WEBVTT

00:01.350 --> 00:01.920
Right.

00:03.140 --> 00:03.860
So.

00:04.960 --> 00:12.550
Our objective, the first objective obviously, is end-to-end connectivity, which, as you can see, is as

00:12.550 --> 00:13.630
per the diagram.

00:15.350 --> 00:20.720
If you go to any of the routers and you do a show ip route, you should be able to see all the networks

00:20.720 --> 00:21.350
in there.

00:23.260 --> 00:25.270
End-to-end connectivity.

00:25.390 --> 00:26.770
Private connectivity is there.

00:26.770 --> 00:29.080
So I can go to 10.1, which is me.

00:29.170 --> 00:31.090
I should be able to go to 2.2.

00:34.390 --> 00:35.590
Obviously the route is here.

00:35.590 --> 00:39.250
If the network is here, I can go to all of these networks.

00:39.520 --> 00:40.030
Right.

00:40.510 --> 00:43.530
The question is, it's going through the service provider.

00:43.540 --> 00:46.990
I need to make sure that the service provider does not sniff.

00:47.640 --> 00:49.430
On the packets that I'm sending through.

00:50.490 --> 00:51.540
What is the solution?

00:51.540 --> 00:53.970
How do I do it using GET VPN?

00:54.240 --> 00:54.720
Right.

00:54.720 --> 00:55.770
We did it last time.

00:55.770 --> 00:56.850
We'll do it again.

00:56.970 --> 01:02.240
And the extra thing that I'm going to do today is I'm going to make R7 a backup server.

01:04.290 --> 01:09.540
I'm going to keep a secondary server which will help the primary server and make sure if the primary

01:09.540 --> 01:12.450
goes down, it comes back and becomes the primary.

01:14.180 --> 01:16.640
Also, we're going to talk about the other type of key.

01:17.060 --> 01:19.000
Last time we only talked about the TEK.

01:19.220 --> 01:22.470
We're also going to talk about the new key, which is the KEK.

01:22.880 --> 01:23.990
And how does it work?

01:25.310 --> 01:25.880
Until now.

01:25.880 --> 01:28.310
How did you see the registrations taking place?

01:28.340 --> 01:31.910
We saw that the group members, which are these guys?

01:33.230 --> 01:34.100
Have a timer.

01:35.320 --> 01:36.190
Right, for the key.

01:36.220 --> 01:37.930
That's 3600 seconds.

01:38.230 --> 01:43.990
5% of the time, less than that, they would go and re-register themselves again and get the new key.

01:46.260 --> 01:49.140
They would go using their own same old protocol.

01:50.340 --> 01:53.540
They would just go up and re-register themselves.

01:53.550 --> 01:55.020
The server would give them a new key.

01:56.800 --> 02:02.710
Okay, let's let's configure it until that part and then let's see what we can add on that.

02:03.620 --> 02:04.640
Let's go to R1.

02:06.450 --> 02:08.190
Sorry, R1 is not the key server.

02:08.220 --> 02:09.090
R6 is.

02:11.250 --> 02:12.210
So what are the commands?

02:12.210 --> 02:13.920
First of all, isakmp policy.

02:15.540 --> 02:18.450
Encryption 3DES. The authentication pre-share.

02:21.050 --> 02:22.490
Hash MD5, group.

02:24.100 --> 02:25.360
The isakmp key.

02:26.790 --> 02:27.450
Address.

02:30.420 --> 02:34.150
But if you had to be more specific, you could specify an address.

02:35.300 --> 02:37.550
But that address would be Which address?

02:41.910 --> 02:43.560
R1 serial interface.

02:45.030 --> 02:50.070
The address, when you're specifying from R1, will not be the interface which is pointing to it now.

02:50.430 --> 02:52.560
It will be the interface where you apply the crypto map.

02:52.560 --> 02:53.880
That will be this part.

02:55.830 --> 02:59.970
Because the connection will be created from R6 to that interface.

03:00.210 --> 03:02.340
The one which is trying to create the encryption.

03:02.370 --> 03:04.710
The one which is trying to encrypt and decrypt the data.

03:05.110 --> 03:06.840
That'll be the source that will be used.

03:07.860 --> 03:09.510
Okay, We'll see this again later.

03:10.080 --> 03:11.280
Let's also.

03:12.950 --> 03:13.970
Grandma shark is.

03:17.760 --> 03:18.320
Keep it the.

03:19.410 --> 03:22.080
Now two steps down.

03:25.720 --> 03:26.830
What else did I need?

03:29.100 --> 03:30.510
Obviously the transform set.

03:36.360 --> 03:42.540
Crypto ipsec transform-set TSET esp-3des esp.

03:45.820 --> 03:50.310
I would need to because I need to push this down along with an ACL.

03:50.320 --> 03:55.390
So I'll say 10.0.0.0 going to 10.0.0.0.

03:57.850 --> 03:58.230
AP.

04:02.160 --> 04:03.690
Finally to push both of these down.

04:03.690 --> 04:06.140
I push it as a profile.

04:06.150 --> 04:08.760
I set transform.

04:08.760 --> 04:09.060
Set.

04:14.250 --> 04:16.080
So the profile is ready to be pushed down.

04:16.080 --> 04:17.730
The ACL is ready to be pushed down.

04:17.940 --> 04:20.370
I just need to form that group to push it down.

04:25.320 --> 04:26.040
So crypto.

04:30.880 --> 04:31.750
Call it anything.

04:31.750 --> 04:33.820
This is just local, right?

04:33.910 --> 04:36.490
Usually you would call the whole group the same thing.

04:36.610 --> 04:37.780
Most of the times.

04:37.780 --> 04:41.800
So I could say this is the IT department or the sales department.

04:43.670 --> 04:44.510
Sales seven.

04:46.030 --> 04:47.680
The important part is identity.

04:48.310 --> 04:51.430
Now you can also have identity address.

04:52.950 --> 04:53.580
Like before.

04:53.580 --> 04:55.470
So all should point to the same address.

04:55.470 --> 04:58.200
But usually most of the times you would not use that.

04:58.200 --> 05:01.230
You would always use a number which is 150.

05:01.470 --> 05:03.480
Then you need to specify the server.

05:03.510 --> 05:04.380
Is it local?

05:04.380 --> 05:05.400
Yes, it is.

05:05.640 --> 05:10.020
We'll go into the sub configuration mode where you can specify the parameters of the server.

05:10.020 --> 05:11.780
The most important is the address.

05:11.790 --> 05:14.280
Which address are people going to come in and register?

05:15.320 --> 05:15.580
Address.

05:17.180 --> 05:17.960
10.66.

05:17.960 --> 05:18.510
66.

05:18.510 --> 05:18.800
6.

05:20.970 --> 05:23.090
Also need to configure the last part, which is.

05:24.400 --> 05:28.180
Security Association, which will be pushed down to people who have the same identity number.

05:28.180 --> 05:30.080
So sa ipsec.

05:30.100 --> 05:31.870
Just a number ten.

05:32.050 --> 05:36.190
Then match address ipv4 101.

05:37.000 --> 05:38.590
Profile is called I.

05:42.390 --> 05:43.830
Need to push these two things down.

05:44.340 --> 05:44.990
That's it.

05:45.000 --> 05:45.720
On the server.

05:45.720 --> 05:46.860
I don't configure it.

05:46.860 --> 05:48.690
I don't put it on any interface.

05:48.690 --> 05:50.340
I just need to make sure that.

05:51.550 --> 05:52.660
848 is on.

05:54.560 --> 05:57.560
That it can respond to the requests coming into the port.

05:57.590 --> 05:58.940
UDP 848.

06:00.690 --> 06:01.050
Right.

06:01.110 --> 06:03.150
How do I create those requests?

06:03.300 --> 06:05.430
I'll go to R1, which is my first.

06:06.960 --> 06:07.380
My first.

06:07.380 --> 06:07.770
What?

06:07.800 --> 06:09.150
My first group member.

06:10.770 --> 06:12.510
This part is the same.

06:18.740 --> 06:19.160
Crypto.

06:19.170 --> 06:20.060
isakmp key.

06:21.430 --> 06:23.230
Cisco address is what?

06:24.910 --> 06:30.160
10.66.66.6, because that's where I'm going to create my UDP tunnel.

06:31.220 --> 06:34.880
Then crypto group again.

06:35.390 --> 06:36.290
Sales.

06:38.770 --> 06:41.050
Identity number should match 150.

06:41.500 --> 06:42.790
Server address.

06:42.820 --> 06:50.350
ipv4 10.66.66.6. Making sure, before you do this, that you have reachability to

06:51.860 --> 06:52.580
10.66.

06:52.580 --> 06:53.030
66.

06:54.610 --> 06:55.490
Before you go further.

06:55.510 --> 06:55.750
Right.

06:55.990 --> 06:59.590
Then because this is a group I need to apply to an interface.

06:59.590 --> 07:01.900
How do I apply it to an interface using a map?

07:01.900 --> 07:04.120
So I need to bind this to a crypto map.

07:04.120 --> 07:08.200
So I'll say crypto map IMAP, then this is of which kind.

07:12.150 --> 07:12.630
In here.

07:12.630 --> 07:13.620
I'll just call the group.

07:13.620 --> 07:14.190
Set group.

07:15.630 --> 07:16.440
I didn't know.

07:16.440 --> 07:17.090
What was it called?

07:17.100 --> 07:18.000
Sales.

07:20.080 --> 07:22.330
And then I apply this crypto map to the interface.

07:22.330 --> 07:25.450
So I'll say interface serial 0/0, crypto map.

07:28.730 --> 07:29.780
Start registration.

07:31.100 --> 07:32.360
Registration complete.

07:32.590 --> 07:33.040
Right.

07:33.050 --> 07:36.020
Show crypto gdoi will show me.

07:36.050 --> 07:37.850
What group am I a part of?

07:38.030 --> 07:40.280
What is the server that I'm registering to?

07:40.310 --> 07:41.570
What is the ACL?

07:41.600 --> 07:42.980
That was pushed down to me.

07:43.760 --> 07:44.000
Right.

07:44.240 --> 07:49.850
And your traffic encryption key is inbound and outbound.

07:49.880 --> 07:51.170
Your lifetime is right here.

07:52.550 --> 07:55.580
And your transform set. Anti-replay is disabled right now.

07:55.580 --> 07:57.170
I'll show you how to enable it later.

07:57.410 --> 08:04.280
Right now I will not be able to go from here, obviously, but from the source, then R1 cannot go.

08:04.310 --> 08:04.910
Why?

08:05.420 --> 08:08.150
Because I am encrypted on the other side.

08:08.660 --> 08:11.450
The other guy does not have the key to decrypt this.

08:13.740 --> 08:14.610
The best part.

08:16.240 --> 08:16.780
As you can see.

08:16.780 --> 08:17.560
Copy paste.

08:28.710 --> 08:29.730
You didn't do it on all three.

08:31.600 --> 08:32.770
You can also do it on Earth.

08:40.760 --> 08:42.740
Did I not apply it to the interface?

08:44.450 --> 08:45.590
Oh, I did not.

08:45.780 --> 08:47.060
I need to do that in the face.

08:47.090 --> 08:49.560
Serial 0/0, crypto map IMAP.

08:55.590 --> 08:55.740
Get.

08:58.250 --> 08:58.520
So.

09:09.070 --> 09:09.340
Again.

09:09.340 --> 09:11.590
Interface serial 0/0, crypto map.

09:28.100 --> 09:28.310
Done.

09:29.420 --> 09:31.610
So the registration is complete for all of them.

09:31.610 --> 09:32.420
Show crypto.

09:35.080 --> 09:35.480
GDOI.

09:37.160 --> 09:37.980
Nothing to verify.

09:38.000 --> 09:39.500
I'll send things to all of them.

09:42.310 --> 09:43.510
Communicate to R4.

09:44.470 --> 09:46.300
I can communicate to R3.

09:47.430 --> 09:48.960
I can also communicate to.

09:52.070 --> 09:53.300
This is what we did last time.

09:53.570 --> 09:58.100
Show crypto ipsec sa.

09:58.800 --> 10:00.270
Same tunnel, right?

10:00.270 --> 10:00.990
One tunnel.

10:01.050 --> 10:01.650
Doesn't matter.

10:01.650 --> 10:02.640
Where am I going?

10:02.820 --> 10:08.130
As long as I have the source and destination as 10.0, I will be encrypting that.

10:08.130 --> 10:12.900
And if the packet is coming with the source of ten and coming to ten, I'll be decrypting that.

10:13.940 --> 10:14.150
Right.

10:14.150 --> 10:16.790
So all that information is where the piece.

10:18.780 --> 10:19.650
Going from ten.

10:19.650 --> 10:21.310
Coming to ten does not matter.

10:21.330 --> 10:22.980
I'll encrypt or decrypt that part.

10:23.220 --> 10:27.010
Now the good thing about this is, show crypto gdoi.

10:27.570 --> 10:33.330
Also one thing to note from last time we saw that this key will be the same on all of them.

10:35.000 --> 10:36.710
So you'll see the timers will match.

10:38.920 --> 10:44.410
This was 27; milliseconds later this became 13, and even on the first guy.

10:45.040 --> 10:49.630
Show crypto, you'll see that the key should always be almost around the same.

10:50.620 --> 10:51.400
It is the same.

10:51.580 --> 10:53.470
This is the time it takes for me to shift.

10:55.510 --> 10:55.750
Mate.

10:57.390 --> 10:59.760
So same key on all of them.

11:00.960 --> 11:03.450
A quick recap of how the process takes place.

11:06.520 --> 11:07.240
Is.

11:09.250 --> 11:11.620
I have the server here.

11:12.540 --> 11:13.920
And I have the clients.

11:16.060 --> 11:20.970
The client goes up and registers to him using all the policies and everything.

11:20.980 --> 11:25.360
Instead of the quick mode, though, you have something else here where everything

11:25.360 --> 11:26.530
is pushed down from the server.

11:27.130 --> 11:30.340
So in quick mode there are negotiations happening for the transform set.

11:30.520 --> 11:34.060
Here there is no negotiation, no ACL, right?

11:34.060 --> 11:38.440
All of this will be pushed down from there, from the server to the client.

11:38.830 --> 11:40.240
It will be installed on the client.

11:41.750 --> 11:43.130
Based on the identity number.

11:43.580 --> 11:46.130
The identity number should match the moment.

11:46.130 --> 11:46.910
It gives you that.

11:46.910 --> 11:49.730
After that, it's supposed to push down a key.

11:50.090 --> 11:54.200
Now, that key is the key that is negotiated between the first and the second peer.

11:54.710 --> 11:59.150
So once the first guy registers itself, the server has something known as.

12:00.500 --> 12:03.500
The TEK, traffic encryption key.

12:03.600 --> 12:05.090
Now, it's not just one small key.

12:05.090 --> 12:06.170
It's a big chunk.

12:06.560 --> 12:10.670
Out of that, he keeps on taking small chunks every 3600.

12:11.570 --> 12:11.990
Seconds.

12:12.520 --> 12:14.320
This management of keys is done.

12:14.320 --> 12:14.800
By whom?

12:14.800 --> 12:15.430
The server.

12:15.820 --> 12:19.120
The clients don't know anything about anything.

