WEBVTT

00:04.010 --> 00:04.250
Right.

00:06.440 --> 00:07.370
So, Easy VPN.

00:18.950 --> 00:23.340
Until now, what we've seen is whichever kind of VPN that we were dealing with until now.

00:23.360 --> 00:24.380
What did we see?

00:24.410 --> 00:28.640
Site-to-site VPN, DMVPN, GET VPN will do.

00:28.640 --> 00:30.170
All these VPNs have in common.

00:33.230 --> 00:33.950
They connect.

00:34.760 --> 00:36.460
Different sides of your companies.

00:37.400 --> 00:40.510
Off your company are basically two different sites.

00:42.760 --> 00:42.960
Right.

00:42.960 --> 00:48.750
So you have, let's say, three sites or another one right here connected through the Internet or any

00:48.750 --> 00:49.680
private cloud.

00:51.950 --> 00:57.290
VPN gives you protection; DMVPN gives you protection using a hub and spoke.

00:57.710 --> 01:02.930
GET VPN gives you the same over a private cloud, but you should have end to end connectivity.

01:02.960 --> 01:06.680
Site to site VPN also can be done using normal GRE tunnels.

01:06.950 --> 01:08.990
These are all site to site VPNs.

01:09.560 --> 01:13.850
Now today what we are going to have a look is at a remote access VPN.

01:14.030 --> 01:15.800
What is a remote access VPN?

01:17.950 --> 01:20.440
Remote access VPN is.

01:21.860 --> 01:23.090
I say this is a company.

01:24.280 --> 01:25.450
Connected to the Internet.

01:27.610 --> 01:27.910
Right.

01:29.370 --> 01:32.640
Nowadays this principle is getting very famous.

01:33.150 --> 01:36.510
This phenomenon that people call it work from home.

01:39.840 --> 01:40.350
It doesn't have.

01:41.580 --> 01:42.780
What is work from home?

01:44.060 --> 01:47.960
But the company will do is give you a laptop and they tell you, okay, go home.

01:48.750 --> 01:50.460
And work from there.

01:51.200 --> 01:51.500
Right.

01:51.500 --> 01:54.470
You connect up to your company's network from home and go there.

01:54.800 --> 01:57.260
You don't have to come to office.

01:57.380 --> 01:59.450
Give you a bunch of work and you're supposed to do it.

01:59.450 --> 02:04.340
But let's say for that work, you would require access to these servers.

02:08.140 --> 02:12.760
You require access to these servers, how will you use them on the Internet?

02:12.970 --> 02:15.820
Making sure that your connection is protected.

02:16.450 --> 02:21.430
Making sure no one can spy on these servers while you're connecting and talking to them.

02:22.170 --> 02:24.660
You use something known as remote access.

02:25.940 --> 02:28.220
VPN that can be accessed remotely.

02:29.160 --> 02:33.660
Now, the biggest thing here is until now, when you saw site to site VPN.

02:36.330 --> 02:40.830
The one thing that was common again was that all of them had IPS that were static.

02:42.670 --> 02:45.300
All of them had static IP addresses, right?

02:45.610 --> 02:47.200
Public IP addresses.

02:48.080 --> 02:50.600
Because they were already connected to the Internet.

02:50.810 --> 02:51.990
That is a prerequisite.

02:52.010 --> 02:52.190
Why?

02:52.220 --> 02:53.820
Because you use a set peer command here.

02:55.200 --> 02:57.450
Set peer and the peer's public address.

02:57.480 --> 02:58.620
What is the public address?

02:58.620 --> 02:59.450
Changes tomorrow.

03:01.120 --> 03:02.780
You need to go in here and change that part.

03:02.810 --> 03:03.010
Right.

03:03.010 --> 03:06.130
You need to change the outside header of where to route the packet.

03:08.970 --> 03:11.550
You understand in remote access VPN.

03:11.580 --> 03:14.250
The best part is that the other peer.

03:15.520 --> 03:18.240
Can have a dynamically changing IP address.

03:19.870 --> 03:22.180
So today it has an IP address of 30 dot zero.

03:22.180 --> 03:24.010
Tomorrow you can have 35.5.

03:25.640 --> 03:28.780
Doesn't really make a difference to you, to the server.

03:28.780 --> 03:29.230
Why?

03:29.260 --> 03:32.590
Because the connection will be initiated from the client side.

03:34.820 --> 03:40.640
So it really does not make any difference if this guy is sitting here working from home in Bangalore

03:40.670 --> 03:46.880
or he goes any part of the world, as long as it has connection, connectivity to the Internet, as

03:46.880 --> 03:48.740
long as he can reach this server.

03:53.270 --> 03:57.170
Right can create a tunnel with it as long as reachability.

03:57.200 --> 04:00.160
Layer three reachability is here with the server.

04:00.170 --> 04:02.150
He can create a tunnel with the server.

04:05.470 --> 04:06.130
Do you understand?

04:08.750 --> 04:10.730
How does it all come together?

04:11.960 --> 04:12.590
Now.

04:13.670 --> 04:15.770
Let's name this as the easy server.

04:22.330 --> 04:30.910
Now what we configure on the server, just like we did on your normal GET VPN, is you configure your

04:30.910 --> 04:31.810
policies.

04:36.580 --> 04:38.530
Now, there's a lot of concepts here coming together.

04:39.130 --> 04:40.690
Policies are configured here.

04:40.720 --> 04:42.520
Transform set is configured here.

04:45.320 --> 04:46.710
Write your ACL.

04:48.110 --> 04:50.000
Is configured here just like before.

04:51.380 --> 04:51.540
Right.

04:51.880 --> 04:53.140
And all of them will be what?

04:54.100 --> 04:55.120
Pushed down.

04:55.900 --> 04:56.500
To the client.

04:58.890 --> 05:01.620
You might ask what to do from the client side.

05:02.250 --> 05:07.140
Earlier in VPN, we used what identity number and all those things on the client side right here.

05:07.140 --> 05:08.490
What do I need to do here?

05:08.490 --> 05:11.010
You don't need much, you just need to enter.

05:12.420 --> 05:13.680
We call it group name.

05:17.320 --> 05:18.070
And password.

05:21.530 --> 05:22.010
That's it.

05:23.490 --> 05:24.720
A group name and a password.

05:25.410 --> 05:27.990
This group name can be anything now.

05:27.990 --> 05:30.240
It can be you can have multiple group names on.

05:31.530 --> 05:33.210
On one Easy VPN server.

05:33.660 --> 05:34.830
So you could have.

05:35.390 --> 05:36.350
Sales.

05:37.310 --> 05:39.680
As one group, we can have marketing.

05:40.780 --> 05:41.740
Has another group.

05:42.040 --> 05:44.500
You can have it as a third group.

05:45.200 --> 05:46.400
And so on and so forth.

05:47.340 --> 05:49.050
You can have as many as you wish.

05:50.060 --> 05:56.750
And then when this guy connects up, if he puts in the name as sales, the policies which are meant

05:56.750 --> 05:58.310
for sales will be pushed down to him.

06:00.500 --> 06:04.410
Policies for sales; if it logs in with the username of Mark,

06:04.430 --> 06:06.070
Mark's policies will be pushed down.

06:09.190 --> 06:09.460
Okay.

06:11.610 --> 06:12.150
Do you understand?

06:14.080 --> 06:14.740
Also.

06:17.200 --> 06:18.460
When you connect up, Right.

06:18.490 --> 06:19.630
Who initiates the connection?

06:19.630 --> 06:20.230
The client.

06:21.280 --> 06:22.870
Initiates the connection up there.

06:23.620 --> 06:27.250
What the server does is it also pushes down.

06:30.530 --> 06:32.000
An IP address.

06:34.860 --> 06:39.600
It pushes down an IP address from the tunnel to the device.

06:42.700 --> 06:45.500
Pushes down an IP address from the tunnel through the device.

06:45.520 --> 06:47.560
This IP address is installed.

06:49.000 --> 06:51.460
On an adapter here known as the VPN.

06:58.200 --> 06:59.040
The VPN adapter.

07:00.200 --> 07:02.330
Whenever you connect your tunnel.

07:03.460 --> 07:06.520
An IP address is going to be pushed down from there from the server.

07:08.810 --> 07:10.430
Why is this IP address important?

07:12.270 --> 07:20.430
Let's say this IP address that has been, now you configure it, let's say 192.168.1.0/24.

07:21.090 --> 07:25.170
You configure it as this pool, you give it a pool, you say, okay, the IP address for the client

07:25.170 --> 07:26.570
should be given out from this pool.

07:28.350 --> 07:28.650
Right.

07:28.650 --> 07:32.200
So when the VPN adapter gets the address, what address does it get?

07:32.220 --> 07:35.220
192.168.1..

07:35.220 --> 07:35.940
Let's say one.

07:37.210 --> 07:37.390
Ten.

07:38.430 --> 07:39.750
Why is this address important?

07:40.020 --> 07:44.100
Is because the client now makes the decision based on this address.

07:44.460 --> 07:51.720
Anything that will be sourced from the address of 192.168.10.1 will go through the tunnel.

07:56.480 --> 07:56.840
Yeah.

07:59.440 --> 07:59.860
This is.

07:59.860 --> 08:00.220
Yes.

08:00.220 --> 08:01.420
The IP that you get.

08:02.590 --> 08:04.540
It's not profitable like it's.

08:04.570 --> 08:05.150
See?

08:05.170 --> 08:06.370
Remember earlier?

08:07.900 --> 08:12.580
Any traffic, which is going from 10.111 .121.2.2.2.

08:14.050 --> 08:15.220
It was going through the tunnel.

08:15.220 --> 08:19.960
When I say going through the tunnel, it used to have ESP here and then the public address.

08:21.310 --> 08:22.810
30.32 20.3.

08:34.520 --> 08:35.720
You can reach which server.

08:36.960 --> 08:37.410
Yeah.

08:37.650 --> 08:38.190
Through the tunnel.

08:38.220 --> 08:38.420
Right.

08:40.110 --> 08:43.620
True that this was what we did earlier right here.

08:43.620 --> 08:46.080
What's going to happen is a little different here.

08:46.080 --> 08:48.150
It's not based on source and destination.

08:48.150 --> 08:52.710
So if your packet from the PC is originated, from which IP?

08:54.320 --> 08:59.030
192.168.10.1.

08:59.630 --> 09:02.570
If it is originated from here, going anywhere does not matter where.

09:02.570 --> 09:03.660
This is known as source based.

09:05.320 --> 09:07.360
If it originated from this address.

09:08.550 --> 09:11.010
From the VPN, from the adapter.

09:11.130 --> 09:18.120
Doesn't matter where it's trying to go, it will be encapsulated and forwarded out.

09:19.590 --> 09:19.920
Through the.

09:24.740 --> 09:28.850
Whatever is originating at this loopback.

09:28.970 --> 09:34.130
Basically, when I say through the tunnel, I'm talking about this tunnel, which takes me where to

09:34.130 --> 09:36.010
R2, and this will be decapsulated.

09:36.020 --> 09:37.400
Where on R2.

09:40.310 --> 09:41.780
This will be decapsulated on R2.

09:41.780 --> 09:43.090
When I say decapsulated.

09:43.140 --> 09:46.250
It'll be opened up and the decision will be made.

09:46.250 --> 09:51.320
So if you're going to ten, 11, 11, 1 or 10, 11, 11, six, R2 will forward the packet to ten,

09:51.320 --> 09:51.680
11, 11.

09:54.120 --> 10:00.750
The whole concept is your policies will be exchanged between these two public addresses.

10:02.050 --> 10:03.980
They will negotiate on the same policies.

10:04.000 --> 10:08.890
They will negotiate on the same transform set on the same same material.

10:08.920 --> 10:10.030
Nothing will change.

10:10.570 --> 10:12.010
And the tunnel will be created.

10:13.270 --> 10:14.540
To give you connectivity between.

10:15.900 --> 10:17.790
Now, the thing is, what do you use as a client?

10:20.010 --> 10:21.120
What do you use as a client?

10:22.170 --> 10:24.260
First of all, we have two things for the client.

10:24.270 --> 10:27.930
One is your VPN is a VPN client.

10:28.930 --> 10:32.500
Cisco's VPN client so you can connect up using this client.

10:33.650 --> 10:35.450
Other one is a router.

10:35.600 --> 10:38.960
You can actually convert a router into an easy VPN client.

10:40.190 --> 10:42.740
Which gives you more options, which we will see later.

10:44.180 --> 10:46.930
It gives you many more options to configure stuff.

10:48.370 --> 10:50.940
Now you can actually convert it later into a site also.

10:53.670 --> 11:00.210
But generally you can have either a router as a client or the VPN client as a client.

11:02.390 --> 11:03.980
Right now for this to work.

11:03.980 --> 11:06.380
Make sure when you're configuring, when you're adding this.

11:09.110 --> 11:10.730
You use?

11:12.070 --> 11:13.750
Our VMware Workstation.

11:14.470 --> 11:15.850
Do not do it with the loopback.

11:16.650 --> 11:17.970
It doesn't work properly with the loop.

11:20.810 --> 11:25.640
It will connect, but the traffic will not go through because it has too many adapters to make the decision

11:25.640 --> 11:25.900
with.

