003 Flex Access VPN
Uploaded by
luis velazco003 Flex Access VPN
Uploaded by
luis velazcoCCNP Security:SVPN – FlexVPN : Part 3
CCNP Security- Cisco Certified Network Professional Security
Part 3- Flex VPN
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Index for Part 3- FlexVPN
IPSEC IKEv2 4
IKEv2 - Site to Site VPN 18
LAB - FlexVPN -Site to Site VPN -Static VTI 42
LAB - FLEXVPN - Hub - Spokes Tunnels
LAB - FLEXVPN - Hub - Spokes Tunnels - Multiple Sites
LAB - IKEv2 Authorization Policy
FLEXVPN -Spoke To Spoke Tunnels
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
IPSEC IKEv2
Internet Key Exchange - version 2
KEV2 is the next version of IKEv1
Initially defined in RFC 4306 (updated in RFC 5996 , Current RFCs are RFC 7296 and RFC
7427)
IKEV2 was developed by Microsoft together with Cisco.
Purpose of IKE remains the same whether IKEv1 or IKEv2 (works different)
o Establish a secure tunnel between Peers
o Authenticate peers
o Establish security associations (SAs) used for protecting traffic (Agreeing on which
encryption methods will be used)
o Providing Privacy & Integrity.
Internet Key Exchange - version 2
Simplifies SA negotiation and enhances negotiation efficiency.
Like IKEv1, IKEv2 runs over UDP ports 500 and 4500 (IPsec NAT Traversal)
More Resistant to DOS attacks with improved peer validation.
Closes many cryptographic loopholes, improving security.
Built-in health check automatically re-establishes a tunnel if it goes down. (Replaces the
Dead Peer Detection in IKEv1
IKEv2 is not backwards compatible with IKEv1
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
IKEV2 (VS) IKEV1
IKEv2 consume less bandwidth and faster (Less number of messages to establish
tunnel).
IKEv2 provides inbuilt NAT Traversal (IKEv1 doesn' t have)
Unlike IKEv1, IKEv2 can actually detect if a VPN tunnel is "alive" or not.
o This feature allows IKEv2 to automatically re-establish a tunnel if its goes down.
IKEv2 supports EAP authentication (while IKEv1 doesn' t.) along with Pre-shared key &
Certificates Authentication.
IKEv2 support Asymmetric Authentication.
o Different pre-shared keys can be used on each site
o One side pre-shared key & other side PKI
o IKEv1 requires symmetric authentication (both have to use the same key & method
of authentication)
IKEV2 supports MOBIKE (while IKEv1 doesn' t)
Instant reconnection upon network/IP address changes (think smartphone switching
between WiFi and 4G).
IKEV2 encryption supports more stronger algorithms than IKEv1 (still faster)
o IKEV2 supports PFS (Perfect Forward Secrecy).
o The IKEV2 VPN protocol uses encryption keys for both sides, making it more secure
than IKEv1
IKEV2 has facility to negotiate multiple sets of selectors.
o IKEV2 has clear method to choose subset of selectors when both sites are not
configured with exact selector values.
IKEV2 offers better reliability through improved sequence numbers and
acknowledgements.
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
IKEV2 - Phases
IKEV2 also has a two Phase negotiation process.( 4 Exchange messages)
IKE SA (Phase 1) - The SA that carries IKE messages is referred to as the IKE SA (Builds
Secure channel)
Child SA (Phase 2) - The SAs for ESP and AH are child SAs. ( Protect Traffic)
Phase 1 (IKESA)
KE_SAJNIT - Exchange IKE proposals
IKE AUTH - Authentication /Identity Exchange
Phase 2 (IKESA)
CREATE_CHILD_SA - Acceptable proposals for IPSEC SA
INFORMATIONAL - Maintenance exchange with ACK.
IKEV2 - Phase 1
IKEV2 Phase 1 also has a two step negotiation process.
1. IKE_SA_INIT- Exchange IKE proposals
2. IKE AUTH - Authentication /Identity Exchange
IKE SA INIT- Exchange IKE proposals
Negotiates security parameters (cryptographic algorithms) for the IKE SA.
Sends nonces & Diffie-Hellman values,(to derive common shared keys)
Shared keys used for next Phases to
o Authenticate the IKE peers
o Authenticate messages sent under the protection of this IKE SA
o Encrypt messages that are sent under the protection of this IKE SA
o Keying material that derives keys that are established for child SAs
Combines all the information usually exchanged in MMI-4 in IKEv1
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
IKEV2 - Phase 1
IKEV2 also has a two Phase negotiation process.
1. IKE_SA_INIT- Exchange IKE proposals
2. IKE AUTH - Authentication /Identity Exchange
IKE AUTH Authentication /Identity Exchange
Used to authenticate the remote peer&initiates the IPSec SA(first child SA ).
Includes Authentication information ( PSK, Certificates, EAP)
Includes SA Traffic selector payload (determine what traffic is allowed through the
tunnel.)
Certificate Exchange & Configuration exchange (Optional)
CREATE_CHILD_SA - Acceptable proposals for IPSEC SA
IKEV2 - Phase 2
Second phase in IKEv2 is known as Child Mode.
CREATE_CHILD_SA - Acceptable proposals for IPSEC SA
INFORMATIONAL - Maintenance exchange with ACK.
IKEV2 - Phase 2
Second phase in IKEv2 is known as Child Mode.
CREATE_CHILD_SA - Acceptable proposals for IPSEC SA
INFORMATIONAL - Maintenance exchange with ACK.
CREATE_CHILD_SA
The initiator sends a CREATE_CHILD_SA request, containing a list of acceptable
proposals for the Child SA.
The attributes that can be negotiated include the following:
Protocol (AH or ESP)
Encapsulation mode (tunnel or transport)
Encryption algorithm (for example, DES, 3DES or AES)
Authentication algorithm (for example, HMAC-MDs or HMAC-SHA)
Diffie-Hellman group information (for example, group 1, group 2, group 5 or group 14)
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Responder picks a proposal that is acceptable and returns the choice to the initiator in
the CREATE_CHILD_SA response.
IKEV2 - Phase 2
Second phase in IKEv2 is known as Child Mode.
CREATE_CHILD_SA - Acceptable proposals for IPSEC SA
INFORMATIONAL - Maintenance exchange with ACK.
INFORMATIONAL This is a maintenance exchange with ACK notifications including
Notify payload (N)
Error and status information
Report error conditions
Check SA liveliness
Delete payload(D)
o Infonns the peer that the sender has deleted one or more of its incoming SAs.(Delete
SAs as needed )
Configuration payload (CP)
To exchange configuration information between the IKE peers
CFG_REQUEST
CFG.REPLY
CFG_SET
CFG ACK
IKEV2-Platform support
IPsec did not change
Only the key management framework did
Both ASA and IOS routers support IKEv2
Assuming you run the proper code
Site-to-site and remote-access
Physical Hardware
IKEV2 was first supported in IOS 15.1.1T with site-to-site.
IKEV2 is available on ISR G2 [ 1900 - 2900 - 3900 - 880's 890's ] onwards [ and ASR1000].
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Cisco ASA introduced support for IPSEC IKEv2 in software version 8.4(1) and later.
With GNS3 Practice
IKEv2 was first supported in IOS 15.1.1T with site-to-site.
7200 IOS Image - running 15.1 ( or later IOS )
lOSv or IOU Image running later version of 15.1 Images.
Cisco ASAv appliance
IKEV2 Supported VPN Types
IPsec Site-to-Site VPN Types
Crypto-map (ASA still supports only this option)
Not recommended, kept for interoperability
GRE with IPSEC
SVTI/DVTI
DMVPN
GETVPN
IKEV2 Supported VPN Types
IPsec Remote-Access VPN
AnyConnect client supports both IKEv2 and SSL
You can also use other vendor clients to connect to a Cisco VPN gateway
You can also use the built-in/native clients within the operating system
IKEV2- Site to Site VPN - Feature Support
IKEV2 was first supported in IOS 15.1.1T with site-to-site.
https://cfti.cloudappsxisco.com/ITDIT/CFN/isp/index.jsp
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
IKEV2- Site to Site VPN
Configure a IPSEC Tunnel to encrypt traffic from R1 and R2 LAN networks.( 192.168.1.0/24
192.168.2.0/24)
IKEV2 Proposal Parameters (or use default)
Integrity:SHA1
Encryption: 3DES
Group: 2
Authentication:Pre-share
Pre-Shared Key (Rl):cisco123
Pre-Shared Key (R2):aws123
IPSec Parameters
Encryption:ESP-3DES
Authentication:ESP-MDs-HMAC
IKEV2 - Site to Site VPN - Building Blocks
1. IKEV2 proposal (Hash, Encryption, Authentication) - use default one
2. IKEV2 Policy ( Peer, Proposal) - use default one
3. IKEV2 Key ring(only for PSK)
4. Configure IKEV2 Profile (remote peer, Authentication method).
5. Define Interesting traffic,(if using Crypto-maps)
6. Configure Transform-set
7. Apply Crypto maps ( match transform-set, Peer, IKev2 Profile, Interesting Traffic)
IKEV2 - Site to Site VPN - Configuration
IKEV2 proposal (Hash, Encryption, DH group)
Same as ISAKMP Policy used in IKEvl ( defined with NAME )
Default one exists can be used or we can create our own proposal parameters (Named).
used in the negotiation of IKE SAs as part of the IKE_SA_INIT exchange.
o Encryption , Integrity,, DH group, Pseudo-Random Function (PRF)
o PRF is the same as the integrity algorithm, and hence,it is not configured separately.