12:20.300 --> 12:22.730
The client just creates an ISAKMP tunnel with the server.

12:22.760 --> 12:24.260
The server pushes down the key to the.

12:25.940 --> 12:28.970
Now for the first case, he'll give out this chunk.

12:29.790 --> 12:30.400
So R1.

12:31.050 --> 12:35.310
Then what happens is whatever traffic is coming from R1 cannot reach anywhere else.

12:35.310 --> 12:35.510
Why?

12:35.550 --> 12:42.690
Because it will be encrypted and the other ones, the other edges, are not partners, are not group members

12:42.690 --> 12:44.730
yet, so they're not able to receive that packet.

12:45.570 --> 12:46.710
What did I do to do that?

12:46.710 --> 12:47.760
I went to R2.

12:48.700 --> 12:50.200
I registered R2 again.

12:51.990 --> 12:53.490
I registered R2 again.

12:53.490 --> 12:58.740
So what happened was the server gave out the same key which it gave out to R1, and gave out the same key

12:58.740 --> 12:59.250
to.

13:05.270 --> 13:08.300
At the end of which R1 and R2 have the same key.

13:08.330 --> 13:09.650
Symmetrical key.

13:09.680 --> 13:10.400
Same key.

13:10.430 --> 13:11.390
Remember this?

13:13.510 --> 13:16.150
It does do the DH, but to protect the ISAKMP.

13:19.040 --> 13:20.840
To protect because he's going to send him the key.

13:20.870 --> 13:21.320
Right.

13:21.770 --> 13:23.480
The key server is going to send him the key.

13:24.550 --> 13:26.290
He sends, yeah, after the first packet.

13:26.440 --> 13:27.610
It sends him the key.

13:29.430 --> 13:29.950
Colonize.

13:31.060 --> 13:32.970
Just you noise.

13:34.010 --> 13:38.380
It is a part of ISAKMP because it works on the same principle, policies.

13:40.430 --> 13:46.750
Because if you still do show crypto isakmp sa, it shows you GDOI, but it's still ISAKMP.

13:48.190 --> 13:48.430
Okay.

13:49.590 --> 13:50.520
Any questions?

13:54.100 --> 13:55.360
The which one?

13:56.530 --> 14:01.630
Now, see, the first time when you negotiate between these two, they negotiate.

14:01.930 --> 14:02.350
Right.

14:03.570 --> 14:04.410
The DH protects.

14:04.440 --> 14:06.450
The DH has, I told you, three variations.

14:07.790 --> 14:10.040
The first one is used to protect the first tunnel.

14:11.090 --> 14:11.480
ISAKMP.

14:14.170 --> 14:16.030
The second one is used to protect the quick mode.

14:17.320 --> 14:18.380
After the ISAKMP.

14:19.730 --> 14:21.920
The third variation is used for your actual session.

14:30.080 --> 14:31.070
The DH has many.

14:31.100 --> 14:33.220
It's not one, only one key.

14:33.230 --> 14:33.560
It's.

14:33.560 --> 14:36.560
I told you, keying material, right, out of that.

14:37.160 --> 14:37.610
Yeah.

14:37.640 --> 14:38.110
These are behind.

14:38.210 --> 14:38.810
These are behind.

14:38.840 --> 14:42.920
What happens is, these are known as sets of keys.

14:42.920 --> 14:47.440
These are called, I think, one is called A, one is called D, one is called E.

14:47.930 --> 14:50.720
The set of keys used to protect the ISAKMP.

14:51.020 --> 14:53.360
Part D is used to protect something like that.

14:53.640 --> 14:57.560
I might have missed the words here, but it's somewhere around the same part.

14:57.890 --> 14:59.090
Set of keys.

15:00.010 --> 15:00.280
Right.

15:00.280 --> 15:02.410
So we will protect the simulator.

15:02.530 --> 15:05.440
The same thing happens when your ISAKMP takes place.

15:05.440 --> 15:06.190
Between whom?

15:06.400 --> 15:08.440
Between R6 and R1.

15:08.440 --> 15:14.080
So when they are negotiating, the first part will be used to protect the ISAKMP tunnel for the exchanges.

15:14.080 --> 15:14.560
Right.

15:14.680 --> 15:15.400
Pre-shared key.

15:15.400 --> 15:17.260
And all those things are also protected.

15:18.600 --> 15:24.450
Also, once they negotiate on that, this third part of the key, the one which will be used as the

15:24.450 --> 15:27.840
session key, your traffic encryption key is generated.

15:27.840 --> 15:28.350
Right.

15:29.310 --> 15:30.760
Is generated on R6.

15:30.780 --> 15:32.250
The first guy receives it.

15:32.840 --> 15:36.190
The first guy uses the same, but because it's GDOI.

15:36.410 --> 15:41.030
So the way it works is R6 dictates that this is the key which you're using.

15:42.190 --> 15:43.770
The whole mechanism.

15:43.780 --> 15:45.130
The exchange is protected.

15:45.130 --> 15:45.760
By whom?

15:46.090 --> 15:46.450
The.

15:48.280 --> 15:50.260
A different variation of the same DH.

15:50.560 --> 15:53.860
Now, once he gets it, what happens with the second guy?

15:55.810 --> 15:58.090
When I create the tunnel with, for example, R3.

15:58.120 --> 15:58.990
What happens then?

16:00.840 --> 16:02.280
It has its own variation of.

16:03.830 --> 16:09.040
But this, the one which they negotiate between themselves, will not be used for anything else.

16:09.050 --> 16:10.970
Rather than protecting only this tunnel.

16:14.400 --> 16:15.900
This DH will protect this tunnel.

16:16.220 --> 16:20.430
The tunnel through which your key will be sent.

16:20.640 --> 16:22.080
This key is which one?

16:23.720 --> 16:26.030
The one which was negotiated with the first guy.

16:26.150 --> 16:27.950
The session key with the first guy.

16:29.850 --> 16:30.560
Yes.

16:30.570 --> 16:34.230
Session key and the TEK, traffic encryption key, are the same.

16:35.410 --> 16:40.840
So through this, the DH between them will only be used to protect this exchange.

16:41.420 --> 16:45.800
But the TEK that will be used, the one which was negotiated with the first peer.

16:47.640 --> 16:47.970
Big.

16:49.120 --> 16:49.960
They'll be pushed down.

16:52.460 --> 16:54.230
But this is quite dangerous.

16:54.740 --> 16:56.650
This is considered to be quite dangerous.

16:56.660 --> 16:56.840
Why?

16:56.870 --> 17:03.530
Because when your ISAKMP is protecting the tunnel, it's only protecting the tunnel at layer seven, it's

17:03.530 --> 17:07.130
doing a little bit of encryption on layer seven, so you cannot see inside the packet.

17:07.340 --> 17:10.510
It's not like IPsec, which protects you from layer three onwards.

17:12.740 --> 17:13.400
It is safe.

17:13.400 --> 17:19.940
I'm not saying it's not safe, but still, I mean, layer seven protection, it's not as good as layer

17:19.940 --> 17:20.510
three protection.

17:22.350 --> 17:22.650
Okay.

17:23.460 --> 17:26.520
So for that, what have we done?

17:26.550 --> 17:30.120
GET VPN has a different variation, we call it.

17:30.860 --> 17:32.220
KE

17:32.390 --> 17:32.690
K.

17:38.080 --> 17:39.580
It's still in only layer

17:43.820 --> 17:44.090
Seven.

17:47.810 --> 17:47.980
He.

17:48.350 --> 17:50.030
The encrypted part is which one?

17:51.020 --> 17:52.280
I might have an exchange here.

18:04.500 --> 18:05.920
See, this is your VPN, right?

18:08.880 --> 18:10.440
Layer four is visible to you.

18:10.740 --> 18:11.490
Layer three is.

18:11.490 --> 18:12.420
Visible to you.

18:13.260 --> 18:15.320
Layer two, layer one is visible to you.

18:15.330 --> 18:16.740
But if you go to layer seven.

18:17.920 --> 18:18.670
What do you see?

18:19.240 --> 18:19.990
Encryption.

18:24.210 --> 18:24.540
ESP.

18:25.070 --> 18:25.550
Yeah.

18:25.580 --> 18:27.860
ESP from here onwards, you don't see anything.

18:27.860 --> 18:29.360
It's not visible to you.

18:29.900 --> 18:35.750
In ISAKMP, until layer seven you can see, then you can open the packet at layer seven.

18:35.750 --> 18:38.180
But inside there you won't be able to see because it's encrypted.

18:38.210 --> 18:40.040
The data in layer seven is encrypted.

18:42.390 --> 18:42.630
Okay.

18:42.750 --> 18:43.650
This part.

18:47.790 --> 18:55.800
So that's why what we have done is, there's another protocol in the same variation of GET VPN.

18:57.030 --> 19:01.170
There you push down another key known as the key encryption key.

19:02.440 --> 19:03.910
Now, this is a little different.

19:04.950 --> 19:06.150
Than your normal process.

19:06.150 --> 19:06.750
Why?

19:06.780 --> 19:14.010
Because now what we'll do is we'll generate a pair of asymmetrical RSA keys.

19:15.710 --> 19:18.680
Of at least 1024 bits.

19:20.470 --> 19:23.950
Now you all know how important asymmetrical keying is.

19:24.340 --> 19:25.270
It's secure.

19:26.340 --> 19:33.270
I showed you last time that video of how difficult it is to break 2048-bit keys. 1024 is still very, very,

19:33.270 --> 19:36.240
very good in terms of encryption.

19:36.780 --> 19:41.730
So what they have done, they said, okay, since this exchange is a little different, difficult.

19:42.950 --> 19:43.190
Right.

19:43.190 --> 19:45.350
You're pushing down through the ISAKMP.

19:46.000 --> 19:47.350
Using the material.

19:47.350 --> 19:51.640
And anyone can just, you know, because it's layer seven, anyone can just spy on it.

19:52.630 --> 19:55.000
Although it hasn't been, but it's a little dangerous.

19:55.360 --> 19:57.160
So what they've done is they said, okay.

19:58.270 --> 20:03.270
While the first is exchanging between R6 and R1, the first the first time it's happening.

20:04.900 --> 20:10.630
When he's sending down the symmetrical key, he will not, it will not send down the.

20:12.480 --> 20:14.250
The TEK will not be sent out.

20:16.090 --> 20:18.010
Instead of that.

20:18.570 --> 20:23.520
What he's going to do is he's going to send down first of all, he's going to create a set of private

20:23.520 --> 20:24.630
and public keys.

20:27.360 --> 20:27.960
Private.

20:28.920 --> 20:29.760
And public.

20:31.610 --> 20:34.370
So a set of private and public keys is going to be generated.

20:34.370 --> 20:34.610
Where?

20:34.620 --> 20:36.470
On R6.

20:37.630 --> 20:42.880
When the exchange is being done through the first tunnel, it's going to send down.

20:42.880 --> 20:43.300
What?

20:45.630 --> 20:46.410
The public key.

20:47.450 --> 20:47.680
Throughout.

20:52.660 --> 20:53.920
Now R1 has the public.

20:53.950 --> 20:56.100
It does not have the traffic encryption key.

20:56.140 --> 20:57.370
It has the public key.

20:57.400 --> 20:59.860
This public key will not be used for encryption at all.

21:00.010 --> 21:01.540
This is your KEK.

21:01.620 --> 21:02.100
Key.

21:02.520 --> 21:03.160
KEK.

21:05.760 --> 21:07.020
This is your key encryption.

21:09.700 --> 21:09.970
Okay.

21:11.440 --> 21:13.240
What do you think this will be used for?

21:16.840 --> 21:18.580
Decrypting, encrypting the packets.

21:22.460 --> 21:23.090
Exactly.

21:24.190 --> 21:25.580
I do need to send the TEK.

21:27.180 --> 21:30.480
I still do need to send because the actual encryption decryption will be done.

21:30.480 --> 21:30.900
With what?

21:31.890 --> 21:33.540
But now be careful here.

21:34.140 --> 21:35.940
When I'm sending down the TEK.

21:37.930 --> 21:38.770
I will encrypt it.

21:38.770 --> 21:39.580
Using what?

21:41.180 --> 21:41.960
The private key.

21:45.780 --> 21:47.310
I will encrypt as a separate.

21:47.340 --> 21:48.780
Now, this is going to be a separate tunnel.

21:51.080 --> 21:53.540
This is known as KEK.

21:53.690 --> 21:56.060
This time a separate tunnel will be created.

22:01.970 --> 22:02.630
Through this tunnel.

22:03.770 --> 22:05.750
I will encrypt it using the private key.

22:05.780 --> 22:07.370
It will go to the other side.

22:09.020 --> 22:11.060
Will I be able to decrypt this?

22:11.720 --> 22:12.800
He has the public key.

22:12.830 --> 22:15.200
He will decrypt it to get the same black material.

22:20.260 --> 22:20.620
Private.

22:20.620 --> 22:21.100
With public.

22:21.100 --> 22:22.000
Public with private.

22:23.050 --> 22:23.890
Runs both ways.

22:25.440 --> 22:27.870
We encrypt using one half, you can decrypt using the other.

22:28.650 --> 22:29.380
There is no excuse for.

22:30.590 --> 22:31.160
There is no.

22:32.410 --> 22:33.310
Exchange.

22:35.910 --> 22:38.340
R1 receives one key, then he receives another key.

22:38.370 --> 22:40.260
Uses the first key to solve the other key.

22:40.290 --> 22:41.640
Gets the actual.

22:42.420 --> 22:47.790
You have to understand, your job here is to do nothing; it's just to receive this black key.

22:48.630 --> 22:52.020
Now, earlier we used to receive it through the first tunnel, which was well and good.

22:52.050 --> 22:55.890
Now what we are doing is we are receiving it as a separate tunnel.

22:57.630 --> 23:03.720
It is protected using a private key, and I'm receiving it as the private key, but I'm decrypting it

23:03.720 --> 23:08.190
using the public to get the same key, the same key that I'll be using.

23:10.000 --> 23:10.540
Is it clear?

23:17.950 --> 23:18.820
Yes.

23:18.850 --> 23:20.860
Now will be received through a different.

23:26.560 --> 23:31.870
First the first time the game takes place, the key is created through this.

23:31.870 --> 23:33.220
Also, the public key is sent.

23:34.970 --> 23:35.710
For the KEK.

23:35.720 --> 23:36.860
The public key is sent to me.

23:37.950 --> 23:39.270
Once I receive that public key.

23:39.300 --> 23:40.320
Now I have it.

23:40.350 --> 23:43.050
Now, when he sends the packet, he will send it as what?

23:43.080 --> 23:43.890
Encrypted.

23:43.890 --> 23:44.970
Using the private key.

23:45.000 --> 23:46.340
He will just send one key.

23:46.380 --> 23:47.250
That's all he'll do.

23:47.910 --> 23:51.690
It will just send one encrypted using the private key.

23:51.720 --> 23:52.770
It will come down to me.

23:52.770 --> 23:53.460
Encrypted.

23:53.460 --> 23:54.150
Anybody?

23:54.150 --> 23:55.110
Everybody.

23:55.140 --> 23:59.470
Whoever comes in, in the middle tries to see it will not be able to get in there.

23:59.490 --> 24:01.400
It's 1024-bit encryption.