11:27.500 --> 11:31.010
So it's best if you just use, let's say, net zero here.

11:34.560 --> 11:36.240
Put it in the same address range.

11:37.860 --> 11:40.160
151 .3..

11:45.010 --> 11:46.570
Now check what I'm trying to do.

11:47.290 --> 11:49.420
What I'll do is I'll first configure this.

11:50.380 --> 11:52.130
R2 will be the server.

11:52.150 --> 11:53.950
I will configure the server first.

11:55.730 --> 11:59.390
I will configure the server and we'll see each step one step at a time.

11:59.420 --> 12:00.260
What does it do now?

12:00.260 --> 12:03.110
There's nine steps to configure the server.

12:03.140 --> 12:04.610
More than that, actually.

12:05.330 --> 12:05.720
Right.

12:05.750 --> 12:10.250
We'll have to go through each of them and understand what each of them does.

12:11.050 --> 12:11.300
Okay.

12:11.590 --> 12:13.660
Before we do that, let's configure it.

12:15.600 --> 12:15.870
Right.

12:16.200 --> 12:20.610
So before I do anything, I need to check if our phone has connectivity to R2.

12:21.210 --> 12:22.170
How do I do that?

12:23.010 --> 12:23.460
Ping.

12:26.370 --> 12:32.040
1.2.2 is the server's address, so I do have reachability to the server.

12:32.460 --> 12:34.760
Now we'll go ahead, go to R2.

12:45.540 --> 12:46.210
Let's start with that.

12:53.680 --> 12:54.700
Easy VPN server.

12:54.700 --> 12:56.350
And then we'll start with steps.

12:56.710 --> 12:58.300
What do you think the first step is?

13:00.780 --> 13:01.440
Step one.

13:06.670 --> 13:10.300
Step one is crypto isakmp policy.

13:10.480 --> 13:10.900
Then.

13:12.040 --> 13:12.940
Encryption.

13:13.580 --> 13:14.110
3DES.

13:15.460 --> 13:16.450
Authentication.

13:16.450 --> 13:19.600
You can use a CA server also if you want to.

13:20.420 --> 13:22.370
Hash.

13:22.400 --> 13:28.010
Now remember, hashing: the VPN client, the one which you have, does not support SHA.

13:29.450 --> 13:31.490
It only supports MD5.

13:31.520 --> 13:34.760
Let me write it clear and big so that you don't make this mistake.

13:34.790 --> 13:38.300
It only supports MD5.

13:40.070 --> 13:41.930
The easy VPN client does not support.

13:42.990 --> 13:44.550
Make sure you don't make that mistake.

13:45.260 --> 13:47.650
Make sure it is MD5.

13:55.050 --> 13:57.750
Where they say no, then that time you don't have to share.

13:57.780 --> 13:59.040
You can use RSA signature.

13:59.220 --> 14:00.300
You don't need the key.

14:02.290 --> 14:02.680
Here.

14:03.220 --> 14:05.200
No authentication RSA signature.

14:06.460 --> 14:09.810
I say if you leave it as it is by default, it is RSA.

14:10.080 --> 14:11.460
If you don't put anything.

14:13.090 --> 14:13.360
Right.

14:13.720 --> 14:15.100
So the first step is done.

14:18.910 --> 14:19.900
On the server side.

14:22.670 --> 14:23.300
Step two.

14:25.700 --> 14:26.150
Step.

14:27.090 --> 14:32.040
Step two. Now the question is, do you have a pre-shared key here or not?

14:33.180 --> 14:35.010
We do not use a pre-shared key.

14:35.580 --> 14:36.240
Why?

14:36.270 --> 14:38.310
Because I told you we are doing authentication.

14:38.310 --> 14:39.180
Based on what?

14:41.190 --> 14:42.270
Based on a group.

14:43.700 --> 14:44.240
Name.

14:45.540 --> 14:45.940
Thank.

14:47.540 --> 14:47.840
Yeah.

14:49.020 --> 14:50.990
Sometimes you can do it based on a server.

14:51.010 --> 14:52.260
Also, you can do it.

14:53.240 --> 14:54.260
Yeah, you can.

14:54.380 --> 14:55.880
That's what we'll be doing next.

14:55.880 --> 14:56.630
I'll show you how.

14:58.540 --> 14:59.080
Yes.

14:59.080 --> 14:59.740
Yes.

15:00.100 --> 15:05.320
So you can check the group name and password from the LDAP server also; the TACACS server will do that

15:05.320 --> 15:05.770
for you.

15:06.040 --> 15:07.090
You can do that too.

15:07.420 --> 15:09.010
Right now we'll be doing it locally.

15:11.610 --> 15:15.570
We'll be authenticating based on what? A group name and a key, not a pre-shared key.

15:18.940 --> 15:20.680
But the basics.

15:20.680 --> 15:21.160
I'll show you.

15:21.160 --> 15:24.670
I'll tell you what that is, the ones that you need, the information that you need.

15:25.830 --> 15:33.390
So the first thing I need to do is before I configure the group name and key, I need to configure a

15:33.390 --> 15:34.680
pool of addresses.

15:35.950 --> 15:36.550
So.

15:38.100 --> 15:39.060
Configure a pool.

15:40.720 --> 15:43.930
Of addresses that will be.

15:44.810 --> 15:45.410
Push down.

15:47.620 --> 15:48.910
To the client.

15:50.920 --> 15:52.000
Our clients.

15:53.490 --> 15:54.360
How do you do it?

15:55.020 --> 15:55.800
Local pool.

15:56.100 --> 15:56.880
You call it anything?

15:56.880 --> 15:58.230
I'll call it sales pool.

16:00.450 --> 16:02.820
And let's say the address is 192.168.

16:04.100 --> 16:05.600
10.10.

16:06.670 --> 16:09.850
282.168 .1..

16:12.050 --> 16:13.610
That is the pool that I'm creating.

16:14.950 --> 16:16.150
I've not called it anywhere.

16:24.690 --> 16:25.020
Okay.

16:26.080 --> 16:27.280
So I created a pool.

16:28.630 --> 16:30.380
Saying this is the pool for sale.

16:30.400 --> 16:31.930
I have not bound it anywhere yet.

16:32.950 --> 16:35.440
Now I need to configure my group name and key.

16:36.130 --> 16:38.080
The way you do it is crypto.

16:38.470 --> 16:39.160
isakmp.

16:40.790 --> 16:42.040
Client configuration group.

16:44.340 --> 16:45.360
And you name the group.

16:45.360 --> 16:46.440
What is the name of the group?

16:48.270 --> 16:49.110
Sales.

16:51.230 --> 16:52.130
What is the key?

16:53.520 --> 16:54.060
This is the score.

16:54.070 --> 16:54.750
One, two, three.

16:55.410 --> 16:56.340
What is the pool?

16:59.470 --> 17:00.100
That's it.

17:08.180 --> 17:11.570
So after this, the next step is.

17:12.550 --> 17:13.240
Specify.

17:14.730 --> 17:15.810
The group name.

17:17.650 --> 17:19.210
And the key.

17:20.400 --> 17:21.390
Used by the client.

17:23.110 --> 17:23.800
Connect.

17:24.620 --> 17:26.060
Up to the.

17:28.210 --> 17:29.070
So I really do it.

17:29.670 --> 17:33.850
crypto isakmp client configuration.

17:33.900 --> 17:35.340
Now it's not isakmp key.

17:36.880 --> 17:38.620
Usually we used to have crypto isakmp key.

17:38.680 --> 17:41.740
Right now it's crypto isakmp client configuration group.

17:42.890 --> 17:44.210
What is the name of that group?

17:44.900 --> 17:45.770
Sales.

17:46.700 --> 17:49.880
The key that he should provide is one, two, three.

17:49.910 --> 17:52.730
If it does provide, the key is one, two, three.

17:52.760 --> 17:54.590
Give him an address from the pool.

17:57.350 --> 17:57.730
Sales.

18:00.220 --> 18:01.630
That guy should be given an address.

18:01.630 --> 18:02.400
From which pool?

18:02.610 --> 18:02.710
The.

18:04.820 --> 18:05.970
Easy until now.

18:07.850 --> 18:08.030
Right?

18:08.420 --> 18:09.170
Nothing different.

18:10.200 --> 18:10.820
Simple stuff.

18:11.920 --> 18:12.580
Step four.

18:12.610 --> 18:13.450
Can you guess?

18:19.580 --> 18:20.480
Transform set.

18:21.360 --> 18:21.960
He said.

18:25.330 --> 18:29.530
ESP 3DES, ESP MD5.

18:32.140 --> 18:32.770
Step five.

18:36.160 --> 18:36.520
Yeah.

18:44.020 --> 18:45.330
I have the transform set.

18:47.610 --> 18:48.570
As the transform set.

18:48.570 --> 18:49.500
I have the pool.

18:51.060 --> 18:51.390
Right.

18:51.510 --> 18:53.220
Have the group name and group key.

18:54.510 --> 19:02.380
I would need see, as said just now that we can do this group name and right now sales and key.

19:02.400 --> 19:04.560
I've stored it where locally.

19:06.000 --> 19:07.740
I have stored it locally.

19:07.740 --> 19:08.400
Locally where?

19:09.150 --> 19:10.590
On the VPN server.

19:11.310 --> 19:15.300
I could also do it on an LDAP server or a TACACS server.

19:15.810 --> 19:19.560
I have to myself go in here and tell him listen, I'm doing it locally.

19:21.740 --> 19:28.310
I have to tell my ISAKMP process that the key and the group name are stored where? Locally, on this server.

19:29.560 --> 19:30.340
How do I do it?

19:30.340 --> 19:33.580
For that, you have to enable this new model called AAA.

19:34.360 --> 19:36.550
If you've not done it, it's nothing different.

19:36.550 --> 19:37.720
It's nothing special.

19:37.720 --> 19:38.740
It's very simple.

19:39.750 --> 19:45.690
aaa new-model enables those services of AAA, which means authentication, authorization and

19:45.690 --> 19:50.640
accounting; from all of those services you're using authorization.

19:52.640 --> 19:55.280
You're using authorization, you're saying AAA.

19:57.080 --> 19:58.280
Authorization network.

20:00.790 --> 20:02.710
You need to call this list something.

20:03.300 --> 20:04.920
This list has to have a name.

20:04.920 --> 20:07.050
Now, this list can have any name that you want.

20:09.250 --> 20:10.180
I'll call it shock.

20:11.740 --> 20:12.880
Let me show it to you here.

20:13.390 --> 20:14.410
aaa new-model.

20:15.850 --> 20:18.340
aaa authorization.

20:19.100 --> 20:21.050
And then authorization of what?

20:21.640 --> 20:22.060
Network.

20:22.060 --> 20:23.770
This is known as network authorization.

20:24.610 --> 20:27.010
The group name and key is stored here.

20:27.010 --> 20:27.420
Right.

20:27.430 --> 20:29.470
Plus, I'm also pushing down a pool.

20:31.240 --> 20:32.500
I'm also pushing down the pool.

20:32.500 --> 20:33.010
From where?

20:33.010 --> 20:36.130
From locally, from this server.

20:36.460 --> 20:38.860
So I have to specify that network authorization.

20:39.650 --> 20:41.870
Has to be done based on a name, I'll call it.

20:42.920 --> 20:44.420
It is done based on what?

20:44.600 --> 20:46.730
Server group, which means an LDAP server.

20:46.730 --> 20:47.900
Or is it done locally?

20:52.370 --> 20:53.450
It's done locally.

20:58.000 --> 20:58.600
So is the name.

21:00.270 --> 21:00.980
So it's just a name.

21:10.750 --> 21:11.260
There's no need.

21:12.370 --> 21:13.540
You can use them separately.

21:13.720 --> 21:18.670
What I'm basically saying network authorization means authorization.

21:18.670 --> 21:19.900
What does authorization mean?

21:20.650 --> 21:25.780
It means once a user comes in, once a user comes in, what can he do?

21:27.770 --> 21:29.580
Is he allowed full access of the network?

21:29.600 --> 21:30.590
Is he allowed half?

21:31.100 --> 21:31.590
Right.

21:32.910 --> 21:36.120
Those features are configured where?

21:36.910 --> 21:37.420
Here.

21:38.620 --> 21:41.930
I'm saying when this user comes in with the user name of group.

21:41.950 --> 21:43.210
Give him this pool.

21:43.840 --> 21:45.820
Later I can add another ACL there.

21:45.820 --> 21:48.190
I can say, okay, when he comes in, give him this ACL.

21:49.930 --> 21:55.450
Do not allow him full access to the network; give him this ACL so he can only access this part of the network.

21:56.770 --> 21:58.420
That is authorization of authorization.

21:58.540 --> 21:59.890
I'm authorizing the client.

22:00.760 --> 22:06.190
That's why here I'm saying, okay, the authorization of the list will be done locally.

22:06.190 --> 22:07.970
I have not applied this anywhere.

22:07.990 --> 22:11.770
Wherever I apply this Sha, that authorization will be done locally.

22:12.640 --> 22:13.210
We'll see how.

22:13.210 --> 22:19.470
Right now I just created a list with the list says wherever I applied I will do the authorization.