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Rl#show crypto ikev2 proposal
IKEV2 proposal: default
Encryption:AES-CBC-256 AES-CBC-192 AES-CBC-128
ntegrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF: SHA512 SHA384 SHA256 SHAl MD5
DH Group : DH_GROUP_l536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
You can modify the default configuration, which is displayed in the show running-config
all command.
To disable default IKv2 proposal - no crypto ikev2 proposal default
IKEV2 - Site to Site VPN - Configuration
1KEV2 proposal (Hash, Encryption, DH group)
Multiple entries can be configured ( Left to Right preferred)
Do not include Authentication Method & SA lifetime.
Rl(config)#crypto ikev2 proposal IKEv2_PROPl
Rl(config-ikev2-proposal)# integrity shal sha256 sha384 sha512
Rl(config-ikev2-proposal)#group 5 2 14 15
Rl(config-ikev2-proposal)# encryption 3des aes-cbc-128 aes-cbc-256
Rl(config-ikev2-proposaI)#exit
R1#show crypto ikev2 proposal
IKEV2 - Site to Site VPN - Configuration
IKEV2 Policy
Controls which proposal is used per IPsec VPN tunnel.
Not exists in IKEvi
Default one exists can be used or we can create our own policy parameters.
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
IKEV2 proposal needs to be attached to Policy
Default IKEV2 proposal is used in the default IKEv2 policy.
Manually configured proposals must be associated to Policy (otherwise no
negotiation)
IKEV2 - Site to Site VPN - Configuration
IKEV2 Policy
Default one exists can be used or we can create our own policy parameters.
IKEV2 proposal needs to be attached to Policy.
Default IKEV2 proposal is used in the default IKEv2 policy.
Manually configured proposals must be associated to Policy (otherwise no
negotiation)
The proposals are prioritized in the order of listing (if multiple proposal configured)
IKEV2 - Site to Site VPN - Configuration
IKEV2 Key ring
Used to define pre-shared keys for remote peer Authentication
Supports Symmetric or Asymmetric peer authentication
Different pre-shared-keys for pre-shared-key authentication
One side using pre-shared-key authentication and other side using PKI authentication
Mandatory if using PSK Authentication ( not for PKI)
In IKEv1 - this was called as ISAKMP keyring.
R1#sh run I sec crypto ikev2 keyrin
IKEV2 - Site to Site VPN - Configuration
1KEV2 Profile
Same as IKEvi ISAKMP Profile.
Used to define local/Remote Identifies & build tunnels (Authentication method, Peer
address)
Configure local & Remote Authentication method used (PSK or PKI)
If using PSK, Key-ring should be attached
If using PKI, Truspoint should be attached
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
IKEV2 - Site to Site VPN - Building Blocks
1. IKEV2 proposal (Hash, Encryption, Authentication) - use default one
2. IKEV2 Policy ( Peer, Proposal) - use default one
3. IKEV2 Key ring(only for PSK)
4. Configure IKEV2 Profile (remote peer, Authentication method).
5. Define Interesting traffic,(if using Crypto-maps)
6. Configure Transform-set
7. Apply Crypto maps ( match transform-set, Peer, IKev2 Profile,Interesting Traffic)
IKEV2 - Site to Site VPN - Configuration
5) IPsec Configuration (same as IKEv1)
Configure Interesting traffic to apply IPSec.
Configure IPsec Transform-set
Apply Crypto maps ( match transform-set, Peer, IKev2 Profile, Interesting Traffic)
You have to bind the IKEv2 Profile at the crypto-map or IPsec profile level
IKEV2 - Site to Site VPN – Verification
IKEV2 Configuration Verification
Verify IKEv2 policy # show crypto ikev2 policy
Verify IKEv2 proposal # show crypto ikev2 proposal
Verify IKEv2 keyring #show running-config section crypto ikev2
keyring
Verify IKEv2 profile # show crypto ikev2 profile
IPsec Configuration Verification
Verify IPsec transform-set # show crypto ipsec transform-set
Verify IPsec profile # show crypto ipsec profile
Site to Site VPN - Verification & Troubleshooting
Session Verification
Verify IKEv2 SA
# show crypto ikev2 sa
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
# show crypto ikev2 sa detailed
# Show crypto Session
Verify IPsec SA
# show crypto ipsec sa
# show crypto ipsec sa detail
Verify IKEv2 and IPsec SA
# show crypto ikev2 session
# show crypto ikev2 session detailed
Session Troubleshooting
Troubleshoot the IKEv2 SA
# debug crypto ikev2
# debug crypto ikev2 packet
Troubleshoot the IPsec SA
# debug crypto ipsec
# debug crypto ipsec state
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
LAB: IKEv2 - Site to Site VPN
Background:
• In this lab we are going to show a simple example of configuring a Simple Site-to-Site IKEv2
VPN between two Cisco Routers.
• The configuration is not difficult at all, but as with any technology, if you aren't familiar with it
you're going to struggle through it at first.
• The topology used in this example is very simple. We have R 1 and R2, with a cloud (R5)
simulating connection over internet in between.
TASK
• Configure a IPSec Tunnel to encrypt traffic from R 1 and R2 LAN networks. ( 192.168.1.0 /24
192.168.2.0 /24)
Use the following Parameters
• IKEv2 Proposal Parameters
• Integrity : SHA1
• Encryption : 3DES
• Group : 2
• Authentication : Pre-share
• Pre-Shared Key (Rl ): cisco 11 Pre-Shared Key (R2): cisco222
IPSec Parameters
• Encryption : ESP-3DES
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
• Authentication : ESP-MD5-HMAC
• IKEv2 was first supported in IOS 15.1.IT with site-to-site.
• As this version is not available on the older 2600 and 3600 routers, they can't be configured
with IKEv2.
Initial Setup:
• Configure the IP Addresses based on the Diagram.
• Configure Default Routes on Rl , R2, towards R5. R5 is acting as the Internet.
• Ensure that Rl - R2 have reachability to their respective public IP used.
Configuring the IKEv2 Proposal (IKEv2 Proposal)
• An IKEv2 proposal is a collection of transforms used in the negotiation of IKE SAs as part of
the IKE_SA_INIT exchange.
• The transform types used in the negotiation are as follows:
Encryption algorithm
Integrity algorithm
Pseudo-Random Function (PRF) algorithm
Diffie-Hellman (DH) group
You must configure at least one encryption algorithm, one integrity algorithm, and one
DH group for the proposal to be considered incomplete.
The PRF algorithm is the same as the integrity algorithm, and hence, it is not configured
separately.
Multiple transforms can be configured and proposed by the initiator for encryption,
integrity, and group, of which one transform is selected by the responder.
When multiple transforms are configured for a transform type, the order of priority is
from left to right.
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Note
• Unlike IKEv1 , the authentication method and SA lifetime are not negotiable in IKEv2, and they
cannot be configured in the IKEv2 proposal.
• Though the crypto ikev2 proposal command looks similar to the IKEvl crypto isakmp policy
command, the IKEv2 proposal configuration supports specifying multiple options for each
transform type.
• IKEv2 proposals are named and not numbered during the configuration.
• Manually configured IKEv2 proposals must be linked with an IKEv2 policy; otherwise, the
proposals are not used in the negotiation.
• Cisco IOS Suite-B Support for IKEv2 Proposal
Note:
• The default IKEv2 proposal is used in the default IKEv2 policy.
• Perform this task to configure the proposals manually if you do not want to use the default
proposal.
• The default IKEv2 proposal requires no configuration and is a collection of commonly used
transforms types, which are as follows:
encryption aes-cbc-128 3des
integrity sha md5
group 5 2
IKEv2 Smart Defaults
The IKEv2 Smart Defaults feature minimizes the FlexVPN configuration by covering most of the
usecases. IKEv2 smart defaults can be customized for specific use cases, though this is not
recommended.
The following rules apply to the IKEv2 Smart Defaults feature:
A default configuration is displayed in the corresponding show command with default as
a keyword and with no argument. For example, the show crypto ikev2 proposal default
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
command displays the default IKEv2 proposal and the show crypto ikev2 proposal
command displays the default IKEv2 proposal, along with any user-configured proposals.
A default configuration is displayed in the show running-config all command; it is not
displayed in the show running-config command,
You can modify the default configuration, which is displayed in the show running-config
all command.