24:01.410 --> 24:03.420
If you want, you can take it to 2048.

24:04.730 --> 24:06.410
Which I think will be too much.

24:07.680 --> 24:08.610
Right, for our case.

24:08.610 --> 24:09.900
1024 is more than enough.

24:11.690 --> 24:11.800
Right.

24:11.900 --> 24:14.930
And you're not just protecting yourself from the service provider.

24:15.850 --> 24:19.630
So encrypt it and you will decrypt it using your public key.

24:21.190 --> 24:22.240
Any questions?

24:22.930 --> 24:23.390
The same.

24:24.920 --> 24:25.490
Simulated.

24:26.850 --> 24:27.090
Same.

24:27.390 --> 24:28.200
It's called GDOI.

24:28.230 --> 24:29.180
Key exchange.

24:29.190 --> 24:29.940
We'll see it.

24:31.050 --> 24:32.040
Let's see the exchange.

24:32.620 --> 24:32.860
Kid.

24:36.100 --> 24:36.700
All of them.

24:40.840 --> 24:41.230
Yeah.

24:41.800 --> 24:42.050
Okay.

24:43.840 --> 24:44.830
Who can decrypt it?

24:47.040 --> 24:47.880
That's the thing.

24:47.880 --> 24:50.340
The public key is sent at the end of what?

24:50.580 --> 24:52.050
Your ISAKMP exchange.

24:54.860 --> 24:55.250
For that.

24:55.250 --> 24:58.830
Your identity number should match, your pre-shared key should match.

24:58.850 --> 25:00.830
Your policies should match.

25:01.250 --> 25:04.700
Once all of that matches at the end of the exchange, it sends the public key.

25:05.210 --> 25:07.640
If you don't have that, you can't create that exchange, right?

25:11.290 --> 25:13.680
Look, it was a good question, but do you understand?

25:13.690 --> 25:18.180
What if you don't have those parameters? You won't be able to create that tunnel.

25:18.190 --> 25:21.040
If you're not able to create that tunnel, you won't receive the public key.

25:23.600 --> 25:24.710
Any more questions?

25:26.290 --> 25:27.390
Let's see this.

25:27.400 --> 25:28.860
Let's configure it and see.

25:28.870 --> 25:30.070
Let's go to R6.

25:32.590 --> 25:39.700
The first thing that you have to do is crypto key generate rsa modulus 1024.

25:40.420 --> 25:41.350
I'll label them.

25:42.530 --> 25:45.620
As GET keys. Also,

25:46.320 --> 25:47.970
I'm going to make them exportable.

25:49.220 --> 25:50.540
I'll explain why later.

25:53.380 --> 25:54.820
I'm going to make them exportable.

25:55.620 --> 25:56.440
Remember this?

25:57.890 --> 25:58.370
Okay.

25:59.010 --> 26:01.980
Now I'll go back to crypto gdoi group.

26:02.010 --> 26:02.760
What was it called?

26:02.760 --> 26:04.800
Sales s.

26:06.650 --> 26:08.570
I'll go back to server local.

26:08.720 --> 26:09.590
Here.

26:09.680 --> 26:11.670
I've used sa.

26:12.170 --> 26:13.790
I've used address.

26:15.470 --> 26:16.550
I can now.

26:16.550 --> 26:18.950
For KEK, I'll be configuring.

26:18.950 --> 26:20.930
What key?

26:23.410 --> 26:25.960
KEK is known as rekey, so I'll say rekey.

26:26.290 --> 26:28.420
Now you have certain options available to you.

26:29.260 --> 26:32.740
We'll configure all of them and we'll make sure that we understand each one of them.

26:34.600 --> 26:39.790
First of all, you have the address. Now this rekeying can be done two ways.

26:41.420 --> 26:46.220
When I say rekey, I'm also talking about the every 3600 seconds.

26:46.220 --> 26:47.600
The key is going to be sent again.

26:47.600 --> 26:48.050
Right.

26:48.260 --> 26:49.880
That is also known as rekey.

26:50.090 --> 26:54.650
Now, that will also be done not from the first tunnel, but from the second tunnel.

26:56.720 --> 26:58.310
From the public and private key.

26:58.400 --> 26:59.540
Now, this key.

27:00.940 --> 27:02.200
There are two ways of doing it.

27:02.200 --> 27:06.220
One, the server sends it to a multicast.

27:10.990 --> 27:12.580
Sends it to a multicast address.

27:12.760 --> 27:18.640
What is the good part about that? At the same time, all of the peers will

27:18.640 --> 27:19.450
receive the key.

27:21.960 --> 27:24.780
Because all of them will be part of the same multicast group.

27:24.780 --> 27:26.880
So when it sends out a multicast.

27:27.760 --> 27:31.270
Sends out the key to the multicast address, all of them will receive it.

27:31.300 --> 27:34.360
The only one bad thing about it is there is no acknowledgement.

27:37.210 --> 27:40.480
So the server has no way of knowing if the clients received it or not.

27:40.750 --> 27:44.170
If the client doesn't receive it, it will come and reregister itself again.

27:44.930 --> 27:46.610
Which is okay, but not efficient.

27:48.840 --> 27:50.580
If you have a lot of spokes.

27:51.210 --> 27:55.050
Then this is good because one shot, all of them get refreshed.

27:55.320 --> 28:02.820
If you have a smaller environment, then what you will do is unicast, where it will individually

28:02.820 --> 28:03.900
go to each of them.

28:04.730 --> 28:08.450
And send them a rekey on their address.

28:08.480 --> 28:10.370
The one address which they have registered with.

28:12.840 --> 28:15.310
So two ways multicast and unicast.

28:15.330 --> 28:17.220
We'll be working with Unicast right now.

28:18.070 --> 28:22.390
So when you have multicast, you specify that address here.

28:24.200 --> 28:25.400
In an access list.

28:28.050 --> 28:28.430
No, no.

28:28.440 --> 28:31.710
You can use any, any that you use from here.

28:31.710 --> 28:38.010
Anything after 224, any address, everybody will come up and register to that address for the multicast.

28:38.740 --> 28:40.720
By default, it is multicast.

28:40.750 --> 28:43.130
Right now I'm going to use what unicast.

28:43.150 --> 28:45.010
I need to change that using rekey.

28:47.530 --> 28:48.040
Transport.

28:49.200 --> 28:51.450
And you say transport should be done using.

28:53.760 --> 28:55.870
It should be sent down using unicast.

28:55.890 --> 28:59.620
By default, it uses multicast, so you have to specify that address.

29:00.790 --> 29:01.810
Now I change it to.

29:03.910 --> 29:04.330
Done.

29:05.830 --> 29:06.700
What else do I have?

29:08.160 --> 29:08.580
Rekey.

29:10.390 --> 29:11.170
Authentication.

29:12.580 --> 29:13.930
Rekey authentication.

29:15.220 --> 29:15.820
Now.

29:15.850 --> 29:16.060
What?

29:16.090 --> 29:18.880
Are you using a key from outside or are you using a local key?

29:18.910 --> 29:19.870
I'm using a local key.

29:19.870 --> 29:20.800
So mypubkey.

29:20.940 --> 29:21.240
RSA.

29:21.250 --> 29:22.510
What is the name of that key?

29:25.340 --> 29:25.610
Get.

29:27.110 --> 29:27.950
This is my key.

29:28.210 --> 29:28.580
Kay.

29:28.580 --> 29:28.760
Kay.

29:29.510 --> 29:34.310
I'm specifying that the key that I want to use is GET keys.

29:36.800 --> 29:37.190
Okay.

29:38.520 --> 29:39.510
What else do I need?

29:41.670 --> 29:44.160
Algorithm, you can specify which algorithm do you want to use?

29:44.160 --> 29:45.510
I'll leave it as default.

29:45.540 --> 29:46.470
Lifetime.

29:46.920 --> 29:48.210
Lifetime is important.

29:50.130 --> 29:55.150
By default, the lifetime of a key is 86,400 seconds.

29:56.620 --> 29:57.280
By default.

29:59.170 --> 30:03.340
Cisco recommends that this key should be.

30:04.540 --> 30:05.740
Three times your.

30:07.710 --> 30:08.310
How much is the.

30:09.180 --> 30:10.560
3600 seconds.

30:10.680 --> 30:12.000
Three times it would be.

30:12.000 --> 30:12.630
How much?

30:12.900 --> 30:14.780
10,800 seconds.

30:17.290 --> 30:17.800
10,000.

30:17.800 --> 30:18.760
Cisco recommends that.

30:18.760 --> 30:19.030
Why?

30:19.150 --> 30:20.500
What is this lifetime?

30:20.500 --> 30:21.820
This lifetime is.

30:23.500 --> 30:26.740
Now, see, by default, it's 86,400 seconds.

30:26.770 --> 30:28.240
Do you remember your ISAKMP?

30:28.780 --> 30:29.070
Yes.

30:29.170 --> 30:30.520
What is the lifetime of that?

30:30.730 --> 30:32.200
86,400 seconds.

30:32.210 --> 30:38.020
So basically what he's saying is every 86,400 seconds this SA will be recreated again.

30:39.410 --> 30:41.900
Along the same time, you'll get the public key again, right?

30:42.530 --> 30:44.710
So your other tunnel will also be refreshed.

30:44.720 --> 30:45.410
Both of them.

30:47.910 --> 30:51.690
Cisco recommends you should change it to three times your.

30:52.930 --> 30:55.900
Which is 10,800.

30:56.230 --> 30:56.650
Why?

30:56.680 --> 30:59.980
Because you'll be receiving the TEK through the same tunnel.

31:01.280 --> 31:03.730
You will receive it once you receive it twice.

31:04.460 --> 31:05.810
You receive it the third time.

31:07.520 --> 31:10.060
Then it asks you to get the public key again.

31:11.800 --> 31:17.890
So at that time the R6 will send back the public key again to R1 through the first.

31:21.010 --> 31:21.690
The public.

31:23.460 --> 31:25.050
The KEK is sent again.

31:25.290 --> 31:29.330
So next time when you send the TEK, it'll be encrypted again and again and again.

31:31.420 --> 31:34.300
The good thing about this is all the group members will get it.

31:35.280 --> 31:36.270
At the same time.

31:36.960 --> 31:41.670
That's the best part about this synchronization is they're all the group members come up and register

31:41.670 --> 31:42.690
themselves again.

31:42.690 --> 31:47.970
So that's why when you specify this lifetime, you can specify it in 300 seconds.

31:47.970 --> 31:50.760
I'll do it 300, because I want to show you the key process.

31:51.770 --> 31:54.620
Now, when you do it less than that, it does show some problems.

31:55.930 --> 31:57.750
Should not be less than that, obviously.

31:59.040 --> 32:00.270
What do I mean by that?

32:00.370 --> 32:06.630
It has 3600 seconds, so you're still valid, but you're going to get your public key again and again

32:06.630 --> 32:10.520
and again and again, which makes no sense because your TEK will come after 3600 seconds.

32:12.830 --> 32:15.560
The traffic encryption key will come after 3600 seconds.

32:15.560 --> 32:17.900
So in this case, you will see some problems.

32:17.900 --> 32:24.320
You will see a lot of inbound outbound SAs because you'll have the older key and you'll be getting

32:24.320 --> 32:25.160
a new key.

32:25.280 --> 32:26.360
You'll be getting it again.

32:26.390 --> 32:27.980
You'll be going up and down, up and down.

32:27.980 --> 32:31.760
Not recommended, but just to show you the process, I'll keep it as 300.

32:33.660 --> 32:34.080
Okay.

32:34.500 --> 32:36.660
Save it, then, rekey.

32:36.690 --> 32:37.470
What else do I need?

32:37.500 --> 32:38.550
Authentication is done.

32:38.550 --> 32:39.270
Retransmit.

32:41.880 --> 32:46.140
Retransmit means once I send the key, if I don't receive the acknowledgement.

32:46.170 --> 32:47.490
Do I transmit it again?

32:48.240 --> 32:50.120
I say yes. If.

32:50.130 --> 32:51.360
Wait for 10 seconds.

32:51.390 --> 32:53.400
You don't get the acknowledgement, send it again.

32:53.430 --> 32:56.460
Then he says, okay, how many times do you want me to try sending the key?

32:57.120 --> 32:58.290
By default, it's two.

32:58.290 --> 32:58.770
I'll keep it.

32:58.800 --> 32:59.580
Take it to three.

33:01.070 --> 33:04.550
So if you don't get a response, send the key back again after 10 seconds.

33:05.210 --> 33:07.190
Do this three times.

33:07.520 --> 33:09.830
If this doesn't happen, then stop it.

33:09.830 --> 33:11.630
The group member may be down.

33:12.350 --> 33:12.680
Right?

33:12.680 --> 33:15.050
Show run.

33:17.010 --> 33:18.000
Section crypto.

33:19.980 --> 33:21.120
That's all I need to do.

33:29.630 --> 33:30.920
For unicast.

33:30.920 --> 33:31.820
There is multicast.

33:31.820 --> 33:32.210
There is.

33:36.100 --> 33:37.000
All is configured.

33:37.420 --> 33:40.960
Now, the good thing about get VPN also is when you do your show running configuration, if something

33:40.960 --> 33:46.690
is missing, it will show you here you have not configured this part or that part or this is missing

33:46.690 --> 33:49.360
or that is missing Right now, everything seems okay.

33:49.360 --> 33:57.220
So let's go to R1, clear crypto gdoi, and say yes, it'll go and register itself again.

33:57.220 --> 33:59.440
Everything is fine, but you also have what?

34:03.320 --> 34:06.680
Group sales transitioned toward unicast.

34:08.070 --> 34:09.450
Show crypto.

34:12.710 --> 34:14.840
I have my TEK, which is fine.

34:14.870 --> 34:15.740
I also have.

34:15.740 --> 34:16.220
What?

34:23.200 --> 34:23.770
I also have a.

34:25.760 --> 34:26.450
Unicast.

34:29.020 --> 34:29.530
It is.

34:30.500 --> 34:32.510
And he doesn't want you to.

34:33.580 --> 34:34.180
I'll explain.

34:35.540 --> 34:36.590
The second tunnel.

34:36.590 --> 34:38.360
I told you, it comes down through a second tunnel.

34:38.360 --> 34:40.580
Right through a second tunnel.

34:40.610 --> 34:41.660
The second tunnel.

34:42.990 --> 34:44.130
Is also encrypted.

34:46.160 --> 34:47.670
You are sending the TEK along?

34:47.700 --> 34:49.980
Yes, the TEK is.

34:52.870 --> 34:54.850
The data is encrypted using the public key.

34:54.850 --> 34:56.920
But you're sending it through a tunnel, right?

34:57.160 --> 34:59.680
This tunnel, in turn, is also protected.

35:03.650 --> 35:05.180
Using an algorithm which you choose.

35:05.180 --> 35:06.470
I left it at default.

35:06.470 --> 35:08.480
So the algorithm that was chosen was what?

35:09.140 --> 35:09.560
3DES.

35:09.560 --> 35:10.370
192.

35:12.410 --> 35:15.290
You can change that because these are two different tunnels now.

35:15.530 --> 35:16.560
There's one for ISAKMP.

35:17.000 --> 35:18.620
There's another one for this.

