WEBVTT

00:08.070 --> 00:09.870
So, yeah, let's move.

00:10.170 --> 00:14.320
Now the configuration is set just exactly like yesterday.

00:14.340 --> 00:17.520
The first thing you need to make sure: our R4 and R5.

00:17.550 --> 00:19.110
These are two different sites.

00:20.530 --> 00:21.610
Of the same company.

00:40.960 --> 00:41.170
Right.

00:41.200 --> 00:46.900
Two different sites, same company, connected to the Internet. Making sure, first of all, R4

00:48.480 --> 00:49.020
Can ping

00:49.020 --> 00:53.430
151 .2.2, which is the VPN server. R5,

00:53.460 --> 00:57.210
The other site can also ping 20 dot.

00:58.380 --> 00:59.520
Communication is done.

01:00.300 --> 01:01.890
I need to configure the server now.

01:04.170 --> 01:04.920
I'll call it.

01:07.100 --> 01:07.820
I server.

01:14.300 --> 01:14.650
Right.

01:15.140 --> 01:16.310
What is the configuration?

01:16.310 --> 01:16.850
Let's go.

01:18.420 --> 01:19.680
Starting from step one.

01:21.860 --> 01:22.670
Crypto ISAKMP.

01:23.880 --> 01:24.720
Policy ten.

01:26.180 --> 01:27.230
Encryption.

01:28.160 --> 01:31.070
3DES, authentication.

01:32.420 --> 01:35.620
Pre-share, hash MD5.

01:35.630 --> 01:38.870
Remember MD5 and group.

01:41.060 --> 01:45.110
Modify because the client does not support QA, then he don't need.

01:46.460 --> 01:47.480
No reader key, right.

01:47.720 --> 01:50.730
I would require an ISAKMP configuration group.

01:52.030 --> 01:55.660
But in the group I need to specify a key and a pool.

01:55.780 --> 01:57.870
So I need to specify here first.

01:59.390 --> 02:00.150
IP pool.

02:00.230 --> 02:01.970
I'll call it sales pool.

02:02.600 --> 02:03.880
Then I'll give it an address.

02:03.880 --> 02:07.010
1932168. ten dot ten.

02:07.870 --> 02:10.060
21922168.1..

02:11.590 --> 02:13.120
I don't think there's a tool here.

02:19.670 --> 02:19.930
Done?

02:20.910 --> 02:21.190
Said.

02:21.710 --> 02:24.970
Third is the group name and key.

02:24.980 --> 02:26.780
How crypto.

02:28.000 --> 02:39.790
ISAKMP client configuration to whatever sales, then the key is going to be the pool that is supposed

02:39.790 --> 02:42.190
to be pushed down is the sales.

02:44.710 --> 02:44.990
Done.

02:45.280 --> 02:48.340
Then step four. You already know: crypto.

02:50.700 --> 02:53.490
Transform hypertext transforms.

02:57.090 --> 02:57.840
He set?

02:58.740 --> 03:00.310
BSP leaders.

03:00.460 --> 03:00.930
BSP.

03:02.260 --> 03:02.560
Five.

03:05.140 --> 03:06.280
To step five.

03:06.640 --> 03:09.340
Now I've done everything I need to push it down.

03:09.340 --> 03:11.520
To push it down, I need to first authorize the guy.

03:11.530 --> 03:14.200
How do I authorize the guy? AAA new-model.

03:16.600 --> 03:17.080
AAA.

03:18.610 --> 03:20.760
Authorization network.

03:21.250 --> 03:23.080
Whatever local.

03:25.090 --> 03:25.680
All right.

03:25.680 --> 03:30.600
So I'm saying that basic authorization of whoever comes in should be checked against the local database,

03:30.600 --> 03:36.200
not a AAA server, should be locally done, which I've configured here.

03:36.210 --> 03:36.990
This part.

03:38.060 --> 03:44.060
Then step six is crypto dynamic map.

03:45.340 --> 03:49.390
Like anything Quinten said.

03:51.400 --> 03:53.800
Transform set to set.

03:53.830 --> 03:56.770
Also if you want reverse.

04:00.060 --> 04:00.360
None.

04:01.240 --> 04:04.570
Finally, step seven is binding the dynamic map to.

04:06.640 --> 04:12.760
I map ten ipsec-isakmp dynamic Devi.

04:14.770 --> 04:17.020
Then other crypto map parameters.

04:17.020 --> 04:23.890
Crypto Map iMap Client Configuration Address.

04:26.740 --> 04:28.510
Crypto map I map.

04:28.720 --> 04:30.010
What else do I need to say?

04:30.940 --> 04:31.660
ISAKMP.

04:33.240 --> 04:34.680
Authorization list.

04:36.900 --> 04:37.950
Interface.

04:38.700 --> 04:42.960
Step eight was interface Fa0 one.

04:44.830 --> 04:46.030
Crypto map.

04:48.200 --> 04:48.710
Correct.

04:53.630 --> 04:56.690
ISAKMP is on, your VPN server is up.

04:58.410 --> 04:58.980
Now, yesterday.

04:58.980 --> 04:59.820
How did we connect?

04:59.820 --> 05:03.960
We just went to the client, gave the group name and key and it was connected, right?

05:05.100 --> 05:08.760
Here, let's say, for one of the clients.

05:13.530 --> 05:14.640
I say this is site one.

05:19.110 --> 05:20.070
Right here.

05:20.070 --> 05:21.570
You have to do a little configuration.

05:21.570 --> 05:22.440
Not a lot.

05:22.710 --> 05:27.900
It is still Easy VPN, it is still easy on the client, but there is a slight difference between the

05:27.900 --> 05:32.220
router as a client and your normal VPN client software.

05:33.060 --> 05:34.310
What is the difference?

05:34.320 --> 05:35.490
Let's have a look at that.

05:36.030 --> 05:41.610
Now what is going to happen when R4 is going to create a connection with R2?

05:42.060 --> 05:44.310
R2 is going to push down an IP address.

05:45.300 --> 05:47.910
Yesterday, that IP address was pushed down.

05:47.910 --> 05:48.600
To what?

05:50.320 --> 05:50.980
To the adapter.

05:52.120 --> 05:53.260
To the VPN's adapter.

05:53.260 --> 05:53.680
Right.

05:53.710 --> 05:59.950
The adapter which was on the Windows PC. Today, when this address is getting pushed down, which right

05:59.950 --> 06:04.230
now is going to be 192.168.1.1.

06:04.330 --> 06:06.190
Where is it going to be pushed down on?

06:07.330 --> 06:09.220
It doesn't have an adapter, right.

06:10.270 --> 06:16.120
What's going to happen is R4 is going to create a new loopback.

06:16.570 --> 06:21.670
This loopback will be loopback 10,000 automatically created.

06:21.670 --> 06:25.930
And this address that you push down will be pushed down to the loopback.

06:26.650 --> 06:27.220
10,000.

06:28.860 --> 06:31.950
Same address, the one which you pushed down yesterday.

06:31.950 --> 06:34.080
It was pushed down to the VPN adapter.

06:35.480 --> 06:37.670
Which was with which comes with the software.

06:38.030 --> 06:40.520
Here it gets pushed down to a loopback.

06:40.550 --> 06:41.270
10,000.

06:41.480 --> 06:44.090
A new loopback is created and it gets pushed down.

06:44.840 --> 06:48.230
Everything else is the same except for certain other things.

06:48.260 --> 06:49.040
We'll see that.

06:50.520 --> 06:50.880
Right.

06:52.080 --> 06:57.690
Also here, when you're creating a connection, you need to specify an inside interface and an outside

06:57.690 --> 06:58.500
interface.

06:59.220 --> 07:00.560
What do I mean by that?

07:00.570 --> 07:01.680
You need to specify.

07:01.680 --> 07:04.200
Okay, this is my outside interface.

07:04.440 --> 07:05.400
Obviously.

07:05.820 --> 07:07.140
Which one do you want to be?

07:07.140 --> 07:10.350
Your inside interface on the router as a client.

07:10.620 --> 07:15.120
See on the VPN client only one person can go to the VPN server.

07:15.120 --> 07:17.850
Right to these devices.

07:17.880 --> 07:20.070
There's only one client which was connected, so you connect.

07:20.070 --> 07:24.330
Only that guy who connects up will be able to reach here on the router.

07:24.330 --> 07:32.010
You have the capability of making sure anybody who's inside can go and access these servers.

07:33.600 --> 07:40.020
So when you specify an inside and an outside: outside, you specify for your public address; inside,

07:40.020 --> 07:45.780
you specify for which users do you want to be able to access this service.

07:48.180 --> 07:49.080
I'll here.

07:49.080 --> 07:51.270
I'll say 10.4.4.0.

07:51.300 --> 07:56.580
Anybody on the subnet of 10.4.4.0 should be able to access whom? These servers behind.

07:57.610 --> 07:59.950
Basically the traffic should go through the tunnel.

08:01.370 --> 08:01.810
Right.

08:01.850 --> 08:09.260
I'll explain how the mechanics works, how it works along the way, how it encrypts that traffic.

08:09.260 --> 08:11.990
But understand the inside and the outside part.

08:11.990 --> 08:17.480
Anything you specify on the inside should be able to go through the tunnel. Outside is your public address

08:17.480 --> 08:18.440
that you'll be using.

08:19.520 --> 08:20.080
Okay.

08:20.090 --> 08:20.960
These two things.

08:20.960 --> 08:21.380
That's it.

08:21.380 --> 08:22.700
Everything else is the same.

08:22.880 --> 08:25.190
Let's go ahead and see how to do it on the side.

08:25.340 --> 08:29.900
Now, the command that you use is crypto ipsec client ezvpn.

08:36.080 --> 08:36.680
To the loopback.

08:36.710 --> 08:37.340
10,000.

08:37.340 --> 08:38.720
Yes, that'll be from the CPU.

08:40.500 --> 08:44.480
crypto ipsec client ezvpn, you name it anything.

08:44.490 --> 08:46.200
This name does not matter, locally

08:46.200 --> 08:47.760
significant. I'll say easy.

08:50.070 --> 08:50.340
Here.

08:50.340 --> 08:50.610
Address.

08:50.610 --> 08:51.840
What is the address?

08:55.170 --> 08:56.340
One 51.20.

08:56.730 --> 08:57.720
Just like yesterday.

08:57.720 --> 09:00.390
We had address and group name and key here.

09:00.390 --> 09:02.760
Also, you specify the same things right here.

09:02.760 --> 09:04.800
Address Group.

09:04.920 --> 09:06.030
What is the group name?

09:08.140 --> 09:09.160
What is the key?

09:11.250 --> 09:11.700
Cisco.

09:15.850 --> 09:16.930
It was caps.

09:16.970 --> 09:17.950
She was caps.

09:20.100 --> 09:21.090
Salesforce gaps.

09:40.550 --> 09:42.860
crypto ipsec client ezvpn easy.

09:43.720 --> 09:44.200
Group.

09:45.450 --> 09:46.760
Sales key.

09:46.860 --> 09:47.600
Cisco one.

09:49.320 --> 09:49.710
Right.

09:50.190 --> 09:53.490
And I also need to give my sales.

09:53.490 --> 09:55.740
And this there's a command called connect.

09:55.770 --> 09:58.830
Do you want to connect automatically, manually or through an ACL?

10:00.640 --> 10:05.350
Connect Auto means this client will keep on trying to connect and connect and connect and connect.