A default configuration can be disabled using the no form of the command; for
example, no crypto ikev2 proposal default. A disabled default configuration is not used
in negotiation but the configuration is displayed in the show running-config command. A
disabled default configuration loses any user modification and restores system-
configured values,
A default configuration can be reenabled using the default form of the command, which
restores system-configured values; for example, default crypto ikev2 proposal.
The default mode for the default transform set is transport; the default mode for all
other transform sets is tunnel.
we can create our own IKEv2 proposal parameters or use the default proposals.
Note:
• The default IKEv2 proposal is used in the default IKEv2 policy.
• Perform this task to configure the proposals manually if you do not want to use the default
proposal.
• The default IKEv2 proposal requires no configuration and is a collection of commonly used
transforms types, which are as follows:
encryption aes-cbc- 128 3des
integrity sha md5
group 5 2
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R1(config) ttcrypto ikev2 proposal IKEv2_PROP1
R1(config-ikev2-proposal) # integrity shal sha256 sha384 sha512
R1(config-ikev2-proposal) #group 5 2 14 15
R1(config-ikev2-proposal) # encryption 3des aesz-cbc-128 aes-cbc-256
R1(config-ikev2-proposal) #exit
R 1 (config) #crypto ikev2 policy IKEv2_POLICY1
RI (config-ikev2-policy) #proposal IKEv2_PROP1
R 1 (config-ikev2-policy) # exit
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Configuring the IKEv2 Keyring
• Perform this task to configure the IKEv2 keyring if the local or remote authentication method
is a preshared key.
• IKEv2 keyring keys must be configured in the peer configuration submode that defines a peer
subblock.
• An IKEv2 keyring can have multiple peer sub blocks.
• A peer subblock contains a single symmetric or asymmetric key pair for a peer or peer group
identified by any combination of hostname, identity, and IP address.
• You could use the same key on both the local and remote at both sides if you wanted to, have
the separate keys (site 1 -2 and site 2- 1) just make it a little more secure and give further
flexibility
R 1 (config) #crypto ikev2 keyring KR
RI (config-ikev2-keyring) # peer R2
R 1 (config-ikev2-keyring-peer) #address 25.0.0.2
R 1 (config-ikev2-keyring-peer) #pre-shared-key local cisco123
R 1 (config-ikev2-keyring-peer) #pre-shared-key remote cisco456
R 1 (config-ikev2-keyring-peer) #exit
RI (config-ikev2-keyring) #exit
R2(config) #crypto ikev2 keyring KR
R2(config-ikev2-keyring) # peer Rl
R2(config-ikev2-keyring-peer) # address 15.0.0.1
R2(config-ikev2-keyring-peer) #pre-shared-key local cisco123
R2(config-ikev2-keyring-peer) #pre-shared-key remote cisco456
R2(config-ikev2-keyring-peer) #exit
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Configuring the IKEv2 Profile
An IKEv2 profile is a repository of nonnegotiable parameters of the IKE SA (such as local
/remote identities and authentication methods) and the services available to the
authenticated peers that match the profile.
An IKEv2 profile must be configured and must be attached to either a crypto map or an
IPSec profile on both the IKEv2 initiator and responder
Use the command set ikev2-profile profile-name to attach the profile.
R1(config) #crypto ikev2 profile PROFILE_V2
R1(config-ikev2-profile) # match identity remote address 25.0.0.2 255.255.255.255
R1(config-ikev2-profile) # authentication local pre-share
R1(config-ikev2-profile) #authentication remote pre-share
RI (config-ikev2-profile) # keyring local KR
RI (config-ikev2-profile) #exit
R2(config) #crypto ikev2 profile PROFILE_V2
R2(config-ikev2-profile) #match identity remote address 15.0.0.1 255.255.255.255
R2(config-ikev2-profile) # authentication remote pre-share
R2(config-ikev2-profile) # authentication local pre-share
R2(config-ikev2-profile) # keyring local KR
R2(config-ikev2-profile) # exit
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R1(config) #crypto ipsec transform-set TR_SET esp-3des esp-md5-hmac
R11(cfg-crypto-trans) #exit
R2(config) #crypto ipsec transform-set TR_SET esp-3des esp-md5-hmac
R2(cfg-crypto-trans) #exit
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Match the interesting Traffic which need to be secured.
R 1 (config) # ip access-list extended INT_TR
R 1 (config-ext-nacl) # permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
RI (config-ext-nacl) # exit
R2(config) # ip access-list extended INT_TR
R2(config-ext-nacl) # permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
R2(config-ext-nacl) # exit
Configuring Crypto Map-Based IKEv2 Peers
R 1 (config) #crypto map CR_MAP 10 ipsec-isakmp
R 1 (config-crypto-map)#match address INT_TR
R 1 (config-crypto-map) #set peer 25.0.0.2
R 1 (config-crypto-map) # set transform-set TR_SET
R 1 (config-crypto-map) #set ikev2- profile PROFILE_V2
R 1 (config-crypto-map) #exit
R2(config) #crypto map CR MAP 10 ipsec-isakmp
R2(config-crypto-map)#match address INT_TR
R2(config-crypto-map) #set peer 15.0.0.1
R2(config-crypto-map) # set transform-set TR_SET
R2(config-crypto-map) # set ikev2-profile PROFILE_V2
R2(config-crypto-map) #exit
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Apply the Crypto-map to the interface:
R 1 (config) # int s 4/2
R 1 (config-if) # crypto map CR MAP
R 1 (config- if) # exit
R2(config) #int s 4/2
R2(config-if) #crypto map CR_MAP
R2(config-if) #exit
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
FlexVPN - IKEv2
VPN Options - Discussed
Crypto Maps
Are the initial/legacy solution with IPSec
Not scalable option ( define Interesting traffic for each site)
No support for multicast or Routing over IPsec VPN .
VTI
Runs IPsec over Tunnel P2p Interface.
Supports multicast & Routing protocols (without GRE)
DMVPN
Supports mGRE P2M tunnels build dynamically full mesh
Scalable solution.
Apply IPsec over DMVPN to provide Security
Easy VPN
Allows branch routers to behave as hardware clients that are centrally configured by a
VPN concentrator
Flexible VPN
Cisco's way of integrating all major VPNs into one Umbrella i.e. Flex-VPN or Unified
Overlay VPN
Common umbrella for all IKEv2 IPsec VPNs deployed on IOS routers
o Has technical benefits,but also marketing term
Single configuration approach for all VPN types. (Simplify the deployment of VPN)
Addresses the complexity of having multiple VPN deployments.
Combines
Site-to-site
Remote-access
Hub-and-Spoke topologies
PartialMesh( Spoke-to-Spoke Direct)
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
FlexVPN Capabilities
Flex VPN - Platform Support
FlexVPN Configuration uses IKEv2
IKEV2 was first supported in IOS 15/MT with site-to-site.
With GNS3 Practice
IKEV2 was first supported in IOS 15.1.1T with site-to-site.
7200 IOS Image - running15.1 ( or later IOS )
IOSv or IOU Image running later version of 15.1 Images.
Flex VPN - Site to Site - Feature Support
IKEv2 was first supportedinIOS 15.1.1T with site-to-site.
https://cfti.cloudappsxisco.com/ITDIT/CFN/isp/index.jsp
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Flex VPN - Site to Site
Configure a IPSEC Tunnel to encrypt traffic from R1 and R2 LAN networks.( 192.168.1.0/24
192.168.2.0/24)
IKEV2 Proposal Parameters (or use default)
Integrity : SHA1
Encryption : 3DES
Group: 2
Authentication : Pre-share
Pre-Shared Key (Rl):cisco123
Pre-Shared Key (R2):aws123
1. IKEV2 proposal(Hash, Encryption, Authentication) - use default one
2. IKEV2 Policy ( Peer, Proposal) - use default one
3. IKEV2 Key ring (only for PSK)
4. Configure IKEv2Profile (remote peer, Authentication method).
5. Define Interesting traffic,(if using Crypto-maps)
6. Configure Transform-set
7. Apply Crypto maps ( match transform-set, Peer, IKev2 Profile, Interesting Traffic)
IPSec Parameters
Encryption : ESP-3DES
Authentication : ESP-MDs-HMAC
Flex VPN - Site to Site - Building Blocks
1. IKEV2 proposal (Hash,Encryption, Authentication) - use default one
2. IKEV2 Policy ( Peer, Proposal) - use default one
3. IKEV2 Key ring(only for PSK)
4. Configure IKEv2Profile (remote peer, Authentication method).
5. Define Interesting traffic,(if using Crypto-maps)
6. Configure Transform-set
7. Apply Crypto maps ( match transform-set, Peer,IKev2 Profile, Interesting Traffic)
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Flex VPN - Site to Site - Configuration
1KEV2 proposal (Hash, Encryption, DH group)
Multiple entries can be configured ( Left to Right preferred)
Do not include Authentication Method & SA lifetime.