22:19.480 --> 22:19.690
How?

22:23.080 --> 22:23.380
Then.

22:24.890 --> 22:25.190
Correct?

22:25.190 --> 22:25.400
Right.

22:26.920 --> 22:28.090
Once you do this.

22:29.500 --> 22:30.730
Once this part is done.

22:31.990 --> 22:37.390
Now you need to create a crypto map because you apply it to the interface.

22:37.390 --> 22:42.550
Now, there's two ways of doing this either using crypto maps or we have something known as virtual

22:42.550 --> 22:43.510
tunnel interfaces.

22:46.000 --> 22:49.990
Either using crypto maps or what we are doing now.

22:49.990 --> 22:52.330
What we are going to do now is crypto maps.

22:52.480 --> 22:54.190
Now first of all, you tell me.

22:57.510 --> 22:59.070
When you have a crypto map applied, right?

22:59.070 --> 22:59.670
Crypto map.

22:59.670 --> 23:00.100
Let's say I.

23:02.210 --> 23:03.620
What is the first command that you use?

23:03.620 --> 23:03.900
Match.

23:03.920 --> 23:04.490
Address.

23:04.520 --> 23:06.680
Then what set up here?

23:06.830 --> 23:08.150
Can I use set peer here?

23:09.690 --> 23:10.500
I cannot use that.

23:10.500 --> 23:10.850
Period.

23:10.860 --> 23:11.340
Why?

23:12.980 --> 23:13.740
Because this IP.

23:13.760 --> 23:14.360
I don't know.

23:16.330 --> 23:17.140
I don't know this I.

23:20.430 --> 23:20.790
Giving.

23:20.790 --> 23:21.120
What?

23:22.410 --> 23:22.800
This guy?

23:22.800 --> 23:23.850
No, this guy.

23:23.850 --> 23:25.380
I don't have any control over this guy.

23:25.800 --> 23:27.360
I only have control over the server.

23:30.070 --> 23:30.850
That is the pool.

23:32.340 --> 23:35.310
So it doesn't matter what the public IP is, the pool will always be pushed down.

23:37.870 --> 23:39.400
I only have control over my pool.

23:40.750 --> 23:42.400
Doesn't matter who comes and registers.

23:42.400 --> 23:45.610
If he uses the same key and password, I will give him the pool.

23:48.020 --> 23:48.710
That's what I'm saying.

23:48.920 --> 23:50.390
Anybody can come and register.

23:51.850 --> 23:55.450
Anyone can come, any address out there will come and register for me.

23:56.080 --> 23:58.210
The thing with me is I don't know who's going to come.

24:02.920 --> 24:03.880
Any public address.

24:04.360 --> 24:09.370
The pool, if you if you see the pool that I use, the pool is a private address.

24:11.590 --> 24:12.820
You'll see how this is used.

24:13.180 --> 24:14.440
It will come together.

24:15.600 --> 24:15.990
Right now.

24:15.990 --> 24:19.980
The question is the VPN client cannot come up to me.

24:20.010 --> 24:20.790
It will come up to me.

24:20.790 --> 24:22.820
I don't know what address is he going to come up with.

24:22.830 --> 24:25.650
So here I cannot use a static crypto map.

24:31.530 --> 24:32.550
I cannot use the static.

24:34.650 --> 24:37.670
I'll use something called a dynamic crypto map.

24:37.950 --> 24:38.910
Why dynamic?

24:38.910 --> 24:41.040
Because I will not use the set command.

24:42.970 --> 24:44.020
I will not use it.

24:44.050 --> 24:46.030
How will I use it?

24:46.060 --> 24:50.200
How will you get the peer from the guy who comes up and registers?

25:03.360 --> 25:03.570
Yeah.

25:07.990 --> 25:08.320
First.

25:08.320 --> 25:09.150
You always hit this.

25:12.170 --> 25:17.000
After the physical address of this guy, then he can do routing and then through routing he can go and

25:17.870 --> 25:20.300
yeah, the first one is the easy VPN server.

25:20.450 --> 25:24.710
After that, there can be a proxy server here, there can be another server here, another server here.

25:24.710 --> 25:28.280
So you can go through; that will be done purely based on routing from R3.

25:29.530 --> 25:30.670
Your job is to hit home.

25:30.700 --> 25:31.180
The server.

25:33.050 --> 25:33.290
Right.

25:33.440 --> 25:36.020
So my job right now is to configure the server.

25:37.540 --> 25:39.640
Do you understand the problem of crypto maps?

25:39.670 --> 25:42.860
I don't have the peer, so I'll use a dynamic crypto map.

25:42.880 --> 25:47.140
How will it work when R4 comes and registers itself for this tunnel?

25:47.170 --> 25:53.020
He'll use the set peer as 150.1.4.4 because R4 came up with that address.

25:53.280 --> 25:59.710
When the PC comes up and registers, I will use the set peer as 150.1.3.3.

25:59.710 --> 26:01.800
So I'll keep on changing that dynamically.

26:02.770 --> 26:03.520
Based on the peer.

26:04.000 --> 26:05.740
A different peer, a different address.

26:13.670 --> 26:14.180
No, no, no.

26:14.720 --> 26:15.470
They will know.

26:15.830 --> 26:17.480
The clients will know the address.

26:17.660 --> 26:20.450
When you connect up to your company's network, you know the public IP.

26:23.130 --> 26:23.820
The client.

26:23.850 --> 26:24.990
See when you go here.

26:28.050 --> 26:29.910
The server doesn't know the client segments.

26:29.940 --> 26:34.260
The client knows the server's address because the connection will be initiated from the client.

26:35.220 --> 26:36.630
In remote access VPN.

26:36.660 --> 26:38.970
The connection is always initiated from the client.

26:39.000 --> 26:41.330
The server is just waiting for someone to come.

26:41.340 --> 26:43.740
The moment someone comes, he takes the source address.

26:43.920 --> 26:44.970
You are my set peer.

26:45.510 --> 26:47.880
He takes the source address from here: you are my set peer.

26:50.560 --> 26:56.650
When you create this map on your VPN server, the way you do it is crypto.

26:58.110 --> 26:59.340
Dynamic map.

27:00.980 --> 27:02.030
Call it anything.

27:03.780 --> 27:10.170
And then again an entry, just like crypto map IMAP 10, 20, 30, stuff like that.

27:10.710 --> 27:13.080
In here you have many different things that you can do.

27:13.110 --> 27:15.270
The only thing that you do is set transform-set.

27:15.270 --> 27:15.780
Set.

27:18.400 --> 27:19.270
Do you give an ACL?

27:19.540 --> 27:20.050
No.

27:20.320 --> 27:21.760
Do you give a set peer command?

27:21.790 --> 27:22.330
No.

27:22.480 --> 27:24.240
This is the only thing that you give, right?

27:24.250 --> 27:24.750
Set.

27:24.790 --> 27:25.300
Transform.

27:25.300 --> 27:25.510
Set.

27:27.260 --> 27:28.550
Anyone can come and register.

27:28.880 --> 27:29.720
Yes.

27:31.550 --> 27:32.220
Anyone can.

27:34.070 --> 27:35.990
They know they need group name and password.

27:37.640 --> 27:38.120
They just.

27:39.590 --> 27:40.880
If they don't have the group name.

27:42.110 --> 27:42.860
They cannot come up.

27:44.200 --> 27:44.400
Right.

27:45.580 --> 27:48.280
So created the dynamic crypto map.

27:48.310 --> 27:52.390
The problem with dynamic crypto maps is they cannot be applied directly to interfaces.

27:53.110 --> 27:55.420
You have to apply when you apply a dynamic crypto map.

27:55.420 --> 27:56.620
You have to bind it to what?

27:57.130 --> 27:57.990
A static crypto map.

27:59.980 --> 28:01.270
Otherwise you won't be able to apply them.

28:01.750 --> 28:03.520
So you do have to create what?

28:05.360 --> 28:06.860
I mapped it still again.

28:08.720 --> 28:10.310
You have to create one.

28:13.900 --> 28:14.650
Dynamic.

28:16.200 --> 28:17.310
You bind them together.

28:17.680 --> 28:21.060
The crypto map IMAP 10 ipsec-isakmp.

28:22.080 --> 28:23.010
Dynamic.

28:27.990 --> 28:29.700
So you're binding the two together?

28:29.700 --> 28:30.150
How?

28:33.400 --> 28:33.960
Might know.

28:35.020 --> 28:35.590
Step six.

28:36.460 --> 28:37.000
The step six.

28:37.000 --> 28:37.930
You say crypto.

28:39.260 --> 28:41.630
Dynamic map.

28:41.780 --> 28:43.520
Call it DYN10.

28:44.510 --> 28:45.500
Then you say set.

28:47.240 --> 28:48.170
Transform set.

28:50.970 --> 28:51.150
Said.

28:53.960 --> 28:55.700
And then you bind it to a static entry.

28:55.700 --> 29:01.280
crypto map IMAP 10 ipsec-isakmp dynamic.

29:01.460 --> 29:02.600
The name is De.

29:05.310 --> 29:05.580
By.

29:09.540 --> 29:10.830
This is not enough, though.

29:11.100 --> 29:14.370
You still have not bound other things to the crypto map.

29:15.150 --> 29:16.280
I've only said Set.

29:16.320 --> 29:16.770
Transform.

29:16.770 --> 29:17.030
Set.

29:17.130 --> 29:18.570
Have I bound the group?

29:19.290 --> 29:20.940
Have I bound the pool?

29:21.840 --> 29:23.190
The authorization list?

29:23.220 --> 29:23.730
No.

29:24.770 --> 29:27.200
If you look at it, these are two separate modules.

29:27.440 --> 29:30.270
I've just created a crypto map where I set, set, transform, set.

29:30.290 --> 29:30.650
That's it.

29:30.680 --> 29:32.720
Have I bound it to all these steps?

29:33.470 --> 29:34.250
I have not.

29:35.280 --> 29:36.240
I have to bind it to them.

29:39.570 --> 29:40.930
The way you do it is what?

29:40.950 --> 29:41.600
It's simple.

29:41.610 --> 29:44.070
We have never tried this part before.

29:44.070 --> 29:45.810
But if you look here.

29:47.580 --> 29:50.100
In iMap, you have something known as.

29:50.990 --> 29:51.380
ISAKMP.

29:52.500 --> 29:53.310
So you could say a.

29:55.590 --> 29:58.320
Then you have authorization list.

29:58.350 --> 29:59.760
What is the name of that list?

30:04.480 --> 30:08.140
I'm saying my ISAKMP, which will begin from this crypto map.

30:08.680 --> 30:13.060
That ISAKMP should be authorized based on what? Sha. Sha means.

30:13.060 --> 30:13.510
What?

30:14.240 --> 30:14.810
Local.

30:19.160 --> 30:21.260
I pointed it to the local database earlier.

30:21.260 --> 30:21.440
Right.

30:21.440 --> 30:24.920
If you remember Sha Sha was pointing to the local database.

30:24.920 --> 30:28.880
So here, I'm not saying anything special, I'm just saying crypto.

30:29.620 --> 30:30.160
Map.

30:32.240 --> 30:35.040
Whenever I apply iMap, whatever ISAKMP

30:35.060 --> 30:36.560
is initiated from there.

30:38.060 --> 30:39.560
It should be authorized.

30:40.350 --> 30:41.460
Based on the list.

30:43.180 --> 30:46.330
Sha is pointing where? To the local database.

30:46.630 --> 30:50.770
So I'm saying authorization for Isakmp should be done based on the local database.

30:53.560 --> 30:54.370
Do you understand this?

30:54.370 --> 30:55.390
But this is the only thing.

30:55.400 --> 30:58.840
This part is the only thing where people get confused.

30:58.900 --> 31:00.100
You understand this?

31:13.900 --> 31:17.530
It doesn't give out a pre-shared key, the client, the client.

31:17.550 --> 31:22.270
When you're asked for authentication, right, the client will just give a group name and a key.

31:22.300 --> 31:23.050
That's it.

31:24.180 --> 31:26.310
In the beginning, you have extended authentication.

31:26.310 --> 31:27.060
That's later.

31:27.420 --> 31:29.340
You won't do that now, right?

31:29.400 --> 31:33.060
We are doing the basic bare minimum that we need for the tunnel to come up.

31:33.360 --> 31:34.470
He will give it out.

31:34.470 --> 31:34.910
To whom?

31:34.920 --> 31:35.580
To the server.

31:36.630 --> 31:40.770
The server will check it. Now it needs to know: does it check it against the local database?

31:40.800 --> 31:42.360
Does it check it against the.

31:44.190 --> 31:45.570
Against an LDAP server.

31:46.080 --> 31:46.960
How does he do it?

31:46.980 --> 31:48.180
You've already specified it.

31:48.180 --> 31:48.540
You said.

31:48.540 --> 31:53.220
Okay, listen, based on this crypto map, because the first thing that it hits is the crypto map.

31:53.370 --> 31:57.340
You're saying authorization of this should be done based on Sha?

31:57.360 --> 31:58.830
And where is Sha pointing to?

31:59.780 --> 32:01.460
So it should be done locally, basically.

