CCNA Security

Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

(Instructor Version)
Instructor Note: Red font color or Gray highlights indicate text that appears in the instructor copy only.

Topology

Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet Interfaces.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

IP Addressing Table

Device Interface IP Address Subnet Mask Default Gateway Switch Port

Fa0/1 192.168.1.1 255.255.255.0 N/A S1 Fa0/5

R1
S0/0/0 (DCE) 10.1.1.1 255.255.255.252 N/A N/A
S0/0/0 10.1.1.2 255.255.255.252 N/A N/A
R2
S0/0/1 (DCE) 10.2.2.2 255.255.255.252 N/A N/A
Fa0/1 192.168.3.1 255.255.255.0 N/A S3 Fa0/5
R3
S0/0/1 10.2.2.1 255.255.255.252 N/A N/A
PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1 S1 Fa0/6
PC-C NIC 192.168.3.3 255.255.255.0 192.168.3.1 S3 Fa0/18

Objectives
Part 1: Configure Basic Device Settings
 Configure hostnames, interface IP addresses, and access passwords.
 Configure the OSPF dynamic routing protocol.
Part 2: Configure a Site-to-Site VPN Using Cisco IOS
 Configure IPsec VPN settings on R1 and R3.
 Verify site-to-site IPsec VPN configuration.
 Test IPsec VPN operation.
Part 3: Configure a Site-to-Site VPN Using CCP
 Configure IPsec VPN settings on R1.
 Create a mirror configuration for R3.
 Apply the mirror configuration to R3.
 Verify the configuration.
 Test the VPN configuration using CCP.

Background / Scenario
VPNs can provide a secure method of transmitting data over a public network, such as the Internet. VPN
connections can help reduce the costs associated with leased lines. Site-to-Site VPNs typically provide a
secure (IPsec or other) tunnel between a branch office and a central office. Another common implementation
that uses VPN technology is remote access to a corporate office from a telecommuter location, such as a
small office or home office.
In this lab, you will build and configure a multi-router network, and then use Cisco IOS and CCP to configure a
site-to-site IPsec VPN and then test it. The IPsec VPN tunnel is from router R1 to router R3 via R2. R2 acts
as a pass-through and has no knowledge of the VPN. IPsec provides secure transmission of sensitive
information over unprotected networks, such as the Internet. IPsec acts at the network layer, protecting and
authenticating IP packets between participating IPsec devices (peers), such as Cisco routers.
The router commands and output in this lab are from a Cisco 1841 router using Cisco IOS software, release
15.1(4)M8 (Advanced IP Services image). Other routers and Cisco IOS versions can be used. See the Router

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Interface Summary Table at the end of the lab to determine which interface identifiers to use based on the
equipment in the lab. Depending on the model of the router, the commands available and output produced
may vary from what is shown in this lab.
Note: Make sure that the routers and the switches have been erased and have no startup configurations.
Instructor Note: Instructions for erasing switches and routers are provided in Lab 0.0.0.0.

Required Resources
 3 Routers (Cisco 1841 with Cisco IOS Release 15.1(4)M8 Advanced IP Services image or comparable)
 2 Switches (Cisco 2960 or comparable)
 2 PCs (Windows Vista or Windows 7 with CCP 2.5, latest Java version, Internet Explorer, and Flash
Player)
 Serial and Ethernet cables as shown in the topology
 Console cables to configure Cisco networking devices
CCP Notes:
 Refer to Lab 0.0.0.0 for instructions on how to install and run CCP.
 If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-
click the CCP icon or menu item, and select Run as administrator.
 To run CCP, it may be necessary to temporarily disable antivirus programs and O/S firewalls. Make sure
that all pop-up blockers are turned off in the browser.
Instructor Notes:
This lab is divided into three parts. Each part can be administered individually or in combination with others as
time permits. The main goal of this lab is to configure a site-to-site VPN between two routers, first using the Cisco
IOS CLI and then using CCP. R1 and R3 are on separate networks and communicate through R2, which
simulates an ISP. The routers in this lab are configured with OSPF, although it is not typical for stub networks to
communicate with an ISP using an interior routing protocol. You can also use static routes for basic (non-VPN)
communication between R1 and R2 and between R1 and R3, if desired.
Students can work in teams of two for router configuration, one person configuring R1 and the other R3.
Although switches are shown in the topology, students can omit the switches and use crossover cables between
the PCs and routers R1 and R3.
The running configurations for all three routers are captured after Part 1 of the lab is completed. The running
configurations for R1 and R3 from Part 2 and Part 3 are captured and listed separately. All configurations are
found at the end of the lab.

Part 1: Configure Basic Device Settings

In Part 1, you will set up the network topology and configure basic settings, such as the interface IP
addresses, dynamic routing, device access, and passwords.
Note: All tasks should be performed on R1, R2, and R3. The procedure for R1 is shown here as an example.

Step 1: Cable the network as shown in the topology.

Attach the devices as shown in the topology diagram, and cable as necessary.

Step 2: Configure basic settings for each router.

a. Configure hostnames, as shown in the topology.
b. Configure the interface IP addresses, as shown in the IP Addressing Table.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

c. Configure a clock rate of 64000 for the serial router interfaces with a DCE serial cable attached.
R1(config)# interface S0/0/0
R1(config-if)# clock rate 64000

Step 3: Disable DNS lookup.