Rl(config)#crypto ikev2 proposal IKEv2_PROP1
Rl(config-ikev2-proposal)# integrity shal sha256 sha384 sha512
Rl(config-ikev2-proposal)#group 5 2 14 15
Rl(config-ikev2-proposal)# encryption 3des aes-cbc-128 aes-cbc-256
Rl(config-ikev2-proposaI)#exit
R1#show crypto ikev2 proposal
Flex VPN - Site to Site - Configuration
IKEV2 Policy
Controls which proposal is used per IPsec VPN tunnel.
Not exists in IKEv1
Default one exists can be used or we can create our own policy parameters.
IKEV2 proposal needs to be attached to Policy
Default IKEV2 proposal is used in the default IKEv2 policy.
Manually configured proposals must be associated to Policy (otherwise no
negotiation)
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Flex VPN - Site to Site -Configuration
IKEV2 Policy
Default one exists can be used or we can create our own policy parameters.
IKEV2 proposal needs to be attached to Policy.
Default IKEV2 proposal is used in the default IKEv2 policy.
Manually configured proposals must be associated to Policy (otherwise no
negotiation)
The proposals are prioritized in the order of listing (if multiple proposal configured)
Flex VPN -Site to Site - Configuration
IKEV2 Key ring
Used to define pre-shared keys for remote peer Authentication
Supports Symmetric or Asymmetric peer authentication
o Different pre-shared-keys for pre-shared-key authentication
o One side using pre-shared-key authentication and other side using PKI authentication
Mandatory if using PSK Authentication ( not for PKI)
In IKEv1 - this was called as ISAKMP keyring.
R1#sh run I sec crypto ikev2 keyring
Flex VPN -Site to Site Configuration
IKEV2 Profile
Same as IKEv1 ISAKMP Profile.
Used to define local/Remote Identifies & build tunnels (Authentication method, Peer
address)
Configure local & Remote Authentication method used (PSK or PKI)
o If using PSK, Key-ring should be attached
o If using PKI, Truspoint should be attached
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Flex VPN - Site to Site - Building Blocks
1. IKEV2 proposal (Hash, Encryption, Authentication) - use default one
2. IKEV2 Policy ( Peer, Proposal) - use default one
3. IKEV2 Key ring(only for PSK)
4. Configure IKEV2 Profile (remote peer, Authentication method).
5. Define Interesting traffic,(if using Crypto-maps)
6. Configure Transform-set
7. Apply Crypto maps ( match transform-set, Peer, IKev2 Profile,Interesting Traffic)
Flex VPN - Site to Site - Configuration
5) IPsec Configuration (same as IKEv1)
Configure Interesting traffic to apply IPSec.
Configure IPsec Transform-set
Apply Crypto maps ( match transform-set, Peer, IKev2 Profile, Interesting Traffic)
You have to bind the IKEv2 Profile at the crypto-map or IPsec profile level
Flex VPN - Site to Site - Verification
IKEV2 Configuration Verification
Verify IKEv2 policy # show crypto ikev2 policy
Verify IKEv2 proposal # show crypto ikev2 proposal
Verify IKEv2 keyring #show running-config section crypto ikev2
keyring
Verify IKEv2 profile # show crypto ikev2 profile
IPsec Configuration Verification
Verify IPsec transform-set # show crypto ipsec transform-set
Verify IPsec profile # show crypto ipsec profile
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Flex VPN -Site to Site - Verification & Troubleshooting
Session Verification
Verify IKEv2 SA
# show crypto ikev2 sa
# show crypto ikev2 sa detailed
# Show crypto Session
Verify IPsec SA
# show crypto ipsec sa
# show crypto ipsec sa detail
Verify IKEv2 and IPsec SA
# show crypto ikev2 session
# show crypto ikev2 session detailed
Session Troubleshooting
Troubleshoot the IKEv2 SA
# debug crypto ikev2
# debug crypto ikev2 packet
Troubleshoot the IPsec SA
# debug crypto ipsec
# debug crypto ipsec states
FlexVPN - Site-Site - Static VT
Simple way to configure Site to Site VPNs.
Uses logical tunnel interface - separate Traffic ( internet / remote site)
Does the exact same job as GRE with IPsec ( P2P tunnels) with Encrypted tunnels.
Also called as Native IPSec (not running GRE)
Allow routing protocols over tunnel interfaces.
VTIs simplify configuration of IPsec for protection of remote links.
Allows to configure ACL,NAT ,QoS more simplified way.
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Static VTI- IPSec with IKEv2
1. IKEV2 proposal(Hash,Encryption, Authentication)- use default
2. IKEV2 Policy ( Peer,Proposal) use default
3. IKEV2 Key ring(only for PSK)
4. Configure IKEv2Profile (remote peer, Authentication method).
Static VTI - IPsec with IKEV2
1. Configure Transform-set
2. Configure IPsec Profile ( Transform-set, IKEv2 Profile)
3. Create tunnel Interface P2P with IPsec Profile applied.
4. Routing Protocol - LAN to LAN Reachability
IKEV2 Configuration Verification
Verify IKEv2 policy # show crypto ikev2 policy
Verify IKEv2 proposal # show crypto ikev2 proposal
Verify IKEv2 keyring #show running-config section crypto ikev2
keyring
Verify IKEv2 profile # show crypto ikev2 profile
IPsec Configuration Verification
Verify IPsec transform-set # show crypto ipsec transform-set
Verify IPsec profile # show crypto ipsec profile
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
LAB - FlexVPN -Site to Site VPN - Static VTI
TASK
• Configure an IPSec tunnel to encrypt traffic from the R1 - R2 to encrypt traffic from the
192.168.1.0 /24 - network 192.168.2.0 /24 using IKEv2.
• Use Native IPSec Tunnel for this Lab.
• Use Default IKEv2 Proposal / IKEv2 Policy for IKE SA negotiation.
• Use IKEv2 Presharedkey For Authentication – cisco123 / cisco456 as Keys for R 1 / R2
Note:
• The default IKEv2 proposal is used in the default IKEv2 policy.
• Perform this task to configure the proposals manually if you do not want to use the default
proposal.
• The default IKEv2 proposal requires no configuration and is a collection of commonly used
transforms types, which are as follows:
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
encryption aes-cbc- 128 3des
integrity sha md5
group 5 2
Configuring the IKEv2 Keyring
R2(config) #crypto ikev2 keyring KR_R2
R2(config-ikev2-keyring) ttpeer R 1
R2(config-ikev2-keyring-peer) #gddress 15.0.0.1
R2(config-ikev2-keyring-peer) #pre-shgred-key locol cisco222
R2(config-ikev2-keyring-peer) #pre-shgred-key remote cisco111
R2(config-ikev2-keyring-peer) ttexit
R2(config-ikev2-keyring) #exit
R1(config) #crypto ikev2 keyring KR_R1
R1(config-ikev2-keyring) # peer R2
R1(config-ikev2-keyring-peer) #address 25.0.0.2
R1(config-ikev2-keyring-peer) # pre-shared-key local cisco111
R1(config-ikev2-keyring-peer) #pre-shared-key remote cisco222
R1(config-ikev2-keyring-peer) #exit
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Configuring the IKEv2 Profile
R1(config) ttcrypto ikev2 profile PROFILE_V2
R1(config-ikev2-profile) #match identity remote address 25.0.0.2 255.255.255.255
R1(config-ikev2-profile) #authentication local pre-share
R1(config-ikev2-profile) #authentication remote pre-share
R1(config-ikev2-profile) #keyring local KR R1
R1(config-ikev2-profile) #exit
R2(config) #crypto ikev2 profile PROFILE_V2
R2(config-ikev2-profile) #match identity remote address 15.0.0.1 255.255.255.255
R2(config-ikev2-profile)#authentication remote pre-share
R2(config-ikev2-profile) #authentication local pre-share
R2(config-ikev2-profile) #keyring local KR R2
R2(config-ikev2-profile) #exit
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Configure IPSEC Tranform-Set & IPSEC Profile
RI (config) #crypto ipsec transform-set TR_SET esp-3des esp-md5-hmac
RI (cfg-crypto-trans) #exit
RI (config) #crypto ipsec profile PR_R12
R 1 (ipsec-profile) #set transform-set TR_SET
RI (ipsec-profile) #set ikev2-profile PROFILE V2
RI (ipsec-profile) #exit
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R2(config) # crypto ipsec transform-set TR_SET esp-3des esp-md5-hmac
R2(cfg-crypto-trans) # exit
R2(config) # crypto ipsec profile PR_R12
R2(ipsec-profile) # set transform-set TR_SET
R2(ipsec-profile) # set ikev2-profile PROFILE_V2
R2(ipsec-profile) # exit
Configure Tunnel Interface (VTI ) on R1 / R2
RI (config) #interface tunnel 12
Rl (config-if)#ip address 10.0.12.1 255.255.255.0
RI (config-if) #tunnel source 15.0.0.1
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R 1 (config-if) #tunnel destination 25.0.0.2
RI (config-if) #tunnel mode ipsec ipv4
RI (config-if)#tunnel protection ipsec profile PR_R12
R 1 (config-if) #exit
R2(config) # interface tunnel 12
R2(config-if) # ip address 10.0.12.2 255.255.255.0
R2(config-if) # tunnel source 25.0.0.2
R2(config-if) # tunnel destination 15.0.0.1
R2(config-if) # tunnel mode ipsec ipv4
R2(config-if) # tunnel protection ipsec profile PR_R12
R2(config-if) # exit
TASK
• Configure EIGRP 100 Routing between R 1 and R2 to provide Reachability
between LAN networks.
