This document describes the configuration of a site-to-site VPN between four routers to connect two private networks. The routers are configured with IKE policies, crypto maps, and IPsec transform sets to establish encrypted tunnels between their interfaces. Tests show that, before the VPN, the private networks could reach the public network but were reachable neither from it nor from each other; with the VPN in place, the two private networks communicate over an encrypted tunnel.
Router R1:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
no ip domain lookup
no ip ips deny-action ips-interface
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 1800
crypto isakmp key miedkey address 172.16.3.253
!
crypto ipsec transform-set groupe3set esp-3des esp-md5-hmac
!
crypto map groupe3map 10 ipsec-isakmp
 set peer 172.16.3.253
 set transform-set groupe3set
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
!
interface Serial1/0
 ip address 196.1.95.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
 clock rate 64000
 crypto map groupe3map
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 196.1.95.253
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Serial1/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.4.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end
Router R2:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
no ip domain lookup
no ip ips deny-action ips-interface
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 196.1.95.253 255.255.255.0
 serial restart-delay 0
!
interface Serial1/1
 ip address 172.16.5.254 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/2
 ip address 172.16.3.254 255.255.255.0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip classless
ip route 172.16.6.0 255.255.255.0 172.16.5.253
no ip http server
no ip http secure-server
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end
Router R3:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
no ip domain lookup
no ip ips deny-action ips-interface
!
interface FastEthernet0/0
 ip address 172.16.6.254 255.255.255.0
 duplex half
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 172.16.5.253 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip classless
ip route 172.16.3.0 255.255.255.0 172.16.5.254
ip route 196.1.95.0 255.255.255.0 172.16.5.254
no ip http server
no ip http secure-server
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end
Router R4:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
no ip domain lookup
no ip ips deny-action ips-interface
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 1800
crypto isakmp key miedkey address 196.1.95.254
!
crypto ipsec transform-set groupe3set esp-3des esp-md5-hmac
!
crypto map groupe3map 10 ipsec-isakmp
 set peer 196.1.95.254
 set transform-set groupe3set
 match address 101
!
interface FastEthernet0/0
 ip address 172.16.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 ip address 172.16.3.253 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
 crypto map groupe3map
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.3.254
no ip http server
no ip http secure-server
!
! NAT for the private LAN; the excerpt read "ip nat source", corrected here to
! "ip nat inside source" to match the inside/outside roles set on the interfaces above
ip nat inside source list 1 interface Serial1/2 overload
!
access-list 1 permit 172.16.4.0 0.0.0.255
access-list 101 permit ip 172.16.4.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end
Verification: the private networks can now reach the public networks:
But the reverse is not possible:
Likewise, the private networks cannot see each other:
In the rest of this lab we set up a site-to-site VPN between private network 1 and private network 2:
The two private networks now communicate with each other:
Excerpt from the output of the show crypto ipsec sa command
Wireshark capture
Communication between the private networks is therefore encrypted.