Leseprobe
Dedication
This book is dedicated to my parents and my family.
Acknowledgment
All books are the product of a team work and I thank all the members of the GRIN publisher: including the project editor, friends, seniors, colleagues, and my teachers.
I special acknowledge Dr. Muhammad Yousaf, Assistant Professor of Riphah Institute of Systems Engineering, Islamabad. He guided, motivated, and encouraged me in my research work.
I also acknowledge Miss. Muntaha Sohail, Lecturer in English Department, University of Sargodha, Sub-Campus Mandi Bahauddin. She minutely and skillfully proof red this book.
Table of Contents
Chapter 1 Introduction
1 Virtual Private Network..2
1.1 VPN Services..2
1.1.1 Confidentiality..2
1.1.2 Integrity..3
1.1.3 Authentication..3
1.1.4 Availability..4
1.1.5 Anti-Replay..4
1.2 VPN Advantages..4
1.2.1 Data Security..4
1.2.2 Private Network Access..4
1.2.3 Bandwidth..5
1.2.4 Cost Reduction..5
1.2.5 Deployment Flexibility..5
1.3 VPN Types..5
1.3.1 Remote Access VPN..5
1.3.2 Site-to-Site VPN..6
1.4 VPN Protocols..6
1.5 VPN Supported Devices..6
Chapter 2 PPTP VPN
2 PPTP VPN..8
2.1 PPTP Security..8
2.2 Encapsulation..9
2.3 Router as a PPTP VPN Server..10
2.3.1 Lab Objectives..10
2.3.2 Topology..10
2.3.3 Step-1 IP Addressing..10
2.3.4 Step-2 Configuring Static IP Routing..12
2.3.5 Step-3 Connectivity Testing..13
2.3.6 Step-4 Configuring Router as a PPTP VPN Server..14
2.3.7 Step-5 Configuring & Setting of PPTP VPN Client..15
2.3.8 Step-6 Connecting VPN Client..20
2.3.9 Step-7 Testing..22
Chapter 3 L2TP VPN
3 L2TP VPN..25
3.1 L2TP Security..26
3.2 Encapsulation..27
3.3 Router as a L2TP VPN Server..28
3.3.1 Lab Objectives..28
3.3.2 Topology..28
3.3.3 Step-1 IP Addressing..28
3.3.4 Step-2 Configuring Static IP Routing..30
3.3.5 Step-3 Configuring Router as a DNS Server..31
3.3.6 Step-4 Testing Connectivity..31
3.3.7 Step-5 Configuring Router as a L2TP VPN Server..33
3.3.8 Step-6 Configuring & Setting L2TP VPN Client..34
3.3.9 Step-7 Connecting VPN Client..36
3.3.10 Step-8 Testing..38
Chapter 4 L2TP over IPsec VPN
4 L2TP over IPsec VPN..42
4.1 L2TP over IPsec Security..42
4.2 Encapsulation..42
4.3 Router as an L2TP over IPsec VPN Server..44
4.3.1 Lab Objectives..44
4.3.2 Topology..44
4.3.3 Step-1 IP Addressing..44
4.3.4 Step-2 Configuring Static IP Routing..46
4.3.5 Step-3 Testing Connectivity..47
4.3.6 Step-4 Configuring Router as an L2TP over IPsec VPN..48
4.3.7 Step-5 Configuring & Setting L2TP over IPsec VPN Client..49
4.3.8 Step-6 Connecting VPN Client..70
4.3.9 Step-7 Testing..72
Chapter 5 IPsec VPN
5 IPsec VPN..79
5.1 IPsec Security Architecture..79
5.2 Encapsulation..81
5.3 Site-to-Site IPsec VPN b/w Routers..83
5.3.1 Lab Objectives..83
5.3.2 Topology..83
5.3.3 Step-1 IP Addressing..83
5.3.4 Step-2 Configuring Static IP Routing..86
5.3.5 Step-3 Configuring NAT..88
5.3.6 Step-4 Testing Connectivity..89
5.3.7 Step-5 Configuring Site-to-Site IPsec VPN Tunnel..90
5.3.8 Step-6 Testing..92
5.4 Site-to-Site IPsec VPN b/w PIX & ASA..95
5.4.1 Lab Objectives..95
5.4.2 Topology..95
5.4.3 Step-1 IP Addressing..95
5.4.4 Step-2 Configuring Static IP Routing..99
5.4.5 Step-3 Testing Connectivity..100
5.4.6 Step-4 Configuring IPsec Tunnel..101
5.4.7 Step-5 Testing. 102
5.5 Remote Access IPsec VPN with Router (Easy VPN)..104
5.5.1 Lab Objectives..104
5.5.2 Topology..104
5.5.3 Step-1 IP Addressing..104
5.5.4 Step-2 Configuring Static IP Routing..106
5.5.5 Step-3 Testing Connectivity..107
5.5.6 Step-4 Configuring Remote Access IPsec VPN Tunnel..107
5.5.7 Step-5 Installing & Setting CISCO IPsec VPN Client..109
5.5.8 Step-6 Connecting IPsec VPN Client..113
5.5.9 Step-7 Testing..115
5.6 Remote Access IPsec VPN with ASA (Easy VPN)..116
5.6.1 Lab Objectives..116
5.6.2 Topology..116
5.6.3 Step-1 IP Addressing..116
5.6.4 Step-2 Configuring NAT..118
5.6.5 Step-3 Configuring Static IP Routing..118
5.6.6 Step-4 Testing Connectivity..119
5.6.7 Step-5 Configuring ASA as IPsec VPN Server..120
5.6.8 Step-6 Configuring VPN Client..121
5.6.9 Step-7 Connecting VPN Client..121
5.6.10 Step-8 Testing..121
Chapter 6 GRE VPN
6 GRE VPN..124
6.1 GRE Security..124
6.2 Encapsulation..124
6.3 Site-to-Site IPsec over GRE VPN..125
6.3.1 Lab Objectives..125
6.3.2 Topology..125
6.3.3 Step-1 IP Addressing..125
6.3.4 Step-2 Configuring Static IP Routing..127
6.3.5 Step-3 Configuring NAT..128
6.3.6 Step-4 Testing Connectivity..129
6.3.7 Step-5 Configuring Site-to-Site IPSec over GRE Tunnel..130
6.3.8 Step-6 Testing..132
6.4 Site-to-Site IPsec over GRE VPN (Behind ASA)..136
6.4.1 Lab Objectives..136
6.4.2 Topology..136
6.4.3 Step-1 IP Addressing..136
6.4.4 Step-2 Configuring Static IP Routing..139
6.4.5 Step-3 Configuring NAT..141
6.4.6 Step-4 Testing Connectivity..142
6.4.7 Step-5 Configuring IPsec over GRE..142
6.4.8 Step-6 Testing..145
Chapter 7 DMVPN
7 DMVPN..147
7.1 DMVPN Security..147
7.2 Encapsulation..147
7.3 Dynamic Multipoint VPN (Hub & Spokes)..148
7.3.1 Lab Objectives..148
7.3.2 Topology..148
7.3.3 Step-1 IP Addressing..148
7.3.4 Step-2 Configuring Static IP Routing..151
7.3.5 Step-3 Testing Connectivity..152
7.3.6 Step-4 Configuring DMVPN Tunnel..153
7.3.7 Step-5 Testing..155
Chapter 8 SSL VPN
8 SSL VPN..159
8.1 SSL Security..159
8.2 SSL Encapsulation..160
8.3 Router as an SSL VPN Gateway..161
8.3.1 Lab Objectives..161
8.3.2 Topology..161
8.3.3 Step-1 IP Addressing..161
8.3.4 Step-2 Configuring Static IP Routing..163
8.3.5 Step-3 Configuring Router as a DNS Server..164
8.3.6 Step-4 Testing Connectivity..164
8.3.7 Step-5 Configuring Self-Signed Certificates..166
8.3.8 Step-6 Configuring SSL VPN Gateway..168
8.3.9 Step-7 Testing..169
Chapter 9 High Availability VPN
9 High Availability VPN..172
9.1 HSRP..172
9.2 VRRP..173
9.3 GLBP..173
9.4 Site-to-Site IPsec High Availability VPN with HSRP..174
9.4.1 Lab Objectives..174
9.4.2 Topology..174
9.4.3 Step-1 IP Addressing..174
9.4.4 Step-2 Configuring Static IP Routing..177
9.4.5 Step-3 Testing Connectivity..179
9.4.6 Step-4 Configuring HSRP..179
9.4.7 Step-5 Configuring IPsec VPN over HSRP..182
9.4.8 Step-6 Testing..184
References:..17286
Learning Outcomes
This book encompasses virtual private network technologies theoretical as well as practical. In this project, it demonstrates how the VPNs actually work and their practical implementation with different lab scenarios, step by step. The objective of this book is to teach the students and professionals in an easy way. In this book, a reader learns the theoretical knowledge of VPNs, but the practical implementation of several types of VPNs in his home and office.
There are several types of VPNs with different scenarios. After a study of this book, the reader will familiar with almost all type of VPN and can perform all these types of VPNs with different scenarios in his office and home.
1. Introduction
1 Virtual Private Network
Virtual Private Network (VPN) is a secure, reliable and logical connection that is created over a public network (Internet). CISCO defines a VPN as an encrypted connection between private networks over a public network [1]. It is a virtual connection but not a physical. It extends the private network across shared or public network. It enables a computer to send or receive data safely through shared or public network, it does not matter if it is directly connected to the private network. It is done by establishing a virtual connection through the Internet.
1.1 VPN Services
VPNs provide different types of security services through different security protocols. These services are:
1. Confidentiality
2. Integrity
3. Authentication
4. Availability
5. Anti-replay
1.1.1 Confidentiality
Confidentiality means secrecy. It is a technique in which original data may hide or replace with some other data. The concept behind is that the data is not disclosed to anyone intentionally or unintentionally during transmission. In network security, it is also called encryption. It is the process in which the plaintext (original text) is replaced or substituted with the help of certain encryption algorithm, key, and the mechanism. After this process, the plain text is converted into encrypted text (ciphertext). Encrypted text transmits over an insecure network. If somebody catches the encrypted text, it is not easy to understand it. On the receiving side, the reverse process of encryption takes place, it is called decryption. The same algorithm, key, and mechanism are used to decrypt the text and original text is extracted. There are several encryption algorithms. Some of them work character by character and remaining work block by block. There are two types of keys. Symmetric or asymmetric. In symmetric, the same key is used to encrypt or decrypt while in asymmetric, a pair of the key is used. One key is private key and the second key is called public key. The public key is used to encrypt the data if its private key is used to decrypt the data whereas the private key is used to encrypt the data if its public key is used to decrypt data. The mechanism means, the way or method defines how to drive the algorithm and key. Modern encryption algorithms are:
1. DES (Data Encryption Standard)
2. 3DES (Triple Data Encryption Standard)
3. AES (Advanced Encryption Standard)
1.1.2 Integrity
Integrity means originality. It is a technique to ensure that data is not modified or altered by an unauthorized person during the transmission. The data remains consistent, both internally and externally. It is guaranteed that data is received by the receiver in original and there is no any change in data during transmission. In network security, it is also called hashing. Hashing is one-way process in which a 32-bit long hash value is calculated from the data with a specific algorithm. This hash value also transmits while transmitting the data. On the receiver side, the receiver once again calculates the hash value of the received data with the same algorithm and compares this hash value with that value which came with data. If the value is same then its integrity is not compromised on the other hand, the hash value is different even one character then it indicates that its integrity is compromised. The receiver will discard his receiving data. Modern hashing algorithms are:
1. MD-5 (Message Digest)
2. SHA-1 (Secure Hash Algorithm)
1.1.3 Authentication
Authentication is a technique which verifies the identity of a user or a process. It restricts unauthorized users to access data or service. In this process, the credentials provided by the user are compared to those which are already saved in the database file. Moreover, the user is granted authorization for access if credentials match and the process is completed. If the credentials mismatch, the user is not granted access. Authentication is may be local or remote. In local authentication, the credentials are saved on the same machine while in remote authentication, user credentials are saved on another server. The receiver machine sends user credentials for checking either it is true or false to authentication server and responds. If the machine receives true by authentication server then it grants access and if it receives false then it denies access. For security purpose, Challenge Handshake Authentication Protocol (CHAP) is used between machine and authentication server. Modern remote authentication servers are:
1. TACACS (Terminal Access Controller Access Control System)
2. RADIUS (Remote Authentication Dial-In User Service)
1.1.4 Availability
Availability provides reliable and timely access to data and resources. Once a VPN is connected, its time period is 24 hours by default. It means that user can access data or services at any time during the VPN connection.
1.1.5 Anti-Replay
It is a technique in which the receiver verifies that each packet is unique and is not duplicate. In this process, sequence numbers are used with the packet and arranged all these packets on receiver side accordingly sequence numbers. If any duplicate packet is received then the receiver will discard.
1.2 VPN Advantages
VPN technology is heavily influenced the corporate sector by its many advantages. Due to these advantages, it is more popular and deployable technology in the industry. These advantages are:
1.2.1 Data Security
Public network (Internet) is not a secure network and it is not possible to secure it, as complete. It is very risky and easy to access or alter data by a third person (Intruder) when data moves across the public network. So, it is needed to secure data before transferring it over a public network. VPN allows data to encapsulate it into security header before transmitting transfer to its destination. When data is encapsulated in security header then it is not easy to access or alter data. On the receiving side, it is decapsulated.
1.2.2 Private Network Access
VPNs allow employees to securely access their company's private network or data while travelling outside the office or at home. Most of the employees work in branch offices and others employees work as teleworker in the market. They are away from the central sites and if they are needed to access company’s data or services for business operations so they can access it securely through VPN connection.
1.2.3 Bandwidth
Users or branch offices use leased lines such as E1, T1, Frame Relay or Asynchronous Transfer Mode (ATM) to access company’s data or services securely. These leased lines provide typically 128 Kbps, 256 Kbps, and 512 Kbps connection speeds. These leased lines are expensive. Users and branch offices require more bandwidth for their services or advance applications and its speed. The Internet Service Providers (ISPs) are providing relatively high-bandwidth IP connections, such as broadband Digital Subscriber Line (DSL) or cable access for VPN on shared bases.
1.2.4 Cost Reduction
ISPs are providing relatively high-bandwidth IP connections, such as broadband DSL or cable service on shared bases. As a result, many customers are migrating their primary WAN connectivity to these services or deploying such WAN alternatives as a secondary high-speed WAN circuit to augment their existing private network. These high-bandwidth and share bases IP connections are relatively lower cost as compared to leased lines.
1.2.5 Deployment Flexibility
VPNs can be quickly established wherever an Internet access connection is available. They offer a great degree of flexibility in connecting branch offices or even while traveling outside the office or at home.
1.3 VPN Types
VPN can be connected in different forms. A secure connection is created over a public network. Sometimes it is called as a tunnel. All traffic is passed through this tunnel. There are two basic types of VPN and they are:
1. Remote Access VPN
2. Site-to-Site VPN
1.3.1 Remote Access VPN
In remote access VPN type, a single user is connected to a private network and access its services and resources remotely. The connection between the user and the private network happens through the Internet, this connection is secure and private. Usually, home users or teleworkers use this type of VPN. The teleworkers or employees use a remote access VPN to connect to his/her company’s private network and remotely access files and resources on the private network while traveling.
1.3.2 Site-to-Site VPN
Site-to-Site VPN type is mostly used in the corporate network. In this type of VPN, company’s offices in different geographical locations, use Site-to-site VPN to connect the network with head office or another branch office. In this VPN type, a device acts as a gateway in one branch office and similarly in another branch office. The connection is established between the both. When the connection is established, then multiple users can use this connection in their branch offices.
1.4 VPN Protocols
As we know, communication is between two devices based upon Open Systems Interconnection (OSI model) reference model. It is a universal standard which is proposed by International Organization for Standardization (ISO) in 1984. It consists of seven layers. Each layer of this model performs specific tasks through several communication protocols. These communication protocols are classified into different forms according to these layers. These VPN protocols are also classified according to OSI model’s layers for security purposes. These VPN protocols are:
1. PPTP (Point-to-Point Tunneling Protocol)
2. L2TP (Layer 2 Tunneling Protocol)
3. IPsec (Internet Protocol Security)
4. L2TP over IPsec.
5. GRE (Generic Routing Encapsulation)
6. IPsec over GRE
7. TSL (Transport Layer Security)
8. SSL (Secure Sockets Layer)
1.5 VPN Support Devices
A dedicated VPN support device is VPN Concentrator. A VPN concentrator is a type of networking device that provides secure creation of VPN connections and delivery of messages between VPN nodes. However, some other devices like (Routers, multi-layer switches, PIX, ASA, PCs, smartphones and tablets) may also support VPN. These devices should have VPN support operating systems. Multiple vendors have designed such types of devices like CISCO, Juniper, Linksys, Microsoft, Linux, and Mac etc. The VPN service provided by these devices is said to be IOS based VPN. Moreover, in this guide, CISCO based devices (Router, PIX & ASA) and Window based PCs are used.
2 PPTP VPN
Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN technique in network security. It was introduced by “Matthew Ramsay” in 1999 with the support of Microsoft. Its specification was described in RFC 2637 [2]. It basically extends the Point-to-Point Protocol (PPP). The PPP transfers multi-protocol datagrams over a point-to-point link. It uses dial-up networking method which is called Virtual Private Dial-up Network (VPDN). It is more suitable for remote access applications through VPN. It also supports LAN internetworking. It operates at layer 2 of the OSI model. It works as a client/server model which is simply configured. By default, the client is a software based system which is normally available in all Microsoft Windows, Linux and MAC operating systems. It remains most popular technology, especially on Microsoft Windows computers. It is connection oriented protocol and it uses TCP port 1723. In this tunneling technique, tunnels are created by following two steps:
1. First of all, the clients connect to their ISPs through using any service (dial-up, ISDN, DSL modem or LAN).
2. Secondly, PPTP creates a TCP session between client and server to establish a secure tunnel.
Once the PPTP tunnel is established between client and server then two types of information can be passed through a tunnel. Moreover, a unique Call ID value is assigned to each session for its identification.
1. Control Messages: These messages directly pass through the tunnel to the client and server and finally tearing down the connections. The variety of these control messages are used to maintain the VPN connections whereas, some of these messages are shown in the Fig. 2.1 below.
