
CCIE Security Ver. 4 Lab Manual
CCNP Security – SIMOS (300-209)
Confidentiality and Secure Access

This lab manual covers detailed lab demonstrations, with explanations, for the
CCIE Security Version 4 VPN module.
CCIE Security Ver. 4 Lab Manual

Disclaimer and "Terms of Use"
Reproduction or translation of the content of this PDF document without the
author's written permission is prohibited. No content may be reproduced
without the express written permission of the author. A hyperlink from
another website to this document is permitted. You may download and
retain on your disk a single copy of the published material for your
personal, non-commercial use only, provided that you do not remove any
copyright or other proprietary notices. You may not otherwise copy,
display, download, modify, distribute, repost, transmit or sell all or part of
any material without the prior written permission of the author. You may
not mirror all or part of any material published by the author in this
document, and you may not inline any of the graphics contained in any
material. Anyone accessing this document is deemed to have read and
understood the above and to have agreed to it in its entirety, without
exception.

IF YOU DO NOT AGREE, please delete any copies you may possess.

Please contact the author or Inter-Networkz using the contact details below:

Web URL: www.inter-networkz.com
Email: sandeep@inter-networkz.com | cciesandeep12@gmail.com | info@inter-networkz.com
Skype: ccie.sandeep12
Blog: cciesecurityv4solution.blogspot.in

Copyrights @ 2014-2016, Inter-Networkz, Bangalore - IN, All Rights Reserved


cciesandeep12@gmail.com | Skype: ccie.sandeep12 Page 1
Table of Contents

Module 1: Site-To-Site VPNs
1. Basic IPsec Site-To-Site VPN
2. GRE Tunnel
3. GRE with IPsec

Module 2: Advanced VPNs
1. Router to ASA IPsec Site-To-Site VPN
2. Router to Router IPsec Site-To-Site VPN through Cisco ASA
3. Router to Router IPsec Site-To-Site VPN through Cisco ASA with NAT-T
4. GET VPN using PSK
5. GET VPN using PKI
6. DMVPN Phase I/II/III
7. DMVPN Dual Hub

Module 3: High Availability VPN
1. HA VPN without HSRP
2. HA VPN with HSRP

Module 4: Remote Access VPN
1. IOS Easy VPN Server with Software Client
2. IOS Easy VPN Server with Router as Client
3. IOS Easy VPN Server – NEM
4. Easy VPN Server on Cisco ASA
5. SSL VPN - IOS Server
6. SSL VPN on Cisco ASA

Module 5: IKEv2 Based VPN
1. Route-based VPN using IKEv2
2. Policy-based VPN using IKEv2
3. IKEv2 based VPN on Cisco ASA
4. Remote Access VPN using IKEv2

Module 6: FlexVPN
1. Site-To-Site FlexVPN
2. Spoke-To-Spoke FlexVPN
3. Server-Client FlexVPN
Module 1: Site-To-Site VPNs

• Basic IPsec LAN-To-LAN VPN
• GRE Tunnel
• GRE Tunnel With IPsec

LAB-1: Basic IPsec LAN-To-LAN VPN

Scenario: R1 and R3 are two sites of a company named ABC; R2 is the ISP in the
topology. R1's private network is simulated with loopback interfaces, and so is
R3's. The objective of this lab is to connect the R1 and R3 private networks
using an IPsec site-to-site VPN.

Recommendation: practice this topology at least twice. The first time, use
exactly the same topology and IP addresses.

Lab Topology:

Basic Initialization:
Configure the routers shown in the topology.

Now configure R2, which simulates the ISP. R2 has only its two directly
connected routes, as an ISP would: it knows nothing about the private 10.1.x.0
networks, which is why they have to be carried inside the VPN.

Configure R3; this is your remote site.

TASK

Configure an IPsec tunnel between router R1 and router R3 with the following
settings:
ISAKMP Parameters
• Authentication: pre-shared
• Diffie-Hellman group: 2
• Encryption: 3DES
• Hash: MD5
• Pre-shared key: cisco123
IPsec Parameters
• Encryption: ESP-3DES
• Authentication: ESP-SHA-HMAC
Interesting Traffic
• All IP traffic between 10.1.1.0 and 10.1.3.0
• All IP traffic between 10.1.1.0 and 10.1.4.0
• All IP traffic between 10.1.2.0 and 10.1.3.0
• All IP traffic between 10.1.2.0 and 10.1.4.0
Tunnel Endpoints
R1 F0/0 to R3 F0/0

Note: 3DES, MD5 and Diffie-Hellman group 2 are legacy choices used here for the
lab. Outside the lab use AES (preferably AES-GCM), SHA-2 and group 14 or higher,
with a pre-shared key far longer and more random than cisco123.

Solution:
IPsec configuration generally goes in five steps:
1. Create the ISAKMP policy (Phase 1).
2. Create the IPsec transform set (Phase 2 policy).
3. Create an ACL that selects the interesting traffic.
4. Create a crypto map that links the above together.
5. Apply the crypto map to the outgoing interface.

On R1:
! 1. ISAKMP policy and the pre-shared key for the peer
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.23.3

! 2. transform set
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit

! 3. crypto ACL. These entries match only the loopback host addresses, which is
!    enough for the pings used in the verification; to cover the whole /24s the
!    task describes, use network/wildcard entries (for example 10.1.1.0 0.0.0.255)
!    instead of the host keyword, on both peers.
access-list 101 permit ip host 10.1.1.1 host 10.1.3.1
access-list 101 permit ip host 10.1.1.1 host 10.1.4.1
access-list 101 permit ip host 10.1.2.1 host 10.1.3.1
access-list 101 permit ip host 10.1.2.1 host 10.1.4.1

! 4. crypto map
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.23.3
 set transform-set TSET
 match address 101
 exit

! 5. apply to the outside interface
int f0/0
 crypto map CMAP
 exit

The same configuration goes on router R3 with a few changes. Copy the
configuration from R1 and change the following fields (they were highlighted in
red in the original):
• the peer address in the crypto isakmp key and set peer commands (192.1.23.3
becomes 192.1.12.1, R1's public address);
• the crypto ACL, whose source and destination addresses are swapped so that it
is the exact mirror image of R1's ACL.
Everything else (ISAKMP policy, key string, transform set and crypto map name)
stays the same.

Here are the changed fields (marked in blue in the original) applied, which gives
the configuration for R3:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
! changed: peer address
crypto isakmp key 0 cisco123 address 192.1.12.1

crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit

! changed: source and destination swapped (mirror image of R1's ACL)
access-list 101 permit ip host 10.1.3.1 host 10.1.1.1
access-list 101 permit ip host 10.1.4.1 host 10.1.1.1
access-list 101 permit ip host 10.1.3.1 host 10.1.2.1
access-list 101 permit ip host 10.1.4.1 host 10.1.2.1

crypto map CMAP 10 ipsec-isakmp
 ! changed: peer address
 set peer 192.1.12.1
 set transform-set TSET
 match address 101
 exit
int f0/0
 crypto map CMAP
 exit

VERIFICATION:
From router R1: ping 10.1.3.1 source 10.1.1.1
or: ping 10.1.4.1 source 10.1.1.1
(The first packet or two of the first ping may be lost while the SAs are being
negotiated.)

Verification Commands:
• show crypto isakmp sa (Phase 1; the state should be QM_IDLE)
• show crypto ipsec sa (Phase 2; check that the encaps/decaps counters increase)
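The mirror-image requirement above is easy to get wrong by hand, so here is an added example (it is not part of the original manual and the helper names are its own) that parses both peers' crypto ACLs and reports every entry that is not the exact reverse of the other side's. It also understands the network/wildcard form, so it flags the case where one peer matches the /24 networks of the task statement while the other still matches only the loopback hosts. The ACL text is the lab's own R1 and R3 configuration.

```python
"""Check that two IPsec peers' crypto ACLs are exact mirror images.

IKEv1 Quick Mode proposes the crypto ACL entries as proxy identities. An exact
mirror on the far end is the configuration that works in both directions; a
mismatch shows up in Quick Mode as a proxy-identity failure even though
'show crypto isakmp sa' already reports QM_IDLE.
"""
import ipaddress
import re

# One numbered-ACL entry: "access-list <n> permit ip <src> <dst>", where each
# side is "host A.B.C.D", "any", or "A.B.C.D W.W.W.W" (network + wildcard).
_END = r"(host \S+|any|\S+ \S+)"
_ACE = re.compile(r"^access-list\s+\d+\s+permit\s+ip\s+" + _END + r"\s+" + _END + r"\s*$",
                  re.IGNORECASE)


def endpoint_to_network(text: str) -> ipaddress.IPv4Network:
    """Convert an ACL endpoint to a prefix; IOS wildcard masks are inverted netmasks."""
    words = text.strip().lower().split()
    if words == ["any"]:
        return ipaddress.IPv4Network("0.0.0.0/0")
    if words[0] == "host":
        return ipaddress.IPv4Network(words[1] + "/32")
    addr, wildcard = words
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    # strict=False: IOS silently masks off host bits in the network address
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_crypto_acl(config: str) -> set:
    """Return the set of (source, destination) prefixes permitted by an ACL."""
    entries = set()
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = _ACE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE (only 'permit ip' is handled): {line}")
        entries.add((endpoint_to_network(m.group(1)), endpoint_to_network(m.group(2))))
    return entries


def mirror(entries: set) -> set:
    """The ACL the peer must have: every (src, dst) becomes (dst, src)."""
    return {(dst, src) for src, dst in entries}


def check_mirror(local_acl: str, remote_acl: str) -> list:
    """List the differences between the remote ACL and the mirror of the local one.

    An empty list means the two peers agree on every proxy identity."""
    expected = mirror(parse_crypto_acl(local_acl))
    actual = parse_crypto_acl(remote_acl)
    problems = [f"remote is missing: permit ip {s} {d}" for s, d in sorted(expected - actual, key=str)]
    problems += [f"remote has extra:  permit ip {s} {d}" for s, d in sorted(actual - expected, key=str)]
    return problems


# The lab's own crypto ACLs on R1 and R3.
R1_ACL = """
access-list 101 permit ip host 10.1.1.1 host 10.1.3.1
access-list 101 permit ip host 10.1.1.1 host 10.1.4.1
access-list 101 permit ip host 10.1.2.1 host 10.1.3.1
access-list 101 permit ip host 10.1.2.1 host 10.1.4.1
"""
R3_ACL = """
access-list 101 permit ip host 10.1.3.1 host 10.1.1.1
access-list 101 permit ip host 10.1.4.1 host 10.1.1.1
access-list 101 permit ip host 10.1.3.1 host 10.1.2.1
access-list 101 permit ip host 10.1.4.1 host 10.1.2.1
"""
# A plausible mistake (constructed): R3 written for the whole /24s the task text
# describes, while R1 still matches only the loopback hosts.
R3_ACL_NETWORKS = """
access-list 101 permit ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.4.0 0.0.0.255 10.1.2.0 0.0.0.255
"""

if __name__ == "__main__":
    print("R1 vs R3:", check_mirror(R1_ACL, R3_ACL) or "mirror OK")
    for problem in check_mirror(R1_ACL, R3_ACL_NETWORKS):
        print("R1 vs R3 (networks):", problem)
```

Run it as a script, or import check_mirror and feed it the crypto ACLs of any two peers; a non-empty list tells you which entry to fix before touching the crypto map.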

LAB-2: GRE Tunnel

Scenario: The objective of this lab is to connect the R1 and R3 private networks
using a route-based VPN (a GRE tunnel). In the last lab the traffic sent
through the VPN was selected by an ACL (policy-based VPN); here the traffic that
goes through the tunnel is decided by the routing table (route-based VPN).

Recommendation: same as previous lab

Lab Topology: same as previous lab

Basic Initialization: use the initial configuration of the previous lab.

Now configure the tunnel interfaces on the routers. As this is a route-based
VPN, what goes through the tunnel is decided by the routing table, so we create
a virtual tunnel interface and give it an unused private IP address. The tunnel
source is the physical interface with the public IP, and the tunnel destination
is the remote site's public IP.

Read the console message: interface Tunnel1 is up. Configure a tunnel interface
on R3 in the same way. (GRE has no keepalive by default, so "up" only means the
source interface is up and a route to the destination exists; it does not prove
the far end is reachable.)

Check show ip interface brief: a virtual tunnel interface has been created with
a private IP address assigned to it.

Now run an interior routing protocol at both sites and advertise the private
networks (10.1.0.0); also enable the IGP on the tunnel interface (192.168.1.0).
This is important because the updates are only sent over the tunnel when the
IGP is enabled on the tunnel interface; the remote tunnel interface, also
enabled for the IGP, then receives the hello packets sent to the 224.0.0.10
multicast address (EIGRP).

Check the routing table at the R1 site: we have received the routes for the
private networks at the R3 site. All routes marked "D" were learned through the
tunnel. As you know, an interior routing protocol cannot run across the
Internet, so the EIGRP packets were encapsulated in public IPv4 packets (GRE)
and sent to the other site.

Also check the routes on R3: we have received the routes for the private
network on R1.

VERIFICATION:
Now that both sites have the routes, ping 10.1.1.1 from 10.1.4.1.

You can also configure line vty so that we can telnet and check.

Note: although we have end-to-end reachability, all the packets are completely
exposed. GRE ENCAPSULATES the private packets inside public packets; it does
not ENCRYPT them. Anyone who can sniff a link in between gets all the
information.

Next is a snapshot of a sniff performed on this network.

For verification, run Wireshark on one of the links.

Also set the line vty password on R3 to cisco, then telnet to R3 from R1.

Note: Wireshark is capturing these packets.

Note: the output shows a telnet packet sent from R1 to R3: GRE encapsulates the
telnet packet from the private source 192.168.1.1 to the private destination
10.1.3.1, and the data part shows the character "c", the first character of the
line vty password, travelling in the clear. Telnet sends the password one
keystroke per packet, so the whole password can be reassembled from the capture.

The next lab covers how to secure this traffic.

LAB-3: GRE Tunnel with IPsec profile

Scenario: The objective of this lab is to secure the GRE tunnel traffic using IPsec.

Recommendation: This lab builds on the previous lab, so you can continue from it.

Lab Topology: same as previous lab

Basic Initialization: complete Lab 2 and continue with the configuration of
this lab.

To secure the GRE tunnel we use IPsec along with GRE.

Configure the Phase 1 (ISAKMP) parameters. For this you need to specify:
(a) authentication = pre-share
(b) encryption = des, 3des or aes
(c) hash = md5 or sha-1
(d) Diffie-Hellman group = 1, 2 or 5

Then the Phase 2 parameters, where we only specify the encryption and hash
method (the transform set); the session key, i.e. the traffic-encryption key,
is derived from the Phase 1 exchange.

Now create an IPsec profile and call the transform set inside it. This IPsec
profile is used to protect the traffic leaving the tunnel interface.

Apply the IPsec profile to protect the data going through the tunnel. For this,
go to the tunnel interface and enter:
tunnel protection ipsec profile {ipsec profile name}

In the above snapshot you see that the EIGRP neighbor relationship goes down:
the hold timer expires because R1 now sends and expects IPsec packets, whereas
R3 is not yet configured for IPsec, so the packets received from R3 are not
IPsec packets and are dropped. Apply the same configuration on R3 and the
neighbor comes back up.

VERIFICATION: ping 10.1.1.1 with source 10.1.4.1

Check the Wireshark output: all packets are now encrypted with ESP; only the
outer IP header, the SPI and the sequence number remain visible.

Also look at the output of show interface Tunnel1 and check the line highlighted
with the marker: the IPsec profile named IPSEC_PROFILE is being used to encrypt
the traffic sent over the tunnel interface.
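To see exactly what the Lab 2 and Lab 3 captures expose, here is an added example (not code from the manual): it constructs the Lab 2 telnet keystroke as GRE over IP and the Lab 3 style ESP packet, using the lab's addresses (outer 192.1.12.1 to 192.1.23.3, inner 192.168.1.1 to 10.1.3.1), and decodes both the way an on-path observer would. The ESP body is placeholder bytes standing in for ciphertext, and the packet-building and parsing helpers are this script's own.

```python
"""Decode the two shapes of tunnel packet seen on the ISP link: plain GRE
(Lab 2) and ESP after 'tunnel protection' (Lab 3)."""
import struct
from ipaddress import IPv4Address

GRE, ESP, TCP = 47, 50, 6


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (0 for a valid header)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    # PSH|ACK, 20-byte header; TCP checksum left at 0 because this is never sent
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 4128, 0, 0) + payload


def gre_packet(outer: tuple, inner: tuple, segment: bytes) -> bytes:
    """Plain GRE: outer IP (proto 47) | GRE | inner IP | TCP | data."""
    inner_ip = ipv4_header(*inner, TCP, len(segment)) + segment
    gre = struct.pack("!HH", 0x0000, 0x0800) + inner_ip      # no C/K/S flags, EtherType IPv4
    return ipv4_header(*outer, GRE, len(gre)) + gre


def esp_packet(outer: tuple, spi: int, seq: int, body: bytes) -> bytes:
    """ESP: outer IP (proto 50) | SPI | sequence | encrypted body + ICV (opaque)."""
    esp = struct.pack("!II", spi, seq) + body
    return ipv4_header(*outer, ESP, len(esp)) + esp


def parse_ipv4(buf: bytes):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return proto, str(IPv4Address(src)), str(IPv4Address(dst)), buf[ihl:total]


def inspect(packet: bytes) -> dict:
    """What an on-path observer learns from one tunnel packet."""
    proto, src, dst, payload = parse_ipv4(packet)
    info = {"outer": (src, dst)}
    if proto == GRE:
        flags, ptype = struct.unpack("!HH", payload[:4])
        # optional GRE fields: checksum (C), key (K), sequence (S), 4 bytes each
        hlen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        info["encapsulation"] = "GRE"
        if ptype == 0x0800:
            iproto, isrc, idst, ipayload = parse_ipv4(payload[hlen:])
            info["inner"] = (isrc, idst)
            if iproto == TCP:
                sport, dport, _, _, offset = struct.unpack("!HHIIB", ipayload[:13])
                info["dst_port"] = dport
                info["cleartext"] = ipayload[(offset >> 4) * 4:]
    elif proto == ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(encapsulation="ESP", spi=spi, seq=seq, opaque_bytes=len(payload) - 8)
    else:
        info["encapsulation"] = f"ip-proto-{proto}"
    return info


# Constructed samples: the Lab 2 telnet keystroke, then the same flow after Lab 3.
OUTER = ("192.1.12.1", "192.1.23.3")
TELNET = tcp_segment(11000, 23, b"c")          # first character of the vty password
GRE_SAMPLE = gre_packet(OUTER, ("192.168.1.1", "10.1.3.1"), TELNET)
ESP_SAMPLE = esp_packet(OUTER, spi=0x1A2B3C4D, seq=7, body=bytes(range(0x40, 0x70)))  # 48 placeholder bytes

if __name__ == "__main__":
    print(inspect(GRE_SAMPLE))
    print(inspect(ESP_SAMPLE))
```

The GRE result carries the inner addresses, the destination port 23 and the keystroke itself; the ESP result carries nothing beyond the SPI and sequence number, which is all that 'show crypto ipsec sa' and a sniffer can agree on.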


Check PHASE-I tunnel or ISAKMP tunnel:

Check PHASE-II tunnel or IPsec tunnel:


The IPsec tunnel is working in tunnel mode.

Now change the IPsec mode to transport (mode transport under the transform
set). With GRE over IPsec, tunnel mode adds a second outer IP header, whereas in
transport mode ESP sits between the existing IP/GRE header and the GRE payload,
saving 20 bytes per packet; the tunnel endpoints are the same either way.

If you execute "show crypto ipsec sa" straight away you will see that the mode
in use is still tunnel (check the highlighted section in the above snapshot),
because the change only takes effect when new SAs are negotiated. Clear the
existing SAs and bring the tunnel up again, then check "show crypto ipsec sa"
once more:

int tunnel 1
 shut
 no shut
 exit

Now, as the entire packet is encrypted by IPsec anyway, we do not need the GRE
header at all, so we set the tunnel mode to "ipsec ipv4" (tunnel mode ipsec
ipv4), which turns the interface into an IPsec virtual tunnel interface (VTI).
This saves the 4-byte GRE header, but a VTI carries only IP unicast and
multicast, so keep GRE if you need to tunnel non-IP traffic.
CCIE Security Ver. 4 Lab Manual

Module 2: Advanced VPNs

• Router-ASA IPsec VPN
• Router-Router IPsec VPN through ASA Firewall
• Router-Router IPsec VPN through ASA Firewall with NAT-T
• GET VPN using PSK
• GET VPN using PKI
• DMVPN Phase-I/II/III
• DMVPN Dual-Hub

LAB-1: Router-ASA IPsec VPN

Scenario: The objective of this lab is to connect the R1 and R3 private networks
using an IPsec site-to-site VPN. R1 sits on the inside of a Cisco ASA firewall;
the IPsec tunnel is established between the ASA's outside interface and R3.
Traffic from R1 is also translated to the 192.11.11.0/24 network on the ASA.

Recommendation: You can use a PIX firewall (8.0.x) for this lab.

Lab Topology:

Basic Initialization:
On R1:
int f0/0
 ip address 10.11.11.1 255.255.255.0
 no shut
 exit
!
ip route 0.0.0.0 0.0.0.0 10.11.11.10

On R2:
int f0/0
 ip address 192.1.12.2 255.255.255.0
 no shut
 exit
int f0/1
 ip address 192.1.23.2 255.255.255.0
 no shut
 exit

On R3:
int f0/0
 ip address 192.1.23.3 255.255.255.0
 no shut
 exit
int loopback 0
 ip address 10.11.20.1 255.255.255.0
 exit
ip route 0.0.0.0 0.0.0.0 192.1.23.2

On ASA:
int e1
 nameif inside
 ip address 10.11.11.10 255.255.255.0
 no shut
 exit
int e2
 nameif outside
 ip address 192.1.12.10 255.255.255.0
 no shut
 exit
! default route pointing to 192.1.12.2
route outside 0 0 192.1.12.2

Configure an IPsec tunnel between router R3 and the ASA with the following
settings:
ISAKMP Parameters
• Authentication: pre-shared
• Diffie-Hellman group: 2
• Encryption: 3DES
• Hash: MD5
• Pre-shared key: cisco123

IPsec Parameters
• Encryption: ESP-3DES
• Authentication: ESP-SHA-HMAC
Interesting Traffic
• All IP traffic between 10.11.11.1 and 10.11.20.1
Tunnel Endpoints
ASA E2 to R3 F0/0

Solution:
On R3:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.12.10

crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit

access-list 101 permit ip host 10.11.20.1 host 10.11.11.1

crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.12.10
 set transform-set TSET
 match address 101
 exit

int f0/0
 crypto map CMAP
 exit

On ASA:

! enable ISAKMP on the outside interface
crypto isakmp enable outside

! ISAKMP policy
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key cisco123 address 192.1.23.3

! transform set
crypto ipsec transform-set TSET esp-3des esp-sha-hmac

! crypto ACL
access-list 101 permit ip host 10.11.11.1 host 10.11.20.1

! crypto map, attached to the outside interface
crypto map CMAP 1 set peer 192.1.23.3
crypto map CMAP 1 set transform-set TSET
crypto map CMAP 1 match address 101
crypto map CMAP interface outside

VERIFICATION:

On ASA:

Debug commands: debug crypto isakmp

Now, as per the scenario, the R1 network 10.11.11.0/24 is translated on the
outside of the firewall to the pool 192.11.11.1-192.11.11.11:

global (outside) 1 192.11.11.1-192.11.11.11
nat (inside) 1 10.11.11.0 255.255.255.0

Now verify: ping 10.11.11.1 source 10.11.20.1 from R3.

This time the ping fails. The ASA translates an outbound packet before it
evaluates the crypto map, so R1's replies leave with a source address of
192.11.11.x, no longer match crypto ACL 101 and are forwarded toward the ISP in
the clear instead of through the tunnel. Fix this by exempting traffic from
10.11.11.0/24 to 10.11.20.0/24 from translation:

access-list EXEMPT_VPN permit ip 10.11.11.0 255.255.255.0 10.11.20.0 255.255.255.0
nat (inside) 0 access-list EXEMPT_VPN

Now verify again: ping 10.11.11.1 source 10.11.20.1 from R3.
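The order of operations behind that failure is worth seeing step by step, so here is an added example (not from the manual): a small model of the pre-8.3 ASA outbound path for the lab's addresses, with the nat/global and nat 0 rules above expressed as data. The ASA translates a packet (exemption first, then dynamic NAT) before it checks the crypto map, so the crypto ACL sees the post-NAT source. The class and its rule layout are this script's own simplification.

```python
"""Model of the pre-8.3 ASA outbound path: NAT exemption, dynamic NAT, then
the crypto map's match ACL evaluated on the translated packet."""
from ipaddress import IPv4Address, IPv4Network, ip_address


class AsaOutbound:
    def __init__(self, inside_net, pool, crypto_acl, exempt_acl=()):
        self.inside_net = IPv4Network(inside_net)                           # nat (inside) 1 <net>
        self.pool = [IPv4Address(a) for a in pool]                           # global (outside) 1 <range>
        self.crypto_acl = [(IPv4Network(s), IPv4Network(d)) for s, d in crypto_acl]   # match address
        self.exempt_acl = [(IPv4Network(s), IPv4Network(d)) for s, d in exempt_acl]   # nat (inside) 0 access-list
        self._next = 0

    @staticmethod
    def _matches(acl, src, dst):
        return any(src in s and dst in d for s, d in acl)

    def translate(self, src, dst):
        """NAT stage: exemption wins over dynamic NAT; otherwise take the next pool address."""
        if self._matches(self.exempt_acl, src, dst):
            return src
        if src in self.inside_net:
            addr = self.pool[self._next % len(self.pool)]
            self._next += 1
            return addr
        return src

    def process(self, src, dst):
        """What leaves the outside interface: the source on the wire and whether ESP was applied."""
        src, dst = ip_address(src), ip_address(dst)
        xlated = self.translate(src, dst)
        return {"source_on_wire": str(xlated),
                "encrypted": self._matches(self.crypto_acl, xlated, dst)}


POOL = [f"192.11.11.{i}" for i in range(1, 12)]      # global (outside) 1 192.11.11.1-192.11.11.11
CRYPTO_ACL = [("10.11.11.1/32", "10.11.20.1/32")]       # access-list 101


def before_fix():
    """R1's reply to R3 with only nat/global configured."""
    return AsaOutbound("10.11.11.0/24", POOL, CRYPTO_ACL).process("10.11.11.1", "10.11.20.1")


def after_fix():
    """The same reply once nat (inside) 0 access-list EXEMPT_VPN is in place."""
    exempt = [("10.11.11.0/24", "10.11.20.0/24")]
    return AsaOutbound("10.11.11.0/24", POOL, CRYPTO_ACL, exempt).process("10.11.11.1", "10.11.20.1")


if __name__ == "__main__":
    print("before nat 0:", before_fix())   # source rewritten, crypto ACL misses, sent in clear
    print("after  nat 0:", after_fix())    # source kept, crypto ACL hits, ESP to R3
```

The same reasoning applies to any address-based selector after NAT: whatever the crypto ACL names has to be the address the packet carries at the point where the crypto map is evaluated.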


LAB-2: Router-To-Router IPsec Tunnel through ASA (static NAT, NAT-T)

Scenario: The objective of this lab is to connect the R1 and R3 private networks
using an IPsec site-to-site VPN. R1 sits on the inside of a Cisco ASA firewall,
and its private IP address is statically translated on the firewall. The IPsec
tunnel is established between R1 (its translated address) and R3, so the tunnel
passes through the firewall and through NAT.

Recommendation: You can use a PIX firewall (8.0.x) for this lab.

Lab Topology: same as previous lab

Basic Initialization: same as previous lab

Configure an IPsec tunnel between router R3 and R1 with the following settings:
ISAKMP Parameters
• Authentication: pre-shared
• Diffie-Hellman group: 2
• Encryption: 3DES
• Hash: MD5
• Pre-shared key: cisco123
IPsec Parameters
• Encryption: ESP-3DES
• Authentication: ESP-SHA-HMAC
Interesting Traffic
• All IP traffic between 10.11.11.1 and 10.11.20.1
Tunnel Endpoints
R1 F0/0 to R3 F0/0

Translation
Statically translate R1's IP address to 192.1.11.1
ACL Entries
Inbound ACL entries on the ASA to allow IPsec through.
Static Route
Static route on R2 for 192.1.11.1 (next hop: the ASA outside interface).

Solution:
On R3:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
! the peer is R1's translated address
crypto isakmp key 0 cisco123 address 192.1.11.1

crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit

access-list 101 permit ip host 10.11.20.1 host 10.11.11.1

crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.11.1
 set transform-set TSET
 match address 101
 exit

int f0/0
 crypto map CMAP
 exit

On R1:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.23.3

crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit

access-list 101 permit ip host 10.11.11.1 host 10.11.20.1

crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.23.3
 set transform-set TSET
 match address 101
 exit

int f0/0
 crypto map CMAP
 exit

On ASA: static translation for R1 (10.11.11.1)
static (inside,outside) 192.1.11.1 10.11.11.1

ACL:
access-list ACL permit udp host 192.1.23.3 host 192.1.11.1 eq 4500

This entry permits NAT Traversal (NAT-T) traffic from R3 to R1 on UDP/4500.
Because R1 sits behind NAT, the peers detect this during Phase 1 (the NAT-D
payloads of RFC 3947), move ISAKMP to UDP/4500 and carry ESP inside UDP/4500 as
well, so no ESP entry is needed. Phase 1 still starts on UDP/500, so with only
this entry the tunnel must be initiated from R1, whose outbound connection the
ASA tracks; to let R3 initiate as well, add an entry permitting UDP/500
(eq isakmp) from 192.1.23.3 to 192.1.11.1.

Apply the ACL to the outside interface:
access-group ACL in interface outside

Static route on R2 for 192.1.11.1:
ip route 192.1.11.0 255.255.255.0 192.1.12.10

Verification:
R3#ping 10.11.11.1 source 10.11.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.11.1, timeout is 2 seconds:
Packet sent with a source address of 10.11.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/119/140 ms

ASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list ACL; 1 elements
access-list ACL line 1 extended permit udp host 192.1.23.3 host 192.1.11.1 eq 4500 (hitcnt=1) 0xa6de5ddd

ASA(config)# show conn
1 in use, 3 most used
UDP out 192.1.23.3:4500 in 10.11.11.1:4500 idle 0:00:03 flags -
ASA(config)#

The connection table shows a single UDP/4500 flow: IKE and the UDP-encapsulated
ESP share it, which is why no separate ESP flow appears.

LAB-3: Router-To-Router IPsec Tunnel through ASA (no NAT)

Scenario: The objective of this lab is to connect the R1 and R3 private networks
using an IPsec site-to-site VPN. R1 sits on the inside of a Cisco ASA firewall
and has a public IP address (192.1.10.1), so no translation is involved. The
IPsec tunnel is established between R1 and R3 and passes through the firewall.

Recommendation: You can use a PIX firewall (8.0.x) for this lab.

Lab Topology:

Basic Initialization: load the initial configuration from the lab file.

Configure an IPsec tunnel between router R3 and R1 with the following settings:
ISAKMP Parameters
• Authentication: pre-shared
• Diffie-Hellman group: 2
• Encryption: 3DES
• Hash: MD5
• Pre-shared key: cisco123

IPsec Parameters
• Encryption: ESP-3DES
• Authentication: ESP-SHA-HMAC
Interesting Traffic
• All IP traffic between 10.11.11.1 and 10.11.20.1
Tunnel Endpoints
R1 F0/0 to R3 F0/0
Translation: none
ACL Entries
Inbound ACL entries on the ASA to allow IPsec through.
Static Route
Static route on R2 for 192.1.10.0/24 with the ASA outside interface IP as next
hop.

On R3:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.10.1

crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit

access-list 101 permit ip host 10.11.20.1 host 10.11.11.1

crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.10.1
 set transform-set TSET
 match address 101
 exit

int f0/0
 crypto map CMAP
 exit

On R1:
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.23.3

crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit

access-list 101 permit ip host 10.11.11.1 host 10.11.20.1

crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.23.3
 set transform-set TSET
 match address 101
 exit

int f0/0
 crypto map CMAP
 exit

ACL:
! no NAT in the path, so IKE stays on UDP/500 and ESP (IP protocol 50) travels
! natively; ESP has no ports, so it needs its own entry
access-list ACL permit udp host 192.1.23.3 host 192.1.10.1 eq isakmp
access-list ACL permit esp host 192.1.23.3 host 192.1.10.1
Apply the ACL to the outside interface:
access-group ACL in interface outside
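Lab 2 needed a UDP/4500 permit and Lab 3 needs UDP/500 plus ESP because of the NAT detection the peers perform in Phase 1. Here is an added example (not from the manual) that replays that detection for both labs: each peer sends NAT-D hashes of the addresses it believes it is using, the receiver recomputes them from what it actually sees on the wire, and a mismatch means a NAT rewrote the packet. The cookies are constructed values, the negotiated hash is MD5 as in the lab's ISAKMP policy, and the function names are this script's own.

```python
"""NAT detection in IKEv1 Phase 1 (RFC 3947 NAT-D payloads) for Lab 2 (R1
behind the ASA static NAT) and Lab 3 (R1 with a public address)."""
import hashlib
import struct
from ipaddress import ip_address

ISAKMP_PORT = 500
NAT_T_PORT = 4500


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "md5") -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port), using the negotiated Phase 1 hash."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, own_ip, own_port, hash_name="md5"):
    """What a peer sends: first the hash of the remote address as it sees it, then of its own."""
    return [nat_d(cky_i, cky_r, peer_ip, peer_port, hash_name),
            nat_d(cky_i, cky_r, own_ip, own_port, hash_name)]


def detect_nat(cky_i, cky_r, my_ip, my_port, pkt_src_ip, pkt_src_port, received, hash_name="md5"):
    """Receiver side. Returns (peer_behind_nat, self_behind_nat)."""
    self_behind_nat = received[0] != nat_d(cky_i, cky_r, my_ip, my_port, hash_name)
    peer_behind_nat = nat_d(cky_i, cky_r, pkt_src_ip, pkt_src_port, hash_name) not in received[1:]
    return peer_behind_nat, self_behind_nat


def firewall_needs(peer_behind_nat: bool, self_behind_nat: bool) -> list:
    """Inbound permits a firewall in front of the responder must carry for this tunnel."""
    if peer_behind_nat or self_behind_nat:
        return ["udp/500", "udp/4500"]      # NAT-T: IKE and UDP-encapsulated ESP
    return ["udp/500", "esp"]               # IP protocol 50 has no ports to track


CKY_I = bytes.fromhex("0102030405060708")   # constructed initiator cookie
CKY_R = bytes.fromhex("1112131415161718")   # constructed responder cookie
R3 = "192.1.23.3"


def lab2_static_nat():
    """R1 is 10.11.11.1, but the ASA presents it to R3 as 192.1.11.1."""
    sent = nat_d_payloads(CKY_I, CKY_R, R3, ISAKMP_PORT, "10.11.11.1", ISAKMP_PORT)
    return detect_nat(CKY_I, CKY_R, R3, ISAKMP_PORT, "192.1.11.1", ISAKMP_PORT, sent)


def lab3_no_nat():
    """R1 is 192.1.10.1 and its packets reach R3 unchanged."""
    sent = nat_d_payloads(CKY_I, CKY_R, R3, ISAKMP_PORT, "192.1.10.1", ISAKMP_PORT)
    return detect_nat(CKY_I, CKY_R, R3, ISAKMP_PORT, "192.1.10.1", ISAKMP_PORT, sent)


if __name__ == "__main__":
    for name, case in (("Lab 2 (static NAT on ASA)", lab2_static_nat), ("Lab 3 (no NAT)", lab3_no_nat)):
        peer_nat, self_nat = case()
        print(f"{name}: R1 behind NAT={peer_nat}, R3 behind NAT={self_nat}, "
              f"firewall must permit {firewall_needs(peer_nat, self_nat)}")
```

For Lab 2 the result is that R1 is behind NAT, so the peers float to UDP/4500 and the ASA's UDP/4500 permit is sufficient as long as R1 initiates; for Lab 3 neither side is behind NAT, so ISAKMP stays on UDP/500 and ESP must be permitted as its own protocol.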


VERIFICATION:
! On R3
R3#ping 10.11.11.1 source 10.11.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.11.1, timeout is 2 seconds:
Packet sent with a source address of 10.11.20.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 80/108/132 ms
(The first echo is lost while the SAs are being negotiated.)

R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.1.10.1      192.1.23.3      QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

ASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list ACL; 2 elements
access-list ACL line 1 extended permit udp host 192.1.23.3 host 192.1.10.1 eq isakmp (hitcnt=1) 0x4784758b
access-list ACL line 2 extended permit esp host 192.1.23.3 host 192.1.10.1 (hitcnt=1) 0xeb3f8117

LAB-4: GET VPN Using PSK

LAB TOPOLOGY:

Devices used: 2600 Software (C2691-ADVIPSERVICESK9-M), Version 12.4(15)T6

Basic Initialization:

Pre-requisite: full end-to-end reachability is needed; run any interior routing
protocol for this. Also, the key server cannot itself be a group member. We use
R5's loopback (10.1.5.1/24) as the key server address: being a loopback, it is
reachable through any of R5's interfaces.
Now check the routing table with the command: show ip route

Note: make sure all nodes are reachable. Do not proceed until this step is
properly completed.
Output on R5:

On Group Member:

Now configure the remaining group members. Do this on R2, R3 and R4.

Now apply the crypto map to the outgoing interface.

Debug:
Check that the ping which was working earlier now fails.

Reason: R1 has registered with the key server and now encrypts traffic that
matches the group policy with the group key, but R2, R3 and R4 have not yet
registered and cannot decrypt it.

Now register R2 with the KS.

Now try the last ping again, from 10.1.1.1 to 10.1.2.1.

Note: pings from R1 to 10.1.3.1 and 10.1.4.1 still fail because those routers
have not yet registered. But the ping shown below, sourced from 7.7.15.1,
succeeds: that source is not interesting traffic under the group policy, so it
is sent unencrypted.

So now register R3 and R4 as well.

Check the output on the KS after R1, R2, R3 and R4 have registered.

For this ping the Wireshark capture output is shown below the ping:

For this ping the Wireshark capture output is shown below the ping:

Check the ISAKMP SA:

Check the IPsec SA:

Check that the Phase 2 parameters are present on the group members: unlike the
earlier labs they are not negotiated pairwise but pushed down by the key
server, together with the traffic-selection policy and the group key.

Now check that the remaining key lifetime is just 96 seconds. Soon the key will
be refreshed and redistributed (rekeyed) to the group members.

Output on a group member after the key was refreshed. Check the SA lifetime for
verification.

LAB-5: GET VPN Using PKI (i.e. using the IOS CA server)

Lab Topology: same as Lab-4

Basic Initialization: same as Lab-4

Once the devices are up, ping all directly connected links from R6.

Configuration on the CA server:
Step 1: Configure the clock.
Certificates carry validity dates, so the CA and its clients must agree on the
time. Configure the clock manually or using NTP.
R5(config)#clock timezone IST 5 30
R5(config)#ntp master 1
or
R5(config)#do clock set 20:55:00 13 aug 2013

Step 2: Configure a hostname and a domain name (the resulting FQDN names the
RSA key pair and appears in the certificate subject).
R5(config)#ip domain-name cisco.com

Step 3: Generate an RSA key pair. The label must match the CA server name used
in step 5 (CA here), because the IOS CA server uses the key pair of the same
name. A 1024-bit modulus is a lab-only size; use 2048 bits or more elsewhere.
R5(config)#crypto key generate rsa label CA modulus 1024
% Generating 1024 bit RSA keys, keys will be non-exportable..[OK]

Step 4: Enable the HTTP server. Clients enroll over SCEP, which runs on HTTP
port 80, so without it the CA server stays down even after no shutdown. To see
this for yourself, skip this command for now and come back to it after step 5.
R5(config)# ip http server

Step 5: Set up the CA server parameters
R5(config)# crypto pki server CA
R5(cs-server)#database url flash:
% Server database url was changed. You need to move the
% existing database to the new location.

The issuer name is an X.509 distinguished name built from relative
distinguished names (RDNs). The most common RDNs are:

• CN: CommonName
• OU: OrganizationalUnit
• O: Organization
• L: Locality
• S: StateOrProvinceName
• C: CountryName

Example: CN=CCIEA OU=Network Security O=CCIE-Academy L=Bangalore S=Karnataka C=IN

R5(cs-server)#issuer-name CN=CCIEA O=CCIE-Academy OU=Security S=Karnataka C=IN
R5(cs-server)# lifetime ca-certificate 730
!lifetime is in days
R5(cs-server)# lifetime certificate 365
R5(cs-server)#grant auto
R5(cs-server)#no shutdown
R5(cs-server)#exit

Note: grant auto issues a certificate to any device that can reach the
enrollment URL. That is convenient in the lab but not acceptable in production,
where requests should be granted manually or protected by a challenge password.

On the Clients:
Step1: Configure the clock, manually or via NTP from the CA.

R1(config)#clock timezone IST 5 30
R1(config)# ntp server 10.1.5.1
or
R1(config)#do clock set 20:55:00 13 aug 2013

Step2: Configure the hostname and domain name.

R1(config)#ip domain-name cisco.com

Step3: Generate an RSA key pair.

R1(config)#crypto key generate rsa
The name for the keys will be: R1.lab.local
Choose the size of the key modulus in the range of 360 to 2048 for your General
Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]:1024
% Generating 1024 bit RSA keys, keys will be non-exportable..[OK]

Step4: Configure a trustpoint that points the router at the CA server. "XYZ" is a user-defined, locally significant name, so it could be anything.

crypto ca trustpoint XYZ
 enrollment url http://10.1.5.1:80
 usage ike
 revocation-check none
 exit

revocation-check none means the group members never consult a CRL, so a certificate the CA has revoked (for a decommissioned or compromised router, for example) is still accepted in IKE. That is acceptable in a lab; in production configure revocation-check crl and point the trustpoint at the CA's CRL distribution point, or use OCSP.

Step5: Authenticate the trustpoint, i.e. download the root certificate of the CA server.

R1(config)#crypto ca authenticate XYZ
Certificate has the following attributes:
Fingerprint MD5: 84E5BFE0 D7311BEC 2E9D1878 FDAE1F1C
Fingerprint SHA1: 8F0D0DD3 88E21F6D A6F50564 36FFA49C FCC8DBEF
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

This download happens over plain HTTP, so the fingerprint prompt is the only thing that binds the router to the real CA. Before answering yes, compare the SHA1 fingerprint with the one shown by show crypto pki certificates on R5 itself, or with a value obtained from the CA administrator by another channel. Accepting an unverified fingerprint means trusting whoever answered on 10.1.5.1.
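The fingerprint comparison described above, as a small Python script. This is an added example, not part of the lab manual and not Cisco tooling: it formats a certificate digest the way IOS displays it, pulls the fingerprint out of a pasted console capture (the SHA1 line wraps onto a second line, as in the lab), and compares it with the out-of-band value in constant time. The capture is the one shown above; the "out-of-band" value is taken from the same capture so the example passes.

```python
"""Out-of-band check of the CA fingerprint printed by 'crypto ca authenticate'."""
import hashlib
import hmac
import re


def ios_fingerprint(der: bytes, algo: str) -> str:
    """Digest of a DER-encoded certificate in IOS display form:
    upper-case hex split into 8-character groups ('84E5BFE0 D7311BEC ...')."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def fingerprint_from_console(capture: str, algo: str) -> str:
    """Pull the MD5 or SHA1 fingerprint out of a pasted console capture.
    The terminal may wrap the value onto a second line (as in the lab), so
    collect 8-hex-digit groups after the label until the digest is complete."""
    groups_needed = {"md5": 4, "sha1": 5}[algo]
    label = re.search(r"Fingerprint\s+%s:\s*" % algo.upper(), capture, re.IGNORECASE)
    if not label:
        raise ValueError("no %s fingerprint in capture" % algo)
    groups = re.findall(r"[0-9A-Fa-f]{8}", capture[label.end():])[:groups_needed]
    if len(groups) != groups_needed:
        raise ValueError("truncated %s fingerprint" % algo)
    return " ".join(g.upper() for g in groups)


def fingerprint_matches(shown: str, expected: str) -> bool:
    """Compare two fingerprints regardless of spacing or case, in constant time."""
    def canon(s: str) -> bytes:
        return re.sub(r"[^0-9a-f]", "", s.lower()).encode()
    return hmac.compare_digest(canon(shown), canon(expected))


def check_capture(capture: str, expected_sha1: str) -> bool:
    """True only if the SHA1 the router displayed equals the out-of-band value."""
    return fingerprint_matches(fingerprint_from_console(capture, "sha1"), expected_sha1)


# Constructed sample: the prompt exactly as the lab shows it, with the SHA1
# value wrapped onto a second line by the terminal.
CONSOLE_CAPTURE = """\
Certificate has the following attributes:
Fingerprint MD5: 84E5BFE0 D7311BEC 2E9D1878 FDAE1F1C
Fingerprint SHA1: 8F0D0DD3 88E21F6D A6F50564 36FFA49C
FCC8DBEF
% Do you accept this certificate? [yes/no]:"""

if __name__ == "__main__":
    # Value you would read from 'show crypto pki certificates' on R5 itself
    # (or get from the CA administrator); here taken from the lab capture.
    out_of_band_sha1 = "8F0D0DD388E21F6DA6F5056436FFA49CFCC8DBEF"
    verdict = "accept" if check_capture(CONSOLE_CAPTURE, out_of_band_sha1) else "REJECT"
    print(verdict)
```

Only answer yes on the router when the script (or your own comparison) says accept; MD5 is shown by IOS for compatibility and should not be the value you rely on.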

Step6: Enroll for an identity certificate from the CA server.

R1(config)# crypto ca enroll XYZ
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password: cisco123 {min. 7 characters}
Re-enter password: cisco123

% The subject name in the certificate will include: R1.IP4Networker.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: XXXXXXXXXXX
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate XYZ verbose' command will show the fingerprint.

Aug 13 15:56:55.300: CRYPTO_PKI: Certificate Request Fingerprint MD5: EC4D4AB4 E38131C5 E962A630 11D8C498
Aug 13 15:56:55.300: CRYPTO_PKI: Certificate Request Fingerprint SHA1: A72C88A3 E909EF1C 36CDE8A3 DA6067BF 32F71E8F

Aug 13 15:56:57.984: %PKI-6-CERTRET: Certificate received from Certificate Authority

The certificate comes back within two seconds because the CA runs grant auto; with manual granting the request would stay pending until it is approved on R5.

On R1 after enrollment for the certificate:

R1# sh crypto pki certificates
Certificate (Identity Certificate)
  Status: Available
  Certificate Serial Number: 0x2
  Certificate Usage: General Purpose
  Issuer: cn=CCIEA O\=training C\=IN
  Subject:
    Name: R1.cisco.com
    Serial Number: XXXXXXXXXXX
    serialNumber=XXXXXXXXXXX+hostname=R1.cisco.com
  Validity Date:
    start date: 15:56:57 UTC Aug 13 2013
    end date: 15:56:57 UTC Aug 13 2014
  Associated Trustpoints: XYZ

CA Certificate (Root Certificate)
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer: cn=CCIEA O\=training C\=IN
  Subject: cn=CCIEA O\=training C\=IN
  Validity Date:
    start date: 15:51:37 UTC Aug 13 2013
    end date: 15:51:37 UTC Aug 12 2016
  Associated Trustpoints: XYZ
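The listing above can be checked mechanically, which matters in GET VPN because a group member whose identity certificate has lapsed can no longer register with the key server and silently drops out of the group at the next rekey. The script below is an added example, not from the lab manual or Cisco: it parses the R1 output shown above (embedded as sample text), reports the days remaining on each certificate, lists those that need re-enrollment within a window, and confirms the identity certificate was issued by the CA certificate in the same trustpoint. The reference date is assumed.

```python
"""Inventory and expiry check over a 'show crypto pki certificates' capture."""
import re
from datetime import datetime

DATE_FMT = "%H:%M:%S %Z %b %d %Y"   # IOS prints '15:56:57 UTC Aug 13 2014'

# Constructed sample: the R1 listing from the lab, verbatim (the escaped
# equals signs are how IOS prints a DN that was parsed as a single CN).
SHOW_PKI = """\
Certificate (Identity Certificate)
  Status: Available
  Certificate Serial Number: 0x2
  Certificate Usage: General Purpose
  Issuer: cn=CCIEA O\\=training C\\=IN
  Subject:
    Name: R1.cisco.com
    Serial Number: XXXXXXXXXXX
    serialNumber=XXXXXXXXXXX+hostname=R1.cisco.com
  Validity Date:
    start date: 15:56:57 UTC Aug 13 2013
    end date: 15:56:57 UTC Aug 13 2014
  Associated Trustpoints: XYZ

CA Certificate (Root Certificate)
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer: cn=CCIEA O\\=training C\\=IN
  Subject: cn=CCIEA O\\=training C\\=IN
  Validity Date:
    start date: 15:51:37 UTC Aug 13 2013
    end date: 15:51:37 UTC Aug 12 2016
  Associated Trustpoints: XYZ
"""


def parse_ios_date(text: str) -> datetime:
    return datetime.strptime(text.strip(), DATE_FMT)


def parse_pki_listing(text: str) -> list:
    """One dict per certificate block; blocks are separated by a blank line."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        def field(pattern, default=None):
            m = re.search(pattern, block)
            return m.group(1).strip() if m else default
        certs.append({
            "kind": "ca" if block.startswith("CA Certificate") else "identity",
            "serial": field(r"Certificate Serial Number:\s*(\S+)"),
            "usage": field(r"Certificate Usage:\s*(.+)"),
            "issuer": field(r"Issuer:\s*(.+)"),
            # identity certs list the subject as 'Name:'; the CA cert has it inline
            "subject": field(r"Name:\s*(\S+)") or field(r"Subject:\s*(.+)"),
            "not_before": parse_ios_date(field(r"start\s+date:\s*(.+)")),
            "not_after": parse_ios_date(field(r"end\s+date:\s*(.+)")),
            "trustpoint": field(r"Associated Trustpoints:\s*(\S+)"),
        })
    return certs


def days_remaining(cert: dict, now: datetime) -> int:
    return (cert["not_after"] - now).days


def expiring_within(certs: list, now: datetime, days: int) -> list:
    """Subjects whose certificate expires within `days` of `now` (or already has)."""
    return [c["subject"] for c in certs if days_remaining(c, now) <= days]


def chain_consistent(certs: list) -> bool:
    """Every identity certificate must be issued by a CA certificate in the listing."""
    ca_subjects = {c["subject"] for c in certs if c["kind"] == "ca"}
    return all(c["issuer"] in ca_subjects for c in certs if c["kind"] == "identity")


if __name__ == "__main__":
    certs = parse_pki_listing(SHOW_PKI)
    now = parse_ios_date("00:00:00 UTC Jul 20 2014")   # assumed: a month before R1's cert expires
    for c in certs:
        print(c["kind"], c["serial"], c["subject"], days_remaining(c, now), "days left")
    print("re-enrol soon:", expiring_within(certs, now, 30))
    print("chain consistent:", chain_consistent(certs))
```

Run it against the saved output of each group member; with lifetime certificate 365 on the CA, every member in this lab needs re-enrollment before 13 Aug 2014, or the auto-enroll option of the trustpoint (crypto pki trustpoint ... auto-enroll) can be used to renew ahead of expiry.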

To check the enrollments on the CA server, use show crypto pki server (server state, CA certificate fingerprint, next CRL update) and crypto pki server CA info requests (pending and granted requests).

Similarly configure R2, R3 and R4.


IPsec Configuration on KEY_SERVER and GROUP_MEMBERS

KEY_SERVER (R5):
!1. Phase-I parameters (used for GDOI registration)
crypto isakmp policy 10
 authentication rsa-sig
 hash md5
 group 2
 encryption 3des
 exit
!2. Phase-II parameters
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 exit
!3. Interesting traffic: the policy pushed to every member
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!4. Create IPsec profile
crypto ipsec profile ABC
 set transform-set TSET
 exit
!5. GDOI parameters
crypto gdoi group XYZ
 identity number 100
 server local
  sa ipsec 10
   profile ABC
   match address ipv4 101
  address ipv4 10.1.5.1
 exit

Group-Members (R1, R2, R3, R4):
!1. Phase-I parameters
crypto isakmp policy 10
 authentication rsa-sig
 hash md5
 group 2
 encryption 3des
 exit
!2. GDOI group pointing at the SERVER
crypto gdoi group AAA
 identity number 100
 server address ipv4 10.1.5.1
 exit
!3. Crypto map
crypto map CMAP 10 gdoi
 set group AAA
 exit
!4. Apply the crypto map to the interface
interface s0/0
 crypto map CMAP
 exit

Notes: the group name (XYZ on the server, AAA on the members) is locally significant; what must match is identity number 100. The members carry no transform set or ACL of their own: the key server pushes the policy (ACL 101), the transform set and the keys to every member that registers, so every router in the group ends up with an identical policy. Here that policy is simply 10.1.0.0/16 to itself. In a real deployment put deny entries ahead of the permit for traffic that must not be encrypted, such as the GDOI registration traffic itself (UDP 848), the routing protocol and management traffic to the key server, and keep authentication rsa-sig as used here rather than a group-wide pre-shared key, so that a member can be removed from the group by revoking its certificate.

Group Member R1 registers with KEY_SERVER

At this moment only R1 has received the group keys from the KEY_SERVER.

A ping from R1 to R2 now fails: R1 encrypts the traffic with the group TEK, but R2 cannot decrypt it because it has not yet registered with the key server. Similarly, if R2 pings R1, R1 reports an error because it receives clear-text traffic that its downloaded policy says should have been IPsec-protected:

Group Member R2 registers with KEY_SERVER

Now the same ping succeeds.

Similarly get R3 and R4 registered with KEY_SERVER, and you get complete end-to-end connectivity.


Execute this command on R2, R3 and R4:

R2# sh crypto gdoi group AAA
R3# sh crypto gdoi group AAA
R4# sh crypto gdoi group AAA

You would see that on all four routers, R1, R2, R3 and R4, the remaining SA lifetime is less than the configured value and, allowing for the few seconds between running the command on each router, is the same on all of them, however long after R1 each one registered. The reason is that they all share the SAME key: the key server created the TEK once and hands every member that same key with the same expiry, instead of negotiating a fresh SA per peer.

This is the only IPsec VPN in this manual that is genuinely multipoint from the perspective of IPsec: one group SA is used by all members for any-to-any traffic, rather than a pairwise SA per tunnel. The flip side is that every member holds the key for the whole group, so compromising one router exposes all of the group's traffic. Note also that this key server has no rekey configuration (no rekey authentication key), so it cannot push new keys; each member re-registers to obtain the next TEK before the current one expires, which is what the following capture shows.
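The behaviour observed above, as a small Python model: an unregistered member cannot decrypt what a registered member sends, and every member that registers gets the same key with the same expiry, so the remaining lifetime is shared. This is an added example, not part of the lab manual and not Cisco's implementation or the GDOI protocol; the key server, the members and the stand-in cipher (HMAC-SHA256 keystream plus HMAC tag, standard library only, in place of ESP) are constructed here to show the trust model.

```python
"""Model of GET VPN key distribution: one traffic key shared by the whole group."""
import hashlib
import hmac
import os


def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 of a counter (standard library only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(tek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the group key; the tag lets a receiver detect a key mismatch."""
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(tek, len(plaintext))))
    return body + hmac.new(tek, body, hashlib.sha256).digest()


def unprotect(tek: bytes, packet: bytes) -> bytes:
    body, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(tek, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: not protected with our group key")
    return bytes(c ^ k for c, k in zip(body, _keystream(tek, len(body))))


class KeyServer:
    """Creates the TEK once and hands every registrant the same key and the same expiry."""

    def __init__(self, now: int, tek_lifetime: int = 3600):
        self.lifetime = tek_lifetime
        self.rekey(now)

    def rekey(self, now: int) -> None:
        self.tek = os.urandom(32)
        self.expires_at = now + self.lifetime

    def register(self, member: "GroupMember", now: int) -> None:
        if now >= self.expires_at:          # late registrant: issue the next key
            self.rekey(now)
        member.tek, member.expires_at = self.tek, self.expires_at


class GroupMember:
    def __init__(self, name: str):
        self.name, self.tek, self.expires_at = name, None, None

    def remaining_lifetime(self, now: int) -> int:
        if self.tek is None:
            raise RuntimeError(f"{self.name} has not registered")
        return self.expires_at - now

    def send(self, plaintext: bytes) -> bytes:
        if self.tek is None:
            raise RuntimeError(f"{self.name} has not registered")
        return protect(self.tek, plaintext)

    def receive(self, packet: bytes) -> bytes:
        if self.tek is None:
            raise RuntimeError(f"{self.name} has no group key yet")
        return unprotect(self.tek, packet)


def wrong_key_rejected(tek: bytes, other: bytes, msg: bytes = b"x") -> bool:
    """True if a packet protected under tek is refused by a member holding other."""
    try:
        unprotect(other, protect(tek, msg))
    except ValueError:
        return True
    return False


def lab_sequence():
    """Replay the lab: R1 registers, pings R2 before R2 has registered, R2 registers later.
    Returns (R1 remaining lifetime, R2 remaining lifetime, what R2 decrypts afterwards)."""
    ks = KeyServer(now=0)
    r1, r2 = GroupMember("R1"), GroupMember("R2")
    ks.register(r1, now=10)
    packet = r1.send(b"ping from 10.1.1.1")
    try:
        r2.receive(packet)                  # the lab's failing ping: R2 has no key
    except RuntimeError:
        pass
    ks.register(r2, now=600)                # R2 registers ten minutes later ...
    return r1.remaining_lifetime(700), r2.remaining_lifetime(700), r2.receive(packet)


if __name__ == "__main__":
    print(lab_sequence())                   # (2900, 2900, b'ping from 10.1.1.1')
```

The model also makes the group-key trade-off visible: any object holding `tek` can read every packet in the group, which is why membership (certificates, manual granting, revocation) is the real security boundary in GET VPN, not the IPsec SA.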


Re-Registration happens dynamically:


LAB-6: DMVPN
Lab Topology:

Basic Initialization:
Here R1 is the HUB:
Initial configuration for the HUB/ SERVER.

Verify the output:


Verify the routing table entry:

Configuration on SPOKES:
On R3:

Verification: go to R1 (HUB) and check that R3 has dynamically registered with the NHS (R1).

This entry stays in the NHS cache for the NHRP holdtime, 2 hours (7200 seconds) by default; also observe that the registration type is dynamic.

Verify the output on R3:


The mapping available on R3 is of type static. It says that to reach the NHS with tunnel address 192.168.1.1/32 the corresponding public (NBMA) address is 110.1.16.1. Also observe that this entry never expires, as it is manually defined.

Similarly configure R4 and R5 (the original text shows the mask as 255.255.25.0, a typo for 255.255.255.0):

On R4
interface tunnel 1
 ip address 192.168.1.4 255.255.255.0
 tunnel source s0/0
 tunnel mode gre multipoint
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 110.1.16.1

On R5
interface tunnel 1
 ip address 192.168.1.5 255.255.255.0
 tunnel source s0/0
 tunnel mode gre multipoint
 ip nhrp network-id 100
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 110.1.16.1

Recheck the mappings on the NHS: R4 and R5 have also registered.

As verified above, R3 has only 1 mapping entry in its cache. Now trace the route to 192.168.1.5, the tunnel interface address of R5.


The packet first goes to 192.168.1.1 (the NHS) and then to 192.168.1.5, so it takes 2 hops to reach the destination. But during this process R3 also requested the mapping for 192.168.1.5 from the NHS. Compare this with the snapshot above.

Now execute the same trace route again.

This time the packet reaches the destination in just 1 hop because R3 has the mapping in its cache.

The manual calls this DMVPN Phase I. Be aware that in Cisco's own terminology Phase 1 means point-to-point GRE on the spokes, with every spoke-to-spoke packet relayed by the hub; because the spokes here already run mGRE, what you are watching is the NHRP resolution that Phase 2 and Phase 3 build on, applied to the tunnel subnet itself. Also note that nothing in this lab encrypts the tunnels: it is plain GRE over the 110.x.x.x transport, and NHRP itself is unauthenticated. A real DMVPN adds tunnel protection ipsec profile on the tunnel interface so that both the GRE payload and the NHRP exchanges travel inside IPsec.


DMVPN PHASE-II

Now run an interior routing protocol on the HUB and the SPOKES:

router eigrp 101
 no auto-summary
 network 192.168.1.0
 network 10.0.0.0
 exit

On SPOKES:
interface tunnel 1
 ip nhrp map multicast 110.1.16.1
 exit

EIGRP sends its updates to the multicast address 224.0.0.10, and an mGRE tunnel has no built-in way to deliver multicast, so each spoke needs an NHRP multicast mapping that tells it to send such packets to the hub's public address.

On HUB:
interface tunnel 1
 ip nhrp map multicast dynamic
 exit

With map multicast dynamic the hub adds a multicast mapping for every spoke that registers, so its updates reach all spokes without a static mapping per spoke.

Verify the output:

Bounce the tunnel interfaces so that the adjacencies form with the new mappings.

On HUB:
interface tunnel 1
 shutdown
 exit

On All Spokes:
interface tunnel 1
 shutdown
 exit

Now bring the tunnel interface up on the HUB and then on all spokes:

On HUB:
interface tunnel 1
 no shutdown
 exit

On All Spokes:
interface tunnel 1
 no shutdown
 exit

Now on R1 (HUB) turn off split horizon for EIGRP process 101 on the tunnel interface; otherwise the hub will not re-advertise a prefix learned from one spoke out of the same interface to the other spokes.

On R1 (HUB)
interface tunnel 1
 no ip split-horizon eigrp 101
 exit

Check Routing table entries on SPOKES:

Observe all the private networks are reachable via 192.168.1.1 i.e. HUB


Now if you trace route you would see the traffic is routed through the HUB to the SPOKE and does not go directly from SPOKE to SPOKE.
Reason: how traffic is routed is dictated by the routing table, and the routing table entry says 10.4.1.1 is reachable via 192.168.1.1. By default EIGRP on the hub rewrites the next hop of every prefix it re-advertises to its own tunnel address.

For the solution, change the setting on R1 (HUB) so that the hub preserves the originating spoke's tunnel address as the next hop:

interface tunnel 1
 no ip next-hop-self eigrp 101
 exit

Verification: check the routing table entry on the SPOKES again and compare it with the earlier routing table output.


Routing table entry on SPOKE- R5

Trace route to 10.4.1.1 from 10.5.2.1

Two hops to reach the destination.

Check the mapping:


The mapping for the next hop of 10.4.1.1 (R4's tunnel address) is resolved from the NHS and remains in the cache for 2 hours.
Now if you trace route to 10.4.1.1 again you would see the packet reach the destination in 1 hop.

This is DMVPN Phase II: the SPOKES communicate directly with each other by resolving mappings from the NHS, but to make it work we changed the routing protocol settings on the hub (no split horizon, no next-hop-self) so that each spoke sees the other spoke's tunnel address as the next hop and has something to resolve.


DMVPN PHASE-III
Remove the changes made to the routing protocol on the HUB during PHASE-II.

On HUB:
interface tunnel 1
 ip split-horizon eigrp 101
 ip next-hop-self eigrp 101
 exit

Now we use an NHRP feature to accomplish what PHASE-II accomplished by changing the routing protocol settings. The hub keeps itself as the next hop; when it has to forward a packet back out of the same tunnel interface it received it on, it sends an NHRP redirect to the source spoke, which then resolves the destination and installs a shortcut route straight to the other spoke.

On R1 (HUB):
interface tunnel 1
 ip nhrp redirect
 exit

On SPOKES:
interface tunnel 1
 ip nhrp shortcut
 exit

Caveat on split horizon: with ip split-horizon eigrp 101 back on, the hub no longer re-advertises one spoke's prefixes to the other spokes, so a spoke has no route at all to another spoke's LAN unless the hub advertises a summary (for example ip summary-address eigrp 101 10.0.0.0 255.0.0.0 on tunnel 1). The usual Phase 3 design is exactly that: the hub sends a summary or default route, next-hop-self stays on, and NHRP redirect/shortcut installs the specific spoke-to-spoke path on demand. If the trace route below does not complete, either add the summary or leave split horizon disabled.

Verification:

Remaining output omitted. Retry the same trace route.
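The NHRP mechanics that produced the traceroutes in the three phases above, as a Python model. This is an added example, not part of the lab manual and not a Cisco implementation: a hub with a registration table and spokes with an NHRP cache, a routing table and the two knobs the lab turns (the hub's next-hop-self behaviour for Phase 2; ip nhrp redirect plus ip nhrp shortcut for Phase 3). forward() returns the public (NBMA) hops a packet takes, which is what the lab's traceroutes show: two hops the first time, one hop once a dynamic entry exists, and two again once the entry's holdtime (7200 s) has expired. Tunnel addresses and the hub's public address are the lab's; the spokes' public addresses are assumed, since the page does not list them.

```python
"""Model of the NHRP behaviour behind the three DMVPN phases of this lab."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOLDTIME = 7200  # default NHRP holdtime in seconds: the "2 hours" the lab observes


@dataclass
class Entry:
    nbma: str          # public (NBMA) address behind a tunnel address
    kind: str          # "static" from 'ip nhrp map', "dynamic" learned through NHRP
    expires_at: float  # float('inf') for static entries


class Hub:
    """The NHS: registration table plus the LAN prefixes the spokes advertise to it."""

    def __init__(self, tunnel_ip, nbma):
        self.tunnel_ip, self.nbma = tunnel_ip, nbma
        self.redirect = False     # 'ip nhrp redirect' (Phase 3)
        self.registrations = {}   # spoke tunnel IP -> NBMA, from NHRP registration
        self.routes = {}          # LAN prefix -> tunnel IP of the spoke behind it

    def register(self, spoke):
        self.registrations[spoke.tunnel_ip] = spoke.nbma
        for prefix in spoke.lan_prefixes:
            self.routes[prefix] = spoke.tunnel_ip

    def resolve(self, tunnel_ip):
        return self.registrations.get(tunnel_ip)

    def owner(self, dst):
        """(prefix, spoke tunnel IP) of the LAN containing dst, or None."""
        for prefix, spoke_ip in self.routes.items():
            if ip_address(dst) in ip_network(prefix):
                return prefix, spoke_ip
        return None


class Spoke:
    def __init__(self, tunnel_ip, nbma, hub, lan_prefixes=()):
        self.tunnel_ip, self.nbma, self.hub = tunnel_ip, nbma, hub
        self.lan_prefixes = list(lan_prefixes)
        self.shortcut = False     # 'ip nhrp shortcut' (Phase 3)
        self.cache = {hub.tunnel_ip: Entry(hub.nbma, "static", float("inf"))}  # ip nhrp map
        self.routes = {}          # prefix -> next-hop tunnel IP (from EIGRP or a shortcut)
        hub.register(self)        # ip nhrp nhs <hub>: dynamic registration

    def learn_routes(self, next_hop_self=True):
        """What EIGRP installs from the hub: the hub as next hop, unless the hub runs
        'no ip next-hop-self eigrp', which preserves the originating spoke's address."""
        for prefix, spoke_ip in self.hub.routes.items():
            if spoke_ip != self.tunnel_ip:
                self.routes[prefix] = self.hub.tunnel_ip if next_hop_self else spoke_ip

    def expire(self, now):
        self.cache = {k: e for k, e in self.cache.items() if e.expires_at > now}

    def next_hop(self, dst):
        hits = [p for p in self.routes if ip_address(dst) in ip_network(p)]
        if not hits:
            return dst            # a tunnel-subnet address is directly connected
        return self.routes[max(hits, key=lambda p: ip_network(p).prefixlen)]

    def forward(self, dst, now):
        """NBMA hops a packet to dst takes at time now, updating the cache as NHRP would."""
        self.expire(now)
        nh = self.next_hop(dst)
        if nh != self.hub.tunnel_ip and nh in self.cache:
            return [self.cache[nh].nbma]                     # spoke to spoke: one hop
        if nh == self.hub.tunnel_ip:                         # routed through the hub
            owner = self.hub.owner(dst)
            if owner and self.hub.redirect and self.shortcut:
                prefix, spoke_ip = owner                     # Phase 3: redirect + shortcut
                self.cache[spoke_ip] = Entry(self.hub.resolve(spoke_ip), "dynamic", now + HOLDTIME)
                self.routes[prefix] = spoke_ip
            return [self.hub.nbma] + ([self.hub.resolve(owner[1])] if owner else [])
        nbma = self.hub.resolve(nh)                          # Phase 2 (and tunnel subnet):
        if nbma:                                             # this packet relays via the hub
            self.cache[nh] = Entry(nbma, "dynamic", now + HOLDTIME)  # while nh is resolved
        return [self.hub.nbma] + ([nbma] if nbma else [])


def lab(phase):
    """Rebuild the lab topology; return the hop lists of two consecutive traceroutes."""
    hub = Hub("192.168.1.1", "110.1.16.1")
    # spoke NBMA addresses are assumed: the lab does not list them
    r3 = Spoke("192.168.1.3", "110.1.36.3", hub)
    Spoke("192.168.1.4", "110.1.46.4", hub, ["10.4.1.0/24"])
    r5 = Spoke("192.168.1.5", "110.1.56.5", hub, ["10.5.2.0/24"])
    if phase == 1:                          # no routing protocol; trace to a tunnel address
        return r3.forward("192.168.1.5", 0), r3.forward("192.168.1.5", 1)
    if phase == 2:                          # hub runs 'no ip next-hop-self eigrp 101'
        r5.learn_routes(next_hop_self=False)
    else:                                   # Phase 3: redirect on the hub, shortcut on spokes
        r5.learn_routes(next_hop_self=True)
        hub.redirect = r5.shortcut = True
    return r5.forward("10.4.1.1", 0), r5.forward("10.4.1.1", 1)


if __name__ == "__main__":
    for phase in (1, 2, 3):
        print(f"phase {phase}:", *lab(phase))
```

The hub-only case (next-hop-self left on and no redirect) is the one the lab hits right after enabling EIGRP: every forward() returns two hops, because the spoke never has anything to resolve except the hub itself.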



LAB-7: DMVPN Dual-Hub

Note: Continue with the configuration of the last lab. All you need to do is make changes on R1 (HUB-1), configure R2 (HUB-2), and then add the information about HUB-2 to the existing spokes.

Configuration on R1 (HUB-1)
interface tunnel 1
 ip nhrp map 192.168.1.2 110.1.26.2
 ip nhrp map multicast 110.1.26.2
 exit

Configuration on R2 (HUB-2)
Run EIGRP with AS 101, as on R1.

interface tunnel 1
 ip address 192.168.1.2 255.255.255.0
 tunnel source f0/0
 tunnel mode gre multipoint
 ip nhrp network-id 100
 ip nhrp map 192.168.1.1 110.1.16.1
 ip nhrp map multicast dynamic
 ip nhrp map multicast 110.1.16.1
 ip nhrp redirect
 exit

On spokes:
interface tunnel 1
 ip nhrp nhs 192.168.1.2
 ip nhrp map 192.168.1.2 110.1.26.2
 ip nhrp map multicast 110.1.26.2
 exit

Each spoke now registers with both NHSs and exchanges EIGRP updates with both hubs, so the loss of one hub no longer takes down the overlay.


Module 3: High Availability VPN

- High Availability VPN without using HSRP
- High Availability VPN using HSRP


LAB-1: HIGH AVAILABILITY VPN WITHOUT HSRP

Lab Topology:

!On R1
enable
conf t
interface f0/0
 ip add 136.1.13.1 255.255.255.0
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 136.1.13.3
interface loopback 1
 ip add 10.1.1.1 255.255.255.0
interface loopback 2
 ip add 10.1.2.1 255.255.255.0

!On R2
ena
conf t
interface s0/0
 ip add 136.1.24.2 255.255.255.0
 clock rate 1000000
 no shut
 exit
interface s0/1
 ip add 136.1.25.2 255.255.255.0
 clock rate 1000000
 no shut
 exit
router eigrp 100
 no auto-summary
 network 1.0.0.0
 network 136.1.24.0
 network 136.1.25.0
 exit
interface loopback 0
 ip add 1.1.1.1 255.0.0.0
interface loopback 1
 ip add 10.2.1.1 255.255.255.0
interface loopback 2
 ip add 10.2.2.1 255.255.255.0
 exit

!On R3
ena
conf t
interface f0/0
 ip add 136.1.13.3 255.255.255.0
 no shut
 exit
interface s0/0
 ip add 136.1.34.3 255.255.255.0
 no shut
 exit
interface s0/1
 ip add 136.1.35.3 255.255.255.0
 no shut
router eigrp 100
 no auto-summary
 network 136.1.34.0
 network 136.1.35.0
 exit

(From the addressing, R4 sits between R3 and R2 on 136.1.34.0/24 and 136.1.24.0/24, and R5 between R3 and R2 on 136.1.35.0/24 and 136.1.25.0/24, both running EIGRP 100; their configuration is not reproduced in this copy.)

Setup Tuning:
If you check the routing table on R3, you would see that there are 2 routes to reach Loopback-0 on R2, i.e. 1.1.1.1: both serial paths have the same EIGRP metric, so both are installed and traffic is load-shared across them.

To correct this, set the bandwidth on the R5 S0/1 and R2 S0/1 interfaces. Since we are running EIGRP this changes the metric of the path through R5, and as a result only 1 best route remains in the routing table; the R5 path stays in the EIGRP topology table as the backup.

On R2 - interface S0/1
 bandwidth 128
On R5 - interface S0/1
 bandwidth 128

Now if you check the routing table, you would see only 1 route to reach the 1.1.1.1 network.

Now if you trace route from R3 to 1.1.1.1, you would find the hops go through 136.1.34.0 and then 136.1.24.0. When this path goes down, the alternate route is moved into the routing table.
IPsec configuration on Router R2

!Step1:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 136.1.13.1
!Step2:
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
!Step3:
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!Step4:
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 136.1.13.1
 set transform-set TSET
 exit
!Step5:
!Apply crypto-map CMAP on both outgoing interfaces, S0/0 and S0/1
interface s0/0
 crypto map CMAP
interface s0/1
 crypto map CMAP
!Step6:
crypto map CMAP local-address Loopback0

Step6 is what makes the failover transparent: both physical interfaces carry the same crypto map, but ISAKMP and IPsec are sourced from Loopback0 (1.1.1.1), so the SAs stay valid whichever serial link the route currently uses and R1 only ever sees one peer address. The lab uses 3DES, MD5 and DH group 2 because the platform is old; none of them should be chosen for a new deployment (prefer AES, SHA-2 and DH group 14 or higher).

Apart from this you would need a static route on R2 for R1's private networks:
ip route 10.1.0.0 255.255.0.0 136.1.13.1
IPsec configuration on Router R1

!Step1:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 1.1.1.1
!Step2:
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
! Step3:
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
! Step4:
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 1.1.1.1
 set transform-set TSET
 exit
! Step5:
!Apply crypto-map CMAP on the outgoing interface
interface F0/0
 crypto map CMAP
 exit

R1 peers with 1.1.1.1 (R2's Loopback0), not with either serial address, and its ISAKMP key is bound to that address too. The transform set must match R2's exactly; the original text had esp-sha, which is not a valid IOS keyword, the transform is esp-sha-hmac.

Verification of the present setup:

From R2/R1:
show crypto isakmp sa
(No ISAKMP SA exists yet.)
ping 10.1.1.1 source 10.2.1.1
Now again execute: show crypto isakmp sa
show crypto ipsec sa


To test the setup:

From R2:
ping 10.1.1.1 source 10.2.1.1 repeat 1000

Now go to R4 and shut down interface S0/1 of router R4.

Check the routing table on R3: show ip route eigrp
You can see that network 1.0.0.0/8 is now reachable via 136.1.35.0.

At the same time, look at R2: you would see that the packets keep flowing almost seamlessly; hardly 1 packet is dropped. No IKE or IPsec renegotiation is needed, because the SAs are bound to 1.1.1.1 rather than to the failed link.


LAB-2: High Availability VPN using HSRP

Lab Topology:

Basic Configuration:
Router-R4
interface f0/0
 ip address 192.1.100.1 255.255.255.0
 no shut
 exit
interface f0/1
 ip add 192.168.1.1 255.255.255.0
 no shut
 exit
!
ip route 0.0.0.0 0.0.0.0 192.1.100.3

Router-R5
interface f0/0
 ip address 192.1.100.2 255.255.255.0
 no shut
 exit
interface f0/1
 ip add 192.168.1.2 255.255.255.0
 no shut
 exit
!
ip route 0.0.0.0 0.0.0.0 192.1.100.3

Router-R2
interface f0/0
 ip address 192.168.1.5 255.255.255.0
 no shut
 exit
interface loopback 0
 ip address 10.5.5.5 255.255.255.0
!
Run EIGRP on the 192.168.1.0/24 and 10.5.5.0 networks.

Router-R3
interface f0/0
 ip address 192.1.100.3 255.255.255.0
 no shut
 exit
interface s0/0
 ip address 192.1.34.3 255.255.255.0
 clock rate 128000
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 192.1.34.4

Router-R1
interface s0/0
 ip address 192.1.34.4 255.255.255.0
 no shut
 exit
interface loopback 0
 ip address 10.4.4.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.1.34.3

On the switch: the F0/0 interfaces of R3, R4 and R5 share one VLAN (the 192.1.100.0/24 segment).

Configure HSRP on R4 and R5:

On Router R4
interface F0/0
 standby 1 ip 192.1.100.12
 standby 1 priority 105
 standby 1 preempt
 standby 1 name HA
 exit

On Router R5
interface F0/0
 standby 1 ip 192.1.100.12
 standby 1 name HA
 exit


On the VPN routers (R1, R4 and R5) enable ISAKMP keepalives (dead peer detection); this is what lets a peer notice that the HSRP active router has gone away:
crypto isakmp keepalive 10
(the interval is in seconds)

IPsec configuration On Router R1

!Step1:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.100.12
!Step2:
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
! Step3:
access-list 101 permit ip 10.4.4.0 0.0.0.255 10.5.5.0 0.0.0.255
! Step4:
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.100.12
 set transform-set TSET
 reverse-route static
 exit
! Step5:
!Apply crypto-map CMAP on the outgoing interface
interface S0/0
 crypto map CMAP
 exit

IPsec configuration On Router R4 & R5

This configuration goes on both routers.
!Step1:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key 0 cisco123 address 192.1.34.4

!Step2:
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 exit
! Step3:
access-list 101 permit ip 10.5.5.0 0.0.0.255 10.4.4.0 0.0.0.255
! Step4:
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 192.1.34.4
 set transform-set TSET
 reverse-route static
 exit
! Step5:
!Apply crypto-map CMAP on the outgoing interface, bound to the HSRP group
interface F0/0
 crypto map CMAP redundancy HA
 exit

crypto map CMAP redundancy HA ties the crypto map to HSRP group HA: ISAKMP and IPsec are sourced from the virtual address 192.1.100.12, and only the HSRP active router terminates the tunnel. This is stateless failover: no SA state is shared between R4 and R5, so when the standby becomes active R1 must build new ISAKMP and IPsec SAs with it, which is the gap you will observe below.

On the EIGRP process of R4 and R5, redistribute the static route that reverse-route static installs for 10.4.4.0/24, so that R2 learns the path to the remote network through the HSRP active router:
router eigrp 100
 redistribute static
 exit

Output:
SITE1 = Router R1

SITE2 = Router R4

SITE2 = Router R5

Check the routing table on SITE2-R2.

Network 10.4.4.0 is reachable via 192.168.1.1, i.e. Router R4.

Now let's do a ping from 10.5.5.5 to 10.4.4.4 with a repeat value of 500:
ping 10.4.4.4 source 10.5.5.5 repeat 500

While the ping is in progress, go to Router R4 and shut down interface F0/0. Soon you start getting dots (.) for the pings. This continues for about 10 seconds, the interval configured with crypto isakmp keepalive 10: R1 has to miss a keepalive from 192.1.100.12 before it tears down the SAs it built with R4 and negotiates new ones with R5, which is now HSRP active.

Actual Output on Router R2:


The ping output marked in yellow is from when interface F0/0 of R4 is UP.
The ping output marked in orange is from when interface F0/0 of R4 is SHUT DOWN; for the next 10 seconds you get dots (.) in the ping output.

The unmarked ping output is the ping packets going through R5.

Now go to R4 and NO SHUT interface F0/0.

The ping output marked in blue is from when interface F0/0 of R4 comes back up: R4 preempts (priority 105), the tunnel has to move back to it, and for the next 10 seconds you again get dots (.) in the ping output, after which normal ping output resumes.


Module 4: Remote Access VPN

- Easy VPN – Software Client
- Easy VPN – Hardware Client
- Easy VPN – Network Extension Mode
- Easy VPN on Cisco ASA
- SSL VPN / Web VPN – IOS Server
- SSL VPN on Cisco ASA


LAB-1: Easy VPN with IOS server and Cisco VPN Client Software

Lab Topology:
Logical Setup:

Physical Setup:

Requirements:
Devices used:
(a) Two PCs
(b) Two routers: R3, R4 (2800 Software (C2800NM-ADVSECURITYK9-M), Version 15.1(4)M6)
(c) Two switches: C3550 Software (C3550-IPSERVICES-M), Version 12.2(44)SE6
(d) Cisco VPN Client software installed on the Remote_client_PC.

Basic Initialization:
Setup Layer 2:

Setup trunk line between SW3 and SW4

Same configuration on SW3

Assign the appropriate ports to the respective VLANs.

On SW3:


On SW4:

Now configure the routers:


Routes on both the Routers:

Setup the IP address on Remote_Client_PC

Try to ping 192.1.20.2 which is the Public IP address of your Easy VPN
Server.


Now Configure R3 as IOS Easy VPN Server


Now, on the Remote_Client_PC, configure a profile in the Cisco VPN Client software:

The output looks like this:


Connect to the Easy VPN server using the VPN Client profile.

As Extended Authentication (XAUTH) is enabled, you would be challenged for a username and password after the group authentication. The group name and group password in the profile are shared by every user of that group, so XAUTH is what actually identifies the individual user; never treat the group password as a secret that authenticates anyone.


Check the output:

You can go to show hidden icons > right-click the VPN Client icon > select VPN Statistics.

You can ping the Corporate_PC_Connected_TO_Rack (10.10.10.1) from the Remote_Client_PC to check the VPN connectivity.


Now you have complete end-to-end reachability. For verification, I would try a Remote Desktop Connection into the Corporate PC.

Connection in progress:

Once you get connected, you would be prompted for a login username and password.


You would get access to Corporate Network on Successful Login.


LAB-2: Easy VPN with IOS server and Router As Client

Lab Topology:

Basic Initialization:
On R1
interface f0/0
 ip add 192.1.20.2 255.255.255.0
 no shut
 exit
interface loopback 1
 ip add 10.10.10.1 255.255.255.0
 exit
ip route 0.0.0.0 0.0.0.0 192.1.20.1

On R2
interface f0/0
 ip add 192.1.20.1 255.255.255.0
 no shut
 exit
interface f0/1
 ip add 192.1.30.1 255.255.255.0
 no shut
 exit

On R3
interface f0/0
 ip add 192.1.30.3 255.255.255.0
 no shut
 exit
interface loopback 1
 ip add 192.168.10.1 255.255.255.0
 exit
ip route 0.0.0.0 0.0.0.0 192.1.30.1

Verification: ping 192.1.20.2 from R3.

Easy VPN Server Configuration: On R1


On R3:

crypto ipsec client ezvpn EZC
 peer 192.1.20.2
 group SALES1 key cisco111
 mode client
 connect auto
 exit

Output:


On R3: the router connects as a client under group SALES1, and the address assigned by the server from the pool is 10.11.11.1/24. This address is installed on interface Loopback10000.

On the server (R1): the moment client router R3 connects, the virtual-access2 interface state changes to UP.

Check the interface brief on R3:

Loopback10000 is assigned the IP address 10.11.11.1 provided by the Easy VPN server.

Check the interface brief on Router R1 (Server). Interface virtual-access2 is up.

Next, check the routing table on R3 (Client).


Check the routing table on Router R1 (Server).

Check interface virtual-access2, which is dynamically created from Virtual-template1.

Now notice that there is no NAT translation on R3 yet (show ip nat translations). We will come back and verify this output again soon.

Now ping 10.10.10.1, the private network behind the Easy VPN server, from the private network behind R3 (Loopback 1 = 192.168.10.1).

The ping from one private address to another private address succeeded over the internet. Now check the translation table on R3: 192.168.10.1 is translated to the private address (10.11.11.1) assigned by the Easy VPN server, which is installed on Loopback10000 on R3. In client mode the router hides its whole LAN behind that single assigned address, which is why the server only needs a route for 10.11.11.1 and why hosts on the server side cannot initiate connections to 192.168.10.x; that is what network-extension mode in the next lab changes.

Verification commands:
show crypto isakmp sa
show crypto ipsec sa


LAB-3: Easy VPN with IOS server and Router As Client in NEM Mode

Lab Topology: same as the previous lab.

Pre-requisite: previous lab configuration.

Don't touch the configuration of routers R1 and R2. Only modify the configuration of R3 (Client).

On R3:
no crypto ipsec client ezvpn EZC

crypto ipsec client ezvpn EZC
 peer 192.1.20.2
 group SALES1 key cisco111
 mode network-extension
 connect manual
 exit

To manually connect to the server, execute the command given below in privileged EXEC mode:
R3# crypto ipsec client ezvpn connect EZC


As soon as you hit enter, you get connected to the server.

This time no IP address is assigned to R3 by the server. Instead R3 tells the server about its subnet 192.168.10.0/24, so that the server installs a route for this subnet in its routing table (pointing at the virtual-access interface), and hosts on both sides reach each other with their real addresses, in either direction.
To verify this, check the routing table on the server (R1).

Now ping 192.168.10.1 from 10.10.10.1 (private-to-private).

And use these commands to check the SAs:
1. show crypto isakmp sa
2. show crypto ipsec sa


LAB-4: SSL VPN on Router

Lab Topology:
Logical Setup:

Basic Initialization:
On R4
interface f0/0
 ip add 10.11.11.1 255.255.255.0
 no shut
 exit
!
ip route 0.0.0.0 0.0.0.0 10.11.11.10
!
ip http server
ip http secure-server
!
username admin privilege 15 password cisco

On PC:
Change adapter settings:
IP Address: 177.11.11.1
Mask: 255.255.255.0
Gateway: 177.11.11.10

On R5
interface f0/0
 ip add 10.11.11.10 255.255.255.0
 no shut
 exit
interface f0/1
 ip add 192.1.20.10 255.255.255.0
 no shut
 exit
ip route 177.11.11.0 255.255.255.0 192.1.20.1

On R6
interface f0/0
 ip add 192.1.20.1 255.255.255.0
 no shut
 exit
interface f0/1
 ip add 177.11.11.10 255.255.255.0
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 192.1.20.10

Clientless VPN
On the SSL VPN server (R5):

username admin password cisco
!
aaa new-model
aaa authentication login AUTHEN local
!
ip http server
ip http secure-server

Output:

Prepare your server with a certificate for the TLS listener. Here it is self-signed, so browsers will warn on every connection; in production enroll the gateway with a CA the clients trust. rsakeypair is the IOS keyword (the original text had rsakey), and the DN attributes are comma-separated.

crypto pki trustpoint SELF_CA
 rsakeypair MYKEY 1024
 subject-name CN=CCIEAcademy,OU=Network Security,O=CCIEAcademy,L=Bangalore,ST=Karnataka,C=IN
 ip-address none
 enrollment selfsigned
 exit
crypto pki enroll SELF_CA
Output:

Now configure the router to accept VPN connections:

webvpn gateway SSL_GATEWAY
 ip address 192.1.20.10 port 443
 http-redirect port 80
 ssl trustpoint SELF_CA
 inservice
!
webvpn context SALES
 ssl authenticate verify all
 !
 url-list "Device-Config"
  heading "Device Configuration"
  url-text "Access_to_R4" url-value "http://10.11.11.1"
 !
 policy group SSL_Policy
  url-list "Device-Config"
  hide-url-bar
  mask-urls
 default-group-policy SSL_Policy
 aaa authentication list AUTHEN
 gateway SSL_GATEWAY
 inservice
 exit

Verification:
On PC:

Ping 192.1.20.10 from PC. This should succeed.

https://192.1.20.10 and continue to the website.


Enter Username admin and password cisco

Click on the link Access_to_R4.

Under policy group SSL_Policy there is one command, "hide-url-bar", which hides the URL bar. You know the link takes you to router R4 at 10.11.11.1, but you will not see this address in the URL bar.

Enter Username admin password cisco


Log out from the page.


Thin client
Continue with previous configuration:
webvpn context SSL_CONTEXT
 ! the context name must match the one created in the clientless section above
 port-forward "Applications"
  local-port 2200 remote-server "10.11.11.1" remote-port 23 description "Use this To Telnet To R4"
  exit
 policy group SSL_Policy
  port-forward "Applications"
  exit
 exit

Verification:
Browse to https://192.1.20.10
Login using username admin password cisco


Full Client

R5(config)# ip access-list extended SSL_ACL
R5(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 host 10.11.11.1 eq 23
R5(config-ext-nacl)# exit

R5(config)# ip local pool SSL_POOL 192.168.10.1 192.168.10.10

R5(config)# webvpn context SSL_CONTEXT
R5(config-webvpn-context)# policy group SSL_Policy
R5(config-webvpn-group)# filter tunnel SSL_ACL
R5(config-webvpn-group)# svc split include 10.11.11.0 255.255.255.0
R5(config-webvpn-group)# functions svc-enabled
R5(config-webvpn-group)# svc address-pool SSL_POOL
R5(config-webvpn-group)# exit
R5(config-webvpn-context)# exit

Verification:
Browse to https://192.1.20.10
Login using username admin password cisco

After successful login you will be presented the page shown below.


Go to "Application Access" on the right hand side and click "Start" to download the "Cisco AnyConnect Secure Mobility Client".

The Cisco AnyConnect Secure Mobility software is downloaded from the SSL VPN server.


Module 5: IKEv2 Based VPN

IKEv2 Policy Based Site-to-Site VPN

IKEv2 Routing Based Site-to-Site VPN

IKEv2 Based VPN on Cisco ASA


LAB-1: IKEv2 Policy Based Site-To-Site VPN

Lab Topology:

Theory:
In IKEv1, i.e. Internet Key Exchange version 1, we have two phases: PHASE-I and PHASE-II.

PHASE-I is also known as the ISAKMP phase. ISAKMP stands for Internet Security Association and Key Management Protocol.

In PHASE-I we have two protocols working for the successful establishment of the PHASE-I SA (Security Association, or tunnel):
1. ISAKMP
2. Diffie-Hellman
ISAKMP works on UDP port 500.
Note: Both IKEv1 and IKEv2 use UDP for encapsulation and transmission of the traffic. IKEv1 and IKEv2 use UDP port 500.

IKEv1 has two phases, where PHASE-I can work in two modes:
1. Main Mode: here 3 pairs of messages are exchanged, i.e. a total of 6 messages, for the establishment of the PHASE-I SA. The PHASE-I SA is a bidirectional SA and is used for the secure exchange of the session key, which is used by the PHASE-II SA to securely send/receive the user data.
2. Aggressive Mode: here only 3 messages are exchanged for the establishment of the PHASE-I SA.

Main Mode is the default preferred mode on routers, whereas Aggressive Mode is the default mode on the ASA firewall when configuring IPsec VPN, because Main Mode involves more processing compared to Aggressive Mode, where only 3 messages are exchanged.

IKEv1 PHASE-II always works in Quick Mode, where only 3 messages are exchanged.
We use the crypto ipsec transform-set command for IPsec policy negotiation. The PHASE-II SAs are unidirectional SAs, i.e. 1 SA for incoming traffic and 1 separate SA for outgoing traffic.

Here always 5 pieces of information are sent:
IPsec Mode: Tunnel (default mode) or Transport
Encryption Method: DES, 3DES, AES-128, 192, 256
Hash/Integrity Method: MD5 or SHA-1
IPsec Protocol: ESP (Encapsulating Security Payload) or AH (Authentication Header)
SA Lifetime: seconds or KB

IKEv2 requires a minimum of 4 messages for the successful establishment of the PHASE-I and PHASE-II SAs.
1. IKE_SA_INIT message: this message is exchanged between the peers for security parameter negotiation through the IKEv2 proposal.

In the IKEv2 proposal we mention parameters like:
-Integrity method
-Encryption method
-Diffie-Hellman group
-Nonce
At this point the peers generate SKEYSEED, the seed security key value.

2. IKE_AUTH message:
IKE_AUTH works over the IKE_SA created by the IKE_SA_INIT message and is used to validate the identity of the peers and to negotiate the encryption, authentication and integrity protocols that establish the first CHILD_SA for use by ESP/AH.
Peer validation methods available are:
-Pre-shared keys
-Certificates
-EAP (Extensible Authentication Protocol), like XAUTH.

The first CHILD_SA, created in the IKE_AUTH step, is the only CHILD_SA created for IPsec communication. However, if an application or peer requires additional SAs to secure the traffic through the tunnel, IKEv2 uses the CREATE_CHILD_SA message exchange for this purpose. This is equivalent to PFS (Perfect Forward Secrecy) in IKEv1.

Last is the INFORMATIONAL message, which is exchanged for management or error notification.
Note: We are using IKEv2, thereby changing only PHASE-I.
Before this let me show you the steps for an IKEv1 VPN using a crypto map.

1. Create ISAKMP Policy:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 exit
crypto isakmp key cisco123 address 192.1.20.2

2. Create IPsec transform-set to mention Phase-II parameters.
crypto ipsec transform-set PHASE_II_TSET esp-3des esp-sha-hmac
 exit

3. Create an ACL to select the interesting traffic.
ip access-list extended VPN_SITE1_SITE2
 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
 exit

4. Create a crypto map to link steps 2 and 3.
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.20.2
 set transform-set PHASE_II_TSET
 match address VPN_SITE1_SITE2
 exit

5. Apply the crypto map CMAP to the outgoing interface of the router.
interface F0/1
 crypto map CMAP
 exit

Now there are some changes for an IKEv2 VPN using a crypto map:
1. Create IKEv2 Proposal: an IKEv2 proposal must have at least 1 encryption method, 1 integrity method and 1 Diffie-Hellman group, which indirectly means you can mention multiple values.
Sample:
crypto ikev2 proposal {name}
 integrity {md5, sha1, sha256, sha384 etc}
 encryption {des, 3des, aes-cbc-128, aes-cbc-192 etc}
 group {1, 2, 5, 14, 15 etc}
 exit
Example:
crypto ikev2 proposal PROPOSAL_1
 integrity md5 sha1 sha256
 encryption 3des aes-cbc-128
 group 2 5 14
 exit

2. Create IKEv2 Policy: here we call the proposal we created in Step 1.
Sample:
crypto ikev2 policy {name}
 proposal {name}
 exit
Example:
crypto ikev2 policy POLICY_1
 proposal PROPOSAL_1
 exit

3. Create a keyring, as we have not yet mentioned the pre-shared key or any other authentication method for PHASE-I.
Sample:
crypto ikev2 keyring {name}
peer {name} // configure a peer and associated keys
address {subnet mask-optional}
pre-shared-key local 0 {key}
pre-shared-key remote 0 {key}
exit
Example:
crypto ikev2 keyring KEYRING_1
peer SITE
address 200.1.100.5
pre-shared-key local 0 SITE1
pre-shared-key remote 0 SITE5
exit

4. Create IKEv2 Profile, wherein we link the above mentioned parameters.
The IKEv2 profile must contain the following:
1. A local and a remote authentication method
2. A match identity or a match certificate statement.
Sample:
crypto ikev2 profile {name}
 authentication local pre-share
 authentication remote pre-share
 match identity remote address {IP Address} 255.255.255.255
 keyring local {name}
 exit
Example:
crypto ikev2 profile IKEV2_P
 authentication local pre-share
 authentication remote pre-share
 match identity remote address 200.1.100.5 255.255.255.255
 keyring local KEYRING_1
 exit

5. Create IPsec transform-set to mention Phase-II parameters.


Sample:
crypto ipsec transform-set "NAME" "Encryption-method" "Hash-method"
 exit
Example:
crypto ipsec transform-set PHASE_II_TSET esp-3des
esp-sha-hmac
exit

6. Create an ACL to select the interesting traffic.
Sample:
access-list {number} permit ip SR_IP SR_MASK DEST_IP DEST_MASK
Example:
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255

7. Create a crypto map to link the transform-set, the ACL and the IKEv2 profile created above.
Sample:
crypto map "NAME" "SEQ. No." ipsec-isakmp
 set peer {ADDRESS}
 set transform-set {transform-set name}
 match address {ACL Name}
 set ikev2-profile {profile_name}
 exit
Example:
crypto map CMAP 10 ipsec-isakmp
 set peer 200.1.100.5
 set transform-set TSET
 match address 101
 set ikev2-profile IKEV2_P
 exit

8. Apply the crypto-map to the outgoing interface of the router.


Sample:
interface {physical_name}
crypto map {crypto_map_name}
exit
Example:
interface F1/0
crypto map CMAP
exit

Basic Initialization:
!On R1
conf t
int s1/0
 ip add 171.1.15.1 255.255.255.0
 no shut
 exi
!
int loopback1
 ip add 10.1.1.1 255.255.255.0
 exi
!
ip route 0.0.0.0 0.0.0.0 171.1.15.5
!
!On R2
conf t
int s1/0
 ip add 171.1.25.2 255.255.255.0
 no shut
 exi
!
int loopback1
 ip add 10.1.2.2 255.255.255.0
 exi
!
ip route 0.0.0.0 0.0.0.0 171.1.25.5
!
!On R5
conf t
int s1/0
 clock rate 1000000
 ip add 171.1.15.5 255.255.255.0
 no shut
 exi
int s1/1
 clock rate 1000000
 ip add 171.1.25.5 255.255.255.0
 no shut
 exi

IKEv2 configuration on R1
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 2 5 14
 exit
!
crypto ikev2 policy POLICY1
 proposal PROP1
 exit
!
crypto ikev2 keyring KR1
 peer R1
  address 171.1.25.2 255.255.255.0
  pre-shared-key local R1cisco
  pre-shared-key remote R2cisco
  exit
 exit
!
crypto ikev2 profile R1R2
 match identity remote address 171.1.25.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
 exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
 exit
!
access-list 101 permit ip host 10.1.1.1 host 10.1.2.2
!
crypto map CMAP 10 ipsec-isakmp
 set peer 171.1.25.2
 set transform-set TSET
 set ikev2-profile R1R2
 match address 101
 exi
!
! apply the crypto map to the serial interface facing R5 (step 8 above)
interface s1/0
 crypto map CMAP
 exi

IKEv2 configuration on R2
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 2 5 14
 exit
!
crypto ikev2 policy POLICY1
 proposal PROP1
 exit
!
crypto ikev2 keyring KR1
 peer R1
  address 171.1.15.1 255.255.255.0
  pre-shared-key local R2cisco
  pre-shared-key remote R1cisco
  exit
 exit
!
crypto ikev2 profile R1R2
 match identity remote address 171.1.15.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
 exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
 exit
!
access-list 101 permit ip host 10.1.2.2 host 10.1.1.1
!
crypto map CMAP 10 ipsec-isakmp
 set peer 171.1.15.1
 set transform-set TSET
 set ikev2-profile R1R2
 match address 101
 exi
!
! apply the crypto map to the serial interface facing R5 (step 8 above)
interface s1/0
 crypto map CMAP
 exi
Verification:

Debug crypto ikev2


*Jul 10 17:30:52.615: IKEv2:Received Packet [From
110.1.23.3:500/To 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI :
0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP)
NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Jul 10 17:30:52.635: IKEv2:(SA ID = 1):Verify SA init message


*Jul 10 17:30:52.639: IKEv2:(SA ID = 1):Insert SA
*Jul 10 17:30:52.643: IKEv2:Searching Policy with fvrf 0, local
address 110.1.12.1
*Jul 10 17:30:52.647: IKEv2:Found Policy 'IKEV2-POLICY'
*Jul 10 17:30:52.651: IKEv2:(SA ID = 1):Processing IKE_SA_INIT
message
*Jul 10 17:30:52.659: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve
configured trustpoint(s)
*Jul 10 17:30:52.663: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved
trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2'
'Trustpool1' 'Trustpool'

*Jul 10 17:30:52.667: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public
Key Hashes of trustpoints
*
R1#Jul 10 17:30:52.671: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting
of Public Key Hashes of trustpoints PASSED
*Jul 10 17:30:52.675: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI
Session
*Jul 10 17:30:52.679: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting
of PKI Session PASSED
*Jul 10 17:30:52.683: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine]
Computing DH public key, DH Group 2
*Jul 10 17:30:52.687: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2]
DH key Computation PASSED
*Jul 10 17:30:52.687: IKEv2:(SA ID = 1):Request queued for
computation of DH key
*Jul 10 17:30:52.691: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine]
Computing DH secret key, DH Group 2
*Jul 10 17:30:52.731: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2]
DH key Computation PASSED
*Jul 10 17:30:52.731: IKEv2:(SA ID = 1):Request queued for
computation of DH secret
*Jul 10 17:30:52.731: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine]
Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jul 10 17:30:52.735: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2]
R1# SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jul 10 17:30:52.739: IKEv2:IKEv2 responder - no config data to
send in IKE_SA_INIT exch
*Jul 10 17:30:52.743: IKEv2:(SA ID = 1):Generating IKE_SA_INIT
message
*Jul 10 17:30:52.747: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI
size: 0 (initial negotiation),
Num. transforms: 4
3DES MD5 MD596 DH_GROUP_1024_MODP/Group 2
*Jul 10 17:30:52.755: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve
configured trustpoint(s)
*Jul 10 17:30:52.759: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved
trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2'
'Trustpool1' 'Trustpool'
*Jul 10 17:30:52.759: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public
Key Hashes of trustpoints
*Jul 10 17:30:52.759: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of
Public Key Hashes of trustpoints PASSED

*Jul 10 17:30:52.759: IKEv2:(SA ID = 1):Sending Packet [To


110.1.23.3:500/From 110.1.12.1:500/VRF i0:f0]

Initiator SPI : 3EA1B271BCF3669C - Responder SPI :
9CCC04CAD93792F4 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP)
NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Jul 10 17:30:52.767: IKEv2:(SA ID = 1):Completed SA init


exchange
*Jul 10 17:30:52.767: IKEv2:(SA ID = 1):Starting timer (30 sec)
to wait for auth message

*Jul 10 17:30:52.891: IKEv2:(SA ID = 1):Received Packet [From


110.1.23.3:500/To 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI :
9CCC04CAD93792F4 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID
R1# IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT)
NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT)
NOTIFY(NON_FIRST_FRAGS)

*Jul 10 17:30:52.919: IKEv2:(SA ID = 1):Stopping timer to wait


for auth message
*Jul 10 17:30:52.923: IKEv2:(SA ID = 1):Checking NAT discovery
*Jul 10 17:30:52.923: IKEv2:(SA ID = 1):NAT not found
*Jul 10 17:30:52.927: IKEv2:(SA ID = 1):Searching policy based on
peer's identity '110.1.23.3' of type 'IPv4 address'
*Jul 10 17:30:52.927: IKEv2:found matching IKEv2 profile 'IKEv2-
Profile'
*Jul 10 17:30:52.927: ISAKMP:(0):: peer matches IKEv2-Profile
profile
*Jul 10 17:30:52.927: IKEv2:% Getting preshared key from profile
keyring KRING
*Jul 10 17:30:52.927: IKEv2:% Matched peer block 'R3'
*Jul 10 17:30:52.927: IKEv2:Searching Policy with fvrf 0, local
address 110.1.12.1
*Jul 10 17:30:52.931: IKEv2:Found Policy 'IKEV2-POLICY'
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Verify peer's policy
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Peer's policy verified
*Jul 10 1
R1#7:30:52.931: IKEv2:(SA ID = 1):Get peer's authentication
method

*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Peer's authentication
method is 'PSK'
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Get peer's preshared key
for 110.1.23.3
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Verify peer's
authentication data
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Use preshared key for id
110.1.23.3, key len 8
*Jul 10 17:30:52.931: IKEv2:[IKEv2 -> Crypto Engine] Generate
IKEv2 authentication data
*Jul 10 17:30:52.931: IKEv2:[Crypto Engine -> IKEv2] IKEv2
authentication data generation PASSED
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Verification of peer's
authenctication data PASSED
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Processing
INITIAL_CONTACT
*Jul 10 17:30:52.935: IKEv2:(SA ID = 1):Processing IKE_AUTH
message
*Jul 10 17:30:52.935: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 3 hmac 2 flags 8177 keysize 0 IDB 0x0
*Jul 10 17:30:52.943: IKEv2:(SA ID = 1):Get my authentication
method
*Jul
R1# 10 17:30:52.943: IKEv2:(SA ID = 1):My authentication method
is 'PSK'
*Jul 10 17:30:52.947: IKEv2:(SA ID = 1):Get peer's preshared key
for 110.1.23.3
*Jul 10 17:30:52.951: IKEv2:(SA ID = 1):Generate my
authentication data
*Jul 10 17:30:52.955: IKEv2:(SA ID = 1):Use preshared key for id
110.1.12.1, key len 8
*Jul 10 17:30:52.955: IKEv2:[IKEv2 -> Crypto Engine] Generate
IKEv2 authentication data
*Jul 10 17:30:52.959: IKEv2:[Crypto Engine -> IKEv2] IKEv2
authentication data generation PASSED
*Jul 10 17:30:52.959: IKEv2:(SA ID = 1):Get my authentication
method
*Jul 10 17:30:52.959: IKEv2:(SA ID = 1):My authentication method
is 'PSK'
*Jul 10 17:30:52.959: IKEv2:(SA ID = 1):Generating IKE_AUTH
message
*Jul 10 17:30:52.959: IKEv2:(SA ID = 1):Constructing IDr payload:
'110.1.12.1' of type 'IPv4 address'
*Jul 10 17:30:52.963: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI
size: 4 (IPSec negotiation),
Num. transforms: 3

3DES SHA96 Don't use ESN
*Jul 10 17:30:52.963: IKEv2:(SA ID =
R1#1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE)
NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Jul 10 17:30:52.967: IKEv2:(SA ID = 1):Sending Packet [To


110.1.23.3:500/From 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI :
9CCC04CAD93792F4 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Jul 10 17:30:52.971: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI


Session
*Jul 10 17:30:52.971: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of
PKI Session PASSED
*Jul 10 17:30:52.975: IKEv2:(SA ID = 1):IKEV2 SA created;
inserting SA into database. SA lifetime timer (86400 sec) started
*Jul 10 17:30:52.979: IKEv2:(SA ID = 1):Session with IKE ID PAIR
(110.1.23.3, 110.1.12.1) is UP
*Jul 10 17:30:52.983: IKEv2:IKEv2 MIB tunnel started, tunnel
index 1
*Jul 10 17:30:52.987: IKEv2:(SA ID = 1):Load IPSEC key material
*Jul 10 17:30:52.991: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create I
R1#Psec SA into IPsec database
*Jul 10 17:30:52.995: IKEv2:(SA ID = 1):Asynchronous request
queued

*Jul 10 17:30:52.995: IKEv2:(SA ID = 1):


*Jul 10 17:30:53.043: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation
of IPsec SA into IPsec database PASSED
*Jul 10 17:30:53.051: IKEv2:(SA ID = 1):Checking for duplicate
IKEv2 SA
*Jul 10 17:30:53.055: IKEv2:(SA ID = 1):No duplicate IKEv2 SA
found
*Jul 10 17:30:53.059: IKEv2:(SA ID = 1):Starting timer (8 sec) to
delete negotiation context
R1#
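The responder-side exchange in the debug output above, reconstructed programmatically as an added example (not part of the lab manual): it lists the IKE_SA_INIT and IKE_AUTH messages with their SPIs, confirms the four-message minimum described in the theory section actually completed, and flags the negotiated transforms that are deprecated (3DES, MD5, DH group 2). The sample log is constructed from the debug lines above, re-joined where the page wrapped them.

```python
# Added example (not from the lab manual): reconstruct the IKEv2 exchange
# from "debug crypto ikev2" output and flag incomplete or legacy negotiations.
import re

# Constructed sample: records from the debug output above, re-joined where
# the page wrapped them and trimmed to the lines the parser needs.
SAMPLE_DEBUG = """\
*Jul 10 17:30:52.615: IKEv2:Received Packet [From 110.1.23.3:500/To 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
*Jul 10 17:30:52.747: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   3DES   MD5   MD596   DH_GROUP_1024_MODP/Group 2
*Jul 10 17:30:52.759: IKEv2:(SA ID = 1):Sending Packet [To 110.1.23.3:500/From 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI : 9CCC04CAD93792F4 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
*Jul 10 17:30:52.891: IKEv2:(SA ID = 1):Received Packet [From 110.1.23.3:500/To 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI : 9CCC04CAD93792F4 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
*Jul 10 17:30:52.931: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Jul 10 17:30:52.963: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   3DES   SHA96   Don't use ESN
*Jul 10 17:30:52.967: IKEv2:(SA ID = 1):Sending Packet [To 110.1.23.3:500/From 110.1.12.1:500/VRF i0:f0]
Initiator SPI : 3EA1B271BCF3669C - Responder SPI : 9CCC04CAD93792F4 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
*Jul 10 17:30:52.979: IKEv2:(SA ID = 1):Session with IKE ID PAIR (110.1.23.3, 110.1.12.1) is UP
"""

PACKET_RE = re.compile(r"IKEv2:(?:\(SA ID = \d+\):)?(Received|Sending) Packet \["
                       r"(?:From|To) ([\d.]+):\d+/(?:To|From) ([\d.]+):\d+")
SPI_RE = re.compile(r"Initiator SPI : ([0-9A-Fa-f]+) - Responder SPI : ([0-9A-Fa-f]+)"
                    r" Message id: (\d+)")
EXCH_RE = re.compile(r"IKEv2 (\w+) Exchange (REQUEST|RESPONSE)")
PROPOSAL_RE = re.compile(r"(IKE|ESP) Proposal: \d+")
AUTH_RE = re.compile(r"Peer's authentication method is '(\w+)'")
# Transforms IOS still accepts but that are deprecated for new deployments.
LEGACY_PATTERNS = [r"^DES$", r"^3DES$", r"^MD5", r"/Group [125]$"]
# Minimum exchange: IKE_SA_INIT pair, then IKE_AUTH pair creating the first CHILD_SA.
REQUIRED_STEPS = [("IKE_SA_INIT", "REQUEST"), ("IKE_SA_INIT", "RESPONSE"),
                  ("IKE_AUTH", "REQUEST"), ("IKE_AUTH", "RESPONSE")]


def parse_ikev2_debug(text):
    """Return the packets seen, negotiated transforms, peer auth method and session state."""
    result = {"messages": [], "ike_transforms": [], "esp_transforms": [],
              "peer_auth": None, "session_up": False}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = PACKET_RE.search(line)
        if m:
            # Group 2 is always the remote peer, group 3 the local address.
            msg = {"direction": m.group(1), "remote": m.group(2), "local": m.group(3)}
            # The SPI line and the exchange line follow within the next three lines.
            for follow in lines[i + 1:i + 4]:
                s = SPI_RE.search(follow)
                if s:
                    msg["ispi"], msg["rspi"], msg["msg_id"] = s.group(1), s.group(2), int(s.group(3))
                e = EXCH_RE.search(follow)
                if e:
                    msg["exchange"], msg["kind"] = e.group(1), e.group(2)
            result["messages"].append(msg)
        p = PROPOSAL_RE.search(line)
        if p and i + 2 < len(lines):
            # The chosen transforms are printed two lines below the proposal header.
            toks = [t for t in re.split(r"\s{2,}", lines[i + 2].strip()) if t]
            result[p.group(1).lower() + "_transforms"] = toks
        a = AUTH_RE.search(line)
        if a:
            result["peer_auth"] = a.group(1)
        if "IKE ID PAIR" in line and line.rstrip().endswith("is UP"):
            result["session_up"] = True
    return result


def check_exchange(parsed):
    """Return findings; an empty list means a complete exchange with no legacy transforms."""
    findings = []
    seen = {(m.get("exchange"), m.get("kind")) for m in parsed["messages"]}
    for step in REQUIRED_STEPS:
        if step not in seen:
            findings.append("missing %s %s" % step)
    for m in parsed["messages"]:
        # Every message after the IKE_SA_INIT response must carry the responder's SPI.
        if m.get("exchange") == "IKE_AUTH" and set(m.get("rspi", "0")) == {"0"}:
            findings.append("IKE_AUTH message carries a zero responder SPI")
    if parsed["peer_auth"] is None:
        findings.append("peer authentication method not seen")
    if not parsed["session_up"]:
        findings.append("IKE session never reported UP")
    for where in ("ike_transforms", "esp_transforms"):
        for tok in parsed[where]:
            if any(re.search(pat, tok) for pat in LEGACY_PATTERNS):
                findings.append("legacy algorithm in %s: %s" % (where, tok))
    return findings
```

Running check_exchange(parse_ikev2_debug(SAMPLE_DEBUG)) on the sample yields only the five legacy-algorithm findings; a log cut off before IKE_AUTH additionally reports the missing exchanges and that the session never came up.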


On R1, ping 10.1.2.2 with source 10.1.1.1.

Sh crypto ikev2 sa

Sh crypto ipsec sa


LAB-2: IKEv2 Routing Based Site-To-Site VPN

Lab Topology: same as previous lab.


Basic Initialization:
!On R3
conf t
int s1/0
 ip add 182.1.35.3 255.255.255.0
 no shut
 exi
!
int loopback 1
 ip add 10.1.3.3 255.255.255.0
 exi
!
ip route 0.0.0.0 0.0.0.0 182.1.35.5
!
!On R4
conf t
int s1/0
 ip add 182.1.45.4 255.255.255.0
 no shut
 exi
!
int loopback 1
 ip add 10.1.4.4 255.255.255.0
 exi
!
ip route 0.0.0.0 0.0.0.0 182.1.45.5
!
!On R5
conf t
int s1/2
 clock rate 1000000
 ip add 182.1.35.5 255.255.255.0
 no shut
 exi
int s1/3
 clock rate 1000000
 ip add 182.1.45.5 255.255.255.0
 no shut
 exi


IKEv2 configuration on R3
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 2 5 14
 exit
!
crypto ikev2 policy POLICY1
 proposal PROP1
 exit
!
crypto ikev2 keyring KR1
 peer R4
  address 182.1.45.4 255.255.255.0
  pre-shared-key local R3cisco
  pre-shared-key remote R4cisco
  exit
 exit
!
crypto ikev2 profile R3R4
 match identity remote address 182.1.45.4 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
 exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
 exit
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set ikev2-profile R3R4
 exi
!
interface Tunnel1
 ip address 192.168.10.3 255.255.255.0
 tunnel source Serial1/0
 tunnel mode ipsec ipv4
 tunnel destination 182.1.45.4
 tunnel protection ipsec profile IPSEC_PROFILE
 exi
!
router eigrp 10
 no auto-summary
 ! the tunnel subnet is 192.168.10.0/24, matching R4's network statement
 network 192.168.10.0
 network 10.1.3.0
 exi
!

IKEv2 configuration on R4
crypto ikev2 proposal PROP1
 encryption 3des aes-cbc-128
 integrity md5 sha1
 group 2 5 14
 exit
!
crypto ikev2 policy POLICY1
 proposal PROP1
 exit
!
crypto ikev2 keyring KR1
 peer R3
  address 182.1.35.3 255.255.255.0
  pre-shared-key local R4cisco
  pre-shared-key remote R3cisco
  exit
 exit
!
crypto ikev2 profile R3R4
 match identity remote address 182.1.35.3 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
 exit
!
crypto ipsec transform-set TSET esp-3des esp-sha256-hmac
 exit
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set ikev2-profile R3R4
 exi
!
interface Tunnel1
 ip address 192.168.10.4 255.255.255.0
 tunnel source Serial1/0
 tunnel mode ipsec ipv4
 tunnel destination 182.1.35.3
 tunnel protection ipsec profile IPSEC_PROFILE
 exi
!
router eigrp 10
 no auto-summary
 network 192.168.10.0
 network 10.1.4.0
 exit

Verification:


LAB-3: IKEv2 Based VPN on Cisco ASA

ciscoasa> enable
Password: <Enter>
ciscoasa#
ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)

---------Output omitted-------------

Licensed features for this platform:

VPN-DES : Enabled perpetual


VPN-3DES-AES : Enabled perpetual

This platform has an ASA 5520 VPN Plus license.

ciscoasa(config)# ping 110.1.23.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 110.1.23.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/34/40 ms

ciscoasa(config)# crypto ikev2 enable outside

ciscoasa(config)# crypto ikev2 ?

configure mode commands/options:

cookie-challenge Enable and configure IKEv2 cookie challenges
based on half-open SAs

enable Enable IKEv2 on the specified interface

limit Enable limits on IKEv2 SAs

policy Set IKEv2 policy suite

redirect Set IKEv2 redirect

remote-access Configure IKEv2 for Remote Access

ciscoasa(config)# crypto ikev2 policy 3

ciscoasa(config-ikev2-policy)# ?

ikev2 policy configuration commands:

encryption Configure one or more encryption algorithm

exit Exit from ikev2 policy configuration mode

group Configure one or more DH groups

help Help for ikev2 policy configuration commands

integrity Configure one or more integrity algorithm

lifetime Configure the ikev2 lifetime

no Remove an ikev2 policy configuration item

prf Configure one or more hash algorithm

ciscoasa(config-ikev2-policy)# encryption ?

ikev2-policy mode commands/options:

3des 3des encryption

aes aes encryption

aes-192 aes-192 encryption

aes-256 aes-256 encryption

des des encryption

null null encryption

ciscoasa(config-ikev2-policy)# encryption 3des aes aes-192

ciscoasa(config-ikev2-policy)# integrity ?

ikev2-policy mode commands/options:

md5 set hash md5

sha set hash sha1

sha256 set hash sha256

sha384 set hash sha384

sha512 set hash sha512

ciscoasa(config-ikev2-policy)# integrity md5 sha sha256

ciscoasa(config-ikev2-policy)# group ?

ikev2-policy mode commands/options:

1 Diffie-Hellman group 1

2 Diffie-Hellman group 2

5 Diffie-Hellman group 5

ciscoasa(config-ikev2-policy)# group 2 5

ciscoasa(config-ikev2-policy)# exi

ciscoasa(config)# crypto ipsec ?

configure mode commands/options:

df-bit Set IPsec DF policy

fragmentation Set IPsec fragmentation policy

ikev1 Set IKEv1 settings

ikev2 Set IKEv2 settings

security-association Set security association parameters

ciscoasa(config)# crypto ipsec ikev2 ?

configure mode commands/options:

ipsec-proposal Configure IKEv2 IPSec Policy

ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal ?

configure mode commands/options:

WORD < 65 char Enter the name of the ipsec-proposal

ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal IKEV2PROPOSAL

ciscoasa(config-ipsec-proposal)# ?

ikev2 IPSec Policy configuration commands:

exit Exit from ipsec-proposal configuration mode

help Help for ikev2 IPSec policy configuration commands

no Remove an ikev2 IPSec policy configuration item

protocol Configure a protocol for the IPSec proposal

ciscoasa(config-ipsec-proposal)# protocol ?

ipsec-proposal mode commands/options:

esp IPsec Encapsulating Security Payload

ciscoasa(config-ipsec-proposal)# protocol esp ?

ipsec-proposal mode commands/options:

encryption Add one or more encryption algorithms for this protocol

integrity Add one or more integrity algorithms for this protocol

ciscoasa(config-ipsec-proposal)# protocol esp encryption ?

ipsec-proposal mode commands/options:

3des 3des encryption

aes aes encryption

aes-192 aes-192 encryption

aes-256 aes-256 encryption

des des encryption

null null encryption

ciscoasa(config-ipsec-proposal)# protocol esp encryption 3des aes-192

ciscoasa(config-ipsec-proposal)# protocol esp ?

ipsec-proposal mode commands/options:

encryption Add one or more encryption algorithms for this protocol

integrity Add one or more integrity algorithms for this protocol

ciscoasa(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:

md5 set hash md5

sha-1 set hash sha-1

ciscoasa(config-ipsec-proposal)# protocol esp integrity sha-1

ciscoasa(config-ipsec-proposal)# exit

ciscoasa(config)# access-list VPN permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

ciscoasa(config)# tunnel-group ?

configure mode commands/options:

WORD < 65 char Enter the name of the tunnel group

ciscoasa(config)# tunnel-group PEER-R3 ?

configure mode commands/options:

type Enter the type of this group-policy

ciscoasa(config)# tunnel-group PEER-R3 type ipsec-l2l

WARNING: L2L tunnel-groups that have names which are not an IP address may only be used if the tunnel authentication method is Digital Certificates and/or The peer is configured to use Aggressive Mode

ciscoasa(config)#

ciscoasa(config)# no tunnel-group PEER-R3

ciscoasa(config)# tunnel-group 110.1.23.3 type ipsec-l2l

ciscoasa(config)# tunnel-group 110.1.23.3 ?

configure mode commands/options:

general-attributes Enter the general-attributes sub command mode

ipsec-attributes Enter the ipsec-attributes sub command mode

ciscoasa(config)# tunnel-group 110.1.23.3 ipsec-attributes ?

configure mode commands/options:

<cr>

ciscoasa(config)# tunnel-group 110.1.23.3 ipsec-attributes

ciscoasa(config-tunnel-ipsec)# ?

tunnel-group configuration commands:

chain Enable sending certificate chain

exit Exit from tunnel-group IPSec attribute configuration mode

help Help for tunnel group configuration commands

ikev1 Configure IKEv1

ikev2 Configure IKEv2

isakmp Configure ISAKMP policy

no Remove an attribute value pair

peer-id-validate Validate identity of the peer using the peer's certificate

ciscoasa(config-tunnel-ipsec)# ikev2 ?

tunnel-group-ipsec mode commands/options:

local-authentication Configure the local authentication method for IKEv2 tunnels

remote-authentication Configure the remote authentication method required of the remote peer for IKEv2 tunnels

ciscoasa(config-tunnel-ipsec)# ikev2 local-authentication ?

tunnel-group-ipsec mode commands/options:

certificate Select the trustpoint that identifies the cert to be sent to the IKE peer

pre-shared-key Configure the local pre-shared-key used to authenticate to the remote peer

ciscoasa(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 0 cisco123

INFO: You must configure ikev2 remote-authentication pre-shared-key and/or certificate to complete authentication.

ciscoasa(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 0 cisco123

ciscoasa(config-tunnel-ipsec)# exit

ciscoasa(config)# crypto map CMAP 10 ?

configure mode commands/options:

annotation Specify annotation text - to be used by ASDM only

ipsec-isakmp IPSec w/ISAKMP

match Match address of packets to encrypt

set Specify crypto map settings

ciscoasa(config)# crypto map CMAP 10 match address ?

configure mode commands/options:

WORD Access-list name

ciscoasa(config)# crypto map CMAP 10 match address VPN

ciscoasa(config)# crypto map CMAP 10 set peer ?

configure mode commands/options:

Hostname or A.B.C.D IP address

Hostname or X:X:X:X::X IPv6 address

ciscoasa(config)# crypto map CMAP 10 set peer 110.1.23.3

ciscoasa(config)# crypto map CMAP 10 set ?

configure mode commands/options:

connection-type Specify connection-type for site-site connection based on this entry

ikev1 Configure IKEv1 policy

ikev2 Configure IKEv2 policy

nat-t-disable Disable nat-t negotiation for connections based on this entry

peer Set IP address of peer

pfs Specify pfs settings

reverse-route Enable reverse route injection for connections based on this entry

security-association Security association duration

trustpoint Specify trustpoint that defines the certificate to be used while initiating a connection based on this entry

ciscoasa(config)# crypto map CMAP 10 set ikev2 ?

configure mode commands/options:

ipsec-proposal Specify list of IPSec proposals in priority order

pre-shared-key Specify a pre-shared key to be used while initiating a connection based on this entry

ciscoasa(config)# crypto map CMAP 10 set ikev2 ipsec-proposal ?

configure mode commands/options:

WORD ipsec-proposal tag

ciscoasa(config)# crypto map CMAP 10 set ikev2 ipsec-proposal IKEV2PROPOSAL

ciscoasa(config)# crypto map CMAP interface outside


Module 6: Flex VPN

Site-To-Site

Spoke-To-Spoke

Server-To-Client


Flex VPN Site-To-Site

SERVER SITE

R1(config)#int loo10

R1(config-if)#ip add 192.168.10.1 255.255.255.0

R1(config-if)#exit

R1(config)#

R1(config)#

R1(config)#

*Jul 10 13:38:56.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to up

R1(config)#int virtual-template 1 type tunnel

R1(config-if)# ip unnumbered loopback10

R1(config-if)# tunnel source 110.1.12.1

R1(config-if)# tunnel mode ipsec ipv4

R1(config-if)#exit

*Jul 10 13:39:06.475: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Template1, changed state to down

R1(config-if)#exit

R1(config)#

R1(config)#crypto ikev2 proposal PROPOSAL1

IKEv2 proposal MUST have atleast an encryption algorithm, an integrity algorithm and a dh group configured

R1(config-ikev2-proposal)# integrity sha1

R1(config-ikev2-proposal)# encry 3des aes-cbc-128

R1(config-ikev2-proposal)# group 2 5

R1(config-ikev2-proposal)# exit

R1(config)#

R1(config)#!IKEv2 Policy

R1(config)#crypto ikev2 policy POLICY1

IKEv2 policy MUST have atleast one complete proposal attached

R1(config-ikev2-policy)#proposal PROPOSAL1

R1(config-ikev2-policy)#exit

R1(config)#

R1(config)#!IKEv2 Keyring

R1(config)#crypto ikev2 keyring KRING1

R1(config-ikev2-keyring)#peer R3

R1(config-ikev2-keyring-peer)# address 0.0.0.0

R1(config-ikev2-keyring-peer)# pre-shared-key cisco123

R1(config-ikev2-keyring-peer)#exit

R1(config-ikev2-keyring)#exit

R1(config)#

R1(config)#! IKEv2 Profile

R1(config)#crypto ikev2 profile IKEV2PROFILE

IKEv2 profile MUST have:

1. A local and a remote authentication method.

2. A match identity or a match certificate statement.

R1(config-ikev2-profile)# match identity remote address 0.0.0.0

R1(config-ikev2-profile)# authentication local pre-share

R1(config-ikev2-profile)# authentication remote pre-share

R1(config-ikev2-profile)# keyring local KRING1

R1(config-ikev2-profile)# virtual-template 1

R1(config-ikev2-profile)#exit

R1(config)#

R1(config)#

R1(config)#router eigrp 10

R1(config-router)#no auto-summary

R1(config-router)#network 192.168.10.0

R1(config-router)#network 10.1.1.0

R1(config-router)#end

R1#

R1#

*Jul 10 13:40:41.827: %SYS-5-CONFIG_I: Configured from console by console

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#

R1(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac

R1(cfg-crypto-trans)#exit

R1(config)#

R1(config)#crypto ipsec profile IPSEC

R1(ipsec-profile)# set transform-set TSET

R1(ipsec-profile)# set ikev2-profile IKEV2PROFILE

R1(ipsec-profile)#exit

R1(config)#

R1(config)#int virtual-template 1 type tunnel

R1(config-if)# tunnel protection ipsec profile IPSEC

R1(config-if)#exit

R1(config)#end

R1#

*Jul 10 13:41:02.287: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1#

*Jul 10 13:41:04.055: %SYS-5-CONFIG_I: Configured from console by console

R1#

*Jul 10 13:44:20.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up

R1#

*Jul 10 13:44:24.719: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.3 (Virtual-Access1) is up: new adjacency

CLIENT SITE

R3(config)#crypto ikev2 proposal PROPOSAL1

IKEv2 proposal MUST have atleast an encryption algorithm, an integrity algorithm and a dh group configured

R3(config-ikev2-proposal)# integrity sha1

R3(config-ikev2-proposal)# encry 3des aes-cbc-128

R3(config-ikev2-proposal)# group 2 5

R3(config-ikev2-proposal)# exit

R3(config)#

R3(config)#!IKEv2 Policy

R3(config)#crypto ikev2 policy POLICY1

IKEv2 policy MUST have atleast one complete proposal attached

R3(config-ikev2-policy)#proposal PROPOSAL1

R3(config-ikev2-policy)#exit

R3(config)#

R3(config)#!IKEv2 Keyring

R3(config)#crypto ikev2 keyring KRING1

R3(config-ikev2-keyring)#peer R1

R3(config-ikev2-keyring-peer)# address 110.1.12.1

R3(config-ikev2-keyring-peer)# pre-shared-key cisco123

R3(config-ikev2-keyring-peer)#exit

R3(config-ikev2-keyring)#exit

R3(config)#

R3(config)#! IKEv2 Profile

R3(config)#crypto ikev2 profile IKEV2PROFILE

IKEv2 profile MUST have:

1. A local and a remote authentication method.

2. A match identity or a match certificate statement.

R3(config-ikev2-profile)#match identity remote address 110.1.12.1 255.255.255.255

R3(config-ikev2-profile)# authentication local pre-share

R3(config-ikev2-profile)# authentication remote pre-share

R3(config-ikev2-profile)# keyring local KRING1

R3(config-ikev2-profile)#exit

R3(config)#!4. IPSec Configuration

R3(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac

R3(cfg-crypto-trans)#exit

R3(config)#

R3(config)#crypto ipsec profile IPSEC

R3(ipsec-profile)# set transform-set TSET

R3(ipsec-profile)# set ikev2-profile IKEV2PROFILE

R3(ipsec-profile)#exit

R3(config)#

R3(config)#int tunn 1

R3(config-if)# ip add 192.168.10.3 255.255.255.0

R3(config-if)# tunnel source s1/0

R3(config-if)# tunnel dest 110.1.12.1

R3(config-if)# tunnel mode ipsec ipv4

R3(config-if)# tunnel protection ipsec profile IPSEC

R3(config-if)# exit

R3(config)#

R3(config)#!6. Run routing protocol

R3(config)#router eigrp 10

R3(config-router)#no aut

R3(config-router)#netw 10.3.3.0

R3(config-router)#netw 192.168.10.0

R3(config-router)#exi


Flex VPN Spoke-To-Spoke

Pre-requisite: Load the initial configuration for all the devices in the topology from the pre-configuration files.

Lab Topology:

Task:

Implement FlexVPN spoke-to-spoke. Configure R1 as the hub; R3 and R4 are the spokes, and R2 acts as the ISP. The objective is spoke-to-spoke communication, i.e. from R3 (10.3.3.0/24) to R4 (10.4.4.0/24).

Use the following details to complete the task.

Server: R1 (110.1.12.1/24)
Spokes: R3 (110.1.23.3/24) and R4 (110.1.24.4/24)
Private Network: 10.1.1.0/24
Network For Tunnel interface: 192.168.10.0/24

Local/Remote Authentication method: Pre-shared-key
Pre-shared-key: cisco123
Virtual-template 1
Ikev2 Profile Name: IKEV2PROFILE
IPsec Profile Name: IPSEC
IP NHRP network-id: 100
Tunnel Interface: Tunnel1
Interior Routing Protocol: EIGRP-10

On Spokes:

Server: R1 (110.1.12.1/24)
Spokes: R3 (110.1.23.3/24) and R4 (110.1.24.4/24)
Private Network: R3 (10.3.3.0/24), R4 (10.4.4.0/24)
Network For Tunnel interface: 192.168.10.0/24
Local/Remote Authentication method: Pre-shared-key
Pre-shared-key: cisco123
Ikev2 Profile Name: IKEV2PROFILE
IPsec Profile Name: IPSEC
IP NHRP network-id: 100
Tunnel Interface: Tunnel1
Tunnel interface IP: negotiated
Tunnel source: S1/0
Tunnel destination: 110.1.12.1
Interior Routing Protocol: EIGRP-10

Solution: On AVI

R1(config)#
*Jul 11 11:48:10.959: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
R1(config)#
*Jul 11 11:48:11.427: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Jul 11 11:48:40.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R1(config)#
*Jul 11 11:48:46.371: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.11 (Virtual-Access1) is up: new adjacency
R1#
R1#
*Jul 11 11:49:35.063: %SYS-5-CONFIG_I: Configured from console by console

R1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
Serial1/0                  110.1.12.1      YES manual up                    up
Loopback1                  10.1.1.1        YES manual up                    up
Loopback11                 192.168.10.1    YES manual up                    up
Virtual-Access1            192.168.10.1    YES unset  up                    up
Virtual-Template1          192.168.10.1    YES unset  up                    down

Virtual-Access1 borrows the IP address of Loopback11 because the virtual-template 1 interface it is cloned from is configured with “ip unnumbered loopback 11”.

R1#
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.12.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.12.2
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Loopback1
L        10.1.1.1/32 is directly connected, Loopback1
D        10.3.3.0/24 [90/1433600] via 192.168.10.11, 00:00:52, Virtual-Access1
      110.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        110.1.12.0/24 is directly connected, Serial1/0
L        110.1.12.1/32 is directly connected, Serial1/0
      192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Loopback11
L        192.168.10.1/32 is directly connected, Loopback11
S        192.168.10.11/32 is directly connected, Virtual-Access1
R1#
*Jul 11 11:52:39.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R1#
*Jul 11 11:52:53.791: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.12 (Virtual-Access2) is up: new adjacency
R1#

R1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
Serial1/0                  110.1.12.1      YES manual up                    up
Loopback1                  10.1.1.1        YES manual up                    up
Loopback11                 192.168.10.1    YES manual up                    up
Virtual-Access1            192.168.10.1    YES unset  up                    up
Virtual-Access2            192.168.10.1    YES unset  up                    up
Virtual-Template1          192.168.10.1    YES unset  up                    down

R1#sh ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.12.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.12.2
      192.168.10.0/24 is variably subnetted, 4 subnets, 2 masks
S        192.168.10.11/32 is directly connected, Virtual-Access1
S        192.168.10.12/32 is directly connected, Virtual-Access2
R1#
R1#
R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.12.2 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.3.3.0/24 [90/1433600] via 192.168.10.11, 00:07:35, Virtual-Access1
D        10.4.4.0/24 [90/27008000] via 192.168.10.12, 00:03:27, Virtual-Access2
R1#
R1#
R1#

R1#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         110.1.12.1/500        110.1.24.4/500        none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/747 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.12.1/500        110.1.23.3/500        none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/984 sec

IPv6 Crypto IKEv2 SA

R1#
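The SA summary above shows that every spoke tunnel was negotiated with 3DES, HMAC-SHA1-96 and DH group 2, exactly what PROPOSAL1 offered. As an added example (not code from the lab manual), the Python script below parses this "show crypto ikev2 sa" output and reports the SAs still running legacy algorithms, so the same check can be run against a production hub after a proposal change. The sample text is constructed from the R1 output above, and the thresholds it applies (DES/3DES, MD5, DH groups 1, 2 and 5 as legacy; SHA1-96 as an advisory) are this example's own policy assumption, not something the lab mandates.

```python
"""Audit IKEv2 SAs reported by IOS 'show crypto ikev2 sa' for legacy algorithms.

Added example; not part of the lab manual. The regexes are written for the
output layout shown in the lab (Encr/Hash/DH Grp/Auth on one line); newer
IOS releases add 'keysize:' and 'PRF:' fields on that line, which the
per-field searches below tolerate.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the two spoke SAs seen on the hub (R1) above.
SAMPLE_IKEV2_SA = """\
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         110.1.12.1/500        110.1.24.4/500        none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/747 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.12.1/500        110.1.23.3/500        none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/984 sec

IPv6 Crypto IKEv2 SA
"""

# One SA row: tunnel-id, local, remote, fvrf/ivrf, status.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ENCR_RE = re.compile(r"Encr:\s*([^,]+)")
HASH_RE = re.compile(r"Hash:\s*([^,]+)")
DH_RE = re.compile(r"DH Grp:\s*(\d+)")
SIGN_RE = re.compile(r"Auth sign:\s*([^,]+)")
VERIFY_RE = re.compile(r"Auth verify:\s*(\S+)")
LIFE_RE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")

# Policy thresholds (assumption of this example): 64-bit block ciphers, MD5
# and DH groups below 2048-bit MODP are treated as legacy.
LEGACY_ENCR = {"DES", "3DES"}
LEGACY_HASH = {"MD596", "MD5"}
LEGACY_DH = {1, 2, 5}


@dataclass
class IkeSa:
    tunnel_id: int
    local: str
    remote: str
    status: str
    encr: str = ""
    hash_alg: str = ""
    dh_group: int = 0
    auth_sign: str = ""
    auth_verify: str = ""
    lifetime: int = 0
    active: int = 0

    def weaknesses(self) -> List[str]:
        """Findings for this SA; an empty list means it passes the policy."""
        issues = []
        if self.encr.upper() in LEGACY_ENCR:
            issues.append(f"encryption {self.encr} (64-bit block cipher)")
        if self.hash_alg.upper() in LEGACY_HASH:
            issues.append(f"integrity {self.hash_alg} (MD5)")
        elif self.hash_alg.upper() == "SHA96":
            issues.append("integrity SHA1-96 (prefer SHA-256 or stronger)")
        if self.dh_group in LEGACY_DH:
            issues.append(f"DH group {self.dh_group} (below 2048-bit MODP)")
        if self.status != "READY":
            issues.append(f"status {self.status}")
        return issues


def _field(rx, line: str, default: str = "") -> str:
    m = rx.search(line)
    return m.group(1).strip() if m else default


def parse_ikev2_sa(text: str) -> List[IkeSa]:
    """Turn 'show crypto ikev2 sa' output into IkeSa records."""
    sas: List[IkeSa] = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header rows start with 'Tunnel-id', so only SA rows match
            current = IkeSa(int(m.group(1)), m.group(2), m.group(3), m.group(5))
            sas.append(current)
        elif current and "Encr:" in line:
            current.encr = _field(ENCR_RE, line)
            current.hash_alg = _field(HASH_RE, line)
            current.dh_group = int(_field(DH_RE, line, "0"))
            current.auth_sign = _field(SIGN_RE, line)
            current.auth_verify = _field(VERIFY_RE, line)
        elif current and (m := LIFE_RE.search(line)):
            current.lifetime, current.active = int(m.group(1)), int(m.group(2))
    return sas


def audit(text: str) -> Dict[str, List[str]]:
    """Map each remote peer (address/port) to its list of findings."""
    return {sa.remote: sa.weaknesses() for sa in parse_ikev2_sa(text)}


if __name__ == "__main__":
    for peer, findings in audit(SAMPLE_IKEV2_SA).items():
        print(peer, "OK" if not findings else "; ".join(findings))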

On Client R4

R4(config)#
*Jul 11 11:53:23.879: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.10.1 (Tunnel1) is up: new adjacency

R4#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.24.4/500        110.1.12.1/500        none/none            READY
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/25 sec
IPv6 Crypto IKEv2 SA

R4#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 110.1.24.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (110.1.24.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (110.1.12.1/255.255.255.255/47/0)
   current_peer 110.1.12.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

R4#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.24.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.24.2
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.1.1.0/24 [90/27008000] via 192.168.10.1, 00:00:22
D        10.3.3.0/24 [90/28288000] via 192.168.10.1, 00:00:22
C        10.4.4.0/24 is directly connected, Loopback1
L        10.4.4.4/32 is directly connected, Loopback1
      110.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        110.1.24.0/24 is directly connected, Serial1/0
L        110.1.24.4/32 is directly connected, Serial1/0
      192.168.10.0/24 is variably subnetted, 4 subnets, 2 masks
D        192.168.10.0/24 [90/27008000] via 192.168.10.1, 00:00:22
S        192.168.10.1/32 is directly connected, Tunnel1
D        192.168.10.11/32 [90/28160000] via 192.168.10.1, 00:00:22
C        192.168.10.12/32 is directly connected, Tunnel1

R4#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.24.2 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D        10.1.1.0/24 [90/27008000] via 192.168.10.1, 00:00:27
D        10.3.3.0/24 [90/28288000] via 192.168.10.1, 00:00:27
      192.168.10.0/24 is variably subnetted, 4 subnets, 2 masks

D        192.168.10.0/24 [90/27008000] via 192.168.10.1, 00:00:27
D        192.168.10.11/32 [90/28160000] via 192.168.10.1, 00:00:27

R4#sh ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.24.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.24.2
      192.168.10.0/24 is variably subnetted, 4 subnets, 2 masks
S        192.168.10.1/32 is directly connected, Tunnel1

R4#ping 10.3.3.3 source 10.4.4.4


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/225/256 ms

R4#
R4#traceroute 10.3.3.3 source 10.4.4.4
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.10.1 1 40 msec 208 msec 216 msec
2 192.168.10.11 256 msec * 196 msec


Flex VPN-Server-Client

Pre-requisite: Load the initial configuration for all the devices in the topology from the pre-configuration files.

Lab Topology:

Task

Configure R1 as the Server and R3 as the client. Make sure you are able to
ping from 10.3.3.0/24 network behind R3 to 10.1.1.0/24 network behind R1.

Use pre-configuration to initialize the devices.

Solution: On AVI


Verification:

On Client (R3)

R3(config)#
*Jul 12 09:31:56.735: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)#
*Jul 12 09:31:56.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
R3(config)#crypto ikev2 client flexvpn FLEXVPN
R3(config-ikev2-flexvpn)#peer 1 110.1.12.10
R3(config-ikev2-flexvpn)#connect auto
R3(config-ikev2-flexvpn)#client connect tunnel1
R3(config-ikev2-flexvpn)#end
R3#
R3#
*Jul 11 13:16:27.771: %SYS-5-CONFIG_I: Configured from console by console
R3#
*Jul 11 13:16:28.235: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEXVPN) Client_public_addr = 110.1.23.3 Server_public_addr = 110.1.12.10
R3#
*Jul 11 13:16:39.767: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R3#
*Jul 11 13:16:39.843: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEXVPN) Client_public_addr = 110.1.23.3 Server_public_addr = 110.1.12.10 Assigned_Tunnel_v4_addr = 192.168.10.6
R3#
R3#
R3#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
Serial1/0                  110.1.23.3      YES manual up                    up
Loopback1                  10.3.3.3        YES manual up                    up
Tunnel1                    192.168.10.6    YES manual up                    up
R3#
R3#
R3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.23.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.23.2
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S        10.1.1.0/24 is directly connected, Tunnel1
C        10.3.3.0/24 is directly connected, Loopback1
L        10.3.3.3/32 is directly connected, Loopback1
      110.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        110.1.23.0/24 is directly connected, Serial1/0
L        110.1.23.3/32 is directly connected, Serial1/0
      192.168.10.0/32 is subnetted, 2 subnets
S        192.168.10.1 is directly connected, Tunnel1
C        192.168.10.6 is directly connected, Tunnel1
R3#
R3#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.23.3/500        110.1.12.10/500       none/none            READY
      Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/264 sec

IPv6 Crypto IKEv2 SA

R3#
R3#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.10.6/32
  MTU 17886 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 110.1.23.3, destination 110.1.12.10
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1446 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC")

---------------- output omitted ----------------------
R3#ping 10.1.1.1 source 10.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/126/144 ms

On SERVER (R1)

R1(config)#
*Jul 11 13:14:13.747: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#
*Jul 11 13:16:27.947: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
*Jul 11 13:16:28.467: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
R1(config)#
*Jul 11 13:16:38.783: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Jul 11 13:16:39.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Once the client connects to the server, interface Virtual-Access1 is cloned from the virtual-template and comes up dynamically.
R1(config)#
R1(config)#end
R1#
R1#
R1#show ip
*Jul 11 13:21:24.627: %SYS-5-CONFIG_I: Configured from console by console
R1#
R1#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
Serial1/0                  110.1.12.10     YES manual up                    up
Loopback1                  10.1.1.1        YES manual up                    up
Loopback11                 192.168.10.1    YES manual up                    up
Virtual-Access1            192.168.10.1    YES unset  up                    up
Virtual-Template1          192.168.10.1    YES unset  up                    down

Virtual-Access1 borrows the IP address of Loopback11 because the virtual-template 1 interface it is cloned from is configured with “ip unnumbered loopback 11”.
R1#
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 110.1.12.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.12.2
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Loopback1
L        10.1.1.1/32 is directly connected, Loopback1
S        10.3.3.0/24 is directly connected, Virtual-Access1
      110.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        110.1.12.0/24 is directly connected, Serial1/0
L        110.1.12.10/32 is directly connected, Serial1/0
      192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Loopback11
L        192.168.10.1/32 is directly connected, Loopback11
S        192.168.10.6/32 is directly connected, Virtual-Access1
The static route 192.168.10.6/32 via Virtual-Access1 is for the tunnel IP address assigned to the client (R3). It is added to the routing table by the command “route set interface” under crypto ikev2 authorization policy default.
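A quick way to confirm the behaviour described above is to check that the /32 the server installed over the Virtual-Access interface matches the Assigned_Tunnel_v4_addr the client logged in its %FLEXVPN-6-FLEXVPN_CONNECTION_UP message. The Python script below does that cross-check; it is an added example, not code from the lab manual, and the routing table and syslog line it parses are constructed from the R1 and R3 output shown above. It only inspects static (code S) routes whose outgoing interface is a Virtual-Access, which is where the routes installed by the IKEv2 authorization policy land on the server.

```python
"""Cross-check the per-client /32 a FlexVPN server installs with
'route set interface' against the address the client reported.

Added example; not part of the lab manual.
"""
import re
from typing import Dict, List, Optional

# Constructed from the R1 'show ip route' output above.
HUB_ROUTES = """\
Gateway of last resort is 110.1.12.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 110.1.12.2
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Loopback1
L        10.1.1.1/32 is directly connected, Loopback1
S        10.3.3.0/24 is directly connected, Virtual-Access1
      110.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        110.1.12.0/24 is directly connected, Serial1/0
L        110.1.12.10/32 is directly connected, Serial1/0
      192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Loopback11
L        192.168.10.1/32 is directly connected, Loopback11
S        192.168.10.6/32 is directly connected, Virtual-Access1
"""

# Constructed from the R3 syslog line above.
CLIENT_LOG = (
    "*Jul 11 13:16:39.843: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEXVPN) "
    "Client_public_addr = 110.1.23.3 Server_public_addr = 110.1.12.10 "
    "Assigned_Tunnel_v4_addr = 192.168.10.6"
)

# One 'directly connected' routing-table line: code, prefix (the mask is
# absent inside '/32 is subnetted' blocks) and the outgoing interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]{1,2})\s+(?P<prefix>\d+(?:\.\d+){3}(?:/\d+)?)"
    r"\s+is directly connected,\s+(?P<iface>\S+)\s*$"
)
ASSIGNED_RE = re.compile(r"Assigned_Tunnel_v4_addr\s*=\s*(\d+(?:\.\d+){3})")


def flexvpn_static_routes(route_table: str) -> Dict[str, List[str]]:
    """Static (code S) prefixes pointing at each Virtual-Access interface,
    i.e. the routes the server installed for that client session."""
    found: Dict[str, List[str]] = {}
    for line in route_table.splitlines():
        m = ROUTE_RE.match(line)
        if m and m["code"] == "S" and m["iface"].startswith("Virtual-Access"):
            found.setdefault(m["iface"], []).append(m["prefix"])
    return found


def assigned_tunnel_addr(syslog: str) -> Optional[str]:
    """Tunnel address the client reported in FLEXVPN_CONNECTION_UP, if any."""
    m = ASSIGNED_RE.search(syslog)
    return m.group(1) if m else None


def client_route_installed(route_table: str, syslog: str) -> Optional[str]:
    """Return the Virtual-Access interface that carries the client's /32,
    or None when the client address is unknown or has no host route."""
    addr = assigned_tunnel_addr(syslog)
    if addr is None:
        return None
    for iface, prefixes in flexvpn_static_routes(route_table).items():
        if f"{addr}/32" in prefixes:
            return iface
    return None


if __name__ == "__main__":
    print(flexvpn_static_routes(HUB_ROUTES))
    print(client_route_installed(HUB_ROUTES, CLIENT_LOG))
```

On the sample data the /32 for 192.168.10.6 is found on Virtual-Access1, alongside the 10.3.3.0/24 static route the server installed over the same interface; if the client's log and the server's table disagree, the authorization policy or the address pool is the first place to look.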

R1#
R1#
R1#show interfaces virtual-access 1
Virtual-Access1 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback11 (192.168.10.1)
  MTU 17886 bytes, BW 100000 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x4, loopback not set
  Keepalive not set

  Tunnel source 110.1.12.10, destination 110.1.23.3
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1446 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC")
--------------- OUTPUT OMITTED---------------------------

R1#
R1#
R1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         110.1.12.10/500       110.1.23.3/500        none/none            READY
      Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/336 sec

IPv6 Crypto IKEv2 SA
