Anda di halaman 1dari 7

4/17/2017 PacketTracerConfiguringVPNs(Optional)

Thisisthehtmlversionofthefilehttps://courses.cs.ut.ee/MTAT.08.004/2016_spring/uploads/Main/37_1.pdf.
Googleautomaticallygenerateshtmlversionsofdocumentsaswecrawltheweb.

Page1

PacketTracerConfiguringVPNs(Optional)

Topology

AddressingTable

Device Interface IPAddress SubnetMask DefaultGateway

G0/0 192.168.1.1 255.255.255.0 N/A


R1
S0/0/0 10.1.1.2 255.255.255.252 N/A

G0/0 192.168.2.1 255.255.255.0 N/A

R2 S0/0/0 10.1.1.1 255.255.255.252 N/A

S0/0/1 10.2.2.1 255.255.255.252 N/A

G0/0 192.168.3.1 255.255.255.0 N/A


R3
S0/0/1 10.2.2.2 255.255.255.252 N/A

PCA NIC 192.168.1.3 255.255.255.0 192.168.1.1

PCB NIC 192.168.2.3 255.255.255.0 192.168.2.1

PCC NIC 192.168.3.3 255.255.255.0 192.168.3.1

https://webcache.googleusercontent.com/search?q=cache:qoCHLlEZ6wJ:https://courses.cs.ut.ee/MTAT.08.004/2016_spring/uploads/Main/37_1.pdf+&cd=2&hl= 1/7
4/17/2017 PacketTracerConfiguringVPNs(Optional)

2013Ciscoand/oritsaffiliates.Allrightsreserved.ThisdocumentisCiscoPublic. Page1of6

Page2

PacketTracerConfiguringVPNs(Optional)

ISAKMPPhase1PolicyParameters

Parameters R1 R3

Keydistributionmethod ManualorISAKMP ISAKMP ISAKMP

Encryptionalgorithm DES,3DES,orAES AES AES

Hashalgorithm MD5orSHA1 SHA1 SHA1

Authenticationmethod PresharedkeysorRSA preshare preshare

Keyexchange DHGroup1,2,or5 DH2 DH2

IKESALifetime 86400secondsorless 86400 86400

ISAKMPKey cisco cisco

Boldedparametersaredefaults.Otherparametersneedtobeexplicitlyconfigured.

IPsecPhase2PolicyParameters

Parameters R1 R3

TransformSet VPNSET VPNSET

PeerHostname R3 R1

PeerIPAddress 10.2.2.2 10.1.1.2

Networktobeencrypted 192.168.1.0/24 192.168.3.0/24

CryptoMapname VPNMAP VPNMAP

SAEstablishment ipsecisakmp ipsecisakmp

Objectives
Part1:EnableSecurityFeatures

https://webcache.googleusercontent.com/search?q=cache:qoCHLlEZ6wJ:https://courses.cs.ut.ee/MTAT.08.004/2016_spring/uploads/Main/37_1.pdf+&cd=2&hl= 2/7
4/17/2017 PacketTracerConfiguringVPNs(Optional)
Part2:ConfigureIPsecParametersonR1
Part3:ConfigureIPsecParametersonR3

Part4:VerifytheIPsecVPN

Scenario
Inthisactivity,youwillconfiguretworouterstosupportasitetositeIPsecVPNfortrafficflowingfromtheir
respectiveLANs.TheIPsecVPNtrafficwillpassthroughanotherrouterthathasnoknowledgeoftheVPN.
IPsecprovidessecuretransmissionofsensitiveinformationoverunprotectednetworkssuchastheInternet.
IPsecactsatthenetworklayer,protectingandauthenticatingIPpacketsbetweenparticipatingIPsecdevices
(peers),suchasCiscorouters.

Part1:EnableSecurityFeatures

Step1:Activatesecurityk9module.

TheSecurityTechnologyPackagelicensemustbeenabledtocompletethisactivity.

2013Ciscoand/oritsaffiliates.Allrightsreserved.ThisdocumentisCiscoPublic. Page2of6

Page3

PacketTracerConfiguringVPNs(Optional)

Note:BoththeuserEXECandprivilegedEXEXpasswordiscisco.

a.IssuetheshowversioncommandintheuserEXECorprivilegedEXECmodetoverifythattheSecurity
TechnologyPackagelicenseisactivated.