10:06.900 --> 10:12.900
So if something is wrong, if you have misconfigured it, you'll see a lot of messages coming in because

10:12.900 --> 10:14.580
it'll try to keep on connecting every.

10:14.790 --> 10:16.800
You'll see a lot of messages coming in.

10:16.980 --> 10:18.930
It will not stop. Manual

10:20.250 --> 10:25.710
means you have to enter another command for it to try and create that connection.

10:26.930 --> 10:28.300
Just like yesterday to connect.

10:28.310 --> 10:29.600
We used to double click, right?

10:29.600 --> 10:30.740
So it was up to us.

10:30.740 --> 10:32.870
The control was up to us here.

10:32.870 --> 10:35.180
If you do auto, the control will not be up to you.

10:35.180 --> 10:37.820
It will try to go and connect automatically.

10:38.770 --> 10:39.190
Right.

10:39.220 --> 10:40.330
Let's keep it manual.

10:40.360 --> 10:40.990
Right now.

10:42.280 --> 10:43.120
What else do I have?

10:43.150 --> 10:45.570
Do I need anything else right now?

10:45.580 --> 10:45.940
No.

10:47.870 --> 10:50.990
By default, the mode is client but just to make sure.

10:51.020 --> 10:51.890
Mode.

10:52.070 --> 10:58.430
You have these three modes that we have that we are going to be having a look at mode, client mode,

10:58.430 --> 11:01.280
network extension and mode network plus.

11:01.700 --> 11:02.180
Here.

11:02.180 --> 11:03.470
What is the mode I'm using?

11:04.250 --> 11:05.690
I'm using router as a client.

11:07.220 --> 11:07.640
Right.

11:07.640 --> 11:10.520
So let's have a look at the client side.

11:12.580 --> 11:13.060
Crypto.

11:14.130 --> 11:15.060
IPsec client.

11:15.840 --> 11:16.980
ezvpn.

11:17.010 --> 11:18.600
Call it anything easy.

11:23.070 --> 11:23.670
Then.

11:25.380 --> 11:26.160
Connect.

11:26.220 --> 11:30.570
Manual, peer one 5122.

11:31.660 --> 11:32.260
Group.

11:33.480 --> 11:36.210
Sales, He says, Go on to three.

11:36.210 --> 11:37.200
Nothing special.

11:38.380 --> 11:38.800
More.

11:40.040 --> 11:43.310
But then you just specify the inside and the outside.

11:43.670 --> 11:46.790
Zero zero is crypto ipsec client.

11:46.820 --> 11:50.000
ezvpn easy.

11:51.100 --> 11:51.820
Outside.

11:53.010 --> 11:54.870
Interface loopback zero is.

11:56.080 --> 11:56.590
Crypto.

11:57.810 --> 11:59.580
IPsec Client.

11:59.610 --> 12:00.630
ezvpn.

12:00.660 --> 12:01.170
Easy.

12:03.400 --> 12:03.910
Inside.

12:10.440 --> 12:10.890
Okay.

12:11.040 --> 12:11.700
Simple.

12:14.320 --> 12:16.360
Interface Fa0/0.

12:16.690 --> 12:25.360
Crypto ipsec client ezvpn easy outside. Interface loopback zero: crypto ipsec client ezvpn easy.

12:26.050 --> 12:26.530
That's it.

12:26.530 --> 12:30.790
The moment you do this, your Easy VPN client is up, your ISAKMP goes up.

12:33.230 --> 12:36.450
It also in the running configuration, if you check your zero zero.

12:36.530 --> 12:40.160
You'll see that you will not see the outside command here because that is the default.

12:41.560 --> 12:46.970
If you just write crypto ipsec client ezvpn easy, that also acts as what?

12:46.990 --> 12:49.060
Outside. Inside you should see.

12:51.900 --> 12:52.250
Inside.

12:52.260 --> 12:52.680
You should see.

12:53.980 --> 12:54.670
Now.

12:54.670 --> 12:55.870
Connection is what?

12:57.610 --> 13:00.100
Connection is manual, so I have to use another command.

13:00.100 --> 13:03.790
If it was auto, it would have already tried to create a connection with the VPN server.

13:03.970 --> 13:07.870
But since it's manual I have to enter another command to connect.

13:10.410 --> 13:10.800
I start.

13:12.540 --> 13:13.470
How to do it.

13:14.010 --> 13:16.290
Crypto, not in the global config.

13:16.320 --> 13:19.340
Do not go to the global config to do that because this command will not work.

13:19.350 --> 13:23.220
Then you will get confused because you'll be going into the sub configuration mode.

13:24.000 --> 13:25.950
crypto ipsec client ezvpn.

13:25.980 --> 13:27.330
What do you think is the command?

13:28.820 --> 13:29.390
Connect.

13:32.530 --> 13:32.920
Connect.

13:33.370 --> 13:36.430
The moment you use the Connect command, it will try to go and connect.

13:36.430 --> 13:37.000
With whom?

13:38.440 --> 13:39.970
With the VPN server.

13:40.060 --> 13:41.950
And you'll see your client is.

13:43.270 --> 13:43.570
Up.

13:47.800 --> 13:48.760
The client is.

13:51.250 --> 13:51.700
Now.

13:51.730 --> 13:54.940
Easy VPN does not use your main mode.

13:54.970 --> 13:56.320
Do you remember the main mode?

13:57.070 --> 13:58.900
Main mode had how many packets?

13:59.780 --> 14:00.410
Six.

14:01.960 --> 14:05.110
ISAKMP had nine: main mode has six, six plus three.

14:05.140 --> 14:05.920
Three of quick mode.

14:08.160 --> 14:09.690
This has three.

14:10.520 --> 14:12.560
This aggressive mode only has three.

14:14.350 --> 14:15.340
Main mode had six.

14:15.340 --> 14:16.750
Aggressive has three.

14:16.780 --> 14:17.590
Why three?

14:17.620 --> 14:20.080
Remember what was the first and the second packet?

14:21.340 --> 14:22.360
Second policies.

14:22.390 --> 14:23.590
Third and the fourth.

14:24.720 --> 14:25.270
--.

14:25.590 --> 14:30.510
What they said was they said, why do we need all of this in two separate packets?

14:30.540 --> 14:31.980
Let's combine them together.

14:32.970 --> 14:39.540
So instead of just sending the policies, you send policies plus in the first packet and the return

14:39.540 --> 14:41.780
packet is also policies plus the.

14:43.570 --> 14:46.720
So at the end of the second packet, encryption starts with to begin.

14:48.630 --> 14:49.320
Again.

14:49.320 --> 14:53.940
Third and fifth and sixth packet was pre-shared key being sent from both sides.

14:56.070 --> 14:56.400
Right.

14:56.400 --> 14:57.930
So they thought, why both sides?

14:57.930 --> 15:03.090
What if five sends to six? If six accepts it, quick mode should begin.

15:06.080 --> 15:07.030
Six accepts it.

15:07.040 --> 15:08.150
Quick mode should begin.

15:09.630 --> 15:11.610
So that's how if you see.

15:13.440 --> 15:14.550
Your Wireshark right now.

15:16.580 --> 15:19.130
You have your aggressive mode and aggressive mode.

15:19.130 --> 15:20.240
Only three packets.

15:21.390 --> 15:22.620
One, two and three.

15:22.620 --> 15:27.240
Then this is the transaction because configuration is being pushed down, a lot of configuration is

15:27.240 --> 15:27.780
being pushed down.

15:27.780 --> 15:29.810
So these are just transaction messages then you have.

15:31.030 --> 15:31.590
Quick mode.

15:33.470 --> 15:35.810
You have straight up quick mode now.

15:35.810 --> 15:38.630
But first, check out the size of the first packet.

15:39.650 --> 15:40.900
1179.

15:41.090 --> 15:43.190
This is from the client to the server.

15:43.940 --> 15:45.260
Why is this so big?

15:48.560 --> 15:56.660
Remember on the on my easy VPN client, have I specified any crypto policies?

15:57.500 --> 15:58.730
So which policies?

15:58.730 --> 16:01.500
When he sends out his packet, which policies does he send?

16:01.520 --> 16:02.330
That is the question.

16:04.460 --> 16:05.150
Let's check.

16:09.730 --> 16:11.770
Not default if you check.

16:14.080 --> 16:17.020
He sends all combinations of policies that it can use.

16:19.990 --> 16:26.070
The client will send all combination of policies that it can use to the server.

16:26.080 --> 16:35.140
3DES MD5, DES MD5, DES SHA, DES MD5, 3DES MD5 with 1024 bit, with group five.

16:35.170 --> 16:39.130
Group two. All the possible combinations are sent to whom? To the VPN server.

16:39.160 --> 16:43.510
Then the server decides. The server, you already chosen what policies to use.

16:43.510 --> 16:44.590
So he chooses one of them.

16:44.590 --> 16:49.780
And to make this process a little smaller, what you could do is on the client side, you could also

16:49.780 --> 16:53.410
specify the policies so those policies would be sent.

16:53.410 --> 16:54.640
But yeah.

16:56.620 --> 16:57.730
Which policies?

17:00.600 --> 17:01.110
Yeah.

17:01.110 --> 17:02.250
We don't need to specify.

17:02.250 --> 17:02.700
Yes.

17:02.730 --> 17:05.580
If you specify, the first packet size will decrease.

17:06.270 --> 17:08.370
Right now it's 1200 bytes.

17:08.640 --> 17:09.270
It will decrease.

17:09.270 --> 17:11.010
But again, it's just one packet.

17:14.480 --> 17:17.110
Here all the supported policies by the client?

17:17.120 --> 17:17.780
Yes.

17:17.780 --> 17:19.250
By the VPN client.

17:20.150 --> 17:21.700
The router as a client, right?

17:24.100 --> 17:28.060
Not second third because has to be exchanged both sides.

17:28.060 --> 17:28.300
Right.

17:28.300 --> 17:29.590
So first packet.

17:30.280 --> 17:31.180
First packet.

17:31.210 --> 17:32.770
My second packet.

17:32.770 --> 17:35.380
Your public third packet encrypted.

17:39.990 --> 17:40.080
The.

17:44.920 --> 17:45.610
With what will.

17:46.760 --> 17:47.210
Yeah.

17:49.010 --> 17:50.720
Here will not be appreciated.

17:50.840 --> 17:51.200
Right.

17:51.770 --> 17:52.160
Group.

17:52.190 --> 17:53.450
Key group name and key.

17:55.690 --> 17:58.360
In this case, only group name and key from my end.

17:58.390 --> 18:00.010
After that, the server starts sending.

18:00.010 --> 18:01.780
What other stuff?

18:03.460 --> 18:07.330
Information and all of that after the quick mode is exactly the same.

18:07.780 --> 18:12.010
Obviously in this case it will be more from the server side because the client doesn't know anything.

18:12.280 --> 18:14.710
Everything will be pushed down after that.

18:14.740 --> 18:19.420
Right now I've not sent any traffic. Show IP interface brief.

18:19.450 --> 18:22.360
What should you see in IP interface brief?

18:26.460 --> 18:27.210
Loopback.

18:28.780 --> 18:29.710
10,000.

18:30.010 --> 18:31.330
I did not create it.

18:31.870 --> 18:33.080
10,000 loopback.

18:33.100 --> 18:34.960
What is the address that has been pushed down?

18:36.440 --> 18:39.350
192.168.10.10.

18:39.650 --> 18:42.170
Check out your show crypto isakmp sa.

