network cisco ccna gns3 certification arteq

a network runs through it


Saturday, August 18, 2012

gre with crypto...

you have the tunnel from the previous post, now lock it up...


crypto isakmp policy ?
encry 3des
hash md5
authenti pre-share
group 2
lifetime ?

crypto isakmp sets up the policy
3des (triple des) is the encryption method (strong)
md5 (message digest 5) is the hash
pre-shared key is the authentication method
group 2 is the diffie-hellman group
and 86400 is the lifetime of the isakmp security association, in seconds

crypto isakmp key suck-key add 1.1.1.2

reverse the address on the peer
this is the key shared with 1.1.1.2

a transform set is needed for data protection; we'll call it tset

crypto ipsec transform-set tset esp-3des esp-md5-hmac
mode transport

next, create an ipsec profile and associate it with the transform set

crypto ipsec profile gre-lock
set security-association lifetime seconds 86400
set transform-set tset

apply it to the tunnel

int tun 0
tunnel protection ipsec profile gre-lock

do the same for the peer


i1(config)#crypto isakmp policy ?
  <1-10000>  Priority of protection suite

i1(config)#crypto isakmp policy 1
i1(config-isakmp)#encry 3des
i1(config-isakmp)#hash md5
i1(config-isakmp)#authenti pre-share
i1(config-isakmp)#group 2
i1(config-isakmp)#lifetime ?
  <60-86400>  lifetime in seconds

i1(config-isakmp)#lifetime 86400
i1(config-isakmp)#exit
i1(config)#crypto isakmp key suck-key add 1.1.1.2
i1(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
i1(cfg-crypto-trans)#mode transport
i1(cfg-crypto-trans)#crypto ipsec profile gre-lock
i1(ipsec-profile)#set security-association lifetime seconds 86400
i1(ipsec-profile)#set transform-set tset
i1(ipsec-profile)#exit
i1(config)#int tun 0
i1(config-if)#tunnel protection ipsec profile gre-lock
i1(config-if)#
*Aug 18 06:35:13: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
i1(config-if)#end
i1#
*Aug 18 06:37:38: %SYS-5-CONFIG_I: Configured from console by console
i1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/17/36 ms
i1#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE    
Peer: 1.1.1.2 port 500
  IKEv1 SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active
  IPSEC FLOW: permit 47 host 1.1.1.1 host 1.1.1.2
        Active SAs: 2, origin: crypto map
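an added example, not from the post: a small python lint over the running-config built above, flagging the algorithm choices (3des, md5, group 2) that current guidance replaces with aes, sha-2 and a larger dh group, and checking that the tunnel's ipsec profile actually leads to a defined transform set. the sample config is constructed from the commands in this post; the remediation strings are the script's own, not cisco's.

```python
import re

# Constructed sample input: the i1 side of the post's config as "show running-config"
# would print it (keywords expanded; the default isakmp lifetime is not printed).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key suck-key address 1.1.1.2
crypto ipsec transform-set tset esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile gre-lock
 set transform-set tset
interface Tunnel0
 tunnel protection ipsec profile gre-lock
"""

# Choices made on this page that a hardening review would flag, with the fix.
WEAK_IKE = {("encr", "3des"): "3des -> aes 256", ("hash", "md5"): "md5 -> sha256",
            ("group", "1"): "group 1 -> 14 or higher", ("group", "2"): "group 2 -> 14 or higher"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def audit(config):
    """Flag weak IKE/ESP algorithms and tunnels whose profile does not lead to a transform set."""
    findings, tsets, profiles, tunnels, header = [], set(), {}, {}, [""]
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # new top-level block
            header = line.split()
            if header[:3] == ["crypto", "ipsec", "transform-set"]:
                tsets.add(header[3])
                findings += [f"transform-set {header[3]}: {t} is deprecated"
                             for t in header[4:] if t in WEAK_ESP]
            continue
        child = line.split()                    # indented line belonging to `header`
        if header[:3] == ["crypto", "isakmp", "policy"] and tuple(child[:2]) in WEAK_IKE:
            findings.append(f"isakmp policy {header[3]}: {WEAK_IKE[tuple(child[:2])]}")
        elif header[:3] == ["crypto", "ipsec", "profile"] and child[:2] == ["set", "transform-set"]:
            profiles[header[3]] = child[2]
        elif header[0] == "interface" and child[:4] == ["tunnel", "protection", "ipsec", "profile"]:
            tunnels[header[1]] = child[4]
    for intf, prof in tunnels.items():        # tunnel -> profile -> transform-set chain must be complete
        if profiles.get(prof) not in tsets:
            findings.append(f"{intf}: profile {prof} does not reference a defined transform-set")
    return sorted(findings)


if __name__ == "__main__": print("\n".join(audit(SAMPLE_CONFIG)))
```

the same loop also catches the common mistake of applying `tunnel protection` with a profile whose transform set was never defined, which the `show crypto session` output above would reveal as no IPSEC FLOW.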


push...  uuuuuuuuuuuunnnhhh... you just gave birth to a simple vpn... how'd that feel...

