Lab Manual
CCNP Security – SIMOS- (300-209)
Confidentiality and Secure Access
This lab manual covers detailed lab demonstrations, with explanations, for the CCIE Security
Version 4 VPN module.
CCIE Security Ver. 4 Lab Manual
DISCLAIMER
Disclaimer and “Terms of Use”
Reproduction or translation of content in this PDF document without the
author's written permission is prohibited. No content may be reproduced
without the express written permission of the author. A hyperlink from
another website to this document is permitted. You may download and
retain on your disk a single copy of the published material only for your
personal, non-commercial use, provided that you do not remove any
copyright or other proprietary notices. You may not otherwise copy,
display, download, modify, distribute, repost, transmit or sell all or part of
any material without the prior written permission of the author. You may
not mirror all or part of any material published by the author in this
document, and you may not inline any of the graphics contained in any
material. Anyone accessing this document is deemed to have read and
understood the above and to have agreed to it in its totality, absolutely and
without exception.
IF YOU DO NOT AGREE, please delete any copies you may possess.
Skype: ccie.sandeep12
Blog: cciesecurityv4solution.blogspot.in
Scenario: R1 and R3 are two sites of a company named ABC. R2 is the ISP in the
topology. R1 has private network simulated with the help of loopback interfaces.
Same is on R3. The objective of this lab is to connect R1 and R3 private networks
together using IPsec Site-To-Site VPN.
Lab Topology:
Basic Initialization:
Configure the routers shown in the topology:
R2, as the ISP, is going to have only two directly connected routes.
Configure R3; this is your remote site.
TASK
Configure an IPsec Tunnel between Router R1 and Router R3. Use the following
settings for the Tunnel:
ISAKMP Parameters
Authentication : Pre-shared
Group : 2
Encryption : 3DES
Hash: md5
Pre-Shared Key : cisco123
IPSec Parameters
Encryption : ESP-3DES
Authentication : ESP-SHA-HMAC
Interesting Traffic
All IP traffic between 10.1.1.0 and 10.1.3.0
All IP traffic between 10.1.1.0 and 10.1.4.0
All IP traffic between 10.1.2.0 and 10.1.3.0
All IP traffic between 10.1.2.0 and 10.1.4.0
Tunnel Endpoints
R1 F 0/0 to R3 F 0/0
Solution:
IPsec configuration generally goes in the five steps mentioned below:
1. Create ISAKMP policy
2. Create IPsec policy
3. Create an ACL to select interesting traffic
4. Create crypto map to link all the above parameters
5. Apply crypto map to the outgoing interface.
On R1:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
exit
crypto isakmp key 0 cisco123 address 192.1.23.3
int f0/0
 crypto map CMAP
exit
The same configuration goes on router R3 with a few changes here and there.
Copy the configuration from R1 so that we can make the required changes.
The fields that differ between the two peers (marked in red in the original
figure) must be changed; in the part shown here, that is the peer address in
the pre-shared key statement. The result, ready for R3 (the changed fields were
marked in blue in the original), is:
On R3:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
exit
crypto isakmp key 0 cisco123 address 192.1.12.1
Verification Commands:
show crypto isakmp sa
show crypto ipsec sa
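The fields that change between the two peers are easy to get wrong when a config is copied from one router to the other. The following Python script, an added example and not part of the lab manual, parses two IOS snippets constructed from this lab's values (R1 at 192.1.12.1, R3 at 192.1.23.3, the four interesting-traffic pairs) and checks the settings that must agree between peers, including that the crypto ACLs are mirror images; it also shows what is reported when R3's ACL is copied from R1 verbatim.

```python
"""Peer-consistency check for an IOS site-to-site IPsec pair (added example, not
from the lab manual).  The configs are constructed from the lab's values: R1 at
192.1.12.1 with 10.1.1.0/24 and 10.1.2.0/24 behind it, R3 at 192.1.23.3 with
10.1.3.0/24 and 10.1.4.0/24.  Settings that must agree between the two peers
are compared: ISAKMP policy, pre-shared key, peer addresses and crypto ACLs."""
import re
from ipaddress import IPv4Network

# One template for both sites; only the peer-specific fields differ.
SITE = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key 0 cisco123 address {peer}
{acl}
crypto map CMAP 10 ipsec-isakmp
 set peer {peer}
 set transform-set TSET
 match address 101
interface FastEthernet0/0
 ip address {local} 255.255.255.0
 crypto map CMAP
"""

def acl_lines(sources, destinations):
    """One crypto ACL entry per (source, destination) network pair."""
    return "\n".join(f"access-list 101 permit ip {s} 0.0.0.255 {d} 0.0.0.255"
                     for s in sources for d in destinations)

R1_NETS, R3_NETS = ("10.1.1.0", "10.1.2.0"), ("10.1.3.0", "10.1.4.0")
R1_CFG = SITE.format(local="192.1.12.1", peer="192.1.23.3", acl=acl_lines(R1_NETS, R3_NETS))
# Correct R3: peer fields swapped and the ACL mirrored (R3's networks as source).
R3_CFG_MIRRORED = SITE.format(local="192.1.23.3", peer="192.1.12.1", acl=acl_lines(R3_NETS, R1_NETS))
# Common mistake: R3's ACL copied from R1 verbatim instead of being mirrored.
R3_CFG_COPIED = SITE.format(local="192.1.23.3", peer="192.1.12.1", acl=acl_lines(R1_NETS, R3_NETS))

def parse_site(cfg):
    """Pull out the fields a peer must agree with; sub-commands are indented."""
    site = {"policy": {}, "acl": set(), "peer": None, "key": None,
            "key_addr": None, "local_addr": None}
    section, iface_addr = "", None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                      # top-level command
            section, iface_addr = line, None
            m = re.match(r"crypto isakmp key \d+ (\S+) address (\S+)", line)
            if m:
                site["key"], site["key_addr"] = m.groups()
            m = re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line)
            if m:                                         # wildcard mask -> network
                site["acl"].add((IPv4Network(m.group(1, 2)), IPv4Network(m.group(3, 4))))
        elif section.startswith("crypto isakmp policy"):
            attr, value = line.split(None, 1)
            site["policy"][attr] = value
        elif section.startswith("crypto map") and line.startswith("set peer "):
            site["peer"] = line.split()[2]
        elif section.startswith("interface"):
            if line.startswith("ip address "):
                iface_addr = line.split()[2]
            elif line.startswith("crypto map "):          # crypto map applied here
                site["local_addr"] = iface_addr
    return site

def check_pair(cfg_a, cfg_b, name_a="R1", name_b="R3"):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    a, b = parse_site(cfg_a), parse_site(cfg_b)
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy attributes differ")
    if a["key"] != b["key"]:
        problems.append("pre-shared keys differ")
    for x, y, nx, ny in ((a, b, name_a, name_b), (b, a, name_b, name_a)):
        if x["key_addr"] != y["local_addr"]:
            problems.append(f"{nx}: isakmp key address {x['key_addr']} is not {ny}'s outside address")
        if x["peer"] != y["local_addr"]:
            problems.append(f"{nx}: set peer {x['peer']} is not {ny}'s outside address")
    # Proxy identities are negotiated per ACL entry, so every (src, dst) on one
    # side must appear as (dst, src) on the other.
    mirror_of_b = {(dst, src) for src, dst in b["acl"]}
    for src, dst in sorted(a["acl"] ^ mirror_of_b):
        problems.append(f"crypto ACLs not mirrored around {src} -> {dst}")
    return problems

if __name__ == "__main__":
    for label, cfg in (("mirrored", R3_CFG_MIRRORED), ("copied", R3_CFG_COPIED)):
        print(label, check_pair(R1_CFG, cfg) or ["ok"])
```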
Now configure the tunnel interfaces on the routers. As this is a routing-based VPN,
what goes through the tunnel is decided by the routing table.
So we create a virtual tunnel interface with an unused private IP address assigned to it.
The tunnel source is your physical interface with the Public_IP,
and the destination is the remote site's interface with its Public_IP.
Read the message: interface Tunnel1 is up. Similarly, configure a tunnel interface
on R3.
Check the routing table on the R1 site. We have received routes for the private
networks on the R3 site.
All routes starting with "D" are learned through the tunnel. As you know, this is how we
can run an interior routing protocol across the Internet: the EIGRP packets were
encapsulated in public IPv4 packets and sent to the other site.
Also check the routes on R3. We have received routes for the private network on R1.
VERIFICATION:
Now that the sites have the routes, let's ping 10.1.1.1 from 10.4.1.1.
Also, you can configure line vty so we can telnet and check.
Note: though we have end-to-end reachability, all the packets are completely
exposed. The reason is that GRE is ENCAPSULATING the private packets into public
packets, not ENCRYPTING them. So if someone sniffs the link, he gets all
the information.
Next you see a snapshot of the sniff performed on this network.
Note: The output shows a Telnet packet sent from R1 to R3. GRE encapsulates
this Telnet packet from private source 192.168.1.1 to private
destination 10.1.3.1, and the data part shows the character "C", the first letter
used in the line vty password.
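To make the note above concrete, the following Python script, an added example that is not part of the lab manual, builds a GRE packet carrying a Telnet segment (modelled on the capture described: 192.168.1.1 to 10.1.3.1, one data byte "C") and an ESP packet (with stand-in opaque bytes, not real ciphertext), then parses both the way an observer on the ISP link could: the GRE packet's inner addresses, ports and data are fully readable, while the ESP packet yields only its SPI and sequence number.

```python
"""What an observer on the ISP link can read from GRE versus ESP tunnel packets.
Added example, not from the lab manual: the packets are constructed in code (not
captured) to model the lab's Telnet-over-GRE observation, and the "ESP" payload
is stand-in opaque bytes, not real ciphertext."""
import socket
import struct

TCP, GRE, ESP = 6, 47, 50

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def build_tcp(sport: int, dport: int, data: bytes) -> bytes:
    """20-byte TCP header, PSH|ACK, checksum left zero (not validated here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 4096, 0, 0) + data

def gre_over_ip(osrc, odst, isrc, idst, sport, dport, data):
    """Plain GRE (RFC 2784): flags/version 0, protocol type 0x0800 (IPv4)."""
    inner = build_ipv4(isrc, idst, TCP, build_tcp(sport, dport, data))
    return build_ipv4(osrc, odst, GRE, struct.pack("!HH", 0, 0x0800) + inner)

def esp_over_ip(osrc, odst, spi, seq, opaque):
    """ESP (RFC 4303): SPI and sequence number in clear, everything else opaque."""
    return build_ipv4(osrc, odst, ESP, struct.pack("!II", spi, seq) + opaque)

def inspect(packet: bytes) -> dict:
    """Parse one outer IPv4 packet as far as its encapsulation allows."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"outer_src": socket.inet_ntoa(packet[12:16]),
            "outer_dst": socket.inet_ntoa(packet[16:20]),
            "protocol": {GRE: "GRE", ESP: "ESP"}.get(proto, str(proto)),
            "cleartext": proto != ESP}             # ESP is the only one that encrypts
    body = packet[ihl:]
    if proto == ESP:
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
    elif proto == GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        inner = body[4:]
        for bit in (0x8000, 0x2000, 0x1000):      # C, K, S flags: 4 optional bytes each
            if flags & bit:
                inner = inner[4:]
        if ptype == 0x0800:                        # inner IPv4 is fully readable
            info["inner_src"] = socket.inet_ntoa(inner[12:16])
            info["inner_dst"] = socket.inet_ntoa(inner[16:20])
            if inner[9] == TCP:
                seg = inner[(inner[0] & 0x0F) * 4:]
                info["sport"], info["dport"] = struct.unpack("!HH", seg[:4])
                info["payload"] = seg[(seg[12] >> 4) * 4:]
    return info

# Constructed samples modelled on the lab: R1 (192.1.12.1) to R3 (192.1.23.3); the
# GRE one carries Telnet from 192.168.1.1 to 10.1.3.1 with the single byte "C".
SAMPLES = {
    "gre": gre_over_ip("192.1.12.1", "192.1.23.3", "192.168.1.1", "10.1.3.1", 54321, 23, b"C"),
    "esp": esp_over_ip("192.1.12.1", "192.1.23.3", 0x1A2B3C4D, 1, bytes(range(0x90, 0xA0))),
}

def report(packets: dict) -> list:
    """One finding per packet; unencrypted tunnels are flagged for follow-up."""
    out = []
    for name, pkt in packets.items():
        i = inspect(pkt)
        if i["cleartext"]:
            out.append(f"{name}: ALERT {i['protocol']} {i['outer_src']}->{i['outer_dst']} exposes "
                       f"{i.get('inner_src')}->{i.get('inner_dst')}:{i.get('dport')} data={i.get('payload')!r}")
        else:
            out.append(f"{name}: ok {i['protocol']} spi=0x{i['spi']:08x}, payload opaque")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLES)))
```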
Scenario: The objective of this lab is to secure the GRE tunnel traffic using IPsec.
Recommendation: This lab builds on the previous lab, so you can continue from
the previous lab.
Phase-II parameters: here we just specify the encryption and hash method;
the session key (traffic encryption key) is provided by ISAKMP, i.e. Phase-I.
Now we need to create an IPsec profile.
Then call the transform-set in the IPsec profile. This IPsec profile is used to
protect the traffic leaving the tunnel interface.
Apply the IPsec profile to protect the data going through the tunnel. For this you
need to go to the tunnel interface and enter:
tunnel protection ipsec profile {ipsec profile name}
In the above snapshot you see that the EIGRP neighbor relationship is down. The hold
time expires because R1 is sending, and expects to receive, IPsec packets, whereas R3
is not yet configured for IPsec, so the packets received from R3 are not IPsec packets.
Check the Wireshark output: all packets are encrypted using ESP.
Also take a look at the output for interface Tunnel 1; check the line highlighted
with the marker.
The IPsec profile named IPSEC_PROFILE is being used to encrypt the traffic sent over
the tunnel interface.
If you execute the "show crypto ipsec sa" command you would see that the
mode setting in use is still Tunnel (check the highlighted section in the above snapshot).
To change this you need to clear the existing SA and bring the tunnel up again,
and then check the output of "show crypto ipsec sa":
int tunnel 1
 shut
 no shut
exit
Copyrights @ 2014-2016, Inter-Networkz, Bangalore - IN, All Rights Reserved
cciesandeep12@gmail.com | Skype: ccie.sandeep12 Page 20
Now, as the entire packet is being encrypted, we do not need the GRE header, so
we set the tunnel mode to "ipsec ipv4".
DMVPN Phase-I/II/III
DMVPN Dual-Hub
Recommendation: You can use PIX firewall (8.0.X) for this lab.
Lab Topology:
Basic Initialization:
On R1:
int f0/0
 ip address 10.11.11.1 255.255.255.0
 no shut
exi
!
ip route 0.0.0.0 0.0.0.0 10.11.11.10
On R2:
int f0/0
 ip address 192.1.12.2 255.255.255.0
 no shut
exi
int f0/1
On R3:
int f0/0
 ip address 192.1.23.3 255.255.255.0
 no shut
exi
int loopback 0
 ip address 10.11.20.1 255.255.255.0
exi
ip route 0.0.0.0 0.0.0.0 192.1.23.2
On ASA:
int e1
 nameif inside
 ip address 10.11.11.10 255.255.255.0
 no shut
exi
int e2
 nameif outside
 ip address 192.1.12.10
 no shut
exi
! give a default gateway pointing to 192.1.12.2
route outside 0 0 192.1.12.2
Configure an IPsec Tunnel between Router R3 and ASA. Use the following
settings for the Tunnel:
ISAKMP Parameters
Authentication : Pre-shared
Diffie-Hellman Group : 2
Encryption : 3DES
Hash: md5
Pre-Shared Key : cisco123
IPsec Parameters
Encryption : ESP-3DES
Authentication : ESP-SHA-HMAC
Interesting Traffic
All IP traffic between 10.11.11.1 and 10.11.20.1
Tunnel Endpoints
ASA E2 to R3 F 0/0
Solution:
On R3:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
exit
crypto isakmp key 0 cisco123 address 192.1.12.10
int f0/0
 crypto map CMAP
exit
On ASA:
! Configure transform-set
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
! Configure ACL
access-list 101 permit ip host 10.11.11.1 host 10.11.20.1
VERIFICATION:
On ASA:
This time the ping does not work. You can fix this problem by exempting
traffic sourced from 10.11.11.0/24 and going towards the 10.11.20.0/24 network.
Recommendation: You can use PIX firewall (8.0.X) for this lab.
Configure an IPsec Tunnel between Router R3 and R1. Use the following settings
for the Tunnel:
ISAKMP Parameters
Authentication : Pre-shared
Group : 2
Encryption : 3DES
Hash: md5
Pre-Shared Key : cisco123
IPSec Parameters
Encryption : ESP-3DES
Authentication : ESP-SHA-HMAC
Interesting Traffic
All IP traffic between 10.11.11.1 and 10.11.20.1
Tunnel Endpoints
R1 F0/0 to R3 F 0/0
Translation
Statically translate R1 IP address to 192.1.11.1
ACL Entries
ACL Entries on ASA in inbound direction to allow IPsec.
Static Route
Static Route on R2 for IP address 192.1.11.1
Solution:
On R3:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
exit
crypto isakmp key 0 cisco123 address 192.1.11.1
int f0/0
 crypto map CMAP
exit
On R1:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
exit
crypto isakmp key 0 cisco123 address 192.1.23.3
int f0/0
 crypto map CMAP
exit
ACL:
Verification:
R3#ping 10.11.11.1 source 10.11.20.1
!!!!!
ASA(config)#
Recommendation: You can use PIX firewall (8.0.X) for this lab.
Lab Topology:
Configure an IPsec Tunnel between Router R3 and R1. Use the following settings
for the Tunnel:
ISAKMP Parameters
Authentication : Pre-shared
Group : 2
Encryption : 3DES
Hash: md5
Pre-Shared Key : cisco123
IPSec Parameters
Encryption : ESP-3DES
Authentication : ESP-SHA-HMAC
Interesting Traffic
All IP traffic between 10.11.11.1 and 10.11.20.1
Tunnel Endpoints
R1 F0/0 to R3 F 0/0
Translation: -NA-
ACL Entries
ACL Entries on ASA in inbound direction to allow IPsec.
Static Route
Static Route on R2 for IP address 192.1.10.0/24 next-hop ASA outside
interface IP.
On R3:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
exit
crypto isakmp key 0 cisco123 address 192.1.10.1
int f0/0
 crypto map CMAP
exit
ACL:
access-list ACL permit udp host 192.1.23.3 host 192.1.10.1 eq isakmp
access-list ACL permit esp host 192.1.23.3 host 192.1.10.1
Apply ACL to outside interface:
access-group ACL in interface outside
VERIFICATION:
!On R3
.!!!!
LAB TOPOLOGY:
Basic Initialization:
Pre-requisite: full end-to-end reachability is needed. For this you can run any interior
routing protocol.
Also, your key server cannot be a group member. We use the R5 loopback
(10.1.5.1/24) as the key server, since, being a loopback, it is accessible from any
interface.
Now check the routing table using the command: show ip route
Note: Make sure all nodes are reachable. Don't proceed further if you haven't
completed this step properly.
Output on R5:
On Group Member:
Debug:
Check that the ping which was working earlier is now not working.
Reason: R1 has registered itself with the key server, while R2, R3 and R4 are yet to
register.
Note: Ping from R1 to 10.1.3.1 and 10.1.4.1 is still failing because they are yet to
register themselves.
But if you do the ping shown below, it would succeed, as it is from source IP
7.7.15.1.
This is not interesting traffic, and so it goes unencrypted.
For this ping the Wireshark capture output is shown below the ping:
Check that the Phase-II parameters are available on the group members, as they are
pushed down by the key server.
Once the devices are up, ping from R6, all directly connected links.
Configuration on CA Server:
Step1: Configure the clock.
You can configure the clock manually or using NTP.
R5(config)#clock timezone IST 5 30
R5(config)#ntp master 1
or
R5(config)#do clock set 20:55:00 13 aug 2013
Step4: Enable the HTTP service, as clients are going to enroll for identity certificates
on port 80. To see the consequence of this command, skip it for now and come
back to enter it after step 5: you would see that even though you have executed
NO SHUTDOWN under the CA server, the CA server is still not UP.
R5(config)# ip http server
CN: CommonName
OU: OrganizationalUnit
O: Organization
L: Locality
S: StateOrProvinceName
C: CountryName
On the Clients:
Step1: Configure the Clock.
You can configure clock manually or using NTP.
At this moment only R1 has got the Session_Key from the KEY_SERVER.
This ping fails as R1 is sending encrypted traffic but R2 can't decrypt it, as R2 is
yet to register with the key server. Similarly, if R2 pings R1, R1 gets an error message:
You would see that on all four routers, i.e. R1, R2, R3 and R4, the SA lifetime is
different. The reason is that all are sharing the SAME key.
This is the only multi-point VPN from the perspective of IPsec,
as all peers use the same key provided by the KEY-SERVER.
LAB-6: DMVPN
Lab Topology:
Basic Initialization:
Here R1 is the HUB:
Initial configuration for the HUB/ SERVER.
Configuration on SPOKES:
On R3:
Verification: go to R1 (HUB) and check that R3 has dynamically registered with the NHS
server (R1).
This entry remains with the Next-Hop Server (NHS) for 2 hours; also observe that the
registration type is dynamic.
The mapping available is of type Static, which says that to reach the NHS server with IP
address 192.168.1.1/32 the corresponding public IP is 110.1.16.1. Also observe that this
entry never expires, as it is manually defined.
Recheck the NHS for the mapping: R4 and R5 have also registered.
As you have verified in the output on R3, there is only 1 mapping entry available in
the cache. Now we try a traceroute to 192.168.1.5, i.e. the IP address of R5's tunnel
interface.
The packet first goes to 192.168.1.1, i.e. the NHS, and then goes to 192.168.1.5,
so the packet takes 2 hops to reach the destination.
But during this process R3 requested the mapping to reach 192.168.1.5 from
the NHS.
Compare this with the snapshot given above.
This time the packet makes it to the destination in just 1 hop because R3 has the
mapping available in the cache.
DMVPN PHASE-II
On SPOKES:
int tunnel 1
 ip nhrp map multicast 110.1.16.1
exit
On HUB:
int tunnel 1
 ip nhrp map multicast dynamic
exi
On HUB:
int tunnel 1
 shut
exi
On All Spokes:
int tunnel 1
 shut
exi
On All Spokes:
int tunnel 1
 no shut
exi
Observe that all the private networks are reachable via 192.168.1.1, i.e. the HUB.
Now if you traceroute you would see traffic is routed through the HUB to the
SPOKE and does not go directly from SPOKE to SPOKE.
Reason: how traffic is routed is dictated by the routing table, and the routing table
entry says 10.4.1.1 is reachable via 192.168.1.1.
Verification: check the routing table entry on the SPOKES again and compare with
the earlier routing table output.
The mapping to reach 10.4.1.1 is downloaded from the NHS and remains in the cache
for 2 hours.
Now if you re-run the traceroute to 10.4.1.1 you would see the packet reach the destination in
1 hop.
DMVPN PHASE-III
Remove the changes made in the routing protocol on the HUB during PHASE-II.
On HUB:
int tunnel 1
 ip split-horizon eigrp 101
 ip next-hop-self eigrp 101
exi
On R1 (HUB):
int tunnel 1
 ip nhrp redirect
exit
On SPOKES:
int tunnel 1
 ip nhrp shortcut
exit
Verification:
Configuration on R1 (HUB-1)
int tunnel 1
 ip nhrp map 192.168.1.2 110.1.26.2
 ip nhrp map multicast 110.1.26.2
exi
Configuration on R2 (HUB-2)
Run EIGRP with AS 101.
int tunnel 1
 ip address 192.168.1.2 255.255.255.0
 tunnel source f0/0
 tunnel mode gre multipoint
 ip nhrp network-id 100
 ip nhrp map 192.168.1.1 110.1.16.1
 ip nhrp map multicast dynamic
 ip nhrp map multicast 110.1.16.1
 ip nhrp redirect
exi
On spokes:
int tunnel 1
 ip nhrp nhs 192.168.1.2
 ip nhrp map 192.168.1.2 110.1.26.2
 ip nhrp map multicast 110.1.26.2
! On R1
enable
conf t
int f0/0
 ip add 136.1.13.1 255.255.255.0
 no shut
exi
ip route 0.0.0.0 0.0.0.0 136.1.13.3
int loo 1
 ip add 10.1.1.1 255.255.255.0
int loo 2
 ip add 10.1.2.1
! On R2
ena
conf t
int s0/0
 ip add 136.1.24.2 255.255.255.0
 clock rate 1000000
 no shut
exi
int s0/1
 ip add 136.1.25.2 255.255.255.0
 clock rate 1000000
 no shut
exi
Setup Tuning:
If you check the routing table on R3, you would see that there are 2
routes to reach Loopback 0 on R2, i.e. 1.1.1.1.
Now if you traceroute from R3 to 1.1.1.1, you would find the
hops go through 136.1.34.0 and then 136.1.24.0.
When this path is down, the alternate route is moved into the routing
table.
!
Apart from this you would need a static route:
ip route 10.1.0.0 255.255.0.0 136.1.13.1
IPsec configuration on Router R1
! Step1:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
exi
crypto isakmp key 0 cisco123 address 1.1.1.1
! Step2:
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
exi
! Step3:
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
! Step4:
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 1.1.1.1
 set transform-set TSET
exi
! Step5:
! Apply crypto map CMAP on the outgoing interface
int f0/0
 crypto map CMAP
exit
Lab Topology:
Basic Configuration:
Router-R4
int f0/0
 ip address 192.1.100.1 255.255.255.0
 no shut
exi
int f0/1
 ip add 192.168.1.1 255.255.255.0
 no shut
exi
!
ip route 0.0.0.0 0.0.0.0 192.1.100.3
Router-R5
int f0/0
 ip address 192.1.100.2 255.255.255.0
 no shut
exi
int f0/1
 ip add 192.168.1.2 255.255.255.0
 no shut
exi
ip route 0.0.0.0 0.0.0.0 192.1.100.3
Router-R2
int f0/0
 ip address 192.168.1.5 255.255.255.0
 no shut
exit
int loopback 0
Router-R3
int f0/0
 ip address 192.1.100.3 255.255.255.0
 no shut
exi
int s0/0
Router-R1
int s0/0
 ip address 192.1.34.4 255.255.255.0
 no shut
exit
int loopback 0
 ip address 10.4.4.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.1.34.3
On the switch:
! Step2:
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
exit
! Step3:
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.4.4.0 0.0.0.255
! Step4:
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.34.4
 set transform-set TSET
 reverse-route static
exit
! Step5:
! Apply crypto map CMAP on the outgoing interface; "redundancy HA" ties it to
! the HSRP standby group named HA
int f0/0
 crypto map CMAP redundancy HA
exit
On EIGRP process:
router eigrp 100
 redistribute static
exi
Output:
SITE1 = Router R1
SITE2 = Router R4
SITE2 = Router R5
Now let's do a ping from 10.5.5.5 to 10.4.4.4 with a repeat value of 500.
ping 10.4.4.4 source 10.5.5.5 repeat 500
Ping output marked in yellow is from when interface F0/0 of R4 is UP.
Ping output marked in orange is from when interface F0/0 of R4 is
SHUT DOWN; for the next 10 seconds you get dots (.) in the ping output.
Ping output left unmarked is the ping packets going through R5.
LAB-1: Easy VPN with IOS Server and Cisco VPN Client
Software
Lab Topology:
Logical Setup:
Physical Setup:
Requirements:
Devices Used:
(a) Two PCs
(b) Two Routers: R3, R4
Basic Initialization:
Setup Layer 2:
On SW4:
Try to ping 192.1.20.2, which is the public IP address of your Easy VPN
server.
Connection in progress:
Once you get connected, you are prompted for the login username
and password.
Lab Topology:
Basic Initialization:
On R1:
int f0/0
 ip add 192.1.20.2 255.255.255.0
 no shut
exi
int loopback 1
 ip add 10.10.10.1 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.1.20.1
On R2:
int f0/0
 ip add 192.1.20.1 255.255.255.0
 no shut
exi
int f0/1
 ip add 192.1.30.1 255.255.255.0
 no shut
exi
On R3:
int f0/0
 ip add 192.1.30.3 255.255.255.0
 no shut
exi
int loopback 1
 ip add 192.168.10.1 255.255.255.0
exi
ip route 0.0.0.0 0.0.0.0 192.1.30.1
Verification: ping 192.1.20.2 from R3.
On R3:
Output:
On R3: the router connects as a client under group SALES1, and the
address assigned by the server from the pool is 10.11.11.1/24.
This address is installed on the interface Loopback10000.
Now notice that there is no translation on the router. We will come back
and verify this output again soon.
Now ping 10.10.10.1, the private network behind the Easy VPN server, from
the private network behind R3 (Loopback 1 = 192.168.10.1).
LAB-3: Easy VPN with IOS server and Router As Client in NEM
Mode
On R3:
no crypto ipsec client ezvpn EZC
Lab Topology:
Logical Setup:
Basic Initialization:
On R4
int f0/0
 ip add 10.11.11.1 255.255.255.0
 no shut
exi
!
ip route 0.0.0.0 0.0.0.0 10.11.11.10
!
ip http server
ip http secure-server
!
username admin privilege 15 password cisco
On PC:
Change adapter settings:
IP Address: 177.11.11.1
Mask: 255.255.255.0
Gateway: 177.11.11.10
On R5
int f0/0
On R6
int f0/0
Clientless VPN
on SSL VPN Server (R5):
Output:
Verification:
On PC:
Thin client
Continue with the previous configuration:
webvpn context SSL_CONTEXT
 port-forward "Applications"
  local-port 2200 remote-server "10.11.11.1" remote-port 23 description "Use this To Telnet To R4"
Verification:
Browse to https://192.1.20.10
Login using username admin password cisco
Full Client
Verification:
Browse to https://192.1.20.10
Login using username admin password cisco
After successful login you will be presented the page shown below.
Lab Topology:
Theory:
In IKEv1, i.e. Internet Key Exchange version 1, we have two PHASES:
PHASE-I and PHASE-II.
IKEv1 has two PHASES, where PHASE-I can work in two modes:
1. Main Mode: here 3 pairs of messages are exchanged, i.e. a total of 6
messages, for the establishment of the PHASE-I SA.
The PHASE-I SA is a bidirectional SA and is used for the secure exchange of the
Session_Key, which is used by the PHASE-II SA to securely send/receive
the user data.
2. Aggressive Mode: here only 3 messages are exchanged for the
establishment of the PHASE-I SA.
2. IKE_AUTH Message:
IKE_AUTH works over the IKE_SA created by the
IKE_SA_INIT message and is used to validate the identity of the peers
and negotiate the encryption, authentication and integrity
protocols to establish the first CHILD_SA for use by ESP/AH.
Peer validation methods available are:
- Pre-shared keys
- Certificates
- EAP (Extensible Authentication Protocol), like XAUTH.
Basic Initialization:
! On R1
conf t
int s1/0
 ip add 171.1.15.1 255.255.255.0
 no shut
exi
!
int loopback1
 ip add 10.1.1.1 255.255.255.0
exi
!
ip route 0.0.0.0 0.0.0.0 171.1.15.5
!
! On R2
conf t
int s1/0
 ip add 171.1.25.2 255.255.255.0
 no shut
exi
!
int loopback1
 ip add 10.1.2.2 255.255.255.0
exi
!
ip route 0.0.0.0 0.0.0.0 171.1.25.5
!
! On R5
conf t
int s1/0
 clock rate 1000000
 ip add 171.1.15.5
IKEv2 configuration on R1
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 2 5 14
exit
!
crypto ikev2 policy POLICY1
 proposal PROP1
exit
!
crypto ikev2 keyring KR1
 peer R2
  address 171.1.25.2 255.255.255.0
  pre-shared-key local R1cisco
  pre-shared-key remote R2cisco
!
crypto ikev2 profile R1R2
 match identity remote address 171.1.25.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
exit
!
access-list 101 permit ip host 10.1.1.1 host 10.1.2.2
!
crypto map CMAP 10 ipsec-isakmp
 set peer 171.1.25.2
 set transform-set TSET
 set ikev2-profile R1R2
 match address 101
exi
IKEv2 configuration on R2
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 2 5 14
exit
!
crypto ikev2 policy POLICY1
 proposal PROP1
exit
!
crypto ikev2 keyring KR1
 peer R1
  address 171.1.15.1 255.255.255.0
  pre-shared-key local R2cisco
  pre-shared-key remote R1cisco
!
crypto ikev2 profile R1R2
 match identity remote address 171.1.15.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
exit
!
access-list 101 permit ip host 10.1.2.2 host 10.1.1.1
!
crypto map CMAP 10 ipsec-isakmp
 set peer 171.1.15.1
 set transform-set TSET
 set ikev2-profile R1R2
 match address 101
exi
Verification:
show crypto ikev2 sa
show crypto ipsec sa
IKEv2 configuration on R3
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 2 5 14
exit
!
crypto ikev2 policy POLICY1
 proposal PROP1
exit
!
crypto ikev2 keyring KR1
 peer R4
  address 182.1.45.4 255.255.255.0
  pre-shared-key local R3cisco
  pre-shared-key remote R4cisco
exit
!
crypto ikev2 profile R3R4
 match identity remote address 182.1.45.4 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
exit
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set ikev2-profile R3R4
exi
!
interface Tunnel1
 ip address 192.168.10.3 255.255.255.0
 tunnel source Serial1/0
 tunnel mode ipsec ipv4
 tunnel destination 182.1.45.4
 tunnel protection ipsec profile IPSEC_PROFILE
exi
!
router eigrp 10
 no auto-summary
 ! the tunnel subnet is 192.168.10.0/24, matching R4's configuration
 network 192.168.10.0
 network 10.1.3.0
exi
!
IKEv2 configuration on R4
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 2 5 14
exit
!
crypto ikev2 policy POLICY1
 proposal PROP1
exit
!
crypto ikev2 keyring KR1
 peer R3
  address 182.1.35.3 255.255.255.0
  pre-shared-key local R4cisco
  pre-shared-key remote R3cisco
exit
!
crypto ikev2 profile R3R4
 match identity remote address 182.1.35.3 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
exit
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set ikev2-profile R3R4
exi
!
interface Tunnel1
 ip address 192.168.10.4 255.255.255.0
 tunnel source Serial1/0
 tunnel mode ipsec ipv4
 tunnel destination 182.1.35.3
 tunnel protection ipsec profile IPSEC_PROFILE
exi
!
router eigrp 10
 no auto-summary
 network 192.168.10.0
 network 10.1.4.0
exit
Verification:
ciscoasa> enable
Password: <Enter>
ciscoasa#
ciscoasa# show version
---------Output omitted-------------
!!!!!
ciscoasa(config-ikev2-policy)# ?
ciscoasa(config-ikev2-policy)# encryption ?
ciscoasa(config-ikev2-policy)# integrity ?
ciscoasa(config-ikev2-policy)# group ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
ciscoasa(config-ikev2-policy)# group 2 5
ciscoasa(config-ikev2-policy)# exi
ciscoasa(config-ipsec-proposal)# ?
ciscoasa(config-ipsec-proposal)# protocol ?
ciscoasa(config-ipsec-proposal)# exit
ciscoasa(config)# tunnel-group ?
ciscoasa(config)#
<cr>
ciscoasa(config-tunnel-ipsec)# ?
ciscoasa(config-tunnel-ipsec)# ikev2 ?
ciscoasa(config-tunnel-ipsec)# exit
Site-To-Site
Spoke-To-Spoke
Server-To-Client
SERVER SITE
R1(config)#int loo10
R1(config-if)#exit
R1(config)#
R1(config-if)#exit
R1(config)#
R1(config-ikev2-proposal)# group 2 5
R1(config-ikev2-proposal)# exit
R1(config)#
R1(config)#!IKEv2 Policy
R1(config-ikev2-policy)#proposal PROPOSAL1
R1(config-ikev2-policy)#exit
R1(config)#
R1(config)#!IKEv2 Keyring
R1(config-ikev2-keyring)#peer R3
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#exit
R1(config)#
R1(config-ikev2-profile)# virtual-template 1
R1(config-ikev2-profile)#exit
R1(config)#
R1(config)#
R1(config)#router eigrp 10
R1(config-router)#no auto-summary
R1(config-router)#network 192.168.10.0
R1(config-router)#network 10.1.1.0
R1(config-router)#end
R1#
R1#conf t
R1(config)#
R1(cfg-crypto-trans)#exit
R1(config)#
R1(ipsec-profile)#exit
R1(config)#
R1(config-if)#exit
R1(config)#end
R1#
CLIENT SITE
R3(config-ikev2-proposal)# exit
R3(config)#
R3(config)#!IKEv2 Policy
R3(config-ikev2-policy)#proposal PROPOSAL1
R3(config-ikev2-policy)#exit
R3(config)#
R3(config)#!IKEv2 Keyring
R3(config-ikev2-keyring)#peer R1
R3(config-ikev2-keyring-peer)#exit
R3(config-ikev2-keyring)#exit
R3(config)#
R3(config-ikev2-profile)#exit
R3(cfg-crypto-trans)#exit
R3(config)#
R3(ipsec-profile)#exit
R3(config)#
R3(config)#int tunn 1
R3(config-if)# exit
R3(config)#
R3(config)#router eigrp 10
R3(config-router)#netw 10.3.3.0
R3(config-router)#netw 192.168.10.0
R3(config-router)#exi
Pre-requisite: Load the initial configuration for all the devices in the topology from the
pre-configuration files.
Lab Topology:
Task:
Implement FlexVPN spoke-to-spoke. Configure R1 as the HUB. R3 and R4 are the spokes in
the topology, while R2 is working as the ISP. The objective is to communicate from spoke to
spoke, i.e. from R3 (10.3.3.0/24) to R4 (10.4.4.0/24).
Server: R1 (110.1.12.1/24)
Spokes: R3 (110.1.23.3/24) and R4 (110.1.24.4/24)
Private Network: 10.1.1.0/24
Network For Tunnel interface: 192.168.10.0/24
On Spokes:
Server: R1 (110.1.12.1/24)
Spokes: R3 (110.1.23.3/24) and R4 (110.1.24.4/24)
Private Network: R3 (10.3.3.0/24), R4 (10.4.4.0/24)
Network For Tunnel interface: 192.168.10.0/24
Local/Remote Authentication method: Pre-shared-key
Pre-shared-key: cisco123
Ikev2 Profile Name: IKEV2PROFILE
IPsec Profile Name: IPSEC
IP NHRP network-id: 100
Tunnel Interface: Tunnel1
Tunnel interface IP: negotiated
Tunnel source: S1/0
Tunnel destination: 110.1.12.1
Interior Routing Protocol: EIGRP-10
Solution : On AVI
R1(config)#
*Jul 11 11:48:10.959: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
R1(config)#
*Jul 11 11:48:11.427: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual- Access1,
changed state to down
*Jul 11 11:48:40.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual- Access1,
changed state to up
R1(config)#
*Jul 11 11:48:46.371: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.11
(Virtual-Access1) is up: new adjacency
R1#
R1#
*Jul 11 11:49:35.063: %SYS-5-CONFIG_I: Configured from console by consoler
Virtual-Access1 is assigned the IP address of Loopback 11, as we have given the command
"ip unnumbered loopback 11" under interface virtual-template 1 type tunnel.
R1#
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B – BGP D - EIGRP, EX - EIGRP
external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA
external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary,
L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static
route o - ODR, P - periodic downloaded static route, H - NHRP, l – LISP + - replicated route, % -
next hop override
R1#
On Client R4
R4(config)#
*Jul 11 11:53:23.879: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.1 (Tunnel1)
is up: new adjacency
R4#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override
R4#
R4#traceroute 10.3.3.3 source 10.4.4.4
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.10.1 40 msec 208 msec 216 msec
  2 192.168.10.11 256 msec * 196 msec
FlexVPN Server-Client
Pre-requisite: Load the initial configuration for all the devices in the topology from the pre-configuration files.
Lab Topology:
Task
Configure R1 as the FlexVPN server and R3 as the FlexVPN client. Make sure you are able to ping from the 10.3.3.0/24 network behind R3 to the 10.1.1.0/24 network behind R1.
Solution: On AVI
Verification:
On Client (R3)
R3(config)#
*Jul 12 09:31:56.735: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)#
*Jul 12 09:31:56.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
R3(config)#crypto ikev2 client flexvpn FLEXVPN
R3(config-ikev2-flexvpn)#peer 1 110.1.12.10
R3(config-ikev2-flexvpn)#connect auto
R3(config-ikev2-flexvpn)#client connect tunnel1
R3(config-ikev2-flexvpn)#end
R3#
R3#
*Jul 11 13:16:27.771: %SYS-5-CONFIG_I: Configured from console by console
R3#
*Jul 11 13:16:28.235: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEXVPN) Client_public_addr = 110.1.23.3 Server_public_addr = 110.1.12.10
R3#
*Jul 11 13:16:39.767: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R3#
*Jul 11 13:16:39.843: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEXVPN) Client_public_addr = 110.1.23.3 Server_public_addr = 110.1.12.10 Assigned_Tunnel_v4_addr = 192.168.10.6
R3#
R3#
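The FLEXVPN_CONNECTION_UP/DOWN, LINEPROTO and DUAL messages above (and the matching Virtual-Access1 and EIGRP messages on the R1 hub earlier in this section) are the operational trail of a FlexVPN session. The following Python script is an added example, not part of the lab manual or of Cisco IOS: it parses IOS console lines of these types into events, folds the FlexVPN messages into a per-client session state (server address, assigned tunnel address, up or down), measures how long a client took to come back up, and collects EIGRP neighbor state. The sample log is constructed from the R3 lines in this section with wrapped lines re-joined; the EIGRP line is adapted from the client output earlier and its timestamp is assumed.

```python
import re
from datetime import datetime

# Constructed sample (added example, not from the lab): R3 console lines from this
# section re-joined onto single lines, plus one EIGRP adjacency line adapted from the
# client output earlier in the section (its timestamp is assumed).
SAMPLE_LOG = [
    "R3#",
    "*Jul 11 13:16:28.235: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEXVPN) "
    "Client_public_addr = 110.1.23.3 Server_public_addr = 110.1.12.10",
    "*Jul 11 13:16:39.767: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, "
    "changed state to up",
    "*Jul 11 13:16:39.843: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEXVPN) "
    "Client_public_addr = 110.1.23.3 Server_public_addr = 110.1.12.10 "
    "Assigned_Tunnel_v4_addr = 192.168.10.6",
    "*Jul 11 13:16:46.371: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.1 "
    "(Tunnel1) is up: new adjacency",
]

# IOS console format: "*Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: message"
SYSLOG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+) = (\S+)")                      # "Client_public_addr = 110.1.23.3"
NBR_RE = re.compile(r"Neighbor (?P<neighbor>\S+) \((?P<iface>[^)]+)\) is (?P<state>up|down)")


def parse_line(line):
    """Parse one console line; return None for prompts and anything that is not syslog."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S.%f")  # year is irrelevant for deltas
    ev["severity"] = int(ev["severity"])
    if ev["facility"] == "FLEXVPN":
        ev["fields"] = dict(KV_RE.findall(ev["msg"]))
        ev["tunnel_state"] = "up" if ev["mnemonic"].endswith("_UP") else "down"
    elif ev["facility"] == "DUAL":
        n = NBR_RE.search(ev["msg"])
        if n:
            ev.update(n.groupdict())
    return ev


def flexvpn_sessions(lines):
    """Fold FlexVPN UP/DOWN messages into the latest state per client public address."""
    sessions = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["facility"] != "FLEXVPN":
            continue
        f = ev["fields"]
        s = sessions.setdefault(f.get("Client_public_addr"), {"transitions": 0})
        s["state"] = ev["tunnel_state"]
        s["server"] = f.get("Server_public_addr")
        # The assigned address is only present (and only meaningful) on the UP message.
        s["tunnel_ip"] = f.get("Assigned_Tunnel_v4_addr") if s["state"] == "up" else None
        s["last_change"] = ev["ts"]
        s["transitions"] += 1
    return sessions


def seconds_to_up(lines, client):
    """Seconds between a client's DOWN message and the UP that follows it (None if none)."""
    down_at = None
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["facility"] != "FLEXVPN":
            continue
        if ev["fields"].get("Client_public_addr") != client:
            continue
        if ev["tunnel_state"] == "down":
            down_at = ev["ts"]
        elif down_at is not None:
            return (ev["ts"] - down_at).total_seconds()
    return None


def eigrp_neighbors(lines):
    """Latest EIGRP neighbor state keyed by (neighbor address, interface)."""
    state = {}
    for line in lines:
        ev = parse_line(line)
        if ev and ev["facility"] == "DUAL" and "neighbor" in ev:
            state[(ev["neighbor"], ev["iface"])] = ev["state"]
    return state


if __name__ == "__main__":
    for client, s in flexvpn_sessions(SAMPLE_LOG).items():
        print(client, s["state"], s["server"], s["tunnel_ip"], s["transitions"])
    print("seconds to up:", seconds_to_up(SAMPLE_LOG, "110.1.23.3"))
    print("EIGRP:", eigrp_neighbors(SAMPLE_LOG))
```

Feeding a router's logging buffer or a syslog collector's file through flexvpn_sessions gives the same picture as the FLEXVPN messages read by eye: which clients are up, from which public address, and with which tunnel address, so that an unexpected client address or an unusually high transition count stands out.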
R3#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
Serial1/0                  110.1.23.3      YES manual up                    up
Loopback1                  10.3.3.3        YES manual up                    up
Tunnel1                    192.168.10.6    YES manual up                    up
R3#
R3#
R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static
R3#
R3#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.10.6/32
MTU 17886 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 110.1.23.3, destination 110.1.12.10
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1446 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "IPSEC")
On SERVER (R1)
R1(config)#
*Jul 11 13:14:13.747: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#
*Jul 11 13:16:27.947: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
*Jul 11 13:16:28.467: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
R1(config)#
*Jul 11 13:16:38.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Jul 11 13:16:39.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Once the client connects to the server, interface Virtual-Access1 is cloned from Virtual-Template1 and comes up dynamically; it is torn down again when the IKEv2 session ends.
R1(config)#
R1(config)#end
R1#
R1#
R1#show ip
*Jul 11 13:21:24.627: %SYS-5-CONFIG_I: Configured from console by console
R1#
R1#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
Serial1/0                  110.1.12.10     YES manual up                    up
Loopback1                  10.1.1.1        YES manual up                    up
Loopback11                 192.168.10.1    YES manual up                    up
Virtual-Access1            192.168.10.1    YES unset  up                    up
Virtual-Template1          192.168.10.1    YES unset  up                    down
R1#
R1#
R1#show interfaces virtual-access 1
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of Loopback11 (192.168.10.1)
MTU 17886 bytes, BW 100000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from Virtual-Template1
Vaccess status 0x4, loopback not set
Keepalive not set
R1#
R1#
R1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.12.10/500       110.1.23.3/500        none/none            READY
      Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/336 sec
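The SA line shows what IKEv2 actually negotiated for this lab: 3DES encryption, MD5-96 integrity, DH group 2 and pre-shared-key authentication. Reading this by hand on one router is easy; across a fleet of hubs it is worth automating. The following Python script is an added example, not part of the lab manual or of Cisco IOS: it parses the "show crypto ikev2 sa" table into one record per SA and audits the negotiated algorithms against a policy. The policy thresholds (3DES and DES, MD5-based hashes, DH groups 1, 2 and 5 flagged as "avoid"; SHA-1-96 and group 14 as "legacy") are this example's own assumption based on Cisco's Next Generation Encryption guidance, not a requirement of the lab task. The first sample is the R1 output above; the second, with AES-CBC-256/SHA256/group 19 and an assumed peer address, is constructed to show the same parser on a stronger proposal.

```python
import re

# Constructed sample (added example): the "show crypto ikev2 sa" output from R1 on this page.
SAMPLE_SA = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.12.10/500       110.1.23.3/500        none/none            READY
      Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/336 sec
"""

# Constructed comparison output: a stronger proposal with an assumed peer address (not from the lab).
SAMPLE_SA_STRONG = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         110.1.12.10/500       192.0.2.44/500        none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/12 sec
"""

# Table row: tunnel id, local/port, remote/port, fvrf/ivrf, status.
SA_ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<local>[\d.]+)/(?P<lport>\d+)\s+(?P<remote>[\d.]+)/(?P<rport>\d+)"
    r"\s+(?P<fvrf>\S+)/(?P<ivrf>\S+)\s+(?P<status>\S+)"
)
# Attribute lines under a row; each is searched independently so field order does not matter.
ATTR_RES = {
    "encr":    re.compile(r"Encr:\s*([^,]+)"),
    "keysize": re.compile(r"keysize:\s*(\d+)", re.IGNORECASE),
    "hash":    re.compile(r"Hash:\s*([^,]+)"),
    "dh":      re.compile(r"DH Grp:\s*(\d+)"),
    "sign":    re.compile(r"Auth sign:\s*([^,]+)"),
    "verify":  re.compile(r"Auth verify:\s*(\S+)"),
    "life":    re.compile(r"Life/Active Time:\s*(\d+)/"),
    "active":  re.compile(r"Life/Active Time:\s*\d+/(\d+)"),
}
INT_FIELDS = {"keysize", "dh", "life", "active"}


def parse_ikev2_sa(text):
    """Return one dict per SA: the table row plus the indented attribute lines under it."""
    sas, cur = [], None
    for line in text.splitlines():
        row = SA_ROW_RE.match(line)
        if row:
            cur = row.groupdict()
            cur["id"] = int(cur["id"])
            sas.append(cur)
            continue
        if cur is None:          # header lines before the first row
            continue
        for key, rx in ATTR_RES.items():
            m = rx.search(line)
            if m:
                cur[key] = int(m.group(1)) if key in INT_FIELDS else m.group(1).strip()
    return sas


# Policy thresholds are this example's assumption (Cisco NGE guidance), not a lab requirement.
AVOID_ENCR = {"DES", "3DES"}
AVOID_DH = {1, 2, 5}
LEGACY_DH = {14}


def audit_ikev2_sa(text):
    """Return a list of findings; level is "avoid", "legacy" or "info"."""
    findings = []
    for sa in parse_ikev2_sa(text):
        where = f"SA {sa['id']} {sa['local']} <-> {sa['remote']}"

        def flag(level, field, value, why):
            findings.append({"sa": where, "level": level, "field": field, "value": value, "why": why})

        encr = str(sa.get("encr", "")).upper()
        if encr in AVOID_ENCR:
            flag("avoid", "encr", sa["encr"], "64-bit block cipher")
        elif encr == "AES-CBC" and sa.get("keysize", 0) < 256:
            flag("info", "encr", sa["encr"], "AES-CBC with a key shorter than 256 bits")
        h = str(sa.get("hash", "")).upper()
        if h.startswith("MD5"):
            flag("avoid", "hash", sa["hash"], "MD5-based integrity")
        elif h == "SHA96":
            flag("legacy", "hash", sa["hash"], "SHA-1 (96-bit truncated) integrity")
        dh = sa.get("dh")
        if dh in AVOID_DH:
            flag("avoid", "dh", dh, "DH group with a modulus below 2048 bits")
        elif dh in LEGACY_DH:
            flag("legacy", "dh", dh, "2048-bit MODP; ECDH groups 19/20/21 preferred")
        if sa.get("sign") == "PSK" or sa.get("verify") == "PSK":
            flag("info", "auth", "PSK", "pre-shared key authentication; keys must be unique and high-entropy")
    return findings


if __name__ == "__main__":
    for label, text in (("lab", SAMPLE_SA), ("strong", SAMPLE_SA_STRONG)):
        for f in audit_ikev2_sa(text):
            print(label, f["sa"], f["level"], f["field"], f["value"], "-", f["why"])
```

On the lab output the audit returns three "avoid" findings (3DES, MD596, DH group 2) plus the PSK note; on the stronger proposal only the PSK note remains. The fix on the routers is in the IKEv2 proposal and IPsec transform set, which this lab does not cover; the script only tells you where to look.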