18:43.100 --> 18:46.280
QM_IDLE already. Show crypto IPsec.

18:48.290 --> 18:48.710
It's here.

18:51.190 --> 18:54.190
From the client side, Is it source based or destination based?

18:55.450 --> 18:55.930
The tunnel.

18:58.560 --> 19:03.810
Right, source based, right? From the client side, anything coming from that source will be encrypted.

19:03.810 --> 19:11.460
If you see the IPsec right now, anything coming from 192.168.10.10, going anywhere else will go

19:11.460 --> 19:12.090
through the tunnel.

19:14.370 --> 19:15.660
Just a quick recap.

19:15.690 --> 19:20.370
Yesterday when we were talking about this, I said, okay, an address will be pushed down.

19:20.580 --> 19:27.090
So 192.168.1.10 will be pushed down from the server side.

19:27.090 --> 19:29.490
Anything going to 192.168.

19:30.690 --> 19:32.850
10.10 will go through the tunnel.

19:35.380 --> 19:36.880
From the server, from the client side.

19:36.880 --> 19:38.260
Anything coming with this source?

19:38.260 --> 19:38.800
Right?

19:43.570 --> 19:48.700
Anything using the source of 192.168.10.10 will go through the tunnel.

19:48.700 --> 19:53.970
Yesterday the problem was, what was the client? A PC. On the PC,

19:53.980 --> 19:56.710
There was no way for you to choose the source.

19:57.280 --> 20:03.490
Any packet coming out from the PC was always coming out using the source of 192.168.10.10.

20:03.520 --> 20:03.700
Why?

20:03.730 --> 20:11.500
Because the virtual adapter was given a higher priority than the physical adapter on a PC. On a router,

20:11.500 --> 20:12.550
It's your choice.

20:13.240 --> 20:13.660
Why?

20:13.690 --> 20:16.300
Because when you ping, you can choose your source.

20:25.760 --> 20:27.800
Whence I'm getting the address from the server.

20:29.550 --> 20:30.360
We are getting.

20:31.350 --> 20:32.850
Yes companies private.

20:36.680 --> 20:37.730
Graphical interface.

20:40.070 --> 20:40.640
Yes.

20:44.290 --> 20:46.190
How can you access the computer?

20:46.210 --> 20:46.840
See?

20:47.110 --> 20:47.850
I'll explain.

20:47.860 --> 20:48.580
I'll explain.

20:48.610 --> 20:49.480
That's a good question.

20:49.480 --> 20:56.320
He says, okay, if I have an HTTP server here and I'm using router as a client, what is the whole point

20:56.320 --> 20:56.770
of it?

20:57.820 --> 20:59.560
What is the point of having the server?

20:59.560 --> 21:01.240
Because what do I want to do?

21:01.270 --> 21:01.960
Ping it.

21:05.580 --> 21:06.300
On the router.

21:06.300 --> 21:12.000
What you have is capability of letting all these users who are behind you to be able to access this

21:12.000 --> 21:12.540
server.

21:12.840 --> 21:18.270
Not only R4 will be able to, even 10.4.4 network will be able to access it.

21:18.660 --> 21:21.900
Now these 10.4 can be PCs, separate PCs.

21:22.650 --> 21:25.050
Which will be able to access these devices.

21:26.280 --> 21:26.510
Right.

21:26.790 --> 21:35.910
We'll see in a moment how. First of all, tell me now, if I go to R4 and I ping 10.11.11.1, will

21:35.910 --> 21:36.570
it work?

21:39.920 --> 21:41.840
If I ping it like this, will it work?

21:43.220 --> 21:44.030
It will not work.

21:44.060 --> 21:44.480
You, you.

21:44.480 --> 21:44.660
You.

21:44.660 --> 21:45.050
You, you.

21:45.500 --> 21:48.620
If I ping 10.11.11.1 with the source of.

21:49.630 --> 21:51.820
10.10 or loopback.

21:51.850 --> 21:53.830
10,000 should work.

21:59.710 --> 22:03.300
It works, I can reach the server also.

22:03.310 --> 22:03.880
10.1.

22:03.880 --> 22:04.870
Point one 11.1.

22:04.870 --> 22:08.230
I should also be able to reach 10.11.11.6.

22:09.290 --> 22:17.360
Using the source of 192.168.1.10. Show crypto IPsec should show me encryption and decryption is happening.

22:20.360 --> 22:20.800
Okay.

22:20.810 --> 22:28.040
From the server side, if I go from the server side show IP route, I should be able to see a static

22:28.040 --> 22:32.690
route installed because reverse route injection is on towards the public address.

22:34.600 --> 22:36.790
Us whoever registered to me.

22:37.360 --> 22:37.750
Right.

22:37.750 --> 22:41.740
So I should be also able to send traffic to one and 2168.1..

22:44.860 --> 22:45.280
From the.

22:45.280 --> 22:47.200
So what do you have to make sure?

22:47.200 --> 22:50.470
What you have to understand is when you create a tunnel with the server.

22:54.550 --> 22:56.890
When you create a tunnel with the server.

23:00.620 --> 23:05.270
Your traffic gets encapsulated at the server wherever the server can go.

23:05.570 --> 23:06.650
You can go.

23:08.700 --> 23:13.080
If the server has reachability to these two devices, you should be able to go there.

23:13.620 --> 23:19.920
If the server has reachability to anybody, wherever the server can reach, because then your decision

23:20.070 --> 23:23.400
will be entirely based on r2's routing table.

23:24.090 --> 23:29.820
When you capsulate here, where you're supposed to go will be entirely based on r2's routing table.

23:29.850 --> 23:34.740
Yes, you also have to make sure that whichever device you're going to it has a reverse path.

23:39.140 --> 23:39.770
All the time.

23:39.770 --> 23:40.360
Even after.

23:41.170 --> 23:42.730
Even after split tunnel.

23:42.730 --> 23:44.140
Yes, it would be one night.

23:44.380 --> 23:46.390
Yes, but only after split tunnel.

23:46.390 --> 23:50.470
We said that only traffic going till 1111 six will use 192 168.

23:50.800 --> 23:53.080
The other ones will use the physical interface.

23:58.420 --> 23:59.350
That was the split tunnel.

23:59.380 --> 23:59.770
Right.

24:00.130 --> 24:01.660
Split tunnel said on the router.

24:01.660 --> 24:08.530
As a client, it said, use the adapter only if you're going to the destination of 10.11.11.1.

24:09.160 --> 24:11.470
If you're going anywhere else, this adapter will not be used.

24:11.470 --> 24:12.520
Which adapter will be used?

24:13.020 --> 24:13.220
Why?

24:16.700 --> 24:18.870
Right now, are you?

24:18.950 --> 24:21.140
I will be able to, but not to these devices.

24:21.140 --> 24:24.470
I'll be able to bring these devices with the physical interface.

24:25.310 --> 24:26.540
This is a private network.

24:26.700 --> 24:26.870
Okay.

24:27.080 --> 24:28.250
We won't have connectivity.

24:28.490 --> 24:29.400
I won't have connectivity.

24:29.420 --> 24:30.100
That is the server.

24:30.110 --> 24:32.720
If I was able to, I wouldn't need the VPN server.

24:33.590 --> 24:35.270
Right from the physical interface.

24:35.270 --> 24:36.020
I should be able to.

24:36.020 --> 24:37.580
Yesterday this was not possible.

24:39.650 --> 24:44.000
Yesterday this was not possible because yesterday I did not have an option to choose my source.

24:44.180 --> 24:48.230
Here I have an option to choose my source so I can go anywhere else.

24:50.770 --> 24:53.140
So there's a difference with the client and the server.

24:55.840 --> 24:56.320
Site to site?

24:56.320 --> 24:56.830
Yes.

25:02.790 --> 25:05.550
Easy VPN site to site because it's easier on the client.

25:08.690 --> 25:09.680
We have to configure.

25:11.420 --> 25:15.720
Did you see the configuration that I needed to do here on the slide?

25:17.420 --> 25:19.250
Show run section crypto.

25:20.150 --> 25:21.860
Check out the config that I did here.

25:24.690 --> 25:25.500
That's it.

25:25.770 --> 25:31.950
No policies, no transform set, no ACL, no crypto maps, no applying it on the interface.

25:31.950 --> 25:32.610
Nothing.

25:32.880 --> 25:33.570
Only this.

25:33.570 --> 25:38.100
Plus if I have another site coming in, same configuration on the other side.

25:38.610 --> 25:41.430
My policies, transform set is already configured on the server.

25:41.430 --> 25:43.200
Now anyone can connect up to the server.

25:43.320 --> 25:49.920
If I have 50 sites only this small amount of configuration on the 50 sites and they'll come up and register

25:49.920 --> 25:50.190
to me.

25:52.720 --> 25:53.110
Right.

25:53.910 --> 25:56.340
Fighting the server from one nine.

25:58.650 --> 26:01.370
Plenty to do with the source of loopback.

26:01.800 --> 26:02.480
10,000.

26:18.220 --> 26:18.460
Should.

26:19.700 --> 26:20.280
Should come up.

26:22.350 --> 26:22.980
You should come.

26:25.480 --> 26:26.410
Here it is.

26:27.420 --> 26:27.930
It should.

26:28.200 --> 26:30.210
If we have time, I don't think we will.

26:30.240 --> 26:31.830
But if we have, we'll try it with the client.

26:31.830 --> 26:33.120
We just have to connect the client to the.

26:34.530 --> 26:34.760
Right.

26:35.150 --> 26:36.350
The ping should be successful.

26:36.380 --> 26:36.820
Right?

26:36.830 --> 26:37.280
Yeah.

26:37.310 --> 26:38.450
The ping is successful.

26:38.690 --> 26:39.860
Why is the ping successful?

26:39.860 --> 26:41.030
If ping the public address?

26:41.030 --> 26:42.140
Can anyone guess?

26:44.350 --> 26:46.660
What I did was from R4.

26:46.660 --> 26:47.530
I pinged.

26:49.900 --> 26:51.430
From R4 I pinged.

26:53.050 --> 26:57.220
151 .23.2 with a source of.

26:59.970 --> 27:03.210
10.10, will it go through the tunnel?

27:03.240 --> 27:04.050
First question.

27:06.570 --> 27:07.140
Through the drummer.

27:08.040 --> 27:10.410
The only criteria to go through the tunnel is what?

27:11.550 --> 27:16.230
The source. If you're using the source as 192.168.10.10, it will go through.

27:16.230 --> 27:17.580
That is the only criteria.

27:18.630 --> 27:20.590
Always remember only two criteria.

27:20.610 --> 27:21.240
One on the server.

27:21.270 --> 27:25.980
The server is, if it's going to the destination of 192.168.10.10, it will go through the tunnel

27:26.100 --> 27:27.060
from the client side.

27:27.060 --> 27:29.850
If it's using that source, it will go through the tunnel.

27:29.850 --> 27:31.770
That's the whole point of pushing down the address.

27:33.830 --> 27:35.330
Right now.

27:36.020 --> 27:37.010
It will go through the tunnel.

27:37.040 --> 27:37.520
Right.

27:37.610 --> 27:40.440
When it reaches R2, it Capsulatus.

27:40.610 --> 27:44.290
Does R2 have the right to one Route 192 168 20.2.

27:44.300 --> 27:45.850
It's directly connected to him.

27:50.450 --> 27:53.050
One 5122 is R2's interface.

27:54.020 --> 27:56.090
Yes, but it's not leaving the router, right?