To prevent the router from attempting to translate incorrectly entered commands, disable DNS lookup.
R1(config)# no ip domain-lookup

Step 4: Configure the OSPF routing protocol on R1, R2, and R3.
a. On R1, use the following commands:
R1(config)# router ospf 101
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# network 10.1.1.0 0.0.0.3 area 0
b. On R2, use the following commands:
R2(config)# router ospf 101
R2(config-router)# network 10.1.1.0 0.0.0.3 area 0
R2(config-router)# network 10.2.2.0 0.0.0.3 area 0
c. On R3, use the following commands:
R3(config)# router ospf 101
R3(config-router)# network 192.168.3.0 0.0.0.255 area 0
R3(config-router)# network 10.2.2.0 0.0.0.3 area 0

Step 5: Configure PC host IP settings.

a. Configure a static IP address, subnet mask, and default gateway for PC-A, as shown in the IP Addressing
Table.
b. Configure a static IP address, subnet mask, and default gateway for PC-C, as shown in the IP Addressing
Table.

Step 6: Verify basic network connectivity.

a. Ping from R1 to the R3 Fa0/1 interface at IP address 192.168.3.1.
If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.
b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.
If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.
Note: If you can ping from PC-A to PC-C, you have demonstrated that the OSPF routing protocol is
configured and functioning correctly. If you cannot ping, but the device interfaces are up and IP
addresses are correct, use the show run and show ip route commands to help identify routing protocol-
related problems.

Step 7: Configure a minimum password length.

Note: Passwords in this lab are set to a minimum of 10 characters, but are relatively simple for the benefit of
performing the lab. More complex passwords are recommended in a production network.
Use the security passwords command to set a minimum password length of 10 characters.
R1(config)# security passwords min-length 10

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Step 8: Configure the basic console and vty lines.

a. Configure ciscoconpass as the console password and enable login for R1. For additional security, the
exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging
synchronous command prevents console messages from interrupting command entry.
R1(config)# line console 0
R1(config-line)# password ciscoconpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous
b. Configure ciscovtypass as the vty line password and enable login on R1. For additional security, the
exec-timeout command causes the line to log out after 5 minutes of inactivity.
R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
c. Repeat these configurations on both R2 and R3.

Step 9: Encrypt clear text passwords.

a. Use the service password-encryption command to encrypt the console, aux, and vty passwords.
R1(config)# service password-encryption
b. Issue the show run command. Can you read the console, aux, and vty passwords? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
No. The passwords are now encrypted.
c. Repeat this configuration on both R2 and R3.

Step 10: Save the basic running configuration for all three routers.
Save the running configuration to the startup configuration from the privileged EXEC mode prompt on R1, R2,
and R3.
R1# copy running-config startup-config

Step 11: Save the configuration on R1 and R3 for later restoration.

Save the R1 and R3 running configurations as text files so the configurations can be used later, in Part 3 of
this lab, to restore the routers to configure the VPN with CCP.

Part 2: Configure a Site-to-Site VPN with Cisco IOS

In Part 2 of this lab, you will configure an IPsec VPN tunnel between R1 and R3 that passes through R2. You
will configure R1 and R3 using the Cisco IOS CLI. You then review and test the resulting configuration.

Task 1: Configure IPsec VPN Settings on R1 and R3.

Step 1: Verify connectivity from the R1 LAN to the R3 LAN.

In this task, you will verify that with no tunnel in place, the PC-A on the R1 LAN can ping the PC-C on R3
LAN.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

From PC-A, ping the PC-C IP address of 192.168.3.3.

PC-A:\> ping 192.168.3.3
If the pings are unsuccessful, troubleshoot the basic device configurations before continuing.

Step 2: Enable IKE policies on R1 and R3.

IPsec is an open framework that allows the exchange of security protocols as new technologies, such as
encryption algorithms, are developed.
There are two central configuration elements to the implementation of an IPsec VPN:
 Implement Internet Key Exchange (IKE) parameters
 Implement IPsec parameters
a. Verify that IKE is supported and enabled.
IKE Phase 1 defines the key exchange method used to pass and validate IKE policies between peers. In
IKE Phase 2, the peers exchange and match IPsec policies for the authentication and encryption of data
traffic.
IKE must be enabled for IPsec to function. IKE is enabled, by default, on IOS images with cryptographic
feature sets. If it is disabled, you can enable it with the crypto isakmp enable command. Use this
command to verify that the router IOS supports IKE and that it is enabled.
R1(config)# crypto isakmp enable

R3(config)# crypto isakmp enable

Note: If you cannot execute this command on the router, you must upgrade the IOS image that includes
the Cisco cryptographic services.
b. Establish an Internet Security Association and Key Management Protocol (ISAKMP) policy and view the
available options.
To allow IKE Phase 1 negotiation, you must create an ISAKMP policy and configure a peer association
involving that ISAKMP policy. An ISAKMP policy defines the authentication and encryption algorithms and
hash function used to send control traffic between the two VPN endpoints. When an ISAKMP security
association has been accepted by the IKE peers, IKE Phase 1 has been completed. IKE Phase 2
parameters will be configured later.
Issue the crypto isakmp policy number global configuration mode command on R1 for policy 10.
R1(config)# crypto isakmp policy 10
c. View the various IKE parameters available using Cisco IOS help by typing a question mark (?).
R1(config-isakmp)# ?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 6 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Step 3: Configure ISAKMP policy parameters on R1 and R3.