R 1 (config) #router eigrp 100
R 1 (config-router) #network 10.0.0.0
R 1 (config-router) t#network 192.168.1.0
RI (config-router) #end
R2(config) #router eigrp 100
R2(config-router) #network 10.0.0.0
R2(config-router) #network 192.168.2.0
R2(config-router) #end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R2#ping 192.168.1.1 source 192.168.2.2 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/ 100), round-trip min/avg/max = 16 /28 /64 ms
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
FlexVPN - HUB- SPOKE Tunnels
IKEV1 FlexVPN - Hub & Spokes
This is like DMVPN Phase 4 ( using IKEv2)
Configuration difference with DMVPN (done under FlexVPN umbrella)
Hub & Spoke Tunnels
Similar to DMVPN Phase-1
Spokes uses Pont to Point Tunnels with HUB
N0 spoke to Spoke tunnels ( all traffic via HUB)
Hub uses DVTI interfaces instead of mGRE
Spokes use regular P2P tunnel interface.
Spoke to Spoke Tunnels
Similar to DMVPN Phase-2,3
Full Mesh tunnels can be built (between Spokes & HUB)
Hub & Spokes uses DVTI interfaces instead of mGRE
FlexVPN- DVTI Interface
Used instead of mGRE interfaces to support multiple VPN connections on logical
interface.
Interface virtual template used.
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Simplify the configuration when we have multiple remote Peers.
Default encapsulation is GRE ( depends on IOS)
Newer IOS have default encapsulation is AUTO (to support remote sites)
Crypto-map, SVTI/DVTI,GRE, FlexVPN client-server.
FlexVPN Client -Server ( replaces EasyVPN in IKEv1)
FlexVPN - Hub-Spokes Tunnels
Hub uses DVTI interface ( virtual template )
Spokes uses SVTI - P2P Tunnel interface ( tunnel Source & destination)
Spokes knows about the hub via P2P GRE
There is no more need for NHRP.
Hub dynamically learns about the spokes via DVTI configured on HUB.
Creates P2P Virtual access interfaces per spoke from DVTI.
Add IPsec for traffic protection IKEv2 is used for key management )
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
LAB - FLEXVPN - Hub - Spokes Tunnels
NOTE
• In a FlexVPN Hub and Spoke design spoke routers are configured with a normal static
VTI with the tunnel destination of the Hub’s IP address, the Hub however is configured
with a Dynamic VTI.
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
• The DVTI on the Hub router is not configured with a static mapping to the peer’s IP
address. The VTI on the Hub is created dynamically from a preconfigured tunnel
template “ virtual-template“ when a tunnel is initiated by the spoke router /pee.r
• The dynamic tunnel spawns a separate “ virtual-access” interface for each spoke tunnel,
inheriting the configuration from the cloned the template.
TASK:
• Confiure tunnels between HUB (R 1) and spokes (R2) using Hub and Spoke FlexVPN
Spokes Cofiauration (R2)
Step 1 -
• Specify some Loopback Interfaces to simulate LAN Subnets (LOOPBACK 1 )
• Loopback 0 (2.2.2.2J used for tunnel interface IP.
• Configure Dynamic Routing Protocol to provide LAN to LAN Reachability
R2(config) #int loopback 0
R2(config-if) #ip address 2.2.2.2 255.255.255.255
R2(config-if) #exit
R2(config) #int loopback 1
R2(config-if) #ip address 192.168.2.2 255.255.255.0
R2(config-if) #exit
NOTE - The above Loopback 1 (192.168.1.0/24) is simulating LAN Network in our example
R2(config) #router eigrp 100
R2(config-router) #network 2.2.2.2 0.0.0.0
R2(config-router) #network 192.168.2.0 0.0.0.255
R2(config-router) #exit
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Step 2 - Create a PSK Keyring
• Use address of 0.0.0.0 for lab purposes to match all peers
• Use symmetric PSK key for simplicity
R2(config) #crypto ikev2 keyring KEYRING
R2(config-ikev2-keyring) # peer R1
R2(config-ikev2-keyring-peer) # address 15.0.0.1
R2(config-ikev2-keyring-peer) # pre-shared-key local cisco134
R2(config-ikev2-keyring-peer)# pre-shared-key remote cisco1234
R2(config-ikev2-keyring-peer) # exit
R2(config-ikev2-keyring) #exit
Step 3 Create IKEv2 Profile & Specify
• Llocal identity of FQDN
• match any peer on the domain name
• Specify authentication PSK
• Specify the Keyring to use
R2(config) #crypto ikev2 profile IKEV2_PROFILE
R2(config-ikev2-profile) # match identity remote address 15.0.0.1 255.255.255.255
R2(config-ikev2-profile)# authentication remote pre-share
R2(config-ikev2-profile) # authentication local pre-share
R2(config-ikev2-profile) # keyring local KEYRING
R2(config-ikev2-profile) #end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Step 4 - Create IPSec Profile
• Set IKEv2 Profile
• Use default Transform set will be used so no need to specify
R2 (config) #Crypto ipsec profile IPSEC_PROFILE
R2(ipsec-profile) # set ikev2-profile IKEV2_PROFILE
R2(ipsec-profile)#end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Step 5 Create a SVTI
• Use Lo0 as tunnel interface
• Specify tunnel source
• Tunnel destination as Hub's WAN IP (15.0.0.1)
• Specify IPSec Profile
R2(config) #interface tunnel0
R2(config- if) # ip unnumbered loopback 0
R2(config-if) # tunnel source Se4/1
R2(config-if) # tunnel destination 15.0.0.1
R2(config-if) # tunnel protection ipsec profile IPSEC_PROFILE
R2(config-if) #end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Hub (R1) Configuration
Step 1 –
• Loopback 0 (1.1.1.1 ) used for virtual Interface IP (virtual template )
• Configure Dynamic Routing Protocol
R1(config) #interface loopback 0
R1(config-if) #ip address 1.1.1.1 255.255.255.255
R1(config-if) #exit
R1(config) #int loopback 1
R1(config-if) #ip address 192.168.1.1 255.255.255.0
R1(config-if) #end
R1(config) #router eigrp 100
R1(config-router) #network 1.1.1.1 0.0.0.0
R1(config-router) #network 192.168.1.0 0.0.0.255
R1(config-router) #end
Step 2 - Create a Tunnel Template
• Tunnel of source WAN interface se4/0
• use Loopback 0 as IP for Tunnel
R 1 (config) #interface virtual-template 1 type tunnel
R 1 (config-if) #tunnel source Se4/0
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R 1 (config-if) #ip unnumbered loopback 0
R 1 (config-if) #end
Step-4 Create IKEv2 Profile & Specify
• Local identity of FQDN
• match any peer on the domain name
• Specify authentication PSK
• Specify the Keyring to use
• Specify the Virtual Template to clone
R1(configj #crypto ikev2 profile IKEV2_PROFILE
R1(config-ikev2-profile) # match identity remote address 25.0.0.2 255.255.255.0
R1(config-ikev2-profile) # authentication remote pre-share
R1(config-ikev2-profile) # authentication local pre-share
R1(config-ikev2-profile) # keyring local KEYRING
R1(config-ikev2-profile) # virtual-template 1
R1(config-ikev2-profile) #end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Step 5 - Create IPSec Profile
• Set IKEv2 Profile
• Use default Transform set will be used so no need to specify
R1(config) #crypto ipsec profile IPSEC_PROFILE
R1(ipsec-profile) # set ikev2-profile IKEV2_PROFILE
R1(ipsec-profile)#end
Step 6 - Specify the IPSec Profile on the Tunnel Template
R1(config) #interface virtual-template 1 type tunnel
R1 (config- if) # tunnel protection ipsec profile IPSEC_PROFILE
R1(config-if)#end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
LAB - FLEXVPN - Hub - Spokes Tunnels - Multiple Sites
TASK
• Continue with the configuration based on the Previous Lab
• RJ is HUB and R2 is already configured as Spoke
• Configure R3 and R4 as Spokes ( similar to R2)
• Ensure that all spokes & Hub have rechability to LAN interfaces ( Loopback1)
• Configure tunnels between HUB (Rl ) and spokes (R3/R4 ) using Hub and Spoke FlexVPN
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
• Configure R3 and R4 as Spokes ( similar to R2)
• Ensure that all spokes & Hub have rechability to LAN interfaces ( Loopback 1)
Spokes Cofiguration (R3- R4)
Step 1 -
• Specify some Loopback Interfaces to simulate LAN Subnets (LOOPBACK 1 )
• Loopback 0 (3.3.3.3 / 4.4.4.4 ) used for tunnel interface IP.