27:57.260 --> 27:59.510
It's on the router, router's interface.

28:01.480 --> 28:01.840
No, no.

28:01.870 --> 28:03.370
151 point 20.2.

28:03.400 --> 28:04.390
Who's 20.2?

28:05.290 --> 28:08.080
20.2 is R2's interface.

28:08.080 --> 28:09.690
So it sends it to that interface.

28:09.700 --> 28:15.400
R2's interface replies, checks the routing table, destination 192.168.10.10, goes back through the

28:15.400 --> 28:15.700
tunnel.

28:16.970 --> 28:18.290
So we are pinging the server.

28:19.430 --> 28:23.030
Just only pinging the server. From what public IP is it coming from?

28:24.200 --> 28:26.930
After 20.2.

28:27.320 --> 28:27.950
40.2.

28:28.580 --> 28:30.680
Coming from 40.4 to 20 point.

28:32.040 --> 28:32.790
The encapsulation.

28:32.970 --> 28:35.910
The tunnel means going from here to here as public address.

28:36.810 --> 28:39.660
My question to you guys is, okay, this is working.

28:39.660 --> 28:40.710
Everything is fine.

28:42.220 --> 28:42.820
Can.

28:44.760 --> 28:45.960
I do this.

28:46.230 --> 28:48.270
Ten, one, one, 11, 11, 11.

28:50.100 --> 28:51.870
One with the source of ten.

28:51.870 --> 28:52.590
Four, four, four.

28:58.340 --> 28:59.290
It does go through.

28:59.300 --> 29:03.400
That means my 10.4 networks can also go to the 10.11 networks.

29:03.410 --> 29:06.160
They can also access the Internet, the servers.

29:06.170 --> 29:07.310
How does this work?

29:10.480 --> 29:10.810
Sure.

29:11.290 --> 29:12.340
Crypto IPsec.

29:14.880 --> 29:16.170
3435.

29:23.350 --> 29:23.920
So.

29:27.660 --> 29:29.190
Yes, but if you check your tunnel.

29:31.700 --> 29:36.710
It is only anything coming from the source of 192.168.10.10 should go through the tunnel.

29:37.540 --> 29:38.900
Yeah, it has to come from that.

29:38.910 --> 29:39.590
It has to be in.

29:41.540 --> 29:46.370
If you check your IP interface brief, you'll see you have this interface NVI.

29:46.400 --> 29:47.120
What is NVI?

29:50.540 --> 29:54.080
What is an NVI? NAT virtual interface.

29:55.950 --> 30:01.790
NVI means a NAT virtual interface. If you check show ip nat translations.

30:07.250 --> 30:09.860
Before going out by default.

30:09.860 --> 30:12.100
That's why you do the inside and the outside.

30:12.170 --> 30:15.710
Remember that you have to do IP nat inside and IP nat outside.

30:16.340 --> 30:20.830
What you're basically saying is traffic coming from 10.4.

30:21.260 --> 30:26.300
The moment it hits your router, it will be changed to the source of what?

30:28.680 --> 30:31.770
So let's say the traffic is coming from 10.4.4.4.

30:31.770 --> 30:35.340
When it hits it will be changed to 192168..

30:35.970 --> 30:37.830
The source of the packet will be changed.

30:41.290 --> 30:42.100
What is a private.

30:43.430 --> 30:44.090
Yes.

30:44.090 --> 30:49.460
But I also know at the same time that when it gets translated to this address, it will go through the

30:49.460 --> 30:49.700
tunnel.

30:52.370 --> 30:52.490
In.

30:55.110 --> 30:55.890
On top of that.

30:55.890 --> 30:57.270
Yeah, this is just translation.

30:58.080 --> 31:01.200
I'm going to the address of 10.11.11.1.

31:01.230 --> 31:03.230
My source was 10.4.4.4.

31:03.270 --> 31:09.150
It got changed to 192.168.10.10 when it hits the interface.

31:09.180 --> 31:10.770
What happens to this packet?

31:11.910 --> 31:12.990
Encapsulation.

31:13.290 --> 31:20.670
Because the source is 192.168.10.10, encapsulation has the public header and it goes through.

31:21.350 --> 31:21.830
Reaches the.

31:23.530 --> 31:28.150
Again, traffic coming from now you can talk about any guy doesn't have to be.

31:30.360 --> 31:31.940
Talk about this part of the network.

31:33.460 --> 31:42.640
Traffic going from let's say there's a there's a guy sitting here whose address is 10.4.4.4.

31:43.750 --> 31:44.980
It wants to send a packet.

31:44.980 --> 31:45.490
To whom?

31:46.600 --> 31:47.950
Ten, 11.

31:47.950 --> 31:48.850
11 dot.

31:50.670 --> 31:53.300
The moment this traffic hits.

31:53.310 --> 31:53.730
What?

31:55.430 --> 31:57.620
The interface before going out.

31:57.650 --> 32:02.630
What is going to happen to this traffic is this is going to be changed to packet.

32:04.700 --> 32:05.600
PATing happens.

32:06.520 --> 32:10.420
So all of all of the people coming in will be PATed onto this address.

32:13.870 --> 32:16.120
Now it tries to hit the interface, leave the interface.

32:16.120 --> 32:17.410
But what does the interface see?

32:17.410 --> 32:19.840
The source is 192 168 .1. ten.

32:19.870 --> 32:22.540
The tunnel says anything coming from the source.

32:26.250 --> 32:31.350
ESP going from 40.4 to.

32:32.380 --> 32:33.940
28 public address.

32:33.940 --> 32:34.990
And this part will be.

32:36.850 --> 32:37.000
And.

32:39.530 --> 32:39.890
Right.

32:39.890 --> 32:43.220
So you'll see that your traffic then will flow from.

32:44.520 --> 32:45.360
This part.

32:46.730 --> 32:51.440
To whatever you're trying to go, wherever you're trying to go, it will encapsulate.

32:53.260 --> 32:57.580
It will encapsulate here, R2 it go wherever it wants to go.

32:57.610 --> 33:00.100
When R1 replies, which address does it reply to?

33:02.020 --> 33:06.090
Ten 44192168192168.

33:08.240 --> 33:09.260
It was already PATed?

33:09.350 --> 33:10.250
Yes.

33:13.630 --> 33:14.350
Exactly.

33:14.350 --> 33:15.950
So when it comes back to R2.

33:15.970 --> 33:19.960
R2 will see the destination is 192.168.10.10.

33:21.040 --> 33:21.460
It will do.

33:21.490 --> 33:21.910
What?

33:21.940 --> 33:23.350
Send it back through the tunnel.

33:24.250 --> 33:25.270
It'll come back here.

33:25.300 --> 33:26.860
The moment it comes back here.

33:26.860 --> 33:30.810
Now it comes back here from the source of 10.11.11.

33:30.820 --> 33:33.000
1, coming to 192.168.10.10.

33:33.010 --> 33:35.860
But it will have a port number also associated with it.

33:36.460 --> 33:42.070
Based on that port number, it will change 192.168.10.10 back to 10.4.4.4.

33:42.070 --> 33:45.010
Same port number forward it back to the same client.

33:46.800 --> 33:51.300
That's how the router can act as an easy VPN client.

33:51.330 --> 33:56.070
The flexibility that it gives you is on the easy VPN server.

33:56.460 --> 33:57.720
Sorry, on the easy VPN client.

33:57.720 --> 34:01.530
As the software, you can only have one user connecting up here.

34:01.530 --> 34:06.840
If you do it on a router, everybody behind you will be able to go and use the easy VPN server.

34:08.130 --> 34:09.030
Everyone behind.

34:13.070 --> 34:16.760
One of the software would be required on each of the PCs here.

34:16.760 --> 34:20.450
You just need to do it where the clients don't need a software.

34:20.450 --> 34:22.450
They can just send a ping to 10.11.11.1.

34:22.490 --> 34:23.420
It will go through.

34:33.510 --> 34:34.110
Exactly.

34:34.110 --> 34:35.640
But you just have to do it once.

34:36.030 --> 34:37.920
Connection has to be established only once.

34:43.280 --> 34:43.690
Good.

34:43.700 --> 34:44.110
Yeah.

34:48.280 --> 34:51.130
So course the server cannot communicate again.

34:51.160 --> 34:51.910
Good point.

34:51.940 --> 34:55.150
Right now our R2 can go to what with which address.

34:55.150 --> 34:58.210
If R2 wants to ping 10.4.4, can it go?

35:01.250 --> 35:01.730
Can do.

35:01.730 --> 35:02.060
Ping.

35:02.090 --> 35:03.380
10.4.4.

35:04.760 --> 35:05.650
Cannot, right?

35:06.030 --> 35:08.010
So the side to is a VPN server.

35:08.030 --> 35:08.870
Can I ping?

35:08.900 --> 35:10.250
10.4.4.4.

35:12.050 --> 35:12.590
I cannot.

35:13.160 --> 35:13.850
Why?

35:13.880 --> 35:16.610
Because I don't know what 10.4 is.

35:18.260 --> 35:19.490
I only know 192.

35:19.490 --> 35:20.050
168.

35:20.060 --> 35:20.730
10.10.

35:22.390 --> 35:27.790
10.4 was known to whom? R4. When R4 comes to me, he doesn't come as 10.4.

35:27.820 --> 35:31.300
He comes in as a PATed address of 192.168.10.10.

35:31.300 --> 35:33.310
And that is the only address the server knows.

35:35.930 --> 35:36.260
Right.

35:38.750 --> 35:39.260
Even in.

35:40.930 --> 35:42.480
Yesterday's situation.

35:42.490 --> 35:44.400
There was no there was no loopback.

35:44.810 --> 35:46.240
Yesterday's service situation.

35:46.240 --> 35:47.190
There was only one address.

35:47.200 --> 35:48.160
Which address?

35:49.270 --> 35:52.630
192 168 .1. ten Yesterday.

35:52.630 --> 35:53.320
Also it was the same.

35:53.320 --> 35:54.730
So I can reach 10.10.

35:58.520 --> 36:02.030
You would be able to ping the physical interface, but the GUI would not reply back.

36:02.210 --> 36:03.620
That's a different case here.

36:03.620 --> 36:03.950
Here.

36:03.950 --> 36:05.390
Yesterday there was no loopback.

36:05.720 --> 36:09.020
Yesterday no one was getting PATed here.

36:09.050 --> 36:12.170
Today I want to access all the users who are behind R1.

36:12.560 --> 36:14.360
Yesterday there was no one behind the PC.

36:15.620 --> 36:16.850
Do you understand what I want to do?

36:16.850 --> 36:21.890
The server wants to do what it wants to access all the PCs which are behind R2.

36:22.760 --> 36:23.840
How do I do that?

36:27.650 --> 36:29.150
I need to know that information.

36:29.150 --> 36:29.930
I don't know it.

36:30.200 --> 36:32.480
I only know the address that I pushed down.

36:34.020 --> 36:36.900
The way you do this is pretty simple.

36:38.610 --> 36:40.020
You go to the site.

36:40.950 --> 36:43.200
crypto ipsec client ezvpn easy.

36:44.240 --> 36:48.980
Mode, not client, but network extension.

36:51.010 --> 36:52.630
A network extension mode.

36:53.230 --> 36:56.500
It will not ask for an address from the server.

36:57.400 --> 36:59.090
An address will not be pushed down.

37:01.130 --> 37:02.000
The client goes down.

37:02.000 --> 37:02.390
Right.

