HAGLE parameters (Hash, Authentication, Group, Lifetime, Encryption)
      c) Set peer & key
Step 3 :- Define parameters for IKE Phase 2 Tunnel (IPSec Tunnel)
Step 4 :- Create Crypto map and apply to the appropriate interface.

**** every command begins with crypto ****

STEP 1  - Create ACL to define "Interesting" Traffic
=====================================================

R1(config)#access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
R2(config)#access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

note :- the ACL numbers do not have to match on the two VPN devices; what must match is that the two entries are mirror images of each other (source and destination swapped).
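
The mirror-image requirement above is the most common thing to get wrong in Step 1, so here is a small checker for it. This is an added example, not code from the original post: the two ACL lines are copied from the post, while the function names, the wildcard-to-prefix conversion and the deliberately mistyped second ACL are my own.

```python
# Added example, not part of the original post: sanity checks for the crypto
# ACLs that define "interesting" traffic. The two ACL lines are copied from the
# post; the function names and the extra mistyped ACL are my own.
import ipaddress
import re

R1_ACL = "access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255"
R2_ACL = "access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255"
# Constructed mistake: a /16 wildcard on R2 only, a classic phase 2 failure.
BAD_R2_ACL = "access-list 101 permit ip 20.0.0.0 0.0.255.255 10.0.0.0 0.0.0.255"

# Numbered extended entry in address/wildcard form (the "host"/"any" keyword
# forms are not handled here).
ACL_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<swc>\S+)\s+(?P<dst>\S+)\s+(?P<dwc>\S+)"
)


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network. A wildcard is an
    inverted mask, so 0.0.0.255 -> /24 and 0.0.0.0 -> /32 (a single host).
    Non-contiguous wildcards do not belong in a crypto ACL and are rejected."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def parse_acl(line):
    """Parse one numbered extended ACL entry into its fields."""
    m = ACL_RE.search(line)
    if not m:
        raise ValueError("not a numbered extended ACL entry: " + line)
    return {
        "num": int(m["num"]),
        "action": m["action"],
        "proto": m["proto"],
        "src": wildcard_to_network(m["src"], m["swc"]),
        "dst": wildcard_to_network(m["dst"], m["dwc"]),
    }


def is_mirror(local_line, remote_line):
    """True when the remote entry is the exact mirror image of the local one.
    The Phase 2 proxy identities come from these entries, so a subnet or
    wildcard that differs between the two sides keeps the IPsec SA from
    being negotiated."""
    a, b = parse_acl(local_line), parse_acl(remote_line)
    return (a["action"] == b["action"] == "permit"
            and a["proto"] == b["proto"]
            and a["src"] == b["dst"]
            and a["dst"] == b["src"])


def is_interesting(acl_line, src_ip, dst_ip):
    """Would a packet from src_ip to dst_ip be sent through the tunnel?"""
    e = parse_acl(acl_line)
    return (e["action"] == "permit"
            and ipaddress.IPv4Address(src_ip) in e["src"]
            and ipaddress.IPv4Address(dst_ip) in e["dst"])


if __name__ == "__main__":
    print("R1/R2 ACLs mirror each other:", is_mirror(R1_ACL, R2_ACL))
    # PC1 -> PC2 is interesting; the routers' own WAN traffic is not.
    print("PC1 -> PC2 encrypted:", is_interesting(R1_ACL, "10.0.0.100", "20.0.0.100"))
    print("R1 -> R2 WAN encrypted:", is_interesting(R1_ACL, "12.0.0.1", "12.0.0.2"))
    print("R1 vs mistyped R2 ACL:", is_mirror(R1_ACL, BAD_R2_ACL))
```

The ACL number is parsed but deliberately ignored by `is_mirror`, which is exactly the point of the note: 100 on one side and 101 on the other is fine, a /16 wildcard on one side and a /24 on the other is not.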

STEP 2 - Define parameters for IKE Phase 1 Tunnel (ISAKMP Tunnel)
==================================================================
a) Enable Crypto ISAKMP
==================================================================
R1#sh crypto isakmp policy
ISAKMP is turned off
R2#sh crypto isakmp policy
ISAKMP is turned off

R1(config)#crypto isakmp enable
Mar 13 02:24:38.171: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1#sh cry isakmp policy

Global IKE policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit


NOTE :- By default there is one IKE PHASE 1 ISAKMP Policy present.

R2(config)#crypto isakmp enable
Mar 13 02:26:44.519: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

b) Configure HAGLE parameters
==================================================================
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 5
R1(config-isakmp)#encryption aes
R1(config-isakmp)#^Z

R1#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

R2(config)#crypto isakmp policy 10
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 5
R2(config-isakmp)#encryption aes
R2(config-isakmp)#^Z

R2#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
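
Note that the default protection suite (DES, SHA-1, RSA signatures, DH group 1) is still listed under the new policy 10, and any suite in this list can be matched if a peer proposes it. As an added example, not part of the original post, the script below parses the `show crypto isakmp policy` output from R1 above and grades each suite; the thresholds (what counts as FAIL versus WARN) and the function names are my own choices.

```python
# Added example, not from the original post: parse "show crypto isakmp policy"
# and flag weak Phase 1 settings. SHOW_POLICY is the R1 output from the post;
# the FAIL/WARN thresholds and the function names are my own.
import re

SHOW_POLICY = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""


def parse_policies(text):
    """Return one dict per protection suite, in the order IOS evaluates them
    (lowest priority number first, the default suite last)."""
    policies, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            cur = {"priority": int(m.group(1))}
            policies.append(cur)
        elif line.startswith("Default protection suite"):
            cur = {"priority": None}
            policies.append(cur)
        elif cur is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            cur[key.strip()] = value.strip()
    return policies


def audit_policy(p):
    """FAIL = should not be negotiable at all; WARN = legacy, plan to move off it."""
    findings = []
    enc = p.get("encryption algorithm", "")
    if enc.startswith("DES"):
        findings.append("FAIL encryption: single DES (56-bit) is broken")
    elif enc.startswith("Three key triple DES"):
        findings.append("WARN encryption: 3DES is deprecated, use AES")
    hsh = p.get("hash algorithm", "")
    if hsh.startswith("Message Digest 5"):
        findings.append("FAIL hash: MD5")
    elif hsh == "Secure Hash Standard":  # SHA-1; IOS prints SHA-256 with a "2 (256 bit)" suffix
        findings.append("WARN hash: SHA-1, prefer SHA-256")
    m = re.search(r"#(\d+)", p.get("Diffie-Hellman group", ""))
    group = int(m.group(1)) if m else 0
    if group in (1, 2):
        findings.append(f"FAIL dh: group {group} (1024-bit MODP or smaller)")
    elif group == 5:
        findings.append("WARN dh: group 5 (1536-bit), prefer group 14 or higher")
    m = re.match(r"(\d+) seconds", p.get("lifetime", ""))
    if m and int(m.group(1)) > 86400:
        findings.append("WARN lifetime: longer than one day")
    return findings


def audit_all(policies):
    """Map each suite's priority (None = default suite) to its findings."""
    return {p["priority"]: audit_policy(p) for p in policies}


def has_fail(policies):
    """True if any suite the router would accept carries a FAIL finding."""
    return any(f.startswith("FAIL") for fs in audit_all(policies).values() for f in fs)


if __name__ == "__main__":
    pols = parse_policies(SHOW_POLICY)
    for prio, findings in audit_all(pols).items():
        print("default suite" if prio is None else f"priority {prio}", findings or ["ok"])
    print("router accepts a FAIL-grade suite:", has_fail(pols))
```

Run against the output above, policy 10 gets two WARNs (SHA-1 and DH group 5) and the default suite gets two FAILs (DES and DH group 1), so `has_fail` is true even though the administrator configured a reasonable policy. Releases that support `no crypto isakmp default policy` let you remove the default suite; otherwise the audit at least makes its presence visible.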

c) Set peer & key
==================================================================
R1(config)#crypto isakmp key ?
  0  Specifies an UNENCRYPTED password will follow
  6  Specifies an ENCRYPTED password will follow
  note - either way the key is never sent in clear text over the public network; 0 vs 6 only controls how the key is stored locally in the configuration (plain text or encrypted)

R1(config)#crypto isakmp key 0 cisco123 address 12.0.0.2
R1#sh crypto isakmp key
Keyring               Hostname/Address                   Preshared Key

default               12.0.0.2                           cisco123

R2(config)#crypto isakmp key 0 cisco123 address 12.0.0.1

R2#sh crypto isakmp key
Keyring               Hostname/Address                   Preshared Key

default               12.0.0.1                           cisco123
R2#

====================================================================
Step 3 :- Define parameters for IKE Phase 2 Tunnel (IPSec Tunnel)
====================================================================

R1(config)#crypto ipsec transform-set AMARTECH esp-aes 128 esp-md5-hmac
R1(cfg-crypto-trans)#^Z
R1#sh crypto ipsec transform-set
Transform set AMARTECH: { esp-aes esp-md5-hmac  }
   will negotiate = { Tunnel,  },
R2(config)#crypto ipsec transform-set AMARTECH esp-aes 128 esp-md5-hmac
R2(cfg-crypto-trans)#^Z
R2#
R2#config
Mar 13 03:07:38.415: %SYS-5-CONFIG_I: Configured from console by console
R2#sh crypto ipsec transform-set
Transform set AMARTECH: { esp-aes esp-md5-hmac  }
   will negotiate = { Tunnel,  },

====================================================================
Step 4 :- Create Crypto map and apply to the appropriate interface.
====================================================================

R1(config)#crypto map TECHMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 12.0.0.2
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set transform-set AMARTECH
R1(config-crypto-map)#^Z


R2(config)#crypto map TECHMAP 10 IPsec-ISakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set peer 12.0.0.1
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#set transform-set AMARTECH
R2(config-crypto-map)#^Z

R1#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
        Peer = 12.0.0.2
        Extended IP access list 100
            access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                AMARTECH,
        }
        Interfaces using crypto map TECHMAP:

R2#sh crypto ma
Crypto Map "TECHMAP" 10 ipsec-isakmp
        Peer = 12.0.0.1
        Extended IP access list 100
            access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                AMARTECH,
        }
        Interfaces using crypto map TECHMAP:

R1(config)#int s0
R1(config-if)#crypto map TECHMAP
R1(config-if)#^Z
R1#

R1#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
        Peer = 12.0.0.2
        Extended IP access list 100
            access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
        Current peer: 12.0.0.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                AMARTECH,
        }
        Interfaces using crypto map TECHMAP:
                Serial0

R2(config)#int s0
R2(config-if)#cry
R2(config-if)#crypto map TECHMAP
R2(config-if)#^Z
R2#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
        Peer = 12.0.0.1
        Extended IP access list 100
            access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
        Current peer: 12.0.0.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                AMARTECH,
        }
        Interfaces using crypto map TECHMAP:
                Serial0

========================================================================

Before any interesting traffic has crossed the link there is no ISAKMP SA and no IPsec SA yet:

R1#sh cry isakmp sa
dst             src             state          conn-id slot status

R1#sh cry ipsec
R1#sh cry ipsec sa

interface: Serial0
    Crypto map tag: TECHMAP, local addr 12.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
   current_peer 12.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 12.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

========================================================================

After interesting traffic (the PC1 to PC2 ping) crosses the link, IKE Phase 1 reaches QM_IDLE and the IPsec SAs become ACTIVE:

R1#sh cry isakmp sa
dst             src             state          conn-id slot status
12.0.0.2        12.0.0.1        QM_IDLE              1    0 ACTIVE

R2#sh cry isakmp sa
dst             src             state          conn-id slot status
12.0.0.2        12.0.0.1        QM_IDLE              1    0 ACTIVE


R1#sh cry ipsec sa

interface: Serial0
    Crypto map tag: TECHMAP, local addr 12.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
   current_peer 12.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest: 21
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 12.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0
     current outbound spi: 0xA9BA9F1(177973745)

     inbound esp sas:
      spi: 0x3637026C(909574764)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: TECHMAP
        sa timing: remaining key lifetime (k/sec): (4525445/3524)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA9BA9F1(177973745)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: TECHMAP
        sa timing: remaining key lifetime (k/sec): (4525445/3522)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2#sh crypto ipsec sa

interface: Serial0
    Crypto map tag: TECHMAP, local addr 12.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 12.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
    #pkts decaps: 67, #pkts decrypt: 67, #pkts verify: 67
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.0.0.2, remote crypto endpt.: 12.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0
     current outbound spi: 0x3637026C(909574764)

     inbound esp sas:
      spi: 0xA9BA9F1(177973745)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: TECHMAP
        sa timing: remaining key lifetime (k/sec): (4467647/3445)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3637026C(909574764)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: TECHMAP
        sa timing: remaining key lifetime (k/sec): (4467647/3443)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


Thanks for Reading !!!!!!

3 comments:

  1. Sir, how to configure in the cloud to provide connectivity between 2 routers?

    I am trying, but the 2 routers are unable to ping each other.

  2. Very useful, thank you very much.