• Configure Dynamic Routing Protocol to provide LAN to LANReachability
R3 (config) #int loop 0
R3 (config-if)#ip add 3.3.3.3 255.255.255.255
R3 (config-if) #int loop 1
R3 (config-if) #ip add 192.168.3.3 255.255.255.0
R3 (config-if) #router eigrp 100
R3 (config-router) #network 3.3.3.3 0.0.0.0
R3 (config-router) #network 192.168.3.0 0.0.0.255
R3 (config-router) #end
R4(config) #int loop 0
R4(config-if) #ip add 4.4.4.4 255.255.255.255
R4(config-if) #int loop 1
R4(config-if) #ip add 192.168.4.4 255.255.255.0
R4(config-if) #router eigrp 100
R4(config-router) #network 4.4.4.4 0.0.0.0
R4(config-router) #network 192.168.4.0 0.0.0.255
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Step 2 - Create a PSK Keyring
• Use address of 0.0.0.0 for lab purposes to match all peers
• Use symmetric PSK key for simplicity
R3 / R4
Rx(config) #crypto ikev2 keyring KEYRING
Rx(config-ikev2-keyring) # peer R1
Rx(config-ikev2-keyring-peer) # address 15.0.0.1
Rx(config-ikev2-keyring-peer) # pre-shared-key local ciaco1234
Rx(config-ikev2-keyring-peer)# pre-shared-key remote cisco1234
Rx(config-ikev2-keyring-peer) # exit
R2(config-ikev2-keyring) #exit
Step 3 Create IKEv2 Profile & Specify
• Local identity of FQDN
• match any peer on the domain name
• Specify authentication PSK
• Specify the Keyring to use
R3 / R4
R3 (config) #crypto ikev2 profile IKEV2_PROFILE
R3 (config-ikev2-profile) # match identity remote address 15.0.0.1255.255.255.255
R3 (config-ikev2-profile)# authentication remote pre-share
R3 (config-ikev2-profile) # authentication local pre-share
R3 (config-ikev2-profile) # keyring local KEYRING
R3 (config-ikev2-profile) #exit
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Step 4 - Create IPSec Profile
• Set IKEv2 Profile
• Use default Transform set will be used so no need to specify
R3 / R4 ( SPOKES)
Rx(config)#Crypto ipsec profile IPSEC_PROFILE
Rx(ipsec-profile) # set ikev2-profile IKEV2_PROFILE
Rx(ipsec-profile) #exit
R4(config) # end
Step 5 Create a SVTI
• Use Lo0 as tunnel interface
• Specify tunnel source
• Tunnel destination as Hub’s WAN IP (15.0.0.1)
• Specify IPSec Profile
R3 / R4
Rx(config) #interface tunnelO
Rx(config-if) # ip unnumbered loopback 0
Rx(config-if) # tunnel source gigabitethernet 0/0
Rx(config-if) # tunnel destination 15.0.0.1
Rx(config-if) # tunnel protection ipsec profile IPSEC_PROFILE
R4(config-if) #en
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R1(config) #crypto ikev2 keyring KEYRING
R1(config-ikev2-keyring) # peer R3
R1(config-ikev2-keyring-peer) #address 35.0.0.3
R1(config-ikev2-keyring-peer) # pre-shared-key local cisco1234
R1(config-ikev2-keyring-peer) # pre-shared-key remote cisco1234
R1(config-ikev2-keyring-peer) #exit
R1(config-ikev2-keyring) #peer R4
R1(config-ikev2-keyring-peer) #address 45.0.0.4
R1(config-ikev2-keyring-peer) # pre-shared-key local cisco1234
R1(config-ikev2-keyring-peer) # pre-shared-key remote cisco1234
R1(config-ikev2-keyring-peer) #end
R 1 (configj #crypto ikev2 profile IKEV2_PROFILE
R 1 (config-ikev2-profile) # match identity remote address 35.0.0.3
255.255.255.255
R 1 (config-ikev2-profile) # match identity remote address 45.0.0.4
255.255.255.255
R 1 (config-ikev2-profile) #end
R4#ping 192.168.1.1 source 192.168.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.4
mu
Success rate is 100 percent (5 /5), round-trip min/avg/max = 44/67/ 119 ms
R4#traceroute 192.168.2.2
Type escape sequence to abort.
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Tracing the route to 192.168.2.2
VRF info: (vrf in name/id, vrf out name/id)
1 1.1 .1.1 115 msec 60 msec 50 msec
2 2.2.2.2 87 msec 77 msec 91 msec
R4#traceroute 192.168.3.3
Type escape sequence to abort.
Tracing the route to 192.168.3.3
VRF info: (vrf in name/ id, vrf out name/ id)
1 1.1 .1.1 107 msec 93 msec 35 msec
2 3.3.3.3 96 msec 81 msec 130 msec
R4#
R3#traceroute 192.168.4.4 source 192.168.3.3
Type escape sequence to abort.
Tracing the route to 192.168.4.4
VRF info: (vrf in name/id, vrf out name/id)
1 1.1 .1.1 93 msec 35 msec 36 msec
2 4.4.4.4 54 msec 57 msec 71 msec
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
FLEX VPN HUB & SPOKES
FlexVPN Authorization
Provides a policy for an authenticated session by using the AAA.
Provides policy attributes for an IKEv2/IPsec session based on the authenticated peer
IKE identity.
• IP address, DNS, Domain name, routes etc.
• Spokes will dynamically be assigned IP addresses by the hub from the same subnet
as itself
• IKEv2 routing (mainly used in FlexVPN client-server)
Push authorization attributes to remote-access clients (from local configuration or
remote RADIUS server)
IP address, DNS and WiNS servers.
FlexVPN Hub-Spoke Routing issues
On HUB, ip unnumbered command is always needed for DVTI
• DVTIs statically configured IP address on the virtual-template, it is not cloned to the
virtual-access.
If the spokes are using a static IP address on GRE tunnel
• IGP adjacency cannot work.
• BGP will work.
FlexVPN Hub-Spoke Routing Solutions
Use static IP addresses in same subnet on both hub and spokes
• IGP adjacency will also work
Use IP unnumbered on both Hub and spokes
• IGP adjacency will also work ( even if on different subnets)
• Disables IGP verification of same subnets.
Use IKEV2 Authorization policy
• Spokes will dynamically be assigned IP addresses by the hub
• IP can be from same/different subnet.
• IKEV2 authorization policy (a default one exists)
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
IKEV2 Authorization Policy
IKEv2 authorization policy default role
Inject a /32 route into peer's routing table for local IP address at the tunnel level.
Happens through Configuration Exchange messages.
IKEv2 authorization policy additional roles
IKEV2 routing (mainly used in FlexVPN client-server)
Push authorization attributes to remote-access clients (from local configuration or
remote RADIUS server)
• IP address, DNS and WINS servers, Domain-name etc.
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
LAB - IKEv2 Authorization Policy
TASK
• Continue based on the previous lab configurations ( R 1 HUB -SPOKES tunnels built )
• Configure Local pool on HUB (R 1) with IP range - 1.1.1.2 - 1.1.1.10
• Ensure the Spokes should get tunnel IP from pool configured on HUB using IKEv2
Authorization Policy
TASK
• Configure Local pool on HUB (Rl ) with IP range - 1.1.1.2 - 1.1 .1.10
• Ensure the Spokes should get tunnel IP from pool configured on HUB using IKEv2
Authorization Policy.
R1(config) #aaa new-model
R1(config) #aaa authorization network default local
Rl (config) #ip local pool FLEX_POOL 1.1.1.2 1.1 .1.10
R1(config) #crypto ikev2 authorization policy AUTH_POLICY1
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R1(config-ikev2-author-policy ) #pool FLEX_POOL
R1(config-ikev2-author-policy) #route set interface
R1(config-ikev2-author-policy) #exit
R1(config) #end
R1(config) #crypto ikev2 profile IKEV2_PROFILE
R1(config-ikev2-profile)#aaa authorization group override psk list AUTH_POLICY1
AUTH_POLICY1
R1(config-ikev2-profile) #end
SPOKES Configuration (R2/R3/R4 )
Rx(config) #aaa new-model
Rx(config) #aaa authorization network default local
Rx(config) # crypto ikev2 authorization policy AUTH_POLICY 1
Rx(config-ikev2-author-policy ) # route set interface
Rxfconfig-ikev2-author-policy ) #exit
Rx(config) #crypto ikev2 profile IKEV2_PROFILE
Rx(config-ikev2-profile)#aaa authorization group override psk list AUTH_POLICY1
AUTH_POLICY1
Rx(config-ikev2-profile)#end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Rx(config) # interface tunnel 0
Rx(config-if) #shutdown
Rx(config-if) #ip address negotiated
Rx(config-if) #no shutdown
Rx(config-if) #end
TASK
• Configure EIGPR 100 to advertise 1.1 .1.0/24) to ensure all routers can
exchanges routes.