TechnologyTechnologypackage Technologypackage
CurrentType Nextreboot

ipbase ipbasek9Permanentipbasek9
securityNone None None
uc None None None
data None None None

Configurationregisteris0x2102

b.Ifnot,activatethesecurityk9moduleforthenextbootoftherouter,acceptthelicense,savethe
configuration,andreboot.
R1(config)#licensebootmodulec2900technologypackagesecurityk9
R1(config)#end
R1#copyrunningconfigstartupconfig
R1#reload

c.Afterthereloadingiscompleted,issuetheshowversionagaintoverifytheSecurityTechnology
Packagelicenseactivation.
TechnologyPackageLicenseInformationforModule:'c2900'


TechnologyTechnologypackage Technologypackage
CurrentType Nextreboot

https://webcache.googleusercontent.com/search?q=cache:qoCHLlEZ6wJ:https://courses.cs.ut.ee/MTAT.08.004/2016_spring/uploads/Main/37_1.pdf+&cd=2&hl= 3/7
4/17/2017 PacketTracerConfiguringVPNs(Optional)

ipbase ipbasek9Permanentipbasek9
securitysecurityk9Evaluationsecurityk9
uc None None None
data None None None

d.RepeatSteps1ato1cwithR3.

Part2:ConfigureIPsecParametersonR1

Step1:Testconnectivity.

PingfromPCAtoPCC.

Step2:IdentifyinterestingtrafficonR1.

ConfigureACL110toidentifythetrafficfromtheLANonR1totheLANonR3asinteresting.Thisinteresting
trafficwilltriggertheIPsecVPNtobeimplementedwheneverthereistrafficbetweenR1toR3LANs.All
othertrafficsourcedfromtheLANswillnotbeencrypted.Rememberthatduetotheimplicitdenyany,thereis
noneedtoaddthestatementtothelist.
R1(config)#accesslist110permitip192.168.1.00.0.0.255192.168.3.0
0.0.0.255

2013Ciscoand/oritsaffiliates.Allrightsreserved.ThisdocumentisCiscoPublic. Page3of6

Page4

PacketTracerConfiguringVPNs(Optional)

Step3:ConfiguretheISAKMPPhase1propertiesonR1.

ConfigurethecryptoISAKMPpolicy10propertiesonR1alongwiththesharedcryptokeycisco.Refertothe
ISAKMPPhase1tableforthespecificparameterstoconfigure.Defaultvaluesdonothavetobeconfigured
thereforeonlytheencryption,keyexchangemethod,andDHmethodmustbeconfigured.
R1(config)#cryptoisakmppolicy10
R1(configisakmp)#encryptionaes
R1(configisakmp)#authenticationpreshare
R1(configisakmp)#group2
R1(configisakmp)#exit
R1(config)#cryptoisakmpkeyciscoaddress10.2.2.2

Step4:ConfiguretheISAKMPPhase2propertiesonR1.

CreatethetransformsetVPNSETtouseesp3desandespshahmac.ThencreatethecryptomapVPN
MAPthatbindsallofthePhase2parameterstogether.Usesequencenumber10andidentifyitasanipsec
isakmpmap.

R1(config)#cryptoipsectransformsetVPNSETesp3desespshahmac
R1(config)#cryptomapVPNMAP10ipsecisakmp
R1(configcryptomap)#descriptionVPNconnectiontoR3
R1(configcryptomap)#setpeer10.2.2.2
R1(configcryptomap)#settransformsetVPNSET
R1(configcryptomap)#matchaddress110

https://webcache.googleusercontent.com/search?q=cache:qoCHLlEZ6wJ:https://courses.cs.ut.ee/MTAT.08.004/2016_spring/uploads/Main/37_1.pdf+&cd=2&hl= 4/7
4/17/2017 PacketTracerConfiguringVPNs(Optional)
R1(configcryptomap)#exit

Step5:Configurethecryptomapontheoutgoinginterface.

Finally,bindtheVPNMAPcryptomaptotheoutgoingSerial0/0/0interface.Note:Thisisnotgraded.

R1(config)#interfaceS0/0/0
R1(configif)#cryptomapVPNMAP

Part3:ConfigureIPsecParametersonR3

Step1:ConfigurerouterR3tosupportasitetositeVPNwithR1.

NowconfigurereciprocatingparametersonR3.ConfigureACL110identifyingthetrafficfromtheLANonR3
totheLANonR1asinteresting.
R3(config)#accesslist110permitip192.168.3.00.0.0.255192.168.1.0
0.0.0.255

Step2:ConfiguretheISAKMPPhase1propertiesonR3.

ConfigurethecryptoISAKMPpolicy10propertiesonR3alongwiththesharedcryptokeycisco.
R3(config)#cryptoisakmppolicy10
R3(configisakmp)#encryptionaes
R3(configisakmp)#authenticationpreshare
R3(configisakmp)#group2
R3(configisakmp)#exit
R3(config)#cryptoisakmpkeyciscoaddress10.1.1.2

2013Ciscoand/oritsaffiliates.Allrightsreserved.ThisdocumentisCiscoPublic. Page4of6

Page5

PacketTracerConfiguringVPNs(Optional)

Step3:ConfiguretheISAKMPPhase2propertiesonR1.

LikeyoudidonR1,createthetransformsetVPNSETtouseesp3desandespshahmac.Thencreatethe
cryptomapVPNMAPthatbindsallofthePhase2parameterstogether.Usesequencenumber10and
identifyitasanipsecisakmpmap.

