Scribd Logo
Upload

Welcome to Scribd!

  • 110 views

    TP8-Configure and Verify A Site-to-Site IPsec VPN Using CLI

    Uploaded by

    kaw birthday
    This document provides instructions for configuring and verifying a site-to-site IPsec VPN using the command line interface. It describes enabling IPsec on routers R1 and R3, configuring IKE phase 1 and 2 policies with matching parameters on both routers including pre-shared keys and traffic selection, and applying the crypto maps to interfaces. It also details verifying the tunnel by viewing encryption statistics before and after interesting traffic passes and ensuring uninteresting traffic does not trigger the VPN.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    TP8-Configure and Verify A Site-to-Site IPsec VPN Using CLI

    Uploaded by

    kaw birthday
    110 views11 pages
    This document provides instructions for configuring and verifying a site-to-site IPsec VPN using the command line interface. It describes enabling IPsec on routers R1 and R3, configuring IKE phase 1 and 2 policies with matching parameters on both routers including pre-shared keys and traffic selection, and applying the crypto maps to interfaces. It also details verifying the tunnel by viewing encryption statistics before and after interesting traffic passes and ensuring uninteresting traffic does not trigger the VPN.

    Original Title

    TP8-Configure_and_Verify_a_Site-to-Site_IPsec_VPN_Using_CLI

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides instructions for configuring and verifying a site-to-site IPsec VPN using the command line interface. It describes enabling IPsec on routers R1 and R3, configuring IKE phase 1 and 2 policies with matching parameters on both routers including pre-shared keys and traffic selection, and applying the crypto maps to interfaces. It also details verifying the tunnel by viewing encryption statistics before and after interesting traffic passes and ensuring uninteresting traffic does not trigger the VPN.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    110 views11 pages

    TP8-Configure and Verify A Site-to-Site IPsec VPN Using CLI

    Uploaded by

    kaw birthday
    This document provides instructions for configuring and verifying a site-to-site IPsec VPN using the command line interface. It describes enabling IPsec on routers R1 and R3, configuring IKE phase 1 and 2 policies with matching parameters on both routers including pre-shared keys and traffic selection, and applying the crypto maps to interfaces. It also details verifying the tunnel by viewing encryption statistics before and after interesting traffic passes and ensuring uninteresting traffic does not trigger the VPN.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 11

    TP 8 :

    Packet Tracer - Configure and Verify a Site-to-


    Site IPsec VPN Using CLI

    Élaboré par : Kaouther Messaoudi 3 DNI 2


    Packet Tracer - Configure and Verify a Site-to-
    Site IPsec VPN Using CLI
    Part 1: Configure IPsec Parameters on R1
    Step 1: Test connectivity.
    Ping from PC-A to PC-C.

    Step 2: Enable the Security Technology package.


    a. On R1, issue the show version command to view the Security Technology
    package license information.

    1
    b. If the Security Technology package has not been enabled, use the following
    command to enable the package.
    c. Accept the end-user license agreement.

    d. Save the running-config and reload the router to enable the security license.

    e. Verify that the Security Technology package has been enabled by using the
    show version command.

    2
    Step 3: Identify interesting traffic on R1.

    Step 4: Configure the IKE Phase 1 ISAKMP policy on R1.


    Configure the crypto ISAKMP policy 10 properties on R1 along with the shared
    crypto key vpnpa55. Refer to the ISAKMP Phase 1 table for the specific parameters to
    configure. Default values do not have to be configured. Therefore, only the encryption
    method, key exchange method, and DH method must be configured.
    Note: The highest DH group currently supported by Packet Tracer is group 5. In a
    production network, you would configure at least DH 14.

    Step 5: Configure the IKE Phase 2 IPsec policy on R1.


    a. Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac.

    3
    b. Create the crypto map VPN-MAP that binds all of the Phase 2 parameters
    together. Use sequence number 10 and identify it as an ipsec-isakmp map.

    Step 6: Configure the crypto map on the outgoing interface.


    Bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface.

    Part 2: Configure IPsec Parameters on R3


    Step 1: Enable the Security Technology package.
    a. On R3, issue the show version command to verify that the Security Technology
    package license information has been enabled.

    4
    b. If the Security Technology package has not been enabled, enable the package
    and reload R3.

    5
    Step 2: Configure router R3 to support a site-to-site VPN with R1.
    Configure reciprocating parameters on R3. Configure ACL 110 identifying the
    traffic from the LAN on R3 to the LAN on R1 as interesting.

    6
    Step 3: Configure the IKE Phase 1 ISAKMP properties on R3.
    Configure the crypto ISAKMP policy 10 properties on R3 along with the shared
    crypto key vpnpa55.

    Step 4: Configure the IKE Phase 2 IPsec policy on R3.


    a. Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac.

    b. Create the crypto map VPN-MAP that binds all of the Phase 2 parameters
    together. Use sequence number 10 and identify it as an ipsec-isakmp map.

    Step 5: Configure the crypto map on the outgoing interface.


    Bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface.
    Note: This is not graded.

    Part 3: Verify the IPsec VPN


    Step 1: Verify the tunnel prior to interesting traffic.
    Issue the show crypto ipsec sa command on R1. Notice that the number of
    packets encapsulated, encrypted, decapsulated, and decrypted are all set to 0.

    7
    Step 2: Create interesting traffic.
    Ping PC-C from PC-A

    Step 3: Verify the tunnel after interesting traffic.


    On R1, re-issue the show crypto ipsec sa command. Notice that the number of
    packets is more than 0, which indicates that the IPsec VPN tunnel is working

    8
    Step 4: Create uninteresting traffic.
    Ping PC-B from PC-A.
    Note: Issuing a ping from router R1 to PC-C or R3 to PC-A is not interesting
    traffic

    Step 5: Verify the tunnel.

    9
    10

    You might also like