• Other routes are already advertised in the previous LAB.
On all routers
R1(config) #router eigrp 100
R1(config-router) # network 1.1.1.0 0.0.0.255
R1 (config-router) #end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
FlexVPN - Spokes to Spokes Tunnels
Still DMVPN Phase 4
We also want spoke-to-spoke direct tunnel.
Like in DMVPN Phase 3.
Hub still uses DVTI interface instead of mGRE interface
Spokes still uses a regular point-to-point GRE interface for connection to hub
Spokes will additionally use DVTI for spoke-to-spoke tunnel formation
FlexVPN - Spokes to Spokes Tunnels - Configuration
HUB Configuration
Configure Local Pool (to assign IP on remote Spokes)
Configure AAA Authorization Policy (used in IKEv2 Profile)
Configure IKEv2 as in previous examples
• IKEV2 Proposal (use default)
• IKEV2 Policy (use default)
• IKEV2 Keyring (if using PSK)
• IKEV2 Profile (identity / Authentication/ Virtual-template Authorization Policy /
Authorization Policy )
Configure IPsec as in previous examples
• Transform-set (ESP-Encryption-Hashing) (default)
• IPSEC Profile ( Transform-set / Ikev2 Profile)
Configure Virtual-template Interface (DVTI/NHRP)
Apply IPsec Profile P2P interface (DVTI)
Configure Routing ( any IGP /BGP / Static )
SPOKES Configuration
Configure AAA Authorization Policy (used in IKEv2 Profile)
Configure IKEv2 as in previous examples
• IKEV2 Proposal (use default)
• IKEV2 Policy (use default)
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
• IKEV2 Keyring (if using PSK)
• IKEV2 Profile (identity / Authentication / Authorization Policy)
Configure IPsec as in previous examples
• Transform-set (ESP-Encryption-Hashing) (default)
• IPSEC Profile ( Transform-set / Ikev2 Profile)
Configure SVTI - Tunnel Interface (SVTI / NHRP ) Spoke to Hub
Configure Virtual-template Interface (DVTI / NHRP ) -Spoke to Spoke
Apply IPsec Profile P2P interface (DVTI / SVTI)
Configure Routing ( any IGP /BGP / Static )
FlexVPN - Spokes to Spokes Tunnels - Verification
IKEV2 Configuration Verification
Verify IKEv2 policy # show crypto lkev2 policy
Verify IKEv2 proposal # show crypto lkev2 proposal
Verify IKEv2 keyring #show running-configIsection crypto ikev2 keyring
Verify IKEv2 profile # show crypto Ikev2 profile
IPsec Configuration Verification
Verify IPsec transform-set # show crypto ipsec transform-set
Verify IPsec profile # show crypto ipsec profile
FlexVPN - Spokes to Spokes Tunnels - Verification
Session Verification
Verify IKEv2 SA
# show crypto ikev2 sa
# show crypto ikev2 sa detailed
# Show crypto Session
Verify IPsec SA
# show crypto ipsec sa
# show crypto ipsec sa detail
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Verify IKEv2 and IPsec SA
# show crypto ikev2 session
# show crypto ikev2 session detailed
Session Troubleshooting
Troubleshoot the IKEv2 SA
# debug crypto ikev2
# debug crypto ikev2 packet
Troubleshoot the IPsec SA
# debug crypto ipsec
# debug crypto ipsec states
NHRP Resolution Request and Reply in FlexVPN
The hub determines that ingress and the egress interfaces (virtual access interfacel and
virtual access interface2) belong to same NHRP network (network D configured on both
the interfaces),
The hub sends out an NHRP redirect message to spoken on virtual access interfacel.
On receiving the redirect, Spokel initiates a resolution request for SPoke2 LAN over the
point-to-point tunnel interface
The resolution request traverses the routed path (Spokel-hub-spoke2)
Spoke2 receives the resolution request on the tunnel interface and retrieves the virtual
template number from the tunnel interface.
Spoke 2 create the virtual access interface to start a crypto channel and establishes
IKEv2 and IPsec security associations (SAs).
Spoke2 installs the necessary NHRP cache entries for Spokel and its network under the
newly created virtual access interface
• and sends out the resolution reply over the virtual access interface.
After receiving the resolution request over the virtual access interface, Spokel installs
the necessary cache entries for Spoke2 and its network.
Spoke 1 also deletes the temporary cache entry pointing to the hub to resolve the
network under tunnel interface.
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
LAB: FLEXVPN - Spoke To Spoke Tunnels
TASK
Configure FlexVPN to build full mesh spoke to spoke tunnels beween R1 -R2-R3-
R4 ( R1 as HUB)
R 1#ping 25.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 25.0.0.2, timeout is 2 seconds:
IIIII
Success rate is 100 percent (5 /5), round-trip min/avg/max = 4 /23 /47 ms
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R1(config) #int loopback 1
R1(config-if) #ip add 192.168.1.1 255.255.255.0
R1(config-if) #exit
R1(config-if) #int loop 123
R1(config-if) #ip add 10.0.123.1 255.255.255.0
Configure a Local Pool to assign IP on remote Spokes ( use 10.0.123.0 /24
subnet)
R1(config) #ip local pool FLEX_POOL 10.0.123.2 10.0.123.10
R1(config) #aaa new-model
R1(config) #aaa authorization network default local
R1(config) #end
R1(config) #crypto ikev2 authorization policy AUTH_POLICY1
R1(config-ikev2-author-policy) #pool FLEX_POOL
R1(config-ikev2-author-policy) #route set interface
R1(config-ikev2-author-policy) #exit
R1(config) #end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Configure Phase – 1
R1(config)#crypto ikev2 keyring KR_123
R1(config-ikev2-keyring)#peer ANY_PEER
R1(config-ikev2-keyring-peer)#address 0.0.0.0
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco1234
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco1234
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#exit
R1(config) #crypto ikev2 profile IKEV2_PROFILE1
R1(config-ikev2-profile)#match identity remote address 0.0.0.0 0.0.0.0
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#authentication local pre-share
R1(config-ikev2-profile)# keyring local KR_123
R1(config-ikev2-profile)# aaa authorization group override psk list AUTH_POLICY1
AUTH_POLICY1
R1(config-ikev2-profile)#virtual-template 1
R1(config-ikev2-profile)#exit
R1(config) #end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
Configure Phase -2 ( IPSEC Transformset / IPSEC Profile)
R1(config)#crypto ipsec transform-set TR_SET esp-aes esp-md5-hmac
R1(cfg-crypto-trans) #exit
R1(config) #crypto ipsec profile IPSEC_PROFILE1
R (ipsec-profile)#set transform-set TR_SET
R1(ipsec-profile)#set ikev2-profile IKEV2_PROFILE1
R1(ipsec-profile)#exit
R1(config) interface Virtual -Template 1 type tunnel
R1(config-if) #ip unnumbered Loopback123
R1(config-if) #tunnel source S4/0
R1(config-if) #ip nhrp network-id 1
R1(config-if) #ip nhrp redirect
R1(config-if) #tunnel protection ipsec profile IPSEC_PROFILE1
R1(config- if) #end
On all Spokes (R2 /R3 / R4)
R4(config)# aaa new-model
R4(config)# aaa authorization network default local
R4 (config)# crypto ikev2 authorization policy AUTH_POLICY1
R4(config-ikev2-author-policy)# route set interface
R4(config-ikev2-author-policy)# exit
R4 (config)# end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R4(config) #crypto ikev2 keyring KR_123
R4(config-ikev2-keyring) #peer ANY_PEER
R4(config-ikev2-keyring-peer)#address 0.0.0.0
R4(config-ikev2-keyring-peer)#pre-shared-key local cisco1234
R4(config-ikev2-keyring-peer)#pre-shared-key remote cisco1234
R4(config-ikev2-keyring-peer)#exit
R4(config-ikev2-keyring) #exit
R4(config) #crypto ikev2 profile IKEV2_PROFILE1
R4(config-ikev2-profile) #match identity remote address 0.0.0.0
R4(config-ikev2-profile) #authentication remote pre-share
R4(config-ikev2-profile) #authentication local pre-share
R4(config-ikev2-profile) #keyring local K_123
R4(config-ikev2-profile) # aaa authorization group override psk list
AUTH_POLICY1 AUTH_POLICY1
R4(config-ikev2-profile) #exit
Configure PHASE-2 ( IPSEC Configuration)