2. Data Packets: It passes through the tunnel to the client and the client sends back.
2.1 PPTP Security
PPTP supports authentication, encryption and packet filtering. In authentication, PPP based protocols like MS-CHAPv1, MS-CHAPv2, EAP-TLS, and PAP are used. MS-CHAPv1 is insecure. EAP-TLS is a superior choice. However, it requires a Public Key Infrastructure implementation for both client and server certificates. When MS-CHAPv1/v2 is used in PPTP then the payloads encrypt by using Microsoft Point-to-Point Encryption (MPPE). The MPPE supported 40-bits, 56-bits & 128-bits encryption. It enhances the confidentiality of PPP-encapsulated packets [3]. Packet filtering is implemented on VPN servers.
[Figures and tables are omitted from this preview.]
Figure 2.1 PPTP Control Messages
2.2 Encapsulation
PPTP encapsulates the PPP frames in IP packet. It uses TCP connection for tunnel management. The encapsulated PPP frames may encrypt, compress or the both as it is highlighted in the Fig. 2.2.
[Figures and tables are omitted from this preview.]
Figure 2.2 PPTP Encapsulation
In Oct. 2012, security of PPTP is broken and its usage is no longer and also not recommended by Microsoft [4].
2.3 Router as a PPTP VPN Server
2.3.1 Lab Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Test Connectivity
- Configure Router as a PPTP VPN Server
- Configure PC as a Microsoft PPTP VPN Client
- Try to Connect VPN Client
- Test VPN
2.3.2 Topology
[Figures and tables are omitted from this preview.]
Figure 2.3 PPTP VPN Setup
2.3.3 Step-1 IP Addressing
Assign IP addresses on router’s interfaces and PC as mentioned above in topological diagram 2.3. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastEthernet 0/0
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastEthernet 0/1
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.18 YES manual up up
FastEthernet0/1 203.0.113.33 YES manual up up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 203.0.113.16/28 is directly connected, FastEthernet0/0
C 203.0.113.32/28 is directly connected, FastEthernet0/1
Branch:
Branch>enable
Branch#configure terminal
Branch(config)#interface fastEthernet 0/0
Branch(config-if)# ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface fastEthernet 0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#
Branch#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.34 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Branch#
PC:
[Figures and tables are omitted from this preview.]
Figure 2.4 Client IP Address
2.3.4 Step-2 Configuring Static IP Routing
PC:
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C :\>
Branch:
Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 203.0.113.33
C 192.168.1.0/24 is directly connected, FastEthernet0/1
C 203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#
2.3.5 Step-3 Connectivity Testing
PC:
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Request timed out.
Reply from 203.0.113.34: bytes=32 time=258ms TTL=254
Reply from 203.0.113.34: bytes=32 time=185ms TTL=254
Reply from 203.0.113.34: bytes=32 time=184ms TTL=254
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 184ms, Maximum = 258ms, Average = 209ms
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Branch:
Branch#ping 203.0.113.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
Branch#
2.3.6 Step-4 Configuring Router as a PPTP VPN Server
Branch(config)#vpdn enable
Branch(config)#vpdn-group pptp-vpn
Branch(config-vpdn)#accept-dialin
Branch(config-vpdn-acc-in)#protocol pptp
Branch(config-vpdn-acc-in)#virtual-template 1
Branch(config-vpdn-acc-in)#exit
Branch(config-vpdn)#exit
Branch(config)#
Branch(config)# ip local pool pptp-pool 172.16.1.10 172.16.1.50
Branch(config)#username test password 0 test
Branch(config)#interface virtual-template 1
Branch(config-if)#encapsulation ppp
Branch(config-if)# peer default ip address pool pptp-pool
Branch(config-if)#ip unnumbered fastEthernet 0/1
Branch(config-if)#no keepalive
Branch(config-if)#ppp encrypt mppe auto required
Branch(config-if)# ppp authentication ms-chap ms-chap-v2
Branch(config-if)#^Z
Branch#
Branch#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.34 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Virtual-Access1 unassigned YES unset down down
Virtual-Template1 192.168.1.1 YES unset down down
Branch#show vpdn group
VPDN group 1
Group session limit 65535 Active sessions 0 Active tunnels 0
VPDN group pptp-vpn
Group session limit 65535 Active sessions 0 Active tunnels 0
Branch#show vpdn session
%No active PPTP tunnels
2.3.7 Step-5 Configuring & Setting of PPTP VPN Client
1. Choose Start > Control Panel > Network & Sharing Center > Set up a New Connection
[Figures and tables are omitted from this preview.]
Figure 2.5 Set up a new Connection
2. After the Network Connection Wizard window appears, chooseConnect to a workplace & Click Next
[Figures and tables are omitted from this preview.]
Figure 2.6 Connect to a Workplace
3. Choose No, create a new connection & Click Next
[Figures and tables are omitted from this preview.]
Figure 2.7 Create new Connection
4. Select Use my Internet Connection
[Figures and tables are omitted from this preview.]
Figure 2.8 New Connection Name & IP Address
5. Choose Start > Control Panel > Network & Sharing Center > Change Adapter Settings and select the properties of the recently configured connection
[Figures and tables are omitted from this preview.]
Figure 2.9 Properties
6. Chose Security
[Figures and tables are omitted from this preview.]
Figure 2.10 Security
7. Under Type of VPN choose PPTP VPN, Choose Required Encryption from Data Encryption,Select Authentication Protocols and click OK
[Figures and tables are omitted from this preview.]
Figure 2.11 Select Properties
2.3.8 Step-6 Connecting VPN Client
1. Try to connect
[Figures and tables are omitted from this preview.]
Figure 2.12 Username & Password
2. Type username test & password test and click OK
[Figures and tables are omitted from this preview.]
Figure 2.13 Connecting
3. The verifying username and password window appears
[Figures and tables are omitted from this preview.]
Figure 2.14 Verifying
4. The registering your computer on the network window appears
[Figures and tables are omitted from this preview.]
Figure 2.15 Completing
5. When connected then it can check the status of the connection
[Figures and tables are omitted from this preview.]
Figure 2.16 Connection Status
2.3.9 Step-7 Testing
PC:
[Figures and tables are omitted from this preview.]
Figure 2.17 Connection Details
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=232ms TTL=255
Reply from 192.168.1.1: bytes=32 time=226ms TTL=255
Reply from 192.168.1.1: bytes=32 time=338ms TTL=255
Reply from 192.168.1.1: bytes=32 time=351ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 226ms, Maximum = 351ms, Average = 286ms
Branch:
Branch#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.34 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Virtual-Access1 192.168.1.1 YES unset up up
Virtual-Template1 192.168.1.1 YES unset down down
Branch#show interface virtual-access 1
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CCP
PPPoVPDN vaccess, cloned from Virtual-Template1
Vaccess status 0x44
Protocol pptp, tunnel id 36776, session id 20632, loopback not set
Keepalive not set
DTR is pulsed for 5 seconds on reset
Last input 00:05:07, output never, output hang never
Last clearing of "show interface" counters 00:22:57
Branch#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
Interface User Mode Idle Peer Address
Vi3 test PPPoVPDN 00:09:55 172.16.1.11
Branch#show vpdn session
PPTP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Intf Username State Last Chg Uniq ID
20632 256 36776 Vi3 test estabd 00:00:41 2
Branch#show vpdn tunnel pptp
PPTP Tunnel Information Total tunnels 1 sessions 1
LocID Rem. Name State Remote Address Port Sessions VPDN Group
36776 estabd 203.0.113.17 4993 1 1
Branch#show vpdn tunnel pptp transport
PPTP Tunnel Information Total tunnels 1 sessions 1
LocID Type Local Address Port Remote Address Port
36776 IP 203.0.113.34 1723 203.0.113.17 4993
Branch#show vpdn tunnel packets
PPTP Tunnel Information Total tunnels 1 sessions 1
LocID Pkts-In Pkts-Out Bytes-In Bytes-Out
36776 61 21 6679 521
Branch#
3 L2TP VPN
Layer 2 Tunneling Protocol (L2TP) was introduced with the combination of two tunneling protocols in 1999. Firstly, Layer 2 Forwarding (L2F) protocol by CISCO Systems and second is Point-to-Point Tunneling Protocol (PPTP) by Microsoft. It merges the best features of the both. In other words, it is an extension of PPTP. It was specified in RFC 2661 [5]. The L2F is a tunneling protocol and it was developed to establish VPN over the public network (Internet). It does not provide encryption by itself. It was specially designed to tunnel PPP traffic. In 2005, a new version of L2TP was introduced as L2TPv3 with additional security features, improved encapsulation and the ability to carry data links over the network. Its specification was described in RFC 3931 [6].
The entire L2TP packet including (payload & L2TP header) is sent within a User Datagram Protocol (UDP) with port number 1701. It is common to carry PPP session within an L2TP tunnel. It does not support strong authentication and confidentiality by itself. The IPsec protocol is often used with L2TP to provide strong confidentiality, authentication, and integrity. The combination of these two protocols is generally known as L2TP/IPsec. L2TP allows creating a VPDN to connect remote clients to its corporate network by using different connecting services provided by ISPs. It operates at layer 2 of the OSI model. It works as a client/server model.
Two endpoints of the L2TP tunnel are called LAC (L2TP Access Concentrator) and LNS (L2TP Network Server). The LNS waits for new tunnels. The LAC remains between an LNS and a remote system and forwards packets to the server. Once the tunnel is established between peer then, the network traffic moves in bidirectional. The packets exchanged within the tunnel characterized as either it is controlled packet or it is a data packet, it is reliable for control packets and not reliable for data packets. If the reliability is desired for data packets then it is provided by another protocol running within the session of the tunnel.
In this tunneling technique as the tunnels are created by following two steps:
1. A control connection is established for a tunnel between LAC and LNS.
2. Secondly, a session is established between client and server.
During the setup of the L2TP tunnel, different types of control messages and data messages are exchanged between LAC and LNS. It is highlighted in the Fig. 3.1 below. The traffic of each session is secluded by L2TP. So, it is possible to setup multiple virtual networks against a single tunnel. The Maximum Transmission Unit (MTU) remains same. The Hello messages are sent to peer as control messages for keep alive after every 60 seconds.
[Figures and tables are omitted from this preview.]
Figure 3.1 Tunnel Setup
Once the tunnel is established, PPP frames from the remote systems are received at LAC. It encapsulates in L2TP and forwards to LNS over the appropriate tunnel.
3.1 L2TP Security
L2TP supports authentication and encryption. In authentication, PPP based protocols like MS-CHAPv1, MS-CHAPv2, EAP-TLS, and PAP are used. When MS-CHAPv1/v2 is used then the payloads encrypt by using MPPE. It also supports Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES-256 bits). It enhances the confidentiality of PPP-encapsulated packets.
3.2 Encapsulation
Data messages are used to encapsulate the PPP frames. These frames are passed over unreliable data channels. Data is not retransmitted when a packet loss occurs. The entire PPP frame is encapsulated in L2TP header first and then L2TP frame is encapsulated in UDP header as it is shown in the Fig. 3.2 below.
[Figures and tables are omitted from this preview.]
Figure 3.2 L2TP Encapsulation
3.3 Router as a L2TP VPN Server
3.3.1 Lab Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Configure Router as a DNS Server
- Test Connectivity
- Configure Router as a L2TP VPN Server
- Configure PC as a Microsoft L2TP VPN Client
- Try to Connect VPN Client by Domain Name
- Test VPN
3.3.2 Topology
[Figures and tables are omitted from this preview.]
Figure 3.3 L2TP VPN Setup
3.3.3 Step-1 IP Addressing
Assign IP addresses on router’s interfaces and PC as mentioned above in topological diagram 3.3. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastEthernet 0/0
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastEthernet 0/1
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.18 YES manual up up
FastEthernet0/1 203.0.113.33 YES manual up up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 203.0.113.16/28 is directly connected, FastEthernet0/0
C 203.0.113.32/28 is directly connected, FastEthernet0/1
Branch:
Branch>enable
Branch#configure terminal
Branch(config)#interface fastEthernet 0/0
Branch(config-if)# ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface fastEthernet 0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#
Branch#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.34 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Branch#
PC:
Figure 3.4 Client IP Addressing
3.3.4 Step-2 Configuring Static IP Routing
Branch:
Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#
Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 203.0.113.33
C 192.168.1.0/24 is directly connected, FastEthernet0/1
C 203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#
3.3.5 Step-3 Configuring Router as a DNS Server
Internet:
Internet(config)#ip dns server
Internet(config)#ip name-server 203.0.113.18
Internet(config)#ip host l2tpvpn.com 203.0.113.34
Internet(config)#no ip domain-lookup
Internet(config)#exit
Internet#
Internet#show ip dns view
DNS View default parameters:
Logging is off
DNS Resolver settings:
Domain lookup is disabled
Default domain name: lab.local
Domain search list:
Lookup timeout: 3 seconds
Lookup retries: 2
Domain name-servers:
203.0.113.18
DNS Server settings:
Forwarding of queries is disabled
Forwarder timeout: 3 seconds
Forwarder retries: 2
Forwarder addresses:
3.3.6 Step-4 Testing Connectivity
PC:
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=333ms TTL=254
Reply from 203.0.113.34: bytes=32 time=242ms TTL=254
Reply from 203.0.113.34: bytes=32 time=338ms TTL=254
Reply from 203.0.113.34: bytes=32 time=265ms TTL=254
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 242ms, Maximum = 338ms, Average = 294ms
C:\>ping l2tpvpn.com
Pinging l2tpvpn.com [203.0.113.34] with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=148ms TTL=254
Reply from 203.0.113.34: bytes=32 time=213ms TTL=254
Reply from 203.0.113.34: bytes=32 time=191ms TTL=254
Reply from 203.0.113.34: bytes=32 time=220ms TTL=254
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 148ms, Maximum = 220ms, Average = 193ms
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Branch:
Branch#ping 203.0.113.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
Branch#
Internet:
Internet#show ip dns statistics
DNS requests received = 2 ( 2 + 0 )
DNS requests dropped = 0 ( 0 + 0 )
DNS responses replied = 2 ( 2 + 0 )
Forwarder queue statistics:
Current size = 0
Maximum size = 5
Drops = 0
3.3.7 Step-5 Configuring Router as a L2TP VPN Server
Branch(config)#vpdn enable
Branch(config)#vpdn-group l2tp-vpn
Branch(config-vpdn)#accept-dialin
Branch(config-vpdn-acc-in)#protocol l2tp
Branch(config-vpdn-acc-in)#virtual-template 1
Branch(config-vpdn-acc-in)#exit
Branch(config-vpdn)#exit
Branch(config)#
Branch(config)# ip local pool l2tp-pool 172.16.1.1 172.16.1.50
Branch(config)#username test password 0 test
Branch(config)#interface virtual-template 1
Branch(config-if)#encapsulation ppp
Branch(config-if)# peer default ip address pool l2tp-pool
Branch(config-if)#ip unnumbered fastEthernet 0/1
Branch(config-if)#ppp encrypt mppe auto required
Branch(config-if)# ppp authentication ms-chap ms-chap-v2
Branch(config-if)#^Z
Branch#
Branch#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.34 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Virtual-Access1 unassigned YES unset down down
Virtual-Template1 192.168.1.1 YES unset down down
Branch#
Branch#show vpdn group
VPDN group l2tp-vpn
Group session limit 65535 Active sessions 0 Active tunnels 0
Branch#show vpdn tunnel l2tp
%No active L2TP tunnels
3.3.8 Step-6 Configuring & Setting L2TP VPN Client
1. Follow Step-5 in PPTP Lab
2. Type Hostname (l2tpvpn.com) instead of IP address
[Figures and tables are omitted from this preview.]
Figure 3.5 Properties
3. Chose Security
[Figures and tables are omitted from this preview.]
Figure 3.6 Security
4. Under Type of VPN choose L2TP VPN, Choose Required Encryption from Data Encryption, Select Authentication Protocols
[Figures and tables are omitted from this preview.]
Figure 3.7 Select Protocol
5. Click on Advanced Settings
[Figures and tables are omitted from this preview.]
Figure 3.8 Advance Setting
3.3.9 Step-7 Connecting VPN Client
1. After type username & password click connect
[Figures and tables are omitted from this preview.]
Figure 3.9 Connecting
2. The Verifying username and password window appears
[Figures and tables are omitted from this preview.]
Figure 3.10 Verifying
3. The Registering your computer on the network window appears
[Figures and tables are omitted from this preview.]
Figure 3.11 Completing
4. The Connection Status window appears
[Figures and tables are omitted from this preview.]
Figure 3.12 Connection Status
3.3.10 Step-8 Testing
PC:
[Figures and tables are omitted from this preview.]
Figure 3.13 Connection Details
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=166ms TTL=255
Reply from 192.168.1.1: bytes=32 time=246ms TTL=255
Reply from 192.168.1.1: bytes=32 time=285ms TTL=255
Reply from 192.168.1.1: bytes=32 time=277ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 166ms, Maximum = 285ms, Average = 243ms
Branch:
Branch#ping 172.16.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/204/300 ms
Branch#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.34 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Virtual-Access1 unassigned YES unset down down
Virtual-Access2 unassigned YES unset up up
Virtual-Access3 192.168.1.1 YES unset up up
Virtual-Template1 192.168.1.1 YES unset down down
Branch#show interfaces virtual-access 3
Virtual-Access3 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP
PPPoVPDN vaccess, cloned from Virtual-Template1
Vaccess status 0x0
Protocol l2tp, tunnel id 35949, session id 29839
Keepalive set (10 sec)
40 packets input, 4522 bytes
15 packets output, 237 bytes
Last clearing of "show interface" counters never
Branch#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
Interface User Mode Idle Peer Address
Vi3 test PPPoVPDN 00:09:55 172.16.1.4
Branch#show vpdn group
VPDN group l2tp-vpn
Group session limit 65535 Active sessions 1 Active tunnels 1
Branch#show vpdn tunnel l2tp
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class
35949 1 zeeshan est 203.0.113.17 1 l2tp
Branch#show vpdn session l2tp state
L2TP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Username, Intf/ State Last Chg Uniq ID Vcid
56894 1 35949 test, Vi3 est 00:10:24 6
Branch#show vpdn tunnel l2tp transport
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID Type Prot Local Address Port Remote Address Port
35949 UDP 17 203.0.113.34 1701 203.0.113.17 1701
Branch#show vpdn tunnel l2tp packets
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID Pkts-In Pkts-Out Bytes-In Bytes-Out
35949 154 114 8332 2477
4 L2TP over IPsec VPN
L2TP does not provide strong authentication and confidentiality by itself. It is often used with IPsec protocol to provide strong confidentiality, authentication, and integrity. The combination of these two protocols is generally known as L2TP/IPsec. The IPsec is a protocol suite which is used at upper layer (network layer) to provide secure communication between two peers [7]. This protocol provides IP Security Architecture, Internet Key Exchange (IKE), IPsec Authentication Header (AH) and IPsec Encapsulation Security Payload (ESP). The IKE is the key management protocol while AH and ESP are used to protect IP traffic. It would be discussed in detail in the next part.
