
Introduction

The Implementing IOS IPSec site-to-site VPN with pre-shared key authentication module provides you with the instructions and Cisco hardware to develop your hands-on skills in the following topics:
1) Implement an IOS IPSec site-to-site VPN using CCP and the CLI

Lab Diagram
During your session you will have access to the following lab configuration. Depending on the exercises you may or may not use all of the devices, but they are shown here in the layout to get an overall understanding of the topology of the lab.

[Lab topology diagram: ISP1 (172.14.0.3/24) and ISP2 (172.14.0.4/24) towards the Internet; a Frame-Relay WAN joining NYWAN1 (Cisco 2911 Router), LDNWAN1 and NWRKWAN1; NYEDGE1 and NYEDGE2 (Cisco 2911 Routers); NYCORE1 and NYCORE2 (Cisco 3750v2-24PS Switches); NYACCESS1 (Cisco 2960-24 Switch) with a Cisco IP Phone; PLABCSCO01 (Cisco Tools Server, Lab NIC 192.168.16.10/24); a 172.16.16.0/24 segment. Interfaces labelled in the diagram: Ser0/0/0, Ser0/0/1, Ser0/1/0, Ser0/1/1, Gi0/0, Gi0/1, Fas0/1, Fas0/23, Fas0/24, Fas1/0/1, Fas1/0/2, Fas1/0/12, Fas1/0/22, Fas1/0/23, Fas1/0/24.]

Connecting to your Lab

In this module you will be working on the following equipment to carry out the steps defined in each exercise.

NYEDGE1
NYEDGE2
NYCORE1
NYCORE2
NYACCESS1
PLABCSCO01

Text in RED indicates a task that needs to be copied with the corresponding answer(s) to the Lab Report.
Each exercise will detail which terminal you are required to work on to carry out the steps.
During the boot-up process an activity indicator will be displayed in the device name tab:

Black - Powered Off
Orange - Working on your request
Green - Ready to access

If the remote terminal is not displayed automatically in the main window (or popup), click the Connect icon located in the toolbar to start your session.

Copyright Notice
This document and its content are copyright of Practice-IT - Practice-IT 2014. All rights reserved. Any
redistribution or reproduction of part or all of the contents in any form is prohibited other than the
following:
1) You may print or download to a local hard disk extracts for your personal and non-commercial use
only.
2) You may copy the content to individual third parties for their personal use, but only if you
acknowledge the website as the source of the material. You may not, except with our express written
permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any
other website or other form of electronic retrieval system.

Exercise 1 - Implement an IOS IPSec site-to-site VPN using CCP and the CLI

In this exercise you will configure a site-to-site VPN using Cisco CCP for NYEDGE1 and the CLI on NYEDGE2. VPNs are very common in the workplace as they either provide a cost-effective link across a public network (the Internet) or, in some cases, a secure connection across a private network.

Diagram

[Exercise diagram: NYEDGE1 Gi0/1 172.14.0.1/24 and NYEDGE2 Gi0/1 172.14.0.2/24 joined by an IPSEC Tunnel. NYEDGE1 has Loop 1 10.10.0.1/24 and Loop 2 10.10.1.1/24; NYEDGE2 has Loop 1 10.10.4.1/24 and Loop 2 10.10.5.1/24.]

Configuring NYEDGE1 using CCP

Step 1
Ensure you have powered on PLABCSCO01 so that you can use the CCP software located on this server.
Before proceeding, make sure the screen resolution is suitable for working in the CCP window. Click Settings in the upper right corner of the window.
The Personal Setting window appears. This allows you to customize the resolution and window type of the lab.
Make sure the Open Microsoft devices in a popup window option is On. Then, under Resolution, click Smaller or Bigger as needed until the resolution is 1024x768. Then click Save. This resolution works well with the CCP software window; you can always change the resolution to higher or lower as needed.

Step 2
Once PLABCSCO01 is powered on, connect to the desktop and launch the Cisco Configuration Professional (CCP) software; there is a shortcut on the desktop, highlighted in the screenshot below.

When the software launches, you can safely ignore the Java message by clicking the Later button.
When CCP launches, enter the community settings for NYEDGE1 and NYEDGE2. They have the IP addresses 192.168.16.1 and 192.168.16.2 respectively, and both use the same username and password of ciscosdm/ciscosdm.
Check the Discover all devices checkbox in the bottom left of the window, then click OK.

Step 3
Once the devices have been discovered, ensure 192.168.16.1 (this is NYEDGE1) is highlighted and click the Configure button at the top.
Note: If you get a message about a device being undiscoverable, close CCP and start over with Step 2. This can happen if the CCP software is unable to discover the router because of network latency.

Expand Security > VPN, then click the Site-to-Site VPN link.

On the right the task page will appear.

Ensure the Create a site to site VPN tab is selected, and scroll down to click the Launch the selected task button (you might need to scroll down the page).

Step 4
Once the wizard launches, click the Step-by-step wizard radio button then click
Next.

Step 5
On the VPN Connection information page, ensure the following settings are
configured:

Select the interface for this VPN connection: GigabitEthernet0/1

Peer identity: Ensure Peer with static IP address is selected

IP Address of the remote peer: 172.16.1.2

Authentication: Select Pre-shared Keys and use a password of cisco123

Once you are happy with the settings, click Next.

Step 6
At the IKE proposals page, click the Add button to add a new proposal so you
understand this process (we could accept the default proposal in the list).

Step 7
In the Add IKE Policy dialog box, configure the following settings:

Priority: 2

Authentication: PRE_SHARE

Encryption: AES_256

D-H Group: Group2

Hash: SHA_1

Lifetime: 24 0 0

Once you have entered in the details, click OK.

Step 8
Back on the IKE Proposals page, notice the new policy that has been added.
Click Next.

Step 9
At the Transform Set page, again so you understand the process, click Add.

Step 10
From the Add Transform Set dialog box, configure the following settings:

Name: Strong

Leave the checkbox checked for Data Integrity with encryption (ESP)

Integrity Algorithm: ESP_SHA_HMAC

Encryption Algorithm: ESP_AES_256

You can leave the advanced settings as default.

Once you are happy, click OK.

Step 11
Back on the Transform Set page, ensure your transform set called Strong is selected
then click Next.

Step 12
In the Traffic to protect page, you want to protect traffic going between loopback 1 and loopback 2 of each respective router. The subnets are as follows:
NYEDGE1: Loop 1 > 10.10.0.0/24
NYEDGE1: Loop 2 > 10.20.1.0/24
NYEDGE2: Loop 1 > 10.10.4.0/24
NYEDGE2: Loop 2 > 10.20.5.0/24

These can be summarised as follows:
NYEDGE1: 10.10.0.0/23
NYEDGE2: 10.10.4.0/23

Enter the information for the respective source and destination networks, as shown in the screenshot below:

Once you have entered the subnets, click Next.

Step 13
At the Summary of the Configuration page, click Finish.

Step 14
First, save the configuration to a file on the desktop.
On the Deliver Configuration to Device dialog box, click Save to file.

Step 15
On the Save File dialog box, keep the default name (CC-CLI-dd-month-YYYY.txt). Verify that the Desktop button on the left is selected, then click Save.

Step 16
Back on the Deliver Configuration to Device dialog box, click Deliver.

Step 17
On the Commands Delivery Status dialog box, click OK.

Step 18
Once you have clicked OK you will notice that the state of the VPN is down.
Minimize CCP software.

Step 19
From desktop of PLABCSCO01, right-click on the file CC-CLI-dd-month-YYYY.txt
that you just saved, and select Open.

Task 1: Take screenshot of the notepad window showing the VPN site-to-site
configuration file in router NYEDGE1. Include the screenshot in the Lab Report.

Continue to configure NYEDGE2.

Configuring NYEDGE2 using the CLI

Next we will configure the peer router NYEDGE2 using the CLI so that we have covered both configuration methods.

Step 1
Connect to NYEDGE2. If you reviewed the configuration script applied to NYEDGE1, you will see that we ultimately need to make the same CLI changes by hand, this time reversing some of the settings (the ACL, for example).
The first step is to configure the access list. Rather than using the naming convention that CCP uses, we will create a named ACL called S2SNYEDGE1:
NYEDGE2>enable
NYEDGE2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE2(config)#ip access-list extended S2SNYEDGE1
NYEDGE2(config-ext-nacl)#permit ip 10.10.4.0 0.0.1.255 10.10.0.0 0.0.1.255
NYEDGE2(config-ext-nacl)#exit
NYEDGE2(config)#

Step 2
Next we configure the same transform set that we built using CCP. Use the following commands to configure this:
NYEDGE2(config)#crypto ipsec transform-set Strong esp-sha-hmac esp-aes 256
NYEDGE2(cfg-crypto-trans)#mode tunnel
NYEDGE2(cfg-crypto-trans)#exit
NYEDGE2(config)#

Step 3
Next we need to configure the crypto map. To do this use the following commands. Note that you will get a warning message about the peer address; don't worry about this, as you will configure it during this step:
NYEDGE2(config)#crypto map NYEDGE1MAP 1 ipsec-isakmp
NYEDGE2(config-crypto-map)#set transform-set Strong
NYEDGE2(config-crypto-map)#set peer 172.16.1.1
NYEDGE2(config-crypto-map)#match address S2SNYEDGE1
NYEDGE2(config-crypto-map)#exit
NYEDGE2(config)#

Step 4
Next we need to configure the pre-shared key and map this to the Gi0/1 IP address
on NYEDGE1:
NYEDGE2(config)#crypto isakmp key cisco123 address 172.16.1.1

Step 5
Next we create the ISAKMP policy:
NYEDGE2(config)#crypto isakmp policy 1
NYEDGE2(config-isakmp)#authentication pre-share
NYEDGE2(config-isakmp)#encryption aes 256
NYEDGE2(config-isakmp)#hash sha
NYEDGE2(config-isakmp)#group 2

NYEDGE2(config-isakmp)#lifetime 86400
NYEDGE2(config-isakmp)#exit
NYEDGE2(config)#exit

Step 6
Finally we need to apply the crypto map to the interface (Gi0/1):
NYEDGE2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE2(config)#interface gigabitEthernet 0/1
NYEDGE2(config-if)#crypto map NYEDGE1MAP
NYEDGE2(config-if)#exit
NYEDGE2(config)#exit
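The CLI steps above only work if NYEDGE2's settings are the mirror image of what CCP delivered to NYEDGE1. The following script is an added example, not part of the lab, that pulls the peer-sensitive settings out of both configs and reports any mismatch before you try to bring the tunnel up. The NYEDGE1 snippet is an assumed hand-written equivalent of the CCP-generated config (the page does not show CCP's ACL name, so S2SNYEDGE2 is made up); the NYEDGE2 snippet is the lab's CLI.

```python
import re
from ipaddress import ip_network

# Constructed sample: NYEDGE2's CLI from this lab, and an assumed NYEDGE1 config equivalent to
# what CCP delivers (the page does not show CCP's generated ACL name, so S2SNYEDGE2 is made up).
NYEDGE1_CFG = """\
ip access-list extended S2SNYEDGE2
 permit ip 10.10.0.0 0.0.1.255 10.10.4.0 0.0.1.255
crypto ipsec transform-set Strong esp-sha-hmac esp-aes 256
crypto isakmp key cisco123 address 172.16.1.2
crypto isakmp policy 2
 authentication pre-share
 encryption aes 256
 hash sha
 group 2
 lifetime 86400
"""
# NYEDGE2 mirrors NYEDGE1: ACL name, peer address and ACL source/destination swap over.
NYEDGE2_CFG = (NYEDGE1_CFG.replace("S2SNYEDGE2", "S2SNYEDGE1").replace("172.16.1.2", "172.16.1.1")
               .replace("10.10.0.0 0.0.1.255 10.10.4.0 0.0.1.255", "10.10.4.0 0.0.1.255 10.10.0.0 0.0.1.255"))

def parse_site(cfg):
    """Extract the settings of one tunnel end that must agree with the peer."""
    s = {"acl": [], "policy": {}, "transform": None, "psk": None}
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            # ipaddress accepts IOS wildcard (host) masks directly: 0.0.1.255 -> /23
            s["acl"].append((ip_network(f"{m[1]}/{m[2]}"), ip_network(f"{m[3]}/{m[4]}")))
        elif m := re.match(r"(authentication|encryption|hash|group|lifetime) (.+)$", line):
            s["policy"][m[1]] = m[2]
        elif m := re.match(r"crypto isakmp key (\S+) address \S+$", line):
            s["psk"] = m[1]
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            s["transform"] = m[1]
    return s

def check_pair(a, b):
    """Return mismatch descriptions for the two ends; an empty list means they agree."""
    problems = []
    # Crypto ACLs must be mirror images, or one end encrypts traffic the other will not accept.
    if sorted(a["acl"]) != sorted((dst, src) for src, dst in b["acl"]):
        problems.append("crypto ACLs are not mirror images")
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy parameters differ")
    if a["transform"] != b["transform"]:
        problems.append("IPsec transform sets differ")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    return problems
```

For the lab's pair, check_pair(parse_site(NYEDGE1_CFG), parse_site(NYEDGE2_CFG)) returns an empty list; change one side's hash or wildcard mask and the mismatch is named.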

Verifying the VPN

Finally we want to verify that the VPN works. We need to initiate some traffic to test this, but first let's look at some counters.
On NYEDGE1 use the show crypto ipsec sa command:
NYEDGE1>enable
NYEDGE1#show crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.0.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (10.10.4.0/255.255.254.0/0/0)
current_peer 172.16.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/ source 10.10.0.11
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
(Output omitted)

In the output you can see that no packets have been encrypted or decrypted. This is helpful when diagnosing a VPN, as sometimes you can see packets being encrypted but not decrypted, or vice versa.
Let's initiate some traffic: ping from NYEDGE1 with a source IP address of 10.10.0.1 to 10.10.4.1:
NYEDGE1#ping ip 10.10.4.1 source 10.10.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.4.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.0.1
.....
Success rate is 0 percent (0/5)

Task 2: Take a screenshot showing unsuccessful connectivity between 10.10.4.1 and 10.10.0.1. Include the screenshot in the Lab Report.

Notice the ping fails!

Viewing the output of the show crypto ipsec sa command still shows no encrypted packets. We need to go back to basics: there are no routes on the routers for the remote loopback subnets, so the traffic never reaches the interface where the crypto map is applied!
Add routes on both routers:
NYEDGE1
NYEDGE1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE1(config)#ip route 10.10.4.0 255.255.254.0 172.16.1.2
NYEDGE1(config)#exit

NYEDGE2
NYEDGE2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
NYEDGE2(config)#ip route 10.10.0.0 255.255.254.0 172.16.1.1

Retry the ping from NYEDGE1:

NYEDGE1#ping ip 10.10.4.1 source 10.10.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.4.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.0.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Task 3: Take a screenshot showing successful connectivity between 10.10.4.1 and 10.10.0.1. Include the screenshot in the Lab Report.

How do we know the packets are encrypted?

NYEDGE1#show crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.0.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (10.10.4.0/255.255.254.0/0/0)
current_peer 172.16.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
(Output omitted)

Notice that the counters for encrypted and decrypted packets have gone up by 4, and that our ping was answered 4 times (the first echo was lost while ISAKMP negotiated the tunnel).

Task 4: Take a screenshot of the show crypto ipsec sa command output showing 4 packets encrypted and decrypted. Include the screenshot in the Lab Report.
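The "encrypted but not decrypted, or vice versa" rule of thumb above is easy to turn into a tool. The script below is an added example, not part of the lab: it parses the counter lines from two show crypto ipsec sa snapshots (constructed here in the lab's own format), takes the delta and says which side of the tunnel to look at.

```python
import re

# Two "show crypto ipsec sa" snapshots, constructed in the lab's output format: the first
# before any traffic, the second after the 5-packet ping that received 4 replies.
BEFORE_PING = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
"""
AFTER_PING = """\
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors 0, #recv errors 0
"""

def parse_sa_counters(text):
    """Pull the per-SA packet and error counters out of show crypto ipsec sa output."""
    counters = {name: int(val) for name, val in re.findall(r"#pkts (\w+): (\d+)", text)}
    if errors := re.search(r"#send errors (\d+), #recv errors (\d+)", text):
        counters["send_errors"], counters["recv_errors"] = map(int, errors.groups())
    return counters

def diagnose(before, after):
    """Compare two snapshots; return the deltas and what they mean for the tunnel."""
    keys = ("encrypt", "decrypt", "digest", "verify", "send_errors", "recv_errors")
    delta = {k: after.get(k, 0) - before.get(k, 0) for k in keys}
    if delta["encrypt"] == 0 and delta["decrypt"] == 0:
        # Nothing matched the crypto ACL on egress; in this lab that was a missing route.
        verdict = "no traffic hit the SA: check routing towards the remote subnet and the crypto ACL"
    elif delta["decrypt"] == 0:
        verdict = "one-way: we encrypt but decrypt nothing; check the peer's route and mirrored ACL"
    elif delta["encrypt"] == 0:
        verdict = "one-way: we decrypt but encrypt nothing; check our own route and crypto ACL"
    else:
        verdict = "bidirectional: packets are being encrypted and decrypted"
    if delta["send_errors"] or delta["recv_errors"]:
        verdict += " (send/recv errors also incremented; inspect the SA)"
    return delta, verdict
```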

You can also use the debug crypto engine packet command. However, a word of extreme caution: this is a fairly noisy debug, so do not use it in a production environment unless you really know what you are doing!
Enable this debug on NYEDGE2, then re-issue a ping from NYEDGE1.

Here is a snippet of the output on NYEDGE2:

NYEDGE2(config)#exit
NYEDGE2#debug crypto engine packet
Crypto Engine Packet debugging is on
NYEDGE2#
*Aug 1 16:03:29.819: crypto_sb_oce_alloc_fwd_handle: created forw_handle=3D49B0D0 using oce=0 type=0 for pak=2181FBC8, track=3D9F3EFC
*Aug 1 16:03:29.819: Before decryption:
0E220990:                   4500 00A806C4 0000FE32  E..(.D..~2
0E2209A0: 5B3CAC10 0101AC10 01023C52 BA310000  [<,...,...
0E2209B0: 000A42D6 C0C3D03B 3855B1EA E1B8CDEA  ..BV@CP;8U1ja8Mj
0E2209C0: 4317F58F B01B                        C.u.0.
...
*Aug 1 16:03:29.819: After decryption:
0E2209C0:      4500 00640046 0000FF01 A33D0A0A  E..d.F....#=..
0E2209D0: 00010A0A 04010800 AF2E000E 00000000  ......../.......
0E2209E0: 00000045 CEC8ABCD ABCDABCD ABCDABCD  ...ENH+M+M+M+M+M
0E2209F0: ABCD                                 +M
...
(Output omitted)
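The two hex dumps are worth decoding rather than just glancing at: the "Before decryption" bytes are the ESP packet between the peers, and the "After decryption" bytes are the loopback-to-loopback ICMP echo. The script below is an added example, not part of the lab, that takes the dump lines as printed above, rebuilds the packet bytes, verifies the IPv4 header checksums, and checks that the decrypted packet is what NYEDGE2's crypto ACL S2SNYEDGE1 expects to receive.

```python
import struct
from ipaddress import ip_address, ip_network

# Hex dump rows as printed by "debug crypto engine packet" on NYEDGE2, copied from the lab
# output above (the first row of each dump is partial, exactly as printed).
BEFORE = """\
0E220990: 4500 00A806C4 0000FE32
0E2209A0: 5B3CAC10 0101AC10 01023C52 BA310000
0E2209B0: 000A42D6 C0C3D03B 3855B1EA E1B8CDEA
0E2209C0: 4317F58F B01B
"""
AFTER = """\
0E2209C0: 4500 00640046 0000FF01 A33D0A0A
0E2209D0: 00010A0A 04010800 AF2E000E 00000000
0E2209E0: 00000045 CEC8ABCD ABCDABCD ABCDABCD
0E2209F0: ABCD
"""

def dump_to_bytes(dump):
    """Join the hex words that follow each 'ADDR:' column into raw packet bytes."""
    return bytes.fromhex("".join(line.split(":", 1)[1] for line in dump.splitlines()))

def ip_checksum(header):
    """RFC 791 one's-complement sum over the header; 0 means the checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_ipv4(pkt):
    """Return the header fields that show what the tunnel carries, plus ESP or ICMP details."""
    ihl = (pkt[0] & 0x0F) * 4
    length, _ident, _flags, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    info = {"len": length, "ttl": ttl, "proto": proto,
            "src": str(ip_address(pkt[12:16])), "dst": str(ip_address(pkt[16:20])),
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0}
    if proto == 50:   # ESP: the SPI and sequence number follow the outer IP header
        info["spi"], info["seq"] = struct.unpack("!II", pkt[ihl:ihl + 8])
    elif proto == 1:  # ICMP: type/code, then the echo identifier and sequence number
        info["icmp_type"], info["icmp_code"] = pkt[ihl], pkt[ihl + 1]
        info["echo_id"], info["echo_seq"] = struct.unpack("!HH", pkt[ihl + 4:ihl + 8])
    return info

def inbound_matches_acl(inner, acl_src="10.10.4.0/23", acl_dst="10.10.0.0/23"):
    """Decrypted traffic must be the mirror image of NYEDGE2's crypto ACL S2SNYEDGE1:
    sourced from the ACL's destination block and headed for its source block."""
    return (ip_address(inner["src"]) in ip_network(acl_dst)
            and ip_address(inner["dst"]) in ip_network(acl_src))
```

Decoding BEFORE gives protocol 50 (ESP) from 172.16.1.1 to 172.16.1.2 with SPI 0x3C52BA31 and sequence number 10; decoding AFTER gives a 100-byte ICMP echo request from 10.10.0.1 to 10.10.4.1, matching the ping issued on NYEDGE1.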

Turn the debug off on NYEDGE2:

NYEDGE2#u all
All possible debugging has been turned off
NYEDGE2#

Task 5: Take a screenshot of the NYEDGE2 CLI showing the bottom of the debugging output. Include the screenshot in the Lab Report.
Switch over to the PLABCSCO01 device.
In the CCP software, on the toolbar click Monitor.
Then expand the tree structure, Security > VPN Status, and select IPSec Tunnels.
On the VPN Status pane, notice the details about the IPSec Tunnel you created.

You have successfully built a VPN using both the CLI and the CCP software!
Task 6: Take a screenshot of the CCP software on PLABCSCO01 monitoring the encrypted and decrypted packets. Include the screenshot in the Lab Report.

Summary
You covered the following activities in this module:

Using the CCP software to build half of a site-to-site VPN between two routers.
Configuring the second half of the site-to-site VPN using the CLI.
Confirming the configuration of the VPN by testing it and seeing the packets being encrypted and decrypted.
Monitoring the VPN status using the CCP software.

This concludes the Implementing IOS IPSec site-to-site VPN with pre-shared key authentication lab. Save the Lab Report and submit it to the iLab DropBox in week 6.