Your choice of an encryption algorithm determines how confidential the control channel between the
endpoints is. The hash algorithm controls data integrity, ensuring that the data received from a peer has not
been tampered with in transit. The authentication type ensures that the packet was, indeed, sent and signed
by the remote peer. The Diffie-Hellman group is used to create a secret key shared by the peers that has not
been sent across the network.
a. Configure an ISAKMP policy with a priority of 10. Use pre-shared key as the authentication type,.aes
256 for the encryption algorithm, sha as the hash algorithm, and Diffie-Hellman group 5 key exchange.
Give the policy a lifetime of 3600 seconds (one hour).
Note: Older versions of Cisco IOS do not support AES 256 encryption and SHA as a hash algorithm.
Substitute whatever encryption and hashing algorithm your router supports. Ensure that the same
changes are made on the other VPN endpoint to be in sync.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600
R1(config-isakmp)# end
b. Configure the same policy on R3.
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 3600
R3(config-isakmp)# end
c. Verify the IKE policy with the show crypto isakmp policy command.
R1# show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit

Step 4: Configure pre-shared keys.

Because pre-shared keys are used as the authentication method in the IKE policy, a key must be configured
on each router that points to the other VPN endpoint. These keys must match for authentication to be
successful. The global configuration mode crypto isakmp key key-string address address command is
used to enter a pre-shared key. Use the IP address of the remote peer, the remote interface that the peer
would use to route traffic to the local router.
Which IP addresses should you use to configure the IKE peers, given the topology diagram and IP
addressing table?
____________________________________________________________________________________

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 7 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

____________________________________________________________________________________
____________________________________________________________________________________
The IP addresses should be R1 S0/0/0 IP address 10.1.1.1 and R3 S0/0/1 IP address 10.2.2.1. These are the
addresses that are used to send normal traffic between R1 and R3.
a. Each IP address that is used to configure the IKE peers is also referred to as the IP address of the
remote VPN endpoint. Configure the pre-shared key of cisco123 on router R1. Production networks
should use a complex key. This command points to the remote peer R3 S0/0/1 IP address.
R1(config)# crypto isakmp key cisco123 address 10.2.2.1
b. Configure the pre-shared key of cisco123 on router R3. The command for R3 points to the R1 S0/0/0 IP
address.
R3(config)# crypto isakmp key cisco123 address 10.1.1.1

Step 5: Configure the IPsec transform set and life times.

a. The IPsec transform set is another crypto configuration parameter that routers negotiate to form a security
association. To create an IPsec transform set, use the crypto ipsec transform-set tag command. Use ?
to see which parameters are available.
R1(config)# crypto ipsec transform-set 50 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
b. On R1 and R3, create a transform set with tag 50 and use an Encapsulating Security Protocol (ESP)
transform with an AES 256 cipher with ESP and the SHA hash function. The transform sets must match.
R1(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)# exit

R3(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac

R3(cfg-crypto-trans)# exit
What is the function of the IPsec transform set?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The IPsec transform set specifies the cryptographic algorithms and functions (transforms) that a router
employs on the actual data packets sent through the IPsec tunnel. These algorithms include the
encryption, encapsulation, authentication, and data integrity services that IPsec can apply.
c. You can also change the IPsec security association life times from the default of 3600 seconds. On R1
and R3, set the IPsec security association life time to 30 minutes, or 1800 seconds.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 8 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

R1(config)# crypto ipsec security-association lifetime seconds 1800

R3(config)# crypto ipsec security-association lifetime seconds 1800

Step 6: Define interesting traffic.

To make use of the IPsec encryption with the VPN, it is necessary to define extended access lists to tell the
router which traffic to encrypt. A packet that is permitted by an access list used for defining IPsec traffic is
encrypted if the IPsec session is configured correctly. A packet that is denied by one of these access lists is
not dropped, but sent unencrypted. Also, like any other access list, there is an implicit deny at the end, which,
in this case, means the default action is to not encrypt traffic. If there is no IPsec security association correctly
configured, no traffic is encrypted, and traffic is forwarded as unencrypted.
In this scenario, the traffic you want to encrypt is traffic going from R1’s Ethernet LAN to R3’s Ethernet LAN,
or vice versa. These access lists are used outbound on the VPN endpoint interfaces and must mirror each
other.
a. Configure the IPsec VPN interesting traffic ACL on R1.
R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0
0.0.0.255
b. Configure the IPsec VPN interesting traffic ACL on R3.
R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0
0.0.0.255
Does IPsec evaluate whether the access lists are mirrored as a requirement to negotiate its security
association?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Yes. IPsec does evaluate whether access lists are mirrored. IPsec does not form a security association if
the peers do not have mirrored access lists to select interesting traffic.

Step 7: Create and apply a crypto map.

A crypto map associates traffic that matches an access list to a peer and various IKE and IPsec settings. After
the crypto map is created, it can be applied to one or more interfaces. The interfaces that it is applied to
should be the ones facing the IPsec peer.
To create a crypto map, use crypto map name sequence-num type command in global configuration mode
to enter crypto map configuration mode for that sequence number. Multiple crypto map statements can
belong to the same crypto map and are evaluated in ascending numerical order. Enter crypto map
configuration mode on R1. Use a type of ipsec-isakmp, which means IKE is used to establish IPsec security
associations.
a. Create the crypto map on R1, name it CMAP, and use 10 as the sequence number. A message displays
after the command is issued.
R1(config)# crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
b. Use the match address access-list command to specify which access list defines which traffic to
encrypt.
R1(config-crypto-map)# match address 101