37:03.330 --> 37:05.120
Loopback 10000 removed.

37:05.630 --> 37:06.740
Show IP interface Brief.

37:09.230 --> 37:09.440
No.

37:09.440 --> 37:09.730
Loopback

37:09.740 --> 37:10.230
10000.

37:10.250 --> 37:12.890
It goes back to normal show IP route.

37:14.620 --> 37:17.110
Charles the crypto IPsec client is VPN easy.

37:17.780 --> 37:18.180
Sorry.

37:18.280 --> 37:18.820
Connect.

37:24.800 --> 37:25.520
Connection is up.

37:27.740 --> 37:28.580
Check this out.

37:28.610 --> 37:31.220
NEM remote subnets.

37:34.720 --> 37:36.010
Remote subnets means.

37:36.010 --> 37:42.220
Now, when the connection is created, not only does the server push down anything, the client also

37:42.220 --> 37:43.150
pushes up.

37:44.580 --> 37:45.050
Pushes up.

37:45.060 --> 37:45.480
What?

37:47.450 --> 37:48.650
These addresses.

37:49.190 --> 37:51.740
He will tell the server, Listen, I have this address.

37:51.740 --> 37:55.430
If you want to send traffic to 10.4, send it through the tunnel.

37:57.840 --> 37:58.140
Earlier.

37:58.140 --> 37:59.280
It was not possible here.

37:59.310 --> 38:00.540
NATing will not happen.

38:00.690 --> 38:03.240
The server did not push down any address to me.

38:04.840 --> 38:06.340
The server pushes nothing to me.

38:08.410 --> 38:13.890
Okay, so from here, the tunnel will be based on anything sourced from 10.4.4.0.

38:13.900 --> 38:15.070
We'll go through the tunnel.

38:17.920 --> 38:21.250
I will show you that that that that's another good thing.

38:21.250 --> 38:23.380
We need to check that I didn't show you last time.

38:23.380 --> 38:23.740
We'll show you.

38:23.740 --> 38:27.790
Here on R2, anything going to 10.4 will go through the.

38:29.930 --> 38:30.820
Let's go to R2.

38:33.680 --> 38:34.610
Check your route.

38:36.910 --> 38:37.780
What do you see?

38:40.600 --> 38:42.850
You do need reverse route injection here.

38:43.450 --> 38:45.370
You do need reverse route injection.

38:46.090 --> 38:46.990
What do you see?

38:48.390 --> 38:49.800
No IP has been pushed down.

38:54.130 --> 38:57.120
If you check here show IP interface brief.

38:57.130 --> 38:57.880
There is no loopback.

38:57.910 --> 38:58.540
10,000.

38:58.780 --> 39:00.040
Nothing has been pushed down.

39:00.040 --> 39:00.970
It's very simple.

39:00.970 --> 39:03.880
The client is telling the server, Listen, I have this address.

39:03.880 --> 39:06.760
If you want to send traffic to this address, send it through me.

39:08.550 --> 39:16.860
So show crypto ipsec sa will show you any traffic going to, not 192.168, going to 10.4.4.

39:18.470 --> 39:19.910
Any traffic going to 10.4.

39:19.910 --> 39:21.200
And from the side side.

39:21.830 --> 39:23.030
Show crypto IPsec.

39:23.540 --> 39:26.390
Any traffic coming from 10.4.

39:27.840 --> 39:31.980
So earlier, the address that was pushed down was used as a source.

39:32.160 --> 39:37.230
Now, the loopback will be used as the source.

39:38.340 --> 39:42.480
Now the loopback in real life scenario in production environment, you'll be having what?

39:42.630 --> 39:46.230
A full network that will be pushed up.

39:47.680 --> 39:49.270
Or down both ways.

39:50.110 --> 39:50.380
Right.

39:50.470 --> 39:52.210
Let's see if the server can reach.

39:53.010 --> 39:53.250
Ten.

39:53.250 --> 39:54.020
Four, four, four.

39:54.660 --> 39:55.560
Obviously it can.

39:56.410 --> 39:56.950
This is the site.

39:58.840 --> 40:06.850
Ping 10.4.4.4. Can the people inside R1 and R6, can they reach 10.4.4.4? Obviously can.

40:08.720 --> 40:09.520
Obviously can.

40:09.530 --> 40:11.990
Now it acts exactly like a site-to-site VPN.

40:14.400 --> 40:19.470
Now, this is an exact copy of a site-to-site VPN, and this is what a lot of people have been doing.

40:20.790 --> 40:24.840
As a replacement to site-to-site VPN because this is much easier to configure.

40:26.870 --> 40:27.110
Right.

40:27.410 --> 40:29.870
You see right now that both the sides.

40:31.710 --> 40:35.170
This loopback is able to reach the server behind.

40:39.860 --> 40:40.880
If we had a LAN.

40:40.880 --> 40:42.860
Let's simulate that LAN using what?

40:43.220 --> 40:43.800
Another loopback.

40:45.500 --> 40:46.040
Loopback 1.

40:47.690 --> 40:49.280
What if I had another LAN here?

40:49.310 --> 40:49.850
44.

40:49.850 --> 40:50.300
44.

40:50.510 --> 40:51.140
44.

40:52.660 --> 40:53.040
Right.

40:53.080 --> 40:55.900
What if I wanted those users to also go up? Earlier

40:55.900 --> 40:56.490
I would do it.

40:56.500 --> 40:56.850
How?

40:57.010 --> 40:58.560
Using ACLs, right?

40:58.570 --> 41:00.960
Proxy ACL would specify traffic going from here.

41:01.000 --> 41:03.430
Here all you need to do is go to that LAN.

41:05.470 --> 41:08.950
crypto ipsec client ezvpn easy inside.

41:11.650 --> 41:11.950
Okay.

41:12.670 --> 41:16.060
crypto ipsec client ezvpn connect.

41:21.540 --> 41:23.880
Connection is up instead of sending one.

41:24.240 --> 41:25.560
It sends how many?

41:25.980 --> 41:27.150
Two subnets up.

41:28.170 --> 41:32.520
So from the server side show IP route you'll see not one but.

41:35.700 --> 41:36.450
Two subnets.

41:41.580 --> 41:42.300
Which inside.

41:43.500 --> 41:43.920
Yeah.

41:43.950 --> 41:45.870
Like right now I'm using interface loopback.

41:45.900 --> 41:48.210
You can use interface FastEthernet 0/0.

41:50.100 --> 41:51.000
The full subnet.

41:51.630 --> 41:56.940
If you check right now, he's sending the subnet 1044 44 zero slash 24.

41:57.450 --> 41:58.950
The full subnet is sent up.

42:00.180 --> 42:05.700
So now the users, your PC they can also access 4444 dot.

42:07.930 --> 42:10.890
Your servers can also access full networks.

42:10.900 --> 42:14.320
All the loopbacks that you specify as the inside will be acted up.

42:15.040 --> 42:16.180
Let's do another thing.

42:16.180 --> 42:22.450
Let's go to the other side, site two. Let's configure this guy also as network extension mode and then

42:22.450 --> 42:26.710
let's see if the two sides can communicate to each other through the VPN server.

42:28.120 --> 42:28.380
Right.

42:30.710 --> 42:33.070
The rout is used on the VPN server.

42:33.110 --> 42:35.120
That's how it installs the static routes.

42:36.620 --> 42:37.730
Let's go to R5.

42:41.670 --> 42:42.160
Football.

42:43.110 --> 42:47.460
It should, because you're not pushing down anything and you're not giving out an address.

42:47.490 --> 42:51.420
The static route will be installed anyways, but it's always a good practice to have it installed.

42:53.880 --> 42:55.520
Easy connect.

42:55.530 --> 42:58.920
I'll keep Connect Auto here instead of connect manual.

42:58.950 --> 43:04.140
On the other side here is the same 151 .2.2 group.

43:05.590 --> 43:07.120
Sales key.

43:08.360 --> 43:09.440
Cisco one, two, three.

43:09.920 --> 43:11.390
Mode network.

43:13.440 --> 43:23.040
Interface F0/0, crypto ipsec client ezvpn easy outside. Interface loopback 0, crypto ipsec client

43:23.080 --> 43:23.750
ezvpn easy.

43:27.520 --> 43:28.510
Interface Loopback zero.

43:28.510 --> 43:29.590
I've not created yet.

43:29.620 --> 43:29.890
Ten.

43:29.890 --> 43:30.100
Five.

43:30.110 --> 43:30.310
Five.

43:30.310 --> 43:30.670
Five.

43:36.950 --> 43:38.160
Connection is down. Now it's up.

43:38.220 --> 43:40.520
See, auto, I didn't have to use the command.

43:41.000 --> 43:42.560
It keeps on trying and trying.

43:42.740 --> 43:44.960
When the remote subnets did I push up?

43:45.680 --> 43:47.030
Ten, five, five zero.

43:47.540 --> 43:54.170
So if you go to the server side and check your static stuffs now you also have new static routes.

43:54.170 --> 43:55.580
You have 10.5.5.5.

43:58.240 --> 44:04.230
Can I from here go to 10.11.11.1 with a source of 10.

44:04.240 --> 44:06.990
5.5.5 should be able to go.

44:07.000 --> 44:08.530
But can I go to.

44:19.460 --> 44:20.180
Think about it.

44:22.070 --> 44:24.740
I want to go from 10.5.5.5.

44:25.400 --> 44:27.410
My traffic should go from ten.

44:29.800 --> 44:31.000
Five, five, five.

44:31.030 --> 44:31.780
Go to where?

44:31.810 --> 44:32.260
Ten.

44:35.240 --> 44:35.810
From here.

44:45.190 --> 44:45.370
Right.

44:46.530 --> 44:47.160
From where?

44:47.730 --> 44:48.420
From our side.

44:48.900 --> 44:49.590
We'll be interrupted.

44:57.880 --> 45:01.040
It doesn't have to go to the server, it can go to the cloud directly.

45:01.040 --> 45:01.510
It won't go.

45:03.250 --> 45:06.370
Everything has to go to this because your peer is only the server.

45:12.740 --> 45:16.010
And then going back to R4. R4, R4 reply.

45:17.900 --> 45:18.740
That's what I will be replying.

45:18.770 --> 45:19.100
To whom?

45:19.130 --> 45:20.420
Ten dot five.

45:23.310 --> 45:24.300
R4 will be replying.

45:24.330 --> 45:24.840
To whom?

45:26.670 --> 45:27.110
It Reply.

45:27.900 --> 45:29.280
Does it have the route to 10.5?

45:37.440 --> 45:38.180
He doesn't need that.

45:40.040 --> 45:41.330
Because the source will be used.

45:42.820 --> 45:45.070
10.4 when it's coming back.

45:46.850 --> 45:48.060
And this guy is coming back.

45:48.080 --> 45:49.310
The source will be used as well.

45:51.950 --> 45:52.690
1044.

45:53.540 --> 45:54.500
Default it doesn't have.

45:54.500 --> 45:56.270
But everything will be leaving from there.

45:57.110 --> 45:59.030
When it hits that interface, only the source will be.

46:01.170 --> 46:02.010
But does it have an.

46:05.340 --> 46:12.390
Who are for four pointing towards it has a default are pointing towards this guy.

46:12.420 --> 46:13.920
That's how it connects to the server.

46:15.240 --> 46:16.590
That's how it's connected to the server, right?

46:17.250 --> 46:18.720
So will it or will it not?