32:01.460 --> 32:02.330
That's what you're saying.

32:02.690 --> 32:06.860
Group name, key and the pool and everything that is going to be pushed down should be done.

32:06.860 --> 32:08.060
How? Locally.

32:09.100 --> 32:09.870
Where is that local?

32:09.880 --> 32:11.260
You've already configured it local.

32:14.250 --> 32:15.690
If you had a different server.

32:16.500 --> 32:22.500
If you had a different server, what you would do is this pool and all of this would be configured on

32:22.530 --> 32:23.340
that server.

32:24.870 --> 32:28.200
On a different server and your list would be pointing to that server.

32:32.610 --> 32:34.360
Do you understand the difference between the two?

32:38.210 --> 32:43.160
You'll be pointing to that server and all these configuration group key and everything will be configured

32:43.160 --> 32:44.090
on that server.

32:46.990 --> 32:48.760
Yes, five different groups.

32:48.760 --> 32:51.100
So all those five groups would be created where?

32:51.550 --> 32:52.780
On that server.

32:53.350 --> 32:56.260
Now, that's how you usually do it because you don't have one group.

32:56.440 --> 32:57.550
You have a lot of groups.

32:59.420 --> 33:00.500
As many as you can.

33:02.310 --> 33:04.890
As long as you have enough addresses in the.

33:06.730 --> 33:08.350
Of all the users in this group.

33:09.660 --> 33:12.840
At maximum, you can have as many addresses as you have specified.

33:13.610 --> 33:14.880
Ten at one time.

33:17.000 --> 33:18.920
Right, because address will be pushed down from the pool.

33:19.930 --> 33:20.950
Now check it out.

33:21.490 --> 33:22.090
I've done this.

33:22.090 --> 33:23.920
There's also one more command that I need to.

33:23.980 --> 33:28.930
It's called crypto map iMap client configuration.

33:28.930 --> 33:29.740
Address this.

33:33.200 --> 33:35.480
Why is this by default?

33:35.840 --> 33:36.650
By default.

33:36.650 --> 33:38.690
I told you the server is going to push down a pool.

33:38.690 --> 33:39.000
Right?

33:40.340 --> 33:42.030
He's going to push down an address from the pool.

33:42.050 --> 33:44.570
By default, it does not have the authorization to do that.

33:46.120 --> 33:48.460
You have to use this command to enable that feature.

33:49.520 --> 33:54.410
Basically what you're saying is when the client asks for an address, respond, give him an address.

33:58.330 --> 34:00.670
Okay, so what is the command?

34:01.840 --> 34:04.240
Crypto client.

34:05.350 --> 34:06.180
Map iMap.

34:09.020 --> 34:10.300
Client configuration.

34:11.340 --> 34:12.090
Address.

34:14.180 --> 34:17.600
So what you're basically saying is when the client asks for an address, do respond.

34:17.600 --> 34:19.880
If you don't use this command, the pool will not be pushed down.

34:23.870 --> 34:24.290
Okay.

34:24.560 --> 34:25.610
One last.

34:26.610 --> 34:31.350
Let's have one last review of this from the beginning: what did we do in all the steps?

34:31.830 --> 34:32.790
Step one.

34:34.200 --> 34:35.000
Policies.

34:36.100 --> 34:41.080
Step two configure a pool of addresses which will be pushed down.

34:41.800 --> 34:42.940
Step three is what?

34:44.510 --> 34:48.380
The group name, the key and the pool that is supposed to be pushed down.

34:48.380 --> 34:50.930
How? Crypto client configuration group.

34:51.080 --> 34:54.640
And then you specify the key and the pool that should be pushed out.

34:55.950 --> 34:56.090
You.

34:58.610 --> 35:00.980
And as the server, you will not use a pre-shared key here.

35:02.910 --> 35:03.390
That's it.

35:03.390 --> 35:04.320
That's the only difference.

35:06.820 --> 35:07.090
Cisco.

35:07.090 --> 35:07.660
One, two, three.

35:07.900 --> 35:12.570
Even this even the group name and key even that you will not use this.

35:12.580 --> 35:16.720
You will have it configured here, but from the client side, you will present to you a certificate.

35:16.720 --> 35:17.260
Right?

35:17.980 --> 35:19.900
You will not present a username password.

35:19.900 --> 35:21.580
He will not write down a group name or key.

35:22.870 --> 35:29.860
It will be taken from the certificate, the certificate's OU will be taken as the group name and

35:29.860 --> 35:30.040
key.

35:30.040 --> 35:30.880
You have to specify.

35:33.060 --> 35:33.990
You'll have an option.

35:34.420 --> 35:35.160
Choose an option.

35:36.540 --> 35:36.750
Right.

35:38.150 --> 35:38.920
No, actually not.

35:38.930 --> 35:40.240
You don't have to specify the key.

35:40.250 --> 35:44.480
Even the key is for X or you just have to present the certificate with the same group name.

35:46.380 --> 35:47.670
Because it's a certificate, right?

35:47.670 --> 35:48.840
It's already verified.

35:50.640 --> 35:54.660
If you verify the certificate, then it goes to only group names should match.

35:54.690 --> 36:00.360
If the group name is the same as the organizational unit identifier, OU, it will go through.

36:00.630 --> 36:02.840
We'll see that you have to do that with the ACS.

36:06.130 --> 36:08.190
RSA token you could use with here.

36:08.200 --> 36:11.160
Also you can use it, you could use the RSA token here.

36:11.170 --> 36:17.000
Then the client configuration group, you will be doing it where? Authorization based on the RSA SecurID

36:17.020 --> 36:17.410
server.

36:18.520 --> 36:22.360
So it'll be pointing to the SecurID server and the configuration will be done there.

36:24.550 --> 36:25.900
It's a useful piece.

36:29.380 --> 36:34.660
It's something like that, but it's mostly used for RSA tokens.

36:34.990 --> 36:38.350
Access Control Server does not support HTTPS for that.

36:38.350 --> 36:42.850
To support OTP, you have to link it to Microsoft servers, then create OTP from there.

36:42.850 --> 36:45.670
But SecurID server gives you OTP functionality.

36:47.350 --> 36:48.040
By default.

36:50.760 --> 36:51.240
Not here.

36:51.540 --> 36:52.540
You wouldn't be using that.

36:52.560 --> 36:54.360
You'll be hooking it up to that server.

36:54.540 --> 36:55.590
Using what?

36:56.280 --> 36:57.300
Authorization list.

36:58.360 --> 37:01.540
Give the server's address in a network list pointing to that server.

37:01.570 --> 37:04.980
Everything will be done that the authorization part will be done from the server.

37:06.480 --> 37:08.340
Okay, Now if this is done.

37:09.860 --> 37:11.360
Then what did we do next?

37:11.450 --> 37:12.570
We configured this.

37:12.590 --> 37:15.320
Then we said, okay, this is the transform set that should be pushed down.

37:17.070 --> 37:17.340
Right.

37:17.340 --> 37:19.890
I just created the transform set then.

37:21.040 --> 37:26.500
Step five, I created a network list which was pointing to the local database.

37:26.500 --> 37:27.760
I did not apply it anywhere.

37:27.760 --> 37:31.840
I just created the network list which is pointing to the local database.

37:31.990 --> 37:35.290
Then I went down to my crypto dynamic map.

37:35.500 --> 37:35.710
Why?

37:35.740 --> 37:36.940
Because the peer's address?

37:36.940 --> 37:37.420
I don't know.

37:37.420 --> 37:40.570
So I said a dynamic map transform set.

37:40.570 --> 37:41.900
I bound it, he said.

37:42.800 --> 37:43.690
Then I said okay.

37:45.920 --> 37:49.940
This dynamic map should be statically bound to crypto map.

37:50.190 --> 37:52.910
Map because on an interface you can only apply a static map.

37:53.690 --> 37:54.790
The last two commands.

37:54.800 --> 37:58.880
First, I bind my ISAKMP to the list, which is pointing to the local database.

37:58.880 --> 38:01.550
So binding all of this from top to bottom together.

38:01.970 --> 38:07.580
Also one more command which enables my crypto map to push down the IP address.

38:08.210 --> 38:10.190
Otherwise it will not be able to push down the.

38:12.030 --> 38:16.130
That is all you need to do on the server side in crypto maps.

38:17.440 --> 38:18.130
And you're using.

38:19.760 --> 38:20.810
Now we'll go with side.

38:22.550 --> 38:23.270
The client side.

38:23.600 --> 38:25.130
Let's see what to do on the client.

38:44.720 --> 38:45.260
Another thing.

38:45.260 --> 38:46.850
The most important part was what?

38:48.150 --> 38:48.640
Interface.

38:48.660 --> 38:51.030
56780001, I think.

38:52.370 --> 38:54.000
Crypto map.

38:54.880 --> 38:55.540
Applied to the.

39:02.370 --> 39:02.790
Right.

39:03.570 --> 39:03.890
Let's go.

39:03.910 --> 39:05.220
XP should be up by now.

39:06.850 --> 39:08.950
I have a VPN client here already installed.

39:15.760 --> 39:16.410
Would I go there?

39:16.420 --> 39:17.090
Let's see if.

39:18.070 --> 39:19.030
I can communicate.

39:26.190 --> 39:29.100
151.3.25.

39:29.880 --> 39:32.460
150.1.3.20.

39:34.600 --> 39:35.380
The Internet.

40:02.520 --> 40:03.390
Should be able to do.

40:11.460 --> 40:13.380
Let's check if it is bound to be zero.

40:19.070 --> 40:20.460
Let me check my addresses.

40:22.640 --> 40:23.880
Here's 151.30.

40:23.900 --> 40:27.020
I just need to bind the XP also to pm0.

40:30.110 --> 40:30.410
Now.

40:30.410 --> 40:31.010
It should work.

40:36.820 --> 40:39.310
Then I should also be able to go where?

40:39.760 --> 40:41.170
20.2, which is important.

40:43.210 --> 40:45.820
Rented out to why that is my easy VPN.

40:45.940 --> 40:46.630
So.

40:47.980 --> 40:50.320
So my client can reach the VPN server.

40:51.310 --> 40:53.920
If it can reach the VPN server on layer three.

40:53.950 --> 40:56.110
It should be able to create the connection with these.

40:57.780 --> 40:58.290
And we remove.

40:58.290 --> 40:59.660
These are from the old ones.

41:03.260 --> 41:03.460
Now.

41:03.470 --> 41:03.680
Check.

41:03.860 --> 41:04.310
Check out.

41:04.340 --> 41:05.550
What do you do on the VPN client?

41:05.570 --> 41:06.800
You create a new connection.

41:07.310 --> 41:08.840
The entry here does not matter.

41:08.840 --> 41:11.470
I can call it sales anything.

41:11.480 --> 41:12.320
This is just a name.

41:13.460 --> 41:14.260
Host address.

41:14.270 --> 41:15.500
What is the host address?

41:17.050 --> 41:19.060
151.2.2.

41:19.090 --> 41:25.930
The router's address, the router's public address, so the client does have to know what the public

41:25.930 --> 41:28.750
address of the server is, because that's how he creates that connection.

41:29.350 --> 41:30.160
Group name.

41:32.960 --> 41:33.710
Sales.

41:37.620 --> 41:38.580
Password is.

41:41.700 --> 41:42.420
That's it.

41:43.490 --> 41:44.570
That's all you need to do.

41:45.760 --> 41:46.930
That is exactly.

41:46.930 --> 41:48.250
I mean, that's finished.

41:48.250 --> 41:49.600
That's all on the client.

41:49.940 --> 41:51.550
You just double click to create the connection.

41:54.750 --> 41:55.980
You are already connected.

41:58.560 --> 42:00.340
Just double click on the VPN client.

42:00.360 --> 42:00.920
That's it.

42:00.930 --> 42:01.500
You're connected.

42:01.500 --> 42:02.460
Your connection is up.

42:02.940 --> 42:04.140
Check this out.

42:04.320 --> 42:05.400
What is this?

42:07.310 --> 42:08.090
VPN adapter.

42:10.320 --> 42:11.510
It was disabled until now.

42:11.520 --> 42:12.240
Now it's enabled.

42:12.240 --> 42:14.550
What address do you think will be enabled here?

42:16.480 --> 42:17.590
From the pool.

42:18.460 --> 42:19.840
He'll be pushed down from the.

42:22.160 --> 42:24.890
192.168.10.10.

42:26.210 --> 42:27.740
Push down to this client.

42:29.120 --> 42:30.770
To this client from where?

42:31.070 --> 42:32.960
From the server through the tunnel.

42:33.230 --> 42:34.670
Now, between them, if you.

42:34.670 --> 42:36.200
If you can.

42:37.620 --> 42:38.610
Capture the traffic.

42:57.800 --> 42:58.550
That's something else.

42:58.550 --> 42:59.540
I'll explain that later.

43:00.740 --> 43:03.920
When you connect through the VPN tunnel, you lose the connectivity to the internet.

43:05.210 --> 43:09.370
You're only connected to your company unless you make certain changes by default.

43:09.400 --> 43:10.810
You're only connected to your company.

43:12.940 --> 43:13.290
The needs.