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 9 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

c. To view the list of possible set commands that you can do in a crypto map, use the help function.
R1(config-crypto-map)# set ?
identity Identity restriction.
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
d. Setting a peer IP or hostname is required. Set it to R3’s remote VPN endpoint interface using the
following command.
R1(config-crypto-map)# set peer 10.2.2.1
e. Hard code the transform set to be used with this peer, using the set transform-set tag command. Set the
perfect forwarding secrecy type using the set pfs type command, and also modify the default IPsec
security association life time with the set security-association lifetime seconds seconds command.
R1(config-crypto-map)# set pfs group5
R1(config-crypto-map)# set transform-set 50
R1(config-crypto-map)# set security-association lifetime seconds 900
R1(config-crypto-map)# exit
f. Create a mirrored matching crypto map on R3.
R3(config)# crypto map CMAP 10 ipsec-isakmp
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# set peer 10.1.1.1
R3(config-crypto-map)# set pfs group5
R3(config-crypto-map)# set transform-set 50
R3(config-crypto-map)# set security-association lifetime seconds 900
R3(config-crypto-map)# exit
g. The last step is applying the crypto map to interfaces.
Note: The security associations (SAs) are not established until the crypto map has been activated by
interesting traffic. The router generates a notification that crypto is now on.
Apply the crypto maps to the appropriate interfaces on R1 and R3.
R1(config)# interface S0/0/0
R1(config-if)# crypto map CMAP
*Jan 28 04:09:09.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)# end

R3(config)# interface S0/0/1

R3(config-if)# crypto map CMAP
*Jan 28 04:10:54.138: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)# end

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 10 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Task 2: Verify the Site-to-Site IPsec VPN Configuration.

Step 1: Verify the IPsec configuration on R1 and R3.

a. Previously, you used the show crypto isakmp policy command to display the configured ISAKMP
policies on the router. Similarly, the show crypto ipsec transform-set command displays the configured
IPsec policies in the form of the transform sets.
R1# show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }

will negotiate = { Transport, },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }

will negotiate = { Transport, },

R3# show crypto ipsec transform-set

Transform set 50: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }

will negotiate = { Transport, },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }

will negotiate = { Transport, },
b. Use the show crypto map command to display the crypto maps that will be applied to the router.
R1# show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
Peer = 10.2.2.1
Extended IP access list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Current peer: 10.2.2.1
Security association lifetime: 4608000 kilobytes/900 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
50: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CMAP:
Serial0/0/0

R3# show crypto map

Crypto Map "CMAP" 10 ipsec-isakmp
Peer = 10.1.1.1
Extended IP access list 101
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 11 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Current peer: 10.1.1.1

Security association lifetime: 4608000 kilobytes/900 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
50: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CMAP:
Serial0/0/1
Note: The output of these show commands does not change if interesting traffic goes across the
connection. You test various types of traffic in the next task.

Task 3: Verify the IPsec VPN Operation.

Step 1: Display isakmp security associations.

The show crypto isakmp sa command reveals that no IKE SAs exist yet. When interesting traffic is sent, this
command output changes.
R1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

Step 2: Display IPsec security associations.

The show crypto ipsec sa command shows the unused SA between R1 and R3.
Note: The number of packets sent across and the lack of any security associations listed toward the bottom of
the output. The output for R1 is shown here.
R1# show crypto ipsec sa

interface: Serial0/0/0
Crypto map tag: CMAP, local addr 10.1.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1

path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 12 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Why have no SAs been negotiated?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Because no interesting traffic has been identified, IPsec has not begun to negotiate a security association
over which it will encrypt traffic.

Step 3: Generate some uninteresting test traffic and observe the results.
a. Ping from R1 to the R3 S0/0/1 interface IP address 10.2.2.1. These pings should be successful.
b. Issue the show crypto isakmp sa command.
c. Ping from R1 to the R3 Fa01 interface IP address 192.168.3.1. These pings should be successful.
d. Issue the show crypto isakmp sa command again. Was an SA created for these pings? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
SA was not created. The source address of both pings was the R1 S0/0/0 address of 10.1.1.1. In the first
case, the destination address was 10.2.2.1. In the second case, the destination address was 192.168.3.1.
This is not “interesting” traffic. The ACL 101 that is associated with the crypto map for R1 defines
interesting traffic as IP packets from the 192.168.1.0/24 network to the 192.168.3.0/24 network.
e. Issue the debug ip ospf hello command. You should see OSPF hello packets passing between R1 and
R3.
R1# debug ip ospf hello
OSPF hello events debugging is on
R1#
*Apr 7 18:04:46.467: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1 from
192.168.1.1
*Apr 7 18:04:50.055: OSPF: Send hello to 224.0.0.5 area 0 on Serial0/0/0 from
10.1.1.1
*Apr 7 18:04:52.463: OSPF: Rcv hello from 10.2.2.2 area 0 from Serial0/0/0 10.1.1.2
*Apr 7 18:04:52.463: OSPF: End of hello processing
*Apr 7 18:04:55.675: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1 from
192.168.1.1

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 13 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

*Apr 7 18:04:59.387: OSPF: Send hello to 224.0.0.5 area 0 on Serial0/0/0 from

10.1.1.1
*Apr 7 18:05:02.431: OSPF: Rcv hello from 10.2.2.2 area 0 from Serial0/0/0 10.1.1.2
*Apr 7 18:05:02.431: OSPF: End of hello processing
f. Turn off debugging with the no debug ip ospf hello or undebug all command.
g. Re-issue the show crypto isakmp sa command. Was an SA created between R1 and R3? Explain.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
No. This is router-to-router routing protocol traffic. The source and destination of these packets is not
interesting, does not initiate the SA, and is not encrypted.

Step 4: Generate some interesting test traffic and observe the results.
a. Use an extended ping from R1 to the R3 Fa01 interface IP address 192.168.3.1. Extended ping allows
you to control the source address of the packets. Respond as shown in the following example. Press
Enter to accept the defaults, except where a specific response is indicated.
R1# ping
Protocol [ip]:
Target IP address: 192.168.3.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

..!!!
Success rate is 100 percent (3/5), round-trip min/avg/max = 92/92/92 ms
b. Re-issue the show crypto isakmp sa command.
R1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.2.2.1 10.1.1.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 14 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Why was an SA created between R1 and R3 this time?

