
Faizan Naik Security in Computing IT21066

Practical 8
Aim: Configure and verify a Site-to-Site IPsec VPN using the CLI
Topology

Assign IP Address to Router1



Assign IP Address to Router2



Assign IP Address to Router3

Assign IP to Laptop 1
Assign IP to Laptop 2

Assign IP to Laptop 3

Configure RIP on Router1

Configure RIP on Router2



Configure RIP on Router3

Enable the Security Technology package on Router 1 and Router 3


Router1>show version
The end of this command's output (the technology package section below) is the same on both routers:

Technology Package License Information for Module:'c1900'

----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security disable None None
data disable None None

Configuration register is 0x2102

ENABLE SECURITY TECHNOLOGY PACKAGE ON ROUTER 1 AND ROUTER 3


Router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#license boot module c1900 technology-package securityk9

ACCEPT? [yes/no]: yes


% use 'write' command to make license boot config take effect on next boot

Router1(config)#: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C1900 Next reboot level = securityk9 and License = securityk9

Router1(config)#exit
Router1#
%SYS-5-CONFIG_I: Configured from console by console
reload
System configuration has been modified. Save? [yes/no]:yes

AFTER THE RELOAD, RE-RUN THE show version COMMAND

License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO1941/K9 FTX1524CHY3-

Technology Package License Information for Module:'c1900'


----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Evaluation securityk9
data disable None None

SAME PROCESS FOR ROUTER 3


CONFIGURE ACL, IKE PHASE 1 ISAKMP POLICY AND IKE PHASE 2 IPSEC POLICY ON ROUTER 1

Router1>en
Router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption aes 256
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 5
Router1(config-isakmp)#crypto isakmp key vpnpwd address 10.2.2.1
Router1(config)#crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
Router1(config)#crypto map vpn-map 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router1(config-if)#description vpn connection to routwe3
Router1(config-if)#crypto isakmp key vpnpwd address 10.2.2.1
A pre-shared key for address mask 10.2.2.1 255.255.255.255 already exists!
Router1(config)#crypto map vpn-map 10 ipsec-isakmp
Router1(config-crypto-map)#description vpn connection to routew3
Router1(config-crypto-map)#set peer 10.2.2.1
Router1(config-crypto-map)#set transform-set vpn-set
Router1(config-crypto-map)#match address 110
Router1(config-crypto-map)#exit
Router1(config)#interface se0/0/0
Router1(config-if)#crytpo map vpn-map
^
% Invalid input detected at '^' marker.
Router1(config-if)#crypto map vpn-map
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Router1(config-if)#

CONFIGURE ACL, IKE PHASE 1 ISAKMP POLICY AND IKE PHASE 2 IPSEC POLICY ON ROUTER 3
Router3>en
Router3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Router3(config)#crypto isakmp policy 10
Router3(config-isakmp)#encryption aes 256
Router3(config-isakmp)#authentication pre-share
Router3(config-isakmp)#group 5
Router3(config-isakmp)#exit
Router3(config)#crypto isakmp key vpnpwd address 10.1.1.1
Router3(config)#crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
Router3(config)#crypto map vpn-map 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router3(config-crypto-map)#description vpn connection to router1
Router3(config-crypto-map)#set peer 10.1.1.1
Router3(config-crypto-map)#set transform-set vpn-set
Router3(config-crypto-map)#match address 110
Router3(config-crypto-map)#exit
Router3(config)#interface se0/0/0
Router3(config-if)#crypto map vpn-map
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

VERIFY THE WORKING OF THE IPSEC VPN FOR INTERESTING TRAFFIC ON ROUTER 1 (show crypto ipsec sa)


BEFORE PINGING FROM LAPTOP 1 TO IP 192.168.3.3
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

AFTER PINGING

ROUTER1
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
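An added example, not part of this lab report, in Python: it parses the two show crypto ipsec sa excerpts above (embedded here as the sample input) and classifies the SA from its counters, so that "encaps 1, decaps 0, send errors 1" is read as an SA that has only carried outbound traffic so far, not as a working tunnel. The status labels and the regular expressions are my own choices.

```python
import re

# Counters from "show crypto ipsec sa" on Router1, as captured in the report
# before and after the first ping from Laptop 1 to 192.168.3.3.
BEFORE_PING = """\
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
"""

AFTER_PING = """\
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 1, #recv errors 0
"""

# The four counters that tell whether protected traffic flows in each direction.
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors)[: ]+(\d+)")


def parse_sa(text):
    """Return peer, protected subnets and traffic counters from one SA block."""
    sa = {}
    sa["peer"] = re.search(r"current_peer (\S+) port", text).group(1)
    sa["local"] = re.search(r"local ident .*: \(([\d.]+)/", text).group(1)
    sa["remote"] = re.search(r"remote ident .*: \(([\d.]+)/", text).group(1)
    for name, value in COUNTER_RE.findall(text):
        sa[name.replace(" ", "_")] = int(value)
    return sa


def tunnel_status(text):
    """Classify the SA: 'idle' (no traffic yet), 'one-way' (packets only
    encapsulated, nothing decapsulated from the peer) or 'bidirectional'."""
    sa = parse_sa(text)
    if sa["pkts_encaps"] == 0 and sa["pkts_decaps"] == 0:
        return "idle"
    if sa["pkts_decaps"] == 0:
        return "one-way"
    return "bidirectional"
```

A one-way result with send errors is the state to investigate further (re-check the mirrored ACL and pre-shared key on the peer, then ping again); only a bidirectional result shows the tunnel carrying interesting traffic both ways.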