35:18.980 --> 35:21.860
You can see it using show crypto.

35:22.870 --> 35:23.510
ISAKMP.

35:26.060 --> 35:31.550
So you have a GDOI_IDLE which is using your 3DES and MD5.

35:31.850 --> 35:37.040
Then you have your KEK, which is using the default 3DES and 192.

35:42.000 --> 35:43.590
Like two different tunnels.

35:43.980 --> 35:45.990
This tunnel lifetime is how much?

35:46.950 --> 35:48.330
Don't think if it shows you that.

35:50.850 --> 35:52.500
No, it doesn't show the lifetime of this key.

35:52.710 --> 35:55.160
The second one doesn't show.

35:57.910 --> 35:58.780
It's a separate tunnel.

35:59.320 --> 36:04.840
Show crypto gdoi. I can see the lifetime here is only 300 seconds.

36:04.960 --> 36:08.920
So you will see after 300 seconds a separate tunnel will come.

36:10.210 --> 36:14.500
A separate tunnel with the public key that you'll be sending will be the same.

36:14.500 --> 36:18.190
Remember, you will still be sending the same public key.

36:18.220 --> 36:20.710
What is going to be different between these two tunnels?

36:23.280 --> 36:25.740
Why do I send it again if I'm sending the same public again?

36:32.070 --> 36:33.930
What is not the key.

36:34.170 --> 36:34.980
But.

36:37.350 --> 36:39.240
When I'm sending it for the first time.

36:40.380 --> 36:41.520
I'm sending it through this tunnel.

36:41.520 --> 36:41.760
Right.

36:41.760 --> 36:42.750
It's encrypted.

36:44.100 --> 36:45.090
The second tunnel.

36:47.230 --> 36:48.370
Is encrypted again.

36:49.640 --> 36:51.440
The difference doesn't come in the public.

36:51.590 --> 36:53.780
The difference comes in this encryption.

36:57.650 --> 36:59.630
The difference comes in this encryption.

37:02.860 --> 37:03.090
The key.

37:03.190 --> 37:03.850
This is.

37:06.460 --> 37:06.850
Rekey.

37:09.120 --> 37:10.190
This is the first rekey tunnel.

37:10.200 --> 37:11.430
This is the second rekey tunnel.

37:12.150 --> 37:16.110
I told you this. Right now it's using the default 3DES and.

37:16.770 --> 37:17.070
SHA.

37:18.220 --> 37:18.670
She doesn't.

37:20.880 --> 37:21.450
What is it?

37:21.570 --> 37:23.340
Which key does it use to protect this tunnel?

37:23.910 --> 37:24.600
Your key.

37:26.170 --> 37:28.450
The key between R1 and R6.

37:31.010 --> 37:32.650
No, this is I'm talking about the second time.

37:32.670 --> 37:34.310
This is the tunnel, not the tunnel.

37:36.300 --> 37:37.140
Let me explain.

37:37.470 --> 37:41.700
There are two types of tunnels that will be exchanged between R1 and R6.

37:41.730 --> 37:42.930
The first tunnel.

37:44.070 --> 37:46.140
Is going to be a normal ISAKMP.

37:47.200 --> 37:51.400
Through which DH will be solved, at the end of which you will have a session key.

37:53.280 --> 37:56.280
The thing is, that session I won't be using for anything.

37:56.670 --> 37:58.670
I will only be using it for protecting.

37:58.680 --> 37:59.760
First of all, this tunnel.

38:02.450 --> 38:03.410
Protecting this tunnel.

38:03.740 --> 38:06.980
Plus, I will also be using it to protect the second tunnel.

38:09.780 --> 38:11.190
The the the.

38:16.230 --> 38:16.450
With.

38:16.500 --> 38:16.800
No.

38:18.040 --> 38:20.380
TEK will only be used for encryption of data.

38:23.150 --> 38:25.400
We are protecting the exchange using the.

38:26.930 --> 38:30.110
Your own your own variation or not the key.

38:31.180 --> 38:32.260
Not the actual TEK.

38:32.290 --> 38:33.940
The TEK will stay with the server.

38:34.960 --> 38:40.150
See, when you negotiate R1 and R6 when you're negotiating, you will have a session key also.

38:40.150 --> 38:40.330
Right.

38:40.330 --> 38:41.800
Both of the sides have a session key.

38:42.700 --> 38:46.240
The part of the session key is kept by the server.

38:46.480 --> 38:48.640
It is with him also, but he doesn't use it.

38:48.670 --> 38:50.110
It's kept by the server.

38:51.010 --> 38:52.090
It's not pushed down.

38:52.750 --> 38:53.080
Right.

38:53.110 --> 38:58.990
Then the remaining part of the, what I'll do with it is, first of all, I'll protect my ISAKMP, which is

38:58.990 --> 38:59.560
done already.

38:59.590 --> 39:03.070
Then I'll use some of it to protect the other part of the tunnel.

39:03.100 --> 39:04.840
The other tunnel which is coming later.

39:07.750 --> 39:09.190
The second tunnel that is coming.

39:09.190 --> 39:15.400
What is coming through that second tunnel might not the public key public key have already received

39:15.400 --> 39:15.910
from here?

39:17.810 --> 39:18.370
In the first.

39:19.710 --> 39:20.670
In the first tunnel.

39:20.670 --> 39:22.170
I've already received the public.

39:24.020 --> 39:24.460
Right.

39:27.660 --> 39:30.060
I'll explain it slowly, real slow and real realize.

39:31.150 --> 39:31.420
Right.

39:32.850 --> 39:35.730
The full process between R6 and R1.

39:36.330 --> 39:39.120
First thing that happens is.

39:39.880 --> 39:41.290
They start negotiating.

39:43.030 --> 39:44.050
In the first tunnel.

39:44.050 --> 39:45.250
Which tunnel is this?

39:46.940 --> 39:52.160
ISAKMP, where policies are exchanged, then DH is exchanged. By the end of this.

39:52.160 --> 39:53.330
Both of the sides have.

39:58.060 --> 40:00.850
By the end of this exchange, not full exchange.

40:00.850 --> 40:02.850
By the end of the third and the fourth packet they have there.

40:03.610 --> 40:05.800
Then they'll use this to protect this tunnel.

40:05.800 --> 40:06.310
Correct?

40:09.320 --> 40:10.130
Protect this tunnel.

40:10.670 --> 40:12.260
And then they will negotiate.

40:12.260 --> 40:13.010
On what?

40:13.770 --> 40:17.490
On the policies which will be pushed down from the server to the client.

40:19.100 --> 40:21.320
Also along the same time what will be pushed down.

40:23.790 --> 40:25.440
The public key will flow.

40:27.880 --> 40:28.450
To this side.

40:29.840 --> 40:31.790
So now one has two things.

40:31.820 --> 40:36.650
One, he has his own material, not the TEK.

40:36.950 --> 40:38.540
This is not the TEK.

40:38.570 --> 40:39.830
The TEK is with whom?

40:41.970 --> 40:42.840
It's still with server.

40:44.480 --> 40:46.580
This black material is still with the.

40:48.530 --> 40:49.520
The actual encryption.

40:51.130 --> 40:57.820
You have a small variation of DH, which you negotiated with R1, plus you have the public key, correct

40:57.820 --> 40:58.390
or not?

40:58.780 --> 40:59.680
Any doubts here?

41:00.440 --> 41:01.930
Definitely the capability.

41:02.420 --> 41:03.620
Right now, it's not encrypted.

41:03.620 --> 41:04.730
It's open free.

41:05.360 --> 41:06.650
The public key is open.

41:08.720 --> 41:09.790
Yes, That part.

41:09.800 --> 41:10.040
Yes.

41:10.570 --> 41:12.210
It's the tunnel.

41:12.430 --> 41:15.510
The public is also the seventh part.

41:15.520 --> 41:16.790
It is encrypted at that part.

41:16.810 --> 41:17.170
Correct.

41:17.170 --> 41:17.650
You're right.

41:18.280 --> 41:19.600
Right now.

41:21.280 --> 41:22.620
To send down this key.

41:24.460 --> 41:27.580
What the server does, it creates another tunnel.

41:32.270 --> 41:32.870
It creates.

41:32.900 --> 41:35.300
It creates a new kind of a tunnel.

41:38.940 --> 41:41.100
This tunnel, first of all, is encrypted.

41:43.090 --> 41:45.730
It is encrypted using what, that is the question, right?

41:46.840 --> 41:50.360
It is encrypted using the DH between R1 and R6.

41:50.380 --> 41:56.830
The material that is left, it will use that to encrypt this part and this side will use it to decrypt

41:56.830 --> 41:57.370
that part.

41:58.920 --> 42:00.480
The material that is left.

42:01.890 --> 42:03.520
R1 has only two resources.

42:03.540 --> 42:05.270
The public key and the material.

42:05.880 --> 42:08.990
That material it will use to encrypt and decrypt this.

42:10.650 --> 42:11.100
Correct.

42:11.340 --> 42:13.030
Now, this tunnel is also protected.

42:13.050 --> 42:14.930
What policies do you use here?

42:14.940 --> 42:17.920
That depends on what you have specified on R6 already.

42:19.320 --> 42:20.700
I left it at default.

42:20.700 --> 42:22.230
So right now it's 3DES and.

42:27.240 --> 42:28.190
When it is.

42:28.200 --> 42:31.220
I mean, where do we use this to protect this one?

42:35.440 --> 42:38.090
The key using which algorithm.

42:38.540 --> 42:42.920
3DES, and shuffle the material using which algorithm.

42:42.950 --> 42:43.970
These two algorithms.

42:45.150 --> 42:45.530
Right.

42:45.710 --> 42:47.000
What do you need for encryption?

42:47.030 --> 42:48.740
What kind of algorithm are you using?

42:48.740 --> 42:49.430
And the key.

42:50.300 --> 42:51.050
You have both.

42:52.680 --> 42:53.850
Yes, yes, yes.

42:54.000 --> 42:54.510
No, here.

42:54.510 --> 42:55.230
It's not right now.

42:55.230 --> 42:57.150
I'm not talking about asymmetrical at all.

43:00.280 --> 43:02.950
The DH, the exchange is symmetrical.

43:02.950 --> 43:04.330
Finally, the key is symmetrical.

43:06.050 --> 43:10.460
Remember, the exchange is asymmetrical, but the final key, which you use for encryption decryption

43:10.460 --> 43:11.250
is symmetrical.

43:11.270 --> 43:12.470
Right now it's symmetrical.

43:12.650 --> 43:14.330
Both of them have the same brown key.

43:16.450 --> 43:18.590
Both of the sides have the same brown key, right?

43:21.300 --> 43:26.120
Okay, Now what is going to happen is the only one thing happens through this.

43:26.130 --> 43:26.640
What?

43:27.860 --> 43:29.150
He's going to send me this black key.

43:30.480 --> 43:35.400
He could have just sent it to me as it is, but that would be the same as before sending it through

43:35.400 --> 43:35.820
the tunnel.

43:36.300 --> 43:37.530
It's not going to do that.

43:37.530 --> 43:38.970
What is the server going to do?

43:39.000 --> 43:40.920
It's going to encrypt this.

43:43.140 --> 43:44.520
Using the private key.

43:47.040 --> 43:48.000
Double encryption.

43:48.810 --> 43:49.560
That's the thing.

43:50.100 --> 43:50.910
Double encryption.

43:50.910 --> 43:56.550
Once it's going to encrypt it using the private key, then send it across the tunnel where it is going

43:56.550 --> 43:57.930
to be encrypted using the tunnel.

43:59.760 --> 44:00.780
Which is using the DH.

44:01.160 --> 44:03.180
It reaches the other side.

44:04.310 --> 44:05.420
As encrypted.

44:06.260 --> 44:07.370
The other side already has.

44:07.370 --> 44:07.810
What?

44:07.820 --> 44:08.900
The private key.

44:08.930 --> 44:12.470
It uses that private key to decrypt this to finally find out.

44:13.780 --> 44:19.300
It has a public uses the public key to decrypt this part again to get what?

44:20.990 --> 44:21.350
So.

44:23.590 --> 44:24.700
To get the actual.

44:26.690 --> 44:27.010
Session.

44:27.080 --> 44:27.440
You are the.

44:30.320 --> 44:31.190
To get the actual.

44:32.470 --> 44:34.860
So this traffic is protected two times.

44:36.380 --> 44:40.710
One using the DH, which is negotiated between R1 and R6.

44:40.730 --> 44:42.980
Second by the public and the private.

44:47.310 --> 44:48.000
Is this clear?

44:50.220 --> 44:50.390
Clear.

44:50.850 --> 44:53.040
Now, I'll ask you if this is clear.

44:53.610 --> 44:54.690
I'll ask you some stuff.

44:55.050 --> 44:55.320
Okay.

44:55.320 --> 44:55.890
I understand.

44:55.890 --> 44:57.210
Between R1 and R6.

44:57.240 --> 44:59.400
Let's say R1 R6 exchange is done.

44:59.640 --> 45:01.410
R6 has the key already.

45:04.550 --> 45:05.380
We have negotiated.

45:05.390 --> 45:06.120
R6 has the key.

45:06.140 --> 45:08.060
They have their own set of keys.

45:08.210 --> 45:10.370
The R6 keeps the.

45:12.400 --> 45:16.360
Tell me, how is the exchange going to happen between R2 and R6?

45:19.820 --> 45:20.630
First of all.

45:22.000 --> 45:22.350
ISAKMP.

45:24.150 --> 45:25.110
The first ISAKMP.

45:29.040 --> 45:30.600
Who that negotiating on what?

45:31.960 --> 45:32.380
--.

45:33.010 --> 45:33.430
Remember?

45:35.340 --> 45:35.980
The DH here.

45:36.250 --> 45:37.000
The DH here.

45:37.690 --> 45:39.280
My TEK will not be touched.

45:40.530 --> 45:40.710
The.

45:42.650 --> 45:45.740
Exchange policies and everything else eventually send him.

45:45.740 --> 45:46.250
What?

45:48.460 --> 45:49.120
Send him.

45:50.210 --> 45:50.900
The public.

45:53.590 --> 45:54.880
A different set of obligations.

45:55.780 --> 45:56.190
No, no, no.

45:56.200 --> 45:57.220
The public is the same.

45:57.400 --> 45:58.460
The public is the same.

45:58.480 --> 45:59.680
The DH is different.

46:01.140 --> 46:03.070
The DH is different because two different peers, right?

46:03.090 --> 46:05.870
The public will be the same, always same public.

46:05.880 --> 46:06.880
You will be sent to everybody.

46:07.840 --> 46:08.080
Okay.

46:08.080 --> 46:09.940
This is encrypted using some part of this.

46:11.330 --> 46:14.210
Now you have the public key, You have the key.

46:14.450 --> 46:16.340
Then another key will be sent.

46:16.430 --> 46:18.170
Another exchange will be done.

46:19.820 --> 46:24.650
Encrypted using the one which you have, which is the same.

46:27.060 --> 46:29.580
Through which it will send you.

46:31.360 --> 46:32.170
Encrypted key.

46:33.940 --> 46:35.290
Which you will decrypt to get.

46:37.510 --> 46:39.850
So now R1 has the session key.

46:39.880 --> 46:40.690
You have the session key.

