SECTION B
Objective:
The purpose of this lab was to set up a site-to-site VPN (Virtual Private Network) using IPSec with two different protections, ESP with DES encryption and AH.
Requirement:
Two Cisco 1800 series routers, one for each VPN site; a Cisco 2600 series router can be used as the Internet router. Because a switch was needed on the Toronto side, we used an 1801 router, which has switch ports.
Procedure:
In this scenario we set up a VPN between the Toronto and Vancouver routers. The steps were as follows. *The following configuration is for the Toronto router; the same configuration was also done on the Vancouver router.
Prepare to configure Virtual Private Network (VPN) support
Configure Internet Key Exchange (IKE) phase one
Configure IPSec parameters (phase two)
Configure IKE parameters and verify the IKE and IP Security (IPSec) configuration
Verify and test the IPSec configuration
1. Set up the lab scenario
2. Disable wireless access and other connections
3. Assign the IP settings
4. Test connectivity (between the two VPN terminators)
configuration mode.
2. Create an IKE policy to use pre-shared keys by completing the following sub-steps:
a. Set the policy priority and enter config-isakmp mode.
b. Set authentication and select pre-shared keys for this VPN
Toronto(config-isakmp)#authentication pre-share
c. Set Data Encryption Standard (IKE encryption)
Toronto(config-isakmp)#hash md5
f. Set the IKE security association (SA) lifetime to 24 hours
Toronto(config-isakmp)#lifetime 86400
1. Configure crypto access lists
The ACL defines which traffic between the perimeter routers is to be encrypted. Use the following parameters:
Toronto(config)#access-list 120 permit ip host 192.168.2.1 host 10.1.1.2
*Configuration for the Vancouver router in this step is as follows:
Vancouver(config)#access-list 120 permit ip host 10.1.1.2 host 192.168.2.1
2. Configure crypto maps
Set the name of the map, the map number, and the type of key exchange to be used.
Toronto(config)#crypto map mymap 10 ipsec-isakmp
Specify the extended ACL to use with this map.
Toronto(config-crypto-map)#match address 120
Specify the transform set defined earlier.
Toronto(config-crypto-map)#set transform-set mine
Assign the VPN peer using the host name or IP address of the peer.
Toronto(config-crypto-map)#set peer 120.1.1.2
Vancouver(config-crypto-map)#set peer 110.1.1.1
3. Apply the crypto map to an interface
Toronto(config)#interface vlan 1
Assign the crypto map to the interface.
Toronto(config-if)#crypto map mymap
*Configuration for the Vancouver router in this step is as follows:
Analyzer:
To compare the two IPSec protocols we needed an analyzer. On the Toronto side we used a Cisco 1801 router, which has switch ports, and configured SPAN (port mirroring) on it so that the analyzer could capture the traffic.
 authentication pre-share
!
crypto isakmp policy 111
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco1 address 120.1.1.2
!
!
crypto ipsec transform-set mine esp-des
crypto ipsec transform-set mine1 ah-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 120.1.1.2
 set transform-set mine
 match address 120
!
!
!
interface FastEthernet0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
!
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Vlan1
 ip address 110.1.1.1 255.255.255.0
 crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 110.1.1.2
!
!
no ip http server
no ip http secure-server
!
access-list 120 permit ip host 192.168.2.1 host 10.1.1.2
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
webvpn context Default_context
 ssl authenticate verify all
!
 no inservice
!
end
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
!
!
!
!
!
!
crypto isakmp policy 111
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco1 address 110.1.1.1
!
!
crypto ipsec transform-set mine esp-des
crypto ipsec transform-set mine1 ah-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 110.1.1.1
 set transform-set mine
 match address 120
!
!
!
!
interface FastEthernet0
 ip address 120.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 120.1.1.1
!
!
no ip http server
no ip http secure-server
!
access-list 120 permit ip host 10.1.1.2 host 192.168.2.1
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
webvpn context Default_context
 ssl authenticate verify all
!
 no inservice
!
end
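As an added example (not part of the lab report), the following Python script checks that the Toronto and Vancouver configurations above are mirror images of each other: each side's set peer must be the other side's crypto-map interface address, the crypto ACLs must be reversed copies, and both sides must apply the same transform set. It also flags an AH-only transform set, which authenticates but does not encrypt. The configuration excerpts are constructed from the lines quoted in this report.

```python
import re

# Excerpts constructed from the two running configurations quoted in this report
# (only the lines the check needs).
TORONTO = """\
crypto ipsec transform-set mine esp-des
crypto ipsec transform-set mine1 ah-md5-hmac
 set peer 120.1.1.2
 set transform-set mine
interface Vlan1
 ip address 110.1.1.1 255.255.255.0
 crypto map mymap
access-list 120 permit ip host 192.168.2.1 host 10.1.1.2
"""
VANCOUVER = """\
crypto ipsec transform-set mine esp-des
crypto ipsec transform-set mine1 ah-md5-hmac
 set peer 110.1.1.1
 set transform-set mine
interface FastEthernet0
 ip address 120.1.1.2 255.255.255.0
 crypto map mymap
access-list 120 permit ip host 10.1.1.2 host 192.168.2.1
"""

def parse(cfg):
    """Extract the crypto fields that must mirror between the two peers."""
    return {
        "peer": re.search(r"set peer (\S+)", cfg)[1],
        "tset": re.search(r"set transform-set (\S+)", cfg)[1],
        "tsets": dict(re.findall(r"ipsec transform-set (\S+) (\S+)", cfg)),
        "acl": re.search(r"permit ip host (\S+) host (\S+)", cfg).groups(),
        # address of the interface the crypto map is applied to
        "local": re.search(r"interface \S+\n ip address (\S+).*\n crypto map", cfg)[1],
    }

def check_pair(cfg_a, cfg_b):
    """Return the mismatches between two peers; an empty list means they agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if (a["peer"], b["peer"]) != (b["local"], a["local"]):
        problems.append("set peer does not match the other side's crypto-map interface")
    if a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACLs are not mirror images of each other")
    applied = a["tsets"][a["tset"]]
    if applied != b["tsets"][b["tset"]]:
        problems.append("applied transform sets differ")
    elif "esp" not in applied:
        problems.append(f"{applied} authenticates only; payload is sent in clear")
    return problems
```

Running check_pair(TORONTO, VANCOUVER) on the excerpts as quoted returns an empty list; swapping either side to the mine1 (AH) transform set makes the script report it.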
Observation:
Our group was able to implement the IPSec VPN successfully and ping between the two sites, and by using Wireshark on the analyzer we could compare AH and DES. We first set up AH and recognized that it is not secure: we were able to read all the information in Wireshark, because AH only authenticates the packet and does not encrypt it. With the DES configuration it was impossible to find any information; therefore DES is more secure. (DES itself, with its 56-bit key, is considered weak today; the difference observed here is encryption versus authentication only.)
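To make the Wireshark comparison concrete, here is an added Python dissector (not from the lab) that shows what a passive observer on the SPAN port can read from an AH packet versus an ESP packet. The sample packets are constructed in the code: the ESP ciphertext is random bytes standing in for DES output, and the AH integrity check value is zeroed since only its length matters here. It assumes tunnel mode, the crypto map default.

```python
import os
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; not needed for dissection)."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       to_bytes(src), to_bytes(dst))

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) for a packet starting with an IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    return (".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20])), pkt[9], pkt[ihl:])

def dissect(pkt):
    """What a passive observer on the SPAN port can read from one tunnelled packet."""
    src, dst, proto, body = parse_ipv4(pkt)
    out = {"outer": (src, dst)}
    if proto == 51:                                   # AH: header and payload are in clear
        nxt, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (plen + 2) * 4                       # payload length is in 32-bit words minus 2
        out.update(spi=spi, seq=seq, next_header=nxt)
        if nxt == 4:                                  # tunnel mode: inner IP packet follows the ICV
            isrc, idst, iproto, data = parse_ipv4(body[ah_len:])
            out.update(inner=(isrc, idst), inner_proto=iproto, data=data[8:])  # skip ICMP header
    elif proto == 50:                                 # ESP: only SPI and sequence are visible
        spi, seq = struct.unpack("!II", body[:8])
        out.update(spi=spi, seq=seq, ciphertext_len=len(body) - 8)
    return out

# Constructed sample packets: an ICMP echo from 192.168.2.1 to 10.1.1.2 carried between
# the tunnel endpoints 110.1.1.1 and 120.1.1.2, once under AH and once under ESP.
ICMP = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"lab secret"
INNER = ipv4_header("192.168.2.1", "10.1.1.2", 1, len(ICMP)) + ICMP
AH = struct.pack("!BBHII", 4, 4, 0, 0x1001, 7) + bytes(12) + INNER   # 12-byte HMAC-MD5-96 ICV, zeroed
AH_PKT = ipv4_header("110.1.1.1", "120.1.1.2", 51, len(AH)) + AH
ESP = struct.pack("!II", 0x2002, 7) + os.urandom(len(INNER) + 8)     # stand-in for the DES ciphertext
ESP_PKT = ipv4_header("110.1.1.1", "120.1.1.2", 50, len(ESP)) + ESP
```

dissect(AH_PKT) exposes the inner addresses, the inner protocol and the ICMP payload text, while dissect(ESP_PKT) yields only the outer addresses, SPI, sequence number and ciphertext length.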