network cisco ccna gns3 certification arteq
a network runs through it

Tuesday, August 28, 2012

lab 7-1 part III...

crypto map/session and gre... for a similar but more basic setup, see also...

http://insearchofthecert.blogspot.com/2012/08/gre.html
and
http://insearchofthecert.blogspot.com/2012/08/gre-with-crypto.html

same concept as those earlier posts, but with the added complexity of nat, which, if you followed the first two of these labs, is already good to go...


i think the lab does this backwards... establishing the tunnel first is vital...

branch

int tunnel0
ip add 172.16.100.2 255.255.255.252
tunnel source 209.165.200.242
tunnel destination 209.165.200.226

hq

int tunnel0
ip add 172.16.100.1 255.255.255.252
tunnel source 209.165.200.226
tunnel destination 209.165.200.242

hq(config-if)#
*Aug 28 14:32:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up


adding the crypto now would be silly because there is no route on either end that points traffic into the 172 tunnel network... after all, this is route, and setting up static and default routes for this lab from the very beginning, instead of a dynamic routing protocol, was, in a word, awful... let's do some dynamic routing and fix this mess...

branch

router eigrp 1
netw 192.168.1.0 0.0.0.255
netw 172.16.100.0 0.0.0.3
no auto-summ

hq

router eigrp 1
netw 10.10.0.0 0.0.255.255
netw 172.16.100.0 0.0.0.3
no auto-summ

*Aug 28 14:44:57: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.100.2 (Tunnel0) is up: new adjacency

i feel so much better already... now encrypt the traffic...

steps:
set up isakmp policy
set ipsec details
set vpn tunnel information
specify acl/traffic
apply crypto map to interface

branch

crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key suck-key address 209.165.200.226

crypto ipsec transform-set hqt-set esp-3des esp-sha-hmac

crypto map sec-map 10 ipsec-isakmp
set peer 209.165.200.226
set transform-set hqt-set
match address vpn-acl
exit

ip access-list ext vpn-acl
permit gre host 209.165.200.242 host 209.165.200.226

exit

int s1/1
crypto map sec-map
exit

and flip it for the hq router...

crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key suck-key address 209.165.200.242

crypto ipsec transform-set hqt-set esp-3des esp-sha-hmac
crypto map sec-map 10 ipsec-isakmp
set peer 209.165.200.242
set transform-set hqt-set
match address vpn-acl
exit

ip access-list ext vpn-acl
permit gre host 209.165.200.226 host 209.165.200.242
exit

int s1/2
crypto map sec-map
exit
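the "flip it for the hq router" step is where these labs usually go wrong (a key typed against the wrong address, an acl that doesn't match the tunnel endpoints, a map never applied to the interface), so here is a small checker, added to this post and not part of the lab, that reads both snippets above and confirms the two ends mirror each other: the crypto acl covers exactly the gre tunnel source and destination, `set peer` and the isakmp key address are the far end's tunnel source, the transform-set named in the map exists, the map is the one applied to the interface, and both sides agree on the policy, key and transforms. the config text is the lab's own; the parsing and the checks are mine.

```python
"""Mirror-check for a two-router GRE-over-IPsec crypto map lab (added example)."""
import re

# Constructed input: the branch config from the post (tunnel + crypto), copied verbatim.
BRANCH_CFG = """\
int tunnel0
ip add 172.16.100.2 255.255.255.252
tunnel source 209.165.200.242
tunnel destination 209.165.200.226
crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key suck-key address 209.165.200.226
crypto ipsec transform-set hqt-set esp-3des esp-sha-hmac
crypto map sec-map 10 ipsec-isakmp
set peer 209.165.200.226
set transform-set hqt-set
match address vpn-acl
exit
ip access-list ext vpn-acl
permit gre host 209.165.200.242 host 209.165.200.226
exit
int s1/1
crypto map sec-map
exit
"""

# Constructed input: the hq side, "flipped" the way the post describes.
HQ_CFG = """\
int tunnel0
ip add 172.16.100.1 255.255.255.252
tunnel source 209.165.200.226
tunnel destination 209.165.200.242
crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key suck-key address 209.165.200.242
crypto ipsec transform-set hqt-set esp-3des esp-sha-hmac
crypto map sec-map 10 ipsec-isakmp
set peer 209.165.200.242
set transform-set hqt-set
match address vpn-acl
exit
ip access-list ext vpn-acl
permit gre host 209.165.200.226 host 209.165.200.242
exit
int s1/2
crypto map sec-map
exit
"""


def _one(pattern, cfg):
    """Groups of the first line matching a line-anchored regex; error if the line is missing."""
    m = re.search(pattern, cfg, re.M)
    if not m:
        raise ValueError(f"config is missing a line matching {pattern!r}")
    return m.groups()


def parse_side(cfg):
    """Pull out the fields the two ends of a GRE-over-IPsec link must agree on."""
    tun_src, = _one(r"^tunnel source (\S+)$", cfg)
    tun_dst, = _one(r"^tunnel destination (\S+)$", cfg)
    psk, key_peer = _one(r"^crypto isakmp key (\S+) address (\S+)$", cfg)
    ts_name, ts_algs = _one(r"^crypto ipsec transform-set (\S+) (.+)$", cfg)
    map_name, = _one(r"^crypto map (\S+) \d+ ipsec-isakmp$", cfg)
    peer, = _one(r"^set peer (\S+)$", cfg)
    map_ts, = _one(r"^set transform-set (\S+)$", cfg)
    acl_src, acl_dst = _one(r"^permit gre host\s+(\S+) host\s+(\S+)$", cfg)
    applied, = _one(r"^crypto map (\S+)$", cfg)  # interface-level line: no sequence number
    policy = tuple(re.findall(r"^(encryption \S+|hash \S+|authentication \S+|group \S+)$", cfg, re.M))
    return dict(tun_src=tun_src, tun_dst=tun_dst, psk=psk, key_peer=key_peer,
                ts_name=ts_name, ts_algs=set(ts_algs.split()), map_name=map_name,
                peer=peer, map_ts=map_ts, acl_src=acl_src, acl_dst=acl_dst,
                applied=applied, policy=policy)


def mirror_problems(a, b):
    """List of mismatches between two parsed sides; an empty list means they mirror."""
    problems = []
    for me, other, who in ((a, b, "branch"), (b, a, "hq")):
        if (me["acl_src"], me["acl_dst"]) != (me["tun_src"], me["tun_dst"]):
            problems.append(f"{who}: crypto acl does not match the gre tunnel endpoints")
        if me["peer"] != me["tun_dst"]:
            problems.append(f"{who}: set peer is not the tunnel destination")
        if me["key_peer"] != me["peer"]:
            problems.append(f"{who}: isakmp key address differs from set peer")
        if me["map_ts"] != me["ts_name"]:
            problems.append(f"{who}: crypto map references a transform-set that is not defined")
        if me["applied"] != me["map_name"]:
            problems.append(f"{who}: the crypto map applied to the interface is not the one defined")
        if me["tun_src"] != other["tun_dst"]:
            problems.append(f"{who}: tunnel source is not the other side's tunnel destination")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["policy"] != b["policy"]:
        problems.append("isakmp policies differ")
    if a["ts_algs"] != b["ts_algs"]:
        problems.append("ipsec transforms differ")
    return problems


def diagnose(branch_cfg, hq_cfg):
    """Convenience wrapper: parse both sides and report mismatches."""
    return mirror_problems(parse_side(branch_cfg), parse_side(hq_cfg))


if __name__ == "__main__":
    print(diagnose(BRANCH_CFG, HQ_CFG) or "branch and hq mirror each other")
```

the checker only understands the flat, one-command-per-line snippets shown here, so feed it the same text you pasted into the routers rather than a full `show run`.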


hq#trace 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.100.2 20 msec 28 msec *

branch#sh crypto sess det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation    
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Serial1/1
Uptime: 00:07:51
Session status: UP-ACTIVE    
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 209.165.200.226
      Desc: (none)
  IKEv1 SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
          Capabilities:(none) connid:1001 lifetime:22:47:35
  IPSEC FLOW: permit 47 host 209.165.200.242 host 209.165.200.226
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 126 drop 0 life (KB/Sec) 4367615/3128
        Outbound: #pkts enc'ed 121 drop 0 life (KB/Sec) 4367616/3128

this proves traffic to the imaginary internet does not traverse the tunnel...

branch#trace 209.165.200.238 source 192.168.1.1
Type escape sequence to abort.
Tracing the route to 209.165.200.238
VRF info: (vrf in name/id, vrf out name/id)
  1 209.165.200.241 12 msec 8 msec 4 msec
  2 209.165.200.226 12 msec 16 msec *

this proves traffic for the private network (imaginary email) uses the tunnel...

branch#trace 10.10.20.238 source 192.168.1.1
Type escape sequence to abort.
Tracing the route to 10.10.20.238
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.100.1 20 msec 20 msec *
branch#
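the two "this proves..." observations above are the checks worth keeping once the lab is done, so here is a script, added to this post and not part of the lab, that parses the `show crypto session detail` and traceroute output pasted above and turns them into pass/fail answers: the session is UP-ACTIVE with the expected peer, the protected flow is ip protocol 47 (gre) between the two tunnel endpoints, both sas exist and are actually encrypting and decrypting packets without drops, and the private-network trace enters the tunnel (first hop is the far tunnel address) while the internet trace does not. the output text is the post's own; the parsing is mine.

```python
"""Verification checks for the GRE-over-IPsec lab output (added example)."""
import re

# Constructed input: 'branch#sh crypto sess det' as pasted in the post.
SESSION_OUT = """\
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Serial1/1
Uptime: 00:07:51
Session status: UP-ACTIVE
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 209.165.200.226
      Desc: (none)
  IKEv1 SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
          Capabilities:(none) connid:1001 lifetime:22:47:35
  IPSEC FLOW: permit 47 host 209.165.200.242 host 209.165.200.226
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 126 drop 0 life (KB/Sec) 4367615/3128
        Outbound: #pkts enc'ed 121 drop 0 life (KB/Sec) 4367616/3128
"""

# Constructed inputs: the two traceroutes from the post.
TRACE_INTERNET = """\
Type escape sequence to abort.
Tracing the route to 209.165.200.238
VRF info: (vrf in name/id, vrf out name/id)
  1 209.165.200.241 12 msec 8 msec 4 msec
  2 209.165.200.226 12 msec 16 msec *
"""
TRACE_PRIVATE = """\
Type escape sequence to abort.
Tracing the route to 10.10.20.238
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.100.1 20 msec 20 msec *
"""


def parse_session(text):
    """Extract the fields that show whether the crypto map is actually doing its job."""
    s = {}
    s["status"] = re.search(r"Session status:\s*(\S+)", text).group(1)
    s["peer"] = re.search(r"^Peer:\s*(\S+) port (\d+)", text, re.M).group(1)
    flow = re.search(r"IPSEC FLOW: permit (\d+) host (\S+) host (\S+)", text)
    s["proto"], s["local"], s["remote"] = int(flow.group(1)), flow.group(2), flow.group(3)
    s["active_sas"] = int(re.search(r"Active SAs: (\d+)", text).group(1))
    inb = re.search(r"Inbound:\s+#pkts dec'ed (\d+) drop (\d+)", text)
    outb = re.search(r"Outbound:\s+#pkts enc'ed (\d+) drop (\d+)", text)
    s["decrypted"], s["in_drop"] = int(inb.group(1)), int(inb.group(2))
    s["encrypted"], s["out_drop"] = int(outb.group(1)), int(outb.group(2))
    return s


def session_healthy(s, local, remote):
    """True when the session is UP-ACTIVE with the expected peer, protects GRE (ip proto 47)
    between the two public tunnel endpoints, has both directions' SAs, and is carrying packets."""
    return (s["status"] == "UP-ACTIVE"
            and s["peer"] == remote
            and (s["proto"], s["local"], s["remote"]) == (47, local, remote)
            and s["active_sas"] == 2
            and s["encrypted"] > 0 and s["decrypted"] > 0
            and s["in_drop"] == 0 and s["out_drop"] == 0)


def hops(trace):
    """Per-hop addresses, in order, from IOS traceroute output."""
    return re.findall(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)", trace, re.M)


def path_via(trace, tunnel_far_end):
    """'tunnel' if the first hop is the far end of the GRE tunnel, otherwise 'outside'."""
    h = hops(trace)
    return "tunnel" if h and h[0] == tunnel_far_end else "outside"


if __name__ == "__main__":
    s = parse_session(SESSION_OUT)
    print("crypto session ok:", session_healthy(s, "209.165.200.242", "209.165.200.226"))
    print("internet traffic goes via:", path_via(TRACE_INTERNET, "172.16.100.1"))
    print("private traffic goes via:", path_via(TRACE_PRIVATE, "172.16.100.1"))
```

the packet counters are the part to watch: a session can sit at UP-ACTIVE with the acl matching nothing, and only a rising enc'ed/dec'ed count on both sides tells you the gre traffic is really inside the sa.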

