WEBVTT

00:00.990 --> 00:09.180
We are going to have a look at what GET VPN is, what is a VPN, where is it used?

00:12.300 --> 00:16.650
GET VPN is used over private WAN links.

00:18.650 --> 00:21.890
Private WAN links or private LAN.

00:23.490 --> 00:28.930
So private WAN links are the Frame Relay, MPLS, ATM.

00:29.960 --> 00:31.640
The most famous right now, MPLS.

00:32.630 --> 00:33.070
Right.

00:33.080 --> 00:34.970
But why do we need a VPN for that?

00:36.650 --> 00:38.060
What does the private WAN do?

00:38.090 --> 00:41.240
It connects two private networks together right across there.

00:41.480 --> 00:42.740
Across the service provider.

00:43.040 --> 00:45.770
Then why do you need protection?

00:47.530 --> 00:53.080
Protect yourself from the service provider when you are on a private WAN.

00:53.110 --> 00:54.520
You are not on the internet.

00:55.450 --> 00:58.810
You're only going across the service provider to the other side.

01:01.630 --> 01:01.710
Right.

01:01.830 --> 01:05.340
So you have four different sites connected to the service provider.

01:05.580 --> 01:12.030
It's not the Internet, it's through an MPLS cloud, and whatever labels or whatever they're using, it's not

01:12.030 --> 01:12.780
up to you.

01:12.780 --> 01:15.000
I mean, for you, it's just a big router in the middle.

01:15.840 --> 01:20.910
You're just connected to one big router which routes your packet from one interface to the other one.

01:21.210 --> 01:23.870
You can use private addresses as I'm using right now.

01:23.870 --> 01:26.670
192.168.0 across the WAN.

01:27.120 --> 01:28.350
Then connectivity.

01:28.380 --> 01:31.320
You can run any routing protocol, right?

01:31.320 --> 01:35.850
And your packets will move from your Loopbacks to the loopbacks or from your internal networks to the

01:35.850 --> 01:36.840
internal networks.

01:37.140 --> 01:41.010
This is a prerequisite, right?

01:41.010 --> 01:43.080
You can run routing, you can do anything.

01:43.080 --> 01:47.280
The restriction in DMVPN that we had was we were on the Internet.

01:47.970 --> 01:53.700
Since we were on the Internet, we could not run normal routing between these routers because they were

01:53.700 --> 01:58.320
going through the BGP net cloud, so you couldn't run routing here.

01:58.320 --> 02:01.900
You don't have that restriction since it's all your own network.

02:01.960 --> 02:04.420
The only one alien router here is.

02:07.250 --> 02:08.030
The private one.

02:08.150 --> 02:14.750
You need to make sure that your network is protected across MPLS.

02:14.780 --> 02:20.180
You might hear it's also known as MPLS VPN, MPLS VPN.

02:20.390 --> 02:21.860
Does that mean it is secure?

02:22.490 --> 02:23.780
It's not secure.

02:24.620 --> 02:29.870
It's a VPN because there's encapsulations happening, but it is still open.

02:29.870 --> 02:30.500
Text.

02:30.530 --> 02:31.520
Clear text.

02:31.550 --> 02:34.160
If you telnet through, anyone can see what's inside.

02:35.270 --> 02:37.190
If you're using frame relay, same thing.

02:37.550 --> 02:44.030
It is also considered to be an L2 VPN, Frame Relay, but when you send traffic through it again, anyone

02:44.030 --> 02:47.930
who's there at the service provider can just click on it and see what's inside there.

02:50.340 --> 02:50.640
Okay.

02:50.810 --> 02:51.530
This past year.

02:52.900 --> 02:53.580
It is costly.

02:56.160 --> 02:57.640
We use big companies.

02:57.640 --> 02:59.870
They use this because it's more secure.

02:59.890 --> 03:01.960
Also, you're not on the Internet.

03:04.300 --> 03:05.410
That's the best thing.

03:05.740 --> 03:08.260
You're not on the you don't need to be on the Internet.

03:08.440 --> 03:09.940
It's all on your own private cloud.

03:11.260 --> 03:11.620
Right.

03:11.650 --> 03:13.150
Now, the question is.

03:13.750 --> 03:15.010
Now the question.

03:15.370 --> 03:22.930
Another good interesting fact is yesterday we needed to do a lot of work to make the loopback stop here.

03:22.960 --> 03:25.450
Routing protocol done, Communication is successful.

03:27.130 --> 03:29.200
What happens in this case?

03:29.200 --> 03:35.710
How you actually implement this is once you have connectivity between all your internal networks, once

03:35.710 --> 03:40.510
they they're communicating to each other, you also make this guy communicate.

03:41.410 --> 03:46.360
What you could do is you could convert your router, one of your routers into something known as a key

03:46.390 --> 03:46.960
server.

03:50.510 --> 03:54.010
Okay, so what does a key server do?

03:54.020 --> 04:02.080
The sole purpose of a key server is to manage keys, is to manage keys.

04:02.090 --> 04:05.000
You will be creating the same IPsec tunnels.

04:06.710 --> 04:10.360
The ones which we have been talking about for a long time now.

04:10.370 --> 04:11.540
You'll be doing the same.

04:11.570 --> 04:12.650
IPsec Tunnels.

04:15.020 --> 04:22.250
Across the whole thing, but your ISAKMP, remember the ISAKMP.

04:22.610 --> 04:27.170
The key exchange will not be between the peers, will not be between the group members.

04:27.200 --> 04:28.430
It will be between whom?

04:29.840 --> 04:32.240
Between the key server and your group members.

04:37.390 --> 04:37.780
And so.

04:37.840 --> 04:38.150
And so.

04:40.870 --> 04:43.060
So the key will be generated.

04:43.060 --> 04:43.300
Where?

04:46.380 --> 04:51.030
And then it will push this key down to all the other group members.

04:53.900 --> 04:56.470
Whenever the group members are coming up, for example, R2.

04:56.960 --> 04:59.840
R2's ISAKMP will be between R1 and R2.

05:00.620 --> 05:09.320
They will negotiate on a session and eventually, at the end of that, he will have a session key.

05:09.590 --> 05:13.280
Plus, they will negotiate on not negotiate.

05:13.310 --> 05:14.210
It's called push down.

05:14.750 --> 05:19.850
The configuration, all configuration, will be done where? On the server, the access list.

05:20.720 --> 05:22.700
The ACL will be configured on the server.

05:22.730 --> 05:25.670
The set transform set will be configured where?

05:25.820 --> 05:26.690
On the server.

05:27.170 --> 05:31.490
Once they negotiate the IPsec plus the session key.

05:31.520 --> 05:35.990
What the server does is push down the ACL and the transform set to him.

05:36.620 --> 05:43.100
So let's say the transform set says that your encryption should be done based on AES and your hashing

05:43.100 --> 05:45.250
should be done based on SHA.

05:46.700 --> 05:54.060
So the key server will push down, telling him, listen, do AES, use AES and SHA, and this is your

05:54.060 --> 05:54.780
session key.

05:55.320 --> 05:56.010
This black key.

05:56.160 --> 05:57.090
Keep it there.

05:57.480 --> 05:58.260
That's it.

05:59.490 --> 06:00.690
That's all it will do.

06:01.260 --> 06:03.690
Then we'll go to the other guy.

06:03.720 --> 06:05.520
Then R3 will come up and register.

06:07.590 --> 06:17.730
When R3 comes and registers, everything is not negotiated; it is only negotiated for the ISAKMP part, only

06:17.730 --> 06:18.450
For the first time.

06:19.110 --> 06:24.960
The black key has already been created, and it's kept where? On the key server.

06:25.350 --> 06:29.130
Whoever comes and registers now will be given which key.

06:30.450 --> 06:31.110
This black key.

06:35.590 --> 06:39.430
And the same transform set and the ACL.

06:43.190 --> 06:45.200
When both of them have created their tunnels.

06:45.230 --> 06:50.180
Both of them have the same session key because the key server keeps track of it.

06:51.770 --> 06:56.510
The key server keeps track of the key, and it's providing the same key to everybody who's coming and

06:56.510 --> 06:56.990
registering.

06:58.400 --> 07:00.350
So first R2 came in.

07:00.350 --> 07:01.430
I gave him one key.

07:01.580 --> 07:03.740
Then R3 came in.

07:03.740 --> 07:05.210
I gave him the same key.

07:05.240 --> 07:08.090
The moment I gave both of them the same key, they can communicate.

07:08.490 --> 07:13.490
If they're communicating across themselves, the moment they communicate, it will be encrypted.

07:16.010 --> 07:17.080
Moment because why?

07:17.240 --> 07:18.290
They have the key.

07:18.320 --> 07:19.730
They have the encryption mechanism.

07:19.730 --> 07:21.620
They have the hashing mechanism, both sides.

07:22.130 --> 07:32.180
And plus they also have the ACL. The keying material, the keying material, remember the 3600 seconds,

07:33.650 --> 07:35.510
the session key of 3600 seconds.

07:35.510 --> 07:36.740
That's what's being sent down.

07:39.480 --> 07:39.720
Hey.

07:43.450 --> 07:50.040
To be a part of it, a part of the session.

07:51.190 --> 07:54.310
Remember the whole you have a whole material out of that.

07:54.310 --> 07:57.490
You take out small chunks every 3600 seconds.

07:57.490 --> 07:58.930
You go back and take another chunk.

07:59.500 --> 08:03.850
Then every 3600, you go back and change it the same way.

08:04.600 --> 08:06.340
The same one is being sent down.

08:06.340 --> 08:16.270
Now the question arises is if, for example, if now this is your the first day you got stuck at this,

08:16.420 --> 08:19.420
if they're communicating among themselves.

08:19.420 --> 08:19.630
Right.

08:19.630 --> 08:21.810
They're running routing protocols among themselves.

08:21.820 --> 08:31.180
If I push down this key here and I push down AES and SHA, will he be able to communicate to the others?

08:33.100 --> 08:34.900
I have not joined the other guys.

08:35.890 --> 08:37.450
It will not be able to communicate.

08:37.450 --> 08:37.600
Why?

08:37.630 --> 08:41.450
Because now the traffic which will be leaving this interface will be encrypted.

08:41.450 --> 08:44.210
And when it reaches the other sides it will be encrypted.

08:44.240 --> 08:45.980
The other sides do not have the key.

08:45.980 --> 08:47.480
They have not registered.

08:47.510 --> 08:53.690
They will not be able to do what? Decryption. They are not able to decrypt it.

08:53.690 --> 08:54.470
They don't have the key.

08:54.470 --> 08:56.870
They are not able to understand what you're sending them.

08:57.050 --> 09:02.300
That's why from here, the first time when you're implementing in production, you will apply it only

09:02.300 --> 09:03.410
in inbound direction.

09:07.520 --> 09:12.020
Basically telling it only do decryption do not do encryption.

09:14.360 --> 09:16.280
I will I'll show it to you how to do it.

09:16.910 --> 09:21.890
Now, see, again, the question is a little bit of recap.

09:24.650 --> 09:28.190
What is going to happen is R2 is going to come up and register to whom?

09:29.090 --> 09:33.850
R1, who is... ISAKMP across this, ISAKMP.

09:34.730 --> 09:36.350
R1 is going to send him what?

09:38.270 --> 09:46.070
The session key of 3600 seconds, AES, and the transform

09:46.070 --> 09:46.310
set.

09:46.340 --> 09:48.380
This will be applied to this interface.

09:50.490 --> 09:52.560
Whichever interface you choose, that's how it registers.

09:52.560 --> 09:55.440
When you choose the interface, it goes and registers itself.

09:55.800 --> 09:57.450
The moment you choose this interface.

09:57.450 --> 10:04.470
Now whatever is going to happen is based on the ACL, based on the access list, which will be from

10:04.470 --> 10:05.550
loopback to loopback.

10:05.580 --> 10:09.270
Whatever traffic is going to be sent will be encrypted and decrypted.

10:09.780 --> 10:14.250
Now usually when you apply the crypto map, it's in both directions inbound and outbound.

10:14.250 --> 10:17.490
Inbound means decryption outbound means encryption.

10:18.540 --> 10:26.460
Now when traffic coming from, say, for example, 10.2 will be what? Encrypted, and go out as

10:26.460 --> 10:33.150
encrypted traffic. If it reaches this device, will R3 understand it? Because it's encrypted, right?

10:33.480 --> 10:36.180
So we applied only in one direction.

10:36.180 --> 10:37.920
We apply it only for decryption.

10:37.920 --> 10:41.670
We say, okay, when you're going out, do not encrypt, let it be.

10:42.330 --> 10:46.920
But when you're coming back in, if you have traffic coming back in, which is already encrypted, you

10:46.920 --> 10:49.360
have the permission to decrypt it.

10:49.360 --> 10:53.770
So we only apply in the beginning in production environments in one direction.

10:56.220 --> 10:57.330
Only to decrypt the data.

10:57.690 --> 10:58.030
Right.

10:58.050 --> 10:59.070
We'll see how that is done.

10:59.520 --> 11:01.530
For now, let's do the normal stuff.