46:40.720 --> 46:41.830
You'll be able to communicate to each.

46:45.090 --> 46:45.510
Okay.

46:46.650 --> 46:47.370
Good enough.

46:47.580 --> 46:52.980
Now, when you see is every 300 seconds, this key will be renegotiated again.

46:53.910 --> 46:56.340
The second tunnel will be renegotiated again, which.

46:58.350 --> 47:01.560
Every 300 seconds because I've kept the timer at 300 seconds.

47:01.590 --> 47:03.900
This will change.

47:04.510 --> 47:08.980
The material will remain the same, but they will shift and use some other part of the.

47:10.100 --> 47:13.540
Every 300 seconds, this tunnel will be coming back again and again.

47:13.540 --> 47:13.990
And again.

47:13.990 --> 47:14.440
And again.

47:14.440 --> 47:14.800
And again.

47:17.060 --> 47:20.210
The bad part is that my TEK will only come down.

47:20.450 --> 47:24.110
The new TEK will come down after 3600 seconds.

47:24.110 --> 47:28.280
So what I'm basically doing is after 300 seconds, I'm getting the same key again and again.

47:28.280 --> 47:28.730
And again.

47:28.730 --> 47:29.450
And again and again.

47:30.690 --> 47:33.790
That's why it's recommended to keep it three times the TEK.

47:36.400 --> 47:37.120
The second tunnel.

47:37.150 --> 47:42.370
The tunnel that will cause problems which will see right now, if you go R1, you will have received

47:42.700 --> 47:43.900
a lot of times already.

47:45.950 --> 47:47.750
Show crypto.

47:50.600 --> 47:51.770
The registers itself.

47:51.770 --> 47:52.600
That's okay too.

47:52.610 --> 47:54.200
Rekeys have already come to me.

47:55.340 --> 47:55.580
Right.

47:56.000 --> 47:56.780
So.

47:57.590 --> 47:58.210
What do you have on?

48:00.720 --> 48:02.090
He dies eight years.

48:05.510 --> 48:06.340
Yeah, sure.

48:06.350 --> 48:07.510
Crypto ISAKMP.

48:12.100 --> 48:12.700
There was one.

48:13.900 --> 48:15.190
Then there was another one.

48:16.420 --> 48:18.220
Check out the connection ID 1005.

48:18.250 --> 48:18.660
Right.

48:19.600 --> 48:20.830
1006.

48:22.730 --> 48:24.740
A new connection created every time.

48:27.050 --> 48:27.220
Okay.

48:29.710 --> 48:30.130
DH.

48:30.400 --> 48:32.710
DH is the first time it takes place, right?

48:32.950 --> 48:33.790
The first time.

48:34.060 --> 48:39.710
Out of that, he will take the three separate keys.

48:39.790 --> 48:41.420
The other ones will be used to encrypt the tunnel.

48:41.440 --> 48:42.970
The actual one will be saved.

48:43.300 --> 48:44.740
The one which is saved for the data.

48:46.360 --> 48:46.960
They'll be safe.

48:48.440 --> 48:48.650
Right.

48:50.850 --> 48:51.230
It has.

48:53.890 --> 48:55.760
The other one should be three times right now.

48:55.780 --> 48:58.150
Configured it to be only 300 seconds.

49:02.110 --> 49:03.010
You will be changed, right?

49:03.100 --> 49:04.300
The key will be changed from the server.

49:06.230 --> 49:07.280
He has to work with these.

49:08.480 --> 49:08.750
See.

49:08.930 --> 49:09.440
Yes.

49:11.840 --> 49:12.290
It's not.

49:12.290 --> 49:13.640
That's why it has to be synchronized.

49:15.100 --> 49:16.630
That he has to be synchronized.

49:16.670 --> 49:18.100
See, there's another thing.

49:18.220 --> 49:19.270
Show crypto.

49:22.250 --> 49:23.480
What is the size left?

49:23.510 --> 49:24.740
1086.

49:26.000 --> 49:26.990
You also have.

49:29.840 --> 49:31.030
Re registers itself.

49:32.040 --> 49:37.140
The group member will still after when it's about to go to 3600 seconds, he'll go back and reregister

49:37.140 --> 49:39.720
itself again, go through change.

49:39.960 --> 49:40.650
At that time.

49:40.680 --> 49:44.580
He'll get the same new new variations of that has to happen.

49:48.060 --> 49:48.570
For the second.

49:48.690 --> 49:49.980
That's why it says three times.

49:51.120 --> 49:52.200
Just to keep it safe.

49:53.320 --> 49:54.130
Says three times.

49:55.460 --> 49:55.840
Right.

49:55.880 --> 49:58.010
Because the second time.

49:58.430 --> 49:58.600
Right.

49:58.670 --> 50:00.290
Someone might be sniffing on it.

50:00.680 --> 50:03.470
Then because the DH will remain the same forever.

50:03.620 --> 50:05.390
That is not really feasible.

50:06.260 --> 50:06.970
To remain safe.

50:06.980 --> 50:08.600
That's why they keep on changing that.

50:08.600 --> 50:11.030
So the other guy cannot collect a lot of data.

50:11.750 --> 50:16.090
Although it is still protected two times, but still for safety, three times is enough.

50:16.100 --> 50:17.720
By default, it's 24 hours.

50:19.230 --> 50:19.710
By default.

50:19.710 --> 50:22.950
It's when the whole GDOI goes down and comes back up again.

50:22.980 --> 50:25.490
The same time, your other tunnel also comes back up again.

50:26.270 --> 50:29.210
But for extra high security, they say three times.

50:29.420 --> 50:30.530
Three times three hours.

50:31.760 --> 50:32.620
Ten more days.

50:32.710 --> 50:32.810
We.

50:34.110 --> 50:34.650
After time.

50:34.650 --> 50:37.920
Out of which one time out of.

50:40.240 --> 50:47.480
You know, this doesn't happen just like at the end of your 3600 seconds in a normal IPsec tunnel.

50:47.550 --> 50:48.760
This doesn't happen again.

50:48.770 --> 50:53.030
But what the other two peers do is they just shift their keying material.

50:53.390 --> 50:54.710
The keying material is the same.

50:54.710 --> 50:56.600
They just use a different block out of it.

50:58.010 --> 51:00.170
The material because they don't have just the key.

51:00.200 --> 51:01.820
They have a full material, Right?

51:02.920 --> 51:05.020
They have a full keying material out of that.

51:05.020 --> 51:06.070
They'll use the other part.

51:06.100 --> 51:07.570
The other part the other part.

51:07.750 --> 51:12.010
After your lifetime is done, then they'll use a different key.

51:15.310 --> 51:19.000
84,000, after 24 hours.

51:19.630 --> 51:20.470
Everything changes.

51:20.470 --> 51:22.400
Your keying material changes and everything changes.

51:22.420 --> 51:23.950
Now you have the new keying material.

51:23.950 --> 51:25.570
From that, you'll use different keys.

51:25.990 --> 51:30.010
Until then, you'll just be shifting three, three, three hours every three hours.

51:30.010 --> 51:31.090
You'll keep on changing your.

51:32.140 --> 51:32.650
Yeah.

51:33.400 --> 51:37.090
After 24 hours. It changes every 3600 seconds.

51:38.110 --> 51:40.690
But the material remains the same.

51:41.020 --> 51:42.730
Keying material remains the same.

51:43.150 --> 51:45.610
Is again, a smaller block out of the same material.

51:45.730 --> 51:48.460
After 24 hours, the complete thing is refreshed.

51:51.270 --> 51:51.530
Right.

51:51.870 --> 51:52.860
Remember these things?

51:52.900 --> 51:55.570
TEK 3600 seconds.

51:55.590 --> 51:57.360
You don't change the material.

51:57.360 --> 51:58.710
You don't change the full material.

51:58.750 --> 52:01.650
You're just taking another block from the same material.

52:02.310 --> 52:05.040
The material is usually 1024 bits out of that.

52:05.040 --> 52:08.000
You're just taking 128 bits here, 128 bits here.

52:08.010 --> 52:09.720
You're just reshuffling the bits.

52:10.530 --> 52:15.630
Every 3600 seconds, every one hour until 24 hours.

52:15.630 --> 52:20.010
After 24 hours, your whole ISAKMP is torn down, brought back up again.

52:21.310 --> 52:24.940
So what you get is newer, fresher material for TEK.

52:24.970 --> 52:28.480
Then you again start taking out smaller chunks of keys from the same key.

52:30.720 --> 52:31.260
From the same.

52:34.730 --> 52:36.590
You know, minimum is 300 seconds.

52:36.950 --> 52:37.700
Oh, that one.

52:37.850 --> 52:38.300
The.

52:38.870 --> 52:39.860
You can bring it down.

52:41.860 --> 52:48.520
It would, but that would mean 100 seconds, which is way too little; every hundred

52:48.520 --> 52:50.160
seconds changing the key.

52:50.170 --> 52:50.740
It's.

52:51.440 --> 52:52.270
Every 300.

52:54.480 --> 52:57.570
The same key to every 3600 seconds.

52:59.190 --> 52:59.580
Unstable.

53:00.400 --> 53:00.700
Its.

53:00.720 --> 53:01.650
It is unstable.

53:01.650 --> 53:02.520
Yes.

53:02.670 --> 53:04.800
I'll show you the instability that it brings.

53:06.510 --> 53:07.710
No, right now it's not.

53:07.860 --> 53:08.670
Later, I'll show you.

53:08.670 --> 53:09.840
It shows a lot of SAs.

53:11.810 --> 53:13.280
In SAs, out SAs.

53:13.280 --> 53:16.490
Right now you have 860 seconds left.

53:17.710 --> 53:18.460
Of the TEK.

53:19.390 --> 53:22.640
The TEK will come back in 860 seconds.

53:22.660 --> 53:23.590
We'll have a look at that.

53:23.590 --> 53:24.160
Until then.

53:24.160 --> 53:26.560
Until then, what we'll do is we'll register others.

53:27.340 --> 53:27.940
Clear Crypto.

53:28.660 --> 53:29.500
Yes, please.

53:31.610 --> 53:31.880
Right.

53:32.240 --> 53:35.930
Show crypto. Same concept, same things will be pushed down here.

53:35.930 --> 53:38.660
Also inbound outbound, same things.

53:38.900 --> 53:39.920
Show crypto.

53:41.490 --> 53:43.890
I use the same two tunnels, which you'll see.

53:45.850 --> 53:46.560
Rekey tunnels.

53:46.570 --> 53:47.380
Coming from where?

53:49.480 --> 53:50.260
1066.

53:50.440 --> 53:50.950
66.

53:51.130 --> 53:51.910
66.

53:52.150 --> 53:53.470
Let's do it for all of them.

53:53.470 --> 53:54.310
Clear crypto.

53:59.090 --> 53:59.750
Clear crypto.

54:06.060 --> 54:07.530
Tricky has been received.

54:12.120 --> 54:14.190
He has been crypto as.

54:19.460 --> 54:22.790
RSA public and private: RSA is a set of keys.

54:24.490 --> 54:25.450
But the key part is.

54:26.720 --> 54:27.290
Whiskey bark.

54:28.820 --> 54:29.150
That's all.

54:29.360 --> 54:29.840
That's all.

54:30.680 --> 54:31.920
We still have also.

54:31.940 --> 54:32.450
Yes.

54:32.450 --> 54:33.320
You use everything.

54:33.320 --> 54:34.910
Everything that you used to use before.

54:34.910 --> 54:35.630
You're using that.

54:35.630 --> 54:39.350
It's just that you're using it to protect from the top.

54:39.500 --> 54:42.170
Encrypt at the bottom, encrypt at the top, decrypt at the bottom.

54:43.130 --> 54:44.680
Because everything else is the same.

54:44.960 --> 54:45.830
Things are related to the.

54:46.940 --> 54:47.740
Give me everything.

54:48.190 --> 54:48.510
It's still.

54:50.310 --> 54:50.910
It's still the.

54:52.460 --> 54:52.730
Okay.

54:52.820 --> 54:55.610
Now, what you'll see from R1 is not R1.

54:55.610 --> 54:57.800
R6 is astonishing.

54:57.800 --> 55:00.500
Why you say so, crypto guy?

55:03.170 --> 55:04.430
Show crypto ISAKMP.

55:07.710 --> 55:09.220
I still see a lot of keys.

55:09.370 --> 55:10.270
A lot of.

55:14.810 --> 55:15.110
Right.

55:15.320 --> 55:21.950
There's one ISAKMP with the first one, the second one, the third one and the fourth

55:21.950 --> 55:22.220
one.

55:23.800 --> 55:27.880
Now, the moment you send out three keys, you see three keys.

55:27.910 --> 55:29.230
A lot of keys also here.

55:29.650 --> 55:32.590
Now, this IDLE is there for a long time.

55:34.910 --> 55:35.960
23 hours.

55:35.990 --> 55:40.430
The other guy has nothing to do with this, so let's wait for the rekey.

55:42.240 --> 55:43.050
Show crypto.

55:50.190 --> 55:51.570
How much time do you have left?

55:52.960 --> 55:53.660
With the.

55:56.550 --> 55:57.000
Give it time.

55:57.870 --> 55:58.660
Show crypto.

56:01.940 --> 56:05.720
So now this should at least work, right?

56:06.080 --> 56:08.150
I mean, that's all we are doing all of this for.

56:14.610 --> 56:15.840
Everything is the same.

56:16.770 --> 56:18.030
Nothing changes after that.

56:18.030 --> 56:19.470
Your IPsec tunnel is the same.

56:21.160 --> 56:26.140
The only thing you're doing is you're making the process of sending down the TEK stronger.

56:26.830 --> 56:28.210
That's all you're doing.

56:28.420 --> 56:30.370
You're just making the process stronger.

56:32.500 --> 56:33.160
Nothing else.

56:35.200 --> 56:35.440
There.

56:38.240 --> 56:38.490
Good.

56:40.020 --> 56:43.170
The last thing that you have to do is in this.

56:44.150 --> 56:44.960
Do I still have time?

56:44.960 --> 56:46.160
I can check in from the server.

56:46.160 --> 56:46.510
Sure.

56:55.870 --> 56:59.800
GMs will come up and register themselves in 585 seconds.

57:03.040 --> 57:03.790
You gotta take the time.

57:12.170 --> 57:13.400
Anyways, let's wait for it.

57:14.110 --> 57:17.170
What you have to do is you need redundancy.

57:19.440 --> 57:20.760
We need redundancy.

57:20.880 --> 57:24.930
Let me explain to you a little bit about redundancy, how it works with get VPN.

57:25.950 --> 57:26.880
In get VPN.

57:28.780 --> 57:32.170
The way it works is you have a key server.

57:33.570 --> 57:34.250
Key server one.

57:35.800 --> 57:37.870
I'll have another key server which will be key server.

57:40.610 --> 57:41.840
Key server one and key server.

57:43.890 --> 57:46.470
The moment I set up the relationship between them.

57:46.470 --> 57:49.500
This relationship is known as co-op.

57:50.680 --> 57:50.860
Who?

57:53.350 --> 57:54.250
It's called co-op.

57:55.390 --> 57:56.860
They will communicate to each other.

57:57.910 --> 58:00.400
The two servers will communicate to each other.