____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The source was 192.168.1.1, and the destination was 192.168.3.1. This is interesting traffic based on the
ACL 101 definition. An SA is established, and packets travel through the tunnel as encrypted traffic.
What are the endpoints of the IPsec VPN tunnel?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Src: 10.1.1.1 (R1 S0/0/0), Dst: 10.2.2.1 (R3 S0/0/1).
c. Ping from PC-A to PC-C. If the pings were successful, issue the show crypto ipsec sa command. How
many packets have been transformed between R1 and R3?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Answers may vary. Seven: Three of the five packets from the R1 to R3 pings, four packets from the PC-A
to R3 pings, and one packet for each echo request. The number of packet may vary depending on how
many pings have been issued and from where.
R1# show crypto ipsec sa

interface: Serial0/0/0
Crypto map tag: CMAP, local addr 10.1.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0

local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1

path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0xC1DD058(203280472)

inbound esp sas:

spi: 0xDF57120F(3747025423)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 15 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

conn id: 2005, flow_id: FPGA:5, crypto map: CMAP

sa timing: remaining key lifetime (k/sec): (4485195/877)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xC1DD058(203280472)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: FPGA:6, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4485195/877)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

d. The previous example used pings to generate interesting traffic. What other types of traffic would result in
an SA forming and tunnel establishment?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Any traffic initiated from R1 with a source address in the 192.168.1.0/24 network and a destination
address in the 192.168.3.0/24 network. On R3, interesting traffic is any traffic with a source address in the
192.168.3.0/24 network and a destination address in the 192.168.1.0/24 network. This includes FTP,
HTTP, Telnet, and others.

Part 3: Configure a Site-to-Site IPsec VPN with CCP

In Part 3, configure an IPsec VPN tunnel between R1 and R3 that passes through R2. Task 1 will restore the
router to the basic settings using your saved configurations. In Task 2, configure R1 using Cisco CCP. In
Task 3, mirror those settings to R3 using CCP utilities. Finally, review and test the resulting configuration.

Task 1: Restore Router R1 and R3 to the Basic Settings.

To avoid confusion as to what was entered in Part 2, start by restoring R1 and R3 to the basic configuration
as described in Part 1 of this lab.

Step 1: Restore the basic configuration.

a. Connect to the R1 console using the ciscoconpass password.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 16 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

b. Enter privileged EXEC mode.

c. Reload the router and enter no when prompted to save the configuration.
R1# reload

System configuration has been modified. Save? [yes/no]: no

Proceed with reload? [confirm]
d. Connect to the R1 console using the ciscoconpass password.
e. Enter privileged EXEC mode.
f. Repeat on R3.

Step 2: Verify connectivity.

Test connectivity by pinging from host PC-A to PC-C. If the pings are unsuccessful, troubleshoot the router
and PC configurations before continuing.

Task 2: Configure IPsec VPN Settings on R1 Using CCP.

Step 1: Configure a username and password pair and enable HTTP router access.
a. From the CLI, configure a username admin and password cisco12345 to use with CCP on R1 and R3.
R1(config)# username admin privilege 15 secret cisco12345

R3(config)# username admin privilege 15 secret cisco12345

b. Enable the secure HTTP server on R1 and R3.
R1(config)#ip http secure-server

R3(config)#ip http secure-server

c. Configure local database authentication of web sessions to support CCP connectivity.
R1(config)# ip http authentication local

R3(config)# ip http authentication local

Step 2: Access CCP and discover R1.

a. Run the CCP application on PC-A. In the Select/Manage Community window, in the Hostname/Address
field, enter the R1 IP address 192.168.1.1, in the Username field, enter admin, and in the Password field,
cisco12345. Click the Connect Securely check box, and then click OK.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 17 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

b. At the CCP Dashboard, click Discover to discover and connect to R1. If the discovery process fails, click
Discover Details to determine the problem and resolve the issue.

Step 3: Start the CCP VPN wizard to configure R1.

a. On the CCP menu bar, click Configure, and click Security > VPN > Site-to-Site VPN. Read through the
description of this option.
What must you know to complete the configuration?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 18 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

The remote device (R3 S0/0/1) IP address and the pre-shared key (cisco12345), which will be
established in Task 2, Step 4.

b. Click Launch the selected task to begin the CCP Site-to-Site VPN wizard.
c. On the initial Site-to-Site VPN Wizard window, the Quick Setup option is selected by default. Click View
Defaults to see what settings this option uses. What type of encryption does the default transform set
use?
___________________________________________________________________________________
ESP_3DES
d. In the initial Site-to-Site VPN wizard window, choose the Step by Step wizard, and then click Next. Why
would you use this option over the Quick setup option?
____________________________________________________________________________________
____________________________________________________________________________________
So that you have more control over the VPN settings used.

Step 4: Configure basic VPN connection information settings.

a. In the VPN Connection Information window, select the interface for the connection, which should be R1
Serial0/0/0.
b. In the Peer Identity section, select Peer with static IP address, and enter the IP address of remote peer
R3 S0/0/1 (10.2.2.1).
c. In the Authentication section, click Pre-shared Keys, and enter the pre-shared VPN key cisco12345. Re-
enter the key for confirmation. This key authenticates the initial exchange to establish the Security

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 19 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Association between devices. When finished, your screen should look similar to the following. When you
have entered these settings correctly, click Next.

Step 5: Configure IKE policy parameters.