4.1 L2TP over IPsec Security
L2TP is used over IPsec then its security is high. The client negotiates the IPsec Security Association (SA) usually through IKE. It is carried out over UDP with port 500. It uses a pre-shared key, public key or certificates for authentication. Transport mode of IPsec is used in this security mechanism. IPsec supports a variety of encryption standards like (DES, 3DES & AES) for data confidentiality. It also supports a range of data integrity protocols like (MD-5 & SHA).
4.2 Encapsulation
The connection is established between two endpoints. Here, L2TP packets are encapsulated by IPsec header as it is displayed in the Fig. 4.1 below.
[Figures and tables are omitted from this preview.]
Figure 4.1 L2TP over IPsec Encapsulation
Since L2TP packet is wrapped within the IPsec header and it does not gather any information about the internal L2TP packet. So, it is not necessary to open UDP port 1701 on firewalls between the endpoints. The inner packet is not acted upon until after IPsec data has been decrypted and stripped which only takes place at the endpoints.
4.3 Router as an L2TP over IPsec VPN Server
4.3.1 Lab Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Test Connectivity
- Configure Router as an L2TP over IPsec VPN Server
- Configure PC as a Microsoft L2TP over IPsec VPN Client
- Try to Connect VPN Client
- Test VPN
4.3.2 Topology
[Figures and tables are omitted from this preview.]
Figure 4.2 L2TP over IPsec VPN Setup
4.3.3 Step-1 IP Addressing
Assign IP addresses on router’s interfaces and PC as mentioned above in topological diagram 4.2. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastEthernet 0/0
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastEthernet 0/1
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.18 YES manual up up
FastEthernet0/1 203.0.113.33 YES manual up up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 203.0.113.16/28 is directly connected, FastEthernet0/0
C 203.0.113.32/28 is directly connected, FastEthernet0/1
Branch:
Branch>enable
Branch#configure terminal
Branch(config)#interface fastEthernet 0/0
Branch(config-if)# ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface fastEthernet 0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#
Branch#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.34 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Branch#
PC:
[Figures and tables are omitted from this preview.]
Figure 4.3 Client IP Addressing
4.3.4 Step-2 Configuring Static IP Routing
Branch:
Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#
Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 203.0.113.33
C 192.168.1.0/24 is directly connected, FastEthernet0/1
C 203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#
4.3.5 Step-3 Testing Connectivity
PC:
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=333ms TTL=254
Reply from 203.0.113.34: bytes=32 time=242ms TTL=254
Reply from 203.0.113.34: bytes=32 time=338ms TTL=254
Reply from 203.0.113.34: bytes=32 time=265ms TTL=254
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 242ms, Maximum = 338ms, Average = 294ms
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Branch:
Branch#ping 203.0.113.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
4.3.6 Step-4 Configuring Router as an L2TP over IPsec VPN
Branch(config)#vpdn enable
Branch(config)#vpdn-group l2tp-vpn
Branch(config-vpdn)#accept-dialin
Branch(config-vpdn-acc-in)#protocol l2tp
Branch(config-vpdn-acc-in)#virtual-template 1
Branch(config-vpdn-acc-in)#exit
Branch(config-vpdn)#exit
Branch(config)#
Branch(config)# ip local pool l2tp-pool 172.16.1.1 172.16.1.50
Branch(config)#username test password 0 test
Branch(config)#interface virtual-template 1
Branch(config-if)#encapsulation ppp
Branch(config-if)# peer default ip address pool l2tp-pool
Branch(config-if)#ip unnumbered fastEthernet 0/1
Branch(config-if)# ppp authentication ms-chap ms-chap-v2
Branch(config-if)#exit
Branch(config)#crypto isakmp policy 5
Branch(config-isakmp)#encryption 3des
Branch(config-isakmp)#hash sha
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#group 2
Branch(config-isakmp)#exit
Branch(config)#
Branch(config)# crypto isakmp key l2tpipsec address 0.0.0.0 0.0.0.0
Branch(config)# crypto ipsec transform-set tset esp-3des esp-sha-hmac
Branch(cfg-crypto-trans)#mode transport
Branch(cfg-crypto-trans)#exit
Branch(config)#crypto dynamic-map dmap 10
Branch(config-crypto-map)#set transform-set tset
Branch(config-crypto-map)#exit
Branch(config)# crypto map l2tpmap 10 ipsec-isakmp dynamic dmap
Branch(config)#interface fastEthernet 0/0
Branch(config-if)#crypto map l2tpmap
Branch(config-if)#^Z
Branch#
4.3.7 Step-5 Configuring & Setting L2TP over IPsec VPN Client
1. Follow Step-6 in L2TP Lab.
2. Click on Advanced Settings and enter the pre-shared key
[Figures and tables are omitted from this preview.]
Figure 4.4 Advanced Properties
3. (Optional, if the operating system is old like Windows XP/2000). Execute mmc.exe command in Run to manage IP security policy.
[Figures and tables are omitted from this preview.]
Figure 4.5 Run
4. Add IP Security Policy Management by choosing Add/Remove Snap-in from File.
[Figures and tables are omitted from this preview.]
Figure 4.6 Console
5. Choose IP Security Policy Management and click Add.
[Figures and tables are omitted from this preview.]
Figure 4.7 Add or Remove
6. When the following screen appears, please choose a Local computer and click Finish.
[Figures and tables are omitted from this preview.]
Figure 4.8 Select Domain
7. The IP Security Policy Management is added in Snap-in Click OK.
[Figures and tables are omitted from this preview.]
Figure 4.9 Add IP Security Policies
8. The IP Security Policy Management is added click OK
[Figures and tables are omitted from this preview.]
Figure 4.10 IP Security Policy Management
9. Select Create IP Security Policy to create a policy for IPSec-VPN from Action.
[Figures and tables are omitted from this preview.]
Figure 4.11 Console
10. When the IP Security Policy Wizard appears, please click Next.
[Figures and tables are omitted from this preview.]
Figure 4.12 IP Security Policy Wizard
11. Type a suitable name in the name field, such as “ L2TP over IPsec” and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.13 IP Security Policy Name
12. Uncheck Activate the default response rule and Click Next.
[Figures and tables are omitted from this preview.]
Figure 4.14 Request for Secure Communication
13. When the following window appears, please check Edit properties and click Finish.
[Figures and tables are omitted from this preview.]
Figure 4.15 Completing IP Security Policy
14. Open IPsec Properties window, there is a default rule “<Dynamic>”. Please click Add.
[Figures and tables are omitted from this preview.]
Figure 4.16 Filter Rules
15. When the Security Rule Wizard appears, please click Next.
[Figures and tables are omitted from this preview.]
Figure 4.17 Creating New Security Rule
16. Select this rule does not specify a tunnel and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.18 Tunnel Endpoint
17. Select All network connections and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.19 Network Type
18. Add an IP Filter list to this rule by clicking Add .
[Figures and tables are omitted from this preview.]
Figure 4.20 Add New Filter List
19. Type IPsec Out as the name and click Add.
[Figures and tables are omitted from this preview.]
Figure 4.21 IP Filter List for Outside
20. When the IP Filter Wizard appears, please click Next.
[Figures and tables are omitted from this preview.]
Figure 4.22 New IP Filter Wizard
21. Type Filter Description and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.23 IP Filter Description
22. Choose A specific IP Address & type the IP address as (Source) and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.24 IP Traffic Source
23. Choose A specific IP Address & type the IP address as (Destination) and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.25 IP Traffic Destination
24. Choose UDP as the protocol type. Click Next.
[Figures and tables are omitted from this preview.]
Figure 4.26 IP Protocol Types
25. Set the port no. as 1701 and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.27 IP Protocol Ports
26. Checkbox Edit properties and Click Finish to completing the IP filter wizard.
[Figures and tables are omitted from this preview.]
Figure 4.28 Completing IP Filter Wizard
27. Click OK to finish the settings.
[Figures and tables are omitted from this preview.]
Figure 4.29 IP Filter Properties
28. Click OK to finish the settings.
[Figures and tables are omitted from this preview.]
Figure 4.30 IP Filter List
29. Choose IPsec Out in the IP Filter list and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.31 IPsec Filter List
30. Click Add to set up action for this rule.
[Figures and tables are omitted from this preview.]
Figure 4.32 New Filter Rule
31. The Filter Action Wizard will appear, then. Please click Next.
[Figures and tables are omitted from this preview.]
Figure 4.33 New IP Security Filter Wizard
32. Type IPsec Out as the name and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.34 Filter Action Name
33. Choose Negotiate security and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.35 General Options
34. Choose Do not communicate…. and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.36 Communicating with Computers
35. Choose Encryption and Integrity and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.37 IP Traffic Security Policies
36. Uncheck Edit properties and click Finish.
[Figures and tables are omitted from this preview.]
Figure 4.38 Completing IP Security Filter Wizard
37. Select IPsec Out from IP Filter list, and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.39 Filter Action
38. Type key as an Authentication Method (preshared key) and Click Next.
[Figures and tables are omitted from this preview.]
Figure 4.40 Authentication Method
39. Choose IPsec Out for Filter Action, and click Next.
[Figures and tables are omitted from this preview.]
Figure 4.41 Completing Security Rule
40. Now you can see IPsec Out rule. Click OK.
[Figures and tables are omitted from this preview.]
Figure 4.42 IPsec Rules
41. Click IP Security Policies on Local Computer
[Figures and tables are omitted from this preview.]
Figure 4.43 New Created Security Policy
42. Choose L2TP over IPsec > Assign from the Console screen.
[Figures and tables are omitted from this preview.]
Figure 4.44 Assigned Policy
43. Now you can see that the policy is activated.
[Figures and tables are omitted from this preview.]
Figure 4.45 Policy Activated
44. Save Setting.
4.3.8 Step-6 Connecting VPN Client
1. After type username & password click connect
[Figures and tables are omitted from this preview.]
Figure 4.46 Connecting
2. The Verifying username and password window appears
[Figures and tables are omitted from this preview.]
Figure 4.47 Verifying
3. The Registering your computer on the network window appears
[Figures and tables are omitted from this preview.]
Figure 4.48 Completing
4. The Connection Status window
[Figures and tables are omitted from this preview.]
Figure 4.49 Connection Status
4.3.9 Step-7 Testing
PC:
[Figures and tables are omitted from this preview.]
Figure 4.50 Connection Details
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=237ms TTL=255
Reply from 192.168.1.1: bytes=32 time=360ms TTL=255
Reply from 192.168.1.1: bytes=32 time=340ms TTL=255
Reply from 192.168.1.1: bytes=32 time=314ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 237ms, Maximum = 360ms, Average = 312ms
Branch:
Branch#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!.!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 184/210/248 ms
Branch#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.34 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Virtual-Access1 unassigned YES unset down down
Virtual-Access2 unassigned YES unset up up
Virtual-Access2.1 192.168.1.1 YES unset up up
Virtual-Template1 192.168.1.1 YES unset down down
Branch#show vpdn group
VPDN group l2tp
Group session limit 65535 Active sessions 1 Active tunnels 1
Branch#show vpdn tunnel l2tp state
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID RemTunID Local Name Remote Name State Last-Chg
47589 1 Branch zeeshan est 00:10:55
Branch#show vpdn tunnel l2tp summary
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class
47589 1 zeeshan est 203.0.113.17 1 l2tp
Branch#show vpdn tunnel transport
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID Type Prot Local Address Port Remote Address Port
47589 UDP 17 203.0.113.34 1701 203.0.113.17 1701
Branch#show interfaces virtual-access 2.1
Virtual-Access2.1 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP
PPPoVPDN vaccess, cloned from Virtual-Template1
Vaccess status 0x0
Protocol l2tp, tunnel id 47589, session id 981
Keepalive set (10 sec)
151 packets input, 8066 bytes
132 packets output, 3575 bytes
Last clearing of "show interface" counters never
Branch#show vpdn tunnel packets
L2TP Tunnel Information Total tunnels 1 sessions 1
LocTunID Pkts-In Pkts-Out Bytes-In Bytes-Out
47589 215 215 13074 6727
Branch#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 203.0.113.17 port 500
IKE SA: local 203.0.113.34/500 remote 203.0.113.17/500 Active
IPSEC FLOW: permit 17 host 203.0.113.34 host 203.0.113.17 port 1701
Active SAs: 2, origin: dynamic crypto map
Branch#show crypto session brief
Status: A-Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status
203.0.113.17 Fa0/0 203.0.113.17 00:12:02 UA
Branch#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 0.0.0.0 [0.0.0.0 ] l2tpipsec
Branch#show crypto isakmp sa count
Active ISAKMP SA's: 1
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0
Branch#show crypto isakmp peers
Peer: 203.0.113.17 Port: 500 Local: 203.0.113.34
Phase1 id: 203.0.113.17
Branch#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
203.0.113.34 203.0.113.17 QM_IDLE 1001 ACTIVE
Branch#show crypto ipsec transform-set
Transform set tset: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
Branch#show crypto isakmp policy
Global IKE policy
Protection suite of priority 5
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Branch#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: l2tp, local addr 203.0.113.34
protected vrf: (none)
local ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/17/0)
remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/17/1701)
current_peer 203.0.113.17 port 500
PERMIT, flags={}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
local crypto endpt.: 203.0.113.34, remote crypto endpt.: 203.0.113.17
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xB495FFE2(3029729250)
PFS (Y/N): N, DH group: none
[Output omitted]
PC:
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=237ms TTL=255
Reply from 192.168.1.1: bytes=32 time=360ms TTL=255
Reply from 192.168.1.1: bytes=32 time=340ms TTL=255
Reply from 192.168.1.1: bytes=32 time=314ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 237ms, Maximum = 360ms, Average = 312ms
Branch#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: l2tp, local addr 203.0.113.34
protected vrf: (none)
local ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/17/0)
remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/17/1701)
current_peer 203.0.113.17 port 500
PERMIT, flags={}
#pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
#pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
Branch#show crypto map
Crypto Map "l2tpmap" 10 ipsec-isakmp
Dynamic map template tag: dmap
Crypto Map "l2tpmap" 65536 ipsec-isakmp
Peer = 203.0.113.17
Extended IP access list
access-list permit udp host 203.0.113.34 host 203.0.113.17 port = 1701
dynamic (created from dynamic map dmap/10)
Current peer: 203.0.113.17
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
tset: { esp-3des esp-sha-hmac } ,
}
Interfaces using crypto map l2tpmap:
FastEthernet0/0
5 IPsec VPN
Internet Protocol Security (IPsec) is a network security protocol suite. It provides strong authentication, data encryption, data origin authentication and data integrity features. It can use as network-to-network, host-to-host, and host-to-network over the public network (Internet). It works at the network layer of the OSI model to provide end-to-end security. In 1992, IETF started to create an open and freely available security protocol for Internet Protocol (IP). It is officially standardized by IETF. It was specified in RFC 1825 [8]. The IP is used at the network layer of the OSI model to deliver datagrams over the public network. There are two versions of IP: IPv4 and IPv6. IPv4 is a 32-bits while IPv6 is a 128-bits IP addressing protocol. The Network Address Translation (NAT) is used with IPv4 in private networks to save the public IP addresses as well as to provide security in a way that it hides the public addresses during communication. Today, NAT is widely deployed in home gateways, as well as in other locations likely to be used by telecommuters, such as hotels [9].
The fast growth of the Internet has shattered the IPv4 addresses. In 1990, the IETF has introduced IPv6 protocol with new features in terms of simple header format, larger address space, built-in security, efficient routing and better QoS [10]. The Internet Service Providers (ISPs) are trying to replace their IPv4 networks with IPv6 gradually. This transition is very slow because there are millions of devices in around the world. IPv6 is a next-generation IP network. IPsec provides security to both versions of IP. In this project, the focus is on IPv4.
5.1 IPsec Security Architecture
IPsec is an open standard protocol suite. It uses different types of protocols to provide security. These protocols are: Authentication Header (AH), Encapsulating Security Payloads (ESP), Security Associations (SA), Internet Security Association and Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE & IKEv2).
The AH provides the connectionless data integrity, data origin authentication for IP datagrams and protection against replays [11]. It does not encrypt data packets. The text is transported in clear text. Data integrity means, it assures that the data will not alter during the transmission over the network. Before sending the data, it calculates 32-bits numeric and unique hash value of data by using different hashing algorithms like (MD5, SHA-1) and sends this hash value along with data. Hashing is a one-way process [12]. On the receiving side, it verifies the hash value by re-calculating the hash value of the received data. If both hash values are equal then it means that the integrity of the data is maintained and there is no any tampering with data during transmission over the network while if the hash value does not same then it means that the integrity has intercepted and the receiver will discard the data. The anti-replay protection ensures that each packet must be unique and no duplication by using sequence numbers. The origin authentication means that to know who is on another side. The device on the other side of the tunnel must be verified before the path is considered secure. The sender sends data (certificate) after encryption with its private key and that data is verified at receiver end by decrypt with sender’s public key for authentication. There are three authentication methods:
1. Pre-shared Key
2. RSA Signature
3. RSA Encryption Nonce
In pre-shared key authentication, the same key is used to configure each peer in IPsec. In RSA signature authentication, different keys (private key & public key) are used to encrypt or decrypt digitally. It is also called digital certificates. These digital signature and digital certificates are forwarded to the other side. Finally, RSA encryption nonce authentication, nonce (a random number generated by the peer) is encrypted and exchanged between peers, this nonce is used during the authentication peer process.
The ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service and limited traffic flow confidentiality [13]. The set of services, is provided, depends on options selected at the time of Security Association (SA) establishment. It encrypts the payload to provide confidentiality. It supports several encryption algorithms. Most of the algorithms are symmetric. The DES (56-bits) is a basic and symmetric encryption algorithm, however, it also supports 3DES and AES for stronger encryption. The ESP can be used alone or with the combination of AH.
The SA is a logical group of security parameters. It is used to establish and share security attributes between two entities to provide secure communication. These attributes are cryptographic algorithm, mode and encryption key. The SA is established by using ISAKMP.
The ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations [14]. It only provides a framework for authentication and key exchange. It is implemented by manual configuration with pre-shared key or IKE.
During the establishment of a secure connection between two nodes, it is needed to share some security parameters such as keys over the network. Two methods are used for key exchange: manual and automatic. Manual method does not secure nor scales well [15]. Therefore, a protocol is needed to exchange or establish security parameters dynamically. The IKE is the protocol used to set up a security association dynamically. It uses X.509 certificates for authentication either pre-shared or distributed and a “Diffie–Hellman” key exchange algorithm to share a secret key between nodes over the public network.
5.2 Encapsulation
IPsec can be configured in two different modes and they are:
1. Transport Mode
2. Tunnel Mode
The transport mode is used to provide end-to-end security. The communication between a client and a server is the best example of end-to-end. In this mode, only the payload of the IP packet is usually encrypted or authenticated. The original IP header is not encrypted nor modified except that the IP protocol field is changed to ESP (50) or AH (51). The payload is encapsulated by the IPsec ESP headers & trailers as it is displayed in the Fig.5.1. It is usually used when another tunneling protocol (like GRE, L2TP) is used to first encapsulate the IP data packet, then IPsec is used to protect the other tunnel packets. The IPsec protects the GRE or L2TP tunnel traffic in transport mode. The ESP is identified in the original IP header with an IP protocol ID of 50.
[Figures and tables are omitted from this preview.]
Figure 5.1 Transport Mode IPsec Encapsulation
The tunnel mode is the default mode. It is used to provide security between gateways (Router, PIX or ASA). In this mode, the entire original IP packet is protected. The entire IP packet is encapsulated with IPsec ESP headers & trailers, adds a new IP header and sends it to the other side of the tunnel as it is shown in the Fig. 5.2. The ESP is identified in the New IP header with an IP protocol ID of 50. The tunnel mode supports NAT traversal.
[Figures and tables are omitted from this preview.]
Figure 5.2 Tunnel Mode IPsec Encapsulation
5.3 Site-to-Site IPsec VPN b/w Routers
5.3.1 Lab Objectives
- Assign IP addresses according to the topology
- Configure IP Routing
- Configure NAT
- Test Connectivity
- Configure IPsec VPN Tunnel on both sides
- Test VPN
5.3.2 Topology
[Figures and tables are omitted from this preview.]
Figure 5.3 Site-to-Site IPsec VPN Setup
5.3.3 Step-1 IP Addressing
Assign IP addresses on router’s interfaces and PCs as mentioned above in topological diagram 5.3. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastEthernet 0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastEthernet 0/1
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.33 YES manual up up
FastEthernet0/1 203.0.113.18 YES manual up up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 203.0.113.32/28 is directly connected, FastEthernet0/0
C 203.0.113.16/28 is directly connected, FastEthernet0/1
Branch-1:
Branch-1>enable
Branch-1#configure terminal
Branch-1(config)#interface fastEthernet 0/0
Branch-1(config-if)# ip address 203.0.113.17 255.255.255.240
Branch-1(config-if)#no shutdown
Branch-1(config-if)#exit
Branch-1(config)#interface fastEthernet 0/1
Branch-1(config-if)# ip address 192.168.1.1 255.255.255.0
Branch-1(config-if)#no shutdown
Branch-1(config-if)#^Z
Branch-1#
Branch-1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.17 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Branch-1#
Branch-2:
Branch-2>enable
Branch-2#configure terminal
Branch-2(config)#interface fastEthernet 0/1
Branch-2(config-if)# ip address 203.0.113.34 255.255.255.240
Branch-2(config-if)#no shutdown
Branch-2(config-if)#exit
Branch-2(config)#interface fastEthernet 0/0
Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)#no shutdown
Branch-2(config-if)#^Z
Branch-2#
Branch-2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.2.1 YES manual up up
FastEthernet0/1 203.0.113.34 YES manual up up
Branch-2#
PC-1:
[Figures and tables are omitted from this preview.]
Figure 5.4 PC-1 IP Addressing
PC-2:
[Figures and tables are omitted from this preview.]
Figure 5.5 PC-2 IP Addressing
5.3.4 Step-2 Configuring Static IP Routing
Branch-1:
Branch-1#ping 203.0.113.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
. . . . .
Success rate is 0 percent (0/5)
Branch-1#
Branch-1(config)# ip route 203.0.113.32 255.255.255.240 203.0.113.18
Branch-1(config)#exit
Branch-1#
Branch-1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
203.0.113.0/28 is subnetted, 2 subnets
S 203.0.113.32 [1/0] via 203.0.113.18
C 203.0.113.16 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/1
Branch-1#
Branch-2:
Branch-2(config)# ip route 203.0.113.16 255.255.255.240 203.0.113.33
Branch-2(config)#exit
Branch-2#
Branch-2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
203.0.113.0/28 is subnetted, 2 subnets
C 203.0.113.32 is directly connected, FastEthernet0/1
S 203.0.113.16 [1/0] via 203.0.113.33
C 192.168.2.0/24 is directly connected, FastEthernet0/0
Branch-2#
Branch-2#ping 203.0.113.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/63/124 ms
Branch-2#
5.3.5 Step-3 Configuring NAT
PC-1:
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C :\>
Branch-1:
Branch-1(config)# ip nat inside source list 10 interface fastEthernet 0/0 overload
Branch-1(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Branch-1(config)#interface fastEthernet 0/0
Branch-1(config-if)#ip nat outside
Branch-1(config-if)#exit
Branch-1(config)#interface fastEthernet 0/1
Branch-1(config-if)#ip nat inside
Branch-1(config-if)#^Z
Branch-1#
Branch-2:
Branch-2(config)# ip nat inside source list 20 interface fastEthernet 0/1 overload
Branch-2(config)# access-list 20 permit 192.168.2.0 0.0.0.255
Branch-2(config)#interface fastEthernet 0/1
Branch-2(config-if)#ip nat outside
Branch-2(config-if)#exit
Branch-2(config)#interface fastEthernet 0/0
Branch-2(config-if)#ip nat inside
Branch-2(config-if)#^Z
Branch-2#
PC-1
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=387ms TTL=254
Reply from 203.0.113.34: bytes=32 time=147ms TTL=254
Reply from 203.0.113.34: bytes=32 time=91ms TTL=254
Reply from 203.0.113.34: bytes=32 time=98ms TTL=254
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 91ms, Maximum = 387ms, Average = 180ms
C :\>
Branch-1:
Branch-1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 203.0.113.17:1280 192.168.1.2:1280 203.0.113.34:1280 203.0.113.34:1280
Branch-1#show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet0/1
Hits: 19 Misses: 3
Expired translations: 2
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 interface FastEthernet0/0 refcount 1
Branch-1#
5.3.6 Step-4 Testing Connectivity
PC-1:
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=91ms TTL=254
Reply from 203.0.113.34: bytes=32 time=89ms TTL=254
Reply from 203.0.113.34: bytes=32 time=79ms TTL=254
Reply from 203.0.113.34: bytes=32 time=89ms TTL=254
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 79ms, Maximum = 91ms, Average = 87ms
C:\>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C :\>
5.3.7 Step-5 Configuring Site-to-Site IPsec VPN Tunnel
Branch-1:
Branch-1(config)#crypto isakmp policy 10
Branch-1(config-isakmp)#encryption des
Branch-1(config-isakmp)#hash md5
Branch-1(config-isakmp)#authentication pre-share
Branch-1(config-isakmp)#group 2
Branch-1(config-isakmp)#exit
Branch-1(config)# crypto isakmp key testipsecvpn address 203.0.113.34
Branch-1(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac
Branch-1(cfg-crypto-trans)#exit
Branch-1(config)#crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Branch-1(config-crypto-map)#set peer 203.0.113.34
Branch-1(config-crypto-map)#set transform-set tset
Branch-1(config-crypto-map)#match address 101
Branch-1(config-crypto-map)#exit
Branch-1(config)#ip access-list extended 101
Branch-1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
Branch-1(config-ext-nacl)#exit
Branch-1(config)# ip route 192.168.2.0 255.255.255.0 203.0.113.18
Branch-1(config)#interface fastEthernet 0/0
Branch-1(config-if)#crypto map smap
Branch-1(config-if)#^Z
Branch-1#
Branch-2:
Branch-2(config)#crypto isakmp policy 10
Branch-2(config-isakmp)#encryption des
Branch-2(config-isakmp)#hash md5
Branch-2(config-isakmp)#authentication pre-share
Branch-2(config-isakmp)#group 2
Branch-2(config-isakmp)#exit
Branch-2(config)# crypto isakmp key testipsecvpn address 203.0.113.17
Branch-2(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac
Branch-2(cfg-crypto-trans)#exit
Branch-2(config)#crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Branch-2(config-crypto-map)#set peer 203.0.113.17
Branch-2(config-crypto-map)#set transform-set tset
Branch-2(config-crypto-map)#match address 102
Branch-2(config-crypto-map)#exit
Branch-2(config)#ip access-list extended 102
Branch-2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 any
Branch-2(config-ext-nacl)#exit
Branch-2(config)# ip route 192.168.1.0 255.255.255.0 203.0.113.33
Branch-2(config)#interface fastEthernet 0/1
Branch-2(config-if)#crypto map smap
Branch-2(config-if)#^Z
Branch-2#
5.3.8 Step-6 Testing
PC-1:
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=112ms TTL=254
Reply from 203.0.113.34: bytes=32 time=89ms TTL=254
Reply from 203.0.113.34: bytes=32 time=98ms TTL=254
Reply from 203.0.113.34: bytes=32 time=74ms TTL=254
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 74ms, Maximum = 112ms, Average = 93ms
C:\>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Reply from 203.0.113.34: bytes=32 time=105ms TTL=254
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 90ms, Maximum = 105ms, Average = 93ms
C:\>
Branch-1:
Branch-1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 203.0.113.17:1280 192.168.1.2:1280 192.168.2.1:1280 192.168.2.1:1280
icmp 203.0.113.17:1280 192.168.1.2:1280 203.0.113.34:1280 203.0.113.34:1280
Branch-1#show crypto isakmp sa
dst src state conn-id slot
203.0.113.34 203.0.113.17 QM_IDLE 1 0
Branch-1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: smap, local addr. 203.0.113.17
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 203.0.113.34
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 203.0.113.17, remote crypto endpt.: 203.0.113.34
path mtu 1500, media mtu 1500
[Output omitted]
Branch-1#show crypto isakmp policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56-bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Branch-1#show crypto map
Crypto Map "smap" 10 ipsec-isakmp
Peer = 203.0.113.34
Extended IP access list 101
access-list 101 permit ip any any
Current peer: 203.0.113.34
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ tset, }
Interfaces using crypto map smap:
FastEthernet0/0
Branch-1#show crypto ipsec transform-set
Transform set tset: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
5.4 Site-to-Site IPsec VPN b/w PIX & ASA
5.4.1 Lab Objectives
- Assign IP addresses according to the topology
- Configure IP Routing
- Test Connectivity
- Configure IPsec Tunnel on both Sides
- Test VPN
5.4.2 Topology
[Figures and tables are omitted from this preview.]
Figure 5.6 Site-to-Site IPsec VPN Setup
5.4.3 Step-1 IP Addressing
Assign IP addresses as given above in topological diagram 5.6 on router’s interfaces, PIX and ASA. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface Ethernet 0/0
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface Ethernet 0/1
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 203.0.113.18 YES NVRAM up up
Ethernet0/1 203.0.113.33 YES NVRAM up up
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 203.0.113.16/28 is directly connected, Ethernet0/0
C 203.0.113.32/28 is directly connected, Ethernet0/1
Internet#
PIX:
pixfirewall>enable
pixfirewall#show version
Cisco PIX Security Appliance Software Version 8.0(2)
Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "Unknown, monitor mode TFTP booted image"
Config file at boot was "startup-config"
pixfirewall up 7 secs
Hardware: PIX-525, 128 MB RAM, CPU Pentium II 1 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: Ext: Ethernet0 : address is 00ab.15a8.0c00, irq 9
1: Ext: Ethernet1 : address is 0000.abc1.3101, irq 11
pixfirewall#configuration terminal
pixfirewall(config)#interface ethernet 1
pixfirewall(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
pixfirewall(config-if)#no shutdown
pixfirewall(config-if)# ip address 192.168.2.1 255.255.255.0
pixfirewall(config-if)#exit
pixfirewall(config)#interface ethernet 0
pixfirewall(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
pixfirewall(config-if)#no shutdown
pixfirewall(config-if)# ip address 203.0.113.34 255.255.255.240
pixfirewall(config-if)#exit
pixfirewall(config)#exit
pixfirewall#
pixfirewall#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.2.0 255.255.255.0 is directly connected, inside
C 203.0.113.32 255.255.255.240 is directly connected, outside
pixfirewall#show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 203.0.113.34 YES manual up up
Ethernet1 192.168.2.1 YES manual up up
pixfirewall#
ASA:
ciscoasa>enable
ciscoasa#show version
Cisco Adaptive Security Appliance Software Version 8.0(2)
Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa up 8 secs
Hardware: ASA5520, 128 MB RAM, CPU Pentium II 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
0: Ext: Ethernet0/0 : address is 00ab.b46c.e500, irq 255
1: Ext: Ethernet0/1 : address is 0000.abb2.3f01, irq 255
ciscoasa#configure terminal
ciscoasa(config)#interface ethernet 0/0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 203.0.113.17 255.255.255.240
ciscoasa(config-if)#exit
ciscoasa(config)#interface ethernet 0/1
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#
ciscoasa#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 203.0.113.16 255.255.255.240 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
ciscoasa#show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 203.0.113.17 YES manual up up
Ethernet0/1 192.168.1.1 YES manual up up
ciscoasa#
5.4.4 Step-2 Configuring Static IP Routing
PIX:
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.33
pixfirewall(config)# access-list 101 permit icmp any any
pixfirewall(config)# access-group 101 in interface outside
pixfirewall(config)#exit
pixfirewall#
pixfirewall#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
C 192.168.2.0 255.255.255.0 is directly connected, inside
C 203.0.113.32 255.255.255.240 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.33, outside
ASA:
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.18
ciscoasa(config)#access-list 101 permit icmp any any
ciscoasa(config)#access-group 101 in interface outside
ciscoasa(config)#exit
ciscoasa#
ciscoasa#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.18 to network 0.0.0.0
C 203.0.113.16 255.255.255.240 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.18, outside
5.4.5 Step-3 Testing Connectivity
ASA:
ciscoasa#ping 203.0.113.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/40/50 ms
ciscoasa#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#
PIX:
pixfirewall#ping 203.0.113.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/72/80 ms
pixfirewall#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/72/80 ms
Pixfirewall#
5.4.6 Step-4 Configuring IPsec Tunnel
ASA:
ciscoasa(config)#crypto isakmp enable outside
ciscoasa(config)#crypto isakmp policy 10
ciscoasa(config-isakmp-policy)#authentication pre-share
ciscoasa(config-isakmp-policy)#encryption des
ciscoasa(config-isakmp-policy)#hash md5
ciscoasa(config-isakmp-policy)#group 2
ciscoasa(config-isakmp-policy)#exit
ciscoasa(config)# access-list smap extended permit ip any any
ciscoasa(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac
ciscoasa(config)#crypto map smap 1 match address smap
ciscoasa(config)# crypto map smap 1 set peer 203.0.113.34
ciscoasa(config)# crypto map smap 1 set transform-set tset
ciscoasa(config)#crypto map smap interface outside
ciscoasa(config)# tunnel-group 203.0.113.34 type ipsec-l2l
ciscoasa(config)# tunnel-group 203.0.113.34 ipsec-attributes
ciscoasa(config-tunnel-ipsec)#pre-shared-key cisco
ciscoasa(config-tunnel-ipsec)#exit
ciscoasa(config)#exit
ciscoasa#
PIX:
pixfirewall(config)#isakmp enable outside
pixfirewall(config)#isakmp policy 10
pixfirewall(config-isakmp-policy)#authentication pre-share
pixfirewall(config-isakmp-policy)#encryption des
pixfirewall(config-isakmp-policy)#hash md5
pixfirewall(config-isakmp-policy)#group 2
pixfirewall(config-isakmp-policy)#exit
pixfirewall(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac
pixfirewall(config)#access-list 105 permit ip any any
pixfirewall(config)# crypto map smap 1 match address 105
pixfirewall(config)# crypto map smap 1 set peer 203.0.113.17
pixfirewall(config)# crypto map smap 1 set transform-set tset
pixfirewall(config)#crypto map smap interface outside
pixfirewall(config)# isakmp key cisco address 203.0.113.17 netmask 255.255.255.255
pixfirewall(config)#exit
pixfirewall#
5.4.7 Step-5 Testing
ASA:
ciscoasa#ping 203.0.113.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 30/50/80 ms
ciscoasa#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/52/80 ms
ciscoasa#show crypto ipsec sa
interface: outside
Crypto map tag: smap, seq num: 1, local addr: 203.0.113.17
access-list smap permit ip any any
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 203.0.113.34
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 203.0.113.17, remote crypto endpt.: 203.0.113.34
[Output ommitted]
ciscoasa#show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 203.0.113.34
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ciscoasa#
PIX:
pixfirewall#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 90/126/170 ms
pixfirewall#
5.5 Remote Access IPsec VPN with Router (Easy VPN)
5.5.1 Lab Objectives
- Assign IP addresses according to the topology
- Configure IP Routing
- Test Connectivity
- Configure Router as an IPsec VPN Server
- Install & Configure CISCO IPsec VPN Client
- Connect VPN Client
- Test VPN
5.5.2 Topology
[Figures and tables are omitted from this preview.]