58:00.640 --> 58:02.500
One of them will be the primary.

58:02.920 --> 58:05.800
Everybody else will be the secondary of the group.

58:07.720 --> 58:08.620
What does this mean?

58:08.650 --> 58:09.550
Can you guess?

58:13.150 --> 58:15.720
First of all, one goes down, the other comes up, that's fine.

58:15.730 --> 58:20.500
But the role that is important, what is the role of the primary?

58:20.530 --> 58:21.820
What is the role of the others?

58:23.910 --> 58:28.110
The role of the primary is only to keep track of the key.

58:28.470 --> 58:29.250
That's it.

58:31.960 --> 58:35.330
The role of the primary is only to keep track of the key.

58:35.350 --> 58:36.880
That's all it needs.

58:39.260 --> 58:41.200
What it does is the key is with whom?

58:41.480 --> 58:42.170
This guy.

58:43.280 --> 58:46.220
When R6 and R7 are creating their relationship.

58:46.250 --> 58:49.040
R6 will also send a copy of the key to R7.

58:52.440 --> 58:54.060
We'll send a copy of the key to our server.

58:54.480 --> 59:00.450
So what people will do is whenever they come up and register themselves, they can register

59:00.450 --> 59:01.650
with either him or.

59:02.980 --> 59:05.710
Since R7 also has the key, it can push down that key.

59:09.930 --> 59:10.160
Sorry.

59:10.170 --> 59:10.430
Sorry.

59:10.740 --> 59:14.520
R7 will not have the key. R7 will register them.

59:16.000 --> 59:17.070
R7 will register them.

59:17.070 --> 59:18.840
The first time, we will give them the key.

59:19.590 --> 59:22.770
Every rekey after that will be done.

59:22.770 --> 59:23.210
By whom?

59:24.650 --> 59:25.430
The primary.

59:26.600 --> 59:28.940
The primary job is to.

59:31.010 --> 59:33.230
You can go and register yourself anywhere.

59:34.460 --> 59:39.020
You can go register yourself anywhere you want, but your rekey will be done.

59:39.020 --> 59:39.560
By whom?

59:40.790 --> 59:41.420
The primary.

59:43.520 --> 59:47.720
You see a small little flaw, something else that we need to do.

59:50.260 --> 59:53.090
Let's say I register to R7, right?

59:55.520 --> 59:57.970
Let's say I'm here and I register to R7.

1:00:00.640 --> 1:00:01.870
Then my rekey will be done.

1:00:01.870 --> 1:00:02.320
By whom?

1:00:02.620 --> 1:00:03.320
R6.

1:00:04.920 --> 1:00:06.150
Is there something missing here?

1:00:09.720 --> 1:00:10.410
The private.

1:00:12.830 --> 1:00:14.000
The public and the private.

1:00:14.990 --> 1:00:16.220
The private and the public.

1:00:16.220 --> 1:00:17.000
Key is with whom?

1:00:18.230 --> 1:00:21.290
Before R6 sends me a rekey, I would require that public key.

1:00:22.530 --> 1:00:24.030
Because he will encrypt it.

1:00:24.030 --> 1:00:25.350
I will need to decrypt it.

1:00:27.620 --> 1:00:28.220
Do you understand?

1:00:30.570 --> 1:00:37.710
Because when he sends the TEK to me as a rekey, I would need to decrypt that; for me to be able to decrypt

1:00:37.710 --> 1:00:38.290
that.

1:00:38.310 --> 1:00:39.870
I would need the public key.

1:00:39.900 --> 1:00:42.360
Now, if I had registered to R6.

1:00:42.390 --> 1:00:47.520
R6 would have given me that public key in the exchange, but I've registered to R7.

1:00:48.940 --> 1:00:52.960
I cannot create a separate set of keys on R7 because that would not match.

1:00:54.780 --> 1:00:57.030
R6 will use a separate set of keys.

1:00:57.180 --> 1:00:59.610
R7 will use a separate set of keys.

1:00:59.640 --> 1:01:03.690
That's why when I created the keys here, if you remember, I created them.

1:01:03.690 --> 1:01:04.290
As what?

1:01:09.230 --> 1:01:09.800
Exportable.

1:01:10.070 --> 1:01:11.570
And now I'll export them.

1:01:13.010 --> 1:01:20.540
I'll export the public and the private key from here and put it there on R7's side so that anybody who registers

1:01:20.570 --> 1:01:22.400
it will get the same public key.

1:01:23.380 --> 1:01:25.270
That it would have received from R6.

1:01:26.970 --> 1:01:30.660
Now, this is very, very, very dangerous.

1:01:31.290 --> 1:01:33.990
You have to make sure that this key is secure.

1:01:34.590 --> 1:01:35.790
One way or another.

1:01:39.150 --> 1:01:42.150
Crypto key export RSA, whichever is the name of that key.

1:01:42.990 --> 1:01:44.010
getkeys.

1:01:45.890 --> 1:01:47.670
The type of file is PEM.

1:01:47.750 --> 1:01:49.110
How do you want to export it?

1:01:49.130 --> 1:01:52.320
You can do it using a URL, so you have a server somewhere.

1:01:52.340 --> 1:01:54.770
You export it to the server and something like that.

1:01:54.800 --> 1:01:55.820
Here I'll use what?

1:01:56.090 --> 1:01:57.230
Copy paste.

1:01:58.920 --> 1:02:00.630
He says, encrypted locally.

1:02:02.560 --> 1:02:06.550
Format .pem of the exported key.

1:02:07.830 --> 1:02:08.130
Okay.

1:02:08.370 --> 1:02:15.240
Then he says terminal here is only supporting one, so meiosis will support a lot of them and all of

1:02:15.240 --> 1:02:16.500
them got one to.

1:02:17.660 --> 1:02:22.020
So here I'm saying I'll do it using cut and paste.

1:02:22.040 --> 1:02:23.570
It says, okay, encrypted locally.

1:02:24.460 --> 1:02:28.060
Using either 3DES or... I'll use Cisco one, two, three to encrypt.

1:02:28.630 --> 1:02:31.390
I will need the same key on the other side to decrypt it.

1:02:32.650 --> 1:02:33.730
This is not the complete key.

1:02:33.760 --> 1:02:34.540
This is the actual key.

1:02:34.540 --> 1:02:36.640
Encrypted using the 3DES I just used.

1:02:37.620 --> 1:02:37.890
Right.

1:02:38.040 --> 1:02:39.690
I need to paste this on the other side.

1:02:39.690 --> 1:02:41.370
The first thing I'll do is I'll copy it.

1:02:42.840 --> 1:02:45.960
Starting from the first dash until the last dash.

1:02:45.960 --> 1:02:46.350
Remember?

1:02:46.350 --> 1:02:47.220
Dash to dash.

1:02:49.290 --> 1:02:50.160
Pasted where?

1:02:51.990 --> 1:02:52.980
On the notepad.

1:02:54.380 --> 1:02:55.430
Go to R7.

1:02:56.240 --> 1:02:59.000
Use what command crypto key import.

1:03:01.040 --> 1:03:04.280
It says, okay, what is the local label?

1:03:04.280 --> 1:03:05.540
What do you want to label them here?

1:03:05.540 --> 1:03:06.710
I'll label them the same.

1:03:08.220 --> 1:03:10.500
Do you want them to be exportable from here too?

1:03:10.500 --> 1:03:12.090
No, I don't want them to be exportable.

1:03:12.090 --> 1:03:13.940
I want them to stay here.

1:03:13.950 --> 1:03:15.450
How are you importing them?

1:03:17.610 --> 1:03:18.360
Using terminal.

1:03:18.750 --> 1:03:21.600
What is the password that they are encrypted with?

1:03:25.110 --> 1:03:28.500
Says paste the public, not the private, only the public part of it.

1:03:28.500 --> 1:03:29.850
Again, dash to dash.

1:03:30.980 --> 1:03:32.390
The public is.

1:03:33.570 --> 1:03:34.710
From this dash to.

1:03:37.030 --> 1:03:40.090
It says Begin public.

1:03:40.660 --> 1:03:41.170
Public.

1:03:41.350 --> 1:03:41.620
Okay.

1:03:41.620 --> 1:03:41.920
Sorry.

1:03:41.920 --> 1:03:42.220
Yeah.

1:03:42.640 --> 1:03:43.750
Public to public.

1:03:45.930 --> 1:03:46.740
I'll paste it here.

1:03:46.740 --> 1:03:47.580
Press the enter key.

1:03:50.490 --> 1:03:51.690
He says now paste the.

1:03:52.850 --> 1:03:53.140
Private.

1:03:54.220 --> 1:03:55.090
Dash to dash.

1:03:55.510 --> 1:03:56.410
End of private.

1:03:58.110 --> 1:03:58.710
Copy it.

1:04:00.530 --> 1:04:01.280
Paste it.

1:04:02.440 --> 1:04:02.830
Press.

1:04:02.830 --> 1:04:03.850
Q To quit.

1:04:05.480 --> 1:04:06.530
Quit, so I'd type.

1:04:06.550 --> 1:04:06.940
Quit.

1:04:07.350 --> 1:04:07.670
Quit.

1:04:10.630 --> 1:04:12.100
All right, I'll do it again.

1:04:12.100 --> 1:04:15.700
Crypto zeroize RSA.

1:04:15.730 --> 1:04:18.640
I might have made a mistake with the Q, so I'll copy it again.

1:04:24.280 --> 1:04:24.640
Again.

1:04:24.670 --> 1:04:26.590
Crypto key import.

1:04:28.190 --> 1:04:28.670
RSA.

1:04:30.890 --> 1:04:31.220
Right.

1:04:31.220 --> 1:04:36.110
I want the name to be getkeys, and using terminal.

1:04:36.350 --> 1:04:38.120
The password is Cisco.

1:04:39.510 --> 1:04:40.710
There is the public part.

1:04:49.050 --> 1:04:49.770
Press the enter key.

1:04:50.540 --> 1:04:51.200
Twice.

1:04:53.060 --> 1:04:53.660
The private.

1:05:00.520 --> 1:05:00.850
Quit.

1:05:02.280 --> 1:05:07.440
He puts out succeeded. show crypto key mypubkey.

1:05:12.130 --> 1:05:12.760
You have the key.

1:05:12.760 --> 1:05:17.890
The same private and public key that you have on the other side is the one which you have here.

1:05:20.210 --> 1:05:21.410
Now let's do the configs.

1:05:23.300 --> 1:05:25.700
Now this is going to be another server, right?

1:05:26.090 --> 1:05:27.560
How do you configure the server?

1:05:28.770 --> 1:05:31.110
First of all, the policies, do they remain the same?

1:05:31.140 --> 1:05:33.870
Obviously, yes, I did.

1:05:33.870 --> 1:05:34.920
I removed everything.

1:05:34.920 --> 1:05:37.140
So I'll just copy everything from this side.

1:05:37.410 --> 1:05:39.840
Do show run section.

1:06:04.690 --> 1:06:05.400
And there you go.

1:06:06.480 --> 1:06:13.140
Show crypto: if you see it, it has gone and registered itself again.

1:06:14.060 --> 1:06:16.010
So you'll see a new key has come.

1:06:16.010 --> 1:06:16.760
He's using this key.

1:06:16.790 --> 1:06:20.240
He still has the old one because he goes 5% less than that.

1:06:20.240 --> 1:06:21.650
Time to go up and register itself.

1:06:21.650 --> 1:06:21.950
Right.

1:06:22.160 --> 1:06:26.210
So what you see here is the second key, the one which you have received, which you're using for encryption

1:06:26.210 --> 1:06:26.750
decryption.

1:06:26.780 --> 1:06:28.160
This has not been used.

1:06:28.190 --> 1:06:31.610
This will time out after the amount of time.

1:06:33.660 --> 1:06:34.470
R6.

1:06:35.130 --> 1:06:36.360
What do I need to copy?

1:06:36.360 --> 1:06:37.290
I need to copy this.

1:06:37.290 --> 1:06:38.760
I need to copy this, this.

1:06:38.760 --> 1:06:39.720
This right here.

1:06:40.590 --> 1:06:41.000
Same.

1:06:41.060 --> 1:06:41.590
Same.

1:06:41.590 --> 1:06:42.160
Same.

1:06:42.160 --> 1:06:42.680
Same.

1:06:42.680 --> 1:06:42.980
Same.

1:06:42.980 --> 1:06:43.260
Same.

1:06:43.260 --> 1:06:43.740
Same.

1:06:45.800 --> 1:06:48.830
Everything is the same except for the address.

1:06:53.560 --> 1:06:54.550
Address is what?

1:06:55.480 --> 1:06:58.870
Server address is 10.77.77.7.

1:06:58.870 --> 1:07:00.580
That address?

1:07:05.980 --> 1:07:06.550
Show run.

1:07:08.310 --> 1:07:08.850
Section.

1:07:14.440 --> 1:07:15.690
Something is incomplete here.

1:07:15.700 --> 1:07:16.970
What address?

1:07:17.020 --> 1:07:17.400
Access list.

1:07:17.410 --> 1:07:18.440
This is not created.

1:07:19.750 --> 1:07:20.050
Okay.

1:07:20.230 --> 1:07:21.970
Now, this is important.

1:07:23.250 --> 1:07:24.450
This is important.

1:07:24.450 --> 1:07:25.560
What is important?

1:07:25.590 --> 1:07:27.720
Everything that you configure on one server.

1:07:29.500 --> 1:07:30.910
Should be the same on the other side.

1:07:31.420 --> 1:07:31.990
Why?

1:07:32.020 --> 1:07:36.760
Because when they're trying to communicate to each other, they will exchange and see.

1:07:37.360 --> 1:07:38.470
The characters.

1:07:38.980 --> 1:07:43.300
If the characters don't match, they will not become co-op.

1:07:43.960 --> 1:07:45.610
They will not co-op cooperate.

1:07:46.850 --> 1:07:49.670
They will not become part of the same cooperative group.

1:07:49.670 --> 1:07:53.210
As long as everything matches, it's all right because they will tally.

1:07:54.100 --> 1:07:54.490
Okay.

1:07:54.490 --> 1:07:55.060
Here.

1:07:55.060 --> 1:07:55.900
Something is missing.

1:07:55.900 --> 1:08:02.290
I need to create the access list 101: permit traffic from 10.0.0.0 to 10.0.0.0.

1:08:04.930 --> 1:08:05.890
Forgot the IP again.

1:08:08.960 --> 1:08:10.880
Show run section crypto.

1:08:12.790 --> 1:08:13.990
See if everything is okay.

1:08:15.310 --> 1:08:16.460
Everything is correct.

1:08:16.480 --> 1:08:17.500
Everything matches.

1:08:17.500 --> 1:08:17.860
Address.

1:08:17.860 --> 1:08:19.850
The same identity number is the same.

1:08:19.870 --> 1:08:21.640
The name does not really matter.

1:08:21.670 --> 1:08:22.000
Right?

1:08:22.030 --> 1:08:22.720
300 seconds.

1:08:22.900 --> 1:08:23.380
Key transcript.

1:08:23.380 --> 1:08:23.740
Everything.

1:08:27.360 --> 1:08:27.870
That's the thing.

1:08:27.870 --> 1:08:29.460
I have not configured that part yet.