IKE policies are used while setting up the control channel between the two VPN endpoints for key exchange.
This is also referred to as the IKE SA. In contrast, the IPsec policy is used during IKE Phase II to negotiate an
IPsec SA to pass target data traffic.
a. In the IKE Proposals window, a default policy proposal is displayed. You can use this one or create a new
one. What function does this IKE proposal serve?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The IKE proposal specifies the encryption algorithm, authentication algorithm, and key exchange method
used by this router when negotiating a VPN connection with a remote router.
b. Click Add to create a new IKE policy.
c. Set up the security policy as shown in the Add IKE Policy dialog box. These settings are matched later on
R3. When finished, click OK to add the policy, and click Next.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 20 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

d. For assistance in answering the following questions, click Help. What is the function of the encryption
algorithm in the IKE policy?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The encryption algorithm encrypts and decrypts the payload of the control packets that pass over the
secure IKE channel.
What is the purpose of the hash function?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The hash validates that the entire control packet has not been tampered with during transit. The hash
also authenticates the remote peer as the origin of the packet via a secret key.
What function does the authentication method serve?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Both endpoints verify that the IPsec traffic that they have received is sent by the remote IPsec peer.
How is the Diffie-Hellman group in the IKE policy used?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The Diffie-Hellman group is used by each of the endpoints to generate a shared secret key, which is
never transmitted across the network. Each Diffie-Hellman group has an associated key length.
What event happens at the end of the IKE policy’s lifetime?
____________________________________________________________________________________
____________________________________________________________________________________

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 21 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

____________________________________________________________________________________
IKE renegotiates the IKE association.

Step 6: Configure a transform set.

The transform set is the IPsec policy used to encrypt, hash, and authenticate packets that pass through the
tunnel. The transform set is the IKE Phase 2 policy.
a. A CCP default transform set is displayed. Click Add to create a new transform set.
b. Set up the transform set, as shown in the Add Transform Set dialog box. These settings are matched
later on R3. When finished, click OK to add the transform set, and click Next.

Step 7: Define interesting traffic.

You must define interesting traffic to be protected through the VPN tunnel. Interesting traffic is defined
through an access list applied to the router. By entering the source and destination subnets that you would
like to protect through the VPN tunnel, CCP generates the appropriate simple access list for you.
In the Traffic to protect window, enter the information as shown below. These are the opposite of the settings
configured on R3 later in the lab. When finished, click Next.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 22 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Step 8: Review the summary configuration and deliver commands to the router.
a. Review the Summary of the Configuration window. It should look similar to the one below. Do not click the
Test VPN connectivity after configuring check box. This is done after configuring R3. Click Finish to
continue.

b. In the Deliver Configuration to router window, click Deliver. After the commands have been delivered,
click OK. How many commands were delivered?

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 23 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

____________________________________________________________________________________
31 with CCP 2.5

Task 3: Create a Mirror Configuration for R3.

Step 1: Use CCP on R1 to generate a mirror configuration for R3.

a. On R1, on the CCP menu bar, click Configure, and then click Security > VPN > Site-to-Site VPN. Select
the Edit Site to Site VPN tab. You should see the VPN configuration listed that you just created on R1.
What is the description of the VPN?
____________________________________________________________________________________
Tunnel to 10.2.2.1
b. What is the status of the VPN and why?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Down. The IKE security association could not be established because the VPN peer R3 has not yet been
configured. R3 must be configured with the appropriate VPN parameters, such as matching IKE
proposals and IPsec policies and a mirrored access list, before the IKE and IPsec security associations
will activate.
c. Select the VPN policy you just configured on R1 and click Generate Mirror. The Generate Mirror window
displays the commands necessary to configure R3 as a VPN peer. Scroll through the window to see all
the commands generated.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 24 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

The text at the top of the window states that the configuration generated should only be used as a guide
for setting up a site-to-site VPN. What commands are missing to allow this crypto policy to function on
R3?
____________________________________________________________________________________
____________________________________________________________________________________
The commands to apply the crypto map to the S0/0/1 interface.
Hint: Look at the description entry following the crypto map SDM_CMAP_1 command.

Step 2: Save the configuration commands for R3.

a. Click Save to create a text file for use in the next task.
b. Save the commands to the desktop or other location and name it VPN-Mirror-Cfg-for-R3.txt.
Note: You can also copy the commands directly from the Generate Mirror window.
c. (Optional) Edit the file to remove the explanation text at the beginning and the description entry following
the crypto map SDM_CMAP_1 command.

Task 4: Apply the Mirror Configuration to R3 and Verify the Configuration.

Step 1: Access the R3 CLI and copy the mirror commands.

Note: You can also use CCP on R3 to create the appropriate VPN configuration, but copying and pasting the
mirror commands generated from R1 is easier.
NETLAB+ Note: If you are using NETLAB+, Telnet into R3 (10.2.2.1) from PC-A to paste the commands
generated for R3 using CCP. Use the terminal monitor command to view messages during Telnet session.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 25 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

a. On R3, enter privileged EXEC mode and then global configuration mode.
b. Copy the commands from the text file into the R3 CLI.

Step 2: Apply the crypto map to the R3 S0/0/1 interface.