43:13.300 --> 43:14.260
We call it a split tunnel.

43:16.570 --> 43:21.610
So right now, do you think from here when?

43:21.610 --> 43:22.090
I think.

43:24.030 --> 43:24.570
Ten.

43:24.570 --> 43:25.200
11.

43:25.200 --> 43:26.100
11.1.

43:27.210 --> 43:28.470
Do you think this should go through?

43:29.610 --> 43:31.050
It should, but it's not.

43:33.050 --> 43:33.470
It is.

43:34.420 --> 43:34.840
It is.

43:36.010 --> 43:37.840
And two 10.6.

43:38.390 --> 43:38.780
It is.

43:39.730 --> 43:42.420
Let me check if there is a route already installed here.

43:46.780 --> 43:47.620
When it comes back.

43:47.650 --> 43:48.080
So.

43:55.320 --> 43:56.100
Taking the wrong road.

43:58.360 --> 43:59.080
I choose the server.

43:59.080 --> 43:59.480
Right.

44:00.230 --> 44:01.260
So IP route.

44:03.080 --> 44:04.610
Static route is not installed.

44:05.330 --> 44:07.690
So Crypto IPsec is.

44:12.960 --> 44:14.400
Yeah, it should.

44:16.540 --> 44:17.320
Let me tell you why.

44:18.520 --> 44:21.580
Check this out from the client side.

44:22.820 --> 44:25.220
I told you from the client side, it's source based.

44:27.040 --> 44:29.770
It's source based. See what's happening now.

44:31.300 --> 44:33.780
So, yeah, we need to install it.

44:34.320 --> 44:35.490
There's another command for that.

44:36.140 --> 44:37.250
That's what I was checking.

44:37.730 --> 44:38.300
Show.

44:39.280 --> 44:39.730
Crypto.

44:42.050 --> 44:45.110
If you check your crypto map, you have iMap.

44:45.380 --> 44:47.150
What peer address are you using?

44:49.010 --> 44:52.580
It's a dynamic map, dynamically created.

44:52.580 --> 44:54.710
This is the first dynamic entry which was created.

44:54.710 --> 44:56.660
So 30.25 came up.

44:57.750 --> 44:58.170
Right.

44:58.980 --> 44:59.700
Check this out.

45:04.470 --> 45:14.490
An automatic ACL was used, which says traffic going from anywhere to 192.168.1.10 should be encrypted.

45:18.040 --> 45:20.440
Traffic going from anywhere to 192.168.

45:20.470 --> 45:21.220
10.10.

45:21.250 --> 45:28.150
If you really think about it and you have a look at it here, what I've done is pretty genius.

45:28.210 --> 45:30.520
I have given out an address.

45:30.520 --> 45:31.480
Which address?

45:33.940 --> 45:38.430
A pool address, which is a private address, and the crypto map is applied over here.

45:39.220 --> 45:43.240
Here I'm saying anything when the traffic hits this crypto map.

45:43.720 --> 45:49.960
If the destination of the packet is 192.168.1.10 it should be encrypted.

45:51.900 --> 45:53.010
It should be encrypted.

45:53.010 --> 45:53.600
With what?

45:53.610 --> 45:54.600
Peer address?

45:59.330 --> 46:00.260
Remember crypto maps.

46:00.260 --> 46:01.100
How do they work?

46:01.130 --> 46:02.590
They apply to an interface.

46:02.600 --> 46:06.920
Then when the interesting traffic hits, it gets encrypted.

46:07.630 --> 46:10.780
From the server side, it's destination based.

46:11.170 --> 46:15.160
So if you're going to the destination of 192.168.10.10 and you hit.

46:16.140 --> 46:16.770
This guy.

46:17.070 --> 46:19.770
Your traffic is going from x dot x to.

46:22.680 --> 46:23.460
10.10.

46:25.810 --> 46:27.160
You will be encrypted.

46:29.830 --> 46:33.250
Using ESP. What will the outside header be?

46:34.770 --> 46:37.380
Destination will be 30.25.

46:37.410 --> 46:41.700
Source will be obviously your own source, which is 20 point.

46:42.760 --> 46:43.480
So publicly.

46:43.480 --> 46:44.620
You always go where?

46:48.230 --> 46:51.020
30.25 from the guy, Right.

46:51.160 --> 46:52.040
The crypto map.

46:55.130 --> 46:58.150
It was adapted randomly, not randomly chosen.

46:58.540 --> 46:59.470
Who created the tunnel?

47:01.300 --> 47:02.410
Who initiated the tunnel.

47:04.130 --> 47:05.570
What was the public address?

47:08.610 --> 47:10.110
When it comes and registers himself.

47:10.140 --> 47:11.130
What is his public address?

47:11.970 --> 47:12.870
30.25.

47:18.170 --> 47:19.610
This is 30.25.

47:26.510 --> 47:28.220
View from the server.

47:28.400 --> 47:32.270
The server can give out any address from the pool of.

47:35.140 --> 47:36.580
This address was given from the pool.

47:36.610 --> 47:37.000
Right?

47:41.820 --> 47:42.150
30.

47:42.330 --> 47:42.960
25.

47:45.410 --> 47:46.910
I configure 25 on this guy.

47:47.600 --> 47:52.850
30.25 is whose address? The client's address, Windows XP's address.

47:56.340 --> 47:58.050
Just so that there's no confusion.

47:58.890 --> 48:00.720
30.25 is this guy's address.

48:01.650 --> 48:02.730
The public address.

48:05.610 --> 48:06.410
1925.

48:08.430 --> 48:09.940
It goes and registers itself.

48:09.960 --> 48:12.210
Now see how the process takes place.

48:13.110 --> 48:13.410
30.

48:13.560 --> 48:14.080
25.

48:14.100 --> 48:15.180
First things first.

48:15.210 --> 48:16.740
It goes and registers itself.

48:17.420 --> 48:24.260
The VPN server, the moment the VPN server sees an address, it catches it, puts it where? In the

48:24.260 --> 48:26.480
crypto map for this address.

48:28.150 --> 48:30.340
Late, then the pool is pushed down.

48:31.160 --> 48:31.930
What address?

48:31.930 --> 48:35.380
192.168.1.10 is pushed down.

48:35.380 --> 48:35.950
To whom?

48:38.130 --> 48:38.640
To see one.

48:40.650 --> 48:40.950
To the.

48:42.760 --> 48:44.470
VPN adapter on the client.

48:45.470 --> 48:47.930
It's pushed down, given to the adapter.

48:48.110 --> 48:48.620
Right?

48:48.620 --> 48:52.130
Then from the server side, it's what?

48:54.520 --> 48:55.570
Destination based.

48:56.850 --> 49:07.680
So any traffic from anywhere in this network, if it's trying to go to 192.168.1.10 and it hits

49:07.680 --> 49:10.980
this interface, it will be encrypted.

49:12.640 --> 49:15.430
This universe is source based.

49:15.610 --> 49:17.320
Anything from the client side?

49:17.320 --> 49:19.060
That is source from where?

49:21.750 --> 49:22.710
Going anywhere.

49:24.240 --> 49:25.260
We'll be going through where?

49:27.450 --> 49:29.610
Will be encrypted and going to work to the server.

49:33.550 --> 49:34.870
You cannot see it on the client.

49:36.510 --> 49:45.600
But what you can see is I can go to R1, sorry, the VPN server, I could say debug IP packet.

49:48.320 --> 49:51.530
And I'll try to send a ping.

49:52.010 --> 49:53.300
It is already getting captured.

49:53.720 --> 49:54.500
I can say ping.

49:54.860 --> 49:55.610
Any address?

49:55.610 --> 49:56.960
1.1.1.1.

50:02.900 --> 50:09.680
He received a packet for one 51.22 publicly and 151.30 5.3.

50:09.680 --> 50:12.380
But when he opens it, it doesn't know where 1.1 is.

50:12.890 --> 50:14.960
But the packet is getting encapsulated.

50:14.960 --> 50:15.230
Where?

50:16.370 --> 50:17.060
On the server.

50:17.650 --> 50:20.160
So you'll see that ESP should be going through this.

50:20.200 --> 50:20.560
ESP.

50:21.790 --> 50:23.230
These are esp packets.

50:26.060 --> 50:26.300
Right.

50:27.920 --> 50:30.930
30.2 from 30.25 to 20 dot.

50:32.660 --> 50:33.740
They'll always come through.

50:34.070 --> 50:43.280
Now, the question is, the problem with this scene is can right now can see one thing, the Internet.

50:47.880 --> 50:48.660
Can I ping?

50:54.150 --> 50:55.050
30 dot.

50:56.780 --> 50:57.050
Ten.

50:59.480 --> 51:00.320
30.10.

51:00.410 --> 51:01.760
It should ping, right?

51:02.030 --> 51:03.710
It should because it's directly connected.

51:03.710 --> 51:04.850
Right now I have two adapters.

51:04.850 --> 51:07.310
I have two addresses Right now.

51:07.310 --> 51:08.750
This PC has two addresses.

51:09.950 --> 51:12.020
One address here, one address here.

51:12.020 --> 51:13.580
If I ping like that, it should work.

51:13.670 --> 51:15.950
Logic says it should work, but it doesn't.

51:17.070 --> 51:23.070
Because by default, virtual clients are given a higher preference than physical adapters.

51:25.240 --> 51:25.930
Virtual client.

51:25.930 --> 51:27.400
This is a virtual client, right?

51:27.580 --> 51:34.900
Everything that will be coming out from this PC will be coming out using the source of 192.168.10.

51:37.690 --> 51:38.620
If it is coming through.

51:38.620 --> 51:40.060
192.168.1.10.

51:40.060 --> 51:41.230
What is the problem with that?

51:41.530 --> 51:43.780
It gets encrypted and goes where?

51:44.170 --> 51:45.070
To the server.

51:48.860 --> 51:49.670
Do you understand?

51:50.000 --> 51:50.750
Any questions?

51:50.750 --> 51:51.950
Please stop me and ask.

51:58.530 --> 52:00.900
See, when you use your route print, right?

52:00.930 --> 52:01.860
It will show you the route.

52:02.520 --> 52:03.390
How many routes?

52:03.390 --> 52:04.620
How many networks do I have?

52:04.650 --> 52:05.040
Two.

52:05.070 --> 52:08.400
One is 151.3.25.

52:08.430 --> 52:09.720
The other is 192.

52:09.720 --> 52:10.320
168.

52:10.350 --> 52:10.880
10.10.

52:12.650 --> 52:14.060
The pool address given to me.

52:14.240 --> 52:16.430
But right now, this PC has two addresses.

52:18.950 --> 52:20.240
What is the physical address?

52:20.270 --> 52:21.470
What is the pool address?

52:26.260 --> 52:27.250
Not only to address.

52:30.820 --> 52:35.610
A public address which is on the physical adapter from where you're connected to the Internet.

52:46.770 --> 52:49.770
151.20. These are all public addresses.

52:52.830 --> 52:53.070
Right.

52:56.840 --> 52:58.310
20.25 is not there.

52:58.310 --> 52:59.090
I removed it.

53:00.670 --> 53:01.150
That was.

53:01.150 --> 53:07.030
I kept it earlier when I was creating the topology, but then I kept it as 30 because 20 I was already

53:07.030 --> 53:09.250
using on this link by mistake.

53:09.250 --> 53:11.950
I made this also 20 so I removed it and changed it to 30.

53:14.430 --> 53:14.780
Okay.

53:14.790 --> 53:16.730
Now, again, let me explain this again.

53:16.740 --> 53:18.660
Now, this PC has two adapters.

53:19.380 --> 53:24.030
One is the physical one, which is directly connected with and another is the.

53:26.730 --> 53:27.780
When the packet goes out.

53:27.780 --> 53:30.960
The question is which source does it use the physical one or the virtual one?

53:31.200 --> 53:37.380
The priority is always given to the virtual one, so any packet that is coming out from this PC will

53:37.380 --> 53:39.030
be coming out with what source?

53:41.420 --> 53:42.770
10.10.

53:43.130 --> 53:47.980
So even if you try to connect this directly connected Internet, your packet will not go there.

53:47.990 --> 53:48.590
It will go there.

53:53.750 --> 53:55.150
Because it's coming from the source, right?

53:55.160 --> 53:57.660
If it's coming from the source, it will go through the tunnel.

53:57.680 --> 53:58.700
It'll be encrypted.

53:59.630 --> 54:00.950
Going through the tunnel to where?

54:03.080 --> 54:04.790
Like you want to check?

54:06.620 --> 54:07.280
Basically you do.

54:09.420 --> 54:11.240
Let's ping my directly connected ring.

54:11.250 --> 54:13.260
150.1.3.10.

54:13.290 --> 54:14.460
Directly connected to me.

54:15.930 --> 54:16.500
Cannot send.

54:19.670 --> 54:22.130
Even if it's physically right connected to me.

54:22.130 --> 54:23.540
I don't even need a default gateway.

54:23.750 --> 54:26.540
It's right there connected to the other end of the physical link.

54:29.780 --> 54:30.500
Do you understand?

54:30.830 --> 54:31.670
It's connected.

54:31.670 --> 54:34.310
We're directly connected to each other.