11:03.440 --> 11:03.830
Yeah.

11:04.640 --> 11:10.090
So it would be saying will you be the first and Yeah.

11:10.400 --> 11:14.090
Will be exchanged between them once the first guy comes and registers.

11:14.090 --> 11:14.530
Right.

11:14.600 --> 11:16.520
The will be exchanged from that.

11:16.820 --> 11:25.850
I'll find out what the sessions that same session key will be used for everybody else so we can get

11:25.850 --> 11:26.150
the best.

11:26.600 --> 11:27.680
Yeah, yeah.

11:27.950 --> 11:34.610
The thing about GET VPN is Wireshark cannot capture GET VPN's exchange. It doesn't show you; Wireshark doesn't

11:34.610 --> 11:38.660
have the capability of it, it just shows you data, doesn't show anything inside that data.

11:38.660 --> 11:45.320
So since you can capture it, you can capture what? The key cannot be captured.

11:47.990 --> 11:48.680
It is not secure.

11:49.610 --> 11:51.140
Always was never secure.

11:51.170 --> 11:52.040
Even in IPsec.

11:52.040 --> 11:57.770
Remember, the public key was sent from both sides, but it was mixed with the private key.

11:57.770 --> 12:02.770
So even if anyone can see it, the secret key is not exchanged right there.

12:02.780 --> 12:05.750
Also, we don't exchange the secret key there.

12:05.760 --> 12:07.260
Also, secret key is not exchanged.

12:07.290 --> 12:09.210
When they're exchanging, they're exchanging the edge.

12:11.340 --> 12:11.940
They're exchanging.

12:11.940 --> 12:12.770
They're exchanging the edge.

12:12.810 --> 12:14.400
First four packets is the same.

12:14.430 --> 12:15.120
The exchange.

12:15.660 --> 12:16.440
You have your key.

12:16.440 --> 12:17.220
I have my key.

12:18.240 --> 12:18.750
Right.

12:18.900 --> 12:20.040
We get the key eventually.

12:20.040 --> 12:21.960
But, yes, a good question.

12:21.960 --> 12:23.400
I get what you are trying to ask.

12:23.400 --> 12:28.860
What he's saying is first time you get the key right next time when the other guy comes up, I need

12:28.860 --> 12:29.790
to send him this key.

12:30.870 --> 12:35.310
When the other guy comes up, for example, here, I again, I need to send him the same key.

12:35.340 --> 12:36.270
How do I do that?

12:36.270 --> 12:37.770
I don't do it just as it is.

12:37.800 --> 12:44.750
First they negotiate their own session of their own, and then the tunnel is protected through this edge,

12:44.820 --> 12:46.620
because it's already protected with the other.

12:46.890 --> 12:48.660
I will send this session.

12:50.600 --> 12:56.240
Once attacking only the small amount of sessions after 3600 seconds.

12:56.270 --> 12:57.610
Key server rekeys.

12:57.620 --> 12:58.520
We call it rekeys.

12:58.520 --> 13:01.040
Everybody else gets that rekey.

13:01.040 --> 13:02.690
The group members come and register again.

13:02.690 --> 13:04.490
I'll show you the time, how it happens.

13:08.470 --> 13:08.710
In.

13:11.420 --> 13:11.700
Yeah.

13:12.420 --> 13:12.660
Yeah.

13:15.890 --> 13:20.120
The order of Easter when I create the keys.

13:23.270 --> 13:23.520
Yeah.

13:26.450 --> 13:28.430
Yeah, it is with the key server.

13:28.730 --> 13:30.480
Yes, it is with the key server.

13:30.500 --> 13:34.790
So the key server is the one who keeps on changing the keys, not the group members.

13:34.820 --> 13:37.070
Group members have no control over the keys.

13:37.940 --> 13:41.510
They do not have any control over the keys every 3600 seconds.

13:41.510 --> 13:42.980
Even 5%.

13:42.980 --> 13:45.110
Less than 3600 seconds.

13:45.140 --> 13:52.250
The group members will go to the key server, reregister themselves, five seconds, 5% of the time before

13:52.340 --> 13:55.490
3600 seconds, will go and reregister themselves.

13:55.520 --> 13:56.480
Get the new key.

13:59.640 --> 14:02.370
Every 3600 seconds, every hour.

14:06.960 --> 14:07.470
Yes.

14:07.470 --> 14:12.600
They create another, use that to encrypt the key, so the key is sent back to them.

14:14.320 --> 14:14.740
Okay.

14:16.180 --> 14:17.890
So, let's see how to do that.

14:17.890 --> 14:20.410
Now, the good thing about this is your transform set.

14:20.710 --> 14:26.950
ACL is configured where? On the group members, all you need to configure is your ISAKMP policies.

14:28.000 --> 14:28.900
That's it.

14:29.860 --> 14:32.020
And a little bit about groups.

14:32.200 --> 14:33.040
We'll see that.

14:34.900 --> 14:36.700
Yeah, that's another good question.

14:36.790 --> 14:42.370
The thing is, can R2 be a key server and a group member himself, just like we did it in DMVPN?

14:42.370 --> 14:46.330
A hub could participate in routing. In GET VPN?

14:46.330 --> 14:47.050
It cannot.

14:48.250 --> 14:49.870
A key server cannot be a group member.

14:49.900 --> 14:51.880
A key server cannot encrypt the data.

14:53.590 --> 14:55.360
It doesn't have the capability of doing it.

14:55.810 --> 14:58.030
It can only, because it has the key.

14:58.030 --> 14:59.260
The main key is with him, right?

14:59.260 --> 15:06.270
So we keep him separate; he gives out the keys to others, but he itself should be isolated from the others

15:06.310 --> 15:06.600
around.

15:07.100 --> 15:08.290
It can be a router.

15:08.290 --> 15:08.710
Yes.

15:09.340 --> 15:09.610
Right.

15:09.610 --> 15:11.920
Not hard to do.

15:11.950 --> 15:15.470
What if R2 becomes the key server?

15:15.470 --> 15:16.970
It has all the keys.

15:17.390 --> 15:21.560
It's very dangerous to put him out there with everybody else.

15:22.730 --> 15:23.210
Right.

15:23.870 --> 15:28.340
The way they designed it was they kept it as separate, said, okay, this will be separate.

15:28.340 --> 15:32.300
So you could have a firewall in the middle and stuff like that to protect it.

15:32.960 --> 15:34.910
Now it doesn't have to be directly connected.

15:34.940 --> 15:35.960
That's the good part.

15:35.990 --> 15:41.810
A key server can be somewhere across, way ahead, somewhere far doesn't really matter as long as you

15:41.810 --> 15:43.670
have connectivity to the key server.

15:43.670 --> 15:44.660
Everything is good.

15:47.360 --> 15:50.750
So the first criteria is what?

15:50.870 --> 15:55.400
The first thing that I need to make sure of is I should have connectivity across the whole thing.

15:56.330 --> 16:03.320
So I'll be running a routing protocol all across this, which will share my internal networks.

16:04.910 --> 16:11.750
Plus I also need to share which network I run because it's faster and quicker.

16:12.050 --> 16:14.390
I'll run it to share everything.

16:14.390 --> 16:19.490
So by the end of my configuration, everybody should be able to reach anywhere where they want to.

16:20.990 --> 16:22.190
Okay, let's do that.

16:25.040 --> 16:29.400
So that's it, right. Let's check from R3.

16:31.190 --> 16:31.940
Try it out.

16:34.330 --> 16:35.440
So routing is done.

16:35.710 --> 16:36.460
10.2.

16:36.490 --> 16:37.150
10.3.

16:37.150 --> 16:37.630
10.4.

16:37.660 --> 16:38.980
10.5, 10.

16:38.980 --> 16:39.220
11.

16:39.220 --> 16:40.390
11.0 is also here.

16:40.390 --> 16:41.050
Which is whom?

16:42.010 --> 16:43.090
My actual server.

16:43.240 --> 16:43.800
The key server.

16:43.810 --> 16:44.920
Can I reach the key server?

16:46.090 --> 16:47.650
I should be able to reach the key server.

16:48.160 --> 16:50.560
I should be able to reach all the loopbacks.

16:53.050 --> 16:54.550
Even without the VPN being set.

16:54.550 --> 17:00.070
You have to understand that this connectivity should be there and you need to make sure that all of

17:00.070 --> 17:04.990
your group members should be able to reach whom? The key server.

17:07.240 --> 17:08.320
Whichever way is possible.

17:08.320 --> 17:11.710
You want to do it with static routes, whatever way you want to do it.

17:11.740 --> 17:15.070
We need to make sure that the group members can reach whom? The key server.

17:15.100 --> 17:21.070
So when you go to the key server and you start configuring the key server, how do you do that?

17:22.810 --> 17:25.890
The first thing is your policies, because why?

17:25.960 --> 17:29.280
All the group members will come up and register to me through ISAKMP.

17:29.800 --> 17:31.900
The first time, right.

17:31.960 --> 17:33.790
What are the policies?

17:34.630 --> 17:35.150
Anything.

17:35.970 --> 17:36.640
Encryption.

17:37.480 --> 17:38.300
Same commands.

17:38.320 --> 17:41.650
The first section will always again be the same.

17:44.530 --> 17:48.430
Step one is crypto isakmp policy.

17:48.460 --> 17:51.100
Then encryption.

17:51.100 --> 17:53.710
Three There's authentication.

17:54.460 --> 17:55.600
Pre-share.

18:05.550 --> 18:06.570
Do I need a key here?

18:08.550 --> 18:09.330
I do need a key.

18:10.140 --> 18:11.130
It's a pre-shared key.

18:11.310 --> 18:12.270
Obviously, I need it.

18:13.650 --> 18:15.850
If I have specified the authentication as pre-shared.

18:15.870 --> 18:17.940
I would require a pre-shared key: crypto

18:19.020 --> 18:23.780
isakmp key cisco address.

18:23.790 --> 18:24.720
What address do I give?

18:26.430 --> 18:36.420
I could specify all my group members separately, which I could say 192.168.6.2 and stuff like

18:36.420 --> 18:36.870
that.

18:36.990 --> 18:40.980
Or I could just say production.

18:40.980 --> 18:41.820
What will you do?

18:43.380 --> 18:44.040
See A7.

18:44.700 --> 18:47.440
Will use Luterman.

18:49.310 --> 18:49.730
Okay.

18:50.600 --> 18:52.370
ISAKMP key cisco address, done.

18:53.360 --> 18:54.110
Two steps are done.

18:54.620 --> 18:55.610
What else do I need?

18:55.640 --> 18:59.480
I need to push down a crypto IPsec transform set.

19:03.120 --> 19:09.720
Step three: crypto ipsec transform-set.

19:10.490 --> 19:13.590
TSET, ESP.

19:14.010 --> 19:17.370
Let's set three days DSP 95.

19:21.790 --> 19:26.740
Number four: access-list 1 permit ip.

19:27.250 --> 19:30.190
Now, this is a little bit tricky.

19:30.820 --> 19:34.150
What access list do I push down going from which network to which network?

19:35.710 --> 19:40.330
Loopback to loopback, but which loopback?

19:41.830 --> 19:43.450
What networks do I specify?

19:43.480 --> 19:48.970
See, the problem is that the same ACL which I specify here on the key server will be pushed down

19:48.970 --> 19:49.540
to all of them.

19:52.300 --> 19:54.520
If you push it down to R2, will you push it down to R3?

19:54.760 --> 19:55.390
Goes down to.

19:55.870 --> 19:57.190
All the group members,

20:00.920 --> 20:01.660
right.

20:01.720 --> 20:02.830
If I do, for example.

20:02.830 --> 20:07.180
10.2.2.2 to 10.3.3.3.

20:07.210 --> 20:09.660
The problem is they will be pushed down here as well as here.

20:09.670 --> 20:11.530
He doesn't have the source of 10.2.

20:11.740 --> 20:12.730
So problem.

20:14.470 --> 20:17.470
If I push it down here, I could make it complicated.

20:17.470 --> 20:20.650
I could say, okay, 10.2 to 10.3, 10.4, 10.5.

20:20.680 --> 20:22.150
Then 10.3 to 10.2.

20:22.150 --> 20:22.870
10.2.

20:22.870 --> 20:25.270
Complicated, not scalable.

20:25.270 --> 20:28.690
So what I do is I summarize it.

20:29.230 --> 20:31.990
I say going from 10.0.0.0

20:35.960 --> 20:42.050
0.255, going to 10.0.0.0

20:46.730 --> 20:50.990
and that would be a problem, because then it will also encrypt your traffic going to.

20:51.950 --> 20:52.700
Yes.

20:52.730 --> 20:53.810
Your traffic.

20:57.060 --> 20:59.730
But you only want your internal networks to be protected.

21:00.000 --> 21:04.950
I know that all my internal networks are on the 10 subnet, so I say anything going from 10 networks

21:04.950 --> 21:07.490
to 10 networks should be encrypted.

21:10.090 --> 21:10.300
Right.

21:11.980 --> 21:13.710
What about two?

21:14.850 --> 21:16.310
Perfect that one.

21:16.980 --> 21:18.030
Why do we need to do that?

