VPN site to site packet tracer 5.3 lab - The Cisco Learning Network
First of all, you need to study the concepts of IPsec, VPN types and cryptology well before you read this document.
It just shows you how to type the right commands on both router sides using Packet Tracer 5.3.
We will have the following topology:
Notice that you will set a static route between the two routers, while in real life both would be connected through ISPs.
For router1 we will type the following commands:
Router(config)# crypto isakmp enable   <=== enable IPsec
Router(config)# crypto isakmp policy 1   <=== set a new policy with number 1
Router(config-isakmp)# authentication pre-share   <=== use the shared-key authentication method (if you use certificates, use rsa-sig instead of pre-share)
Router(config-isakmp)# encryption aes   <=== use the symmetric encryption algorithm AES
Router(config-isakmp)# hash sha   <=== use the hash algorithm SHA for data integrity
Router(config-isakmp)# group 2   <=== use Diffie-Hellman group 2
Router(config-isakmp)# exit
Router(config)# crypto isakmp key 0 address 11.0.0.1 0.0.0.0   <=== 0 is the key that will be used with the next site; the next site IP address is 11.0.0.1, and note that on Packet Tracer you use 0.0.0.0 instead of the subnet mask
Router(config)# crypto ipsec transform-set yasser esp-aes esp-sha-hmac   <=== set a transform set called yasser; ESP is the protocol that will be used (you can use AH on an internal VPN)
Router(config)# crypto ipsec security-association lifetime seconds 86400   <=== the key expires after 86400 seconds
Router(config)# ip access-list extended ramzy   <=== ACL called ramzy to tell which traffic will use the VPN tunnel
Router(config-ext-nacl)# permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Router(config-ext-nacl)# exit
Router(config)# crypto map auda 100 ipsec-isakmp   <=== create a crypto map called auda with sequence number 100
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)# match address ramzy   <=== link the above ACL to this crypto map
Router(config-crypto-map)# set peer 11.0.0.1   <=== link the next site IP address to this crypto map
Router(config-crypto-map)# set pfs group2   <=== link DH group 2 to this crypto map
Router(config-crypto-map)# set transform-set yasser   <=== link the above transform set to this crypto map
Router(config-crypto-map)# ex
Router(config)# int fa0/1   <=== apply crypto map auda to the interface facing the next site link.
Router(config-if)# crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)# do wr
Building configuration...
[OK]
Router(config-if)# ^Z
Router#
For router0 we will type the following commands:
Router(config)# crypto isakmp enable
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# encryption aes
Router(config-isakmp)# group 2
Router(config-isakmp)# hash sha
Router(config-isakmp)# exit
Router(config)# crypto isakmp key 0 address 11.0.0.2 0.0.0.0
Router(config)# crypto ipsec transform-set yasser esp-aes esp-sha-hmac
Router(config)# crypto ipsec security-association lifetime seconds 86400
Router(config)# ip access-list extended ramzy
Router(config-ext-nacl)# permit ip 10.0.0.0 0.255.255.255 12.0.0.0 0.255.255.255
Router(config-ext-nacl)# exit
Router(config)# crypto map auda 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)# match address ramzy
Router(config-crypto-map)# set peer 11.0.0.2
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set transform-set yasser
Router(config-crypto-map)# exit
Router(config)# interface fastEthernet 0/1
Router(config-if)# crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)# exit
Router(config)# do wr
Building configuration...
[OK]
Router(config)#
https://learningnetwork.cisco.com/docs/DOC10756
04/10/2015
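As an added example (not part of the lab or the author's files), a small Python checker that pulls the lines that must agree on both routers out of the two listings above and reports what is inconsistent: peers that do not cross-match, an isakmp key address that differs from the crypto map peer, non-mirrored crypto ACLs, differing transform sets or PFS groups, and a pre-shared key too short for anything but a lab. The config strings are condensed from the commands above; the WAN addresses 11.0.0.2 (router1) and 11.0.0.1 (router0) are taken from the show crypto ipsec sa output further down.

```python
# Constructed from the router1 and router0 listings above (not the author's files).
ROUTER1 = """crypto isakmp key 0 address 11.0.0.1 0.0.0.0
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
 permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 set peer 11.0.0.1
 set pfs group2"""
ROUTER0 = """crypto isakmp key 0 address 11.0.0.2 0.0.0.0
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
 permit ip 10.0.0.0 0.255.255.255 12.0.0.0 0.255.255.255
 set peer 11.0.0.2
 set pfs group2"""

def parse(cfg):
    """Pull out the fields that must agree between the two VPN endpoints."""
    f = {}
    for t in (line.split() for line in cfg.splitlines()):
        if t[:3] == ["crypto", "isakmp", "key"]:             # key string, then peer address (as typed in the lab)
            f["psk"], f["key_addr"] = t[3], t[5]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:  # name, then the ESP/AH transforms
            f["transform"] = tuple(t[4:])
        elif t[:2] == ["permit", "ip"]:                      # src wildcard dst wildcard
            f["acl"] = tuple(t[2:6])
        elif t[:2] == ["set", "peer"]:
            f["peer"] = t[2]
        elif t[:2] == ["set", "pfs"]:
            f["pfs"] = t[2]
    return f

def check(a, a_addr, b, b_addr):
    """List the mismatches between endpoint a (WAN address a_addr) and b (b_addr)."""
    issues = []
    if a["peer"] != b_addr or b["peer"] != a_addr:
        issues.append("set peer does not point at the other side")
    if a["key_addr"] != a["peer"] or b["key_addr"] != b["peer"]:
        issues.append("isakmp key address does not match the crypto map peer")
    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ")
    elif len(a["psk"]) < 16:   # the lab's key "0" trips this: fine for Packet Tracer, not for a real link
        issues.append("pre-shared key is too short")
    for k in ("transform", "pfs"):
        if a[k] != b[k]:
            issues.append(f"{k} differs")
    s, sw, d, dw = a["acl"]
    if b["acl"] != (d, dw, s, sw):   # the other side's crypto ACL must be the exact mirror image
        issues.append("crypto ACLs are not mirror images")
    return issues
```

Running check(parse(ROUTER1), "11.0.0.2", parse(ROUTER0), "11.0.0.1") on the lab configs returns only the short-key finding; swapping the ACL direction on one side adds the mirror-image finding.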
Now let's go to router0 and do some show commands:
Router# show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Router#
Router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
11.0.0.1        11.0.0.2        QM_IDLE           1062    0 ACTIVE

IPv6 Crypto ISAKMP SA

Router#
Router# show crypto map
Crypto Map auda 100 ipsec-isakmp
        Peer = 11.0.0.1
        Extended IP access list ramzy
            access-list ramzy permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
        Current peer: 11.0.0.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): Y
        Transform sets={
                yasser,
        }
        Interfaces using crypto map auda:
                FastEthernet0/1
Router#
Router# sh crypto ipsec transform-set
Transform set yasser: { esp-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },
Router#
Now let's make pc0 ping pc1 and look at the IPsec SAs:
Router# show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: auda, local addr 11.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 11.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 11.0.0.2, remote crypto endpt.: 11.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x12D96D50(316239184)

     inbound esp sas:
      spi: 0x590D14F4(1494029556)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:1, crypto map: auda
        sa timing: remaining key lifetime (k/sec): (4525504/86170)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x12D96D50(316239184)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: FPGA:1, crypto map: auda
        sa timing: remaining key lifetime (k/sec): (4525504/86170)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
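As an added example (not part of the original lab), a Python triage helper that reads the two show outputs above and says which phase of the tunnel is broken: phase 1 from the ISAKMP SA table (QM_IDLE/ACTIVE, a "(deleted)" entry, or no entry at all), then phase 2 from the encaps/decaps counters. The sample lines are constructed and condensed from the output above; the peer address is a parameter.

```python
import re

# Constructed sample lines, condensed from the show output in the lab above.
ISAKMP_SA = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
11.0.0.1        11.0.0.2        QM_IDLE           1062    0 ACTIVE
"""
IPSEC_SA = """    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 0
    #send errors 1, #recv errors 0
"""

def phase1_state(isakmp_sa, peer):
    """Phase 1 state towards PEER from 'show crypto isakmp sa': up, deleted, negotiating or none."""
    for line in isakmp_sa.splitlines():
        t = line.split()
        if len(t) >= 6 and peer in t[:2]:            # data row: dst src state conn-id slot status
            if "(deleted)" in line:                  # SA was torn down; phase 1 must be rebuilt
                return "deleted"
            return "up" if t[2] == "QM_IDLE" and t[5] == "ACTIVE" else "negotiating"
    return "none"

def phase2_counters(ipsec_sa):
    """Packet counters from 'show crypto ipsec sa' as {name: count}."""
    pairs = re.findall(r"#(pkts [a-z. ]+?|send errors|recv errors):?\s+(\d+)", ipsec_sa)
    return {name.strip(): int(count) for name, count in pairs}

def diagnose(isakmp_sa, ipsec_sa, peer):
    """One-line verdict on the tunnel to PEER, checked in the order the SAs are built."""
    state = phase1_state(isakmp_sa, peer)
    if state != "up":
        return f"phase 1 {state}: check the isakmp policy, the pre-shared key and reachability of {peer}"
    c = phase2_counters(ipsec_sa)
    if c.get("pkts encaps", 0) == 0:
        return "phase 1 up but nothing encrypted: interesting traffic is not matching the crypto ACL"
    if c.get("pkts decaps", 0) == 0:
        return "encrypting but never decrypting: the far side is not answering (check its ACL and routing)"
    return "tunnel passing traffic both ways"
```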
packet tracer file: vpn1.pkt.zip
yasser ramzy auda
CCNA, CCNA security, CCNA voice, CCDA, CCNP, CCIP, CCNP security (CCSP).
8 Comments
sami  24 Nov 2012 22:12
Thank You Mr. yasser ..^__^..

Christian Quiroga  01 Mar 2013 08:58
Thanks
hpardo1987  07 Apr 2013 05:05
I tried using these same settings (different IPs) with a 2811 in the middle acting as the internet, made sure I could ping all the way through using NAT overload to all the public-facing IPs, but not to where I could ping the private IPs of the other network. I tried to build the tunnel but my phase 1 ISAKMP tunnel won't build its SA peer..... I followed your configs exactly with adjustments for my IPs... Will this not work on Packet Tracer with another router acting as a cloud? If anyone wants to try and help me out I can email them the saved file from Packet Tracer.
Rahul  03 Jun 2014 09:53
Hi,
I am entering the IPsec command "Router(config)# crypto ipsec transform-set OES esp-aes esp-sha-hmac"
but it takes me into a subcategory "#Router(cfg-crypto-trans)#".
This is happening on a Cisco 2911,
but when I use this command on Packet Tracer I don't get it.
Am I doing something wrong?
NetwrkRyan  03 Nov 2014 09:40
Good work!

danisimanjuntak  30 Mar 2015 21:19
Good job!
ganesh  19 Apr 2015 08:05
Sir, when I give the command show crypto isakmp sa
Router# sh cr is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
11.0.0.2        11.0.0.1        QM_IDLE           1044    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
and I am not able to ping another PC.
CARLOS  27 May 2015 16:47
Great Work!!!