Figure 5.7 Remote Access IPsec VPN Setup
5.5.3 Step-1 IP Addressing
Assign IP addresses on router’s interfaces and PCs as mentioned above in topological diagram 5.7. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastEthernet 0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastEthernet 0/1
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.33 YES manual up up
FastEthernet0/1 203.0.113.18 YES manual up up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 203.0.113.32/28 is directly connected, FastEthernet0/0
C 203.0.113.16/28 is directly connected, FastEthernet0/1
H.Office:
H.Office>enable
H.Office#configure terminal
H.Office(config)#interface fastEthernet 0/1
H.Office(config-if)# ip address 203.0.113.34 255.255.255.240
H.Office(config-if)#no shutdown
H.Office(config-if)#exit
H.Office(config)#interface fastEthernet 0/0
H.Office(config-if)# ip address 192.168.1.1 255.255.255.0
H.Office(config-if)#no shutdown
H.Office(config-if)#^Z
H.Office#
H.Office#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES manual up up
FastEthernet0/1 203.0.113.34 YES manual up up
H.Office#
PC:
Figure 5.8 Client IP Addressing
5.5.4 Step-2 Configuring Static IP Routing
H.Office:
H.Office(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
H.Office(config)#exit
H.Office#
H.Office#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 203.0.113.33
C 192.168.2.0/24 is directly connected, FastEthernet0/0
C 203.0.113.32/28 is directly connected, FastEthernet0/1
H.Office#
5.5.5 Step-3 Testing Connectivity
PC:
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=149ms TTL=253
Reply from 203.0.113.34: bytes=32 time=83ms TTL=253
Reply from 203.0.113.34: bytes=32 time=75ms TTL=253
Reply from 203.0.113.34: bytes=32 time=66ms TTL=253
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 66ms, Maximum = 149ms, Average = 93ms
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C :\>
5.5.6 Step-4 Configuring Remote Access IPsec VPN Tunnel
H.Office:
H.Office(config)#username test password 0 test
H.Office(config)#aaa new-model
H.Office(config)# aaa authentication login IPSec_VPN local
H.Office(config)# aaa authorization network IPSec_VPN local
H.Office(config)# ip local pool vpn-pool 192.168.1.10 192.168.1.50
H.Office(config)#ip route 192.168.1.0 255.255.255.0 fastEthernet 0/1
H.Office(config)#crypto isakmp policy 10
H.Office(config-isakmp)#encryption des
H.Office(config-isakmp)#hash md5
H.Office(config-isakmp)#authentication pre-share
H.Office(config-isakmp)#group 2
H.Office(config-isakmp)#exit
H.Office(config)#
H.Office(config)# crypto isakmp client configuration group testipsec
H.Office(config-isakmp-group)#key abcde
H.Office(config-isakmp-group)#pool vpn-pool
H.Office(config-isakmp-group)#netmask 255.255.255.0
H.Office(config-isakmp-group)#exit
H.Office(config)#
H.Office(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac
H.Office(cfg-crypto-trans)#exit
H.Office(config)#
H.Office(config)#crypto dynamic-map dmap 10
H.Office(config-crypto-map)#set transform-set tset
H.Office(config-crypto-map)#reverse-route
H.Office(config-crypto-map)#exit
H.Office(config)#
H.Office(config)# crypto map smap 10 ipsec-isakmp dynamic dmap
H.Office(config)# crypto map smap isakmp authorization list IPSec_VPN
H.Office(config)# crypto map smap client authentication list IPSec_VPN
H.Office(config)# crypto map smap client configuration address respond
H.Office(config)#interface fastEthernet 0/1
H.Office(config-if)#crypto map smap
H.Office(config-if)#^Z
H.Office#
5.5.7 Step-5 Installing & Setting CISCO IPsec VPN Client
1. Download and run executable file of VPN client. Installation Wizard.
[Figures and tables are omitted from this preview.]
Figure 5.9 CISCO VPN Client Installing Wizard
2. Accept License Agreement and Click Next.
[Figures and tables are omitted from this preview.]
Figure 5.10 License Agreement
3. Select Destination Folder and Click Next
[Figures and tables are omitted from this preview.]
Figure 5.11 Folder Setting
4. Click Next and to Begin Installation
[Figures and tables are omitted from this preview.]
Figure 5.12 Installing Application
5. Installation is Starting
[Figures and tables are omitted from this preview.]
Figure 5.13 Installing
6. The installation has been completed successfully
[Figures and tables are omitted from this preview.]
Figure 5.14 Completed
7. After installing, Open VPN Client
[Figures and tables are omitted from this preview.]
Figure 5.15 VPN Client Interface
8. Select Connection Entries > New
[Figures and tables are omitted from this preview.]
Figure 5.16 New Setting
9. Fill in the details of your new connection and Save
[Figures and tables are omitted from this preview.]
Figure 5.17 Client Disconnect Status
5.5.8 Step-6 Connecting IPsec VPN Client
1. Select the newly created connection and click Connect
[Figures and tables are omitted from this preview.]
Figure 5.18 Connecting
2. Contacting the Security Gateway, if connect, then require authentication
[Figures and tables are omitted from this preview.]
Figure 5.19 Authentication
3. Enter Username & Password, which you configured on Server
[Figures and tables are omitted from this preview.]
Figure 5.20 User Name & Password
4. If Username & Password verified, Status: Connected
[Figures and tables are omitted from this preview.]
Figure 5.21 Connected Status
5.5.9 Step-7 Testing
1. Once the connection is successfully established select Statistics from the Status menu to verify the details of the tunnel
[Figures and tables are omitted from this preview.]
Figure 5.22 Tunnel Details
PC:
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=149ms TTL=253
Reply from 192.168.1.1: bytes=32 time=83ms TTL=253
Reply from 192.168.1.1: bytes=32 time=75ms TTL=253
Reply from 192.168.1.1: bytes=32 time=66ms TTL=253
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 66ms, Maximum = 149ms, Average = 93ms
5.6 Remote Access IPsec VPN with ASA (Easy VPN)
5.6.1 Lab Objectives
- Assign IP addresses according to the topology
- Configure NAT
- Configure IP Routing
- Test Connectivity
- Configure ASA as an IPsec VPN Server
- Install & Configure CISCO IPsec VPN Client
- Connect VPN Client
- Test VPN
5.6.2 Topology
[Figures and tables are omitted from this preview.]
Figure 5.23 Remote Access IPsec VPN Setup
5.6.3 Step-1 IP Addressing
Assign IP addresses on router’s interfaces, ASA, and PC as mentioned above in topological diagram 5.23. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface ethernet 0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface ethernet 0/1
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 203.0.113.33 YES manual up up
Ethernet0/1 203.0.113.18 YES manual up up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 203.0.113.32/28 is directly connected, Ethernet0/0
C 203.0.113.16/28 is directly connected, Ethernet0/1
ASA:
ciscoasa>enable
ciscoasa#configure terminal
ciscoasa(config)#interface ethernet 0/0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 203.0.113.34 255.255.255.240
ciscoasa(config-if)#exit
ciscoasa(config)#interface ethernet 0/1
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#
ciscoasa#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 203.0.113.32 255.255.255.240 is directly connected, outside
C 192.168.2.0 255.255.255.0 is directly connected, inside
ciscoasa#show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 203.0.113.34 YES manual up up
Ethernet0/1 192.168.2.1 YES manual up up
ciscoasa#
5.6.4 Step-2 Configuring NAT
ciscoasa(config)# nat (inside) 1 192.168.2.0 255.255.255.0
ciscoasa(config)#global (outside) 1 interface
INFO: outside interface address added to PAT pool
ciscoasa(config)#exit
ciscoasa#
ciscoasa#show nat
NAT policies on Interface inside:
match ip inside 192.168.2.0 255.255.255.0 outside any
dynamic translation to pool 1 (203.0.113.34 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.2.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
ciscoasa#
5.6.5 Step-3 Configuring Static IP Routing
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.33
ciscoasa(config)#access-list 101 permit icmp any any
ciscoasa(config)#access-group 101 in interface outside
ciscoasa(config)#exit
ciscoasa#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
C 203.0.113.32 255.255.255.240 is directly connected, outside
C 192.168.2.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.33, outside
ciscoasa#
5.6.6 Step-4 Testing Connectivity
PC:
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=140ms TTL=254
Reply from 203.0.113.34: bytes=32 time=39ms TTL=254
Reply from 203.0.113.34: bytes=32 time=128ms TTL=254
Reply from 203.0.113.34: bytes=32 time=32ms TTL=254
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 32ms, Maximum = 140ms, Average = 84ms
C:\>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
5.6.7 Step-5 Configuring ASA as IPsec VPN Server
ciscoasa(config)#group-policy test internal
ciscoasa(config)#group-policy test attributes
ciscoasa(config-group-policy)#exit
ciscoasa(config)#username ahmad password 12345
ciscoasa(config)#username ahmad attributes
ciscoasa(config-username)#exit
ciscoasa(config)#
ciscoasa(config)#isakmp enable outside
ciscoasa(config)#crypto isakmp policy 10
ciscoasa(config-isakmp-policy)#authentication pre-share
ciscoasa(config-isakmp-policy)#encryption des
ciscoasa(config-isakmp-policy)#hash md5
ciscoasa(config-isakmp-policy)#group 2
ciscoasa(config-isakmp-policy)#exit
ciscoasa(config)#
ciscoasa(config)# ip local pool mypool 172.16.1.1-172.16.1.50
ciscoasa(config)#tunnel-group mygroup type ipsec-ra
ciscoasa(config)#tunnel-group mygroup ipsec-attributes
ciscoasa(config-tunnel-ipsec)#pre-shared-key cisco
ciscoasa(config-tunnel-ipsec)#exit
ciscoasa(config)# tunnel-group mygroup general-attributes
ciscoasa(config-tunnel-general)#address-pool mypool
ciscoasa(config-tunnel-general)#exit
ciscoasa(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac
ciscoasa(config)# crypto dynamic-map dmap 10 set transform-set tset
ciscoasa(config)# crypto map smap 10 ipsec-isakmp dynamic dmap
ciscoasa(config)#crypto map smap interface outside
ciscoasa(config)#aaa-server myserver protocol tacacs+
ciscoasa(config-aaa-server-group)#exit
ciscoasa(config)# aaa-server myserver (inside) host 192.168.2.2 cisco
ciscoasa(config-aaa-server-host)#exit
ciscoasa(config)#tunnel-group test type ipsec-ra
ciscoasa(config)#tunnel-group test general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group myserver
ciscoasa(config-tunnel-general)#exit
ciscoasa(config)# access-list 110 permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
ciscoasa(config)#nat (inside) 0 access-list 110
ciscoasa(config)#exit
ciscoasa#
5.6.8 Step-6 Configuring VPN Client
Configure CISCO VPN client setting such that group name, username and password information according to above mention in step-5 setting. Setting detail is available in previous lab.
5.6.9 Step-7 Connecting VPN Client
Now, try to connect VPN client and enter username and password according to defined in this lab.
5.6.10 Step-8 Testing
PC:
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=149ms TTL=253
Reply from 203.0.113.34: bytes=32 time=83ms TTL=253
Reply from 203.0.113.34: bytes=32 time=75ms TTL=253
Reply from 203.0.113.34: bytes=32 time=66ms TTL=253
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 66ms, Maximum = 149ms, Average = 93ms
C:\>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Reply from 203.0.113.34: bytes=32 time=105ms TTL=254
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Reply from 203.0.113.34: bytes=32 time=90ms TTL=254
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 90ms, Maximum = 105ms, Average = 93ms
C:\>
1. Once the connection is successfully established select Statistics from the Status menu to verify the details of the tunnel
[Figures and tables are omitted from this preview.]
Figure 5.24 Tunnel Details
6 GRE VPN
Generic Routing Encapsulation (GRE) is a generic and point-to-point tunnel. It is developed by CISCO systems. It is a static tunnel. Generic means, it allows many other protocols to be encapsulated in IP [16]. It works at the network layer of the OSI reference model. Its specification was described in RFC 2784.
6.1 GRE Security
GRE provides a stateless, private connection. It is not considered a secure protocol because it does not use encryption like the IP Security (IPsec). It works with other protocol to provide security. The IPsec protocol is often used with GRE to provide strong confidentiality, authentication, and integrity. The combination of these two protocols is generally known as IPsec over GRE. When GRE traffic is passed through a firewall then the firewall will block this type of traffic by default. A network administrator needs to open protocol type 47 datagrams which are coming or going to the remote tunnel endpoints.
6.2 Encapsulation
A GRE header causes an extra overhead of 8 to 16 bytes. In the first phase, the payload is encapsulated in a GRE header as it is shown in the Fig. 6.1. In the second phase, the resulting GRE packet once again encapsulated in some other protocol (IPv4) header then it is forwarded. The outer protocol header is also called delivery protocol. GRE sets 47 value in the protocol field of IPv4 header. Both endpoints are pre-configured. The source and destination IPv4 addresses of the tunnel are defined during configuration.
[Figures and tables are omitted from this preview.]
Figure 6.1 GRE Encapsulation
6.3 Site-to-Site IPsec over GRE VPN
6.3.1 Lab Objectives
- Assign IP addresses according to the topology
- Configure IP Routing
- Configure NAT
- Test Connectivity
- Configure IPsec over GRE VPN Tunnel on both sides
- Test VPN
6.3.2 Topology
[Figures and tables are omitted from this preview.]
Figure 6.2 Site-to-Site IPsec over GRE VPN Setup
6.3.3 Step-1 IP Addressing
Assign IP addresses on router’s interfaces and PCs as mentioned above in topological diagram 6.2. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastEthernet 0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastEthernet 0/1
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.33 YES manual up up
FastEthernet0/1 203.0.113.18 YES manual up up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 203.0.113.16/28 is directly connected, FastEthernet0/1
C 203.0.113.32/28 is directly connected, FastEthernet0/0
Branch-1:
Branch-1>enable
Branch-1#configure terminal
Branch-1(config)#interface fastEthernet 0/0
Branch-1(config-if)# ip address 203.0.113.17 255.255.255.240
Branch-1(config-if)#no shutdown
Branch-1(config-if)#exit
Branch-1(config)#interface fastEthernet 0/1
Branch-1(config-if)# ip address 192.168.1.1 255.255.255.0
Branch-1(config-if)#no shutdown
Branch-1(config-if)#^Z
Branch-1#
Branch-1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.17 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Branch-1#
Branch-2:
Branch-2>enable
Branch-2#configure terminal
Branch-2(config)#interface fastEthernet 0/1
Branch-2(config-if)# ip address 203.0.113.34 255.255.255.240
Branch-2(config-if)#no shutdown
Branch-2(config-if)#exit
Branch-2(config)#interface fastEthernet 0/0
Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)#no shutdown
Branch-2(config-if)#^Z
Branch-2#
Branch-2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.2.1 YES manual up up
FastEthernet0/1 203.0.113.34 YES manual up up
Branch-2#
6.3.4 Step-2 Configuring Static IP Routing
Branch-1:
Branch-1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.18
Branch-1(config)#exit
Branch-1#
Branch-1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.18 to network 0.0.0.0
C 203.0.113.16/28 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 203.0.113.18
Branch-1#
Branch-2:
Branch-2(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch-2(config)#exit
Branch-2#
Branch-2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
C 203.0.113.32/28 is directly connected, FastEthernet0/1
C 192.168.2.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 203.0.113.33
Branch-2#
6.3.5 Step-3 Configuring NAT
Branch-1:
Branch-1(config)# ip nat inside source route-map nat interface fastEthernet 0/0 overload
Branch-1(config)#ip access-list extended 110
Branch-1(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Branch-1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any
Branch-1(config-ext-nacl)#exit
Branch-1(config)#
Branch-1(config)#route-map nat permit 10
Branch-1(config-route-map)#match ip address 110
Branch-1(config-route-map)#exit
Branch-1(config)
Branch-1(config)#interface fastEthernet 0/0
Branch-1(config-if)#ip nat outside
Branch-1(config-if)#exit
Branch-1(config)#interface fastEthernet 0/1
Branch-1(config-if)#ip nat inside
Branch-1(config-if)#^Z
Branch-1#
Branch-2:
Branch-2(config)# ip nat inside source route-map nat interface fastEthernet 0/1 overload
Branch-2(config)#ip access-list extended 110
Branch-2(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Branch-2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any
Branch-2(config-ext-nacl)#exit
Branch-2(config)#
Branch-2(config)#route-map nat permit 10
Branch-2(config-route-map)#match ip address 110
Branch-2(config-route-map)#exit
Branch-2(config)#
Branch-2(config)#interface fastEthernet 0/1
Branch-2(config-if)#ip nat outside
Branch-2(config-if)#exit
Branch-2(config)#interface fastEthernet 0/0
Branch-2(config-if)#ip nat inside
Branch-2(config-if)#^Z
Branch-2#
6.3.6 Step-4 Testing Connectivity
Branch-1:
Branch-1#ping 203.0.113.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/75/96 ms
Branch-1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Branch-1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 203.0.113.17:512 192.168.1.1:512 203.0.113.34:512 203.0.113.34:512
Branch-1#
6.3.7 Step-5 Configuring Site-to-Site IPSec over GRE Tunnel
Branch-1:
Branch-1(config)#crypto isakmp policy 10
Branch-1(config-isakmp)#encryption des
Branch-1(config-isakmp)#hash md5
Branch-1(config-isakmp)#authentication pre-share
Branch-1(config-isakmp)#group 2
Branch-1(config-isakmp)#exit
Branch-1(config)# crypto isakmp key testkey address 203.0.113.34
Branch-1(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac
Branch-1(cfg-crypto-trans)#exit
Branch-1(config)#crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Branch-1(config-crypto-map)#set peer 203.0.113.34
Branch-1(config-crypto-map)#set transform-set tset
Branch-1(config-crypto-map)#match address 101
Branch-1(config-crypto-map)#exit
Branch-1(config)#ip access-list extended 101
Branch-1(config-ext-nacl)# permit gre host 203.0.113.17 host 203.0.113.34
Branch-1(config-ext-nacl)#exit
Branch-1(config)#interface tunnel 0
Branch-1(config-if)#ip address 172.16.1.1 255.255.0.0
Branch-1(config-if)#tunnel source 203.0.113.17
Branch-1(config-if)#tunnel destination 203.0.113.34
Branch-1(config-if)#tunnel mode gre ip
Branch-1(config-if)#crymto map smap
Branch-1(config-if)#no shutdown
Branch-1(config-if)#exit
Branch-1(config)#ip access-list extended 105
Branch-1(config-ext-nacl)#permit gre host 203.0.113.34 host 203.0.113.17
Branch-1(config-ext-nacl)#permit esp host 203.0.113.34 host 203.0.113.17
Branch-1(config-ext-nacl)#permit udp host 203.0.113.34 eq isakmp host 203.0.113.17
Branch-1(config-ext-nacl)#deny ip any any log
Branch-1(config-ext-nacl)#exit
Branch-1(config)# ip route 192.168.2.0 255.255.255.0 172.16.1.2
Branch-1(config)#interface fastEthernet 0/0
Branch-1(config-if)#crypto map smap
Branch-1(config-if)#ip access-group 105 in
Branch-1(config-if)#^Z
Branch-1#
Branch-2:
Branch-2(config)#crypto isakmp policy 20
Branch-2(config-isakmp)#encryption des
Branch-2(config-isakmp)#hash md5
Branch-2(config-isakmp)#authentication pre-share
Branch-2(config-isakmp)#group 2
Branch-2(config-isakmp)#exit
Branch-2(config)# crypto isakmp key testkey address 203.0.113.17
Branch-2(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac
Branch-2(cfg-crypto-trans)#exit
Branch-2(config)#crypto map smap 20 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Branch-2(config-crypto-map)#set peer 203.0.113.17
Branch-2(config-crypto-map)#set transform-set tset
Branch-2(config-crypto-map)#match address 102
Branch-2(config-crypto-map)#exit
Branch-2(config)#ip access-list extended 102
Branch-2(config-ext-nacl)# permit gre host 203.0.113.34 host 203.0.113.17
Branch-2(config-ext-nacl)#exit
Branch-2(config)#interface tunnel 0
Branch-2(config-if)#ip address 172.16.1.2 255.255.0.0
Branch-2(config-if)#tunnel source 203.0.113.34
Branch-2(config-if)#tunnel destination 203.0.113.17
Branch-2(config-if)#tunnel mode gre ip
Branch-2(config-if)#crymto map smap
Branch-2(config-if)#no shutdown
Branch-2(config-if)#exit
Branch-2(config)#ip access-list extended 105
Branch-2(config-ext-nacl)#permit gre host 203.0.113.17 host 203.0.113.34
Branch-2(config-ext-nacl)#permit esp host 203.0.113.17 host 203.0.113.34
Branch-2(config-ext-nacl)#permit udp host 203.0.113.17 eq isakmp host 203.0.113.34
Branch-2(config-ext-nacl)#deny ip any any log
Branch-2(config-ext-nacl)#exit
Branch-2(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.1
Branch-2(config)#interface fastEthernet 0/1
Branch-2(config-if)#crypto map smap
Branch-2(config-if)#ip access-group 105 in
Branch-2(config-if)#^Z
Branch-2#
6.3.8 Step-6 Testing
PC:
C:\>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
Reply from 192.168.2.1: bytes=32 time=332ms TTL=254
Reply from 192.168.2.1: bytes=32 time=100ms TTL=254
Reply from 192.168.2.1: bytes=32 time=109ms TTL=254
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 100ms, Maximum = 332ms, Average = 180ms
Branch-1:
Branch-1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/173/608 ms
Branch-1#
Branch-2:
Branch-2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/92/168 ms
Branch-2#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: smap, local addr. 203.0.113.34
local ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/47/0)
current_peer: 203.0.113.17
PERMIT, flags={origin_is_acl,parent_is_transport,}
#pkts encaps: 17, #pkts encrypt: 17, #pkts digest 17
#pkts decaps: 17, #pkts decrypt: 17, #pkts verify 17
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 203.0.113.34, remote crypto endpt.: 203.0.113.17
path mtu 1514, media mtu 1514
current outbound spi: 277182E8
inbound esp sas:
spi: 0x71E0A045(1910546501)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: smap
sa timing: remaining key lifetime (k/sec): (4607999/3451)
IV size: 8 bytes
[Output omitted]
Branch-2#show crypto isakmp sa
dst src state conn-id slot
203.0.113.17 203.0.113.34 QM_IDLE 1 0
Branch-2#show crypto ipsec transform-set
Transform set tset: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
Branch-2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
C 203.0.113.32/28 is directly connected, FastEthernet0/1
C 172.16.0.0/16 is directly connected, Tunnel0
S 192.168.1.0/24 [1/0] via 172.16.1.1
C 192.168.2.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 203.0.113.33
Branch-2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.2.1 YES manual up up
FastEthernet0/1 203.0.113.34 YES manual up up
Tunnel0 172.16.1.2 YES manual up up
Branch-2#show interface tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.1.2/16
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 203.0.113.34, destination 203.0.113.17
Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
Tunnel TTL 255
Checksumming of packets disabled, fast tunneling enabled
Last input 00:07:04, output 00:07:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
17 packets input, 1828 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
17 packets output, 1828 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Branch-2#show ip access-lists
Extended IP access list 102
permit gre host 203.0.113.34 host 203.0.113.17 (34 matches)
Extended IP access list 105
permit gre host 203.0.113.17 host 203.0.113.34 (17 matches)
permit esp host 203.0.113.17 host 203.0.113.34 (17 matches)
permit udp host 203.0.113.17 eq isakmp host 203.0.113.34 (10 matches)
deny ip any any log
Extended IP access list 110
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
6.4 Site-to-Site IPsec over GRE VPN (Behind ASA)
6.4.1 Lab Objectives
- Assign IP addresses according to the topology
- Configure IP Routing
- Configure NAT
- Test Connectivity
- Configure IPsec over GRE VPN Tunnel on both sides
- Test VPN
6.4.2 Topology
[Figures and tables are omitted from this preview.]