21:18.960 --> 21:19.770
Control traffic.

21:19.770 --> 21:20.050
Right.

21:20.100 --> 21:22.350
I actually want to protect my data.

21:23.640 --> 21:25.290
My data that will be sent across.

21:25.290 --> 21:27.090
I want to protect that, not the control.

21:27.630 --> 21:28.350
Control is okay.

21:28.380 --> 21:28.710
It's just.

21:32.180 --> 21:32.760
Can I do that?

21:33.480 --> 21:33.730
Yeah.

21:34.160 --> 21:34.510
Yeah.

21:34.520 --> 21:38.240
Then you'll do encryption for everything from any to any.

21:38.390 --> 21:39.440
Anything going out.

21:39.440 --> 21:40.190
Anything coming up.

21:40.220 --> 21:40.580
Should be.

21:40.610 --> 21:41.210
Should be in.

21:41.810 --> 21:44.030
Yeah, it's safer, but more overhead.

21:46.100 --> 21:49.520
Also more because you'll see five seconds, a lot of packets going through.

21:49.640 --> 21:52.040
Every five seconds packets will be going out.

21:53.660 --> 21:54.980
This is more efficient.

21:56.210 --> 21:56.280
Good.

21:56.330 --> 21:56.810
Back to you.

21:56.810 --> 21:56.980
Back.

21:57.650 --> 21:58.850
This will be pushed down.

21:58.850 --> 22:07.340
The thing about your group is that when it's pushed down, it's not pushed down as an IPsec transform

22:07.340 --> 22:07.550
set.

22:07.580 --> 22:12.650
It'll be pushed down as a profile, just like you apply a profile to a tunnel.

22:14.000 --> 22:14.840
Same thing here.

22:14.840 --> 22:17.690
When you're pushing it down, you push it down as what?

22:18.170 --> 22:18.920
As a profile.

22:20.870 --> 22:22.340
Push it down as a profile.

22:22.340 --> 22:24.110
So you need to configure it as a profile.

22:24.110 --> 22:25.910
You say same thing.

22:26.510 --> 22:31.920
Crypto IPsec Profile, high profile set.

22:36.240 --> 22:37.170
What is coming in.

22:37.170 --> 22:37.680
Access list.

22:38.710 --> 22:40.080
Fail open and fail close.

22:40.680 --> 22:41.380
What is that?

22:46.990 --> 22:57.130
You can configure it any access here and get the same inbound and outbound same which we are going to

22:57.130 --> 22:57.550
do.

22:57.580 --> 23:00.940
There's something known as receive-only. Receive-only.

23:01.090 --> 23:07.240
When you apply that to a device, you will only receive; it will only decrypt the traffic.

23:07.570 --> 23:12.220
It will not encrypt for the amount of time that you apply to all of them.

23:12.640 --> 23:17.770
Then at one single time you will change it to both ways.

23:21.060 --> 23:22.140
To open.

23:22.140 --> 23:23.520
I have not heard of those terms.

23:23.730 --> 23:25.110
Let's let's have a look at it.

23:26.280 --> 23:26.730
Of what?

23:26.730 --> 23:31.110
The terms which I have heard of are receive-only, inbound and outbound, fail-open.

23:32.130 --> 23:32.880
No, it's okay.

23:33.060 --> 23:34.080
We have the Cisco Docs.

23:34.080 --> 23:34.450
Right?

23:34.500 --> 23:34.980
Fail open.

23:34.980 --> 23:35.220
Fail.

23:35.220 --> 23:38.760
Close, access.

23:49.500 --> 23:49.840
Yeah.

24:07.030 --> 24:11.500
Since the failed close function can also be investigated in the traffic passing through, the group

24:11.500 --> 24:16.090
members will be sent in clear text until registered with the KS.

24:16.390 --> 24:21.340
This is because the crypto ACL is configured on the KS and will get information only after registration

24:21.340 --> 24:22.180
is successful.

24:23.410 --> 24:28.570
If the fail-close feature is configured, all the traffic passing through the GM will be dropped until the

24:28.570 --> 24:30.280
GM is registered successfully.

24:33.100 --> 24:38.120
So basically the GM will not be able to communicate as long as he doesn't register himself.

24:38.140 --> 24:39.880
Right now, they are communicating, right?

24:40.960 --> 24:44.830
Right now, the group members are communicating even though they have not registered themselves to the

24:44.830 --> 24:45.460
key server.

24:46.150 --> 24:52.000
But what you could do is you could change it and keep it as a fail-close mode, where they will not be

24:52.000 --> 24:55.060
able to communicate as long as they don't come up and register.

24:55.390 --> 24:58.060
We'll have a look at it later in advanced features.

25:00.020 --> 25:03.470
No, GM is group member.

25:03.500 --> 25:05.240
KS is key server.

25:06.650 --> 25:10.010
There's only two things key server and group members.

25:12.450 --> 25:16.240
So coming back to the ACLs, I've configured my ACLs.

25:16.260 --> 25:18.500
I've configured my profile.

25:18.510 --> 25:20.210
I need to paste it.

25:20.240 --> 25:20.490
So.

25:25.750 --> 25:29.440
It says it doesn't exist and copy it from here.

25:33.520 --> 25:35.080
So run section.

25:41.320 --> 25:42.730
Ah, this is good.

25:42.940 --> 25:44.080
Transform set is fine.

25:44.140 --> 25:44.680
TSET.

25:45.060 --> 25:47.920
I am setting transform set as TSET.

25:48.100 --> 25:48.460
Correct.

25:48.970 --> 25:50.230
What do I need to do now?

25:51.250 --> 25:52.330
I need to apply it.

25:53.290 --> 25:57.130
I need to configure it in something known as a get group.

25:59.540 --> 26:05.840
That group and that group will be pushed down to people who register.

26:06.410 --> 26:15.470
How do you create it? So-called crypto gdoi group, and you call this group something. GDOI is the protocol,

26:17.180 --> 26:18.950
just like ISAKMP is the protocol.

26:20.030 --> 26:24.820
GDOI is also a protocol, but it's nothing but an extension of ISAKMP.

26:27.170 --> 26:29.030
It is an extension of ISAKMP.

26:29.180 --> 26:34.520
When the group members come and register, I'll show you how it is an extension of ISAKMP.

26:35.000 --> 26:36.140
It works.

26:36.170 --> 26:44.450
It works on UDP port number 500. GDOI works on UDP port number 848. 848.

26:54.700 --> 26:57.640
UDP 848.

26:59.470 --> 26:59.770
Yeah.

27:00.130 --> 27:01.900
NAT? Doesn't have NAT.

27:01.930 --> 27:02.770
Private networks.

27:04.360 --> 27:05.620
Private private communication.

27:06.730 --> 27:07.450
That would go back.

27:07.480 --> 27:07.750
Yeah.

27:07.780 --> 27:08.770
To 4500.

27:09.100 --> 27:10.870
That works the same for NAT.

27:10.900 --> 27:11.680
Works the same for all.

27:15.790 --> 27:16.480
Good enough.

27:17.840 --> 27:19.030
Crypto gdoi group.

27:19.030 --> 27:20.080
Call the group anything.

27:20.080 --> 27:21.310
The name is local.

27:21.340 --> 27:23.560
The name does not make a difference.

27:23.560 --> 27:25.420
But yes, production.

27:25.420 --> 27:26.890
You will try to keep the name.

27:26.890 --> 27:30.640
Same on all the group members as well as the key servers.

27:30.940 --> 27:35.140
So let's say this is for my IT department, so I'll call it group IT.

27:37.030 --> 27:38.290
The name doesn't matter.

27:38.290 --> 27:39.370
Let me just change it.

27:41.350 --> 27:42.310
I'll call it IT.

27:42.640 --> 27:43.570
It's.

27:45.760 --> 27:50.650
IT on the server, just to make sure you understand that the group name doesn't have to be the same.

27:51.790 --> 27:52.930
What has to be the same?

27:52.930 --> 27:55.990
What has to match is identity number.

27:58.880 --> 28:02.030
Just exactly like your network ID.

28:02.420 --> 28:04.160
Exactly like your.

28:04.790 --> 28:06.200
Autonomous system number.

28:06.740 --> 28:09.650
Identity number should match on all of them.

28:09.650 --> 28:15.170
And this is how they see if they belong to the same group or not based on your identity number.

28:16.010 --> 28:21.410
Now, this number could be anything between 0 to 2 1 million, just like your loopback.

28:21.440 --> 28:23.000
You can choose anything that you want.

28:23.960 --> 28:25.190
Let's choose 150.

28:26.390 --> 28:27.290
A random number.

28:30.600 --> 28:31.110
Okay.

28:32.580 --> 28:34.620
Simple stuff until now, right?

28:34.950 --> 28:38.700
We added a group and assigned it an identity number.

28:39.240 --> 28:42.570
What else I could do is I have certain other features here.

28:42.600 --> 28:46.800
The only one option that you have available to you is you need to configure the server.

28:48.630 --> 28:53.070
Now, depending upon who's the server, who's the server right now, R1 is the server.

28:53.070 --> 28:55.380
So when I use the server command, what do I specify?

29:00.100 --> 29:02.140
The server is local.

29:02.650 --> 29:05.230
Once you do server local, you'll have to configure it.

29:05.500 --> 29:08.010
If it was some other guy, you wouldn't have to configure it.

29:08.380 --> 29:09.340
Server is this guy.

29:10.570 --> 29:12.430
But since here the server is local.

29:12.430 --> 29:19.240
When you click, when you press enter here, you will go into the sub-configuration
of the server.

29:23.680 --> 29:27.820
You're inside the server, right, guys?

29:29.530 --> 29:30.190
So.

29:35.880 --> 29:36.990
848 is.

29:39.420 --> 29:42.930
Right, then you need to configure the server.

29:42.930 --> 29:44.820
Now, there's a lot of things that you can do here.

29:45.240 --> 29:47.420
The most important one is the first one.

29:47.430 --> 29:48.570
Do not forget that

29:51.870 --> 29:52.710
address.

29:53.280 --> 29:57.330
You need to specify what address should people come up and register to me as.

29:59.550 --> 29:59.790
Yeah.

29:59.790 --> 30:05.820
Now if you have a loopback, if R1 had a loopback which was also routing, you could choose that also.

30:05.820 --> 30:06.920
But right now I don't.

30:06.930 --> 30:08.280
I'll use that in dual hub.

30:08.670 --> 30:10.950
Right now I'll just say 10.1.1.1.

30:15.420 --> 30:16.410
Physical address.

30:16.890 --> 30:17.450
This is.

30:17.460 --> 30:18.780
This is the physical address.

30:19.800 --> 30:22.620
10.1.1.1 is my address on my interface.

30:23.070 --> 30:27.360
This interface, that's what I'm using, right?

30:28.710 --> 30:32.570
So I specify the address of how people are going to come up and register to me.

30:32.610 --> 30:34.230
What else do I have right now?

30:34.260 --> 30:35.540
Don't need anything like that.

30:35.550 --> 30:36.210
Redundancy.

30:36.240 --> 30:37.650
No need registration.

30:37.650 --> 30:39.180
No need Rekeying.

30:39.180 --> 30:39.720
No need.

30:40.860 --> 30:41.460
The first.

30:41.940 --> 30:46.800
I'm talking about the most basic kind of VPN, which is much less secure.

30:47.730 --> 30:48.210
Right?

30:48.300 --> 30:53.640
Then we configure which security association should be pushed down.

30:54.150 --> 30:59.520
What should you push down if people come up to you, if they use your server's address, which is
10.1.1.1, if they have the same identity number as you, then everything matches.

31:04.590 --> 31:07.350
If it's matching, what should you push down to them?

31:07.560 --> 31:13.890
I say... then receive-only is right here.

31:13.890 --> 31:18.150
If I choose receive-only, then I'm only pushing down the receive-only part of it.

31:19.770 --> 31:22.320
The decryption part, not the encryption part.

31:22.350 --> 31:27.000
If you're using IPsec, you're putting it down, pushing down the complete inbound and outbound.

31:27.930 --> 31:31.080
If you're pushing down receive-only, you're only pushing down inbound.

31:31.110 --> 31:39.480
First, let's do the IPsec, then we'll see the receive-only part. And I have a different one for encrypting
and for decrypting? A different key for encryption and decryption, different for encrypting?

31:45.870 --> 31:51.420
You can't do that, because once the guy encrypts using 3DES, the other side should
decrypt also using 3DES.

31:52.740 --> 31:53.160
Right.

31:53.460 --> 31:54.900
You cannot encrypt using 3DES.

31:54.900 --> 31:58.770
The other side is decrypting using AES; the algorithms don't match.

31:58.980 --> 32:05.160
The only point of doing it is to stage them, to make sure that the connections don't go down.

32:05.760 --> 32:10.880
Because in a production environment, if you're supposed to deploy it, you know you don't have
downtime.

32:12.420 --> 32:16.900
You want to make sure you have as little as possible, so you deploy it for everybody first.

32:17.260 --> 32:23.350
Once it is already deployed in the receive-only direction, then you go to the server and change it to both.

