CCNP LAB: IPsec site-to-site VPN

Environment: two routers connected back-to-back over their serial interfaces, configured as shown in the figure.
Requirements: use a loopback interface on each router to simulate the interesting traffic for an IPsec site-to-site VPN. IKE phase 1 authenticates with a pre-shared key; IKE phase 2 uses SHA-1 HMAC as the hash algorithm and DES as the encryption algorithm. (DES is what this lab calls for; it is obsolete and should not be used outside a lab.)
[topology map]

Step one: basic interface configuration and connectivity test

R1 (config) # int s0
R1 (config-if) # ip add 10.1.1.1 255.255.255.0
R1 (config-if) # clock rate 64000
R1 (config-if) # no sh
R1 (config) # int loop 0
R1 (config-if) # ip add 1.1.1.1 255.255.255.0

R2 (config) # int s1
R2 (config-if) # ip add 10.1.1.2 255.255.255.0
R2 (config-if) # no sh
R2 (config) # int loop 0
R2 (config-if) # ip add 1.1.2.1 255.255.255.0

R1 # ping 10.1.1.2  // test basic connectivity before configuring IPsec
!!!!!
Success rate is 100 percent (5 / 5), round-trip min / avg / max = 28/31/32 ms

R2 # ping 10.1.1.1
!!!!!
Success rate is 100 percent (5 / 5), round-trip min / avg / max = 32/32/32 ms

Step two: IKE phase 1 and phase 2 configuration on both routers, applied to the serial interfaces

R1 (config) # crypto isakmp policy 10  // IKE phase 1 policy; encryption, hash, DH group and lifetime are left at their defaults, so they match on both routers
R1 (config-isakmp) # authen pre-share  // switch authentication from the default (RSA signatures) to pre-shared key
R1 (config-isakmp) # exit
R1 (config) # crypto isakmp key cisco address 10.1.1.2  // pre-shared key "cisco" for the peer at 10.1.1.2; must be identical on R2

R1 (config) # crypto ipsec transform-set myset esp-des esp-sha-hmac  // IKE phase 2 transform set: ESP with DES encryption and SHA-1 HMAC integrity
R1 (cfg-crypto-trans) # exit
R1 (config) # access-list 102 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255
// defines the interesting traffic: only packets matching this ACL are encrypted
R1 (config) # crypto map mymap 10 ipsec-isakmp  // phase 2 crypto map, which ties the ACL, the peer and the transform set together
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1 (config-crypto-map) # match address 102  // interesting-traffic ACL for this crypto map entry
R1 (config-crypto-map) # set peer 10.1.1.2  // IPsec peer (R2's serial address)
R1 (config-crypto-map) # set transform-set myset  // transform set to negotiate for this entry
R1 (config-crypto-map) # exit
R1 (config) # int s0
R1 (config-if) # crypto map mymap  // apply the crypto map to the interface facing the peer
R1 (config-if) # exit
R1 (config) # ip route 1.1.2.0 255.255.255.0 10.1.1.2
// static route so the interesting traffic is forwarded out the crypto-map interface; the next hop is the peer's serial address

R2 (config) # crypto isakmp policy 10  // R2's phase 1 policy must match R1's
R2 (config-isakmp) # authentication pre-share
R2 (config-isakmp) # exit
R2 (config) # crypto isakmp key cisco address 10.1.1.1  // same key as on R1; the address is the peer's (R1's) serial address
R2 (config) # crypto ipsec transform-set myset esp-des esp-sha-hmac
R2 (cfg-crypto-trans) # exit  // the transform set must match on both ends; the default mode is tunnel
R2 (config) # access-list 102 permit ip 1.1.2.0 0.0.0.255 1.1.1.0 0.0.0.255
// interesting traffic: the mirror image of R1's ACL, with source and destination swapped
R2 (config) # crypto map mymap 10 ipsec-isakmp  // crypto map
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2 (config-crypto-map) # set peer 10.1.1.1  // the peer's physical (serial) address
R2 (config-crypto-map) # set transform-set myset
R2 (config-crypto-map) # match address 102
R2 (config-crypto-map) # exit
R2 (config) # ip route 1.1.1.0 255.255.255.0 10.1.1.1  // static route for the interesting traffic toward R1
R2 (config) # int s1
R2 (config-if) # crypto map mymap  // apply the crypto map to the interface facing the peer
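The configuration above only works when the two routers mirror each other: a peer or key address that is not the other side's crypto interface, a different transform set, an ACL that is not the exact mirror, or a route whose next hop bypasses the peer all leave the crypto map disabled or IKE never starting. The following is an added Python example, not part of the lab, that parses the crypto-relevant lines of both running configurations and reports such mismatches. The configuration text embedded in it is constructed from this lab; the function and variable names are my own, and the route check assumes one static route per remote network, as in this lab.

```python
"""Cross-check the two ends of a Cisco IOS site-to-site IPsec configuration.

Added example, not part of the lab: parses the crypto-relevant lines of each
router's 'show run' and reports mismatches that leave a crypto map disabled or a
tunnel never negotiating (peer/key address, transform set, mirrored ACL, route).
"""
import ipaddress
import re

# Constructed input: the lab's final configurations, trimmed to the lines the
# checker reads.  IPsec mode is not parsed; both sides are assumed to use the
# default (tunnel), and ACL entries are expected in network/wildcard form.
R1_CONFIG = """\
crypto isakmp key cisco address 10.1.1.2
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set myset
 match address 102
interface Serial0
 ip address 10.1.1.1 255.255.255.0
 crypto map mymap
ip route 1.1.2.0 255.255.255.0 10.1.1.2
access-list 102 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255
"""
R2_CONFIG = """\
crypto isakmp key cisco address 10.1.1.1
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set myset
 match address 102
interface Serial1
 ip address 10.1.1.2 255.255.255.0
 crypto map mymap
ip route 1.1.1.0 255.255.255.0 10.1.1.1
access-list 102 permit ip 1.1.2.0 0.0.0.255 1.1.1.0 0.0.0.255
"""
# A wrong next hop (20.1.1.2 instead of the peer 10.1.1.2), constructed to show a finding.
R1_BAD_ROUTE = R1_CONFIG.replace("255.255.255.0 10.1.1.2", "255.255.255.0 20.1.1.2")


def acl_net(addr, wildcard):
    """Network matched by an ACL entry; a 0.0.0.0 wildcard means a single host."""
    return ipaddress.ip_network(f"{addr}/32" if wildcard == "0.0.0.0" else f"{addr}/{wildcard}")


def parse(config):
    """Extract keys, transform sets, crypto maps, interfaces, routes and ACLs."""
    cfg = {"keys": {}, "tsets": {}, "maps": {}, "ifaces": {}, "routes": {}, "acls": {}}
    cur = None  # the crypto map or interface section currently being filled in
    for line in (ln.strip() for ln in config.splitlines()):
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"][m[2]] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["tsets"][m[1]] = frozenset(m[2].split())  # transform order does not matter
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            cur = cfg["maps"].setdefault(m[1], {})
        elif m := re.match(r"interface (\S+)", line):
            cur = cfg["ifaces"].setdefault(m[1], {})
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            cfg["routes"][ipaddress.ip_network(f"{m[1]}/{m[2]}")] = m[3]
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acls"].setdefault(m[1], []).append((acl_net(m[2], m[3]), acl_net(m[4], m[5])))
        elif cur is not None and (m := re.match(
                r"(set peer|set transform-set|match address|ip address|crypto map) (\S+)", line)):
            cur[m[1]] = m[2]  # 'crypto map NAME' with no sequence number binds it to an interface
    return cfg


def endpoint(cfg):
    """(address, crypto map) of the interface that has a crypto map applied."""
    for iface in cfg["ifaces"].values():
        if "crypto map" in iface:
            return iface["ip address"], cfg["maps"][iface["crypto map"]]
    raise ValueError("no interface has a crypto map applied")


def check_pair(local_config, remote_config):
    """Findings for the local router judged against its peer; empty means consistent."""
    local, remote = parse(local_config), parse(remote_config)
    l_ip, l_map = endpoint(local)
    r_ip, r_map = endpoint(remote)
    out = []
    if l_map.get("set peer") != r_ip:
        out.append(f"set peer {l_map.get('set peer')} is not the remote crypto interface {r_ip}")
    if r_ip not in local["keys"]:
        out.append(f"no pre-shared key configured for peer address {r_ip}")
    elif local["keys"][r_ip] != remote["keys"].get(l_ip):
        out.append("pre-shared keys differ between the two routers")
    l_ts = local["tsets"].get(l_map.get("set transform-set"))
    r_ts = remote["tsets"].get(r_map.get("set transform-set"))
    if l_ts != r_ts:
        out.append(f"transform sets differ: {sorted(l_ts or [])} vs {sorted(r_ts or [])}")
    l_acl = local["acls"].get(l_map.get("match address"), [])
    r_acl = remote["acls"].get(r_map.get("match address"), [])
    if not l_acl:
        out.append("crypto map has no valid 'match address' ACL, so it stays disabled")
    elif sorted(l_acl) != sorted((dst, src) for src, dst in r_acl):
        out.append("interesting-traffic ACL is not the mirror image of the remote ACL")
    for _, dst in l_acl:  # assumes one static route per remote network, as in this lab
        if (nh := local["routes"].get(dst)) != r_ip:
            out.append(f"route for {dst} has next hop {nh}, expected peer {r_ip}")
    return out
```

Run `check_pair(R1_CONFIG, R2_CONFIG)` and the reverse; both return an empty list for the lab's final configuration, while `check_pair(R1_BAD_ROUTE, R2_CONFIG)` reports the route whose next hop is not the peer. The checker is deliberately one-directional, so call it once from each router's point of view.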

Step three: test whether traffic is encrypted by pinging the remote loopback directly. A plain ping is sourced from the outgoing serial interface (10.1.1.1 or 10.1.1.2), which does not match the interesting-traffic ACL, so these pings succeed but are sent in the clear and trigger no IKE negotiation:
R1 # ping 1.1.2.1
!!!!!
Success rate is 100 percent (5 / 5), round-trip min / avg / max = 32/33/36 ms
R2 # ping 1.1.1.1
!!!!!
Success rate is 100 percent (5 / 5), round-trip min / avg / max = 32/33/36 ms

Check the phase 1 and phase 2 security associations on R1 and R2:
R1 # show crypto isakmp sa  // no ISAKMP (phase 1) SA exists
dst src state conn-id slot

R2 # show crypto isakmp sa
dst src state conn-id slot

R1 # show crypto ipsec sa  // no packets encrypted and no IPsec SA established, because the pings above were not interesting traffic

interface: Serial0
Crypto map tag: mymap, local addr. 10.1.1.1

local ident (addr / mask / prot / port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr / mask / prot / port): (1.1.2.0/255.255.255.0/0/0)
current_peer: 10.1.1.2
PERMIT, flags = (origin_is_acl,)
# pkts encaps: 0, # pkts encrypt: 0, # pkts digest 0
# pkts decaps: 0, # pkts decrypt: 0, # pkts verify 0
# pkts compressed: 0, # pkts decompressed: 0
# pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0
# send errors 0, # recv errors 0

local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

R2 # show crypto ipsec sa

interface: Serial1
Crypto map tag: mymap, local addr. 10.1.1.2

local ident (addr / mask / prot / port): (1.1.2.0/255.255.255.0/0/0)
remote ident (addr / mask / prot / port): (1.1.1.0/255.255.255.0/0/0)
current_peer: 10.1.1.1
PERMIT, flags = (origin_is_acl,)
# pkts encaps: 0, # pkts encrypt: 0, # pkts digest 0
# pkts decaps: 0, # pkts decrypt: 0, # pkts verify 0
# pkts compressed: 0, # pkts decompressed: 0
# pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0
# send errors 0, # recv errors 0

local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.1.1.1
path mtu 1500, media mtu 1500
current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Step four: use an extended ping, sourced from the loopback, to trigger the interesting traffic

R1 # ping ip
Target IP address: 1.1.2.1
Repeat count [5]: 10  // send 10 packets; the first few are lost while IKE negotiates, so with the default 5 you may see no replies at all
Extended commands [n]: y
Source address or interface: 1.1.1.1
Sending 10, 100-byte ICMP Echos to 1.1.2.1, timeout is 2 seconds:
....!!!!!!  // the first four echoes time out while IKE negotiates the SAs; once the tunnel is up the remaining six succeed
Success rate is 60 percent (6 / 10), round-trip min / avg / max = 84/84/84 ms

Step five: check the phase 1 and phase 2 security associations again, together with the encryption counters

R1 # show crypto isa sa  // the IKE phase 1 SA is established; QM_IDLE means phase 1 completed and the SA is available for quick mode (phase 2)
dst src state conn-id slot
10.1.1.2 10.1.1.1 QM_IDLE 1 0

R1 # show crypto ipsec sa
// the IKE phase 2 (IPsec) SAs are established and traffic is being encrypted: the tunnel is up. The six successful echoes and their replies show up as 6 packets encapsulated and 6 decapsulated
interface: Serial0
Crypto map tag: mymap, local addr. 10.1.1.1

local ident (addr / mask / prot / port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr / mask / prot / port): (1.1.2.0/255.255.255.0/0/0)
current_peer: 10.1.1.2
PERMIT, flags = (origin_is_acl,)
# pkts encaps: 6, # pkts encrypt: 6, # pkts digest 6
# pkts decaps: 6, # pkts decrypt: 6, # pkts verify 6
# pkts compressed: 0, # pkts decompressed: 0
# pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0
# send errors 14, # recv errors 0

local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 84AEB2E6

inbound esp sas:
spi: 0x1E44AB1D (507816733)
transform: esp-des esp-sha-hmac,
in use settings = (Tunnel,)
slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
sa timing: remaining key lifetime (k / sec): (4607999/3520)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x84AEB2E6 (2226041574)
transform: esp-des esp-sha-hmac,
in use settings = (Tunnel,)
slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
sa timing: remaining key lifetime (k / sec): (4607999/3520)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:

R2 # show crypto isa sa
dst src state conn-id slot
10.1.1.2 10.1.1.1 QM_IDLE 1 0

R2 # show crypto ipsec sa

interface: Serial1
Crypto map tag: mymap, local addr. 10.1.1.2

local ident (addr / mask / prot / port): (1.1.2.0/255.255.255.0/0/0)
remote ident (addr / mask / prot / port): (1.1.1.0/255.255.255.0/0/0)
current_peer: 10.1.1.1
PERMIT, flags = (origin_is_acl,)
# pkts encaps: 6, # pkts encrypt: 6, # pkts digest 6
# pkts decaps: 6, # pkts decrypt: 6, # pkts verify 6
# pkts compressed: 0, # pkts decompressed: 0
# pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0
# send errors 0, # recv errors 0

local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.1.1.1
path mtu 1500, media mtu 1500
current outbound spi: 1E44AB1D

inbound esp sas:  // inbound SA created; its SPI 0x84AEB2E6 is R1's outbound SPI
spi: 0x84AEB2E6 (2226041574)
transform: esp-des esp-sha-hmac,
in use settings = (Tunnel,)
slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
sa timing: remaining key lifetime (k / sec): (4607999/3502)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:  // outbound SA created; its SPI 0x1E44AB1D is R1's inbound SPI, because each SA is one-way and the SPIs pair up crosswise
spi: 0x1E44AB1D (507816733)
transform: esp-des esp-sha-hmac,
in use settings = (Tunnel,)
slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
sa timing: remaining key lifetime (k / sec): (4607999/3502)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:
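Reading the two outputs above side by side is how you confirm the tunnel: each router's outbound SPI must be the other's inbound SPI, the transform and mode must agree, and the packets one side encapsulated should be the packets the other side decapsulated. As an added example (not part of the lab), the Python below parses `show crypto ipsec sa` output from both peers and performs those checks, and also recognises the step-three state in which no SA exists. The sample output is constructed from the lab's step five and step three, abbreviated to the lines the parser reads; the function names are my own.

```python
"""Cross-check 'show crypto ipsec sa' output from both ends of an IPsec tunnel.

Added example, not part of the lab: parses what each router prints in step five
and verifies what a practitioner checks by eye: ESP SAs in both directions, the
outbound SPI on one router being the inbound SPI on the other, matching transform
and mode, and encapsulated counts equal to the peer's decapsulated counts.
"""
import re

# Constructed samples trimmed from the step-five output of R1 and R2 (real IOS
# spacing: '#pkts', braces around settings) plus the empty step-three state.
R1_SHOW = """\
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6
    #send errors 14, #recv errors 0
     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
     current outbound spi: 84AEB2E6
     inbound esp sas:
      spi: 0x1E44AB1D(507816733)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
     inbound ah sas:
     outbound esp sas:
      spi: 0x84AEB2E6(2226041574)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
"""
R2_SHOW = """\
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest 6
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.1.1.1
     current outbound spi: 1E44AB1D
     inbound esp sas:
      spi: 0x84AEB2E6(2226041574)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
     inbound ah sas:
     outbound esp sas:
      spi: 0x1E44AB1D(507816733)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
"""
NO_SA_SHOW = """\
     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
     current outbound spi: 0
     inbound esp sas:
     outbound esp sas:
"""


def parse_ipsec_sa(text):
    """Return endpoints, packet counters and the ESP SAs listed in one router's output."""
    sa = {"counters": {}, "inbound": [], "outbound": []}
    section, cur = None, None
    for line in (ln.strip() for ln in text.splitlines()):
        for name, value in re.findall(r"#\s*pkts (\w+):? (\d+)", line):
            sa["counters"][name] = int(value)
        for name, value in re.findall(r"#\s*(send|recv) errors (\d+)", line):
            sa["counters"][name + "_errors"] = int(value)
        if m := re.match(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)", line):
            sa["local"], sa["remote"] = m[1], m[2]
        elif m := re.match(r"current outbound spi: ([0-9A-Fa-f]+)", line):
            sa["current_spi"] = int(m[1], 16)
        elif m := re.match(r"(inbound|outbound) (\w+) sas:", line):
            section = m[1] if m[2] == "esp" else None  # AH and PCP sections are ignored
        elif section and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line)):
            cur = {"spi": int(m[1], 16)}
            sa[section].append(cur)
        elif cur and (m := re.match(r"transform: (.+?)\s*,", line)):
            cur["transform"] = m[1].split()
        elif cur and (m := re.match(r"in use settings\s*=\s*[{(]\s*(\w+)", line)):
            cur["mode"] = m[1]
    return sa


def cross_check(local_text, remote_text):
    """Findings for the tunnel as seen from both sides; an empty list means healthy."""
    a, b = parse_ipsec_sa(local_text), parse_ipsec_sa(remote_text)
    out = [f"{side}: no ESP SAs, phase 2 has not completed"
           for side, sa in (("local", a), ("remote", b)) if not (sa["inbound"] and sa["outbound"])]
    if out:
        return out
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        out.append("crypto endpoints do not line up between the two outputs")
    pairs = ((a["outbound"][0], b["inbound"][0]), (a["inbound"][0], b["outbound"][0]))
    for mine, theirs in pairs:  # each SA is one-way, so the SPIs pair up crosswise
        if mine["spi"] != theirs["spi"]:
            out.append(f"SPI 0x{mine['spi']:08X} has no counterpart on the other side")
        elif (mine["transform"], mine["mode"]) != (theirs["transform"], theirs["mode"]):
            out.append(f"SPI 0x{mine['spi']:08X}: transform or mode differs between peers")
    if a["current_spi"] != a["outbound"][0]["spi"]:
        out.append("local 'current outbound spi' is not the listed outbound SA")
    ca, cb = a["counters"], b["counters"]
    if ca["encaps"] != cb["decaps"] or cb["encaps"] != ca["decaps"]:
        out.append("encapsulated and decapsulated packet counts do not match")
    for side, c in (("local", ca), ("remote", cb)):
        if c.get("send_errors"):
            out.append(f"{side}: {c['send_errors']} send errors (packets the crypto engine "
                       "could not send, typically dropped while the SA was still being negotiated)")
    return out
```

With the lab's step-five outputs, `cross_check(R1_SHOW, R2_SHOW)` confirms the SPIs, transforms and counters agree and reports only R1's 14 send errors; with the step-three output in place of R1's it reports that no ESP SA exists, which is the state to expect before interesting traffic has been sent.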

Step six: show the resulting configuration

R1 # show run
hostname R1
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 10.1.1.2
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 10.1.1.2
set transform-set myset
match address 102
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Serial0
ip address 10.1.1.1 255.255.255.0
clockrate 64000
crypto map mymap
!
ip route 1.1.2.0 255.255.255.0 10.1.1.2
!
access-list 102 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255
!
end

R2 # show run
hostname R2
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 10.1.1.1
set transform-set myset
match address 102
!
interface Loopback0
ip address 1.1.2.1 255.255.255.0
!
interface Serial1
ip address 10.1.1.2 255.255.255.0
crypto map mymap
!
ip route 1.1.1.0 255.255.255.0 10.1.1.1
!
access-list 102 permit ip 1.1.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
end