R3(config)# interface S0/0/1
R3(config-if)# crypto map SDM_CMAP_1
*Jan 30 13:00:38.184: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 3: Verify the VPN configuration on R3 using Cisco IOS.

a. Display the running configuration beginning with the first line that contains the string “0/0/1” to verify that
the crypto map is applied to S0/0/1.
R3# show run | begin 0/0/1
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
crypto map SDM_CMAP_1
b. On R3, use the show crypto isakmp policy command to show the configured ISAKMP policies on the
router.
Note: The default CCP policy is also present.
R3# show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit

Protection suite of priority 10

encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
c. In the above output, how many ISAKMP policies are there?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Two, the CCP default with priority 1 and the one with priority 10, which was created during the CCP
session with R1 and copied as part of the mirror configuration.
d. Issue the show crypto ipsec transform-set command to display the configured IPsec policies in the
form of the transform sets.
R3# show crypto ipsec transform-set
Transform set Lab-Transform: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 26 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }

will negotiate = { Transport, },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }

will negotiate = { Transport, },
e. Use the show crypto map command to display the crypto maps that will be applied to the router.
R3# show crypto map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
Description: Apply the crypto map on the peer router's interface having IP
address 10.2.2.1 that connects to this router.
Peer = 10.1.1.1
Extended IP access list SDM_1
access-list SDM_1 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 10.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
Lab-Transform: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map SDM_CMAP_1:
Serial0/0/1
In the above output, the ISAKMP policy being used by the crypto map is the CCP default policy with
sequence number priority 1, indicated by the number 1 in the first output line: Crypto Map
“SDM_CMAP_1” 1 ipsec-isakmp. Why is it not using the one you created in the CCP session — the one
shown with priority 10 in Step 3b above?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
The CCP crypto map config defaults to using the default ISAKMP policy.
f. (Optional) In Part 3 Task 2 Step 5, ISAKMP policy 10 was configured on R1, in addition to the default
ISAKMP policy 1. Both policies were included in the VPN policy that was generated in Part 3, Task 3. You
can force the routers to use the more stringent policy that you created by changing the crypto map
references in the R1 and R3 router configurations. In this example, the default ISAKMP policy 1 was
removed from both routers.
R1(config)# interface S0/0/0
R1(config-if)# no crypto map SDM_CMAP_1
R1(config-if)# exit
*Jan 30 17:01:46.099: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R1(config)# no crypto map SDM_CMAP_1 1
R1(config)# crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)# description Tunnel to 10.2.2.1
R1(config-crypto-map)# set peer 10.2.2.1
R1(config-crypto-map)# set transform-set Lab-Transform
R1(config-crypto-map)# match address 100

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 27 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

R1(config-crypto-map)# exit
R1(config)#interface S0/0/0
R1(config-if)# crypto map SDM_CMAP_1
R1(config-if)#
*Jan 30 17:03:16.603: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3(config)# interface S0/0/1

R3(config-if)# no crypto map SDM_CMAP_1
R3(config-if)# exit
R3(config)# no crypto map SDM_CMAP_1 1
R3(config)# crypto map SDM_CMAP_1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)# description Tunnel to 10.1.1.1
R3(config-crypto-map)# set peer 10.1.1.1
R3(config-crypto-map)# set transform-set Lab-Transform
R3(config-crypto-map)# match address SDM_1
R3(config-crypto-map)# exit
R3(config)# interface S0/0/1
R3(config-if)# crypto map SDM_CMAP_1
R3(config-if)#
*Jan 30 22:18:28.487: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Task 5: Test the VPN Configuration Using CCP on R1.

a. On PC-A, use CCP to test the IPsec VPN tunnel between the two routers. Click Security > VPN > Site-
to-Site VPN, and then select the Edit Site-to-Site VPN tab.
b. On the Edit Site to Site VPN tab, select the VPN and click Test Tunnel.
c. When the VPN Troubleshooting window displays, click Start to enable CCP to troubleshoot the tunnel.
d. When the CCP Warning window displays indicating that CCP will enable router debugs and generate
some tunnel traffic, click Yes to continue.
e. In the next VPN Troubleshooting window, the IP address of the R1 Fa0/1 interface in the source network
is displayed by default (192.168.1.1). Enter the IP address of the R3 Fa0/1 interface in the destination
network field (192.168.3.1), and click Continue to begin the debugging process.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 28 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

f. If the debug is successful and the tunnel is up, you should see the screen below. If the testing fails, CCP
displays failure reasons and recommended actions. Click OK to remove the window.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 29 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

g. You can save the report if desired; otherwise, click Close.

Note: To reset the tunnel and test again, click Clear Connection in the Edit Suite-to-Site VPN window.
This can also be accomplished at the CLI using the clear crypto session command.
h. Issue the show run interface s0/0/1 command to verify that the crypto map is applied to S0/0/1.
R3# show run interface s0/0/1
Building configuration...

Current configuration : 89 bytes

!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
crypto map SDM_CMAP_1
end
i. Issue the show crypto isakmp sa command on R3 to view the security association created.
R3# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.2.2.1 10.1.1.1 QM_IDLE 1001 0 ACTIVE

IPv6 Crypto ISAKMP SA

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 30 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

j. Issue the show crypto ipsec sa command. How many packets have been transformed between R1 and
R3?
____________________________________________________________________________________
116 from the CCP testing
R3# show crypto ipsec sa

interface: Serial0/0/1
Crypto map tag: SDM_CMAP_1, local addr 10.2.2.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 10.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 116, #pkts encrypt: 116, #pkts digest: 116
#pkts decaps: 116, #pkts decrypt: 116, #pkts verify: 116
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.2.2.1, remote crypto endpt.: 10.1.1.1

path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1
current outbound spi: 0x207AAD8A(544910730)

inbound esp sas:

spi: 0xAF102CAE(2937072814)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: FPGA:7, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4558294/3037)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x207AAD8A(544910730)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: FPGA:8, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4558294/3037)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 31 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

outbound ah sas:

outbound pcp sas:

Reflection
1. Would traffic on the Fast Ethernet link between PC-A and the R1 Fa0/0 interface be encrypted by the site-to-
site IPsec VPN tunnel? Explain.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
No. This site-to-site VPN only encrypts from router R1 to R3. A sniffer could be used to see the traffic from
PC-A to the R1 default gateway.
2. Compared to using the CCP VPN wizard GUI, what are some factors to consider when configuring site-to-site
IPsec VPNs using the manual CLI?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary but could include the following:
Traditional CLI methods are time-consuming and prone to keystroke errors. They also require the
administrator to have an extensive knowledge of IPsec VPNs and Cisco IOS command syntax.
CCP gives the maximum flexibility and greatly simplifies IPsec VPN configuration. CCP also provides help
and explanations on various technologies and settings available.