32:23.470 --> 32:25.870
So it automatically goes to all of them and changes it to both.

32:26.440 --> 32:32.380
So whereas the Spy, whereas here you don't have to worry about that.

32:33.550 --> 32:35.890
We'll see when you can revert the tunnels.

32:35.890 --> 32:38.800
When you see the tunnels, you'll see how many tunnels will be created.

32:39.940 --> 32:40.240
Right.

32:40.300 --> 32:42.820
For right now I'm choosing ipsec 10.

32:42.850 --> 32:45.730
You have to, just like crypto maps have sequence numbers.

32:45.730 --> 32:46.090
Right?

32:46.660 --> 32:47.860
Ten, 20, 30, 40.

32:47.890 --> 32:51.850
Just choose any sequence number here and then specify.

32:54.100 --> 32:56.140
The profile that is supposed to be pushed down.

32:56.650 --> 33:02.290
What is the name of that profile and what else should we push down?

33:05.780 --> 33:08.030
Match address.

33:08.060 --> 33:08.920
IPv4.

33:08.930 --> 33:09.800
What is the number?

33:09.800 --> 33:10.250
10.

33:13.020 --> 33:13.250
No.

33:14.770 --> 33:15.340
Again

33:18.520 --> 33:19.780
after I do this.

33:20.380 --> 33:21.520
Step five would be what?

33:22.510 --> 33:27.460
crypto gdoi group, name it anything, call it IT.

33:27.490 --> 33:28.660
It is.

33:29.140 --> 33:30.940
The important part is the address.

33:31.270 --> 33:33.730
IPv4 is 10.1.1.1.

33:36.010 --> 33:47.110
Again, the most important part is identity number 150. Then we go to server local. Inside server local,

33:47.590 --> 33:51.880
I specify this should have been done here.

33:54.890 --> 33:55.610
The address is here.

33:57.140 --> 33:59.630
Then say ipsec.

34:00.200 --> 34:01.550
Then the sequence number.

34:02.060 --> 34:08.810
Profile is off and match address.

34:09.740 --> 34:12.110
ipv4 10.

34:14.000 --> 34:14.690
That's it.

34:15.920 --> 34:16.430
You're done.

34:16.550 --> 34:19.160
You don't need to apply it to an interface.

34:19.160 --> 34:19.580
You don't.

34:19.670 --> 34:20.870
You just need to keep it there.

34:20.900 --> 34:23.120
848 should be open, which it is.

34:23.150 --> 34:24.860
Now a request coming on UDP.

34:24.890 --> 34:28.490
848, you will reply to it when you have an IP.

34:28.730 --> 34:29.900
It's bidirectional.

34:30.470 --> 34:31.160
Is bidirectional.

34:31.220 --> 34:32.030
So it wouldn't work.

34:32.210 --> 34:36.020
It wouldn't work when somebody else is sending the traffic.

34:37.100 --> 34:37.310
It's.

34:39.160 --> 34:39.580
What do you mean?

34:39.910 --> 34:43.960
You said we need to apply the encryption for the first...

34:44.110 --> 34:44.580
Yes.

34:44.590 --> 34:45.180
No, for the.

34:45.180 --> 34:45.910
For the first case.

34:45.910 --> 34:46.990
I'll apply it both ways.

34:48.550 --> 34:51.720
Then we'll do it one way right now.

34:51.730 --> 34:55.150
Otherwise I'll have to use receive-only.

34:57.470 --> 35:04.280
As they only receive one and send it down? He said for the first time. I said in a production environment,
when we're doing it, we'll use receive-only.

35:06.410 --> 35:08.320
But here I want to show you the first tunnel.

35:08.330 --> 35:11.180
Come up first to make you understand the other concepts.

35:11.210 --> 35:15.020
Then we'll go back and see this concept of receive-only, how it works.

35:15.500 --> 35:19.220
Because right now you still have to see the key, how the key comes and registers, how the group members
come and register and those things.

35:22.810 --> 35:23.080
Okay.

35:24.250 --> 35:27.700
Is this clear of what I've done right?

35:27.730 --> 35:34.090
So now the only criteria that should match from the group side is they should have the same identity

35:34.120 --> 35:34.660
number.

35:34.990 --> 35:41.020
They should be pointing to the same server and their policies should match.

35:41.020 --> 35:41.620
That's it.

35:43.510 --> 35:45.310
And their policies match.

35:47.100 --> 35:48.540
Everything is okay.

35:51.870 --> 35:53.640
I can do this?

35:54.450 --> 35:55.020
Yes.

35:57.460 --> 35:57.670
One?

35:58.150 --> 35:58.420
Yes.

36:02.060 --> 36:12.560
I would think when football you that I will have to change the groups then I will get out on the group

36:12.560 --> 36:13.190
members.

36:14.550 --> 36:16.790
I will have to on the groups you can have.

36:16.820 --> 36:21.590
But that will be cumbersome because if you have, for example, 50 groups, you have to go to each of

36:21.590 --> 36:22.400
them to configure.

36:23.540 --> 36:29.180
If you just do receive-only from your key server, then it's easier because you send it to 50 members
altogether.

36:31.360 --> 36:31.550
Right.

36:31.610 --> 36:32.690
That will also work.

36:32.690 --> 36:36.830
But if you have a lot, a bigger design, then it'll be too much work.

36:36.980 --> 36:37.760
Yes.

36:38.230 --> 36:38.430
Yes.

36:38.870 --> 36:41.620
This way is much easier if you just do it from the key server side.

36:41.630 --> 36:43.820
But yes, we do use different groups.

36:45.050 --> 36:50.660
If you have the same key server managing two different domains, we have five routers here which
are a part of one company and five routers here which are a part of another company.

36:55.400 --> 36:59.210
I can have only one key server, but two different identity numbers.

36:59.390 --> 37:01.190
One identity number for this company.

37:01.290 --> 37:03.420
One identity number for the other company.

37:03.660 --> 37:08.040
So I'll have a separate set of policies here and a separate set of policies down here, and they will not be
able to communicate to each other, which is okay, because these are two separate
companies.

37:15.780 --> 37:19.310
Each server is each server can be.

37:19.320 --> 37:20.070
It depends.

37:20.100 --> 37:21.060
It depends on how you do it.

37:21.100 --> 37:25.830
Maybe two different branches of your same company, but you don't want to communicate to each other,

37:25.830 --> 37:27.420
but you want connectivity between them.

37:28.230 --> 37:30.570
So you want connectivity like that, right?

37:30.570 --> 37:31.590
But you are in the middle.

37:31.620 --> 37:33.450
The same key server handling two different.

37:36.010 --> 37:36.220
Yeah.

37:39.290 --> 37:40.700
Guys, we will do it for you.

37:42.620 --> 37:44.870
But key servers should be managed by you, right?

37:48.260 --> 37:49.420
To make.

37:51.670 --> 37:51.970
Yeah.

37:55.290 --> 37:59.280
The hosting, but I think Key server is your character.

37:59.760 --> 38:00.450
It's local.

38:00.450 --> 38:05.880
It should be locally on the company because if they have the key server, you lose the whole point of

38:05.880 --> 38:10.050
it because whoever has the key server has full information about the network.

38:10.710 --> 38:15.810
So you can go to the key server, take out the private keys and do a lot of stuff, right?

38:15.840 --> 38:17.940
Right now we have not gone to high security mode.

38:17.940 --> 38:19.110
This is low security mode.

38:20.460 --> 38:21.090
So there is a.

38:22.610 --> 38:23.780
It's not now.

38:23.780 --> 38:24.410
Not right now.

38:24.410 --> 38:24.740
Right now.

38:24.740 --> 38:27.530
I'm using a simple mode right now.

38:27.530 --> 38:28.160
It's symmetrical.

38:28.160 --> 38:28.400
Yeah.

38:29.030 --> 38:36.590
Tomorrow or on Monday, we'll see asymmetrical portion of VPN where we'll add more security on it using

38:36.620 --> 38:37.880
asymmetrical keys.

38:38.270 --> 38:40.130
So we'll have double encryption happening.

38:40.550 --> 38:42.770
The same key will be encrypted twice.

38:44.470 --> 38:48.030
She was not with the car with the key.

38:48.040 --> 38:50.290
So we'll see how that is done.

38:51.580 --> 38:52.360
It's very good.

38:54.190 --> 38:54.310
And.

38:55.670 --> 38:56.230
In the middle.

38:56.240 --> 38:56.600
Yes.

38:57.080 --> 38:58.340
I'll add another key.

39:00.440 --> 39:01.490
Not IPsec.

39:01.700 --> 39:07.370
You see the encryption key, where I'm using the session key, when I'm pushing down the session key.

39:07.400 --> 39:11.690
Right now it's not as secure because it's going through the edges.

39:11.690 --> 39:16.580
But if anyone has access to that session key, they'll have access to the whole VPN domain.

39:17.030 --> 39:20.840
So I want to have another key, not the data.

39:20.900 --> 39:26.960
For IPsec I'll use the same session key, but while the key server is sending it down, at that time I'll
use another key to encrypt it again so that no one can see it.

39:32.810 --> 39:37.340
The original key will be the same, but it'll be encrypted twice to protect it.

39:37.580 --> 39:39.230
We'll see that right.

39:39.230 --> 39:42.740
For now, let's bring it up from the group member side.

39:43.010 --> 39:44.540
The server side is set.

39:44.660 --> 39:45.770
Let's go to the group members.

39:45.770 --> 39:47.360
What do I need on the group members?

39:47.900 --> 39:52.100
First step, do I need my policies?

39:52.640 --> 39:54.920
Why do I need my policies?

39:54.920 --> 39:58.790
Because I need to create the tunnel with the right.

39:59.570 --> 40:01.400
I need my ISAKMP policies.

40:01.430 --> 40:04.950
What else do I need money for?

40:06.590 --> 40:14.030
crypto isakmp key cisco address... is what?

40:16.690 --> 40:18.500
It's 10.1.1.1.

40:18.930 --> 40:20.070
This is the concept.

40:21.030 --> 40:25.170
It's not zero because they will only be creating it with whom they serve.

40:27.580 --> 40:29.290
The keys will only be exchanged with the.

40:29.590 --> 40:30.850
So then what do I need?

40:30.880 --> 40:32.110
Do I need a transform set?

40:32.410 --> 40:34.510
No, I don't need a transform set.

40:35.500 --> 40:39.070
Do I need an ACL? It will be pushed down to me.

40:40.090 --> 40:41.020
What do I need then?

40:43.360 --> 40:46.780
Dynamic is the only multipoint VPN multipoint IP.

40:46.780 --> 40:49.540
So everything?

40:49.540 --> 40:49.840
Yeah.

40:51.680 --> 40:56.900
Yes, everything will be pushed down to the profile, but I need to form that group.

40:56.900 --> 40:57.580
Where will be?

40:57.590 --> 40:58.670
Will it be pushed down?

40:59.240 --> 41:05.510
It will be pushed down to crypto gdoi group IT.

41:06.620 --> 41:07.790
The name does not matter.

41:11.240 --> 41:17.510
The only thing that matters is the identity number, 150, which should match.

41:20.760 --> 41:21.870
Let me show you that part.

41:24.360 --> 41:26.610
So let's go to R2, for example.

41:29.970 --> 41:34.800
Paste it here, then server, because my server...

41:36.210 --> 41:43.140
It's not local. It's not local; the server has an address, which is ipv4 10.1.1.1.

41:44.490 --> 41:46.980
That is exactly why you need reachability to the server.

41:48.090 --> 41:49.560
Do I need to configure the server?

41:49.590 --> 41:52.160
No, I just need to point to him.

41:52.170 --> 41:53.330
Identity number is done.

41:53.340 --> 41:55.080
My work here is done.

41:58.070 --> 41:58.910
My work here is.

41:59.840 --> 42:02.210
But you notice that it has not registered itself yet.

42:03.110 --> 42:03.740
Why?

42:05.240 --> 42:07.130
I need to apply it to an interface.

42:07.910 --> 42:10.070
I need to apply this group to an interface.

42:10.400 --> 42:13.860
Once I apply it to that interface, it will go and register itself.

42:13.880 --> 42:16.250
Now, group cannot be directly applied to an interface.

42:16.250 --> 42:18.320
It can only be applied through a crypto map.

42:20.360 --> 42:21.820
It can only be applied through crypto map.

42:21.830 --> 42:29.090
So I'll say crypto map imap 10, of which type? Not ipsec-isakmp.
It's gdoi.

42:35.180 --> 42:36.530
And what is the group name?

42:39.770 --> 42:40.100
IT.

42:40.810 --> 42:41.120
IT.

42:47.650 --> 42:48.490
Let me do this again.

42:52.210 --> 42:53.650
The first nine packets in everything.

42:54.130 --> 42:55.090
Not nine packets.

42:55.120 --> 43:00.030
Now, this is a completely separate protocol, although it has the same policies.

43:00.070 --> 43:01.530
It will not have those nine packets.

43:01.540 --> 43:02.620
That's why it's called GDOI.
It's not ISAKMP.

43:04.420 --> 43:06.130
It's not running on UDP 500.

