
04/10/2015

VPN site to site packet tracer 5.3 lab - The Cisco Learning Network


VPN site to site packet tracer 5.3 lab


Created by Yasser Ramzy Auda, CCIE R&S #45694, CCSI #34215, CCNP Security, on 19 Dec 2010 12:22. Last modified by Yasser Ramzy Auda, CCIE R&S #45694, CCSI #34215, CCNP Security, on 19 Dec 2010 12:42.

First of all, you need to study well the concepts of IPsec, VPN types and cryptology before you read this document. It only shows you how to type the right commands on both router sides using Packet Tracer 5.3.
We will have the following topology:

[topology diagram not reproduced in this extract]

Notice that you will set a static route between the two routers, while in real life both would be connected through ISPs.

For router 1 we will type the following commands:
Router(config)#crypto isakmp enable    <=== enable IPsec (ISAKMP/IKE)
Router(config)#crypto isakmp policy 1    <=== set a new policy with number 1
Router(config-isakmp)#authentication pre-share    <=== use the pre-shared-key authentication method (if you use certificates, use rsa-sig instead of pre-share)
Router(config-isakmp)#encryption aes    <=== use the symmetric encryption algorithm AES
Router(config-isakmp)#hash sha    <=== use the hash algorithm SHA for data integrity
Router(config-isakmp)#group 2    <=== use Diffie-Hellman group 2
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 address 11.0.0.1 0.0.0.0    <=== 0 is the key that will be used with the next site; the next site's IP address is 11.0.0.1, and note that on Packet Tracer you use 0.0.0.0 instead of the subnet mask (on a real IOS router the form is crypto isakmp key 0 <keystring> address <peer> [mask], where the leading 0 only marks the key that follows as unencrypted)
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac    <=== set a transform set called yasser; ESP is the protocol that will be used (you can use AH on an internal VPN, but AH only authenticates and does not encrypt)
Router(config)#crypto ipsec security-association lifetime seconds 86400    <=== the key expires after 86400 seconds
Router(config)#ip access-list extended ramzy    <=== ACL called ramzy that tells which traffic will use the VPN tunnel
Router(config-ext-nacl)#permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp    <=== create a crypto map called auda with sequence number 100
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy    <=== link the above ACL to this crypto map
Router(config-crypto-map)#set peer 11.0.0.1    <=== link the next site's IP address to this crypto map
Router(config-crypto-map)#set pfs group2    <=== link DH group 2 (PFS) to this crypto map
Router(config-crypto-map)#set transform-set yasser    <=== link the above transform set to this crypto map
Router(config-crypto-map)#ex
Router(config)#int fa0/1    <=== apply crypto map auda to the interface that faces the next-site link
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#do wr
Building configuration...
[OK]
Router(config-if)#^Z
Router#

For router 0 we will type the following commands:
Router(config)#crypto isakmp enable
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption aes
Router(config-isakmp)#group 2
Router(config-isakmp)#hash sha
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 address 11.0.0.2 0.0.0.0
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac
Router(config)#crypto ipsec security-association lifetime seconds 86400
Router(config)#ip access-list extended ramzy
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 12.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy
Router(config-crypto-map)#set peer 11.0.0.2
Router(config-crypto-map)#set pfs group2
Router(config-crypto-map)#set transform-set yasser
Router(config-crypto-map)#exit
Router(config)#interface fastEthernet 0/1
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#exit
Router(config)#do wr
Building configuration...
[OK]
Router(config)#
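Almost every "phase 1 won't come up" or "SA shows but no ping" problem with this lab comes from the two sides not being mirror images: a different hash or DH group in the ISAKMP policy, a pre-shared key bound to the wrong peer address, a crypto ACL whose source and destination are not swapped relative to the other router, or PFS set on one side only. The following Python script is an added example and is not part of the original lab: it parses both configurations above (embedded as constructed running-config text) and lists every asymmetry that would stop IKE phase 1 or phase 2 from negotiating. The interface addresses 11.0.0.2 (router 1) and 11.0.0.1 (router 0) are an assumption taken from the show output further down the page; all other lines are the lab's own commands.

```python
from dataclasses import dataclass, field

# Constructed samples: the lab's two configurations in running-config form. The
# 'ip address' lines are an assumption taken from the show output (local addr
# 11.0.0.2, remote 11.0.0.1); the page does not list them.
ROUTER1_CFG = """crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto isakmp key 0 address 11.0.0.1 0.0.0.0
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
ip access-list extended ramzy
 permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
crypto map auda 100 ipsec-isakmp
 match address ramzy
 set peer 11.0.0.1
 set pfs group2
 set transform-set yasser
interface FastEthernet0/1
 ip address 11.0.0.2 255.0.0.0
 crypto map auda
"""

ROUTER0_CFG = """crypto isakmp policy 1
 authentication pre-share
 encryption aes
 group 2
 hash sha
crypto isakmp key 0 address 11.0.0.2 0.0.0.0
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
ip access-list extended ramzy
 permit ip 10.0.0.0 0.255.255.255 12.0.0.0 0.255.255.255
crypto map auda 100 ipsec-isakmp
 match address ramzy
 set peer 11.0.0.2
 set pfs group2
 set transform-set yasser
interface FastEthernet0/1
 ip address 11.0.0.1 255.0.0.0
 crypto map auda
"""

@dataclass
class Side:
    policy: dict = field(default_factory=dict)   # isakmp policy attribute -> value
    transform: tuple = ()                        # transform-set algorithms, sorted
    psk_peers: set = field(default_factory=set)  # peers a pre-shared key exists for
    acl: list = field(default_factory=list)      # (src, src_wc, dst, dst_wc) entries
    peer: str = ""                               # crypto map 'set peer'
    pfs: str = ""                                # crypto map 'set pfs'
    wan_ip: str = ""                             # address of the crypto-map interface

def parse_cfg(text):
    """Pull the IKE/IPsec-relevant settings out of an IOS-style configuration."""
    s, section = Side(), None
    for raw in text.splitlines():
        line, words = raw.strip(), raw.split()
        if raw and not raw.startswith(" "):
            section = None  # any top-level command ends the previous sub-mode
        if line.startswith("crypto isakmp policy"):
            section = "policy"
        elif line.startswith("crypto isakmp key"):
            s.psk_peers.add(words[words.index("address") + 1])
        elif line.startswith("crypto ipsec transform-set"):
            s.transform = tuple(sorted(words[4:]))
        elif line.startswith("ip access-list extended"):
            section = "acl"
        elif line.startswith("crypto map ") and line.endswith("ipsec-isakmp"):
            section = "map"
        elif line.startswith("interface "):
            section = "intf"
        elif section == "policy" and len(words) == 2:
            s.policy[words[0]] = words[1]
        elif section == "acl" and line.startswith("permit ip "):
            s.acl.append(tuple(words[2:6]))
        elif section == "map" and len(words) == 3 and words[0] == "set" and words[1] in ("peer", "pfs"):
            setattr(s, words[1], words[2])
        elif section == "intf" and line.startswith("ip address "):
            s.wan_ip = words[2]
    return s

def check_mirror(a, b):
    """Mismatches between two peers that keep IKE phase 1 or phase 2 from completing."""
    issues = []
    for attr in ("authentication", "encryption", "hash", "group"):
        if a.policy.get(attr) != b.policy.get(attr):
            issues.append(f"isakmp policy {attr}: {a.policy.get(attr)} vs {b.policy.get(attr)}")
    if a.transform != b.transform:
        issues.append(f"transform-set: {a.transform} vs {b.transform}")
    if a.pfs != b.pfs:
        issues.append(f"pfs: {a.pfs} vs {b.pfs}")
    for me, other in ((a, b), (b, a)):
        if me.peer != other.wan_ip:
            issues.append(f"set peer {me.peer} does not match the other side's address {other.wan_ip}")
        if other.wan_ip not in me.psk_peers:
            issues.append(f"no pre-shared key configured for peer {other.wan_ip}")
    # Crypto ACLs must be exact mirror images, or the phase 2 proxy identities disagree.
    if sorted(a.acl) != sorted((d, dw, s, sw) for (s, sw, d, dw) in b.acl):
        issues.append(f"crypto ACLs are not mirror images: {a.acl} vs {b.acl}")
    return issues

if __name__ == "__main__":
    print(check_mirror(parse_cfg(ROUTER1_CFG), parse_cfg(ROUTER0_CFG)))        # [] for the lab
    print(check_mirror(parse_cfg(ROUTER1_CFG),
                       parse_cfg(ROUTER0_CFG.replace("hash sha", "hash md5"))))  # one hash mismatch
```

For the lab configurations the checker returns an empty list; changing a single attribute on one side (the second call swaps router 0's hash to MD5) produces exactly one finding, which is the kind of one-line difference that is easy to miss when comparing two running configs by eye.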

Now let's go to router 0 and run some show commands:

Router#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Router#

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
11.0.0.1        11.0.0.2        QM_IDLE           1062    0 ACTIVE

IPv6 Crypto ISAKMP SA

Router#

Router#show crypto map
Crypto Map "auda" 100 ipsec-isakmp
        Peer = 11.0.0.1
        Extended IP access list ramzy
            access-list ramzy permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
        Current peer: 11.0.0.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): Y
        Transform sets={
                yasser,
        }
        Interfaces using crypto map auda:
                FastEthernet0/1

Router#

Router#sh crypto ipsec transform-set
Transform set yasser: { esp-aes esp-sha-hmac }
   will negotiate = { Tunnel, },

Router#

Now let's make PC0 ping PC1 and look at the IPsec SAs:

Router#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: auda, local addr 11.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 11.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 11.0.0.2, remote crypto endpt.: 11.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x12D96D50(316239184)

     inbound esp sas:
      spi: 0x590D14F4(1494029556)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:1, crypto map: auda
        sa timing: remaining key lifetime (k/sec): (4525504/86170)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x12D96D50(316239184)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: FPGA:1, crypto map: auda
        sa timing: remaining key lifetime (k/sec): (4525504/86170)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
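The fields above are what you actually check when a tunnel misbehaves: one ISAKMP SA in state QM_IDLE with status ACTIVE, encaps and decaps counters that both increase when PC0 pings PC1 (encaps without decaps means the far side never answered), every ESP SA with Status: ACTIVE, and, on real hardware, replay detection support Y (Packet Tracer reports N here). The Python script below is an added example, not part of the original lab: it parses the show output above, embedded as constructed sample text, plus a constructed variant of the ISAKMP SA table with an SA marked "(deleted)" and an empty table, and turns each into a pass/fail verdict. Everything it matches on is a string visible in the output above; no other IOS fields are assumed.

```python
import re

# Constructed sample: the lab's 'show crypto isakmp sa' output (healthy tunnel).
ISAKMP_OK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
11.0.0.1        11.0.0.2        QM_IDLE           1062    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""
# Constructed variants: an SA being torn down, and no SA at all.
ISAKMP_STALE = ISAKMP_OK.replace("1062    0 ACTIVE", "1044    0 ACTIVE (deleted)")
ISAKMP_EMPTY = "IPv4 Crypto ISAKMP SA\n\nIPv6 Crypto ISAKMP SA\n"

# Constructed sample: the lab's 'show crypto ipsec sa', abridged to the lines used here.
IPSEC_SA = """\
interface: FastEthernet0/1
    Crypto map tag: auda, local addr 11.0.0.2
   local  ident (addr/mask/prot/port): (12.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 11.0.0.1 port 500
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 0
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0x590D14F4(1494029556)
        replay detection support: N
        Status: ACTIVE
     outbound esp sas:
      spi: 0x12D96D50(316239184)
        replay detection support: N
        Status: ACTIVE
"""

# One row of the IPv4 ISAKMP SA table: dst src state conn-id slot status
ISAKMP_ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<state>\S+)\s+"
    r"(?P<conn>\d+)\s+(?P<slot>\d+)\s+(?P<status>.+?)\s*$",
    re.M,
)

def phase1_status(text):
    """Judge IKE phase 1 from 'show crypto isakmp sa'; returns (healthy, reason)."""
    rows = [m.groupdict() for m in ISAKMP_ROW.finditer(text)]
    if not rows:
        return False, "no ISAKMP SA: phase 1 never completed (peer reachability, key or policy)"
    for r in rows:
        # Only QM_IDLE + ACTIVE is a usable SA; "ACTIVE (deleted)" or MM_* states are not.
        if r["state"] != "QM_IDLE" or r["status"] != "ACTIVE":
            return False, f"SA {r['src']} -> {r['dst']} is {r['state']} / {r['status']}"
    return True, "phase 1 established"

def phase2_status(text):
    """Summarise IPsec SA health from 'show crypto ipsec sa' as a dict of findings."""
    pkts = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}
    errs = re.search(r"#send errors (\d+), #recv errors (\d+)", text)
    statuses = re.findall(r"Status: (\S+)", text)
    replay = re.findall(r"replay detection support: (\S)", text)
    encaps, decaps = pkts.get("encaps", 0), pkts.get("decaps", 0)
    return {
        "encaps": encaps,
        "decaps": decaps,
        # Traffic must flow both ways; encaps with zero decaps points at the return path
        # (routing, a crypto ACL that is not mirrored, or NAT between the peers).
        "bidirectional": encaps > 0 and decaps > 0,
        "all_sas_active": bool(statuses) and all(s == "ACTIVE" for s in statuses),
        "replay_protection": bool(replay) and all(r == "Y" for r in replay),
        "send_errors": int(errs.group(1)) if errs else 0,
        "recv_errors": int(errs.group(2)) if errs else 0,
    }

if __name__ == "__main__":
    for sample in (ISAKMP_OK, ISAKMP_STALE, ISAKMP_EMPTY):
        print(phase1_status(sample))
    print(phase2_status(IPSEC_SA))
```

On the lab output phase 1 passes and phase 2 reports bidirectional traffic with all SAs active; the "(deleted)" variant fails phase 1 with the offending row named, which is the state to look for when the SA table shows an entry but pings still fail.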

Packet Tracer file:

yasser ramzy auda
CCNA, CCNA Security, CCNA Voice, CCDA, CCNP, CCIP, CCNP Security (CCSP).
vpn1.pkt.zip (7.0K)



8 Comments

sami, 24 Nov 2012 22:12

Thank You Mr. yasser ..^__^..

Christian Quiroga, 01 Mar 2013 08:58

Thanks

hpardo1987, 07 Apr 2013 05:05

I tried using these same settings (different IPs) with a 2811 in the middle acting as the internet, made sure I could ping all the way through using NAT overload to all the public-facing IPs, but not to where I could ping the private IPs of the other network. I tried to build the tunnel but my phase 1 ISAKMP tunnel won't build its SA peer..... I followed your configs exactly with adjustments for my IPs... will this not work on Packet Tracer with another router acting as a cloud? If anyone wants to try and help me out I can email them the saved file from Packet Tracer.

Rahul, 03 Jun 2014 09:53

Hi,

I am entering the IPsec command "Router(config)#crypto ipsec transform-set OES esp-aes esp-sha-hmac" but it takes me into a sub-category "Router(cfg-crypto-trans)#". This is happening on a Cisco 2911, but when I use this command on Packet Tracer I don't get it. Am I doing something wrong?

NetwrkRyan, 03 Nov 2014 09:40

Good work!

danisimanjuntak, 30 Mar 2015 21:19

Good job!

ganesh, 19 Apr 2015 08:05

Sir, when I give the command show crypto isakmp sa:

Router#sh cr is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
11.0.0.2        11.0.0.1        QM_IDLE           1044    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

and I am not able to ping another PC.

CARLOS, 27 May 2015 16:47

Great Work!!!


https://learningnetwork.cisco.com/docs/DOC10756