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 32 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Router Interface Summary Table

Router Interface Summary

Router Model Ethernet Interface #1 Ethernet Interface #2 Serial Interface #1 Serial Interface #2

1800 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
(Fa0/0) (Fa0/1)
1900 Gigabit Ethernet 0/0 Gigabit Ethernet 0/1 Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
(G0/0) (G0/1)
2801 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/1/0 (S0/1/0) Serial 0/1/1 (S0/1/1)
(Fa0/0) (Fa0/1)
2811 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
(Fa0/0) (Fa0/1)
2900 Gigabit Ethernet 0/0 Gigabit Ethernet 0/1 Serial 0/0/0 (S0/0/0) Serial 0/0/1 (S0/0/1)
(G0/0) (G0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces the router has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An
example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be
used in Cisco IOS commands to represent the interface.

Router Configs
Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet Interfaces.

Router R1 after Part 1

R1# show run
Building configuration...

Current configuration : 1385 bytes

!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 33 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
archive
log config
hidekeys
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
no fair-queue
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
no ip address
!
router ospf 101
network 10.1.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 34 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

exec-timeout 0 0
password 7 14141B180F0B29242A38322631
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password 7 05080F1C2243581D0015160118
login
!
scheduler allocate 20000 1000
end

Router R2 after Part 1

R2# show run
Building configuration...

Current configuration : 1369 bytes

!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface FastEthernet0/0
no ip address
shutdown

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 35 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.2 255.255.255.252
no fair-queue
!
interface Serial0/0/1
ip address 10.2.2.2 255.255.255.252
clock rate 64000
!
interface Vlan1
no ip address
!
router ospf 101
network 10.1.1.0 0.0.0.3 area 0
network 10.2.2.0 0.0.0.3 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
exec-timeout 0 0
password 7 05080F1C22434D061715160118
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password 7 02050D4808091935555E080A16
login
!
scheduler allocate 20000 1000
end

Router R3 after Part 1

R3# show run
Building configuration...

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 36 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Current configuration : 1347 bytes

!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
!

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 37 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

interface Vlan1
no ip address
!
router ospf 101
network 10.2.2.0 0.0.0.3 area 0
network 192.168.3.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
password 7 01100F17580405002F5C4F1A0A
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password 7 14141B180F0B3C3F3D38322631
login
!
scheduler allocate 20000 1000
end

Router R1 after Part 2

R1# show run
Building configuration...

Current configuration : 1815 bytes

!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 38 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco123 address 10.2.2.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 10.2.2.1
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
no fair-queue
clock rate 64000
crypto map CMAP
!
interface Serial0/0/1
no ip address
shutdown

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 39 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

clock rate 2000000

!
interface Vlan1
no ip address
!
router ospf 101
network 10.1.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
password 7 00071A150754080901314D5D1A
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password 7 00071A1507541D1216314D5D1A
login
!
scheduler allocate 20000 1000
end

Router R3 after Part 2

R3# show run
Building configuration...

Current configuration : 1797 bytes

!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 40 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco123 address 10.1.1.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 10.1.1.1
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 41 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
crypto map CMAP
!
interface Vlan1
no ip address
!
router ospf 101
network 10.2.2.0 0.0.0.3 area 0
network 192.168.3.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
password 7 03075218050022434019181604
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password 7 14141B180F0B3C3F3D38322631
login
!
scheduler allocate 20000 1000
end

Router R1 after Part 3

R1# show run
Building configuration...

Current configuration : 1966 bytes

!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 42 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

!
security passwords min-length 10
logging message-counter syslog
no logging buffered
enable secret 5 $1$jV0j$TkWKZZFegFd3ZYmfsmXaC1
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 28800
crypto isakmp key cisco12345 address 10.2.2.1
!
crypto ipsec transform-set Lab-Transform esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 10.2.2.1
set peer 10.2.2.1
set transform-set Lab-Transform
match address 100
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 43 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
clock rate 64000
crypto map SDM_CMAP_1
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
no ip address
!
router ospf 101
network 10.1.1.0 0.0.0.3 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPsec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
password 7 094F471A1A0A141D051C053938
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password 7 01100F175804101B385C4F1A0A
login
!
scheduler allocate 20000 1000
end

Router R3 after Part 3

R3# show run
Building configuration...

Current configuration : 1982 bytes

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 44 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 28800
crypto isakmp key cisco12345 address 10.1.1.1
!
!
crypto ipsec transform-set Lab-Transform esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set Lab-Transform
match address SDM_1
!

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 45 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
crypto map SDM_CMAP_1
!
interface Vlan1
no ip address
!
router ospf 101
network 10.2.2.0 0.0.0.3 area 0
network 192.168.3.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended SDM_1
remark CCP_ACL Category=4
remark IPsec Rule
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
password 7 110A1016141D08030A3A2A373B
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 0
password 7 14141B180F0B3C3F3D38322631

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 46 of 47
Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

login
!
scheduler allocate 20000 1000
end

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 47 of 47