46:20.990 --> 46:21.230
Will.

46:23.810 --> 46:24.290
It should.

46:25.070 --> 46:25.540
Let's try.

46:30.640 --> 46:31.270
It does.

46:32.790 --> 46:33.600
It does go through.

46:33.600 --> 46:35.970
So two sides are also communicating to each other.

46:36.000 --> 46:41.700
Now you can control it using split tunnel ACLs, by the way, if you're concerned about that, just

46:41.700 --> 46:42.540
use split ACL.

46:42.640 --> 46:44.850
Yeah, it will go through the server.

46:45.180 --> 46:48.420
It has to go through the server because the tunnels are created through the server.

46:50.380 --> 46:50.850
The tunnels.

46:50.860 --> 46:53.060
The tunnels are like that on VPN.

46:53.080 --> 46:53.680
That's how it is.

46:53.680 --> 46:54.910
You cannot have spoke to spoke.

46:56.110 --> 46:59.680
It's always server to client server client VPN.

46:59.680 --> 47:03.450
Right Now what you would have here, explain.

47:04.590 --> 47:04.950
Yeah.

47:06.010 --> 47:06.250
So.

47:09.180 --> 47:11.790
See your packet originating from R5.

47:11.820 --> 47:20.100
How does it look like coming from 10.5.5.0 going to 10.4.4.4, to be specific.

47:26.540 --> 47:27.980
Let's give it more space.

47:29.430 --> 47:32.730
Then going to 10.4.4.4 coming from 10.

47:39.220 --> 47:41.980
What happens to this packet here on R5?

47:43.390 --> 47:44.920
Will it be encrypted or not?

47:46.240 --> 47:47.420
It will be. Why will be.

47:47.440 --> 47:48.520
Will it be encrypted?

47:48.850 --> 47:49.220
Because.

47:49.630 --> 47:50.920
Because of the source.

47:51.220 --> 47:53.560
Because the source is 10.5.5. Destination,

47:53.560 --> 47:58.180
It doesn't care about it doesn't even know in his routing table where this destination is.

47:58.210 --> 48:03.460
It just knows that the leaving interface is this guy and the crypto map is applied on that interface.

48:03.460 --> 48:06.160
So based on the source, it encrypts it.

48:10.040 --> 48:13.580
The set peer address on this guy is 20.2.

48:13.610 --> 48:16.220
Source will use its own source which is 50 dot.

48:20.440 --> 48:21.250
50 dot.

48:22.170 --> 48:22.520
Correct.

48:23.190 --> 48:26.040
The packet will go through the tunnel and encapsulate where.

48:28.570 --> 48:30.860
At the VPN server because it's meant for him.

48:31.640 --> 48:33.110
The server will check.

48:34.260 --> 48:35.310
The source and destination.

48:35.310 --> 48:38.910
What is the destination now on the server?

48:38.940 --> 48:41.790
The tunnel is what source based or destination based?

48:43.070 --> 48:44.270
Destination based.

48:44.990 --> 48:49.100
So based on which destination you're going to, it will encapsulate here.

48:49.100 --> 48:49.940
The destination is what?

48:49.970 --> 48:54.200
10.4.4.4. From the server, traffic going to 10.4 goes through.

48:54.200 --> 48:54.650
Which tunnel?

48:57.410 --> 49:03.530
So it encapsulates it again, but with the source and destination of the second tunnel.

49:03.530 --> 49:06.590
So the source will be 20.2.

49:06.620 --> 49:07.760
Destination will be.

49:08.850 --> 49:09.610
40 dot.

49:09.780 --> 49:13.470
So the traffic goes from this tunnel coming back to 10.4.

49:13.680 --> 49:14.970
10.4 will open it.

49:16.740 --> 49:18.120
Check the source and destination.

49:18.120 --> 49:19.350
It's meant for him.

49:20.230 --> 49:21.610
So it's the packet.

49:23.490 --> 49:24.930
Sends a reply coming from.

49:29.560 --> 49:30.740
What happens to this packet.

49:30.760 --> 49:32.740
The tunnel on the client is what based?

49:33.280 --> 49:34.420
Source based.

49:35.500 --> 49:38.290
Anything coming from 10.4 source will go where?

49:38.530 --> 49:40.510
To the server through the tunnel.

49:40.780 --> 49:43.360
So again, encapsulation will take place.

49:47.990 --> 49:49.010
Source will be.

49:50.860 --> 49:51.940
Destination will be.

49:53.660 --> 49:55.220
Where will this traffic go back to?

49:57.290 --> 49:57.890
Through this tunnel.

49:57.890 --> 49:59.810
Right back to the server.

50:01.160 --> 50:02.570
The server will receive it.

50:02.960 --> 50:04.450
Open it again.

50:04.460 --> 50:05.790
Check the destination.

50:05.810 --> 50:07.250
Destination is 5.5.

50:07.280 --> 50:08.300
It's destination based.

50:08.300 --> 50:11.120
So anything going to 10.5.5.5 will be.

50:11.540 --> 50:12.980
Encapsulated again.

50:14.620 --> 50:16.450
Using what destination address?

50:18.370 --> 50:19.480
Source as.

50:22.280 --> 50:23.720
So the traffic will go back to.

50:25.660 --> 50:30.850
So you'll see when you send this traffic traffic on the VPN server, you'll see both the tunnels will

50:30.850 --> 50:34.080
be showing increase in the packets.

50:35.400 --> 50:36.480
How will you check that?

50:36.510 --> 50:37.890
You send traffic again.

50:38.030 --> 50:39.480
But you wouldn't be able to bring the Internet.

50:41.410 --> 50:42.400
What just happened?

50:55.340 --> 50:56.360
What just happened?

50:57.470 --> 50:59.000
I wouldn't be able to do what?

51:03.530 --> 51:05.320
If I use the source, I wouldn't.

51:07.290 --> 51:08.690
I have control over my source.

51:08.690 --> 51:09.170
Right?

51:09.830 --> 51:10.160
You won't.

51:10.550 --> 51:12.770
With the loopback, you won't be able to because it'll be encrypted.

51:14.400 --> 51:15.280
Easy VPN.

51:15.390 --> 51:20.670
But you have to understand with the network extension mode is it's not meant for bulky sites.

51:20.850 --> 51:25.230
It's meant for small sites, very small sites, not for bulky sites.

51:25.260 --> 51:29.850
If you have a site like this, a server, you will not use something like this.

51:30.090 --> 51:33.420
You'll use a normal site to site or VPN or stuff like that.

51:33.450 --> 51:39.090
This is if your site is very small and you want to access the services of that site, you will use what

51:39.780 --> 51:41.670
the network extension mode.

51:42.120 --> 51:43.740
Do you understand how it works?

51:43.770 --> 51:44.910
Network extension.

51:45.510 --> 51:50.430
What happens is what I send my networks up to the server.

51:50.460 --> 51:51.860
The server knows about them.

51:51.870 --> 51:53.610
No NATing takes place.

51:53.640 --> 51:55.290
Everything is 1 to 1.

51:56.160 --> 52:00.600
There is another mode which is known as network extension plus.

52:02.110 --> 52:03.040
Network extension.

52:03.040 --> 52:09.580
Plus, it's a very new one and it does have certain bugs, but in crypto maps, it works properly.

52:09.580 --> 52:15.190
In DVTI, in the virtual tunnel interfaces, it has certain problems. Right now it should work fine.

52:15.190 --> 52:19.510
So what we'll do is we'll convert it into network extension.

52:19.510 --> 52:21.760
Plus, can you guess what will happen in that case?

52:22.680 --> 52:23.940
Extension plus.

52:25.680 --> 52:27.000
Can you guess what will happen?

52:31.610 --> 52:33.530
See, right now, everything is okay.

52:34.100 --> 52:36.670
You can access anywhere, any device you want.

52:36.680 --> 52:38.450
But there is one slight little problem.

52:38.450 --> 52:42.710
What if from the server you wanted to telnet into R4?

52:43.520 --> 52:46.850
Do you know R4's address right now?

52:48.490 --> 52:50.230
I do not know R4's address.

52:50.620 --> 52:52.080
I only know that there is a network.

52:52.090 --> 52:55.210
10.4.4.0/24.

52:55.240 --> 52:58.120
I don't know specifically what R4's address is.

52:58.930 --> 53:01.840
So if I wanted to manage it remotely, I could not.

53:02.850 --> 53:03.990
502.

53:05.410 --> 53:11.530
4.4.4, that you know right now, it's 4.4.4, but if you're sitting remotely, will you know?

53:12.970 --> 53:13.780
Mean for the server.

53:14.260 --> 53:15.490
I'm only sitting here.

53:16.150 --> 53:17.050
I'm only sitting here.

53:17.050 --> 53:18.850
I don't know what address is on the other side.

53:19.000 --> 53:20.110
You said the client would.

53:21.130 --> 53:24.170
A client pushes the whole subnet.

53:26.810 --> 53:31.580
Client pushes to the server what the full subnet if you're only sitting on the server, if you don't

53:31.580 --> 53:34.910
have access to the client, you only have access to the server.

53:34.910 --> 53:38.840
What you can see is 10.4.4 is not connected, is it?

53:40.880 --> 53:42.020
Crypto IPsec client.

53:42.020 --> 53:42.290
Okay.

53:42.290 --> 53:42.660
It's in.

53:42.890 --> 53:43.850
It's in client mode.

53:44.780 --> 53:45.710
Crypto IPsec.

53:46.190 --> 53:47.390
Let's talk about ten, five.

53:48.200 --> 53:48.470
Ten.

53:48.470 --> 53:49.190
Five.

53:49.550 --> 53:51.020
I have access to what?

53:54.090 --> 53:55.230
The full subnet.

53:57.130 --> 54:00.220
If I wanted to telnet into R5, how would I do that?

54:01.090 --> 54:02.320
I'll enable it here.

54:06.260 --> 54:07.340
I will not be able to go there.

54:07.340 --> 54:07.770
Right?

54:07.790 --> 54:10.100
I will not be able to telnet into R5.

54:12.420 --> 54:12.960
The public.

54:12.960 --> 54:13.740
What is private?

54:13.740 --> 54:15.030
I want you to go through the tunnel.

54:16.050 --> 54:16.900
Encrypted.

54:16.920 --> 54:20.370
I would not know the address to do this.

54:20.370 --> 54:24.930
What you can do is you can go to the site, you configure it not in network extension mode, but in

54:24.930 --> 54:25.860
network Plus.

54:28.390 --> 54:30.190
Mode network.

54:35.330 --> 54:36.170
It'll do both things.

54:36.170 --> 54:37.460
They'll combine both together.

54:38.060 --> 54:40.430
Network extension and client mode together.

54:40.430 --> 54:42.530
So my subnets will go to the server.

54:42.530 --> 54:47.420
Plus I will receive a route or I will receive an address from the pool.

54:48.110 --> 54:51.470
So I will have an address plus the routes.

54:53.560 --> 55:01.210
So if you check show IP interface brief, I have received an address from the pool and if you go to

55:01.210 --> 55:02.230
the server side.

55:03.710 --> 55:08.210
The server has 10.5 as well as the address that has been given to me.

55:10.640 --> 55:13.460
Both things: the server will push down an address.

55:13.880 --> 55:17.690
The client will give me what its remote subnets.

55:19.380 --> 55:20.730
In the client mode.

55:20.730 --> 55:24.590
Only the server pushes down an address in the network extension mode.

