Lab ID: 9.9K516A158.SUP.

Configuring IPSec
Objective
Configure an IP Security (IPSec) virtual private network (VPN) tunnel between the P1R1 router and the
P2R1 router. You will test this tunnel by pinging from P1R2 to P2R2 and verifying that the packets were
encrypted.
For this lab, you will be responsible for configuring P1R1 and P1R2. P2R1 and P2R2 will be configured
when the lab is loaded from the Lab Navigator.

Lab Topology
The topology diagram below represents the NetMap in the Simulator.

P1R2 P2R2

P1R1 P2R1

Command Summary
Command Description
access-list access-list-number {deny | defines an extended IP access control list (ACL) for the
permit} protocol source source-wildcard traffic type specified by the protocol parameter
[operator [port]] destination destination-
wildcard [operator [port]]
authentication {rsa-sig | rsa-encr | pre- specifies the authentication method within an Internet Key
share} Exchange (IKE) policy
clock rate clock-rate sets the clock rate for a Data Communications Equipment
(DCE) interface
configure terminal enters global configuration mode from privileged EXEC
mode
crypto ipsec transform-set transform-set- defines a transform set, which is an acceptable combination
name transform1 [transform2] [transform3] of security protocols and algorithms; can include IPSec
[transform4] Authentication Header (AH) and Encapsulating Security
Protocol (ESP) security parameters

1 Boson NetSim Lab Manual

 Command Description
crypto isakmp key password address defines a preshared key
ip-address
crypto isakmp policy priority defines an IKE policy and enables Internet Security
Association and Key Management Protocol (ISAKMP)
policy configuration mode
crypto map map-name applies a previously defined crypto map to an interface
crypto map map-name sequence-number creates or modifies a crypto map entry and enters the
[ipsec-isakmp] crypto map configuration mode
enable enters privileged EXEC mode
encryption {des | 3des} specifies the encryption algorithm within an IKE policy
end ends and exits configuration mode
exit exits one level in the menu structure
group {1 | 2 | 5} specifies the Diffie-Hellman (D-H) group identifier within an
IKE policy
hash {sha | md5} specifies the hash algorithm within an IKE policy
hostname host-name sets the device name
interface type number changes from global configuration mode to interface
configuration mode
ip address ip-address subnet-mask assigns an IP address to an interface
match address [access-list-id | name] specifies an extended ACL for a crypto map entry
ping ip-address sends an Internet Control Message Protocol (ICMP) echo
request to the specified address
router rip enables Routing Information Protocol (RIP) routing
network network-address activates the specified routing protocol on the specified
network
set peer {host-name | ip-address} specifies an IPSec peer in a crypto map entry
set transform-set transform-set-name specifies which transform sets can be used with the crypto
[transform-set-name2 … transform-set- map entry
name6]
show controllers [interface-type interface- displays cable orientation for serial interfaces
number]
show running-config displays the active configuration file
shutdown; no shutdown disables an interface; enables an interface
show crypto ipsec sa shows the settings used by current SAs
show crypto ipsec transform-set displays the configured transform sets
show crypto isakmp policy shows the parameters for each IKE policy
show crypto map shows the crypto map configuration
version 2 enables RIP version 2 (RIPv2)

2 Boson NetSim Lab Manual

 The IP addresses and subnet masks used in this lab are shown in the table below:

IP Addresses
Device Interface IP Address Subnet Mask
P1R1 Serial 0/1 10.1.1.1 255.255.255.0
FastEthernet 0/0 10.2.2.1 255.255.255.0
P1R2 Serial 0/0 10.1.1.2 255.255.255.0
P2R1 Serial 0/1 10.1.2.1 255.255.255.0
FastEthernet 0/0 10.2.2.2 255.255.255.0
P2R2 Serial 0/0 10.1.2.2 255.255.255.0

Lab Tasks
Task 1: Configure an IPSec VPN Tunnel
1. Configure P1R1 with a host name of P1R1 and P1R2 with a host name of P1R2.

2. On P1R1, configure the appropriate IP addresses for the Serial 0/1 interface and the FastEthernet
0/0 interface; refer to the IP Addresses table.

3. On P1R2, configure the appropriate IP address for the Serial 0/0 interface; refer to the IP Addresses
table.

4. What command should you issue to determine which end of the link between P1R1 and P1R2 has
the DCE interface? _______________________________________________________________

5. Configure a clock rate of 1,000 kilobits per second (Kbps) on the Serial interface of the router with
the DCE interface.

6. Configure RIPv2 on P1R1 and P1R2. Define a network statement for 10.0.0.0.

7. From P1R2, ping P2R2’s Serial 0/0 interface (10.1.2.2). Is the ping successful? _______________

8. On P1R1, create an ISAKMP policy with a priority of 1 and with the following security parameters:
a Message Digest 5 (MD5) hash, Data Encryption Standard (DES) encryption, preshared keys for
authentication, and a 768-bit D-H group.