54:34.340 --> 54:39.230
On the other end of the physical link, I cannot ping him because whatever packets are coming from me

54:39.230 --> 54:40.580
are coming from its source.

54:40.730 --> 54:42.380
192.168.1.1.

54:42.380 --> 54:47.870
And whatever is coming from that source when it hits the physical interface is going to be encrypted

54:48.050 --> 54:48.920
and thrown away.

54:48.920 --> 54:49.460
To whom?

54:50.270 --> 54:52.460
To the VPN server.

54:54.580 --> 54:56.570
Going to be pushed out over to the VPN.

54:56.590 --> 54:56.950
So.

54:59.520 --> 54:59.730
Right.

54:59.730 --> 55:01.320
Because it's going to be encrypted.

55:01.320 --> 55:01.770
Like what?

55:01.800 --> 55:02.910
Let me draw the packet.

55:03.210 --> 55:07.620
The packet is going to look like 192.168.1.10.

55:07.650 --> 55:14.340
Going to 150.1.3.10 which is directly connected to me from here to here.

55:17.140 --> 55:21.400
Since it is here, it will be encrypted using ESP.

55:24.340 --> 55:29.890
Going from 150.1.30.25.

55:29.920 --> 55:32.620
Going to 20 dot.

55:34.510 --> 55:37.930
So the routing and everything will be done based on 20.2 and the packet will reach where.

55:40.860 --> 55:41.180
Richard.

55:47.610 --> 55:50.270
Yeah, but when it goes here, right, the source will remain.

55:50.280 --> 55:50.670
What?

55:51.820 --> 55:52.810
192.168.

55:52.830 --> 55:52.990
Ten.

55:53.170 --> 55:53.320
Ten.

55:53.350 --> 55:54.550
Does he know where that guy is?

55:54.640 --> 55:54.990
Does it?

55:58.570 --> 55:59.480
It doesn't go to the.

55:59.480 --> 55:59.730
Yeah.

55:59.740 --> 56:01.980
Because it will be decrypted where R2.

56:02.020 --> 56:02.320
Yeah.

56:03.010 --> 56:05.210
Internet will get the packet but see from where.

56:05.230 --> 56:11.620
From the server side it will first go to the server, then the server will see where is 151.33.10.

56:11.620 --> 56:13.300
So it brings back the packet.

56:13.300 --> 56:13.480
Where.

56:16.490 --> 56:17.120
Obviously not.

56:17.980 --> 56:19.480
Never knows if it had.

56:22.830 --> 56:23.470
It would work.

56:23.490 --> 56:25.140
The thing would work, but your ping would flow.

56:25.140 --> 56:26.010
Which direction?

56:34.360 --> 56:39.910
Right, Because everything originating from you has to decrypt at this level.

56:40.150 --> 56:45.340
Whatever packets coming from your side will always go where to the VPN server.

56:45.610 --> 56:48.420
But when directed towards the internet, why is it going to.

56:49.420 --> 56:51.880
Because this one is the source that you're using for each packet.

56:54.900 --> 56:56.190
No, the pool.

56:57.750 --> 56:59.670
The world would be changed to the.

57:01.500 --> 57:02.820
That's how the routing will happen.

57:02.820 --> 57:05.460
But you're whenever you're originating any packet.

57:05.490 --> 57:07.620
Now that packet has what source?

57:08.440 --> 57:08.990
192.

57:08.990 --> 57:09.560
161.

57:11.410 --> 57:15.340
Whatever packet is originated from you will have that source, so it'll be encapsulated.

57:19.880 --> 57:22.070
Yeah, but the source will still again be used.

57:22.070 --> 57:22.550
As what?

57:23.210 --> 57:27.200
When I ping the internet, what is my source that should be used normally?

57:27.470 --> 57:32.180
151.33.25 to 151.3.10.

57:32.210 --> 57:33.650
This should have been the normal case.

57:35.350 --> 57:36.850
It doesn't end up using that?

57:36.940 --> 57:37.460
No.

57:37.480 --> 57:39.880
Here the destination is this and source is this.

57:39.880 --> 57:42.160
But since your source is what?

57:43.750 --> 57:45.460
Physical is not given a preference.

57:45.500 --> 57:49.360
Loopback sorry, your loopback adapter is given a more preference.

57:49.360 --> 57:50.380
A virtual adapter.

57:50.500 --> 57:51.730
Your address will be.

57:54.100 --> 57:55.180
It doesn't end up like that.

57:55.210 --> 57:55.450
Why?

57:55.480 --> 57:57.370
Because you have an extra encryption.

57:58.200 --> 57:59.400
Encapsulation again.

57:59.450 --> 58:02.310
ESP. And at the outside you have what?

58:04.170 --> 58:05.280
30.25.

58:05.310 --> 58:05.570
Yes.

58:05.580 --> 58:07.500
Going to the destination changes now.

58:09.090 --> 58:10.920
It's, what, 20.2?

58:14.760 --> 58:15.540
20.2.

58:15.570 --> 58:16.700
20.2 is home.

58:18.050 --> 58:18.730
Easy to cancel.

58:21.540 --> 58:22.410
Why is this there?

58:30.800 --> 58:31.130
11.

58:31.730 --> 58:31.910
Ten.

58:31.910 --> 58:32.080
11.

58:32.120 --> 58:32.390
11.

58:32.400 --> 58:32.630
Yes.

58:32.630 --> 58:33.110
Yes.

58:35.340 --> 58:37.790
Interval between 192.

58:37.810 --> 58:38.280
168?

58:38.310 --> 58:41.100
No, but there is a default route from here pointing towards R2.

58:42.180 --> 58:43.350
So when it replies.

58:43.590 --> 58:44.100
Yeah.

58:51.880 --> 58:55.150
Not a part of the internal where or who knows it.

59:00.620 --> 59:01.490
Yes.

59:03.640 --> 59:05.260
I'm not getting the address from that pool.

59:05.470 --> 59:09.470
I'm getting an address from a completely different address, which is not assigned to any anything.

59:10.230 --> 59:11.370
It's a separate address.

59:12.690 --> 59:14.280
Doesn't make any difference.

59:17.160 --> 59:17.880
Anywhere else.

59:18.240 --> 59:22.380
You'll have a separate subnet for this for the pools so that you can differentiate that these are the

59:22.380 --> 59:24.930
addresses who are coming from the VPN client.

59:26.500 --> 59:30.830
Once you are there in your network, you know that these people have come from the client.

59:35.020 --> 59:35.710
Yes.

59:40.620 --> 59:41.190
In the policy.

59:41.190 --> 59:42.300
I'm not pushing any default.

59:44.620 --> 59:46.930
I have not added any reverse route right now.

59:46.960 --> 59:51.190
The thing is, I'll explain how the packet flow goes from I've not said I've not talked about the packet

59:51.190 --> 59:52.420
going through 10.11.11.1.

59:52.600 --> 59:54.520
Before that, I want you to understand this part.

59:55.000 --> 59:55.860
Do you understand this?

59:55.900 --> 59:56.260
20.

59:58.640 --> 59:59.240
Just like that.

1:00:00.920 --> 1:00:02.120
It's always going to the server.

1:00:02.420 --> 1:00:03.480
Why is this here?

1:00:03.500 --> 1:00:04.800
The question is, why is this here?

1:00:04.820 --> 1:00:06.560
Why did they do something like this?

1:00:07.370 --> 1:00:07.850
Why?

1:00:08.000 --> 1:00:10.340
Why was VPN adapter given a higher preference?

1:00:10.370 --> 1:00:13.010
It was done because, say, for example, this is your company.

1:00:14.130 --> 1:00:16.940
This is a PC where at your home there.

1:00:16.980 --> 1:00:19.170
There's a very high chance that it can have a Trojan.

1:00:19.770 --> 1:00:21.270
How does a Trojan work?

1:00:21.630 --> 1:00:22.830
The host is here.

1:00:23.190 --> 1:00:25.620
The server is sitting somewhere else on the Internet.

1:00:27.380 --> 1:00:29.040
And the server controls the Trojan.

1:00:30.400 --> 1:00:32.800
If you have the connection up straight to your server.

1:00:34.410 --> 1:00:42.390
That Trojan, whoever has control of your server, can also control your actual company's, because you have access

1:00:42.390 --> 1:00:43.680
to all the servers here, right?

1:00:44.670 --> 1:00:50.460
So if he has control over your Trojan, that Trojan will have access to what all these devices so you

1:00:50.460 --> 1:00:52.410
can gain information about those devices.

1:00:54.620 --> 1:01:00.260
So that's why what they said was they said, okay, when you connect up to the Internet, internet connectivity

1:01:00.260 --> 1:01:01.040
should not be there.

1:01:01.880 --> 1:01:06.500
So even if the Trojan was there, the server was there, the Trojan will not be able to communicate

1:01:06.500 --> 1:01:07.250
to its server.

1:01:08.370 --> 1:01:09.630
And your connection is safe.

1:01:12.240 --> 1:01:13.780
This was created earlier.

1:01:13.800 --> 1:01:17.820
Now the question comes, how do you reach 10.11.11.1?

1:01:19.310 --> 1:01:20.780
I send a ping, How do I go there?

1:01:20.810 --> 1:01:22.340
How does the packet look like?

1:01:25.100 --> 1:01:25.820
Going to.

1:01:27.900 --> 1:01:28.800
11.1.

1:01:29.460 --> 1:01:31.080
What is it encrypted using?

1:01:36.610 --> 1:01:38.020
Public source of.

1:01:38.910 --> 1:01:42.330
30.25, destination of 20.2.

1:01:42.720 --> 1:01:46.530
It will go to the internet route based on the outside header route where.

1:01:48.000 --> 1:01:48.810
Is the VPN server.

1:01:48.810 --> 1:01:52.290
The VPN server will do what? Decapsulate this.

1:01:52.590 --> 1:01:53.880
Then what does it do?

1:01:55.500 --> 1:01:56.330
With this packet.

1:02:01.370 --> 1:02:02.450
So it's a destination right?

1:02:02.450 --> 1:02:07.670
Where does it forward this packet to? Now based on this routing table, you'll see where the 10.11.11 network

1:02:07.670 --> 1:02:09.290
is from here.

1:02:09.290 --> 1:02:10.430
It's a normal routing process.

1:02:10.430 --> 1:02:10.940
So he'll see.

1:02:10.940 --> 1:02:12.860
Okay, I have access to 10.11.11.1.

1:02:12.860 --> 1:02:14.780
So it forwards it out to ten, 11.

1:02:14.780 --> 1:02:15.140
11.

1:02:16.310 --> 1:02:17.140
That's the question.

1:02:17.150 --> 1:02:18.110
How does it come back?

1:02:18.110 --> 1:02:23.030
How does the return packet look like, coming from 10.11.11.1?

1:02:25.400 --> 1:02:27.560
Going to exactly 192.168.

1:02:27.590 --> 1:02:29.060
It will reply to 10.10.

1:02:31.040 --> 1:02:32.000
From here right now.

1:02:32.000 --> 1:02:33.980
The question is, R1.

1:02:34.870 --> 1:02:37.450
Will forward it to R2 based on what?

1:02:37.480 --> 1:02:37.930
Default?

1:02:39.630 --> 1:02:40.280
Default route.

1:02:40.290 --> 1:02:40.860
It comes here.

1:02:40.860 --> 1:02:47.910
The question is, R2, does he know where 192.168.10.10 is? That is the problem.

1:02:48.360 --> 1:02:54.110
He doesn't know. If you do your route, he doesn't know where the 192.168 addresses are.

1:02:58.770 --> 1:02:59.430
Here's how we think.

1:02:59.670 --> 1:03:01.170
How does it think that is the question?

1:03:01.200 --> 1:03:01.740
See, right now.

1:03:01.740 --> 1:03:02.940
But he has what?

1:03:02.970 --> 1:03:06.060
He has a default route pointing towards where?

1:03:06.060 --> 1:03:06.660
The Internet.

1:03:08.780 --> 1:03:09.090
Losses.

1:03:09.720 --> 1:03:11.660
Losses are the default route.

1:03:11.660 --> 1:03:14.480
So what he does with the packet, he says, okay, I don't know where you are.

1:03:14.480 --> 1:03:15.040
I don't know where.

1:03:15.040 --> 1:03:17.570
192.168.1.10 is.

1:03:17.570 --> 1:03:19.130
So it forwards it out.

1:03:19.610 --> 1:03:20.930
What is applied here?

1:03:22.190 --> 1:03:29.310
A crypto map says anything which is destined to 192.168.10.10 should be encrypted using what?

1:03:29.320 --> 1:03:29.560
Set.

1:03:29.560 --> 1:03:30.610
Set peer command.

1:03:33.320 --> 1:03:38.240
Set peer is 30.25 there and 20.2 is the source.

1:03:38.420 --> 1:03:39.920
So it forwards it back to.

1:03:41.170 --> 1:03:45.130
But what would be better is if it had a route already.

1:03:46.650 --> 1:03:52.050
So instead of going through the default route and going out, if it had a route to 181, 68 and ten,

1:03:52.050 --> 1:03:52.950
that would be better.

1:03:54.540 --> 1:03:56.160
That would be better for the routing table.