55:24.600 --> 55:29.760
Only the client brings up what its remote subnets in network extension.

55:29.760 --> 55:31.140
Plus both things happen.

55:31.140 --> 55:32.430
I'll give out an address.

55:32.460 --> 55:33.900
The client will give out it.

55:33.900 --> 55:34.890
Give out its.

55:37.450 --> 55:40.600
When I telnet I'll be using 192 168 .1..

55:45.110 --> 55:46.550
This is only for remote management.

55:46.550 --> 55:48.800
It will not make any difference on the client side.

55:48.830 --> 55:50.000
Show crypto.

55:51.440 --> 55:53.870
IPsec SA will be the same.

55:54.790 --> 55:55.480
10.5.

55:57.430 --> 56:00.850
And 192.168, but two different SAs.

56:02.050 --> 56:05.200
192 And that both will use two different tunnels.

56:06.770 --> 56:08.030
Two different IPsec tunnels.

56:08.120 --> 56:12.230
One going to 192.168.10.11, one going to 10.5.5.0.

56:12.260 --> 56:20.900
Even from this side you should be able to see that crypto IPsec sa include include.

56:24.070 --> 56:24.490
Check it out.

56:24.520 --> 56:25.090
Two tunnels.

56:28.000 --> 56:30.520
One going from ten .5.5.0.

56:32.240 --> 56:33.230
The other going from where?

56:38.140 --> 56:40.100
We are going from 192.168.

56:50.310 --> 56:53.850
Line will be using the ten dot, obviously.

56:53.880 --> 56:56.220
10.5 will be coming in as 10.5.

56:56.250 --> 56:57.810
But everything else will be.

56:58.380 --> 57:01.950
This is only one channel only there for remote management.

57:01.950 --> 57:02.520
That's it.

57:03.720 --> 57:05.040
It's there for nothing else.

57:05.040 --> 57:06.360
Only for remote management.

57:08.670 --> 57:09.120
Okay.

57:09.780 --> 57:11.400
Do you understand the difference between them?

57:12.180 --> 57:16.250
Network mode, client network extension and network extension.

57:16.260 --> 57:19.430
Plus three clients together.

57:21.670 --> 57:23.410
Right now our focus is in client mode.

57:23.620 --> 57:27.880
What happens in client mode is the server gives out an address.

57:31.490 --> 57:37.240
So there's an IPsec tunnel on the client side saying anything coming from the source of 192.168.10,

57:37.250 --> 57:38.420
basically this loopback.

57:41.730 --> 57:43.500
Anything coming from this source.

57:43.680 --> 57:46.230
192.168.10.10 should go through the tunnel.

57:47.160 --> 57:51.000
Now what happens is these users also are supposed to go through the tunnel.

57:51.120 --> 57:55.850
So what happens is their address is PATed on 192.168.10.10.

57:55.890 --> 57:57.840
Once they get PATed, they go through the tunnel.

57:59.820 --> 58:00.870
In client mode.

58:02.620 --> 58:05.590
In network plus network extension mode.

58:05.620 --> 58:08.860
No address is pushed down, a tunnel is created.

58:09.010 --> 58:14.120
But what the client does is it pushes out, which is up its own addresses.

58:14.120 --> 58:16.360
So in the server mode, the server knows.

58:16.390 --> 58:23.530
10.5.5.0/24 is through the tunnel, so when the server has to send traffic to 10.5.0 network,

58:23.530 --> 58:25.900
it will send it through the tunnel and the client side.

58:25.900 --> 58:29.950
Anything sourcing from 10.5.5.0 will go through the tunnel.

58:30.130 --> 58:36.280
The difference between the two here, anything sourcing from 192.168.10.10 will go through the tunnel

58:36.580 --> 58:37.440
on R5.

58:37.450 --> 58:41.020
Anything sourcing from 10.5.5.0 will go through the tunnel.

58:42.650 --> 58:44.780
In network extension plus.

58:45.830 --> 58:51.560
The client will send out its address, plus the server will also give out the loopback.

58:54.740 --> 58:56.570
Two individual tunnels will be created.

58:56.570 --> 58:59.480
One will be sourcing from 192.168.10.10.

58:59.510 --> 59:04.080
The other will be sourcing from 10.5.5.0/24.

59:04.110 --> 59:10.130
Even from the server side, anything going to 192.168.10.10 will go through here.

59:10.160 --> 59:14.330
Anything going from 10.5.5.0 will go through.

59:15.640 --> 59:15.840
This.

59:18.190 --> 59:19.630
Network extension plus.

59:20.880 --> 59:21.150
Here.

59:22.410 --> 59:24.330
But there's another thing.

59:26.530 --> 59:27.500
There's another thing.

59:27.520 --> 59:28.450
Do you remember?

59:28.450 --> 59:30.040
I would have to connect my.

59:32.070 --> 59:34.410
PC for this. To connect a PC.

59:35.910 --> 59:36.840
To connect a PC to.

59:37.170 --> 59:38.480
Let me explain how that is done.

59:38.490 --> 59:39.780
You get a host here.

59:41.190 --> 59:42.200
You double click on that.

59:42.210 --> 59:44.850
Host Sorry, Configure that host.

59:46.750 --> 59:48.670
You have so many different adapters, right?

59:48.700 --> 59:54.580
You could use any one which any one of them, but I would recommend you use the one with the loopback.

59:57.810 --> 1:00:01.450
If you don't know how to create a loopback, just open any YouTube video.

1:00:01.470 --> 1:00:03.840
How to create a Microsoft Loopback Adapter.

1:00:05.420 --> 1:00:07.430
All Windows 7, Windows 8 or anywhere.

1:00:07.460 --> 1:00:09.920
You could create a Microsoft Windows Loopback adapter.

1:00:13.230 --> 1:00:14.220
For this.

1:00:14.940 --> 1:00:16.890
That's because for the loopback.

1:00:17.430 --> 1:00:20.910
That's because your PC has certain privileges.

1:00:21.420 --> 1:00:23.490
Reduce the security of your PC.

1:00:24.010 --> 1:00:25.440
And we use VMware.

1:00:25.770 --> 1:00:26.160
Yeah.

1:00:26.190 --> 1:00:26.440
Can.

1:00:26.760 --> 1:00:26.970
Can.

1:00:27.840 --> 1:00:28.230
It'll work.

1:00:28.230 --> 1:00:28.500
Yeah.

1:00:28.530 --> 1:00:31.490
It'll work with the VMware adapter but it's recommended you use the loopback one.

1:00:33.040 --> 1:00:34.690
So, yeah.

1:00:36.000 --> 1:00:41.220
You can use any one of these adapters as long as it's a virtual adapter, you can use any one of them,

1:00:41.220 --> 1:00:43.830
but some people might not have VMware right now.

1:00:44.040 --> 1:00:46.670
So Microsoft Loopback adapter will also work.

1:00:51.360 --> 1:00:51.700
Right.

1:00:51.750 --> 1:00:52.400
You go here.

1:00:52.410 --> 1:00:52.620
Now.

1:00:52.620 --> 1:00:54.690
You need to choose an address for this adapter.

1:00:56.170 --> 1:00:58.390
Write any address here?

1:01:00.850 --> 1:01:08.050
I'll choose 150 .1. let's say 30 dot 25.

1:01:08.080 --> 1:01:08.710
Yesterday I used.

1:01:09.370 --> 1:01:10.680
Am I using 30 anywhere?

1:01:10.690 --> 1:01:11.710
40 and 50.

1:01:11.710 --> 1:01:12.550
I'm using 30.

1:01:12.550 --> 1:01:13.180
I'm not using.

1:01:14.420 --> 1:01:16.630
30, 20, 40 and 50.

1:01:16.640 --> 1:01:16.990
I'm using.

1:01:19.490 --> 1:01:21.380
151 point 30.25.

1:01:21.410 --> 1:01:22.550
Now this.

1:01:23.630 --> 1:01:23.870
Okay.

1:01:23.870 --> 1:01:26.960
I want to show you the I want to show you the loop, not the loop back.

1:01:26.960 --> 1:01:30.320
I will show you the VMware, how to attach it to VMware.

1:01:33.690 --> 1:01:34.680
Some doubt with the VMware.

1:01:36.030 --> 1:01:37.500
Let me explain how to do that now.

1:01:37.530 --> 1:01:37.950
VMware.

1:01:37.950 --> 1:01:38.970
I have Windows XP here.

1:01:38.970 --> 1:01:39.480
Right.

1:01:39.990 --> 1:01:40.710
I'll power it.

1:01:40.710 --> 1:01:41.400
Power it on.

1:01:42.570 --> 1:01:44.340
Let me explain how this works.

1:01:46.160 --> 1:01:47.570
VMware is a virtual machine.

1:01:50.470 --> 1:01:52.090
It has two adapters.

1:01:53.960 --> 1:01:54.930
Two adapters.

1:01:54.950 --> 1:01:59.420
These adapters are VM zero VM, let's say eight.

1:02:00.170 --> 1:02:01.880
Now these are virtual adapters.

1:02:02.180 --> 1:02:03.860
Your machine is running here.

1:02:03.860 --> 1:02:05.450
Your actual XP is running here.

1:02:07.410 --> 1:02:08.070
This XP.

1:02:08.880 --> 1:02:10.350
This is the box.

1:02:11.710 --> 1:02:12.040
Right.

1:02:12.130 --> 1:02:17.230
These adapters, half of them belong to your PC, which is right here.

1:02:17.770 --> 1:02:24.130
The actual PC, which I'm working on the desktop, which I'm working on, half of the VM belongs to

1:02:24.130 --> 1:02:24.520
whom?

1:02:25.610 --> 1:02:26.270
My PC.

1:02:26.720 --> 1:02:28.220
My PC's interface.

1:02:28.250 --> 1:02:30.590
Half of it belongs to the VM's interface.

1:02:31.490 --> 1:02:32.840
The VM machine's interface.

1:02:33.230 --> 1:02:35.840
Just like I have a physical adapter here.

1:02:36.440 --> 1:02:37.940
Half of it belongs to the physical.

1:02:37.940 --> 1:02:41.090
Other side, wherever I connect it to, the other half belongs to me.

1:02:41.780 --> 1:02:42.800
Same way here.

1:02:42.800 --> 1:02:43.880
Half of it belongs to me.

1:02:43.880 --> 1:02:44.840
But it's virtual.

1:02:44.870 --> 1:02:46.970
The other half belongs to the VM box.

1:02:47.880 --> 1:02:49.860
XP has only one.

1:02:51.210 --> 1:02:51.580
Adapter.

1:02:51.930 --> 1:02:52.800
Local area.

1:02:55.290 --> 1:02:57.980
Right that I will connect to what?

1:02:57.990 --> 1:02:58.670
VM zero.

1:03:00.330 --> 1:03:01.860
I'll connect that to VM zero.

1:03:02.010 --> 1:03:03.420
How to make that connection.

1:03:03.420 --> 1:03:04.230
Let me show you.

1:03:06.740 --> 1:03:08.270
It has only one, right?

1:03:08.300 --> 1:03:09.260
How to connect it.

1:03:09.290 --> 1:03:11.480
You go here to the settings.

1:03:11.480 --> 1:03:12.920
You say, okay, XP is.

1:03:12.950 --> 1:03:18.230
Whatever XP is inside local boxes, I want you to connect it to net zero.

1:03:22.610 --> 1:03:23.150
Right now?

1:03:23.150 --> 1:03:24.050
No, it's host only.