43:07.360 --> 43:09.580
It's a separate protocol, but it's an extension.

43:10.240 --> 43:15.820
When I say extension, I mean to say it still uses the same policy, still uses the same key, but in a
slightly different way.

43:18.000 --> 43:18.580
And why did we.

43:20.600 --> 43:22.100
By extension.

43:22.100 --> 43:22.630
That's what I'm saying.

43:22.640 --> 43:23.340
Extension.

43:23.360 --> 43:27.200
Of ISAKMP, where we use the same parameters.

43:27.200 --> 43:29.120
But the way it exchanges them is different.

43:30.440 --> 43:34.250
There's an exchange that we're saying, no, not nine.

43:35.840 --> 43:36.890
We'll see the exchange.

43:37.550 --> 43:37.970
Right?

43:38.540 --> 43:39.410
Crypto map.

43:39.590 --> 43:42.800
Since I need to apply it to the interface, I'll call it imap 10.

43:42.830 --> 43:44.570
It is not ipsec-isakmp.
It's gdoi. Set group.

43:49.370 --> 43:50.330
What is the name of the group?

43:50.370 --> 43:50.630
IT.

43:53.860 --> 43:55.860
I'll go to the interface serial 0/0.

43:55.990 --> 43:56.920
The outside interface.

43:56.920 --> 43:59.710
Because I want encryption to be done on the outside interface.

44:01.340 --> 44:02.330
As a crypto map.

44:03.890 --> 44:05.120
Now see what's going to happen.

44:05.120 --> 44:13.640
The moment I apply this map to the interface, the crypto map is going to be called. In the crypto map, what
do I call?

44:16.340 --> 44:17.510
It's going to go to the group.

44:18.590 --> 44:25.850
On the group, it says identity number is 150 and your server address ipv4 is 10.1.1.1.

44:26.390 --> 44:30.050
The moment it sees that it's going to try to create a session.

44:30.050 --> 44:30.500
With whom?

44:32.510 --> 44:35.000
What session is a session?

44:35.120 --> 44:38.210
The first tunnel, the control session.

44:38.600 --> 44:43.400
And when it goes there, first of all, to create that session, he requires the same set of policies.

44:44.060 --> 44:45.920
So the policy should match.

44:46.400 --> 44:48.350
It requires the key, the pre-shared key.

44:48.350 --> 44:49.460
The key should match.

44:50.630 --> 44:59.720
Once all of that matches, it goes about and tells him, listen, my identity number is 150 and policies
are matching. My identity
number is 150 and I'm pointing to 10.1.1.1.

45:05.010 --> 45:06.630
What is the server going to do?

45:07.380 --> 45:14.540
The server will check its group, see that the identity number and the server address also match.
So he pushes down the policies, the access list and the key, and says, listen,
these are the three parameters which you will need, and R1 gives it to R2.

45:26.910 --> 45:27.660
R2 will use it.

45:27.660 --> 45:31.440
Then he has the ACL, he has the key.

45:31.980 --> 45:33.840
He knows what mechanisms to use.

45:33.870 --> 45:34.770
It's finished.

45:35.610 --> 45:36.870
That's all you will have to do.

45:37.260 --> 45:38.880
Let's try and see if this is working.

45:42.930 --> 45:59.160
Start registration to 10.1.1.1. Registration to 10.1.1.1 is complete for group IT using the address of 192.168.26.2. Why 26.2? Because I applied the map to

46:00.810 --> 46:11.280
I'm doing so the packet that was created when it went to create the tunnel was 190 2.1 68 dot 20 6.2

46:11.280 --> 46:12.030
going to.

46:15.650 --> 46:16.460
Using UDP

46:19.340 --> 46:20.870
848 to 848.

46:25.750 --> 46:27.490
You can have a look at it too, if you want to.

46:28.640 --> 46:31.990
The number and identity number are encrypted.

46:32.140 --> 46:33.340
This is your exchange.

46:37.110 --> 46:37.740
Fun facts.

46:40.640 --> 46:41.530
Is your exchange.

46:41.570 --> 46:48.440
The first four packets look identical, policies, because the two packets look the same.

46:48.440 --> 46:48.770
Right?

46:50.600 --> 46:56.210
After that, the policy is being sent down, the IPsec profile.

46:56.210 --> 47:02.870
So it's not like your traditional IPsec. In traditional crypto map IPsec, IPsec is negotiated using quick
mode. Here
it won't be negotiated.

47:05.450 --> 47:11.150
The negotiations only last until the fourth packet, then you get the policy going down.

47:11.300 --> 47:11.780
Going down.

47:12.410 --> 47:13.670
Why did I apply going down?

47:13.670 --> 47:16.490
Because I want encryption to happen when traffic is leaving from here.

47:17.170 --> 47:19.520
Now how is R1 to communicate?

47:19.880 --> 47:20.840
It doesn't communicate.

47:20.850 --> 47:21.980
It just sends the packet.

47:22.280 --> 47:25.850
It just sends the packet from this interface to this interface.

47:28.130 --> 47:28.940
Routing is done.

47:30.620 --> 47:31.490
Routing is set right.

47:31.520 --> 47:33.080
R1 knows this network.

47:35.480 --> 47:38.450
R1 has the network,
fine.

47:45.210 --> 47:48.510
Yeah, that would be a problem if there was no routing if they were on the same network.

47:48.550 --> 47:49.140
R1 knows.
R1 knows the network in his table.
If you check your IPsec, if you check your routing table, R1 knows 26, not directly, through 3.

48:05.460 --> 48:05.730
Right.

48:06.540 --> 48:11.460
It knows all of these networks so it can send packet to any interface R1 wants.

48:11.460 --> 48:15.270
You can send it to this interface, this interface, this interface, this this.

48:15.270 --> 48:17.250
Any one which you choose, it should be able to send.

48:17.550 --> 48:19.470
This would be a problem on an ASA.

48:20.610 --> 48:22.950
An ASA doesn't let packets come in like that.

48:23.730 --> 48:26.220
So a packet coming to the ASA's outside interface,
going back out, is not allowed.

48:28.500 --> 48:29.130
It's stuck.

48:32.310 --> 48:34.110
ASA doesn't let return traffic come in.

48:35.840 --> 48:39.330
Yes, they will not let it come back again.

48:39.450 --> 48:46.650
Return traffic is not allowed on the ASA for security purposes, but here it's fine.

48:46.650 --> 48:47.640
You can come in like that.

48:49.650 --> 48:49.890
Right?

48:50.880 --> 48:53.070
The policies will be applied to this interface now.

48:56.150 --> 48:57.690
You look at it?

48:58.170 --> 48:58.530
Yeah.

48:58.800 --> 49:01.710
That has no see, that has no correlation to anything.

49:01.710 --> 49:04.590
When you apply to the interface, the packet will look like this.

49:04.680 --> 49:05.620
It will not be encrypted.

49:05.640 --> 49:06.900
This is not IPsec packets.

49:07.710 --> 49:09.230
This is UDP packets.

49:09.240 --> 49:13.050
192.168.26.2 going to...

49:16.530 --> 49:17.520
Will this not go?

49:19.500 --> 49:20.670
It's UDP 848.

49:20.730 --> 49:22.770
That's exactly how the packet looks.

49:25.500 --> 49:26.580
That's supposed to go from the.

49:28.290 --> 49:28.620
Why?

49:29.530 --> 49:30.910
Queen consort Frederick.

49:31.540 --> 49:32.720
Yeah, but the crypto map.

49:32.740 --> 49:33.960
Where do you apply the crypto map?

49:33.970 --> 49:34.720
That is the question.

49:35.200 --> 49:36.490
You apply my crypto map here.

49:38.380 --> 49:44.560
If you don't apply it, then how do you form that negotiation, between whom, you see?

49:44.560 --> 49:49.660
Wherever you apply the crypto map, that interface will go and register itself. Wherever you apply the
crypto map, you have to see where you apply it.

49:52.990 --> 49:55.300
I will apply it here because I want encryption to happen.

49:55.300 --> 49:57.040
When this guy wants to go out.

49:57.370 --> 49:58.180
I cannot do it here.

49:58.180 --> 49:58.570
Right?

49:59.020 --> 50:00.400
Do not apply the crypto map here.

50:02.290 --> 50:04.750
Then how does how to exchange policy?

50:05.890 --> 50:11.950
It is also R2's interface. 26.2 is also R2's interface, isn't it?

50:12.130 --> 50:12.520
Yeah.

50:13.090 --> 50:13.900
R2's interface.
So R2's other interface is going.

50:15.490 --> 50:17.140
It is still communicating to R2.

50:17.590 --> 50:23.830
When the guy replies, he is replying to this interface, but this interface belongs to whom it still

50:23.830 --> 50:24.670
belongs to R2.

50:26.720 --> 50:32.990
The thing is, because of the crypto, see, for example here, when you apply the crypto map here, he goes
and registers using which interface?

50:35.240 --> 50:35.990
No, that's correct.

50:36.710 --> 50:37.400
Exactly.

50:37.400 --> 50:38.690
I mean that's that's the rule.

50:39.740 --> 50:46.590
Whichever interface you apply the crypto map to, that interface will go and register itself with
the key server. In other words, whichever interface you apply the crypto map to.

50:50.480 --> 50:53.480
It doesn't have to find it; you're not applying it globally.

50:55.220 --> 50:57.200
In GET VPN, you're not applying it globally.

50:57.200 --> 51:00.590
If you have applied it globally, then it will check in his routing table, whichever is the closest

51:00.590 --> 51:00.920
one.

51:00.960 --> 51:03.500
So you're statically binding the crypto map here.

51:03.680 --> 51:06.350
You're telling him this is the only part of GET VPN.
This interface should participate in GET VPN.

51:10.220 --> 51:11.000
Not this.

51:11.720 --> 51:13.160
It has nothing to do with GET VPN.

51:14.810 --> 51:15.470
Do you understand?

51:17.700 --> 51:23.640
How does R2 have to establish this second channel with IT?

51:23.660 --> 51:23.930
Yeah.

51:24.830 --> 51:29.390
If I apply the download now because routing is done.

51:30.080 --> 51:33.950
This is see this is which interface 26 dot.

51:34.040 --> 51:35.210
It is a downward interface.

51:35.210 --> 51:35.660
Yes.

51:35.660 --> 51:37.520
But interface still belongs to whom?

51:39.440 --> 51:44.930
When he pushes down his policies, when he pushes down his policies, his policies are meant for which
interface? The serial. He doesn't want to push down
for 10.2, because when 10.2 goes to 10.3, which interface
will it go down from? This interface.

51:56.240 --> 52:02.690
Whichever interface you are applying the crypto map on, remember when you apply a crypto map somewhere,
then interesting traffic matters; when your interesting traffic hits that interface, encryption starts
to happen.

52:10.930 --> 52:11.080
Right?

52:11.510 --> 52:17.210
That's why I need to apply it here, because the access list that will be pushed
down should be applied to this interface, so that when the interesting traffic hits this interface,
it will be encrypted.

52:26.930 --> 52:29.240
It will go and register with this interface only.

52:29.720 --> 52:35.620
The thing about GET VPN is your full routing is done, so you don't have to worry about that one.

52:35.690 --> 52:38.240
As long as that one has the route to this network, it will go and register.

52:40.720 --> 52:41.800
Right now.

52:41.800 --> 52:45.460
The question is, right now, will R2 be able to communicate to anybody else?

52:48.880 --> 52:51.950
10.3.3.3 with the source of 10.2.2.2.

52:53.950 --> 52:55.540
Communication of R2 is lost.

52:56.800 --> 53:00.850
It's not able to communicate to everybody else.

53:01.450 --> 53:04.630
To R1 it can, because it's not protected.

53:06.980 --> 53:09.650
If I use the source and try to go anywhere,

53:12.890 --> 53:15.830
I will be able to because that won't be encrypted.

53:16.580 --> 53:19.160
Yes, whatever you pushed down.

53:19.160 --> 53:24.380
But now your internal networks, because these in real life would be your internal networks, all of

53:24.380 --> 53:26.750
them will lose connectivity to everybody else.

53:28.860 --> 53:29.990
Which you are not supposed to do.

53:31.110 --> 53:31.210
Right.

53:32.070 --> 53:34.530
Let's go ahead and register R3.

53:41.180 --> 53:41.600
Okay.

53:43.930 --> 53:44.950
Them to fall back on.

53:45.910 --> 53:46.690
You can do that.

53:46.960 --> 53:47.620
You can do that.

53:47.620 --> 53:49.750
But again, on the second cloud also.

53:49.920 --> 53:52.090
They should be running on both of them.

53:54.280 --> 53:56.920
You're doing load balancing between this and the cloud.

53:57.310 --> 54:00.880
You have two links and you're doing load balancing between the clouds.

54:01.060 --> 54:09.490
So are you using it as two separate links, two different IP addresses, but the same ISP, but two
different IP addresses on two different links, two different IPs? At that time

54:14.320 --> 54:15.580
You will have to apply it on both.

54:16.930 --> 54:17.440
On both?

54:18.940 --> 54:19.960
Yes, you can.

54:20.000 --> 54:20.560
You can.