1:03:56.160 --> 1:03:57.480
It doesn't have to go through The default.

1:03:57.780 --> 1:03:59.340
Default route is a little dangerous.

1:03:59.460 --> 1:04:07.020
So for that, whenever you're giving out an address from the pool, right, whenever you give out an

1:04:07.020 --> 1:04:12.270
address of 192.168.1.10, he gives it out to a public address.

1:04:15.270 --> 1:04:20.090
25 Whenever you're giving it out, you can install a static route on R2.

1:04:21.180 --> 1:04:23.070
You can inject we call it injection.

1:04:23.520 --> 1:04:24.660
Inject it out.

1:04:24.690 --> 1:04:26.310
This route is known as.

1:04:28.190 --> 1:04:28.790
Reverse.

1:04:30.710 --> 1:04:33.020
We call it reverse route injection.

1:04:37.020 --> 1:04:40.690
Whatever address that I've given up, it'll be pointing towards the see.

1:04:41.190 --> 1:04:42.480
Pointing towards the public address.

1:04:44.200 --> 1:04:47.110
Yeah, but to have information in your routing table is better.

1:04:47.290 --> 1:04:47.710
Why?

1:04:47.740 --> 1:04:50.350
Because then you can you can route that.

1:04:51.280 --> 1:04:54.460
What you can do with that is you can route that in a routing protocol.

1:04:54.850 --> 1:04:59.090
You can say redistribute this statically connected route so it can go all over your network.

1:04:59.140 --> 1:05:01.090
Everybody in the network will know that address.

1:05:03.230 --> 1:05:06.020
How you do it is in your crypto dynamic map.

1:05:08.700 --> 1:05:08.860
Here.

1:05:08.880 --> 1:05:10.110
I said set, transform, set.

1:05:10.380 --> 1:05:11.640
Another command is.

1:05:11.880 --> 1:05:12.480
That's it.

1:05:12.480 --> 1:05:12.960
Just set.

1:05:12.960 --> 1:05:13.650
Reverse route.

1:05:17.310 --> 1:05:17.980
Septimus.

1:05:23.140 --> 1:05:23.890
I think it's just a.

1:05:26.340 --> 1:05:27.810
Those are the parameters of reverse.

1:05:28.380 --> 1:05:30.930
You can set reverse route parameters of it want.

1:05:30.960 --> 1:05:33.750
Do you want it to be statically or stuff like that.

1:05:33.960 --> 1:05:36.450
So right now I'll go back here.

1:05:38.600 --> 1:05:46.650
Even after you create the tunnel again, after it gives out the address Right now, he will not ship

1:05:46.730 --> 1:05:46.970
it out.

1:05:46.970 --> 1:05:47.930
Right now there is no route.

1:05:50.700 --> 1:05:50.940
Right.

1:05:51.120 --> 1:05:54.300
But once you go in, clear your tunnel again.

1:06:00.240 --> 1:06:00.930
Is connected.

1:06:04.750 --> 1:06:05.650
Connected again.

1:06:07.570 --> 1:06:07.810
Then.

1:06:08.670 --> 1:06:09.720
Then you go to the side.

1:06:10.480 --> 1:06:11.640
Do you show IP route?

1:06:18.110 --> 1:06:20.840
The address that has been pushed down is what, 192, 168.

1:06:20.870 --> 1:06:22.160
1011.

1:06:24.220 --> 1:06:26.500
So I have a route for that to say.

1:06:26.500 --> 1:06:32.110
Anything going to 192 168 1.5 should be going out from 30.25.

1:06:34.400 --> 1:06:36.540
3025 is which interface?

1:06:36.570 --> 1:06:40.290
Obviously your F0/1, the one which is pointing to the internet.

1:06:42.740 --> 1:06:43.370
It's better.

1:06:43.370 --> 1:06:43.610
Why?

1:06:43.640 --> 1:06:49.510
Now you can redistribute this in any routing protocol so your whole internal network will know where

1:06:49.510 --> 1:06:52.190
192 168 1011 is.

1:06:56.850 --> 1:06:57.120
Yeah.

1:07:00.730 --> 1:07:01.300
The right.

1:07:01.300 --> 1:07:02.480
Now I need a default route.

1:07:02.500 --> 1:07:02.740
Why?

1:07:03.460 --> 1:07:05.420
Because I only have two devices.

1:07:05.440 --> 1:07:06.850
What if I have hundreds?

1:07:10.100 --> 1:07:13.090
New IP from the pool because I removed the previous tunnel.

1:07:13.100 --> 1:07:13.430
Right.

1:07:13.610 --> 1:07:15.350
So that one was used already?

1:07:16.400 --> 1:07:16.760
Yeah.

1:07:16.760 --> 1:07:17.480
Now it's 11.

1:07:17.480 --> 1:07:21.740
If you tear it down and bring it back up again, it'll be 12, 13, 14 like that.

1:07:24.210 --> 1:07:24.960
Go back to ten.

1:07:25.890 --> 1:07:26.550
Ten, 11, 12.

1:07:26.700 --> 1:07:27.810
Keep on cycling.

1:07:28.290 --> 1:07:31.170
The question is, why do I need this reverse route?

1:07:31.170 --> 1:07:31.450
Right?

1:07:31.470 --> 1:07:32.980
It would work without that also.

1:07:33.000 --> 1:07:36.690
The question is, right now I only have two devices pointing their default routes to me.

1:07:36.720 --> 1:07:39.270
What if I have more devices here?

1:07:40.980 --> 1:07:43.080
Not have all of them pointing the default routes.

1:07:43.380 --> 1:07:47.730
I have a routing protocol running between them, and in that routing protocol, I also need

1:07:47.730 --> 1:07:50.220
to tell them what is the IP on the other side.

1:07:52.570 --> 1:07:56.350
The IP that has been given to another client is a part of the company now, right?

1:07:56.560 --> 1:07:59.530
He's a part of the company using which private address?

1:08:03.480 --> 1:08:09.010
So everybody, every private address here needs to know that we have another guy, which is 192.168.

1:08:09.010 --> 1:08:09.960
ten, 11.

1:08:09.990 --> 1:08:11.820
My question to you is this.

1:08:11.970 --> 1:08:14.100
Can I, from R1.

1:08:16.680 --> 1:08:16.950
No.

1:08:16.950 --> 1:08:20.190
Can I ping 192168.1. 11 right now.

1:08:29.740 --> 1:08:30.960
Virtual adapter on the PC.

1:08:30.970 --> 1:08:32.290
Can I ping from R1?

1:08:37.640 --> 1:08:39.260
192 168.

1:08:39.590 --> 1:08:40.670
10.11.

1:08:42.920 --> 1:08:46.370
Now, I wouldn't call it a chain of the border.

1:08:46.820 --> 1:08:47.780
How did I do it?

1:08:48.880 --> 1:08:49.540
Going from.

1:08:51.290 --> 1:08:51.650
Can I?

1:08:53.510 --> 1:08:53.770
So.

1:08:57.430 --> 1:08:58.480
And then get encrypted.

1:09:01.290 --> 1:09:02.670
As long as you don't tear it down.

1:09:07.470 --> 1:09:08.460
It is going through the tunnel.

1:09:09.820 --> 1:09:13.600
The next hop is 10.11.11.2, which is the VPN server.

1:09:13.750 --> 1:09:16.750
After that, the only hop is straight.

1:09:17.050 --> 1:09:17.470
The final.

1:09:20.860 --> 1:09:22.540
Encryption is done based on the restriction.

1:09:22.630 --> 1:09:29.170
So if you try right now, if you want to see if it's really going through the tunnel, go to R2, show

1:09:29.170 --> 1:09:32.200
crypto ipsec sa, SA section, encaps.

1:09:32.200 --> 1:09:32.830
How many?

1:09:33.400 --> 1:09:34.540
19 and 64.

1:09:36.030 --> 1:09:36.240
Right.

1:09:38.310 --> 1:09:39.750
Send another packet.

1:09:42.570 --> 1:09:43.400
I sent them.

1:09:46.000 --> 1:09:47.470
29 and 74.

1:09:48.640 --> 1:09:49.780
How is it going to.

1:09:51.710 --> 1:09:52.570
I'll explain it again.

1:09:52.580 --> 1:09:54.160
I'll write down the whole thing.

1:09:54.170 --> 1:09:56.870
It's coming from 10.11.11.1 going to.

1:09:59.420 --> 1:10:00.170
10.10.

1:10:02.100 --> 1:10:02.290
Right.

1:10:03.000 --> 1:10:03.900
It reaches.

1:10:03.900 --> 1:10:04.380
What?

1:10:05.270 --> 1:10:07.500
R2 checks the routing table.

1:10:07.680 --> 1:10:09.240
What is the leaving interface?

1:10:10.050 --> 1:10:11.510
Hits the crypto map.

1:10:11.520 --> 1:10:12.690
Crypto map says what?

1:10:12.720 --> 1:10:14.010
What destination are you going to?

1:10:14.040 --> 1:10:14.220
Ten.

1:10:14.340 --> 1:10:14.640
11.

1:10:14.730 --> 1:10:16.080
Are you going to ten?

1:10:16.260 --> 1:10:16.770
11?

1:10:16.890 --> 1:10:18.720
You can just go as it is.

1:10:18.720 --> 1:10:20.850
You have to get encrypted.

1:10:22.080 --> 1:10:23.340
Encrypts it using.

1:10:23.990 --> 1:10:24.920
Buried at one end.

1:10:26.340 --> 1:10:31.110
30 dot four Was it across to the internet to 30.25?

1:10:31.140 --> 1:10:35.100
The VPN client decrypts it and the traffic reaches the destination.

1:10:36.160 --> 1:10:36.990
From here.

1:10:37.000 --> 1:10:38.290
Destination based.

1:10:38.950 --> 1:10:39.940
From here.

1:10:39.940 --> 1:10:40.930
Source based.

1:10:43.120 --> 1:10:43.900
Destination based.

1:10:44.260 --> 1:10:45.220
Source based.

1:10:45.370 --> 1:10:47.530
We will not do the router as a client today.

1:10:47.940 --> 1:10:49.480
Don't want to do too much.

1:10:54.360 --> 1:10:54.640
Not.

1:10:54.640 --> 1:10:55.070
Not here.

1:10:55.640 --> 1:10:56.810
It works almost the same way.

1:10:57.530 --> 1:10:58.070
In the same way.

1:10:58.070 --> 1:11:03.650
But there it used to be from source and destination, used to be defined here. From the server side only

1:11:03.650 --> 1:11:07.040
the destination is defined from the client side only the source is defined.

1:11:08.260 --> 1:11:08.900
If it works.

1:11:09.170 --> 1:11:09.860
It works the same.

1:11:10.800 --> 1:11:11.240
Looks the same.

1:11:11.550 --> 1:11:12.450
Exactly the same.

1:11:13.220 --> 1:11:18.050
Another thing that I want to show you, one last thing before we break off is check this out.

1:11:18.050 --> 1:11:19.430
You can also check that out here.

1:11:20.610 --> 1:11:21.540
We call this tunnel.

1:11:21.540 --> 1:11:22.230
Everything.

1:11:22.230 --> 1:11:23.070
Everything.

1:11:23.100 --> 1:11:31.800
If you go to statistics and you check your route details, 0.0.0.0 0.0.0.0 means everything is going through the

1:11:31.800 --> 1:11:32.070
tunnel.

1:11:32.880 --> 1:11:38.910
Every traffic that is going through from leaving this router is going through the tunnel.

1:11:39.990 --> 1:11:40.440
Right.

1:11:40.440 --> 1:11:41.670
I need to change that.

1:11:44.930 --> 1:11:46.280
Now I want the Internet to work.

1:11:46.280 --> 1:11:52.190
I don't want people to just go to the to come here see what good.

1:11:52.220 --> 1:11:56.390
Another good thing is you might want the users to use the Internet at the same time, Right.

1:11:56.390 --> 1:11:57.830
And you want extra security.

1:11:57.830 --> 1:12:02.570
So what you could do is first let them connect up through the tunnel, then have your own internet running

1:12:02.570 --> 1:12:02.840
here.

1:12:04.780 --> 1:12:05.950
And apply firewalls.

1:12:08.290 --> 1:12:08.470
Right.

1:12:08.470 --> 1:12:13.060
So when the user comes in, he can still connect to the Internet, but not from his Internet through

1:12:13.060 --> 1:12:14.560
the company's Internet connection.

1:12:15.190 --> 1:12:18.160
So everything that is coming in is coming through the company's Internet.

1:12:18.160 --> 1:12:19.630
So you might have a firewall here.

1:12:19.630 --> 1:12:23.350
So whenever a Trojan or anything is coming in, it will protect you from that.

1:12:26.740 --> 1:12:27.090
Right.

1:12:27.100 --> 1:12:32.290
If you want Internet connection for the clients, if it is absolutely necessary that they should connect.

1:12:32.290 --> 1:12:33.760
Plus you also need security.

1:12:34.660 --> 1:12:36.220
If it's not that important.

1:12:36.250 --> 1:12:39.910
But you could also say is you can tune this VPN adapter.

1:12:41.340 --> 1:12:41.940
This client.