R3(config)#cryptoipsectransformsetVPNSETesp3desespshahmac
R3(config)#cryptomapVPNMAP10ipsecisakmp
R3(configcryptomap)#descriptionVPNconnectiontoR1
R3(configcryptomap)#setpeer10.1.1.2
R3(configcryptomap)#settransformsetVPNSET
R3(configcryptomap)#matchaddress110
R3(configcryptomap)#exit

Step4:Configurethecryptomapontheoutgoinginterface.

Finally,bindtheVPNMAPcryptomaptotheoutgoingSerial0/0/1interface.Note:Thisisnotgraded.

R3(config)#interfaceS0/0/1
R3(configif)#cryptomapVPNMAP

https://webcache.googleusercontent.com/search?q=cache:qoCHLlEZ6wJ:https://courses.cs.ut.ee/MTAT.08.004/2016_spring/uploads/Main/37_1.pdf+&cd=2&hl= 5/7
4/17/2017 PacketTracerConfiguringVPNs(Optional)

Part4:VerifytheIPsecVPN
Step1:Verifythetunnelpriortointerestingtraffic.

IssuetheshowcryptoipsecsacommandonR1.Noticethatthenumberofpacketsencapsulated,
encrypted,decapsulatedanddecryptedareallsetto0.
R1#showcryptoipsecsa

interface:Serial0/0/0
Cryptomaptag:VPNMAP,localaddr10.1.1.2

protectedvrf:(none)
localident(addr/mask/prot/port):(192.168.1.0/255.255.255.0/0/0)
remoteident(addr/mask/prot/port):(192.168.3.0/255.255.255.0/0/0)
current_peer10.2.2.2port500
PERMIT,flags={origin_is_acl,}
#pktsencaps:0,#pktsencrypt:0,#pktsdigest:0
#pktsdecaps:0,#pktsdecrypt:0,#pktsverify:0
#pktscompressed:0,#pktsdecompressed:0
#pktsnotcompressed:0,#pktscompr.failed:0
#pktsnotdecompressed:0,#pktsdecompressfailed:0
#senderrors0,#recverrors0

localcryptoendpt.:10.1.1.2,remotecryptoendpt.:10.2.2.2
pathmtu1500,ipmtu1500,ipmtuidbSerial0/0/0
currentoutboundspi:0x0(0)
<outputomitted>

Step2:Createinterestingtraffic.

PingPCCfromPCA.

2013Ciscoand/oritsaffiliates.Allrightsreserved.ThisdocumentisCiscoPublic. Page5of6

Page6

PacketTracerConfiguringVPNs(Optional)

Step3:Verifythetunnelafterinterestingtraffic.

OnR1,reissuetheshowcryptoipsecsacommand.Nownoticethatthenumberofpacketsismorethan0
indicatingthattheIPsecVPNtunnelisworking.
R1#showcryptoipsecsa

interface:Serial0/0/0
Cryptomaptag:VPNMAP,localaddr10.1.1.2

protectedvrf:(none)
localident(addr/mask/prot/port):(192.168.1.0/255.255.255.0/0/0)
remoteident(addr/mask/prot/port):(192.168.3.0/255.255.255.0/0/0)
current_peer10.2.2.2port500
PERMIT,flags={origin_is_acl,}
#pktsencaps:3,#pktsencrypt:3,#pktsdigest:0
https://webcache.googleusercontent.com/search?q=cache:qoCHLlEZ6wJ:https://courses.cs.ut.ee/MTAT.08.004/2016_spring/uploads/Main/37_1.pdf+&cd=2&hl= 6/7
4/17/2017 PacketTracerConfiguringVPNs(Optional)

#pktsdecaps:3,#pktsdecrypt:3,#pktsverify:0
#pktscompressed:0,#pktsdecompressed:0
#pktsnotcompressed:0,#pktscompr.failed:0
#pktsnotdecompressed:0,#pktsdecompressfailed:0
#senderrors1,#recverrors0

localcryptoendpt.:10.1.1.2,remotecryptoendpt.:10.2.2.2
pathmtu1500,ipmtu1500,ipmtuidbSerial0/0/0
currentoutboundspi:0x0A496941(172583233)
<outputomitted>

Step4:Createuninterestingtraffic.

PingPCBfromPCA.

Step5:Verifythetunnel.

OnR1,reissuetheshowcryptoipsecsacommand.Finally,noticethatthenumberofpacketshasnot
changedverifyingthatuninterestingtrafficisnotencrypted.

2013Ciscoand/oritsaffiliates.Allrightsreserved.ThisdocumentisCiscoPublic. Page6of6

https://webcache.googleusercontent.com/search?q=cache:qoCHLlEZ6wJ:https://courses.cs.ut.ee/MTAT.08.004/2016_spring/uploads/Main/37_1.pdf+&cd=2&hl= 7/7