54:20.590 --> 54:25.900
Two different interfaces will attach themselves and register themselves separately because it's interface

54:25.900 --> 54:26.290
based.

54:27.220 --> 54:30.530
But if it's the same IP, then you just need to apply it

54:33.920 --> 54:35.690
as a multi link.

54:35.740 --> 54:35.950
What?

54:38.320 --> 54:40.750
Only one if you're bundling it.

54:40.960 --> 54:45.080
If you're bundling links together, then you just apply it to the bundle, not separately.

54:45.100 --> 54:45.580
Yes.

54:45.610 --> 54:47.050
Not individual links.

54:51.470 --> 54:51.630
--.

54:52.560 --> 54:52.910
Yeah.

54:54.160 --> 54:55.100
It doesn't make any sense.

54:55.460 --> 54:59.810
See, it's a layer three thing; a crypto map is a layer three thing.

54:59.810 --> 55:03.320
So when you're applying it on an interface, you're applying it on layer three.

55:03.320 --> 55:09.230
So if whichever thing has whatever has an IP address, whatever thing, whatever physical interface,

55:09.230 --> 55:13.820
you can supply an IP address, even if it's a virtual interface, but you're giving it an IP address.

55:13.850 --> 55:19.980
If it can be given an IP address, the map can be applied to that one IP; it will go and register

55:19.980 --> 55:22.480
it as one IP, right?

55:24.340 --> 55:27.570
Back in between here you have a port channel.

55:27.580 --> 55:28.510
No, no problems.

55:28.510 --> 55:29.740
The port channel has one IP.

55:30.670 --> 55:32.860
It'll go through that based on the IP.

55:34.390 --> 55:34.900
Okay.

55:35.080 --> 55:38.550
Now I'll go and register R3.

55:38.590 --> 55:39.550
What do I need to do?

55:39.580 --> 55:41.200
What do I need to change on R3?

55:42.070 --> 55:43.390
Do I need to change this?

55:43.780 --> 55:44.740
This.

55:46.080 --> 55:47.010
This?

55:48.360 --> 55:48.870
Nothing.

55:49.620 --> 55:50.940
I don't need to change anything.

55:52.020 --> 55:53.070
The same characters.

55:53.460 --> 55:55.350
You could change the group name if you want to.

55:55.350 --> 55:56.070
Group number one.

55:56.070 --> 55:56.700
Group number two.

55:56.700 --> 55:57.420
Group number three.

55:57.420 --> 55:59.220
But really, no need to.

55:59.700 --> 56:00.870
Let's copy this.

56:01.980 --> 56:02.910
Go to all of them.

56:04.660 --> 56:11.070
R2 is already registered; R3 is starting.

56:13.170 --> 56:15.210
No, we have not talked about ESP yet.

56:18.180 --> 56:20.700
In fact, it's the first package.

56:20.700 --> 56:21.870
Yes, those were 848.

56:21.900 --> 56:23.070
Now, I have the key.

56:23.070 --> 56:24.980
But I want you to understand this.

56:24.990 --> 56:27.360
Check your first IPsec SA on R2.

56:27.360 --> 56:29.400
I created it about five minutes ago.

56:29.760 --> 56:35.400
So show crypto ipsec sa: going from 10.0 to 10.0 will be encrypted.

56:35.790 --> 56:36.960
Origin is ACL.

56:36.990 --> 56:39.920
You have endpoints, right?

56:39.930 --> 56:40.650
Remote endpoints.

56:40.650 --> 56:43.020
You don't have any remote endpoint because it can be anything.

56:43.020 --> 56:44.070
It's a multi point tunnel.

56:44.460 --> 56:47.850
Local endpoint will be 192.168.26.2.

56:47.880 --> 56:48.990
But check this out.

56:49.110 --> 56:50.280
What is the key?

56:52.020 --> 56:54.780
What is the key length lifetime left?

56:55.110 --> 56:56.370
2950.

56:56.490 --> 57:01.500
If you go to the other one, show crypto ipsec sa, and you use your show crypto ipsec sa.

57:02.040 --> 57:06.360
Although it was just created, this was just created, right?

57:07.560 --> 57:09.300
The key is 2900.

57:10.350 --> 57:12.930
Yes, same key.

57:14.400 --> 57:20.470
The thing is we have to understand the same key that was pushed down five minutes ago to R2.

57:20.500 --> 57:21.820
It has been pushed down.

57:21.820 --> 57:24.670
To me, the key has not changed.

57:25.630 --> 57:34.180
So now if you go register R4, although the time, eventually the timer should be, if you

57:34.180 --> 57:35.980
register a new key, right.

57:36.010 --> 57:38.380
The timer should be what, 3600 seconds.

57:39.250 --> 57:50.590
But if you check show crypto ipsec sa, it's also the same key, the same key on all of them.

57:50.590 --> 57:54.940
So R5 also registered. This only shows you what?

57:58.360 --> 58:00.940
Show you that all of them now have the same key.

58:00.970 --> 58:04.330
This is the only IPsec multipoint VPN out there.

58:05.350 --> 58:09.070
When I say IPsec MultiPoint, they're not creating a gap between them.

58:10.360 --> 58:13.150
They're not even creating the second tunnel between them.

58:14.110 --> 58:18.040
The second tunnel is being dictated by the key server.

58:19.990 --> 58:23.860
Key server tells the group numbers Listen from here to here, encrypt from here to here.

58:23.860 --> 58:25.150
Encrypt all of them.

58:25.420 --> 58:32.440
Right now, if you check 10.3.3.3 going to 10.4.4.4, we will encrypt:

58:33.070 --> 58:36.430
show crypto ipsec sa | section encaps.

58:38.370 --> 58:41.430
Encryption is taking place even if I go to 10.

58:44.560 --> 58:45.220
What does that say?

58:47.420 --> 58:49.650
What they say is already there.

58:50.670 --> 58:51.820
The Keyserver is there.

58:51.840 --> 58:52.950
All of them have the key.

58:52.980 --> 58:53.820
Same key.

59:00.900 --> 59:02.170
No, no, no, no.

59:03.030 --> 59:03.720
Directly.

59:04.230 --> 59:07.710
Whenever I send a packet to from 10.2 to 10.3, What?

59:07.710 --> 59:09.150
The traffic will come here.

59:09.330 --> 59:12.090
It'll get encrypted using the key.

59:12.120 --> 59:12.490
Right.

59:13.080 --> 59:14.010
Get encrypted.

59:14.040 --> 59:16.940
It will have a public header, not a public header.

59:16.950 --> 59:22.020
The outside header which will guide it to 10.3 for 10.3 to decrypt it requires the key.

59:22.050 --> 59:22.740
Does it have the key?

59:22.770 --> 59:23.490
Yes, it has the key.

59:23.520 --> 59:25.590
It will decrypt it to receive the.

59:30.610 --> 59:34.450
IPsec tunnels between R2, R3, R4.

59:37.690 --> 59:39.520
It's going on ESP.

59:39.880 --> 59:47.410
It uses the same ESP. If you want to verify, the second tunnel is exactly the same.

59:49.910 --> 59:52.490
The second tunnel is exactly as it is.

59:52.790 --> 59:54.170
No problems with that.

59:58.600 --> 59:59.260
Check this out.

59:59.380 --> 1:00:01.540
This is going clear text.

1:00:06.990 --> 1:00:07.650
This is what?

1:00:09.490 --> 1:00:09.970
Yes, people.

1:00:12.780 --> 1:00:13.470
Think about it.

1:00:15.660 --> 1:00:17.160
Can you put it in transport?

1:00:20.910 --> 1:00:24.660
So think about how the encryption is taking place.

1:00:27.810 --> 1:00:29.310
From, let's say, R3 to R5.

1:00:30.090 --> 1:00:36.030
Your traffic, when you're pinging from 10.3.3.3 going to.

1:00:40.180 --> 1:00:42.300
What do you protect it using?

1:00:46.120 --> 1:00:48.040
What is the outside header that you use?

1:00:50.340 --> 1:00:52.410
192, or do you just use.

1:00:55.080 --> 1:00:55.340
Another.

1:00:58.200 --> 1:00:59.670
You don't need to use the private IP.

1:00:59.920 --> 1:01:02.550
The 192 we can use.

1:01:03.570 --> 1:01:05.040
You can use the transport.

1:01:06.720 --> 1:01:07.920
Do you understand why?

1:01:08.340 --> 1:01:09.150
Because.

1:01:09.150 --> 1:01:10.950
Why do I not need the outside IP?

1:01:11.070 --> 1:01:13.080
Because the routing is already done for me.

1:01:15.410 --> 1:01:17.500
Get VPN routing is already done.

1:01:17.510 --> 1:01:22.970
Earlier, I needed the outside IP because I couldn't route through the internet, so I needed the public

1:01:22.970 --> 1:01:25.760
IP to take me across the internet here.

1:01:26.210 --> 1:01:29.210
The inside and the outside headers are the same.

1:01:31.770 --> 1:01:32.070
Inside.

1:01:32.370 --> 1:01:33.650
You can see that in Wireshark.

1:01:33.660 --> 1:01:37.110
Also, when you open Wireshark, you see that your ESP packets.

1:01:37.800 --> 1:01:44.700
So for a normal side to side, if I use a routing protocol instead of the default routing everything,

1:01:45.180 --> 1:01:46.830
can I still use the transport?

1:01:47.490 --> 1:01:52.980
If you use routing; you cannot use a routing protocol then, because you are on the internet.

1:01:53.370 --> 1:01:56.610
How do you run routing on the internet? For the lab.

1:01:57.240 --> 1:01:59.460
For the lab, you can use the transport.

1:02:00.760 --> 1:02:05.650
If you are running routing already, you could do that here.

1:02:05.700 --> 1:02:07.650
See you check what this is.

1:02:09.120 --> 1:02:10.380
What is your question again?

1:02:10.950 --> 1:02:15.390
Like you have a site to site a normal a normal site to site VPN.

1:02:15.810 --> 1:02:16.410
Yes.

1:02:16.500 --> 1:02:20.430
We use the static default routing to encrypt to the one.

1:02:20.470 --> 1:02:20.850
Yes.

1:02:20.850 --> 1:02:21.360
Yes.

1:02:21.390 --> 1:02:22.680
We use a routing protocol there.

1:02:23.130 --> 1:02:24.150
Can I use the transport?

1:02:24.330 --> 1:02:26.910
So you have to understand that it all depends on your set peer here.

1:02:28.050 --> 1:02:29.160
What is your set peer here?

1:02:30.090 --> 1:02:31.570
Because that will be your outside header.

1:02:32.770 --> 1:02:33.510
That is the outside.

1:02:33.520 --> 1:02:40.890
If it is the same as inside, you can't. If you use the set peer as the loopback, you can, right.

1:02:40.900 --> 1:02:44.320
As long as you have reachability to the loopback, you can say set peer as the loopback.

1:02:45.770 --> 1:02:48.570
Then, if you have reachability. In real life you wouldn't.

1:02:48.580 --> 1:02:49.990
But you want to do it on the lab, right?

1:02:50.530 --> 1:02:55.470
You will run routing; after routing you will have reachability, so you can set the peer as the loopback.

1:02:55.990 --> 1:02:57.250
So you'll go from shabtis.

1:02:57.910 --> 1:03:01.900
But practically, you don't use it site to site. Practically,

1:03:01.900 --> 1:03:02.620
You wouldn't use it.

1:03:03.430 --> 1:03:05.620
See what is the outside header?

1:03:05.920 --> 1:03:07.120
10.3 to 10 dot.

1:03:07.210 --> 1:03:10.360
It just copies the header from the inside and outside.

1:03:10.390 --> 1:03:12.550
It's very easy for this guy to encrypt it.

1:03:13.630 --> 1:03:18.340
Get VPN is the simplest one out there for the guy.

1:03:18.340 --> 1:03:24.520
Whoever is encrypting, for these routers, why? All he has to do is he gets an inside header, he has

1:03:24.520 --> 1:03:31.330
the key, he uses the key to encrypt it, copies the header on the outside and forwards it on.

1:03:31.330 --> 1:03:32.440
Routing is already done.

1:03:32.440 --> 1:03:34.030
Everything is already set.

1:03:34.300 --> 1:03:36.070
You want to use the transport mode.

1:03:36.100 --> 1:03:40.300
All you need to do is change it on the key server.

1:03:41.530 --> 1:03:50.850
I'll say crypto ipsec transform-set TSET esp-3des esp-sha-hmac.

1:03:51.390 --> 1:03:52.510
I'll say mode is.

1:03:53.320 --> 1:03:57.310
But yes, when you do that, you need to make sure that all of them re-register themselves.

1:03:57.520 --> 1:03:58.180
How do you do that?

1:03:58.180 --> 1:03:59.170
The command is clear

1:04:00.220 --> 1:04:01.300
crypto gdoi.

1:04:01.810 --> 1:04:02.650
Yes.

1:04:05.070 --> 1:04:05.790
Clear crypto.

1:04:20.530 --> 1:04:20.790
Right.

1:04:21.270 --> 1:04:22.170
So you.

