IPsec VPN Tunnel
Pre-setup (optional): this is usually the perimeter router, so any inbound ACL on the outside interface must permit the IKE and IPsec traffic itself, or the tunnel can never be negotiated. ISAKMP is UDP port 500; ESP and AH are their own IP protocols (50 and 51), not TCP or UDP ports. If either peer sits behind NAT, UDP 4500 (NAT-T) must be permitted as well.
access-list acl permit udp source wildcard destination wildcard eq isakmp
access-list acl permit esp source wildcard destination wildcard
access-list acl permit ahp source wildcard destination wildcard
The crypto commands also require the securityk9 technology package. Enable it, then save the configuration and reload from privileged EXEC for the license to take effect:
Router(config)#license boot module c2900 technology-package securityk9
Router#reload
Task 1: Configure the ISAKMP policy for IKE Phase 1
IOS ships with a set of default ISAKMP policies at the lowest priority (the highest policy numbers). The router offers policies in ascending number order, so the policy defined here as number 1 is tried before any default. The five settings can be remembered as HAGLE: Hash, Authentication, Group (DH), Lifetime, Encryption. All of them must match on the peer except the lifetime, where the shorter of the two values is used.
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#hash sha
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 5
Router(config-isakmp)#lifetime 3600
Router(config-isakmp)#encryption aes 256
Note that hash sha is SHA-1 and group 5 is the 1536-bit MODP group; on current IOS prefer hash sha256 and group 14 or higher.
The policy uses pre-shared key authentication, so define the key for this peer. The address must be the peer address you later reference with set peer in the crypto map, and the peer needs the same key bound to this router's address. Use a long random key in practice; the one below is only the video's example.
Router(config)#crypto isakmp key derpyisbestpony address 208.77.5.1
show crypto isakmp policy
Task 2: Configure the IPsec Policy for IKE Phase 2
The transform set names the encryption and integrity algorithms that protect the data sent through the IPsec tunnel; it describes how each packet is transformed, hence the name. esp-aes is AES-128 and esp-sha-hmac is HMAC-SHA-1; a stronger choice is esp-aes 256 esp-sha256-hmac. Tunnel mode is the default, which is what a site-to-site VPN needs.
Router(config)#crypto ipsec transform-set transform_name esp-aes esp-sha-hmac
Task 3: Configure ACL to define interesting traffic
Configuring the tunnel does not bring it up. IKE Phase 1 negotiation starts only when the router sees traffic that matches this crypto ACL (the "interesting" traffic), so permit the local LAN to the remote LAN. The peer needs the mirror image of this ACL (its LAN as source, ours as destination); otherwise the Phase 2 proxy identities will not match and the tunnel fails.
Router(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Once interesting traffic has crossed the router, show crypto isakmp sa lists the Phase 1 SA; before that it shows nothing.
show crypto isakmp sa
Task 4: Configure a Crypto Map for the IPsec Policy
Now that interesting traffic is defined and an IPsec transform set is configured, you need to bind them together with a crypto map.
Router(config)#crypto map map_name seq_num ipsec-isakmp
Which traffic is interesting: the access list defined in Task 3.
Router(config-crypto-map)#match address 101
The transform-set we created earlier for the IPsec tunnel.
Router(config-crypto-map)# set transform-set transform_name
The peer router you are connecting to. This must be the same address the pre-shared key was bound to in Task 1, or Phase 1 authentication has no key to use:
Router(config-crypto-map)#set peer 208.77.5.1
Optionally require Perfect Forward Secrecy: each Phase 2 SA then performs its own DH exchange, so a compromised Phase 1 key does not expose the data keys. The group must match on the peer, and as in Phase 1, group 14 or higher is preferable to group5 today.
Router(config-crypto-map)#set pfs group5
How long the IPsec SA lasts (in seconds) before it is renegotiated; if the peers disagree, the lower value is used.
Router(config-crypto-map)#set security-association lifetime seconds 900
Task 5: Apply the IPsec Policy
Apply the crypto map to the interface that faces the peer. Only one crypto map can be applied per interface, so additional tunnels go into the same map under different sequence numbers. show crypto map confirms the binding; once traffic flows, show crypto ipsec sa shows the Phase 2 SAs with their encaps/decaps counters.
Router(config)#interface serial0/0/0
Router(config-if)#crypto map map_name
show crypto map
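As an added example (not code from the video or its router), the following Python script audits an IOS running-config excerpt for the mistakes that keep a tunnel like this one from coming up or leave it weaker than intended: a crypto map peer with no matching pre-shared key, a transform set or ACL that is referenced but never defined, a map not applied to any interface, and weak Phase 1/Phase 2 algorithm choices. The embedded sample config is constructed from the commands in this walkthrough; the names VPNMAP and TS and the interface address are assumed, and it deliberately binds the pre-shared key to 208.77.5.1 while the crypto map points at 172.30.2.2, the kind of slip that is easy to make when the two commands are entered minutes apart.

```python
"""Audit a Cisco IOS IKEv1/IPsec site-to-site config for common mistakes.

Added example, not code from the video. Parses a running-config excerpt with
the standard library only, so it runs offline on a saved 'show running-config'.
"""
import re

# Constructed sample config, assembled from the tutorial's commands. Names
# (VPNMAP, TS) and the interface address are assumed. It deliberately binds the
# pre-shared key to 208.77.5.1 while the crypto map points at 172.30.2.2.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key derpyisbestpony address 208.77.5.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set TS
 set pfs group5
 set security-association lifetime seconds 900
 match address 101
!
interface Serial0/0/0
 ip address 208.77.5.2 255.255.255.252
 crypto map VPNMAP
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

# Choices flagged as weak per Cisco's Next Generation Encryption guidance.
# In IOS, "hash sha" and "esp-sha-hmac" mean SHA-1.
WEAK_DH = {"1", "2", "5"}
WEAK_HASH = {"md5", "sha"}
WEAK_ENCR = {"des", "3des"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}


def parse_blocks(config):
    """Group IOS config text into (top-level line, [indented sub-lines]) pairs."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            blocks.append((header, body))
        header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config):
    """Return (errors, warnings): errors stop the tunnel, warnings weaken it."""
    errors, warnings = [], []
    key_peers, transform_sets, acls, applied, maps = set(), set(), set(), set(), []

    for header, body in parse_blocks(config):
        if header.startswith("crypto isakmp policy"):
            kv = dict(line.partition(" ")[::2] for line in body)  # "group 5" -> group: 5
            enc = (kv.get("encr") or kv.get("encryption") or "").split(" ")[0]
            if kv.get("group") in WEAK_DH:
                warnings.append(f"{header}: DH group {kv['group']} is weak, use 14 or higher")
            if kv.get("hash") in WEAK_HASH:
                warnings.append(f"{header}: hash {kv['hash']} is weak, use sha256 or better")
            if enc in WEAK_ENCR:
                warnings.append(f"{header}: encryption {enc} is weak, use aes")
        elif m := re.match(r"crypto isakmp key (?:6 )?\S+ address (\S+)", header):
            key_peers.add(m.group(1))  # "6" prefix appears when type-6 key encryption is on
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", header):
            transform_sets.add(m.group(1))
            for alg in m.group(2).split():
                if alg in WEAK_ESP:
                    warnings.append(f"transform-set {m.group(1)}: {alg} is weak")
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", header):
            maps.append((m.group(1), body))
        elif header.startswith("interface "):
            applied.update(l.split()[2] for l in body if l.startswith("crypto map "))
        elif m := re.match(r"access-list (\d+) permit", header):
            acls.add(m.group(1))

    for name, body in maps:
        peer = transform = acl = None
        for line in body:
            parts = line.split()
            if parts[:2] == ["set", "peer"]:
                peer = parts[2]
            elif parts[:2] == ["set", "transform-set"]:
                transform = parts[2]  # checking the first listed set is enough here
            elif parts[:2] == ["match", "address"]:
                acl = parts[2]
        if peer is None:
            errors.append(f"crypto map {name}: no 'set peer'")
        elif peer not in key_peers:
            errors.append(f"crypto map {name}: peer {peer} has no matching "
                          f"'crypto isakmp key ... address {peer}'")
        if transform not in transform_sets:
            errors.append(f"crypto map {name}: transform-set {transform} is not defined")
        if acl not in acls:
            errors.append(f"crypto map {name}: 'match address {acl}' names a missing ACL")
        if name not in applied:
            errors.append(f"crypto map {name} is not applied to any interface")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = audit(SAMPLE_CONFIG)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

Run against the sample, the script reports one error (the crypto map's peer has no pre-shared key bound to it) and three warnings (DH group 5, SHA-1 in the ISAKMP policy, and SHA-1 in the transform set). Point it at a saved running-config from both routers before raising a ticket about a tunnel that "just won't come up"; the peer/key mismatch and the unapplied crypto map account for a large share of those.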
derpy: http://th03.deviantart.net/fs71/PRE/f/2012/302/6/1/derpy_hooves_by_freak0uo-d5jedxp.png
twilight: http://fc03.deviantart.net/fs70/i/2012/226/e/5/twilight_sparkle_vector_by_ikillyou121-d56s0vc.png
Video "IPsec VPN Tunnel" from the Derpy Networking channel