9. On P1R1, issue the command necessary to create ACL 110 that will allow traffic from the P1R2
network (10.1.1.0) to the P2R2 (10.1.2.0) network.

10. On P1R1, define a preshared key of cisco to be used for authenticating P1R1 to P2R1.

11. On P1R1, define an IPSec transform set that includes AH SHA authentication and ESP DES
encryption; use set_1 as the transform set name.

3 Boson NetSim Lab Manual

 12. On P1R1, define a crypto map that ties together the IPSec transform set and the crypto access list
you defined and that points to P2R1; use the name crypto_map and sequence number 1.

13. On P1R1, assign the crypto map you created to the FastEthernet 0/0 interface.

14. Test the IPSec tunnel by pinging from P1R2 to P2R2’s Serial 0/0 interface (10.1.2.2) and then
pinging from P2R2 to P1R2’s Serial 0/0 interface (10.1.1.2).

15. Issue the show crypto ipsec sa command on P1R1 to verify that the ICMP packets were
encrypted. Does the output show nonzero counters for packets encrypted/decrypted? __________

16. From P1R1, issue the show crypto isakmp policy command to display the ISAKMP policy you
created.

17. From P1R1, issue the show crypto ipsec transform-set command to display the IPSec transform
set you created.

18. From P1R1, issue the show crypto map command to display the crypto map you created.

Once you have completed this lab, be sure to check your work by using the grading function.
You can do so by clicking the Grade Lab icon ( ) in the toolbar or by pressing Ctrl+G.

4 Boson NetSim Lab Manual

 Lab Solutions
Task 1: Configure an IPSec VPN Tunnel
1. You should issue the following commands to configure P1R1 with a host name of P1R1 and P1R2
with a host name of P1R2:

On P1R1:
Router(config)#hostname P1R1

On P1R2:
Router(config)#hostname P1R2

2. On P1R1, you should issue the following commands to configure the appropriate IP addresses for
the Serial 0/1 interface and the FastEthernet 0/0 interface:

P1R1(config)#interface serial 0/1

P1R1(config-if)#ip address 10.1.1.1 255.255.255.0
P1R1(config-if)#no shutdown
P1R1(config-if)#interface fastethernet 0/0
P1R1(config-if)#ip address 10.2.2.1 255.255.255.0
P1R1(config-if)#no shutdown

3. On P1R2, you should issue the following commands to configure the appropriate IP address for the
Serial 0/0 interface:

P1R2(config)#interface serial 0/0

P1R2(config-if)#ip address 10.1.1.2 255.255.255.0
P1R2(config-if)#no shutdown

4. You should issue the following command to determine which end of the link between P1R1 and
P1R2 has the DCE interface. The Serial 0/1 interface on P1R1 is the DCE end of the link, as shown
in the following sample output:

P1R1#show controllers
interface Serial0/0
HD unit 0, idb = 0x1AE828, driver structure at 0x1B4BA0
buffer size 1524 HD unit 0,V.35 DTE cable
cpb = 0x7, eda = 0x58DC, cda = 0x58F0
RX ring with 16 entries at 0x4075800
<output omitted>
interface Serial0/1
HD unit 0, idb = 0x1AE828, driver structure at 0x1B4BA0
buffer size 1524 HD unit 0,V.35 DCE cable
cpb = 0x7, eda = 0x58DC, cda = 0x58F0
RX ring with 16 entries at 0x4075800
<output omitted>

5 Boson NetSim Lab Manual

 5. On P1R1, which is the router with the DCE interface, you should issue the following commands to
configure a clock rate of 1,000 Kbps on the Serial 0/1 interface:

P1R1(config)#interface serial 0/1

P1R1(config-if)#clock rate 1000000

6. You should issue the following commands to enable RIPv2 on P1R1 and P1R2 and to define a
network statement for 10.0.0.0:

P1R1(config)#router rip
P1R1(config-router)#version 2
P1R1(config-router)#network 10.0.0.0

P1R2(config)#router rip
P1R2(config-router)#version 2
P1R2(config-router)#network 10.0.0.0

7. From P1R2, a ping to P2R2’s Serial 0/0 interface (10.1.2.2) should fail because IPSec has not been
configured on P1R1 and P1R2.