Figure 6.3 Site-to-Site IPsec over GRE VPN Setup
6.4.3 Step-1 IP Addressing
Assign IP addresses on router’s interfaces, ASA and PCs as mentioned above in topological diagram 6.3. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastEthernet 0/0
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface Ethernet 1/1
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.18 YES NVRAM up up
Ethernet1/1 203.0.113.33 YES NVRAM up up
Internet#
Internet#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
203.0.113.0/28 is subnetted, 2 subnets
C 203.0.113.32 is directly connected, Ethernet1/1
C 203.0.113.16 is directly connected, FastEthernet0/0
Internet#
Branch-1:
Branch-1>enable
Branch-1#configure terminal
Branch-1(config)#interface fastEthernet 0/0
Branch-1(config-if)# ip address 203.0.113.17 255.255.255.240
Branch-1(config-if)#no shutdown
Branch-1(config-if)#exit
Branch-1(config)#interface fastEthernet 0/1
Branch-1(config-if)# ip address 192.168.1.1 255.255.255.0
Branch-1(config-if)#no shutdown
Branch-1(config-if)#^Z
Branch-1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.17 YES NVRAM up up
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Branch-1#show ip route connected
203.0.113.0/28 is subnetted, 1 subnets
C 203.0.113.16 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/1
Branch-1#
ASA:
ciscoasa>enable
ciscoasa#configure terminal
ciscoasa(config)#interface ethernet 0/0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 203.0.113.34 255.255.255.240
ciscoasa(config-if)#exit
ciscoasa(config)#interface ethernet 0/1
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 203.0.113.65 255.255.255.240
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#
ciscoasa#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 203.0.113.32 255.255.255.240 is directly connected, outside
C 203.0.113.64 255.255.255.240 is directly connected, inside
ciscoasa#show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 203.0.113.34 YES manual up up
Ethernet0/1 203.0.113.65 YES manual up up
ciscoasa#
Branch-2:
Branch-2>enable
Branch-2#configure terminal
Branch-2(config)#interface Ethernet 0/0
Branch-2(config-if)# ip address 203.0.113.66 255.255.255.240
Branch-2(config-if)#no shutdown
Branch-2(config-if)#exit
Branch-2(config)#interface fastEthernet 1/0
Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)#no shutdown
Branch-2(config-if)#^Z
Branch-2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 203.0.113.66 YES NVRAM up up
FastEthernet1/0 192.168.2.1 YES NVRAM up up
Branch-2#show ip route connected
203.0.113.0/28 is subnetted, 1 subnets
C 203.0.113.64 is directly connected, Ethernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet1/0
Branch-2#
6.4.4 Step-2 Configuring Static IP Routing
Branch-1:
Branch-1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.18
Branch-1(config)#exit
Branch-1#
Branch-1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.18 to network 0.0.0.0
203.0.113.0/28 is subnetted, 1 subnets
C 203.0.113.16 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 203.0.113.18
Branch-1#
Branch-2:
Branch-2(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.65
Branch-2(config)#exit
Branch-2#
Branch-2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.65 to network 0.0.0.0
203.0.113.0/28 is subnetted, 1 subnets
C 203.0.113.64 is directly connected, Ethernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet1/0
S* 0.0.0.0/0 [1/0] via 203.0.113.65
Branch-2#
ASA:
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.33
ciscoasa(config)#exit
ciscoasa#
ciscoasa#show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
C 203.0.113.32 255.255.255.240 is directly connected, outside
C 203.0.113.64 255.255.255.240 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.33, outside
ciscoasa#
Internet:
Internet(config)# ip route 203.0.113.64 255.255.255.240 203.0.113.34
Internet(config-if)#exit
Internet#
6.4.5 Step-3 Configuring NAT
Branch-1:
Branch-1 (config)# ip nat inside source list 10 interface fastEthernet 0/0 overload
Branch-1(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Branch-1(config)#interface fastEthernet 0/0
Branch-1(config-if)#ip nat outside
Branch-1(config-if)#exit
Branch-1(config)#interface fastEthernet 0/1
Branch-1(config-if)#ip nat inside
Branch-1(config-if)#^Z
Branch-1#
Branch-2:
Branch-2 (config)# ip nat inside source list 10 interface Ethernet 0/0 overload
Branch-2(config)# access-list 10 permit 192.168.2.0 0.0.0.255
Branch-2(config)#interface Ethernet 0/0
Branch-2(config-if)#ip nat outside
Branch-2(config-if)#exit
Branch-2(config)#interface fastEthernet 1/0
Branch-2(config-if)#ip nat inside
Branch-2(config-if)#^Z
Branch-2#
ASA:
ciscoasa(config)#nat (inside) 0 0 0
ciscoasa(config)#access-list 101 permit icmp any any
ciscoasa(config)#access-group 101 in interface outside
ciscoasa(config)#exit
ciscoasa#
6.4.6 Step-4 Testing Connectivity
Branch-1:
Branch-1#ping 203.0.113.66
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.66, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/81/136 ms
Branch-1#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
6.4.7 Step-5 Configuring IPsec over GRE
Branch-1:
Branch-1(config)#crypto isakmp policy 10
Branch-1(config-isakmp)#encryption des
Branch-1(config-isakmp)#hash md5
Branch-1(config-isakmp)#authentication pre-share
Branch-1(config-isakmp)#group 2
Branch-1(config-isakmp)#exit
Branch-1(config)# crypto isakmp key testkey address 203.0.113.66
Branch-1(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac
Branch-1(cfg-crypto-trans)#exit
Branch-1(config)#crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Branch-1(config-crypto-map)#set peer 203.0.113.66
Branch-1(config-crypto-map)#set transform-set tset
Branch-1(config-crypto-map)#match address 101
Branch-1(config-crypto-map)#exit
Branch-1(config)#ip access-list extended 101
Branch-1(config-ext-nacl)# permit gre host 203.0.113.17 host 203.0.113.66
Branch-1(config-ext-nacl)#exit
Branch-1(config)#interface tunnel 0
Branch-1(config-if)#ip address 172.16.1.1 255.255.0.0
Branch-1(config-if)#tunnel source 203.0.113.17
Branch-1(config-if)#tunnel destination 203.0.113.66
Branch-1(config-if)#tunnel mode gre ip
Branch-1(config-if)#crymto map smap
Branch-1(config-if)#no shutdown
Branch-1(config-if)#exit
Branch-1(config)#ip access-list extended 105
Branch-1(config-ext-nacl)#permit gre host 203.0.113.66 host 203.0.113.17
Branch-1(config-ext-nacl)#permit esp host 203.0.113.66 host 203.0.113.17
Branch-1(config-ext-nacl)#permit udp host 203.0.113.66 eq isakmp host 203.0.113.17
Branch-1(config-ext-nacl)#exit
Branch-1(config)# ip route 192.168.2.0 255.255.255.0 172.16.1.2
Branch-1(config)#interface fastEthernet 0/0
Branch-1(config-if)#crypto map smap
Branch-1(config-if)#ip access-group 105 in
Branch-1(config-if)#^Z
Branch-1#
Branch-2:
Branch-2(config)#crypto isakmp policy 10
Branch-2(config-isakmp)#encryption des
Branch-2(config-isakmp)#hash md5
Branch-2(config-isakmp)#authentication pre-share
Branch-2(config-isakmp)#group 2
Branch-2(config-isakmp)#exit
Branch-2(config)# crypto isakmp key testkey address 203.0.113.17
Branch-2(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac
Branch-2(cfg-crypto-trans)#exit
Branch-2(config)#crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Branch-2(config-crypto-map)#set peer 203.0.113.17
Branch-2(config-crypto-map)#set transform-set tset
Branch-2(config-crypto-map)#match address 101
Branch-2(config-crypto-map)#exit
Branch-2(config)#ip access-list extended 101
Branch-2(config-ext-nacl)# permit gre host 203.0.113.66 host 203.0.113.17
Branch-2(config-ext-nacl)#exit
Branch-2(config)#interface tunnel 0
Branch-2(config-if)#ip address 172.16.1.2 255.255.0.0
Branch-2(config-if)#tunnel source 203.0.113.66
Branch-2(config-if)#tunnel destination 203.0.113.17
Branch-2(config-if)#tunnel mode gre ip
Branch-2(config-if)#crymto map smap
Branch-2(config-if)#no shutdown
Branch-2(config-if)#exit
Branch-2(config)#ip access-list extended 105
Branch-2(config-ext-nacl)#permit gre host 203.0.113.17 host 203.0.113.66
Branch-2(config-ext-nacl)#permit esp host 203.0.113.17 host 203.0.113.66
Branch-2(config-ext-nacl)#permit udp host 203.0.113.17 eq isakmp host 203.0.113.66
Branch-2(config-ext-nacl)#exit
Branch-2(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.1
Branch-2(config)#interface Ethernet 0/0
Branch-2(config-if)#crypto map smap
Branch-2(config-if)#ip access-group 105 in
Branch-2(config-if)#^Z
Branch-2#
ASA:
ciscoasa(config)# access-list 101 permit udp host 203.0.113.17 eq isakmp host 203.0.113.66 eq isakmp
ciscoasa(config)# access-list 101 permit esp host 203.0.113.17 host 203.0.113.66
ciscoasa(config)#exit
6.4.8 Step-6 Testing
Branch-2:
Branch-2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 56/95/164 ms
Branch-2#show crypto isakmp sa
dst src state onn-id slot
203.0.113.17 203.0.113.66 QM_IDLE 1 0
Branch-2#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: smap, local addr. 203.0.113.66
local ident (addr/mask/prot/port): (203.0.113.66/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/47/0)
current_peer: 203.0.113.17
PERMIT, flags={origin_is_acl,parent_is_transport,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 203.0.113.66, remote crypto endpt.: 203.0.113.17
path mtu 1500, media mtu 1500
current outbound spi: 45541C21
7 DMVPN
Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of a VPN. It is configured almost on all brands of IOS-based routers. It works as a hub & spokes. The spokes are connected with hub over a public network. It is said to be a partial mesh. The DMVPN uses Next Hop Resolution Protocol (NHRP) as a signaling mechanism over the hub & spokes tunnels to trigger the spokes to discover each other and build dynamic tunnels [17]. In a hub-and-spoke network, tunnels between spokes can be dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. Each spoke has a permanent tunnel to the hub. Each spoke is registered as a client of the NHRP server. When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the destination (target) spoke. However, spoke-to-spoke tunnel is built over the multipoint GRE interface. The spoke-to-spoke links are established on the demand whenever there is traffic between the spokes. It provides scalability in a large network. Routing protocols are configured in large-scale networks to complete routing dynamically and quickly.
7.1 DMVPN Security
DMVPN uses GRE with IPsec security architecture to provide strong authentication, confidentiality, and integration.
7.2 Encapsulation
All data traffic, NHRP frames and other control traffic are needed to be protected in DMVPN. In order to efficiently support Layer 2 based protocols, all packets and frames must be encapsulated in GRE first; the resulting GRE packet then must be protected by IPsec as it is displayed in the Fig. 7.1. Usually, transport mode of the IPsec is used.
[Figures and tables are omitted from this preview.]
Figure 7.1 GRE Encapsulation
7.3 Dynamic Multipoint VPN (Hub & Spokes)
7.3.1 Lab Objectives
- Assign IP addresses according to the topology
- Configure IP Routing
- Test Connectivity
- Configure DMVPN Tunnels
- Test VPN
7.3.2 Topology
[Figures and tables are omitted from this preview.]
