
5 steps to configure an IPsec site-to-site VPN using a pre-shared key

1. Define the parameters for the IKE phase 1 tunnel (ISAKMP policy)
2. Define the parameters for the IKE phase 2 tunnel (IPsec transform set)
3. Create an ACL to identify "interesting" traffic (the traffic that must be encrypted)
4. Create a crypto map and apply it to the appropriate interface
5. Optionally, create an ACL to block non-interesting traffic

Note: the values used below (pre-shared key "cisco", DH group 2, SHA-1, 24-hour ISAKMP lifetime) are lab settings. For production, use a long random pre-shared key, DH group 14 or higher and SHA-256 where the IOS release supports them. The ISAKMP policy, pre-shared key and transform set must match on both peers, and the two crypto ACLs must be exact mirror images of each other; otherwise phase 1 or phase 2 negotiation fails.

=============================================================================
Step 1: IKE phase 1 (ISAKMP) policy and pre-shared key

Router_A(config)#crypto isakmp policy 1
Router_A(config-isakmp)#authentication pre-share
Router_A(config-isakmp)#hash ?
  md5  Message Digest 5
  sha  Secure Hash Standard
Router_A(config-isakmp)#hash sha
Router_A(config-isakmp)#encryption aes ?
  128  128 bit keys.
  192  192 bit keys.
  256  256 bit keys.
  <cr>
Router_A(config-isakmp)#encryption aes 128
Router_A(config-isakmp)#group ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
Router_A(config-isakmp)#group 2
Router_A(config-isakmp)#lifetime 86400
Router_A(config-isakmp)#exit
Router_A(config)#crypto isakmp key cisco address 172.16.1.2

Step 2: IKE phase 2 (IPsec) transform set

Router_A(config)#crypto ipsec transform-set myset esp-aes esp-sha
Router_A(cfg-crypto-trans)#exit

Step 3: crypto ACL for interesting traffic

Router_A(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255

Step 4: crypto map

Router_A(config)#crypto map Router_A_to_Router_B 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Router_A(config-crypto-map)#set peer 172.16.1.2
Router_A(config-crypto-map)#match address 101
Router_A(config-crypto-map)#set transform-set myset
Router_A(config-crypto-map)#end
*Mar 1 00:19:17.675: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router_A#

(The capture does not show "crypto map Router_A_to_Router_B" being entered under "interface s0/0" on Router_A, as is done for Router_B below; the "show crypto map interface s0/0" output in the testing section confirms the map was applied to Serial0/0.)

Router B
------
Router_B(config)#crypto isakmp policy 1
Router_B(config-isakmp)#authentication pre-share
Router_B(config-isakmp)#hash sha
Router_B(config-isakmp)#encryption aes 128
Router_B(config-isakmp)#group 2
Router_B(config-isakmp)#lifetime 86400
Router_B(config)#crypto isakmp key cisco address 172.16.1.1
Router_B(config)#crypto ipsec transform-set myset esp-aes esp-sha
Router_B(config)#access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Router_B(config)#crypto map Router_B_to_Router_A 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Router_B(config-crypto-map)#set peer 172.16.1.1
Router_B(config-crypto-map)#match address 101
Router_B(config-crypto-map)#set transform-set myset
Router_B(config-crypto-map)#end
Router_B#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router_B(config)#int s0/0
Router_B(config-if)#crypto map Router_B_to_Router_A
Router_B(config-if)#
*Mar 1 00:30:52.775: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router_B(config-if)#end

====================== TESTING =======================

Host_A#traceroute 10.0.1.2
Type escape sequence to abort.
Tracing the route to 10.0.1.2
  1 192.168.1.1 184 msec 60 msec 116 msec
  2 10.0.1.2 292 msec 216 msec *
Host_A#

=========================

Host_B#traceroute 192.168.1.2
Type escape sequence to abort.
Tracing the route to 192.168.1.2
  1 10.0.1.1 128 msec 100 msec 120 msec
  2 192.168.1.2 228 msec 232 msec *
Host_B#

==============================

Router_A#show access-lists
Extended IP access list 101
    10 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255 (13119 matches)
Router_A#

===========================

Router_B#show access-lists
Extended IP access list 101
    10 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255 (13082 matches)
Router_B#

==========================

Router_A#show crypto map interface s0/0
Crypto Map "Router_A_to_Router_B" 10 ipsec-isakmp
        Peer = 172.16.1.2
        Extended IP access list 101
            access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
        Current peer: 172.16.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ myset, }
        Interfaces using crypto map Router_A_to_Router_B:
                Serial0/0

================================
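Most site-to-site tunnels that refuse to come up fail on one of the things the two halves of the configuration above have to agree on: the pre-shared key, the ISAKMP policy, the transform set, and crypto ACLs that are exact mirror images. The following Python script is an added example, not part of the original page or of Cisco's tooling. It renders both routers' IOS configuration from one description (the hypothetical `Site` and `Policy` classes, the `render`, `check_pair` and `audit_policy` helper names, and the `acl` default are assumptions), checks the rendered pair for the mismatches that break phase 1 or phase 2, and flags the lab-grade choices (key "cisco", DH group 2) that should not reach production. Defaults are the lab's own values.

```python
# Added example (not from the original page): generate both sides of the IOS
# site-to-site IPsec configuration shown above and check the settings that
# must agree on both peers before IKE phase 1 / phase 2 can succeed.
# Class and function names, and the acl number default, are assumptions.
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Site:
    name: str      # hostname, e.g. Router_A
    wan_ip: str    # address the peer uses in 'set peer' / 'crypto isakmp key'
    lan: str       # protected LAN in CIDR form, e.g. 192.168.1.0/24
    wan_if: str    # interface that receives the 'crypto map' command


@dataclass(frozen=True)
class Policy:
    psk: str
    hash_alg: str = "sha"
    encryption: str = "aes 128"
    dh_group: int = 2
    lifetime: int = 86400
    transform: str = "esp-aes esp-sha"


def net_wildcard(cidr: str) -> str:
    """'192.168.1.0/24' -> '192.168.1.0 0.0.0.255' (IOS ACL notation)."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"{n.network_address} {n.hostmask}"


def render(local: Site, remote: Site, pol: Policy, acl: int = 101) -> list[str]:
    """IOS config lines for one side; the other side is render(remote, local, pol)."""
    map_name = f"{local.name}_to_{remote.name}"
    return [
        "crypto isakmp policy 1",
        " authentication pre-share",
        f" hash {pol.hash_alg}",
        f" encryption {pol.encryption}",
        f" group {pol.dh_group}",
        f" lifetime {pol.lifetime}",
        f"crypto isakmp key {pol.psk} address {remote.wan_ip}",
        f"crypto ipsec transform-set myset {pol.transform}",
        f"access-list {acl} permit ip {net_wildcard(local.lan)} {net_wildcard(remote.lan)}",
        f"crypto map {map_name} 10 ipsec-isakmp",
        f" set peer {remote.wan_ip}",
        f" match address {acl}",
        " set transform-set myset",
        f"interface {local.wan_if}",
        f" crypto map {map_name}",
    ]


def _grab(cfg: list[str], pattern: str):
    """Return the capture groups of the first config line matching pattern."""
    for line in cfg:
        m = re.match(pattern, line)
        if m:
            return m.groups()
    return None


def check_pair(cfg_a: list[str], cfg_b: list[str]) -> list[str]:
    """Mismatches between two rendered configs; an empty list means consistent."""
    problems = []
    acl_re = r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)"
    acl_a, acl_b = _grab(cfg_a, acl_re), _grab(cfg_b, acl_re)
    # B's ACL must be A's with source and destination swapped (proxy IDs).
    if acl_a is None or acl_b is None or acl_a != (acl_b[1], acl_b[0]):
        problems.append("crypto ACLs are not mirror images (Phase 2 proxy-ID mismatch)")
    for label, pat in [("pre-shared key", r"crypto isakmp key (\S+) address"),
                       ("ISAKMP hash", r" hash (\S+)"),
                       ("ISAKMP encryption", r" encryption (.+)"),
                       ("DH group", r" group (\d+)"),
                       ("transform set", r"crypto ipsec transform-set \S+ (.+)")]:
        if _grab(cfg_a, pat) != _grab(cfg_b, pat):
            problems.append(f"{label} differs between peers")
    return problems


def audit_policy(pol: Policy) -> list[str]:
    """Warn about lab-grade choices that should not reach production."""
    warnings = []
    if len(pol.psk) < 20 or pol.psk.lower() in {"cisco", "password", "secret"}:
        warnings.append("pre-shared key is short or a dictionary word")
    if pol.dh_group < 14:
        warnings.append(f"DH group {pol.dh_group} is below 2048-bit (group 14)")
    if pol.hash_alg == "md5" or "md5" in pol.transform:
        warnings.append("MD5 is used for integrity")
    if any(w in pol.encryption or w in pol.transform for w in ("des", "3des")):
        warnings.append("DES/3DES encryption")
    return warnings


if __name__ == "__main__":
    # The lab topology from the page, used as constructed sample input.
    a = Site("Router_A", "172.16.1.1", "192.168.1.0/24", "Serial0/0")
    b = Site("Router_B", "172.16.1.2", "10.0.1.0/24", "Serial0/0")
    lab = Policy(psk="cisco")
    cfg_a, cfg_b = render(a, b, lab), render(b, a, lab)
    print("\n".join(cfg_a), "\n!\n", "\n".join(cfg_b), sep="")
    print("mismatches:", check_pair(cfg_a, cfg_b) or "none")
    print("warnings:", audit_policy(lab))
```

Run it to print both configurations and the audit; then change one side's LAN or DH group and re-run to see `check_pair` name the mismatch that would otherwise only surface as a silent phase 1 or phase 2 failure on the router.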
