Lab Diagram
During your session you will have access to the following lab configuration.
Depending on the exercises you may or may not use all of the devices, but they are
shown here in the layout to get an overall understanding of the topology of the lab.
[Lab diagram (image not reproduced). Labels legible on it: Internet; ISP1 172.14.0.3/24; ISP2 172.14.0.4/24; Frame-Relay WAN; routers NYEDGE1, NYEDGE2 and NYWAN1 (Cisco 2911), LDNWAN1, NWRKWAN1; switches NYCORE1 and NYCORE2 (Cisco 3750v2-24PS) and NYACCESS1 (Cisco 2960-24); PLABCSCO01, the Cisco Tools Server, with Lab NIC 192.168.16.10/24; a Cisco IP Phone; network 172.16.16.0/24; interface labels Ser0/0/0, Ser0/0/1, Ser0/1/0, Ser0/1/1, Gi0/0, Gi0/1, Fas0/1, Fas0/23, Fas0/24, Fas1/0/1, Fas1/0/2, Fas1/0/12, Fas1/0/22, Fas1/0/23, Fas1/0/24. Devices used in this lab: NYEDGE1, NYEDGE2, NYCORE1, NYCORE2, NYACCESS1, PLABCSCO01.]
Text in RED indicates a task that needs to be copied, with the corresponding answer(s), to the Lab Report.
Each exercise details which terminal you are required to work on to carry out the steps.
During the boot-up process an activity indicator is displayed in the device name tab:
If the remote terminal is not displayed automatically in the main window (or popup), click the Connect icon in the toolbar to start your session.
Copyright Notice
This document and its content is copyright of Practice-IT - Practice-IT 2014. All rights reserved. Any
redistribution or reproduction of part or all of the contents in any form is prohibited other than the
following:
1) You may print or download to a local hard disk extracts for your personal and non-commercial use
only.
2) You may copy the content to individual third parties for their personal use, but only if you
acknowledge the website as the source of the material. You may not, except with our express written
permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any
other website or other form of electronic retrieval system.
Diagram
[Diagram (image not reproduced): NYEDGE1 and NYEDGE2 joined by an IPsec tunnel between their Gi0/1 interfaces, addressed 172.14.0.1/24 and 172.14.0.2/24. Loopbacks: Loop 1 10.10.0.1/24 and Loop 2 10.10.1.1/24 on NYEDGE1; Loop 1 10.10.4.1/24 and Loop 2 10.10.5.1/24 on NYEDGE2.]
Step 2
Once PLABCSCO01 is powered on, connect to the desktop and launch the Cisco Configuration Professional (CCP) software; there is a shortcut on the desktop, highlighted in the screenshot below.
When the software launches, you can safely ignore the Java message by clicking the Later button.
When CCP launches, enter the community settings for NYEDGE1 and NYEDGE2. They have the IP addresses 192.168.16.1 and 192.168.16.2 respectively, and both use the same username and password, ciscosdm/ciscosdm.
Check the Discover all devices checkbox in the bottom left of the window, then click OK.
Step 3
Once the devices have been discovered, ensure 192.168.16.1 (this is NYEDGE1) is highlighted and click the Configure button at the top.
Note: If you get an error about a device being undiscoverable, close CCP and start over from Step 2. This can happen if CCP is unable to discover the router because of network latency.
Expand Security > VPN, then click the Site-to-Site VPN link.
Ensure the Create a site to site VPN folder tab is selected, then click the Launch the selected task button (you may need to scroll down the page to find it).
Step 4
Once the wizard launches, click the Step-by-step wizard radio button then click
Next.
Step 5
On the VPN Connection information page, ensure the following settings are
configured:
Step 6
At the IKE Proposals page, click the Add button to add a new proposal so that you understand the process (the default proposal in the list could simply be accepted).
Step 7
In the Add IKE Policy dialog box, configure the following settings:
Priority: 2
Authentication: PRE_SHARE
Encryption: AES_256
Hash: SHA_1
Lifetime: 24 0 0
Step 8
Back on the IKE Proposals page, notice the new policy that has been added.
Click Next.
Step 9
At the Transform Set page, click Add (again, so that you understand the process).
Step 10
From the Add Transform Set dialog box, configure the following settings:
Name: Strong
Leave the Data Integrity with encryption (ESP) checkbox checked.
Step 11
Back on the Transform Set page, ensure your transform set called Strong is selected
then click Next.
Step 12
In the Traffic to protect page, you want to protect traffic going between loopback 1 and loopback 2 of the respective routers. The subnets are as follows:
NYEDGE1: Loop 1 > 10.10.0.0/24
NYEDGE1: Loop 2 > 10.20.1.0/24
Enter the respective source and destination networks, as shown in the screenshot below:
Step 13
At the Summary of the Configuration page, click Finish.
Step 14
You first need to save the configuration to a file on the desktop.
On the Deliver Configuration to Device dialog box, click Save to file.
Step 15
On the Save File dialog box, keep the default name (CC-CLI-dd-month-YYYY.txt).
Verify that the Desktop button on the left is selected, then click Save.
Step 16
Back on the Deliver Configuration to Device dialog box, click Deliver.
Step 17
On the Commands Delivery Status dialog box, click OK.
Step 18
Once you have clicked OK, you will notice that the state of the VPN is down.
Minimize the CCP software.
Step 19
From the desktop of PLABCSCO01, right-click the file CC-CLI-dd-month-YYYY.txt that you just saved and select Open.
Task 1: Take a screenshot of the Notepad window showing the site-to-site VPN configuration file for router NYEDGE1. Include the screenshot in the Lab Report.
Step 1
Connect to NYEDGE2. If you reviewed the configuration script applied to NYEDGE1, you will see that we now need to make the same CLI changes by hand, this time reversing some of the settings (the ACLs, for example).
The first step is to configure the access list. Rather than using the naming convention that CCP uses, we will create a named extended ACL called S2SNYEDGE1:
NYEDGE2>enable
NYEDGE2#configure terminal
Enter configuration commands, one per line.
NYEDGE2(config-ext-nacl)# exit
NYEDGE2(config)#
Step 2
Next we configure the same transform set that we built using CCP. Use the following
commands to configure this:
NYEDGE2(config)#crypto ipsec transform-set Strong esp-sha-hmac esp-aes 256
NYEDGE2(cfg-crypto-trans)# mode tunnel
NYEDGE2(cfg-crypto-trans)# exit
NYEDGE2(config)#
Step 3
Next we need to configure the crypto map. To do this, use the following commands. Note that you will get a warning message about the peer address; don't worry about this, as you configure the peer during this step:
NYEDGE2(config)#crypto map NYEDGE1MAP 1 ipsec-isakmp
NYEDGE2(config-crypto-map)# set transform-set Strong
NYEDGE2(config-crypto-map)# set peer 172.16.1.1
NYEDGE2(config-crypto-map)# match address S2SNYEDGE1
NYEDGE2(config-crypto-map)# exit
NYEDGE2(config)#
Step 4
Next we need to configure the pre-shared key and map this to the Gi0/1 IP address
on NYEDGE1:
NYEDGE2(config)#crypto isakmp key cisco123 address 172.16.1.1
Step 5
Next we create the ISAKMP policy:
NYEDGE2(config)#crypto isakmp policy 1
NYEDGE2(config-isakmp)#authentication pre-share
NYEDGE2(config-isakmp)#encryption aes 256
NYEDGE2(config-isakmp)#hash sha
NYEDGE2(config-isakmp)#group 2
NYEDGE2(config-isakmp)#lifetime 86400
NYEDGE2(config-isakmp)#exit
NYEDGE2(config)#exit
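The CCP side (Steps 7, 10 and 12 above) and the CLI side (Steps 1 to 5 here) have to agree: the ISAKMP policy, the transform set, the pre-shared key bound to the correct peer address, and crypto ACLs that are mirror images of each other. The following script, an added example rather than part of the lab or of IOS, parses two running-config extracts and reports where the two halves disagree. The configurations it contains are constructed: the tunnel interface addresses 172.16.1.1 and 172.16.1.2, the ACL name SDM_1 on NYEDGE1, the ACL entries and the key are assumed values.

```python
"""Cross-check the two halves of an IOS site-to-site IPsec VPN.
Added example, not part of the lab. NYEDGE1's config (as CCP delivers it) and
NYEDGE2's (as typed at the CLI) are constructed below; the interface addresses
172.16.1.1/172.16.1.2, the ACL names and entries and the key are assumed values.
"""
import re

NYEDGE1_CFG = """\
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.1.2
crypto ipsec transform-set Strong esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set Strong
 match address SDM_1
ip access-list extended SDM_1
 permit ip 10.10.0.0 0.0.0.255 10.10.4.0 0.0.0.255
interface GigabitEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 crypto map SDM_CMAP_1
"""

NYEDGE2_CFG = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.1.1
crypto ipsec transform-set Strong esp-sha-hmac esp-aes 256
crypto map NYEDGE1MAP 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set Strong
 match address S2SNYEDGE1
ip access-list extended S2SNYEDGE1
 permit ip 10.10.4.0 0.0.0.255 10.10.0.0 0.0.0.255
interface GigabitEthernet0/1
 ip address 172.16.1.2 255.255.255.0
 crypto map NYEDGE1MAP
"""

# IOS ISAKMP policy defaults; values left at default do not appear in the config.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}


def parse(cfg):
    """Extract the VPN-relevant parts of an IOS configuration into a dict."""
    d = {"isakmp": {}, "psk": {}, "tsets": {}, "cmaps": {}, "acls": {}, "applied": (None, None)}
    ctx, ip = None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level command: opens a new context
            ctx = None
            if m := re.match(r"crypto isakmp policy (\d+)", line):
                ctx, d["isakmp"][m[1]] = ("isakmp", m[1]), dict(ISAKMP_DEFAULTS)
            elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                d["psk"][m[2]] = m[1]
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                d["tsets"][m[1]] = tuple(sorted(m[2].split()))  # IOS accepts any order
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                ctx, d["cmaps"][m[1]] = ("cmap", m[1]), {}
            elif m := re.match(r"ip access-list extended (\S+)", line):
                ctx, d["acls"][m[1]] = ("acl", m[1]), []
            elif re.match(r"interface ", line):
                ctx = ("iface", None)
            continue
        kind, name = ctx or (None, None)
        if kind == "isakmp":
            key, _, val = line.partition(" ")  # 'encr' in running-config, 'encryption' when typed
            d["isakmp"][name]["encryption" if key.startswith("encr") else key] = val
        elif kind == "cmap" and (m := re.match(r"(set peer|set transform-set|match address) (\S+)", line)):
            d["cmaps"][name][m[1]] = m[2]
        elif kind == "acl" and (m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)):
            d["acls"][name].append(m.groups())  # (src, src-wildcard, dst, dst-wildcard)
        elif kind == "iface" and (m := re.match(r"(ip address|crypto map) (\S+)", line)):
            if m[1] == "ip address":
                ip = m[2]
            else:
                d["applied"] = (ip, m[2])  # local tunnel address and the map bound to it
    return d


def check_pair(cfg_a, cfg_b):
    """Return the mismatches between two peers' configs; an empty list means they agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    ip_a, cm_a = a["applied"][0], a["cmaps"].get(a["applied"][1], {})
    ip_b, cm_b = b["applied"][0], b["cmaps"].get(b["applied"][1], {})
    findings = []
    if not any(pa == pb for pa in a["isakmp"].values() for pb in b["isakmp"].values()):
        findings.append("no ISAKMP (IKE phase 1) policy matches on both peers")
    if cm_a.get("set peer") != ip_b or cm_b.get("set peer") != ip_a:
        findings.append("crypto map peers do not point at each other's interface address")
    if ip_b not in a["psk"] or a["psk"][ip_b] != b["psk"].get(ip_a):
        findings.append("pre-shared keys differ or are bound to the wrong peer address")
    if a["tsets"].get(cm_a.get("set transform-set")) != b["tsets"].get(cm_b.get("set transform-set")):
        findings.append("IPsec transform sets differ")
    acl_a = set(a["acls"].get(cm_a.get("match address"), []))
    acl_b = set(b["acls"].get(cm_b.get("match address"), []))
    if {(dst, dw, src, sw) for (src, sw, dst, dw) in acl_a} != acl_b:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
```

`check_pair(NYEDGE1_CFG, NYEDGE2_CFG)` returns an empty list for the two constructed configs; swapping the NYEDGE2 ACL entry to the 10.10.5.0/24 loopback, or typing a different cipher in its ISAKMP policy, produces the matching finding. The script only tests that the two sides agree, not how strong the agreed settings are.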
Step 6
Finally we need to apply the crypto map to the interface (Gi0/1):
NYEDGE2#configure terminal
Enter configuration commands, one per line.
In the output you can see that no packets have been encrypted or decrypted. This is helpful when diagnosing a VPN, as sometimes you can see packets being encrypted but not decrypted, or vice versa.
Let's initiate some traffic: ping from NYEDGE1 with a source IP address of 10.10.0.1 to 10.10.4.1:
NYEDGE1#ping ip 10.10.4.1 source 10.10.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.4.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.0.1
.....
Success rate is 0 percent (0/5)
NYEDGE2
NYEDGE2#configure terminal
Enter configuration commands, one per line.
interface: GigabitEthernet0/1
Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1
Notice that the counters for encrypted and decrypted packets have gone up by 4, and that our ping received 4 replies.
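The counter comparison described above (nothing before the ping, encrypted and decrypted both up by 4 afterwards, with the missing fifth echo lost while IKE negotiated the SA) can be automated. The script below, an added example and not part of the lab, parses two snapshots of show crypto ipsec sa output and states what each pattern of counter movement points to. The snapshots are constructed in the layout IOS prints; the peer address 172.16.1.2 and the counter values are assumed.

```python
"""Read the packet counters of 'show crypto ipsec sa' before and after a test ping.
Added example, not from the lab: the two snapshots below are constructed in the
layout IOS uses; the peer address 172.16.1.2 and the counter values are assumed.
"""
import re

# Counters as they stand right after the crypto map is applied: nothing has flowed yet.
BEFORE = """\
interface: GigabitEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.4.0/255.255.255.0/0/0)
   current_peer 172.16.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# The same output after 'ping ip 10.10.4.1 source 10.10.0.1' (5 echoes sent, 4 replied)
AFTER = (BEFORE
         .replace("encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
                  "encaps: 4, #pkts encrypt: 4, #pkts digest: 4")
         .replace("decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
                  "decaps: 4, #pkts decrypt: 4, #pkts verify: 4"))

# One SA block: the local/remote identities followed by its encaps and decaps counters
SA_RE = re.compile(
    r"local  ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)\s*"
    r"remote ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\).*?"
    r"#pkts encaps: (\d+),.*?#pkts decaps: (\d+),", re.DOTALL)


def parse_sa(text):
    """Map (local subnet, remote subnet) -> (encaps, decaps) for every SA in the output."""
    return {(f"{ln}/{lm}", f"{rn}/{rm}"): (int(enc), int(dec))
            for ln, lm, rn, rm, enc, dec in SA_RE.findall(text)}


def diagnose(before, after, sent=None):
    """Compare two snapshots and explain what the counter movement means for each SA."""
    b = parse_sa(before)
    report = []
    for key, (enc, dec) in parse_sa(after).items():
        enc0, dec0 = b.get(key, (0, 0))
        d_enc, d_dec = enc - enc0, dec - dec0
        if d_enc == 0 and d_dec == 0:
            verdict = ("nothing matched this SA: check that the test traffic falls inside "
                       "the crypto ACL and that a route to the remote subnet exists")
        elif d_dec == 0:
            verdict = ("outbound only: packets leave encrypted but none come back; check the "
                       "peer's mirrored crypto ACL, its return route, and any filtering of "
                       "ESP or UDP/500 between the peers")
        elif d_enc == 0:
            verdict = ("inbound only: the peer's packets are decrypted here but replies are "
                       "not encrypted; check the local crypto ACL and routing")
        else:
            verdict = "tunnel is passing traffic in both directions"
            if sent is not None and d_enc < sent:
                verdict += f" ({sent - d_enc} of {sent} echoes lost while IKE negotiated the SA)"
        report.append({"local": key[0], "remote": key[1],
                       "encaps": d_enc, "decaps": d_dec, "verdict": verdict})
    return report


if __name__ == "__main__":
    for sa in diagnose(BEFORE, AFTER, sent=5):
        print(f"{sa['local']} -> {sa['remote']}: +{sa['encaps']} encaps, "
              f"+{sa['decaps']} decaps: {sa['verdict']}")
```

Paste the real command output captured before and after the ping into BEFORE and AFTER to use it on the lab routers; the one-directional verdicts are the cases the text mentions, where packets are encrypted but never decrypted or vice versa.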
You can also use the debug crypto engine packet command. A word of extreme caution, however: this is a fairly noisy debug, so do not use it in a production environment unless you really know what you are doing!
Enable this debug on NYEDGE2, then re-issue a ping from NYEDGE1:
(Hex-dump debug output omitted)
You have successfully built a VPN using both the CLI and CCP software!
Task 6: Take a screenshot of the CCP software on PLABCSCO01 monitoring encrypted and decrypted packets. Include the screenshot in the Lab Report.
Summary
You covered the following activities in this module:
You used the CCP software to build half of a site-to-site VPN between two routers.
You configured the second half of the site-to-site VPN using the CLI.
You confirmed the configuration of the VPN by testing it and seeing packets being encrypted and decrypted.
You also monitored the VPN status using the CCP software.
This concludes the Implementing IOS IPsec Site-to-Site VPN with Pre-Shared Key Authentication lab. Save the Lab Report and submit it to the iLab DropBox in week 6.