1:04:27.730 --> 1:04:29.500
Now, if you check, they're already registered.

1:04:29.710 --> 1:04:32.110
I'll send the same thing again from R3 to R5.

1:04:35.360 --> 1:04:36.200
So my advice to.

1:04:38.440 --> 1:04:39.100
Yes.

1:04:40.540 --> 1:04:41.470
I said the same thing.

1:04:41.500 --> 1:04:43.510
The size was 156 before.

1:04:46.640 --> 1:04:47.630
Let's exercise now.

1:04:47.870 --> 1:04:48.590
It's still 150.

1:04:51.180 --> 1:05:00.030
Has it moved? show crypto ipsec sa: the mode is still tunnel. It has not moved.

1:05:00.510 --> 1:05:06.010
I need to, yes, I need to clear it from the group on the server also: gdoi.

1:05:08.970 --> 1:05:10.290
I need to clear it from the server.

1:05:14.350 --> 1:05:14.770
IPsec.

1:05:15.720 --> 1:05:15.990
I see.

1:05:16.070 --> 1:05:16.340
Campus.

1:05:17.610 --> 1:05:19.890
Where in where?

1:05:23.510 --> 1:05:23.770
Yeah.

1:05:23.830 --> 1:05:25.000
I will be here.

1:05:25.010 --> 1:05:27.470
I told you, it's an extension of the same thing.

1:05:27.470 --> 1:05:27.860
Right.

1:05:27.950 --> 1:05:28.590
If you check.

1:05:28.730 --> 1:05:30.190
But it will not be idle.

1:05:30.200 --> 1:05:31.760
We don't call it idle.

1:05:32.270 --> 1:05:32.660
It's called.

1:05:37.120 --> 1:05:38.440
It's not the same.

1:05:38.450 --> 1:05:39.920
The first control plane tunnel.

1:05:40.700 --> 1:05:41.810
It is the control plane tunnel.

1:05:41.810 --> 1:05:41.990
Right.

1:05:41.990 --> 1:05:43.320
The ten packet exchange.

1:05:43.340 --> 1:05:47.270
Since two different tunnels are being created, it is getting transferred.

1:05:47.450 --> 1:05:48.230
That is called.

1:05:48.230 --> 1:05:48.520
What?

1:05:51.110 --> 1:05:54.350
Not your normal escape tunnel is a tunnel.

1:05:55.370 --> 1:05:55.850
Right.

1:05:56.120 --> 1:05:57.120
Let's reregister again.

1:05:57.140 --> 1:05:57.770
R3.

1:06:11.580 --> 1:06:11.880
Right.

1:06:13.140 --> 1:06:18.630
So what do we see? Mode transport now.

1:06:20.890 --> 1:06:22.090
Now let's ping again.

1:06:25.680 --> 1:06:26.640
And check the size.

1:06:27.660 --> 1:06:33.750
The size is 140, which is which is not right.

1:06:35.640 --> 1:06:36.240
Right.

1:06:36.270 --> 1:06:39.720
We figured this out last time: it is 20, it's a four-byte IP.

1:06:39.960 --> 1:06:42.830
This IP header should be 20 bytes.

1:06:44.300 --> 1:06:45.630
Should be 20 bytes.

1:06:45.660 --> 1:06:46.890
20 bytes should have been required.

1:06:47.700 --> 1:06:48.510
But that's okay.

1:06:48.510 --> 1:06:53.850
I mean, you understand that transport mode is reducing the overhead in your packets?

1:06:55.260 --> 1:06:55.620
Correct.

1:06:57.840 --> 1:06:58.380
Any questions?

1:06:58.380 --> 1:06:59.070
Until now.

1:07:00.310 --> 1:07:03.270
So here is the protocol used for replicating.

1:07:03.780 --> 1:07:04.290
Yes.

1:07:04.670 --> 1:07:09.090
This is for replication policy to be replicating the policy.

1:07:09.270 --> 1:07:10.180
What do you mean by replicating?

1:07:11.130 --> 1:07:15.270
Pushing down the policy that is done by the group is the key.

1:07:15.810 --> 1:07:16.650
The whole protocol.

1:07:16.970 --> 1:07:18.210
See, it's a different protocol.

1:07:18.210 --> 1:07:22.080
It's not like I say, can I say you need to do everything on both sides?

1:07:22.350 --> 1:07:24.190
Here you do everything on the server?

1:07:26.590 --> 1:07:27.120
Yes.

1:07:27.630 --> 1:07:28.800
As a protocol does that.

1:07:30.240 --> 1:07:34.140
What happens between R1 and between R1 and R2?

1:07:34.170 --> 1:07:34.650
Yeah.

1:07:34.830 --> 1:07:35.910
Let's have a look at that.

1:07:37.530 --> 1:07:40.830
See between R1 and R2, let's say, when it's coming and registering itself.

1:07:40.830 --> 1:07:41.310
Right.

1:07:42.270 --> 1:07:51.060
R2 is the one who will send the request, and the request will be all ISAKMP policies, right?

1:07:51.600 --> 1:07:55.530
First packet. R1 will reply back with his policies.

1:07:56.410 --> 1:07:57.660
The set of policies.

1:07:57.660 --> 1:07:59.700
By the way, I forgot to show you this.

1:08:02.290 --> 1:08:09.970
The small issue with this is if you open it, you're not able to see anything from the first packet

1:08:09.970 --> 1:08:10.720
onwards.

1:08:11.020 --> 1:08:13.360
It's not just it was visible, right?

1:08:13.360 --> 1:08:19.960
Policies and all of those things; it is hard to send something because it's not applied to that.

1:08:20.980 --> 1:08:25.420
It is applied to which interface for you to send the policy.

1:08:25.420 --> 1:08:28.980
So it should be applied to the Ethernet interface of R2.

1:08:28.990 --> 1:08:29.200
Right?

1:08:29.650 --> 1:08:33.010
Not this interface; this interface doesn't go. This interface goes and registers itself.

1:08:35.490 --> 1:08:37.040
The other interface doesn't go and register.

1:08:37.620 --> 1:08:39.570
I'm telling you, it's not R2 as R2 going.

1:08:40.380 --> 1:08:41.820
You've applied it to this interface.

1:08:41.820 --> 1:08:42.990
So this interface is going.

1:08:45.210 --> 1:08:45.480
Right.

1:08:45.480 --> 1:08:48.720
So again, 192, 168 whatever, dot, whatever.

1:08:49.950 --> 1:08:58.680
If we check right now, who's going? 192.168.26.2 is going to 10.1.1.1. R2 is not going.

1:09:00.270 --> 1:09:00.620
Right.

1:09:00.630 --> 1:09:03.480
So when it goes up, what does it say?

1:09:03.480 --> 1:09:08.700
It says, I have these policies, I have this set of policies and we have a normal side to side between

1:09:09.240 --> 1:09:09.990
R1, R2.

1:09:10.470 --> 1:09:15.660
And can I apply this to some map so we can do another loopback crypto map.

1:09:15.700 --> 1:09:18.650
You apply it to the loopback; depending upon your set peer condition, it will go.

1:09:18.660 --> 1:09:19.380
Yes you can.

1:09:19.620 --> 1:09:20.650
It would still work.

1:09:20.670 --> 1:09:24.000
It doesn't have to, but that will be a problem because you'll be encrypting from this side.

1:09:24.000 --> 1:09:25.470
You will not be encrypting from this side.

1:09:25.950 --> 1:09:27.240
You will not be facing each other.

1:09:27.240 --> 1:09:27.650
Right.

1:09:28.110 --> 1:09:29.640
That's the same problem we have here.

1:09:29.850 --> 1:09:31.560
It's not encryption.

1:09:31.860 --> 1:09:33.600
See, the problem with that?

1:09:33.700 --> 1:09:36.310
The one which you are talking about is you have to.

1:09:36.310 --> 1:09:36.820
Right.

1:09:37.120 --> 1:09:39.400
You need to apply it here because encryption should be this way.

1:09:39.400 --> 1:09:40.630
Encryption should be this way.

1:09:41.350 --> 1:09:43.030
That's why you apply it on that side.

1:09:43.120 --> 1:09:44.740
You can apply it this way.

1:09:45.010 --> 1:09:48.490
The problem is you'll be encrypting from this side, encrypting from this side.

1:09:48.610 --> 1:09:49.960
We will decrypt this traffic.

1:09:51.760 --> 1:09:52.120
Here.

1:09:52.120 --> 1:09:59.530
The problem is that encryption should be this way, but your issue is on the opposite direction.

1:10:02.660 --> 1:10:06.590
And now, am I applying it anywhere on R1?

1:10:06.920 --> 1:10:11.330
Am I applying it to the interface on R1? I don't apply it anywhere on R1.

1:10:11.330 --> 1:10:16.100
I just keep UDP 848 open so that it responds to the request.

1:10:16.100 --> 1:10:17.690
I don't apply to any interface.

1:10:19.040 --> 1:10:19.850
And how does it work?

1:10:20.870 --> 1:10:22.790
It knows that the request should come to.

1:10:25.600 --> 1:10:31.420
If a request comes to 10.1.1.1 at port number 848, it will reply. I showed you the port.

1:10:31.420 --> 1:10:32.710
848 is open, right.

1:10:33.880 --> 1:10:40.060
So if a request comes to 848 destined to the address of 10.1.1.1, which you specified in the server address,

1:10:40.390 --> 1:10:41.380
it will reply.

1:10:44.430 --> 1:10:50.280
The moment you apply it on R3 or R4 or R5, they will send the request.

1:10:50.670 --> 1:10:52.110
Or should I send interesting traffic?

1:10:52.360 --> 1:10:53.550
No, no, you don't have to.

1:10:53.580 --> 1:10:58.710
The moment you apply the crypto map to an interface, it goes and registers itself to the KS.

1:10:59.460 --> 1:11:01.530
That is what it is doing right now.

1:11:02.160 --> 1:11:02.340
Right.

1:11:02.340 --> 1:11:05.370
So it goes with its policies, right?

1:11:05.370 --> 1:11:08.820
What does the server respond with this set of policies that he's choosing?

1:11:09.060 --> 1:11:11.040
So you can set 20 policies here.

1:11:11.040 --> 1:11:14.700
Out of that, only the server side will choose the one which has the highest priority.

1:11:15.030 --> 1:11:16.230
So we'll come back.

1:11:17.400 --> 1:11:19.860
Then the will be exchanged between the two.

1:11:20.580 --> 1:11:27.060
If it is the first guy, if it is the first device which is registering the session key that will be

1:11:27.060 --> 1:11:30.660
created will be used as the session key for everybody else.

1:11:32.160 --> 1:11:32.550
Yes.

1:11:32.820 --> 1:11:34.140
The first guy who registered.

1:11:34.530 --> 1:11:36.450
So they register themselves.

1:11:36.450 --> 1:11:40.800
They save the session key between R2 and R1.

1:11:41.700 --> 1:11:42.970
That's what I'm showing you.

1:11:43.390 --> 1:11:43.610
I see.

1:11:43.630 --> 1:11:45.540
ISAKMP, this is ISAKMP.

1:11:46.300 --> 1:11:48.820
Packet number three and four are exchanging right.

1:11:48.970 --> 1:11:51.160
At the end of the day, the keying material is saved.

1:11:51.160 --> 1:11:51.670
Where?

1:11:52.330 --> 1:11:58.570
On R1 and plus, it also saves a little bit of it because it needs to protect this tunnel first.

1:12:01.160 --> 1:12:04.070
And this to say protect this tunnel first.

1:12:04.400 --> 1:12:06.390
Remember, the key material is in different parts.

1:12:06.410 --> 1:12:08.520
One part is used to protect the tunnel.

1:12:08.540 --> 1:12:11.120
One part is used to protect the IPsec Tunnel.

1:12:12.800 --> 1:12:14.750
Those key sets are known as SKEYID.

1:12:15.140 --> 1:12:19.650
There are different names for that also, but not really important for you guys right now.

1:12:19.670 --> 1:12:21.800
What it's important is it protects that tunnel.

1:12:22.160 --> 1:12:27.260
Once that is protected, then the key server, then this client will go to this key server and tell

1:12:27.260 --> 1:12:30.080
him what my identity number is.

1:12:30.110 --> 1:12:33.500
150 Please give me everything that you have for 150.

1:12:34.280 --> 1:12:41.930
The server sees the identity number checks the IPsec, which corresponds to that identity number, pushes

1:12:41.930 --> 1:12:44.180
it down, pushes down.

1:12:44.180 --> 1:12:50.120
The ACL is basically pushing down the transform set and the ACL Back to whom?

1:12:50.450 --> 1:12:51.290
Back to what?

1:12:51.320 --> 1:12:51.920
Sorry.

1:12:51.920 --> 1:12:56.420
Before that happens, the Pre-shared key is also used in the fifth and the sixth packet.

1:12:56.450 --> 1:12:58.160
The Pre-shared key is also exchanged.

1:12:58.190 --> 1:13:04.850
Then earlier in the seventh, eighth, ninth packet, what used to happen quick mode instead of quick

1:13:04.850 --> 1:13:07.370
mode happening, I send the identity number.