Figure 7.2 DMVPN Setup
7.3.3 Step-1 IP Addressing
Assign IP addresses on router’s interfaces as mentioned above in topological diagram 7.2. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastEthernet 0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastEthernet 0/1
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastEthernet 1/0
Internet(config-if)# ip address 203.0.113.65 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.33 YES manual up up
FastEthernet0/1 203.0.113.18 YES manual up up
FastEthernet1/0 203.0.113.65 YES manual up up
Internet#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
203.0.113.0/28 is subnetted, 3 subnets
C 203.0.113.32 is directly connected, FastEthernet0/0
C 203.0.113.16 is directly connected, FastEthernet0/1
C 203.0.113.64 is directly connected, FastEthernet1/0
Internet#
HQ;
HQ>enable
HQ#configure terminal
HQ(config)#interface fastEthernet 0/0
HQ(config-if)#ip address 203.0.113.17 255.255.255.240
HQ(config-if)#no shutdown
HQ(config-if)#exit
HQ(config)#interface fastEthernet 0/1
HQ(config-if)#ip address 192.168.1.1 255.255.255.0
HQ(config-if)#no shutdown
HQ(config-if)#^Z
HQ#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.17 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
HQ#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
203.0.113.0/28 is subnetted, 1 subnets
C 203.0.113.16 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/1
HQ#
Branch-1:
Branch-1>enable
Branch-1#configure terminal
Branch-1(config)#interface fastEthernet 0/1
Branch-1(config-if)# ip address 203.0.113.34 255.255.255.240
Branch-1(config-if)#no shutdown
Branch-1(config-if)#exit
Branch-1(config)#interface fastEthernet 0/0
Branch-1(config-if)# ip address 192.168.2.1 255.255.255.0
Branch-1(config-if)#no shutdown
Branch-1(config-if)#^Z
Branch-1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.2.1 YES manual up up
FastEthernet0/1 203.0.113.34 YES manual up up
Branch-1#show ip route connected
203.0.113.0/28 is subnetted, 1 subnets
C 203.0.113.32 is directly connected, FastEthernet0/1
C 192.168.2.0/24 is directly connected, FastEthernet0/0
Branch-1#
Branch-2:
Branch-2>enable
Branch-2#configure terminal
Branch-2(config)#interface fastEthernet 0/0
Branch-2(config-if)# ip address 203.0.113.66 255.255.255.240
Branch-2(config-if)#no shutdown
Branch-2(config-if)#exit
Branch-2(config)#interface fastEthernet 0/1
Branch-2(config-if)# ip address 192.168.3.1 255.255.255.0
Branch-2(config-if)#no shutdown
Branch-2(config-if)#^Z
Branch-2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.66 YES manual up up
FastEthernet0/1 192.168.3.1 YES manual up up
Branch-2#show ip route connected
203.0.113.0/28 is subnetted, 1 subnets
C 203.0.113.64 is directly connected, FastEthernet0/0
C 192.168.3.0/24 is directly connected, FastEthernet0/1
Branch-2#
7.3.4 Step-2 Configuring Static IP Routing
HQ:
HQ(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.18
HQ(config)#exit
HQ#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.18 to network 0.0.0.0
203.0.113.0/28 is subnetted, 1 subnets
C 203.0.113.16 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 203.0.113.18
HQ#
Branch-1:
Branch-1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch-1(config)#exit
Branch-2:
Branch-2(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.65
Branch-2(config)#exit
Branch-2#
7.3.5 Step-3 Testing Connectivity
HQ:
HQ#ping 203.0.113.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 20/120/264 ms
HQ#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
HQ#
7.3.6 Step-4 Configuring DMVPN Tunnel
HQ:
HQ(config)#crypto isakmp policy 10
HQ(config-isakmp)#encryption 3des
HQ(config-isakmp)#hash md5
HQ(config-isakmp)#authentication pre-share
HQ(config-isakmp)#group 2
HQ(config-isakmp)#exit
HQ(config)#crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
HQ(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
HQ(cfg-crypto-trans)#exit
HQ(config)#crypto ipsec profile dmvpn
HQ(ipsec-profile)#set transform-set tset
HQ(ipsec-profile)#exit
HQ(config)#interface tunnel 0
HQ(config-if)#ip address 172.16.1.1 255.255.255.0
HQ(config-if)#tunnel mode gre multipoint
HQ(config-if)#tunnel source 203.0.113.17
HQ(config-if)#ip nhrp map multicast dynamic
HQ(config-if)#ip nhrp network-id 1
HQ(config-if)#ip nhrp authentication DMVPN
HQ(config-if)# no ip next-hop-self eigrp 1 HQ(config-if)#no ip split-horizon eigrp 1
HQ(config-if)#tunnel protection ipsec profile dmvpn
HQ(config-if)#exit
HQ(config)#router eigrp 1
HQ(config-router)#no auto-summary
HQ(config-router)#network 172.16.1.0 0.0.0.255
HQ(config-router)#network 192.168.1.0 0.0.0.255
HQ(config-router)#^Z
HQ#
Branch-1:
Branch-1(config)#crypto isakmp policy 10
Branch-1(config-isakmp)#encryption 3des
Branch-1(config-isakmp)#hash md5
Branch-1(config-isakmp)#authentication pre-share
Branch-1(config-isakmp)#group 2
Branch-1(config-isakmp)#exit
Branch-1(config)#crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
Branch-1(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
Branch-1(cfg-crypto-trans)#exit
Branch-1(config)#crypto ipsec profile dmvpn
Branch-1(ipsec-profile)#set transform-set tset
Branch-1(ipsec-profile)#exit
Branch-1(config)#interface tunnel 0
Branch-1(config-if)#ip address 172.16.1.2 255.255.255.0
Branch-1(config-if)#tunnel mode gre multipoint
Branch-1(config-if)#tunnel source 203.0.113.34
Branch-1(config-if)#ip nhrp map 172.16.1.1 203.0.113.17
Branch-1(config-if)#ip nhrp map multicast 203.0.113.17
Branch-1(config-if)#ip nhrp nhs 172.16.1.1
Branch-1(config-if)#ip nhrp network-id 1
Branch-1(config-if)#ip nhrp authentication DMVPN
Branch-1(config-if)# no ip next-hop-self eigrp 1 Branch-1(config-if)#no ip split-horizon eigrp 1
Branch-1(config-if)# tunnel protection ipsec profile dmvpn
Branch-1(config-if)#exit
Branch-1(config)#router eigrp 1
Branch-1(config-router)#no auto-summary
Branch-1(config-router)#network 172.16.1.0 0.0.0.255
Branch-1(config-router)#network 192.168.2.0 0.0.0.255
Branch-1(config-router)#^Z
Branch-1#
Branch-2:
Branch-2(config)#crypto isakmp policy 10
Branch-2(config-isakmp)#encryption 3des
Branch-2(config-isakmp)#hash md5
Branch-2(config-isakmp)#authentication pre-share
Branch-2(config-isakmp)#group 2
Branch-2(config-isakmp)#exit
Branch-2(config)#crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
Branch-2(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac
Branch-2(cfg-crypto-trans)#exit
Branch-2(config)#crypto ipsec profile dmvpn
Branch-2(ipsec-profile)#set transform-set tset
Branch-2(ipsec-profile)#exit
Branch-2(config)#interface tunnel 0
Branch-2(config-if)#ip address 172.16.1.3 255.255.255.0
Branch-2(config-if)#tunnel mode gre multipoint
Branch-2(config-if)#tunnel source 203.0.113.66
Branch-2(config-if)#ip nhrp map 172.16.1.1 203.0.113.17
Branch-2(config-if)#ip nhrp map multicast 203.0.113.17
Branch-2(config-if)#ip nhrp nhs 172.16.1.1
Branch-2(config-if)#ip nhrp network-id 1
Branch-2(config-if)#ip nhrp authentication DMVPN
Branch-2(config-if)# no ip next-hop-self eigrp 1 Branch-2(config-if)#no ip split-horizon eigrp 1
Branch-2(config-if)# tunnel protection ipsec profile dmvpn
Branch-2(config-if)#exit
Branch-2(config)#router eigrp 1
Branch-2(config-router)#no auto-summary
Branch-2(config-router)#network 172.16.1.0 0.0.0.255
Branch-2(config-router)#network 192.168.3.0 0.0.0.255
Branch-2(config-router)#^Z
Branch-2#
7.3.7 Step-5 Testing
HQ:
HQ#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.17 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Tunnel0 172.16.1.1 YES manual up up
HQ#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/100/124 ms
HQ#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/88/108 ms
HQ#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 203.0.113.18 to network 0.0.0.0
203.0.113.0/28 is subnetted, 1 subnets
C 203.0.113.16 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Tunnel0
C 192.168.1.0/24 is directly connected, FastEthernet0/1
D 192.168.2.0/24 [90/297270016] via 172.16.1.2, 00:00:04, Tunnel0
D 192.168.3.0/24 [90/297270016] via 172.16.1.3, 00:00:04, Tunnel0
S* 0.0.0.0/0 [1/0] via 203.0.113.18
HQ#show crypto isakmp sa
dst src state conn-id slot status
203.0.113.17 203.0.113.34 QM_IDLE 3 0 ACTIVE
203.0.113.17 203.0.113.66 QM_IDLE 4 0 ACTIVE
HQ#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 203.0.113.17
protected vrf: (none)
local ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/47/0)
current_peer 203.0.113.34 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 135, #pkts encrypt: 135, #pkts digest: 135
#pkts decaps: 134, #pkts decrypt: 134, #pkts verify: 134
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
Branch-2:
Branch-2#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/191/224 ms
Branch-2#
8 SSL VPN
Secure Socket Layer VPN is proposed by IETF. It is used with a standard web browser. It does not require any special client software installation on the end user's computer. It allows remote users to access web applications, client-server applications and internal network connections over the public network (Internet) without any special client software. SSL VPN offers adaptability, ease of use and granular control for a range of users on a variety of computers accessing resources through many locations. The primary goal of the SSL protocol is to provide privacy and reliability between two communicating applications. The protocol is composed of two layers [18]. One is transport layer and second is application layer. Its specification was described in RFC 6101. The SSL record protocol is used for encapsulation of various higher level protocols. One advantage of SSL is that it is an application protocol independent. There are two major types of SSL VPN.
1. SSL Portal VPN
2. SSL Tunnel VPN
In SSL portal VPN, the end user can access multiple network services securely through a single SSL connection to a website. The site is called a portal because it has only one door for multiple resources. The remote user can access VPN gateway using any modern web browser for authentication defined by the gateway.
In SSL tunnel VPN, the end user can access multiple network services including applications and protocols securely that are not web-based through a tunnel.
8.1 SSL Security
SSL provides strong encryption, authentication and integrity services. Initially, a handshake process is done to define a secret key then after encryption is used. Symmetric or asymmetric cryptographic techniques are used to ensure the data encryption. DES or 3DES are symmetric encryption algorithms in which the same key is used for encryption or decryption. In asymmetric encryption type, RSA algorithm and a key pair are used for encryption or description. Peer authentication is also based on the symmetric or asymmetric. The few third-party certificates are also used to peer authentication. Message transport includes a message integrity check using a key Message Authentication Code (MAC). Secure hash functions (e.g., SHA & MD5) are used for MAC computations.
8.2 SSL Encapsulation
In SSL VPN, the application data is received in chunks or blocks. The Message Authentication Code (MAC) is attached with blocks and is encapsulated into an object called record as it is displayed in Fig 8.1 below. The record consists of 5 bytes long header.
[Figures and tables are omitted from this preview.]
Figure 8.1 SSL Encapsulation
8.3 Router as an SSL VPN Gateway
8.3.1 Lab Objectives
- Assign IP addresses according to topology
- Configure IP Routing
- Configure Router as a DNS Server
- Test Connectivity
- Configure Router as a Self-Signed Certificate
- Configure Router as an SSL VPN Gateway
- Test VPN
8.3.2 Topology
[Figures and tables are omitted from this preview.]
Figure 8.2 SSL VPN Setup
8.3.3 Step-1 IP Addressing
Assign IP addresses on router’s interfaces and PC as mentioned above in topological diagram 8.2. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastEthernet 0/0
Internet(config-if)# ip address 203.0.113.18 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastEthernet 0/1
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.18 YES manual up up
FastEthernet0/1 203.0.113.33 YES manual up up
Internet#
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 203.0.113.16/28 is directly connected, FastEthernet0/0
C 203.0.113.32/28 is directly connected, FastEthernet0/1
Branch:
Branch>enable
Branch#configure terminal
Branch(config)#interface fastEthernet 0/0
Branch(config-if)# ip address 203.0.113.34 255.255.255.240
Branch(config-if)#no shutdown
Branch(config-if)#exit
Branch(config)#interface fastEthernet 0/1
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#no shutdown
Branch(config-if)#^Z
Branch#
Branch#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.34 YES manual up up
FastEthernet0/1 192.168.1.1 YES manual up up
Branch#
PC:
[Figures and tables are omitted from this preview.]
Figure 8.3 Client IP Addressing
8.3.4 Step-2 Configuring Static IP Routing
Branch:
Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33
Branch(config)#exit
Branch#
Branch#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 203.0.113.33
C 192.168.1.0/24 is directly connected, FastEthernet0/1
C 203.0.113.32/28 is directly connected, FastEthernet0/0
Branch#
8.3.5 Step-3 Configuring Router as a DNS Server
Internet:
Internet(config)#ip dns server
Internet(config)#ip name-server 203.0.113.18
Internet(config)#ip host mysslvpn.com 203.0.113.34
Internet(config)#no ip domain-lookup
Internet(config)#exit
Internet#
Internet#show ip dns view
DNS View default parameters:
Logging is off
DNS Resolver settings:
Domain lookup is disabled
Default domain name:
Domain search list:
Lookup timeout: 3 seconds
Lookup retries: 2
Domain name-servers:
203.0.113.18
DNS Server settings:
Forwarding of queries is disabled
Forwarder timeout: 3 seconds
Forwarder retries: 2
Forwarder addresses:
8.3.6 Step-4 Testing Connectivity
PC:
C:\>ping 203.0.113.34
Pinging 203.0.113.34 with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=333ms TTL=254
Reply from 203.0.113.34: bytes=32 time=242ms TTL=254
Reply from 203.0.113.34: bytes=32 time=338ms TTL=254
Reply from 203.0.113.34: bytes=32 time=265ms TTL=254
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 242ms, Maximum = 338ms, Average = 294ms
C:\>ping mysslvpn.com
Pinging mysslvpn.com [203.0.113.34] with 32 bytes of data:
Reply from 203.0.113.34: bytes=32 time=148ms TTL=254
Reply from 203.0.113.34: bytes=32 time=213ms TTL=254
Reply from 203.0.113.34: bytes=32 time=191ms TTL=254
Reply from 203.0.113.34: bytes=32 time=220ms TTL=254
Ping statistics for 203.0.113.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 148ms, Maximum = 220ms, Average = 193ms
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Reply from 203.0.113.18: Destination host unreachable.
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Branch:
Branch#ping 203.0.113.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms
Branch#
Internet:
Internet#show ip dns statistics
DNS requests received = 2 ( 2 + 0 )
DNS requests dropped = 0 ( 0 + 0 )
DNS responses replied = 2 ( 2 + 0 )
Forwarder queue statistics:
Current size = 0
Maximum size = 5
Drops = 0
8.3.7 Step-5 Configuring Self-Signed Certificates
Branch(config)#ip domain-name mysslvpn.com
Branch(config)# crypto key generate rsa general-keys modulus 2048 label mykey exportable
The name for the keys will be: mykey
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...
%SSH-5-ENABLED: SSH 1.99 has been enabled
Branch(config)#crypto pki trustpoint mytpoint
Branch(ca-trustpoint)#enrollment selfsigned
Branch(ca-trustpoint)# subject-name O=Test, CN=www.mysslvpn.com
Branch(ca-trustpoint)#revocation-check none
Branch(ca-trustpoint)#rsakeypair mykey
Branch(ca-trustpoint)#exit
Branch(config)#crypto pki enroll mytpoint
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
Branch#wr
Building configuration...
%SYS-5-CONFIG_I: Configured from console by test on console
[OK]
Branch#dir nvram:
Directory of nvram:/
120 -rw- 1271 <no date> startup-config
121 ---- 3574 <no date> private-config
122 -rw- 1271 <no date> underlying-config
1 ---- 34 <no date> persistent-data
2 -rw- 4 <no date> rf_cold_starts
3 -rw- 0 <no date> ifIndex-table
4 -rw- 910 <no date> Branchmysslv#1.cer
129016 bytes total (120023 bytes free)
Branch#show crypto pki certificates
Router Self-Signed Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: General Purpose
Issuer:
hostname=Branch.mysslvpn.com
o=Test
cn=www.mysslvpn.com
Subject:
Name: Branch.mysslvpn.com
hostname=Branch.mysslvpn.com
o=Test
cn=www.mysslvpn.com
Validity Date:
start date: 09:14:40 UTC Dec 8 2017
end date: 00:00:00 UTC Jan 1 2020
Associated Trustpoints: mytpoint
Branch#show crypto pki trustpoints
Trustpoint mytpoint:
Subject Name:
hostname=Branch.mysslvpn.com
o=Test
cn=www.mysslvpn.com
Serial Number: 01
Persistent self-signed certificate trust point
Branch#show crypto key mypubkey rsa
% Key pair was generated at: 09:05:01 UTC Dec 8 2017
Key name: mykey
Storage Device: private-config
Usage: General Purpose Key
Key is exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C27356 1DBEC35E 9AD93A92 1D7F900B F6191658 B33A48C4 7CFE0260 7320BBD8
3DDF0352 2D81800A 0A3186EE 38D2E194 40C209FF A9A36196 C5E96042 22D94614
A5B16CA0 A4C71156 AEDD4B05 CF241A6E 8130BE77 183FCA7A 912AC410 D0D0F6D6
63C038D7 2A96607D CD5996EC E9849279 968B49B9 A39478AC 44E8FED5 C9FEB2F2
49E7BBAB 5646741E C8175D3D 3A536887 A58340DD A30FC1DC 716FC383 88850C3A
C59CA025 11CD6594 ADE15C7C 7D2AA5EE 29AF9A24 E2BB8E6A 8357BFE2 0650AC0F
81BD83C1 C15F3060 39C4BEE6 AE0742E6 1D486F35 676E5AD8 CEED3EBC 469AC530
F568ED80 310807CA C9140D5F 6CA2795C DBA56A64 923FA546 F74E6E71 3DAB903E
73020301 0001
% Key pair was generated at: 09:05:04 UTC Dec 8 2017
Key name: mykey.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C72948 9A3F5CB4
E6E466A4 E8B07977 FE68505C BCF1635A C8E601EC 4964D226 4F896D3E 0E638C24
0CF8C33A 4149B5E9 195CFE74 413EFDAC 03C2C4C7 58DA54BB CE7BC235 50F85210
36DAA02A 36827059 514C511B A0269AFF 82F1FBFC B779C8C3 03020301 0001
8.3.8 Step-6 Configuring SSL VPN Gateway
Branch:
Branch(config)#aaa new-model
Branch(config)#username test password 0 test
Branch(config)#aaa authentication login default local
Branch(config)#webvpn gateway mysslgateway
Branch(config-webvpn-gateway)# ip address 203.0.113.34 port 443
Branch(config-webvpn-gateway)#http-redirect port 80
Branch(config-webvpn-gateway)#ssl trustpoint mytpoint
Branch(config-webvpn-gateway)#inservice
Branch(config-webvpn-gateway)#exit
Branch(config)#webvpn context mycontext
Branch(config-webvpn-context)#gateway mysslgateway
Branch(config-webvpn-context)# ssl authenticate verify all
Branch(config-webvpn-context)#max-users 100
Branch(config-webvpn-context)#inservice
%SSLVPN-5-UPDOWN: sslvpn context : mycontext changed state to UP
Branch(config-webvpn-context)# login-message "Welcome to mysslvpn.com"
Branch(config-webvpn-context)# policy group mydefaultpolicy
Branch(config-webvpn-group)#url-list "Clientless VPN"
Branch(config-webvpn-group)#exit
Branch(config-webvpn-context)# default-group-policy mydefaultpolicy
Branch(config-webvpn-context)# url-list "Clientless VPN"
Branch(config-webvpn-url)#heading "Clientless VPN"
Branch(config-webvpn-url)# url-text "Web Server" url-value “ http://203.0.113.34”
Branch(config-webvpn-url)#exit
8.3.9 Step-7 Testing
PC:
[Figures and tables are omitted from this preview.]