1:12:42.730 --> 1:12:46.480
And tell him exactly this traffic should come through you.

1:12:47.050 --> 1:12:49.720
Everything else, let it go when it lets him go.

1:12:49.750 --> 1:12:52.210
The other adapter that is left is the physical adapter.

1:12:52.210 --> 1:12:53.530
It will go through the physical adapter.

1:12:55.130 --> 1:12:57.170
First preference will still be given to whom?

1:12:57.350 --> 1:12:58.520
The VPN adapter.

1:12:58.700 --> 1:13:05.480
But now you can configure the VPN adapter and tell him Listen, only traffic coming to this network

1:13:05.510 --> 1:13:06.680
should come through you.

1:13:08.280 --> 1:13:09.150
Nothing else.

1:13:11.330 --> 1:13:13.790
I'll do it on the server side and then push it down to the client.

1:13:15.040 --> 1:13:16.630
Using an access list.

1:13:17.820 --> 1:13:19.320
Now this access list.

1:13:20.780 --> 1:13:21.860
Can be a standard one.

1:13:24.300 --> 1:13:25.200
Can we extend that one?

1:13:25.200 --> 1:13:27.510
I'll say permit 10.11.11.

1:13:27.900 --> 1:13:28.470
Let's say one.

1:13:31.880 --> 1:13:32.470
Permit host.

1:13:38.620 --> 1:13:40.750
10.11.11.1 is the server.

1:13:42.040 --> 1:13:44.020
Now this is reversed, so be careful here.

1:13:44.050 --> 1:13:45.700
This is applied reverse.

1:13:49.450 --> 1:13:49.780
Here.

1:13:49.780 --> 1:13:53.770
I'm saying any traffic which is sourced from 10.11.11.1.

1:13:53.890 --> 1:13:56.410
But when I push it down, this will be reversed.

1:13:57.190 --> 1:13:59.380
So for the client, this will become the destination.

1:13:59.380 --> 1:14:01.240
Any traffic going to this destination?

1:14:01.960 --> 1:14:02.610
Should we allow?

1:14:06.390 --> 1:14:06.840
Right here.

1:14:06.840 --> 1:14:11.400
I'm saying anything going from 10.11.11.1 to any.

1:14:11.820 --> 1:14:14.040
When it was pushed down, it becomes from what?

1:14:14.220 --> 1:14:15.900
Any to.

1:14:17.900 --> 1:14:18.830
11.1.

1:14:20.510 --> 1:14:23.660
Let's see how this is applied so we can have a good idea of how it works.

1:14:25.920 --> 1:14:26.910
I'll go to the server.

1:14:31.650 --> 1:14:39.570
Right, and I'll go to my crypto client configuration group sales.

1:14:40.640 --> 1:14:41.510
It's called ACL.

1:14:41.810 --> 1:14:43.640
What is the name or number of the ACL?

1:14:45.060 --> 1:14:45.330
Then.

1:14:47.020 --> 1:14:47.530
The server.

1:14:48.710 --> 1:14:51.400
The server in the client configuration group.

1:14:51.410 --> 1:14:53.630
I'm giving out a pool with the pool.

1:14:53.630 --> 1:14:57.170
I'm also giving out an ACL for the VPN client.

1:14:57.740 --> 1:15:00.740
I'm telling the client only come to this from the tunnel.

1:15:03.660 --> 1:15:05.160
Let's go ahead and disconnect.

1:15:11.810 --> 1:15:13.100
And connect back up again.

1:15:14.850 --> 1:15:15.840
I am connected.

1:15:21.720 --> 1:15:22.770
Statistics.

1:15:34.860 --> 1:15:35.580
Should be.

1:15:36.250 --> 1:15:39.310
Usually works with the standard ACL, but let's try with the other one.

1:15:42.610 --> 1:15:43.420
It doesn't go through the.

1:15:45.220 --> 1:15:46.810
Have I used it correctly?

1:15:47.020 --> 1:15:48.460
So access.

1:15:50.530 --> 1:15:52.570
No access list and I'll create another one.

1:15:52.570 --> 1:15:53.320
Extended one.

1:15:53.560 --> 1:15:54.760
Usually, sometimes it does.

1:15:54.760 --> 1:15:56.050
But right now it's not working.

1:15:56.050 --> 1:15:58.570
So I'll say anything coming from which host.

1:15:59.840 --> 1:16:01.000
Permit IP going from which.

1:16:01.010 --> 1:16:02.690
Host 10.11.11.1.

1:16:05.500 --> 1:16:07.020
Going to any.

1:16:08.140 --> 1:16:15.520
Same thing, just an extended ACL, and then apply it where? Crypto isakmp client configuration group sales.

1:16:16.660 --> 1:16:18.340
ACL 101.

1:16:20.660 --> 1:16:21.590
Let's start again now.

1:16:41.690 --> 1:16:42.440
What do you see?

1:16:45.060 --> 1:16:45.320
Ten.

1:16:45.330 --> 1:16:45.630
11.

1:16:45.630 --> 1:16:46.590
11.125.

1:16:46.620 --> 1:16:47.330
It's a host.

1:16:48.690 --> 1:16:50.400
It's closed now.

1:16:50.430 --> 1:16:52.380
Traffic when it's coming from here.

1:16:52.410 --> 1:16:56.970
Now it also has a VPN adapter whenever traffic is originated from here.

1:16:58.260 --> 1:17:05.370
When you ping, for example, 10.11.11.1, before applying the source, it will check the adapter.

1:17:06.090 --> 1:17:08.160
Should it be allowed through the tunnel or not?

1:17:08.190 --> 1:17:08.880
It says yes.

1:17:08.880 --> 1:17:11.430
If it says yes, it will allow which source?

1:17:13.150 --> 1:17:13.870
Ten dot.

1:17:16.840 --> 1:17:21.850
If, however, and if this source is applied, obviously it will go through the tunnel because the source

1:17:21.850 --> 1:17:24.580
based everything on the client side is source based.

1:17:24.610 --> 1:17:27.190
If this source is applied, means it will go through the tunnel.

1:17:28.330 --> 1:17:31.990
If you're not going to 10.11.11.1, if you're going to ten dot.

1:17:33.960 --> 1:17:35.160
Let's say six.

1:17:36.740 --> 1:17:37.390
Will it pass?

1:17:37.400 --> 1:17:39.120
Will the adapter let you go?

1:17:39.140 --> 1:17:39.560
No.

1:17:39.560 --> 1:17:41.240
So it will not use its own source?

1:17:41.270 --> 1:17:42.650
What source will you use?

1:17:44.650 --> 1:17:46.420
150 that you only have one.

1:17:46.510 --> 1:17:47.560
One other option.

1:17:50.440 --> 1:17:53.260
The source will not be used at 192.168.1.

1:17:55.360 --> 1:17:56.740
That source will not be used.

1:17:56.770 --> 1:18:00.760
This source will be used since this source is used, this traffic, is it encrypted?

1:18:01.390 --> 1:18:02.170
It's not encrypted.

1:18:02.170 --> 1:18:03.490
So it will go to the.

1:18:06.250 --> 1:18:08.680
He'll go to the Internet, but it will go to the Internet.

1:18:09.600 --> 1:18:10.720
Not meant to the tunnel.

1:18:10.740 --> 1:18:11.970
It will not go to 20.2.

1:18:12.000 --> 1:18:12.900
It will go to the.

1:18:13.960 --> 1:18:17.140
So anywhere else, if you're trying to go, you can go.

1:18:18.680 --> 1:18:24.170
But if you're trying to go to 10.11.11.1, since the VPN adapter agrees with that, it will use its own

1:18:24.170 --> 1:18:24.740
source.

1:18:24.770 --> 1:18:26.570
It will be encrypted and decrypted.

1:18:26.570 --> 1:18:32.510
Where on the VPN server you can you can try this and you can verify this now.

1:18:33.910 --> 1:18:34.840
If I go to.

1:18:36.660 --> 1:18:37.110
Think.

1:18:37.110 --> 1:18:38.580
10.11.11.1.

1:18:39.210 --> 1:18:39.900
I can go.

1:18:39.930 --> 1:18:40.620
But if I go.

1:18:40.620 --> 1:18:41.730
2.6.

1:18:41.880 --> 1:18:42.690
Destination.

1:18:42.690 --> 1:18:43.470
Unreachable.

1:18:43.500 --> 1:18:44.820
Can I go to the Internet?

1:18:46.090 --> 1:18:49.570
151 dot 30 dot directly connected.

1:18:49.570 --> 1:18:49.970
Right?

1:18:52.900 --> 1:18:53.380
Split tunnel.

1:18:53.410 --> 1:18:54.520
This is known as Split tunnel.

1:18:55.310 --> 1:18:57.790
I can even go to the VPN server.

1:18:58.450 --> 1:18:59.860
I can go anywhere on the internet.

1:19:03.330 --> 1:19:04.440
For two things.

1:19:04.440 --> 1:19:04.830
You saw.

1:19:05.010 --> 1:19:05.730
What?

1:19:07.070 --> 1:19:12.700
You know, right now it's the only one one time when it will be encrypted is.

1:19:16.190 --> 1:19:19.490
That's the only one time it'll be encrypted because you're.

1:19:22.860 --> 1:19:23.880
Because your status is.

1:19:27.390 --> 1:19:28.440
Any questions, guys?

1:19:32.550 --> 1:19:34.890
Retailers in split ACL.

1:19:34.890 --> 1:19:38.280
Split ACL is in reverse direction because of the way it is applied.

1:19:39.870 --> 1:19:41.100
On the on the server.

1:19:41.100 --> 1:19:42.480
It says 1020.

1:19:42.880 --> 1:19:45.000
When it goes to the client side, it's reversed.

1:19:45.840 --> 1:19:47.320
That's how the protocol is built.

1:19:47.340 --> 1:19:52.290
Yes, it's coming from any to ten, but when you specify it on the server side, it should be from.

1:19:52.880 --> 1:19:53.510
So swing.

1:19:57.420 --> 1:20:00.060
By default, the ACL is 02000.

1:20:00.130 --> 1:20:06.700
Means everything that is coming out from the PC is using the source of 192.168.1.10, or 11

1:20:06.700 --> 1:20:08.190
or 12 or whatever you have right now.

1:20:09.770 --> 1:20:10.950
Any confusion, guys?

1:20:15.050 --> 1:20:15.570
After all.

1:20:15.590 --> 1:20:16.670
Now you can pick anything.

1:20:19.480 --> 1:20:20.590
Will it be encrypted?

1:20:23.370 --> 1:20:23.680
Correct.

1:20:31.590 --> 1:20:32.580
I can bring this over.

1:20:32.580 --> 1:20:33.180
Yes.

1:20:37.920 --> 1:20:39.570
The What will be the status of what?

1:20:42.630 --> 1:20:43.710
No, no, no, it won't be.

1:20:43.860 --> 1:20:45.300
The tunnel is already created.

1:20:46.440 --> 1:20:48.060
You're already connected through the tunnel.

1:20:48.300 --> 1:20:50.670
Now you have a connection to the server, right?

1:20:50.700 --> 1:20:53.940
Now you can send packets also from the other adapter that you have.

1:20:54.060 --> 1:20:55.870
You can go anywhere from that adapter.

1:20:55.890 --> 1:20:56.760
You can ping the server.

1:20:56.760 --> 1:20:57.840
You can ping anywhere else.

1:20:57.840 --> 1:20:59.370
But this tunnel is set up.

1:20:59.610 --> 1:21:03.780
Only traffic going through this tunnel will be what, to 10.11.11.1.

1:21:04.730 --> 1:21:08.960
Whatever packet you're sending through the other physical link, it does not affect this

1:21:08.960 --> 1:21:09.380
link.

1:21:09.900 --> 1:21:12.420
This is already set unless you disconnect it.

1:21:14.150 --> 1:21:14.540
Okay.

1:21:16.320 --> 1:21:16.560
Let.

1:21:18.070 --> 1:21:18.760
Everybody clear?

1:21:20.180 --> 1:21:21.130
There with VPN.

1:21:21.350 --> 1:21:22.780
This is just the client mode.

1:21:24.700 --> 1:21:26.330
This is just the client mode.

1:21:26.350 --> 1:21:27.940
Now you have network extension mode.

1:21:28.120 --> 1:21:29.380
Network plus mode.

1:21:30.630 --> 1:21:32.430
Plus you also have to do.

1:21:33.420 --> 1:21:37.670
The same VPN using VTIs, virtual tunnel interfaces.

1:21:39.740 --> 1:21:40.190
So.

1:21:40.400 --> 1:21:41.350
So three more.

1:21:41.360 --> 1:21:43.190
Three more implementations of the same thing.

1:21:44.300 --> 1:21:47.360
Right based on the VPN client as well as on the server.

1:21:47.360 --> 1:21:53.180
So tomorrow what we'll do is we'll do the same thing, but using what router as a client?

1:21:54.960 --> 1:21:55.980
LLC network extension.

1:21:55.980 --> 1:22:01.830
But before that, do practice this part because tomorrow we'll be going into more advanced features

1:22:01.830 --> 1:22:02.500
of VPN.

1:22:04.400 --> 1:22:04.810
Let we say.