1:08:29.940 --> 1:08:31.290
I'll configure that now.

1:08:33.790 --> 1:08:34.300
Crypto.

1:08:34.300 --> 1:08:36.630
I am already in here, but let me show you from here.

1:08:36.640 --> 1:08:38.560
crypto gdoi group.

1:08:39.560 --> 1:08:40.430
Sales.

1:08:40.520 --> 1:08:41.040
S.

1:08:42.250 --> 1:08:43.480
Server is local.

1:08:45.180 --> 1:08:45.900
It's called.

1:08:49.380 --> 1:08:50.100
Redundancy.

1:08:51.090 --> 1:08:53.020
Not a lot of things that you have to configure here.

1:08:53.040 --> 1:08:54.070
Only two things.

1:08:54.090 --> 1:08:55.110
One is.

1:08:56.050 --> 1:08:57.370
What is the address?

1:09:00.080 --> 1:09:01.400
What is the peer's address here?

1:09:03.470 --> 1:09:08.810
The peer with whom I'm creating my redundancy is 10.77.77.7.

1:09:09.680 --> 1:09:11.060
There's also another thing called.

1:09:13.750 --> 1:09:14.800
Local priority.

1:09:16.570 --> 1:09:17.940
This is what matters.

1:09:17.950 --> 1:09:24.400
This is what makes you the primary or the secondary: the better the priority, the better your chances.

1:09:24.400 --> 1:09:26.110
I'll keep the priority here as.

1:09:32.700 --> 1:09:36.510
crypto gdoi group, also the same.

1:09:37.010 --> 1:09:37.370
See?

1:09:37.380 --> 1:09:37.980
What does he say?

1:09:38.220 --> 1:09:40.560
Contact from unauthorized source.

1:09:41.500 --> 1:09:44.080
Possible misconfiguration of peer or local address.

1:09:44.440 --> 1:09:46.360
Because from here I have not configured it.

1:09:46.390 --> 1:09:48.220
The other guy is trying to contact me.

1:09:48.250 --> 1:09:51.670
They are not able to communicate, so I need to configure the same things here.

1:09:51.670 --> 1:09:54.880
I'll say server local redundancy.

1:09:56.290 --> 1:09:57.220
Local priority.

1:09:57.220 --> 1:09:58.120
I'll keep it 50.

1:09:59.280 --> 1:10:00.380
Address here.

1:10:00.390 --> 1:10:01.170
Address?

1:10:01.990 --> 1:10:03.340
IPv4 is what?

1:10:06.500 --> 1:10:07.040
66.

1:10:07.040 --> 1:10:07.580
66.

1:10:08.380 --> 1:10:08.710
Six.

1:10:09.070 --> 1:10:13.360
KS is entering, what, election mode in the group sales.

1:10:13.660 --> 1:10:15.490
In the election they will choose.

1:10:16.520 --> 1:10:17.960
Who's going to be the primary.

1:10:18.020 --> 1:10:19.340
Who's going to be the secondary?

1:10:21.030 --> 1:10:22.380
The good thing is.

1:10:31.660 --> 1:10:35.590
I already have a GDOI_IDLE between the first and the second.

1:10:35.740 --> 1:10:37.360
But have they entered?

1:10:38.050 --> 1:10:38.680
Yes.

1:10:38.680 --> 1:10:40.510
This guy has already transitioned.

1:10:40.510 --> 1:10:40.930
To what?

1:10:42.580 --> 1:10:44.350
10.6 has transitioned to.

1:10:46.710 --> 1:10:48.930
Then 10.6 has transitioned to primary.

1:10:50.210 --> 1:10:51.020
Which is the other guy.

1:10:51.470 --> 1:10:55.100
No, R7 is me, so my ISAKMP is fine.

1:10:55.100 --> 1:10:56.330
I have received the public key.

1:10:57.700 --> 1:10:58.360
From the guy.

1:10:58.660 --> 1:10:59.560
Everything is okay.

1:10:59.590 --> 1:11:00.370
Show crypto.

1:11:03.540 --> 1:11:06.600
IPsec SA. Show crypto.

1:11:09.960 --> 1:11:11.370
Check out the information in my.

1:11:11.610 --> 1:11:14.340
You will be amazed how much these two talk.

1:11:15.250 --> 1:11:20.320
How much the two servers talk to each other; why, the other server even told him how many group members

1:11:20.320 --> 1:11:21.220
have registered.

1:11:21.940 --> 1:11:24.880
The other server told him that he's alive.

1:11:24.910 --> 1:11:27.700
The remaining lifetime in the group.

1:11:27.710 --> 1:11:29.080
Rekey is also here.

1:11:30.100 --> 1:11:32.500
They're actually talking to each other all the time.

1:11:35.130 --> 1:11:35.650
Stay tuned.

1:11:35.670 --> 1:11:36.270
See that?

1:11:36.960 --> 1:11:39.570
The retransmit period is here.

1:11:39.600 --> 1:11:41.790
This should match on both of them, by the way.

1:11:41.790 --> 1:11:43.740
If it doesn't match, they will not create neighbors.

1:11:43.770 --> 1:11:45.480
They will not talk to each other.

1:11:45.600 --> 1:11:46.020
I see.

1:11:46.440 --> 1:11:47.830
Lifetime is 3600.

1:11:48.090 --> 1:11:49.890
Time is 3600 too.

1:11:49.890 --> 1:11:50.450
Right?

1:11:50.520 --> 1:11:54.420
The remaining lifetime on all the peers is 2099.

1:11:56.050 --> 1:11:59.170
Right, the access list that is being pushed down is 101.

1:12:00.950 --> 1:12:03.200
Right, all of this information also.

1:12:04.860 --> 1:12:09.440
There's also another command: show crypto gdoi ks coop.

1:12:11.270 --> 1:12:13.370
It shows you the keepalives between the two.

1:12:15.310 --> 1:12:17.740
This keepalive is every 30s.

1:12:19.010 --> 1:12:20.030
Out of that right now.

1:12:20.060 --> 1:12:21.230
13 seconds are left.

1:12:22.040 --> 1:12:26.240
They'll keep on sending Keepalives from one side to the other side to make sure they are communicating

1:12:26.240 --> 1:12:26.870
to each other.

1:12:27.140 --> 1:12:28.890
Right, then anti-replay.

1:12:28.910 --> 1:12:30.500
I'll talk about that later.

1:12:31.600 --> 1:12:32.620
What do you have?

1:12:32.860 --> 1:12:33.460
The peer.

1:12:33.490 --> 1:12:34.180
Who's my peer?

1:12:34.210 --> 1:12:35.500
The peer is 10.6.

1:12:35.500 --> 1:12:36.520
He is the primary.

1:12:37.150 --> 1:12:38.890
Its priority is ten.

1:12:38.920 --> 1:12:39.970
Sorry, 100.

1:12:40.700 --> 1:12:42.620
IKE has been established with him.

1:12:43.400 --> 1:12:48.590
I've established my session with him already and we have certain packets which have been sent and dropped.

1:12:48.620 --> 1:12:53.060
Nothing has been dropped until now in my communication with the peer.

1:12:53.060 --> 1:12:54.380
So this is for troubleshooting.

1:12:56.640 --> 1:12:58.910
This part is for your troubleshooting between the thing.

1:12:58.920 --> 1:13:02.670
The good thing here is what I can do.

1:13:06.440 --> 1:13:09.450
From my router side, from the client side.

1:13:09.470 --> 1:13:11.120
Right now they're pointing to whom?

1:13:12.940 --> 1:13:14.320
10.66.66.6.

1:13:14.500 --> 1:13:15.720
I'll go to the group.

1:13:20.690 --> 1:13:21.740
Address.

1:13:23.200 --> 1:13:24.010
Server.

1:13:24.250 --> 1:13:24.500
Sorry.

1:13:24.520 --> 1:13:25.690
First I'll remove this.

1:13:29.230 --> 1:13:30.340
Then I'll put the address.

1:13:30.340 --> 1:13:31.000
As what?

1:13:34.490 --> 1:13:34.820
Ten.

1:13:34.870 --> 1:13:36.190
77.77.7.

1:13:38.780 --> 1:13:41.960
I'll configure not only one, but the other one also.

1:13:51.480 --> 1:13:52.270
Show crypto.

1:14:03.610 --> 1:14:07.120
Do a show run section.

1:14:07.960 --> 1:14:09.010
Something is missing here.

1:14:12.420 --> 1:14:12.930
Policy.

1:14:12.930 --> 1:14:13.980
ISAKMP?

1:14:14.010 --> 1:14:14.910
Yes.

1:14:18.260 --> 1:14:22.550
The pre-shared key is not pointing towards the right one: crypto isakmp key

1:14:23.270 --> 1:14:28.100
cisco address 10.77.77.7.

1:14:29.000 --> 1:14:29.840
Try to find it out.

1:14:29.870 --> 1:14:31.250
Point it also clear crypto.

1:14:31.880 --> 1:14:32.480
Yes please.

1:14:35.320 --> 1:14:36.490
Registration complete.

1:14:38.100 --> 1:14:38.670
Registration.

1:14:38.670 --> 1:14:39.540
Complete with whom?

1:14:40.870 --> 1:14:41.740
R7.

1:14:42.370 --> 1:14:44.380
I'm registering myself with R7.

1:14:46.060 --> 1:14:49.330
If you check show crypto isakmp sa.

1:14:52.800 --> 1:14:54.480
The first rekey was given to me.

1:14:54.480 --> 1:14:54.930
By whom?

1:14:57.420 --> 1:14:58.310
Also R7.

1:14:59.450 --> 1:15:00.860
Because I created with him.

1:15:00.860 --> 1:15:03.280
He gives me the key, the TEK.

1:15:04.340 --> 1:15:06.810
The remaining keys will be coming from where?

1:15:08.980 --> 1:15:09.700
From the band's.

1:15:12.240 --> 1:15:13.380
All the remaining keys.

1:15:13.380 --> 1:15:16.020
The keys will be coming in from the secondary server.

1:15:16.020 --> 1:15:17.490
I'll do the same exact thing here.

1:15:18.030 --> 1:15:19.730
crypto isakmp key.

1:15:19.770 --> 1:15:21.450
Cisco Address.

1:15:24.350 --> 1:15:25.100
So.

1:15:27.490 --> 1:15:31.240
I did the same exact thing on how to show crypto.

1:15:31.510 --> 1:15:36.240
If you check the gdoi here, you'll see that the active group server is whom?

1:15:36.760 --> 1:15:39.130
10.77.77.7.

1:15:39.850 --> 1:15:41.320
How many servers in my list?

1:15:42.350 --> 1:15:44.480
Two because locally I specified both.

1:15:44.480 --> 1:15:44.670
Right.

1:15:44.720 --> 1:15:46.690
Server 10.7.

1:15:46.700 --> 1:15:48.530
Server 10.6.

1:15:48.560 --> 1:15:51.110
Then I registered myself back in.

1:15:53.200 --> 1:15:54.520
20/402.

1:15:54.800 --> 1:15:59.200
Rekey received two minutes, 44 seconds.

1:15:59.200 --> 1:16:01.420
Then the other stuff is the same.

1:16:02.260 --> 1:16:05.550
Inbound direction, outbound direction. show crypto isakmp sa.

1:16:05.700 --> 1:16:08.920
If you check right now, everything that I've received is from where?

1:16:10.140 --> 1:16:10.920
10.7.

1:16:11.940 --> 1:16:14.580
Check out R1: show crypto isakmp sa.

1:16:16.200 --> 1:16:18.750
Where did it receive the latest rekey from?

1:16:23.710 --> 1:16:24.520
From the primary.

1:16:26.610 --> 1:16:34.800
So in GETVPN, however many servers you have, as many as you want to have,

1:16:35.070 --> 1:16:39.600
the clients or the group members can register themselves.

1:16:40.410 --> 1:16:42.690
They can register themselves to any one of them.

1:16:43.350 --> 1:16:48.510
But in the whole system, the keys will only be managed by one of the servers.

1:16:49.330 --> 1:16:54.850
Which periodically, with the remaining lifetime, will always keep on rekeying the group members.

1:16:55.790 --> 1:16:58.380
Depending upon its time, the one which you have set.

1:16:58.430 --> 1:17:00.890
The rekey will always be done by the primary.

1:17:01.550 --> 1:17:02.840
Always by the primary.

1:17:04.530 --> 1:17:09.810
Right now, if the primary goes down, the secondary will take over as the primary.

1:17:09.840 --> 1:17:12.270
It already has the information that it needs.

1:17:12.300 --> 1:17:13.200
It already has.

1:17:13.200 --> 1:17:16.590
The set of private and public keys; it doesn't need anything else.

1:17:17.440 --> 1:17:21.760
It uses that information to become the primary, then handles the rekeys henceforth.

1:17:24.740 --> 1:17:26.000
And rekeys henceforth.

1:17:29.130 --> 1:17:30.210
The rekey request.

1:17:31.930 --> 1:17:33.880
Did you know it's managed by the server?

1:17:35.940 --> 1:17:36.650
Yes.

1:17:36.660 --> 1:17:38.480
The rekey timer is kept by the server.

1:17:40.890 --> 1:17:42.870
The clients are just dumb terminals here.

1:17:43.290 --> 1:17:44.540
They just receive the key.

1:17:44.550 --> 1:17:46.710
They encrypt and decrypt, encrypt and decrypt.

1:17:46.890 --> 1:17:49.190
The job is just to receive the key and start encrypting.

1:17:49.950 --> 1:17:51.120
That's absolutely done.

1:17:51.730 --> 1:17:57.240
See, I wanted to check on R2. Show crypto isakmp: this rekey here is also coming from.

1:17:59.920 --> 1:18:00.130
In.

1:18:02.660 --> 1:18:05.510
R6. For the first time they register,

1:18:05.510 --> 1:18:06.770
The key is given by the server.

1:18:06.770 --> 1:18:10.850
But since they are talking to each other, they exchange what they're talking so they know what key

1:18:10.850 --> 1:18:11.840
is being sent down.

1:18:11.870 --> 1:18:13.760
They send the same key down from the other side.

1:18:15.460 --> 1:18:15.820
Right.

1:18:17.960 --> 1:18:20.870
Show crypto isakmp sa, R6.

1:18:22.930 --> 1:18:24.460
Show crypto isakmp here.

1:18:30.160 --> 1:18:31.480
IDLE with all these people.

1:18:33.930 --> 1:18:34.350
Okay.

1:18:37.110 --> 1:18:39.900
All right, Now, how do I check all of this?

1:18:39.900 --> 1:18:43.380
I will turn off what? My main server.

1:18:44.280 --> 1:18:47.490
Before I do that, there's another command which you need to check.

1:18:47.520 --> 1:18:49.860
It's called show crypto.

1:18:50.370 --> 1:18:53.250
ks members.

1:18:55.100 --> 1:18:57.710
Very good command, very good for troubleshooting.

1:18:58.250 --> 1:19:01.610
Show crypto key server members.

1:19:02.990 --> 1:19:03.800
Shows you.

1:19:04.630 --> 1:19:07.390
Which group members are registered to which key server.

1:19:07.420 --> 1:19:09.970
Because in production you can have many key servers, right?