P1R2#ping 10.1.2.2

8. You should issue the following commands on P1R1 to create an ISAKMP policy with a priority of 1
and to configure it with the following security parameters: an MD5 hash, DES encryption, preshared
keys for authentication, and group 1 (which is the 768-bit D-H group):

P1R1(config)#crypto isakmp policy 1

P1R1(config-isakmp)#hash md5
P1R1(config-isakmp)#authentication pre-share
P1R1(config-isakmp)#encryption des
P1R1(config-isakmp)#group 1

9. On P1R1, you should issue the following command to create an extended ACL numbered 110 that
will allow traffic from the P1R2 network to the P2R2 network:

P1R1(config)#access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

10. On P1R1, you should issue the following command to define a preshared key of cisco that will be
used to authenticate P1R1 to P2R1:

P1R1(config)#crypto isakmp key cisco address 10.2.2.2

11. On P1R1, you should issue the following command to define an IPSec transform set that includes
AH SHA authentication and ESP DES encryption:

P1R1(config)#crypto ipsec transform-set set_1 ah-sha-hmac esp-des

6 Boson NetSim Lab Manual

 12. On P1R1, you should issue the following commands to define a crypto map named crypto_map
that ties together the IPSec transform set and the ACL and that points to P2R1:

P1R1(config)#crypto map crypto_map 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
P1R1(config-crypto-map)#set peer 10.2.2.2
P1R1(config-crypto-map)#set transform-set set_1
P1R1(config-crypto-map)#match address 110

13. On P1R1, you should issue the following commands to assign the crypto map to the FastEthernet
0/0 interface:

P1R1(config)#interface fastethernet 0/0

P1R1(config-if)#crypto map crypto_map

14. To test the IPSec tunnel, you should ping from P1R2 to P2R2’s Serial 0/0 interface (10.1.2.2) and
from P2R2 to P1R2’s Serial 0/0 interface (10.1.1.2). The pings should be successful.

P1R2#ping 10.1.2.2

P2R2#ping 10.1.1.2

15. You should issue the following command on P1R1 to verify that the ICMP packets were encrypted.
The sample output below shows nonzero counters for both encrypted and decrypted packets:

P1R1#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: crypto_map, local addr. 10.2.2.1

local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 10.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest 0
#pkts decaps: 11, #pkts decrypt: 11, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0

local crypto endpt.: 10.2.2.1, remote crypto endpt.: 10.2.2.2

path mtu 1500, media mtu 1500
current outbound spi:

7 Boson NetSim Lab Manual

 16. You should issue the following command on P1R1 to display the ISAKMP policy you created.
Sample output is shown below:

P1R1#show crypto isakmp policy

Global IKE Policy

Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

17. You should issue the following command on P1R1 to display the IPSec transform set you created.
Sample output is shown below:

P1R1#show crypto ipsec transform-set

Transform set set_1: { ah-sha-hmac }
will negotiate = { Tunnel, },
{ esp-des }
will negotiate = { Tunnel, },

18. You should issue the following command on P1R1 to display the crypto map you created. Sample
output is shown below:

P1R1#show crypto map

Crypto Map “crypto_map” 1 ipsec-isakmp
Peer = 10.2.2.2
Extended IP access list 110
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Current peer: 10.2.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ set_1, }
Interfaces using crypto map crypto_map:
FastEthernet0/0

8 Boson NetSim Lab Manual

 Sample Configuration Scripts
P1R1
P1R1#show running-config
Building configuration...
Current configuration : 1134 bytes
!
Version 15.b
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname P1R1
!
ip subnet-zero
!
ip cef
no ip domain-lookup
!
crypto isakmp policy 1
encryption des
authentication pre-share
hash md5
!
crypto isakmp key cisco address 10.2.2.2
!
crypto ipsec transform-set set_1 ah-sha-hmac esp-des
!
crypto map crypto_map 1 ipsec-isakmp
set peer 10.2.2.2
set transform-set set_1
match address 110
!
interface Serial0/0
no ip address
no ip directed-broadcast
!
interface Serial0/1
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
clock rate 1000000
!
interface FastEthernet0/0
ip address 10.2.2.1 255.255.255.0
no ip directed-broadcast
crypto map crypto_map
!

(P1R1’s sample configuration script is continued on the next page.)

9 Boson NetSim Lab Manual

 P1R1 (continued from previous page)
interface FastEthernet0/1
no ip address
no ip directed-broadcast
!
router rip
version 2
network 10.0.0.0
!
ip classless
no ip http server
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end

P1R2 P1R2 (continued)

P1R2#show running-config interface Bri1/0
Building configuration... no ip address
Current configuration : 766 bytes no ip directed-broadcast
! !
Version 15.b interface Bri1/0:1
service timestamps debug uptime no ip address
service timestamps log uptime no ip directed-broadcast
no service password-encryption !
! interface Bri1/0:2
hostname P1R2 no ip address
! no ip directed-broadcast
ip subnet-zero !
! router rip
ip cef version 2
no ip domain-lookup network 10.0.0.0
! !
interface Serial0/0 ip classless
ip address 10.1.1.2 255.255.255.0 no ip http server
no ip directed-broadcast !
! line con 0
interface FastEthernet0/0 line aux 0
no ip address line vty 0 4
no ip directed-broadcast login
! !
no scheduler allocate
end

Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.

10 Boson NetSim Lab Manual