R4(configj #crypto ipsec transform-set TR_SET esp-aes esp-md5-hmac
R4(cfg-crypto-trans) #exit
R4(config)#crypto ipsec profile IPSEC_PROFILE1
R4(ipsec-profile)#set transform-set TR_SET
R4 (ipsec-profile)#set ikev2-profile IKEV2_PROFILE1
R4 (ipsec-profile)#end
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R4(config) #interface Tunnel 12
R4(config-if)#ip address negotiated
R4(config-if)#tunnel source se4/3
R4(config-if)#tunnel destination 15.0.0.1
R4(config-if)#ip nhrp network-id 1
R4(config-if)#ip nhrp shortcut virtual-template 23
R4(config-if)# tunnel protection ipsec profile IPSEC_PROFILE1
R4(config-if)#exit
R4(config) ttint virtual-template 23 type tunnel
R4(config-if) # IP unnumbered tunnel 12
R4(config-if) #tunnel source se4/3
R4(config-if) #ip nhrp network-id 1
R4(config-if) #ip nhrp shortcut virtual-template 23
R4(config-if) #tunnel protection ipsec profile IPSEC_PROFILE1
R4(config-ifj #exit
TASK Configure EIGRP 100 Routing to provide LAN to LAN rechability
R2(config) # router eigrp 100
R2(config-roufer) #network 10.0.123.0 0.0.0.255
R2(config-router) # network 192.168.2.0
R2(config-router) # exit
R2(config) #
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
CCNP Security:SVPN – FlexVPN : Part 3
R3 (config) # router eigrp 100
R3 (config-router) # network 10.0.123.0 0.0.0.255
R3 (config-router) # network 192.168.3.0
R3 (config-router) # exit
R4(config) # router eigrp 100
R4(config-router) # network 10.0.123.0 0.0.0.255
R4(config-router) # network 192.168.4.0
R4(config-router) # exit
R1(config) # router eigrp 100
R1(config-router) # network 10.0.123.0 0.0.0.255
R1(config-router) # network 192.168.1.0
R1(config-router) # end
R1# ping 192.168.4.4 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
Success rate is 100 percent (5 /5), round-trip min/avg/max = 43 /54 /72 ms
END OF PART 3
Whatsapp/Call: +91 7567504045 (INDIA) | Mail: [email protected] |www.hazynetwork.com
You might also like
- Specificatii Tehnice Motorola TETRA MTH 800No ratings yetSpecificatii Tehnice Motorola TETRA MTH 80010 pages
- The World's Most Trusted Free PDF Viewer: Take The Work Out of Paperwork - For FreeNo ratings yetThe World's Most Trusted Free PDF Viewer: Take The Work Out of Paperwork - For Free2 pages
- Configuring Multiple Default Routes On Juniper SRX Using Routing InstancesNo ratings yetConfiguring Multiple Default Routes On Juniper SRX Using Routing Instances7 pages
- 6.2.1 Packet Tracer - Configure IPv4 and IPv6 Static and Default Routes - ILMNo ratings yet6.2.1 Packet Tracer - Configure IPv4 and IPv6 Static and Default Routes - ILM4 pages
- Tema: " Algoritmul de Criptare/decriptare TEA"No ratings yetTema: " Algoritmul de Criptare/decriptare TEA"5 pages
- Configuring Cisco Site To Site Ipsec VPN With Dynamic Ip Endpoint Cisco RoutersNo ratings yetConfiguring Cisco Site To Site Ipsec VPN With Dynamic Ip Endpoint Cisco Routers8 pages
- Design and Simulation of VoIP System For Campus Usage A Case Study at PTUNo ratings yetDesign and Simulation of VoIP System For Campus Usage A Case Study at PTU5 pages
- Nortel Switch 5500 Series-Security - ConfigurationNo ratings yetNortel Switch 5500 Series-Security - Configuration304 pages
- Ghid 1.1.2 ORIGINAL 04.05.2018 CompressedNo ratings yetGhid 1.1.2 ORIGINAL 04.05.2018 Compressed38 pages
- Intrebari Si Raspunsuri CISCO Capitolul 8No ratings yetIntrebari Si Raspunsuri CISCO Capitolul 814 pages
- CCNA Practical Studies - Recommendations and Methodology - InformITNo ratings yetCCNA Practical Studies - Recommendations and Methodology - InformIT2 pages
- CCNA I - Cap 11 - Intrebari (Cu RaspunsuriNo ratings yetCCNA I - Cap 11 - Intrebari (Cu Raspunsuri10 pages
- Instalallation Manual Controllers KS 1012 - 24 RS - IP100% (1)Instalallation Manual Controllers KS 1012 - 24 RS - IP36 pages
- Wireless Communication Using Hc-05 Bluetooth Module Interfaced With ArduinoNo ratings yetWireless Communication Using Hc-05 Bluetooth Module Interfaced With Arduino4 pages
- iTM/CPS Plus Feature User Guide: November 2021No ratings yetiTM/CPS Plus Feature User Guide: November 202137 pages
- SJ-20101126132257-012-ZXA10 C220 (V1.2.1) xPON Optical Access Convergence Equipment Command Reference (Volume II)No ratings yetSJ-20101126132257-012-ZXA10 C220 (V1.2.1) xPON Optical Access Convergence Equipment Command Reference (Volume II)302 pages
- 15.1. Addressable Manual Call Points Securiline ExtendedNo ratings yet15.1. Addressable Manual Call Points Securiline Extended1 page
- Exam Viewer - Dhomesb Chapter 1 - Ccna Discovery: Networking For Home and Small Businesses (Version 4.0)No ratings yetExam Viewer - Dhomesb Chapter 1 - Ccna Discovery: Networking For Home and Small Businesses (Version 4.0)3 pages
- Manual de Utilizare Sistem de Control AccesNo ratings yetManual de Utilizare Sistem de Control Acces16 pages
- Waste Management Development: European ProjectsNo ratings yetWaste Management Development: European Projects25 pages
- Configuring Site To Site IPSec VPN Tunnel Between Cisco RoutersNo ratings yetConfiguring Site To Site IPSec VPN Tunnel Between Cisco Routers7 pages
- Ikev2 Message Exchange in Congestion With Ikev1No ratings yetIkev2 Message Exchange in Congestion With Ikev14 pages
- Difference Between Ikev1 and Ikev2 Key ExchangeNo ratings yetDifference Between Ikev1 and Ikev2 Key Exchange2 pages
- Introduction To Flexvpn: Configuring Internet Key Exchange Version 2 (Ikev2) and Flexvpn Remote AccessNo ratings yetIntroduction To Flexvpn: Configuring Internet Key Exchange Version 2 (Ikev2) and Flexvpn Remote Access4 pages
- Study Guide Cisco 300-730 SVPN Implementing Secure Solutions with Virtual Private NetworksFrom EverandStudy Guide Cisco 300-730 SVPN Implementing Secure Solutions with Virtual Private NetworksNo ratings yet
- Cambridge International Examinations: 0417/13 Information and Communication TechnologyNo ratings yetCambridge International Examinations: 0417/13 Information and Communication Technology16 pages
- Flexcel Reports Designers Guide: Tms SoftwareNo ratings yetFlexcel Reports Designers Guide: Tms Software37 pages
- Computer Organization and Assembly Language: Lecture 5 & 6 Computer Arithmetic Integer Representation, Integer ArithmeticNo ratings yetComputer Organization and Assembly Language: Lecture 5 & 6 Computer Arithmetic Integer Representation, Integer Arithmetic29 pages
- GTD2000-Tx Instruction Manual: Revision: 1No ratings yetGTD2000-Tx Instruction Manual: Revision: 144 pages
- 09 - File Processing Versus Database Management SystemsNo ratings yet09 - File Processing Versus Database Management Systems4 pages
- Implementing EHR in Nigeria: Potential Challenge and BenefitsNo ratings yetImplementing EHR in Nigeria: Potential Challenge and Benefits5 pages
- A Novel Approach To Avoid Block Resynthesis For Big Functional/Backend EcosNo ratings yetA Novel Approach To Avoid Block Resynthesis For Big Functional/Backend Ecos7 pages
- Shell Script Guide For Red Teams - by CodelivlyNo ratings yetShell Script Guide For Red Teams - by Codelivly50 pages
- Compal Confidential: Schematics Document Mobile Merom uFCPGA With Intel Crestline - GM/PM+ICH8-M Core Logic IGT10/11No ratings yetCompal Confidential: Schematics Document Mobile Merom uFCPGA With Intel Crestline - GM/PM+ICH8-M Core Logic IGT10/1148 pages
- Develop and Use Complex Spreadsheets Module Main100% (1)Develop and Use Complex Spreadsheets Module Main38 pages
- Agile Web Development With Rails 6 1st Edition Sam Ruby All Chapter Instant Download100% (3)Agile Web Development With Rails 6 1st Edition Sam Ruby All Chapter Instant Download54 pages
- P2 - Tutorial 6 - Trigonometric Identities and EquationsNo ratings yetP2 - Tutorial 6 - Trigonometric Identities and Equations4 pages