1:13:08.690 --> 1:13:14.780
He sends me downward all the policies that are supposed to be sent down.

1:13:19.290 --> 1:13:22.290
R2 and R1, the first control traffic tunnel.

1:13:25.580 --> 1:13:25.940
Yeah,

1:13:29.550 --> 1:13:32.860
he was not participating in anything, just routing.

1:13:33.460 --> 1:13:35.920
So it wouldn't have, it will not have an SA.

1:13:36.430 --> 1:13:37.480
It is just routing.

1:13:38.290 --> 1:13:40.710
Just routing, right.

1:13:40.770 --> 1:13:46.660
The SA is, you have to understand, that your tunnel is complete between R2 and R1, but based on which interface?

1:13:47.490 --> 1:13:52.330
This interface. From the other end there is no problem, because the interface that is registering is

1:13:52.330 --> 1:13:57.430
also the one which is encrypting and it is also the one which is facing R1.

1:13:58.750 --> 1:14:00.340
So they will do the same thing.

1:14:01.570 --> 1:14:05.830
Pre-shared key after Pre-shared key instead of quick mode is easy mode.

1:14:06.070 --> 1:14:07.270
What do you mean by that?

1:14:07.300 --> 1:14:08.980
The policies will not be exchanged.

1:14:08.980 --> 1:14:09.790
It will be sent down.

1:14:10.660 --> 1:14:13.090
The only thing that will be exchanged is the identity number.

1:14:13.330 --> 1:14:17.650
I'll tell him the identity number exchanges won't know.

1:14:18.280 --> 1:14:20.680
It will be from packet number four onwards.

1:14:21.780 --> 1:14:23.320
It doesn't have any other side.

1:14:24.220 --> 1:14:25.520
It has an SA from this end.

1:14:25.520 --> 1:14:31.250
Right, encryption happens on which layer in ISAKMP? Layer seven.

1:14:31.640 --> 1:14:31.910
Okay.

1:14:32.390 --> 1:14:34.430
It doesn't happen on the on the IP header.

1:14:34.790 --> 1:14:39.470
The IP header will still be as it is UDP 848 will still be as it is.

1:14:40.250 --> 1:14:43.310
Encryption in ISAKMP happens where? In the actual data.

1:14:44.420 --> 1:14:53.090
So that has nothing to do with this which interface you're using, which they have.

1:14:53.570 --> 1:14:54.050
No, no.

1:14:54.050 --> 1:14:59.660
Every one hour. Now you'll see, I have to show you another command on the group members.

1:14:59.690 --> 1:15:01.440
It's known as show crypto gdoi.

1:15:03.990 --> 1:15:06.060
show crypto gdoi shows you everything.

1:15:06.060 --> 1:15:06.270
What?

1:15:06.270 --> 1:15:06.900
Everything.

1:15:06.900 --> 1:15:08.490
What was downloaded?

1:15:10.680 --> 1:15:11.730
Who is your group server?

1:15:13.170 --> 1:15:13.590
Right.

1:15:14.400 --> 1:15:15.270
How many keys?

1:15:15.300 --> 1:15:17.670
Three rekeys means the new keys you have received until now.

1:15:17.700 --> 1:15:20.700
The identity number is 150.

1:15:21.870 --> 1:15:25.050
Also, you're re-registering yourself in.

1:15:28.440 --> 1:15:29.130
Your key.

1:15:30.060 --> 1:15:30.630
The key.

1:15:30.660 --> 1:15:33.060
Time left is 2987.

1:15:33.450 --> 1:15:41.040
You are re-registering yourself in 2948, 5% less than the key expiry.

1:15:41.160 --> 1:15:46.800
So when you have 5% of the time left on the key to expire, the group members will go and register themselves

1:15:46.800 --> 1:15:51.660
again, get the new key and all of them will do this at the same time.

1:15:52.590 --> 1:15:53.640
That is the beauty of it.

1:15:55.270 --> 1:15:57.250
It keeps the advantage.

1:15:57.920 --> 1:15:58.680
Yes.

1:15:59.380 --> 1:16:05.680
On these seven noted that it would use what the key the key will get.

1:16:05.710 --> 1:16:10.340
See, the key has a lifetime of 3600 seconds the moment it receives the key.

1:16:10.360 --> 1:16:15.220
The timer keeps on going down right the moment the timer goes to.

1:16:15.250 --> 1:16:19.420
How much is the time difference between 2948 and 2987?

1:16:19.660 --> 1:16:24.940
That is 35, 36, 37, 38, 39 seconds.

1:16:25.030 --> 1:16:31.630
Right now it's 39 seconds before; 39 seconds before the key expires,

1:16:31.750 --> 1:16:39.270
it will go back, register itself again, get the new key of 3600, but it won't use it until it.

1:16:39.310 --> 1:16:39.820
No, no, no.

1:16:39.820 --> 1:16:45.400
It'll use it; it replaces the old one. It replaces the old one with the new one.

1:16:46.900 --> 1:16:55.480
This key that we are talking about right now, the session key in GET VPN, is known as TEK, traffic encryption

1:16:55.510 --> 1:16:55.810
key.

1:16:56.590 --> 1:17:00.980
Remember this term, traffic encryption key; you will need this.

1:17:03.690 --> 1:17:03.900
What?

1:17:04.260 --> 1:17:05.190
Traffic encryption.

1:17:07.140 --> 1:17:09.450
The IPsec key is known as TEK, traffic encryption key.

1:17:13.840 --> 1:17:14.140
Right.

1:17:14.410 --> 1:17:17.950
So all the group members will receive the key and they'll start working with it.

1:17:19.480 --> 1:17:21.990
The good thing is it's very easy on the group members.

1:17:22.000 --> 1:17:26.170
They don't need to do much: register, get the key and start encrypting; register, get the key and

1:17:26.170 --> 1:17:27.550
start encrypting.

1:17:29.540 --> 1:17:30.560
They don't think much.

1:17:32.060 --> 1:17:32.810
Good enough.

1:17:37.280 --> 1:17:41.030
Let's go through it.

1:17:41.930 --> 1:17:48.960
S sip server Local sip ten.

1:17:49.650 --> 1:17:50.070
No.

1:17:50.070 --> 1:17:50.430
Sorry.

1:17:59.430 --> 1:18:00.330
sa receive-only.

1:18:08.140 --> 1:18:10.120
Profile of match.

1:18:17.000 --> 1:18:18.360
Showed on section.

1:18:24.760 --> 1:18:26.230
The SA is receive-only.

1:18:27.370 --> 1:18:28.300
This is receive only.

1:18:28.300 --> 1:18:28.510
Right.

1:18:29.080 --> 1:18:30.150
Let me go back here.

1:18:30.160 --> 1:18:32.200
You'll see some other stuff here which you have not configured.

1:18:32.200 --> 1:18:33.190
These are default values.

1:18:33.190 --> 1:18:34.540
We'll talk about it tomorrow.

1:18:37.290 --> 1:18:37.500
Yeah.

1:18:38.880 --> 1:18:39.720
You should be pushed down.

1:18:39.720 --> 1:18:44.040
I have to specify what to push down, but when you're pushing it down, only apply it in one direction.

1:18:45.450 --> 1:18:45.850
Right?

1:18:46.770 --> 1:18:47.160
Clear?

1:18:50.940 --> 1:18:51.620
Yes.

1:18:52.440 --> 1:18:57.420
Go back to all the Scopes and group members, not the scopes.

1:18:59.400 --> 1:19:00.000
So register.

1:19:00.180 --> 1:19:03.330
Registration is complete, right?

1:19:03.360 --> 1:19:05.400
What I'll do is I'll go to the other ones.

1:19:08.370 --> 1:19:09.840
Interface 000.

1:19:09.840 --> 1:19:11.720
No crypto map imap.

1:19:11.730 --> 1:19:12.540
I'll remove the map.

1:19:17.220 --> 1:19:19.710
So R3 has no encryption happening.

1:19:20.160 --> 1:19:21.510
R2 is already registered.

1:19:26.270 --> 1:19:29.020
It is registered, right?

1:19:29.960 --> 1:19:30.980
R3 is not.

1:19:33.370 --> 1:19:34.310
No IPsec here.

1:19:35.900 --> 1:19:44.180
So if I go to R2, show crypto ipsec sa: direction is inbound.

1:19:44.870 --> 1:19:47.030
If I ping 10.3.3.3.

1:19:49.540 --> 1:19:53.380
I can ping. R3 is not encrypting.

1:19:53.380 --> 1:19:59.140
R3 has no key, but I can still go from here to the other side.

1:20:02.180 --> 1:20:03.830
So that's what you usually do.

1:20:03.920 --> 1:20:09.740
Now, if you see, when you're doing it, everybody has not registered themselves.

1:20:10.790 --> 1:20:12.140
They have not registered themselves.

1:20:12.290 --> 1:20:15.980
So when you register one, it will lose connectivity to the others.

1:20:16.070 --> 1:20:21.110
To stop that from happening, you use receive-only: only in the inbound direction.

1:20:21.110 --> 1:20:22.760
You'll apply get VPN to all of them.

1:20:24.680 --> 1:20:28.430
So when you apply it to this guy, he will still have connectivity to the others.

1:20:28.460 --> 1:20:30.590
We'll do it on all the group members one by one.

1:20:30.770 --> 1:20:38.450
Once everybody has got the key, you'll go back there, remove the receive-only, and register them again.

1:20:39.350 --> 1:20:42.380
All right, let's do that first.

1:20:42.380 --> 1:20:43.550
I'll clear it on all of them.

1:20:43.580 --> 1:20:44.660
So, clear crypto gdoi.

1:20:46.930 --> 1:20:54.640
On the interface serial 0/0, crypto map. And map R4.

1:20:56.610 --> 1:21:03.350
Clear crypto gdoi. show crypto gdoi: inbound only.

1:21:10.840 --> 1:21:17.030
Not only right now. When you have done it, when everybody is in the inbound-only direction, you go back

1:21:17.030 --> 1:21:26.630
to your server: crypto gdoi group, server local, sa receive-only.

1:21:26.810 --> 1:21:29.800
You just do no sa receive-only.

1:21:30.260 --> 1:21:32.450
Then go to this guy.

1:21:32.480 --> 1:21:35.600
Clear crypto ipsec. Sorry, clear crypto gdoi.

1:21:36.260 --> 1:21:41.530
The good thing about this is, when it registers itself again, it can still talk.

1:21:43.130 --> 1:21:43.530
Why?

1:21:43.580 --> 1:21:44.840
Because this side is encrypted.

1:21:44.840 --> 1:21:46.430
But the other side has inbound.

1:21:47.330 --> 1:21:49.210
That means he can decrypt.

1:21:52.520 --> 1:21:52.800
Right?

1:21:52.850 --> 1:21:53.900
This is for migration.

1:21:54.800 --> 1:22:00.800
So I am encrypting the other side can decrypt because it has the IPsec applied in the inbound direction.

1:22:00.800 --> 1:22:06.530
So I'm not losing connectivity for even for a very small amount of time.

1:22:06.710 --> 1:22:10.590
The only amount of time when it goes and registers itself, which is some seconds.

1:22:20.980 --> 1:22:22.300
Then register themselves again.

1:22:22.300 --> 1:22:24.820
And now your connectivity is still there.

1:22:27.790 --> 1:22:28.360
Is it clear?

1:22:30.340 --> 1:22:31.600
Get VPN with single hub.

1:22:32.200 --> 1:22:37.960
There is still a lot in here, but if this part is clear, again, you have a full weekend to practice

1:22:37.990 --> 1:22:39.100
your DMVPN and GET VPN.

1:22:40.060 --> 1:22:45.910
I would suggest you do that because next week is going to be how do I say this?

1:22:45.940 --> 1:22:49.810
You have easy VPN in there, you have a server in there and you have great VPN.

1:22:50.320 --> 1:22:52.960
So one of the most what do you call it?

1:22:54.430 --> 1:22:58.270
You have to do a lot of hard work next week.

1:22:58.390 --> 1:23:00.880
You have to work a lot for that.

1:23:00.880 --> 1:23:06.580
You have to again, I say this every time for this, you have to finish your whatever we have done until

1:23:06.580 --> 1:23:07.960
now on this weekend.

1:23:09.130 --> 1:23:12.340
I say this; out of ten, only two follow.

1:23:12.580 --> 1:23:13.990
And you see on Monday.

1:23:14.020 --> 1:23:15.250
Today how many people.

1:23:15.430 --> 1:23:15.790
12.

1:23:15.820 --> 1:23:16.240
Right.

1:23:16.270 --> 1:23:18.130
We'll go down to eight.

1:23:18.160 --> 1:23:19.940
I think it's just prediction.

1:23:20.210 --> 1:23:21.260
Not really sure.

1:23:22.960 --> 1:23:25.060
Yeah, earlier it was 21.

1:23:25.540 --> 1:23:28.060
Now it's down to 11.

1:23:28.510 --> 1:23:29.110
No, 12.

1:23:30.820 --> 1:23:31.600
You need to go back.

1:23:33.490 --> 1:23:33.690
So.
