Introduction

The Implementing IOS IPSec site-to-site VPN with pre-shared key authentication module provides you with the instructions and Cisco hardware to develop your hands-on skills in the following topics:

1) Implement an IOS IPSec site-to-site VPN using CCP and the CLI

Lab Diagram

During your session you will have access to the following lab configuration. Depending on the exercises you may or may not use all of the devices, but they are shown here in the layout to give an overall understanding of the topology of the lab.
[Lab diagram: the Internet is reached through ISP1 and ISP2 (172.14.0.3/24 and 172.14.0.4/24 are shown on that side). NYEDGE1 and NYEDGE2 are Cisco 2911 routers with interfaces Gi0/0 and Gi0/1. A Frame-Relay WAN joins the Cisco 2911 routers NYWAN1, LDNWAN1 and NWRKWAN1 over serial interfaces (Ser0/0/0, Ser0/0/1, Ser0/1/0, Ser0/1/1). NYCORE1 and NYCORE2 are Cisco 3750v2-24PS switches (172.16.16.0/24 is shown at the core), connected to each other and to the Cisco 2960-24 access switch NYACCESS1, which also serves an IP Phone. PLABCSCO01, the Cisco Tools Server, is attached through its Lab NIC at 192.168.16.10/24.]

Connecting to your Lab

In this module you will be working on the following equipment to carry out the steps defined in each exercise.

NYEDGE1

NYEDGE2

NYCORE1

NYCORE2

NYACCESS1

PLABCSCO01

Text in RED indicates a task that needs to be copied with the corresponding answer(s) to the Lab Report.

Each exercise will detail which terminal you are required to work on to carry out the steps.

During the boot up process an activity indicator will be displayed in the device name tab:

Black - Powered Off

Orange - Working on your request

Green - Ready to access

If the remote terminal is not displayed automatically in the main window (or popup), click the Connect icon located in the toolbar to start your session.

Copyright Notice

This document and its content is copyright of Practice-IT - © Practice-IT 2014. All rights reserved. Any redistribution or reproduction of part or all of the contents in any form is prohibited other than the following:

1) You may print or download to a local hard disk extracts for your personal and non-commercial use only.

2) You may copy the content to individual third parties for their personal use, but only if you acknowledge the website as the source of the material. You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.

Exercise 1 - Implement an IOS IPSec site-to-site VPN using CCP and the CLI

In this exercise you will configure a site-to-site VPN using Cisco CCP on NYEDGE1 and the CLI on NYEDGE2. VPNs are very common in the workplace: they either provide a cost-effective link across a public network (the Internet) or, in some cases, a secure connection across a private network.

Diagram

[Exercise diagram: NYEDGE1 and NYEDGE2 are joined by the IPSEC Tunnel between their Gi0/1 interfaces, drawn as 172.14.0.1/24 and 172.14.0.2/24; the configuration steps and the show output below use 172.16.1.1 (NYEDGE1) and 172.16.1.2 (NYEDGE2) for these interfaces. NYEDGE1: Loop 1 10.10.0.1/24, Loop 2 10.10.1.1/24. NYEDGE2: Loop 1 10.10.4.1/24, Loop 2 10.10.5.1/24.]

Configuring NYEDGE1 using CCP

Step 1

Ensure you have powered on PLABCSCO01 so that you can use the CCP software located on this server.

Before proceeding, make sure the resolution setting is suitable for working in the CCP window. Click Settings at the window's upper right corner. The Personal Setting window appears; it allows you to customize the resolution and window type of the lab.

Make sure Open Microsoft devices in a popup window is set to On. Then, under Resolution, click Smaller or Bigger as needed until the resolution is 1024x768, and click Save. This resolution is adequate for the CCP window; you can change it to higher or lower later as needed.

Step 2

Once PLABCSCO01 is powered on, connect to the desktop and launch the Cisco Configuration Professional (CCP) software, there is a shortcut on the desktop, highlighted in the screenshot below.

When the software launches, you can safely ignore the Java message by clicking the Later button.

When CCP launches, enter the community settings for NYEDGE1 and NYEDGE2. They have the IP addresses 192.168.16.1 and 192.168.16.2 respectively, and the same username and password, ciscosdm/ciscosdm (the lab's default CCP credentials; on a real device these should be changed before the router is reachable from anywhere else).

Check the Discover all devices checkbox in the bottom left of the window, then click OK.

Step 3

Once the devices have been discovered, ensure 192.168.16.1 is highlighted (this is NYEDGE1) and click the Configure button at the top.

Note: If you get a problem about a device being “undiscoverable” close CCP and start over with Step 2. This can happen if the CCP software is unable to discover the router because of network latency.

Expand Security > VPN then click the Site-to-Site VPN link.

On the right the task page will appear.

Ensure the Create a site to site VPN folder tab is selected, and scroll down to click the Launch the selected task button (you might need to scroll down the page).

Step 4

Once the wizard launches, click the Step-by-step wizard radio button then click Next.

Step 5

On the VPN Connection information page, ensure the following settings are configured:

Select the interface for this VPN connection: GigabitEthernet0/1

Peer identity: Ensure Peer with static IP address is selected

IP Address of the remote peer: 172.16.1.2

Authentication: Select Pre-shared Keys and use a password of cisco123 (a lab value only; the same key must be entered on NYEDGE2, and a production key should be long and random)

Once you are happy with the settings, click Next.

Step 6

At the IKE proposals page, click the Add button to add a new proposal so you understand this process (we could accept the default proposal in the list).

Step 7

In the Add IKE Policy dialog box, configure the following settings:

Priority: 2

Authentication: PRE_SHARE

Encryption: AES_256

D-H Group: Group2

Hash: SHA_1

Lifetime: 24 0 0 (hours, minutes, seconds, i.e. 24 hours = 86400 seconds)

Once you have entered the details, click OK. These are the values the ISAKMP policy on NYEDGE2 must match later (the priority number itself does not have to match). Note that D-H Group2 (1024-bit MODP) and SHA-1 are the lab's choices and are below current recommendations for a new production deployment.

Step 8

Back on the IKE Proposals page, notice the new policy that has been added.

Click Next.

Step 9

At the Transform Set page, again so you understand the process, click Add.

Step 10

From the Add Transform Set dialog box, configure the following settings:

Name: Strong

Leave the checkbox checked for Data Integrity with encryption (ESP)

Integrity Algorithm: ESP_SHA_HMAC

Encryption Algorithm: ESP_AES_256

You can leave the advanced settings as default.

Once you are happy, click OK.

Step 11

Back on the Transform Set page, ensure your transform set called Strong is selected then click Next.

Step 12

In the Traffic to protect page, you want to protect traffic going between loopback 1 and loopback 2 of each respective router. The subnets are as follows:

NYEDGE1: Loop 1 > 10.10.0.0/24

NYEDGE1: Loop 2 > 10.10.1.0/24

NYEDGE2: Loop 1 > 10.10.4.0/24

NYEDGE2: Loop 2 > 10.10.5.0/24

We can summarise these as follows:

NYEDGE1: 10.10.0.0/23

NYEDGE2: 10.10.4.0/23

Enter the information for the respective source and destination networks, as seen in the screenshot below. This pair of networks becomes the crypto ACL on NYEDGE1; NYEDGE2 will need the exact mirror image (source and destination swapped), otherwise phase 2 will not negotiate.

Once you have entered in the subnets, click Next.

Step 13

At the Summary of the Configuration page, click Finish.

Step 14

You need first to save the configuration to a file on the desktop.

On the Deliver Configuration to Device dialog box, click on Save to file .

Step 15

On the Save File dialog box, keep the default name (CC-CLI-dd-month-YYYY.txt).

Verify that Desktop button on the left is selected then click Save.

Step 16

Back on the Delivery Configuration to Device dialog box, then click Deliver.

Step 17

On the Commands Delivery Status dialog box, click OK.

Step 18

Once you have clicked OK you will notice that the state of the VPN is down.

Minimize CCP software.

Step 19

From the desktop of PLABCSCO01, right-click on the file CC-CLI-dd-month-YYYY.txt that you just saved, and select Open.

Task 1: Take screenshot of the notepad window showing the VPN site-to-site configuration file in router NYEDGE1. Include the screen shot in the Lab Report.

Continue to configure NYEDGE2.

Configuring NYEDGE2 using the CLI

Next we will configure the peer router NYEDGE2 using the CLI so that we have covered off both configuration methods.

Step 1

Connect to NYEDGE2. If you reviewed the configuration script applied to NYEDGE1, we now need to make the same CLI changes by hand, this time reversing some of the settings (the crypto ACL, for example).

The first step is to configure the crypto access-list. Rather than using the numbered ACL that CCP generates, we will create a named ACL called S2SNYEDGE1. It must be the mirror image of the one CCP built on NYEDGE1: NYEDGE2's summarised loopback range (10.10.4.0/23) is the source and NYEDGE1's (10.10.0.0/23) is the destination, written with wildcard masks. An empty ACL matches nothing, so the permit entry is what actually selects the traffic to protect:

NYEDGE2>enable

NYEDGE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYEDGE2(config)#ip access-list extended S2SNYEDGE1

NYEDGE2(config-ext-nacl)#permit ip 10.10.4.0 0.0.1.255 10.10.0.0 0.0.1.255

NYEDGE2(config-ext-nacl)#exit

NYEDGE2(config)#

Step 2

Next we configure the same transform set that we built using CCP (ESP AES-256 for encryption with ESP SHA-1 HMAC for integrity). Tunnel mode is the default and is shown here only for clarity:

NYEDGE2(config)#crypto ipsec transform-set Strong esp-aes 256 esp-sha-hmac

NYEDGE2(cfg-crypto-trans)#mode tunnel

NYEDGE2(cfg-crypto-trans)#exit

NYEDGE2(config)#

Step 3

Next we need to configure the crypto map. IOS prints a note that the new crypto map will remain disabled until a peer and a valid access list have been configured; don't worry about this, as both are set in the following lines:

NYEDGE2(config)#crypto map NYEDGE1MAP 1 ipsec-isakmp

NYEDGE2(config-crypto-map)#set transform-set Strong

NYEDGE2(config-crypto-map)#set peer 172.16.1.1

NYEDGE2(config-crypto-map)#match address S2SNYEDGE1

NYEDGE2(config-crypto-map)#exit

NYEDGE2(config)#

Step 4

Next we configure the pre-shared key and bind it to the Gi0/1 IP address of NYEDGE1. It must be exactly the value entered in the CCP wizard. Note that the key is kept in the running configuration in clear text unless type 6 encryption has been enabled (key config-key password-encrypt together with password encryption aes), so treat configuration backups and the CC-CLI file saved earlier as secrets:

NYEDGE2(config)#crypto isakmp key cisco123 address 172.16.1.1

Step 5

Next we create the ISAKMP policy. Its priority number (1 here, 2 on NYEDGE1) does not need to match the peer's, but the encryption, hash, authentication and Diffie-Hellman group do. Set group 2 explicitly: a policy that does not state a group defaults to group 1 and would not match the Group2 proposal built in CCP:

NYEDGE2(config)#crypto isakmp policy 1

NYEDGE2(config-isakmp)#authentication pre-share

NYEDGE2(config-isakmp)#encryption aes 256

NYEDGE2(config-isakmp)#hash sha

NYEDGE2(config-isakmp)#group 2

NYEDGE2(config-isakmp)#lifetime 86400

NYEDGE2(config-isakmp)#exit

NYEDGE2(config)#exit

Step 6

Finally we need to apply the crypto map to the interface (Gi0/1). Until this is done the map is never consulted, however complete it is:

NYEDGE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYEDGE2(config)#interface gigabitEthernet 0/1

NYEDGE2(config-if)#crypto map NYEDGE1MAP

NYEDGE2(config-if)#exit

NYEDGE2(config)#exit
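Whether built with the CCP wizard (NYEDGE1) or typed at the CLI (NYEDGE2), both halves end up as the same set of IOS objects, and the tunnel only comes up when they agree on everything except the policy priority and the object names. The script below is an added example, not part of the lab and not Cisco tooling: it parses the subset of IOS syntax used in this exercise from both routers and reports the mismatches that stop IKE phase 1 or IPsec phase 2. The NYEDGE1 text is a constructed stand-in for the CCP-generated file (the map name SDM_CMAP_1 is taken from the lab's show output; the ACL number 100 and the exact line layout are assumptions), and the NYEDGE2 text is the CLI configuration from the steps above with the ACL entry and group 2 stated explicitly.

```python
"""Cross-check both halves of a crypto-map IOS site-to-site VPN (added example, not the lab's or Cisco's code)."""
import ipaddress
NYEDGE1_CFG = """
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.1.2
crypto ipsec transform-set Strong esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set Strong
 match address 100
access-list 100 permit ip 10.10.0.0 0.0.1.255 10.10.4.0 0.0.1.255
interface GigabitEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 crypto map SDM_CMAP_1
"""
NYEDGE2_CFG = """
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.1.1
crypto ipsec transform-set Strong esp-sha-hmac esp-aes 256
crypto map NYEDGE1MAP 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set Strong
 match address S2SNYEDGE1
ip access-list extended S2SNYEDGE1
 permit ip 10.10.4.0 0.0.1.255 10.10.0.0 0.0.1.255
interface GigabitEthernet0/1
 ip address 172.16.1.2 255.255.255.0
 crypto map NYEDGE1MAP
"""
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}  # IOS IKEv1 defaults

def _acl_pair(tok):  # 'SRC wild DST wild' -> (src, dst) networks; wildcard 0.0.0.0 means one host
    net = lambda a, w: ipaddress.ip_network(f"{a}/{'32' if w == '0.0.0.0' else w}", strict=False)
    return net(tok[0], tok[1]), net(tok[2], tok[3])

def parse_ios(cfg):  # a top-level command opens a block; indented lines fill the open block
    d = {"policy": {}, "psk": {}, "ts": {}, "cmap": {}, "acl": {}, "iface": {}}
    ctx = None
    for line in filter(str.strip, cfg.splitlines()):
        t = line.split()
        if not line.startswith(" "):
            ctx = None
            if t[:3] == ["crypto", "isakmp", "policy"]:
                ctx = d["policy"].setdefault(t[3], dict(POLICY_DEFAULTS))
            elif t[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key KEY address PEER
                d["psk"][t[5]] = t[3]
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:  # transform order is irrelevant
                ctx = d["ts"].setdefault(t[3], {"transforms": frozenset(t[4:]), "mode": "tunnel"})
            elif t[:2] == ["crypto", "map"] and t[4:5] == ["ipsec-isakmp"]:
                ctx = d["cmap"].setdefault((t[2], t[3]), {})
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
                d["acl"].setdefault(t[1], []).append(_acl_pair(t[4:]))
            elif t[:3] == ["ip", "access-list", "extended"]:
                ctx = d["acl"].setdefault(t[3], [])
            elif t[0] == "interface":
                ctx = d["iface"].setdefault(t[1], {})
        elif isinstance(ctx, list) and t[:2] == ["permit", "ip"]:  # named ACL body
            ctx.append(_acl_pair(t[2:]))
        elif isinstance(ctx, dict):  # 'encr aes 256', 'group 2', 'set peer X', 'ip address X M', 'crypto map N'
            head = t[0] in ("encr", "encryption") or len(t) == 2
            ctx["encr" if t[0] == "encryption" else t[0] if head else t[1]] = " ".join(t[1:] if head else t[2:3])
    return d

def tunnels(cfg):  # one record per crypto-map entry that is applied to an interface
    d = parse_ios(cfg)
    return [dict(ip=i.get("address"), peer=e["peer"], psk=d["psk"].get(e["peer"]),
                 ts=tuple(d["ts"].get(e.get("transform-set"), {}).values()),
                 acl=e.get("address"), pairs=d["acl"].get(e.get("address"), []),
                 policies=list(d["policy"].values()))
            for i in d["iface"].values() for (name, _), e in d["cmap"].items()
            if name == i.get("map") and "peer" in e]

def check_pair(cfg_a, cfg_b):  # mismatches between routers A and B; an empty list means they agree
    problems, tb = [], tunnels(cfg_b)
    for t in tunnels(cfg_a):
        u = next((u for u in tb if u["peer"] == t["ip"] and u["ip"] == t["peer"]), None)
        if u is None:
            problems.append(f"B has no crypto map on {t['peer']} pointing at {t['ip']}")
            continue
        if not t["psk"] or t["psk"] != u["psk"]:
            problems.append("pre-shared keys missing or different")
        if not any(all(p[k] == q[k] for k in POLICY_DEFAULTS) for p in t["policies"] for q in u["policies"]):
            problems.append("no ISAKMP policy agrees on encr/hash/authentication/group")
        if t["ts"] != u["ts"]:
            problems.append(f"transform sets differ: {t['ts']} vs {u['ts']}")
        for side, x, y in (("A", t, u), ("B", u, t)):  # crypto ACLs must be exact mirrors
            if not x["pairs"]:
                problems.append(f"crypto ACL {x['acl']} on {side} has no permit entries")
            problems += [f"{side} protects {s}->{d}, no mirror entry on the other side"
                         for s, d in x["pairs"] if (d, s) not in y["pairs"]]
    return problems
```

check_pair(NYEDGE1_CFG, NYEDGE2_CFG) returns an empty list for the two configurations above. Deleting the permit line from the NYEDGE2 ACL, leaving out group 2, mistyping the key, or forgetting to apply the crypto map to Gi0/1 each produces a specific complaint, which is the same set of faults you would otherwise find one at a time with debug crypto isakmp and debug crypto ipsec.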

Verifying the VPN

Finally we want to verify that the VPN works. We need to initiate some traffic to test this; first let's look at some counters. (To check phase 1 on its own, show crypto isakmp sa lists the IKE SA with the peer; it should reach the QM_IDLE state once the tunnel is up.)

On NYEDGE1 use the show crypto ipsec sa command:

NYEDGE1>enable

NYEDGE1#show crypto ipsec sa

interface: GigabitEthernet0/1

Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (10.10.0.0/255.255.254.0/0/0)

remote ident (addr/mask/prot/port): (10.10.4.0/255.255.254.0/0/0)

current_peer 172.16.1.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.2

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

PFS (Y/N): N, DH group: none

(Output omitted)

In the output you can see that no packets have been encrypted or decrypted. This is helpful when diagnosing a VPN, as sometimes you can see packets being encrypted but not decrypted or vice-versa.

Let’s initiate some traffic, ping from NYEDGE1 with a source IP address of 10.10.0.1 to 10.10.4.1:

NYEDGE1#ping ip 10.10.4.1 source 10.10.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.4.1, timeout is 2 seconds:

Packet sent with a source address of 10.10.0.1

Success rate is 0 percent (0/5)

Task 2: Take screenshot showing unsuccessful connectivity between 10.10.4.1 and 10.10.0.1. Include the screenshot in the Lab Report.

Notice the ping fails!

Viewing the output of the show crypto ipsec sa command still shows no encrypted packets. We need to go back to basics: neither router has a route to the other's loopback networks. The crypto map is only consulted when a packet is routed out of Gi0/1 and then matches the crypto ACL, so without a route toward 10.10.4.0/23 the ICMP packets never reach the interface the map is applied to.

Add routes on both routers:

NYEDGE1

NYEDGE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYEDGE1(config)#ip route 10.10.4.0 255.255.254.0 172.16.1.2

NYEDGE1(config)#exit

NYEDGE2

NYEDGE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYEDGE2(config)#ip route 10.10.0.0 255.255.254.0 172.16.1.1

NYEDGE2(config)#exit

Retry the ping from NYEDGE1:

NYEDGE1#ping ip 10.10.4.1 source 10.10.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.4.1, timeout is 2 seconds:

Packet sent with a source address of 10.10.0.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Task 3: Take screenshot showing successful connectivity between 10.10.4.1 and

10.10.0.1. Include the screenshot in the Lab Report.

How do we know the packets are encrypted?

NYEDGE1#show crypto ipsec sa

interface: GigabitEthernet0/1

Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (10.10.0.0/255.255.254.0/0/0)

remote ident (addr/mask/prot/port): (10.10.4.0/255.255.254.0/0/0)

current_peer 172.16.1.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

(Output omitted)

Notice that the counters for encrypted and decrypted packets have gone up by 4, and notice that our ping replied 4 times.

Task 4: Take screenshot of command show crypto ipsec sa output showing 4 packets encrypted and decrypted. Include the screenshot in the Lab Report.
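The two show crypto ipsec sa outputs above are the normal progression (nothing matched, then 4 packets each way). As an added example that is not part of the lab, the following script parses the per-SA counters from that command and turns them into the verdict a practitioner reads off them by hand. The samples are the NYEDGE1 output from this page; the hint text is an editorial triage checklist, not Cisco documentation.

```python
"""Triage IPsec SAs from the counters of 'show crypto ipsec sa' (added example, not the lab's own code)."""
import ipaddress
import re

# Copied from the NYEDGE1 output on this page (before the routes were added).
BEFORE_PING = """
interface: GigabitEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.254.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.4.0/255.255.254.0/0/0)
   current_peer 172.16.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""
# The same SA after the successful ping: only the counters changed (4 each way).
AFTER_PING = (BEFORE_PING
              .replace("encaps: 0, #pkts encrypt: 0, #pkts digest: 0", "encaps: 4, #pkts encrypt: 4, #pkts digest: 4")
              .replace("decaps: 0, #pkts decrypt: 0, #pkts verify: 0", "decaps: 4, #pkts decrypt: 4, #pkts verify: 4"))

def _cidr(addr, mask):
    """IOS prints dotted masks; normalise to CIDR for comparison with the crypto ACL."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

def parse_ipsec_sa(text):
    """One dict per SA; a new SA starts at 'local ident'. Missing counters read as 0."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := re.search(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", line):
            if m[1] == "local":
                cur = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
                sas.append(cur)
            cur[m[1]] = _cidr(m[2], m[3])
        elif cur is None:
            continue
        elif m := re.search(r"current_peer ([\d.]+)", line):
            cur["peer"] = m[1]
        elif m := re.search(r"#pkts (encaps|decaps): (\d+)", line):
            cur[m[1]] = int(m[2])
        elif m := re.search(r"#send errors (\d+), #recv errors (\d+)", line):
            cur["send_errors"], cur["recv_errors"] = int(m[1]), int(m[2])
    return sas

def diagnose(sa):
    """Verdict from the counters, checked in the order that narrows the fault fastest."""
    if sa["send_errors"] or sa["recv_errors"]:
        return "errors"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no traffic"
    if sa["decaps"] == 0:
        return "one-way: sending only"
    if sa["encaps"] == 0:
        return "one-way: receiving only"
    return "bidirectional"

# Editorial checklist for each verdict (assumptions about the usual causes, not Cisco text).
HINTS = {
    "no traffic": "nothing hit the crypto ACL: check the route to the remote subnet and the ACL itself",
    "one-way: sending only": "we encrypt but nothing returns: check the peer's mirrored crypto ACL, its route back, and filtering of ESP or UDP 500",
    "one-way: receiving only": "we decrypt but never send: check our own route to the remote subnet",
    "errors": "send/recv errors: check MTU and fragmentation, and whether the SA is being torn down",
    "bidirectional": "the tunnel is passing traffic in both directions",
}

def report(text):
    """(peer, local->remote, verdict, hint) for every SA in the output."""
    return [(sa["peer"], f"{sa['local']}->{sa['remote']}", diagnose(sa), HINTS[diagnose(sa)])
            for sa in parse_ipsec_sa(text)]

if __name__ == "__main__":
    for sample in (BEFORE_PING, AFTER_PING):
        print(report(sample))
```

The interesting verdicts are the one-way ones: encaps climbing while decaps stays at zero means the local side is doing its job and the problem is on the return path (the peer's ACL not mirrored, no route back, or ESP filtered in between), which is exactly the distinction the text above says the counters let you make.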

You can also use the debug crypto engine packet command. However, word of extreme caution - this is a fairly noisy debug, so do not use it in a production environment unless you really know what you are doing!

Enable this debug on NYEDGE2, then re-issue a ping from NYEDGE1:

Here is a snippet of the output on NYEDGE2:

NYEDGE2(config)#exit

NYEDGE2#debug crypto engine packet

Crypto Engine Packet debugging is on

NYEDGE2#

*Aug 1 16:03:29.819: crypto_sb_oce_alloc_fwd_handle: created forw_handle=3D49B0D0 using oce=0 type=0 for pak=2181FBC8, track=3D9F3EFC

*Aug 1 16:03:29.819: Before decryption:

0E220990: 4500 00A806C4 0000FE32

0E2209A0: 5B3CAC10 0101AC10 01023C52 BA310000

0E2209B0: 000A42D6 C0C3D03B 3855B1EA E1B8CDEA

0E2209C0: 4317F58F B01B

*Aug 1 16:03:29.819: After decryption:

0E2209C0: 4500 00640046 0000FF01 A33D0A0A

0E2209D0: 00010A0A 04010800 AF2E000E 00000000

0E2209E0: 00000045 CEC8ABCD ABCDABCD ABCDABCD

0E2209F0: ABCD

(Output omitted)
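What the two dumps contain is readable once the bytes are laid out. The script below is an added example, not part of the lab: it takes the rows of the NYEDGE2 dump above (ASCII gutter removed) and decodes the IPv4 header of each, plus the ESP SPI and sequence number of the outer packet and the ICMP type of the inner one. The row layout (a hex address, then hex groups, with a packet allowed to start mid-row) is an assumption about how IOS prints the buffer.

```python
"""Decode the 'Before decryption' / 'After decryption' buffer dumps of 'debug crypto engine packet'.
Added example, not part of the lab; the rows are copied from the NYEDGE2 output on this page."""
import socket
import struct

BEFORE_DECRYPTION = """
0E220990: 4500 00A806C4 0000FE32
0E2209A0: 5B3CAC10 0101AC10 01023C52 BA310000
0E2209B0: 000A42D6 C0C3D03B 3855B1EA E1B8CDEA
0E2209C0: 4317F58F B01B
"""
AFTER_DECRYPTION = """
0E2209C0: 4500 00640046 0000FF01 A33D0A0A
0E2209D0: 00010A0A 04010800 AF2E000E 00000000
0E2209E0: 00000045 CEC8ABCD ABCDABCD ABCDABCD
0E2209F0: ABCD
"""
IP_PROTOCOLS = {1: "ICMP", 50: "ESP", 51: "AH"}

def dump_to_bytes(dump: str) -> bytes:
    """Join the hex groups of every 'ADDR: ...' row; the address column is ignored."""
    return b"".join(bytes.fromhex("".join(row.partition(":")[2].split()))
                    for row in dump.strip().splitlines())

def _ip_checksum_ok(hdr: bytes) -> bool:
    """Ones-complement sum of the header's 16-bit words, checksum included, must be 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Fixed IPv4 header plus the first words of an ESP or ICMP payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    info = {"total_len": total_len, "ttl": ttl, "proto": IP_PROTOCOLS.get(proto, proto),
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": _ip_checksum_ok(pkt[:ihl])}
    payload = pkt[ihl:]
    if proto == 50 and len(payload) >= 8:          # ESP: SPI, then the anti-replay sequence number
        info["spi"], info["seq"] = struct.unpack("!II", payload[:8])
    elif proto == 1 and len(payload) >= 2:         # ICMP: type 8 / code 0 is an echo request
        info["icmp_type"], info["icmp_code"] = payload[0], payload[1]
    return info

def esp_overhead(outer: dict, inner: dict) -> int:
    """Bytes that tunnel-mode ESP added to the cleartext packet."""
    return outer["total_len"] - inner["total_len"]

if __name__ == "__main__":
    outer = parse_ipv4(dump_to_bytes(BEFORE_DECRYPTION))
    inner = parse_ipv4(dump_to_bytes(AFTER_DECRYPTION))
    print("outer:", outer)
    print("inner:", inner)
    print("ESP overhead:", esp_overhead(outer, inner), "bytes")
```

Run as-is it reports an outer packet of protocol 50 (ESP) from 172.16.1.1 to 172.16.1.2 with SPI 0x3C52BA31 and sequence number 10, and an inner ICMP echo request from 10.10.0.1 to 10.10.4.1 of 100 bytes (the ping size from earlier); both header checksums verify, so the dump was transcribed correctly. The 68-byte difference between the two lengths is consistent with tunnel-mode ESP using AES and SHA-1 HMAC: 20 bytes of outer IP header, 8 bytes of ESP header, a 16-byte IV, 12 bytes of padding plus trailer (100 + 2 rounded up to the 16-byte AES block, i.e. 112) and a 12-byte ICV.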

Turn the debug off on NYEDGE2 (u all is the abbreviated form of undebug all):

NYEDGE2#u all

All possible debugging has been turned off

NYEDGE2#

Task 5: Take screenshot of NYEDGE2 CLI showing debugging bottom output. Include the screenshot in the Lab Report.

Switch over to PLABCSCO01 device.

In the CCP software, on the toolbar click Monitor.

Then expand out in the tree structure, Security > VPN Status and select IPSec Tunnels

On the VPN Status pane, notice the details about the IPSec Tunnel you created.

You have successfully built a VPN using both the CLI and CCP software!

Task 6: Take screenshot of the CCP software on PLABCSCO01 showing the IPSec tunnel's encrypted and decrypted packet counters. Include the screenshot in the Lab Report.

Summary

You covered the following activities in this module:

Using the CCP software to build half of a site-to-site VPN between two routers.

You configured the second half of the site-to-site VPN using the CLI.

You confirmed the configuration of the VPN by testing it and seeing the packets being encrypted and decrypted.

You also monitored the VPN status using the CCP software.

This concludes Implementing IOS IPSec site-to-site VPN with pre-shared key authentication Lab. Save the Lab Report, and submit it to the iLab DropBox in week 6.