1:19:09.970 --> 1:19:14.710
But any one you can go to any one of the key server and check from there who is registered to whom.

1:19:14.740 --> 1:19:20.500
Here it's telling you 25.2 is registered to 10.6 plus the characters which it has.

1:19:20.530 --> 1:19:22.360
How many keys has he received?

1:19:22.390 --> 1:19:23.980
How many has he acknowledged?

1:19:26.670 --> 1:19:28.590
35.3 is also registered to.

1:19:32.170 --> 1:19:37.270
45.4 is registered to that; right now, only 15.1 is registered to

1:19:38.830 --> 1:19:39.830
10.77.

1:19:40.420 --> 1:19:41.980
It shows you that information.

1:19:41.980 --> 1:19:47.460
You can check it from R7 also: show crypto KS.

1:19:49.630 --> 1:19:53.620
15.1 is to me, 25.2 is to 66.

1:19:53.890 --> 1:19:55.690
35.3 is to 66.

1:19:55.720 --> 1:19:57.850
45.4 is to 66.

1:20:00.920 --> 1:20:02.030
The same information.

1:20:02.480 --> 1:20:04.340
Both of them will share.

1:20:04.670 --> 1:20:07.280
15.1 is with 77 only from here.

1:20:07.280 --> 1:20:09.710
Also 15.1 is with 77.

1:20:11.140 --> 1:20:12.790
This shows that they communicate with each other.

1:20:14.640 --> 1:20:17.370
How do you check the redundancy?

1:20:20.170 --> 1:20:20.590
Stop.

1:20:20.860 --> 1:20:23.710
Now, you might ask that the time is a lot.

1:20:23.740 --> 1:20:26.020
30s plus the retry and all those things.

1:20:26.020 --> 1:20:26.890
The time is a lot.

1:20:26.920 --> 1:20:31.300
It really is not a lot because you already have 3600 seconds on your TEK.

1:20:32.560 --> 1:20:38.110
So by the time your TEK is expiring, first of all, you have five seconds left.

1:20:38.110 --> 1:20:39.910
5% of the time less than that.

1:20:40.270 --> 1:20:43.000
Even if you can't reach your server, you have 5% of the time.

1:20:43.000 --> 1:20:47.430
That's more than 90s for you to work around with that key.

1:20:48.670 --> 1:20:53.620
So even if the server is down, 30s is more than enough for them to make the shift to the other side.

1:20:54.530 --> 1:20:54.890
Right.

1:20:54.920 --> 1:20:57.290
You will see when the other side comes.

1:20:57.290 --> 1:20:59.360
Up until now, the rekey was done.

1:20:59.360 --> 1:20:59.750
By whom?

1:20:59.780 --> 1:21:01.010
10.66.66.6.

1:21:03.750 --> 1:21:04.170
Right.

1:21:04.940 --> 1:21:07.310
That was always done by 10.66.

1:21:07.310 --> 1:21:10.460
You will see when 10.7 becomes the primary.

1:21:10.820 --> 1:21:12.410
The rekey will be done by.

1:21:15.200 --> 1:21:17.080
R7 will send out the rekeys.

1:21:18.110 --> 1:21:19.730
And so how do you check it?

1:21:19.910 --> 1:21:20.760
Show crypto.

1:21:22.600 --> 1:21:23.220
What is the command?

1:21:27.690 --> 1:21:28.400
ks coop.

1:21:31.590 --> 1:21:32.520
He tries to.

1:21:34.260 --> 1:21:36.420
The third time, I'll consider him dead.

1:21:38.460 --> 1:21:39.210
Five.

1:21:41.130 --> 1:21:41.550
To.

1:21:43.320 --> 1:21:43.650
Zero.

1:21:45.560 --> 1:21:46.550
The Ricky is dead.

1:21:46.700 --> 1:21:47.060
Sorry.

1:21:47.060 --> 1:21:48.260
The server is dead.

1:21:49.990 --> 1:21:52.690
I'm transitioning toward primary.

1:21:53.200 --> 1:21:53.770
I'm sending.

1:21:53.770 --> 1:21:54.130
What?

1:21:56.270 --> 1:21:58.640
All of them will now receive their keys.

1:21:58.640 --> 1:21:59.300
From whom?

1:22:01.950 --> 1:22:03.180
The secondary server.

1:22:06.370 --> 1:22:08.560
They will receive their keys from the secondary server.

1:22:09.910 --> 1:22:10.690
Is this clear?

1:22:12.310 --> 1:22:13.060
The concept.

1:22:13.740 --> 1:22:15.150
You'll have to practice.

1:22:15.720 --> 1:22:18.120
If you remember, I warned you about this week.

1:22:18.420 --> 1:22:19.590
This is just the beginning.

1:22:21.910 --> 1:22:22.240
Okay.

1:22:22.570 --> 1:22:23.420
Tomorrow is a light day.

1:22:23.440 --> 1:22:25.760
Tomorrow you have not much to do.

1:22:25.780 --> 1:22:28.510
Practice this until we reach easy VPN.

1:22:29.560 --> 1:22:30.070
Finish it off.

1:22:34.870 --> 1:22:35.080
Only.

1:22:36.660 --> 1:22:40.600
Light one big and a small one to cover it today.

1:22:41.990 --> 1:22:46.940
Now, another thing that I have to show you is if you check your crypto IPsec right now, you'll see

1:22:46.940 --> 1:22:49.520
that Anti-replay protection support is there.

1:22:51.410 --> 1:22:52.790
The support is there.

1:22:54.770 --> 1:22:56.450
But if you check your crypto.

1:23:00.190 --> 1:23:02.200
You'll see that MTV plays disabled.

1:23:04.170 --> 1:23:05.580
And you'll see two keys here.

1:23:06.690 --> 1:23:07.080
Two keys.

1:23:07.080 --> 1:23:10.140
Because this was the old key which came down from the previous server.

1:23:10.170 --> 1:23:12.750
Now, that server died, but the key is still here.

1:23:14.270 --> 1:23:18.320
Now I'm using the key from the second server, the one which I just received, and this is a new key

1:23:18.320 --> 1:23:19.310
which was just generated.

1:23:21.120 --> 1:23:22.530
Right now.

1:23:22.530 --> 1:23:23.450
MTV play.

1:23:23.460 --> 1:23:25.200
What is what is play?

1:23:25.230 --> 1:23:26.010
You know.

1:23:28.160 --> 1:23:30.400
Distinguishing whether you have already got the package.

1:23:32.050 --> 1:23:33.970
Of that sequence number if you've already got it.

1:23:34.000 --> 1:23:37.540
So if you have two hosts, even if they are running IPsec.

1:23:39.340 --> 1:23:40.540
But I said something.

1:23:41.080 --> 1:23:45.040
There's something known as a sequence number attack, Which a person can do is it can take a packet.

1:23:46.680 --> 1:23:46.920
Right.

1:23:47.310 --> 1:23:52.630
Based on the sequence number, he'll keep on sending the same packet again and again and again.

1:23:52.650 --> 1:23:53.010
Replay.

1:23:53.010 --> 1:23:53.280
Attack.

1:23:54.480 --> 1:23:55.850
The same packet will be sent again.

1:23:55.860 --> 1:23:57.900
He'll replicate it and send it again.

1:23:57.930 --> 1:24:03.360
Since the other guy will accept it because it's part of the number matches and all the other things

1:24:03.360 --> 1:24:06.180
match, it will accept the packet again and again and again.

1:24:08.690 --> 1:24:09.070
Right.

1:24:09.140 --> 1:24:10.670
Replay Attack an IPsec.

1:24:10.700 --> 1:24:17.120
No one can tamper the data, But they can do is they can take a part of the data and start transmitting

1:24:17.120 --> 1:24:18.800
it again and again and again.

1:24:20.160 --> 1:24:21.570
To protect this from happening.

1:24:22.760 --> 1:24:26.840
You have anti sequence, you have two ways of doing it.

1:24:27.200 --> 1:24:31.100
One by default, if you check is enabled on your VPN.

1:24:31.550 --> 1:24:34.670
If you go to show run section crypto.

1:24:39.170 --> 1:24:39.500
Sorry.

1:24:39.500 --> 1:24:39.950
Not here.

1:24:40.190 --> 1:24:40.670
The server.

1:24:48.090 --> 1:24:52.920
If you check your crypto, you'll see that by default it's counter based.

1:24:52.950 --> 1:24:55.470
Window size is 64.

1:24:55.560 --> 1:24:56.610
Counter based.

1:24:56.640 --> 1:24:58.020
Sequence number based.

1:24:59.170 --> 1:25:00.820
It keeps track of sequence numbers.

1:25:00.820 --> 1:25:02.050
So I send this sequence number.

1:25:02.050 --> 1:25:03.640
I should receive this sequence number.

1:25:03.640 --> 1:25:04.870
I send this sequence number.

1:25:04.870 --> 1:25:08.230
I should keep track of this sequence number, which is dangerous.

1:25:10.220 --> 1:25:14.330
Which is dangerous, should not be based on sequence number, should be based on time.

1:25:15.480 --> 1:25:16.920
We call this T bar.

1:25:18.360 --> 1:25:20.250
Time based anti-replay detection.

1:25:21.000 --> 1:25:22.260
How do you enable it?

1:25:22.290 --> 1:25:23.100
It's pretty simple.

1:25:23.100 --> 1:25:26.070
You just go crypto gdoi group.

1:25:26.780 --> 1:25:28.070
Sales s.

1:25:29.290 --> 1:25:30.430
So the local.

1:25:32.560 --> 1:25:35.350
You have a IPsec ten.

1:25:37.070 --> 1:25:37.580
We play.

1:25:38.720 --> 1:25:43.400
Not counter based using sequence numbers, but time based.

1:25:45.250 --> 1:25:45.990
Window size.

1:25:46.000 --> 1:25:49.060
Now for the time, you can set the window size in seconds.

1:25:49.180 --> 1:25:51.130
I could say, for example, 10s.

1:25:53.290 --> 1:25:56.590
And you clear it from the servers, Clear crypto.

1:25:57.220 --> 1:26:03.430
What this does is now it will keep a track of time when I send a packet.

1:26:04.030 --> 1:26:06.760
I'll increase the counter for 10s.

1:26:08.130 --> 1:26:11.870
I should receive a reply within 10s.

1:26:13.190 --> 1:26:17.600
If I'm sending a sequence number, the next sequence number should be coming back in 10s.

1:26:17.720 --> 1:26:20.960
If I don't receive it in 10s, I'll consider this packet to be lost.

1:26:23.560 --> 1:26:24.070
Which is good.

1:26:24.080 --> 1:26:29.020
Why anyone who is replicating your packets, it will take time for him to replicate the packets.

1:26:33.240 --> 1:26:33.630
The.

1:26:36.610 --> 1:26:37.900
And that's replay.

1:26:38.710 --> 1:26:41.590
Yeah, that's replays and replays to protect against that.

1:26:41.590 --> 1:26:42.480
Protect against that.

1:26:42.910 --> 1:26:44.020
That's what we are doing right now.

1:26:44.380 --> 1:26:46.960
First, it was based on sequence numbers, which was dangerous.

1:26:47.920 --> 1:26:49.390
Now we're doing it based on time.

1:26:49.390 --> 1:26:53.290
So we are keeping a time frame that he cannot replicate it within this amount of time.

1:26:54.440 --> 1:26:56.090
On because I already have.

1:26:57.280 --> 1:27:02.290
So with that amount of if he doesn't because if it comes back, if the packet comes back after that

1:27:02.290 --> 1:27:04.660
amount of time, do not accept that packet.

1:27:06.440 --> 1:27:06.800
Okay.

1:27:07.040 --> 1:27:08.890
So I'm expecting a sequence number.

1:27:08.900 --> 1:27:13.040
I'm expecting it within five seconds if I don't get it within five seconds.

1:27:13.860 --> 1:27:14.180
He's.

1:27:14.190 --> 1:27:19.380
I'm supposed to send the previous sequence number again because there is a chance that someone has someone

1:27:19.380 --> 1:27:21.630
is trying to replicate it and send it back to me again.

1:27:21.630 --> 1:27:23.160
So show crypto.

1:27:23.190 --> 1:27:24.240
I just did it.

1:27:24.240 --> 1:27:25.860
So if you do your IPsec.

1:27:27.220 --> 1:27:28.780
The support is on show.

1:27:28.780 --> 1:27:34.500
Crypto guy will show you that your anti-replay is not the first one.

1:27:34.510 --> 1:27:36.340
The second one the first one is the old key.

1:27:37.870 --> 1:27:39.340
This is the actual one which you're using.

1:27:43.520 --> 1:27:44.180
Time based.

1:27:45.490 --> 1:27:47.050
Your replaced time based.

1:27:50.260 --> 1:27:50.560
No, no.

1:27:50.580 --> 1:27:52.080
I cleared it from here.

1:27:52.080 --> 1:27:53.040
I said clear crypto.

1:27:53.580 --> 1:27:54.740
It went and registered.

1:27:54.750 --> 1:27:55.290
That's why.

1:27:55.290 --> 1:27:57.420
Now you see a third side, three sets of keys.

1:27:59.080 --> 1:28:00.160
One, two and three.

1:28:00.190 --> 1:28:01.510
This is from the old one.

1:28:01.750 --> 1:28:03.460
This is because I cleared midway.

1:28:03.460 --> 1:28:05.700
So it had these ones were still left.

1:28:05.710 --> 1:28:10.390
So because I cleared, I got another one from the server side.

1:28:14.520 --> 1:28:16.380
Clear all you have to.

1:28:16.410 --> 1:28:17.490
Yes, you can do that.

1:28:17.490 --> 1:28:21.900
You have to remove the crypto map first and you have to create it from the server side because he's

1:28:21.900 --> 1:28:23.280
the one who keeps track of the keys.

1:28:23.460 --> 1:28:28.800
So you have to clear it from clear crypto, from the server, then from each of the clients, then register

1:28:28.800 --> 1:28:28.920
it.

1:28:32.050 --> 1:28:32.290
Right?

1:28:32.290 --> 1:28:33.250
Because clients.

1:28:33.250 --> 1:28:34.090
I told you are dumb.

1:28:34.630 --> 1:28:36.100
Everything is done by the server.

1:28:37.330 --> 1:28:37.840
The client.

1:28:37.930 --> 1:28:39.240
You cannot just clear from the client.

1:28:39.250 --> 1:28:40.860
You also have to clear from the server side.

1:28:43.380 --> 1:28:44.100
Is this clear?

1:28:44.520 --> 1:28:45.430
This is your gateway.

1:28:46.230 --> 1:28:51.000
Now, I know that right now there's a lot of information in here.

1:28:52.380 --> 1:28:53.370
A lot of it.

1:28:53.460 --> 1:28:54.910
You have keys going on.

1:28:54.930 --> 1:28:56.190
You have co op happening.

1:28:56.190 --> 1:28:57.390
So many different things.

1:28:57.390 --> 1:28:59.430
But try it once.

1:29:01.260 --> 1:29:02.790
Try it once and then.

1:29:02.790 --> 1:29:03.240
Let's see.

1:29:05.880 --> 1:29:06.330
One minute.

1:29:06.330 --> 1:29:06.990
30s.

1:29:06.990 --> 1:29:07.710
That's not much.