Figure 8.4 before Certificate
[Figures and tables are omitted from this preview.]
Figure 8.5 after Certificate
Branch:
Branch#show webvpn gateway
Gateway Name Admin Operation
------------ ----- ---------
mysslgateway up up
Branch#show webvpn context
Codes: AS - Admin Status, OS - Operation Status
VHost - Virtual Host
Context Name Gateway Domain/VHost VRF AS OS
------------ ------- ------------ ------- ---- --------
mycontext mysslgat - - up up
Branch#
9 High Availability VPN
High availability VPN is a feature that enables a device (router) to avoid single point of failure. It provides redundancy in the network. It provides continuously processing and forwarding packets if one point is failed. Multiple links are used in parallel to provide high availability. One link works as active or primary while the second link works as standby or backup. Standby link immediately works as active automatically if active link goes down. This feature is most valuable in the corporate sector. These two links may also work together for load balancing. There are several high availability service provider protocols, such as:
1. HSRP
2. VRRP
3. GLBP
9.1 HSRP
Hot Standby Router Protocol (HSRP) is a CISCO proprietary redundancy protocol. It allows two or more routers to work together to represent a single IP address for a particular network. It is not a routing protocol. It allows for almost immediate failover to a secondary interface when the primary interface is not available. The virtual IP address is used as a gateway for hosts in the network. The host that uses the HSRP address as a gateway never knows the actual physical IP or MAC address of the routers in the group. Only the virtual IP address that was created within the HSRP configuration along with a virtual MAC address is known to other hosts on the network. Its specification was described in RFC 2281 [19]. It has two versions.
In HSRP, a group of routers is configured as a standby group. This group is based on a single virtual IP address. In this standby group, one router is active and second is standby. Selection of active router is based upon priority. High priority router will win the election. By default, priority is 100. If the priority is same on all routers then, the selection is based upon IP addresses. With highest IP address will win the election. This election process is consists of 6 different states (Initial, Learn, Listen, Speak, Standby & Active). HSRP uses UDP with port number 1985 for messages. It uses multicast address 224.0.0.2 with TTL 1. If active router fails, standby router will become active. If first primary router comes back up and returns to service, standby will continue to stay active. There are times when you may always want the first primary to be in an active state in the HSRP group. CISCO provides a way for users to control this by using the preempt command. Preempt forces a router to be active after recovering from a failure.
RRI (Reverse Router Injection) is a feature designed to simplify network design for VPNs which requires redundancy and routing. When routes are created, they are injected into any dynamic routing protocol and distributed to surrounding devices. RRI works with both dynamic and static crypto maps.
9.2 VRRP
The Virtual Router Redundancy Protocol (VRRP) is also a redundancy protocol. It is an open standard and described in RFC 3768 by IETF [20]. It provides a function similar to the proprietary protocols "Hot Standby Router Protocol" and "IP Standby Protocol". That’s why, CISCO claims that a similar protocol with essentially the same facility is patented and licensed. It uses multicast address 224.0.0.18 and IP protocol number 112. It creates virtual routers which are an abstract representation of multiple routers, i.e. master and backup routers, acting as a group. The default priority is 100 in this protocol. In the group, one router is master and second is back up. Election of the master router is based upon priority. With highest priority router will win the election.
9.3 GLBP
Gateway Load Balancing Protocol (GLBP) is a CISCO proprietary protocol that attempts to overcome the limitations of existing redundant router protocols by adding basic load balancing functionality. By default, GLBP load balance is in round-robin style. GLBP elects one AVG (Active Virtual Gateway) for each group. The second best AVG is placed in the standby state and all other members are placed in the listening state. By default, GLBP router uses the multicast address 224.0.0.102 to send hello packets to their peers every 3 seconds over UDP port number 3222.
9.4 Site-to-Site IPsec High Availability VPN with HSRP
9.4.1 Lab Objectives
- Assign IP addresses according to the topology
- Configure IP Routing
- Test Connectivity
- Configure HSRP
- Configure Site-to-Site IPsec VPN
- Testing
9.4.2 Topology
[Figures and tables are omitted from this preview.]
Figure 9.1 Site-to-Site IPsec High Availability VPN Setup
9.4.3 Step-1 IP Addressing
Assign IP addresses on router’s interfaces and PC as mentioned above in topological diagram 9.1. Interfaces must be enabled in UP & running state.
Internet:
Internet>enable
Internet#configure terminal
Internet(config)#interface fastEthernet 0/0
Internet(config-if)# ip address 203.0.113.33 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#exit
Internet(config)#interface fastEthernet 0/1
Internet(config-if)# ip address 203.0.113.19 255.255.255.240
Internet(config-if)#no shutdown
Internet(config-if)#^Z
Internet#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.33 YES manual up up
FastEthernet0/1 203.0.113.19 YES manual up up
Internet#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
C 203.0.113.32/28 is directly connected, FastEthernet0/0
C 203.0.113.16/28 is directly connected, FastEthernet0/1
PC:
[Figures and tables are omitted from this preview.]
Figure 9.2 Client IP Addresing
Primary:
Primary>enable
Primary#configure terminal
Primary(config)#interface fastEthernet 0/0
Primary(config-if)# ip address 192.168.1.2 255.255.255.0
Primary(config-if)#no shutdown
Primary(config-if)#exit
Primary(config)#interface fastEthernet 0/1
Primary(config-if)# ip address 203.0.113.17 255.255.255.240
Primary(config-if)#no shutdown
Primary(config-if)#^Z
Primary#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.2 YES manual up up
FastEthernet0/1 203.0.113.17 YES manual up up
Primary#
Secondary:
Secondary>enable
Secondary#configure terminal
Secondary(config)#interface fastEthernet 0/0
Secondary(config-if)# ip address 192.168.1.3 255.255.255.0
Secondary(config-if)#no shutdown
Secondary(config-if)#exit
Secondary(config)#interface fastEthernet 0/1
Secondary(config-if)# ip address 203.0.113.18 255.255.255.240
Secondary(config-if)#no shutdown
Secondary(config-if)#^Z
Secondary#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.3 YES manual up up
FastEthernet0/1 203.0.113.18 YES manual up up
Secondary#
Branch-2:
Branch-2>enable
Branch-2#configure terminal
Branch-2(config)#interface fastEthernet 0/0
Branch-2(config-if)# ip address 203.0.113.34 255.255.255.240
Branch-2(config-if)#no shutdown
Branch-2(config-if)#exit
Branch-2(config)#interface fastEthernet 0/1
Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0
Branch-2(config-if)#no shutdown
Branch-2(config-if)#^Z
Branch-2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 203.0.113.34 YES manual up up
FastEthernet0/1 192.168.2.1 YES manual up up
Branch-2#
9.4.4 Step-2 Configuring Static IP Routing
Branch-2:
Branch-2(config)# ip route 203.0.113.16 255.255.255.240 203.0.113.33
Branch-2(config)#exit
Branch-2#
Branch-2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.33 to network 0.0.0.0
C 203.0.113.32/28 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
S* 203.0.113.16/28 [1/0] via 203.0.113.33
Branch-2#
Primary:
Primary(config)# ip route 203.0.113.32 255.255.255.240 203.0.113.19
Primary(config)#exit
Primary#
Primary#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.19 to network 0.0.0.0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 203.0.113.16/28 is directly connected, FastEthernet0/1
S* 203.0.113.32/28 [1/0] via 203.0.113.19
Primary#
Secondary:
Secondary(config)# ip route 203.0.113.32 255.255.255.240 203.0.113.19
Secondary(config)#exit
Secondary#
Secondary#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 203.0.113.19 to network 0.0.0.0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 203.0.113.16/28 is directly connected, FastEthernet0/1
S* 203.0.113.32/28 [1/0] via 203.0.113.19
Secondary#
9.4.5 Step-3 Testing Connectivity
Primary:
Primary#ping 203.0.113.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/75/96 ms
Primary#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Secondary:
Secondary#ping 203.0.113.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/75/96 ms
Secondary#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
9.4.6 Step-4 Configuring HSRP
Primary:
Primary(config)#interface fastEthernet 0/0
Primary(config-if)#standby 1 ip 192.168.1.5
Primary(config-if)#standby 1 priority 200
Primary(config-if)#standby 1 preempt
Primary(config-if)#standby 1 name inside
Primary(config-if)# standby 1 track fastEthernet 0/0 110
Primary(config-if)#exit
Primary(config)#interface fastEthernet 0/1
Primary(config-if)#standby 2 ip 203.0.113.20
Primary(config-if)#standby 2 priority 200
Primary(config-if)#standby 2 preempt
Primary(config-if)#standby 2 name HAVPN
Primary(config-if)# standby 2 track fastEthernet 0/1 110
Primary(config-if)#exit
Primary(config)#
Secondary:
Secondary(config)#interface fastEthernet 0/0
Secondary(config-if)#standby 1 ip 192.168.1.5
Secondary(config-if)#standby 1 preempt
Secondary(config-if)#standby 1 name inside
Secondary(config-if)#exit
Secondary(config)#interface fastEthernet 0/1
Secondary(config-if)#standby 2 ip 203.0.113.20
Secondary(config-if)#standby 2 preempt
Secondary(config-if)#standby 2 name HAVPN
Secondary(config-if)#exit
Secondary(config)#
Primary:
Primary#show standby
FastEthernet0/0 - Group 1
State is Active
2 state changes, last state change 00:03:20
Virtual IP address is 192.168.1.5
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.276 secs
Preemption enabled, min delay 0 sec, sync delay 0 sec
Active router is local
Standby router is 192.168.1.3, priority 100 (expires in 7.676 sec)
Priority 200 (configured 200)
Group name is "inside" (cfgd)
FastEthernet0/1 - Group 2
State is Active
2 state changes, last state change 00:02:44
Virtual IP address is 203.0.113.20
Active virtual MAC address is 0000.0c07.ac02
Local virtual MAC address is 0000.0c07.ac02 (default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.268 secs
Preemption enabled, min delay 0 sec, sync delay 0 sec
Active router is local
Standby router is 203.0.113.18, priority 100 (expires in 8.132 sec)
Priority 200 (configured 200)
Group name is "HAVPN" (cfgd)
Primary#
Secondary:
Secondary#show standby
FastEthernet0/0 - Group 1
State is Standby
1 state change, last state change 00:00:30
Virtual IP address is 192.168.1.5
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.052 secs
Preemption enabled, min delay 0 sec, sync delay 0 sec
Active router is 192.168.1.2, priority 200 (expires in 7.792 sec)
Standby router is local
Priority 100 (default 100)
Group name is "inside" (cfgd)
FastEthernet0/1 - Group 2
State is Standby
1 state change, last state change 00:00:05
Virtual IP address is 203.0.113.20
Active virtual MAC address is 0000.0c07.ac02
Local virtual MAC address is 0000.0c07.ac02 (default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.464 secs
Preemption enabled, min delay 0 sec, sync delay 0 sec
Active router is 203.0.113.17, priority 200 (expires in 7.780 sec)
Standby router is local
Priority 100 (default 100)
Group name is "HAVPN" (cfgd)
Secondary#
9.4.7 Step-5 Configuring IPsec VPN over HSRP
Primary:
Primary(config)#crypto isakmp policy 10
Primary(config-isakmp)#encryption 3des
Primary(config-isakmp)#hash md5
Primary(config-isakmp)#authentication pre-share
Primary(config-isakmp)#group 2
Primary(config-isakmp)#exit
Primary(config)# crypto isakmp key 0 testhaipsecvpn address 0.0.0.0
Primary(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac
Primary(cfg-crypto-trans)#exit
Primary(config)#crypto dynamic-map dmap 10
Primary(config-crypto-map)#set transform-set tset
Primary(config-crypto-map)#match address 101
Primary(config-crypto-map)#reverse-route
Primary(config-crypto-map)#exit
Primary(config)#
Primary(config)#ip access-list extended 101
Primary(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
Primary(config-ext-nacl)#exit
Primary(config)# ip route 192.168.2.0 255.255.255.0 203.0.113.19
Primary(config)# crypto map smap 10 ipsec-isakmp dynamic dmap
Primary(config)#interface fastEthernet 0/1
Primary(config-if)#crypto map smap redundancy HAVPN
Primary(config-if)#^Z
Primary#
Secondary:
Secondary(config)#crypto isakmp policy 10
Secondary(config-isakmp)#encryption 3des
Secondary(config-isakmp)#hash md5
Secondary(config-isakmp)#authentication pre-share
Secondary(config-isakmp)#group 2
Secondary(config-isakmp)#exit
Secondary(config)# crypto isakmp key 0 testhaipsecvpn address 0.0.0.0
Secondary(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac
Secondary(cfg-crypto-trans)#exit
Secondary(config)#crypto dynamic-map dmap 10
Secondary(config-crypto-map)#set transform-set tset
Secondary(config-crypto-map)#match address 101
Secondary(config-crypto-map)#reverse-route
Secondary(config-crypto-map)#exit
Secondary(config)#
Secondary(config)#ip access-list extended 101
Secondary(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
Secondary(config-ext-nacl)#exit
Secondary(config)# ip route 192.168.2.0 255.255.255.0 203.0.113.19
Secondary(config)# crypto map smap 10 ipsec-isakmp dynamic dmap
Secondary(config)#interface fastEthernet 0/1
Secondary(config-if)#crypto map smap redundancy HAVPN
Secondary(config-if)#^Z
Secondary#
Branch-2:
Branch-2(config)#crypto isakmp policy 10
Branch-2(config-isakmp)#encryption 3des
Branch-2(config-isakmp)#hash md5
Branch-2(config-isakmp)#authentication pre-share
Branch-2(config-isakmp)#group 2
Branch-2(config-isakmp)#exit
Branch-2(config)# crypto isakmp key 0 testhaipsecvpn address 203.0.113.20
Branch-2(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac
Branch-2(cfg-crypto-trans)#exit
Branch-2(config)#crypto map smap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Branch-2(config-crypto-map)#set peer 203.0.113.20
Branch-2(config-crypto-map)#set transform-set tset
Branch-2(config-crypto-map)#match address 102
Branch-2(config-crypto-map)#exit
Branch-2(config)#ip access-list extended 102
Branch-2(config-ext-nacl)# permit ip any 192.168.1 .0 0.0.0.255
Branch-2(config-ext-nacl)#exit
Branch-2(config)# ip route 192.168.1.0 255.255.255.0 203.0.113.33
Branch-2(config)#interface fastEthernet 0/0
Branch-2(config-if)#crypto map smap
Branch-2(config-if)#^Z
Branch-2#
9.4.8 Step-6 Testing
C:\>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=72ms TTL=254
Reply from 192.168.2.1: bytes=32 time=78ms TTL=254
Reply from 192.168.2.1: bytes=32 time=78ms TTL=254
Reply from 192.168.2.1: bytes=32 time=78ms TTL=254
Ping statistics for 192.168.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 72ms, Maximum = 78ms, Average = 76ms
Branch-2:
Branch-2#show crypto isakmp sa
dst src state conn-id slot
203.0.113.20 203.0.113.34 QM_IDLE 1 0
Branch-2#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: smap, local addr. 203.0.113.34
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 203.0.113.20
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 203.0.113.34, remote crypto endpt.: 203.0.113.20
path mtu 1500, media mtu 1500
current outbound spi: 5F896143
Branch-2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/88/136 ms
Branch-2#
References:
[1] G. De Laet and G. Schauwers, “Network security fundamentals”, Cisco Press, 2005.
[2] K. Hamzeh, G. Pall, W. Verthein, J. Taarud, W. Little, and G. Zorn, "Point-to-point tunneling protocol (PPTP)," 2070-1721, RFC 2637, 1999.
[3] G. Zorn and G. S. Pall, "Microsoft Point-to-Point Encryption (MPPE) Protocol", RFC 3078, 2001.
[4] http://www.h-online.com/security/news/item/Microsoft-says-don-t-use-PPTP-and-MS-CHAP-1672257.html
[5] W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, and B. Palter, "Layer two tunneling protocol (L2TP)", 2070-1721, RFC 2661, 1999.
[6] J. Lau, M. Townsley, and I. Goyret, "Layer Two Tunneling Protocol-Version 3 (L2TPv3)", Network Working Group, RFC 3931, 2005.
[7] B. Patel, B. Aboba, W. Dixon, G. Zorn, and S. Booth, "Securing L2TP using IPsec", 2070-1721, RFC 3193, 2001.
[8] R. Atkinson, "Security Architecture for the Internet Protocol”, Obsoleted by RFC 2401 [KA98a]. Status: PROPOSED STANDARD, RFC 1825, 1995.
[9] B. Aboba and W. Dixon, "IPsec-network address translation (NAT) compatibility requirements", RFC 3715, 2004.
[10] S. E. Deering and R. Hinden, "Internet protocol, version 6 (IPv6) specification," RFC 2460, 1998.
[11] S. Kent, R. Atkinson, and I. A. Header, "IP Authentication Header”, RFC 2402, 1998.
[12] G. De Laet and G. Schauwers, “Network security fundamentals”, Cisco Press, 2005.
[13] S. Kent, "IP encapsulating security payload (ESP)", RFC 4303, 2005.
[14] D. Maughan, M. Schertler, M. Schneider, and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)”, RFC 2408, 1998.
[15] C. Kaufman, P. Hoffman, Y. Nir, and P. Eronen, "Internet Key Exchange Protocol Version 2 (IKEv2)”, RFC 5996, 2010.
[16] D. Farinacci, T. Li, S. Hanks, D. Meyer, and P. Traina, "Generic Routing Encapsulation (GRE)", IETF, RFC 2784, 2000.
[17] F. Detienne, M. Kumar, and M. Sullenberger, “Flexible Dynamic Mesh VPN draft-detienne-dmvpn-00”, CISCO, 2013.
[18] A. Freier, P. Karlton, and P. Kocher, "The secure sockets layer (SSL) protocol version 3.0," 2011.
[19] D. Li, P. Morton, T. Li, and B. Cole, "Cisco Hot Standby Router Protocol (HSRP)", RFC, 2281, 1998.
[20] R. Hinden, "Virtual Router Redundancy Protocol (VRRP)", RFC, 3768, 2004.
- Arbeit zitieren
- Zeeshan Ashraf (Autor:in), 2018, Virtual Private Networks in Theory and Practice, München, GRIN Verlag, https://www.grin.com/document/417385
Ähnliche Arbeiten
Kostenlos Autor werden
Kommentare