1:03:24.920 --> 1:03:27.770
It's host only means it is not connected anywhere else.

1:03:28.560 --> 1:03:29.060
Post on.

1:03:30.060 --> 1:03:30.450
Yeah.

1:03:30.780 --> 1:03:31.170
Do it.

1:03:31.200 --> 1:03:32.160
Do it for host only.

1:03:32.700 --> 1:03:34.320
Make sure you do it for host only.

1:03:34.800 --> 1:03:35.250
Right.

1:03:35.250 --> 1:03:35.700
How do you do?

1:03:35.730 --> 1:03:38.610
Host only go to net editor.

1:03:47.670 --> 1:03:48.900
Let it be there.

1:03:48.900 --> 1:03:50.090
You just choose an adapter.

1:03:50.100 --> 1:03:56.070
Whatever adapter you have out of all of this, choose what Host Only if you choose bridge, you can

1:03:56.070 --> 1:03:58.290
bridge it to a physical port and connect it somewhere else.

1:03:58.290 --> 1:04:00.300
That is done when you connect connecting a server.

1:04:00.510 --> 1:04:03.030
But right now I want to use it as a host.

1:04:04.430 --> 1:04:04.880
Done.

1:04:04.880 --> 1:04:09.650
What I've done is I have bound my XP to VM zero.

1:04:09.800 --> 1:04:11.990
Now what I'll do is I'll open.

1:04:11.990 --> 1:04:12.260
What?

1:04:13.870 --> 1:04:14.590
GNS.

1:04:15.940 --> 1:04:18.240
I'll create a PC That PC.

1:04:18.250 --> 1:04:18.700
I'll join.

1:04:18.700 --> 1:04:19.170
Where?

1:04:23.910 --> 1:04:24.900
Two zero.

1:04:27.140 --> 1:04:29.090
That PC I'll also join to.

1:04:31.260 --> 1:04:38.250
Now this VM zero is acting as what, a switch in the middle of your GNS and your XP machine.

1:04:38.670 --> 1:04:46.410
On this end, I'm going to use the address of 151 .3. ten from here I'm going to use 30.25.

1:04:46.650 --> 1:04:51.180
Now this address in the middle can be anything, but it has to be on the same network.

1:04:54.130 --> 1:04:55.870
It'll be acting as a switch in the middle.

1:04:57.280 --> 1:04:57.550
Right.

1:04:57.550 --> 1:05:00.690
Because one end is connected to one end is connected to GNS.

1:05:01.090 --> 1:05:02.620
Here you could have anything.

1:05:03.970 --> 1:05:09.550
Now, the good thing is, since it's a part of this PC, this PC right here, if you open cmd here.

1:05:10.790 --> 1:05:12.980
And you ping, you should be able to ping XP.

1:05:13.220 --> 1:05:15.050
You should be able to ping GNS.

1:05:16.160 --> 1:05:16.560
Why?

1:05:16.610 --> 1:05:18.470
Because you're pinging from which interface.

1:05:20.240 --> 1:05:24.980
When you're on this PC, your net zero, you're pinging this side as well as this side.

1:05:26.860 --> 1:05:30.040
We have zero PC now on my PC.

1:05:30.700 --> 1:05:32.820
I have XP connected on this side.

1:05:32.830 --> 1:05:35.020
I have connected on this side.

1:05:35.020 --> 1:05:36.220
They are connecting through me.

1:05:37.940 --> 1:05:38.410
Right.

1:05:38.420 --> 1:05:39.380
That's what I'll do.

1:05:39.380 --> 1:05:44.640
So net zero, whatever address you give, you just have to make sure that it belongs to the same network.

1:05:44.660 --> 1:05:45.290
That's it.

1:05:46.960 --> 1:05:48.250
This is the switch in the middle.

1:05:51.790 --> 1:05:55.390
So this usually I keep it as 151 .33.101.

1:05:55.390 --> 1:05:56.440
I use it as 101.

1:05:59.140 --> 1:06:00.620
Do not require a default gateway.

1:06:02.020 --> 1:06:03.970
You don't because you're connecting those two together.

1:06:07.200 --> 1:06:08.130
That's you.

1:06:08.370 --> 1:06:10.200
Do you want to go somewhere else?

1:06:10.320 --> 1:06:12.870
If I want to go somewhere else, I'm not using this adapter.

1:06:12.870 --> 1:06:13.320
Right?

1:06:13.350 --> 1:06:15.900
Right now I'm going to the Internet using which adapter?

1:06:21.510 --> 1:06:24.810
Yes, in that case, public IP will be connected to the GNS.

1:06:24.840 --> 1:06:26.010
You don't need to give it here.

1:06:26.010 --> 1:06:27.180
You need to give it where.

1:06:28.480 --> 1:06:29.350
On that host.

1:06:31.780 --> 1:06:33.160
See, this is a switch in the middle, right?

1:06:33.160 --> 1:06:34.360
What is the switch in the middle?

1:06:35.960 --> 1:06:41.690
VM zero connected to XP connected to.

1:06:42.760 --> 1:06:43.330
GNS.

1:06:44.260 --> 1:06:47.470
You want to go here, you want to go here.

1:06:47.470 --> 1:06:48.520
But who wants to go?

1:06:48.550 --> 1:06:50.500
This wants to go, not you.

1:06:50.680 --> 1:06:51.670
This is me.

1:06:52.150 --> 1:06:53.380
This wants to go.

1:06:53.380 --> 1:06:55.150
So the default gateway will be given here.

1:06:55.150 --> 1:06:56.260
Pointing towards where?

1:07:00.640 --> 1:07:05.650
You have to manually specify it on the machine, pointing it towards this router because then it will

1:07:05.650 --> 1:07:06.940
send the traffic to the router.

1:07:06.970 --> 1:07:08.380
The router will forward it.

1:07:09.460 --> 1:07:10.630
This will be nothing.

1:07:10.630 --> 1:07:11.980
You will never use this.

1:07:12.220 --> 1:07:15.310
This will only be to create your connectivity between and.

1:07:18.120 --> 1:07:18.380
Right.

1:07:19.820 --> 1:07:20.990
So let's go to XP.

1:07:21.470 --> 1:07:23.420
Let's see, what address do I have here?

1:07:30.380 --> 1:07:31.490
XP to the Internet.

1:07:31.640 --> 1:07:32.810
Then what will.

1:07:32.910 --> 1:07:38.960
Well, then what you will do is the default gateway that you point will be towards VM net zero, VM

1:07:38.960 --> 1:07:39.770
net zero.

1:07:40.010 --> 1:07:41.900
This is another thing that's called bridging.

1:07:41.900 --> 1:07:44.690
You will bridge VM net zero and wireless connection together.

1:07:46.030 --> 1:07:46.600
Can I come back?

1:07:46.720 --> 1:07:47.650
Can manually bridge it.

1:07:49.180 --> 1:07:50.560
Or you can just use the NAT.

1:07:50.980 --> 1:07:52.840
You could use bridge connections here.

1:07:53.950 --> 1:07:54.270
Whatever.

1:07:54.290 --> 1:07:54.340
I.

1:07:55.680 --> 1:07:57.630
Yeah, see whether it works or not.

1:07:58.830 --> 1:08:00.330
Also, you can connect to the internet.

1:08:00.580 --> 1:08:01.560
Suppose if I block it?

1:08:03.040 --> 1:08:03.240
Yes.

1:08:03.340 --> 1:08:03.500
Yes.

1:08:03.670 --> 1:08:04.080
Yes.

1:08:04.280 --> 1:08:04.620
Yes.

1:08:04.860 --> 1:08:09.940
If you check my video for ASA, in ASA, I have my video for MPF.

1:08:09.960 --> 1:08:10.800
I've done it.

1:08:10.830 --> 1:08:12.270
I've used Firewall in the middle.

1:08:12.300 --> 1:08:14.100
The internet connection through the firewall.

1:08:15.280 --> 1:08:18.290
Then whatever I'm blocking on the firewall, my PC is also getting blocked.

1:08:20.350 --> 1:08:23.650
You won't be you won't be able to certain websites and stuff.

1:08:23.650 --> 1:08:25.330
I blocked it using that.

1:08:26.730 --> 1:08:27.540
You can see there.

1:08:27.540 --> 1:08:28.020
I've done it.

1:08:28.020 --> 1:08:29.430
I've shown you how to do that.

1:08:29.730 --> 1:08:33.110
For now, let me just fix this, because we are running out of time.

1:08:36.370 --> 1:08:37.270
When I'm using.

1:08:39.410 --> 1:08:40.830
Host only is VMware.

1:08:40.850 --> 1:08:44.840
I'm saying that I'll choose this manually wherever I want to do with this.

1:08:44.840 --> 1:08:46.310
I'll do I'll do this manually.

1:08:47.840 --> 1:08:50.750
If you use bridging, it means you are binding it to the physical port.

1:08:50.750 --> 1:08:53.870
If you use NATing, it will NAT with the internet interface.

1:08:53.870 --> 1:08:57.840
Whatever interface is taking you to the internet, you will get NATed onto that interface.

1:08:57.860 --> 1:08:58.670
This is fine.

1:08:58.670 --> 1:08:59.620
30.25.

1:08:59.630 --> 1:09:00.980
Next stop is 30.10.

1:09:01.010 --> 1:09:04.640
The only one problem I might run into is.

1:09:05.980 --> 1:09:07.990
GNS will not have enough interfaces for me.

1:09:09.850 --> 1:09:11.740
So what I'll do is I'll just remove this.

1:09:14.570 --> 1:09:15.740
I'll attach it here.

1:09:16.250 --> 1:09:18.050
If I don't need that client, I'll use this client.

1:09:20.830 --> 1:09:22.240
Was it loopback?

1:09:23.020 --> 1:09:23.800
I don't remember.

1:09:24.880 --> 1:09:25.570
Let me check.

1:09:31.540 --> 1:09:31.960
Let me check.

1:09:31.960 --> 1:09:32.650
I don't remember.

1:09:39.800 --> 1:09:40.910
Loopback should be.

1:09:53.390 --> 1:09:53.540
It.

1:09:53.540 --> 1:09:58.790
Also, if you are adding a loopback, you will see that the loopback will not come to your GNS.

1:09:58.790 --> 1:09:59.930
You'll have to restart it.

1:10:01.650 --> 1:10:06.060
You'll have to restart your PC when you install a new loopback.

1:10:06.090 --> 1:10:07.680
You have to reinstall the PC.

1:10:07.710 --> 1:10:08.190
Sorry.

1:10:08.220 --> 1:10:09.090
Restart the PC.

1:10:09.750 --> 1:10:10.050
R3.

1:10:10.050 --> 1:10:11.460
I need to change the address now.

1:10:17.350 --> 1:10:18.830
That's how you restart the PC.

1:10:19.600 --> 1:10:20.860
You know, it shows.

1:10:22.060 --> 1:10:27.870
I can look back right back or Kim can look back.

1:10:27.900 --> 1:10:28.890
It's called Microsoft.

1:10:33.600 --> 1:10:35.820
There's many, but the one which you have to do is.

1:10:39.980 --> 1:10:40.400
Should.

1:10:41.330 --> 1:10:42.770
You should usually.

1:10:42.770 --> 1:10:43.580
Does this work?

1:10:44.120 --> 1:10:44.410
Yeah.

1:10:44.420 --> 1:10:44.960
Yeah.

1:10:45.230 --> 1:10:50.210
See, right now, I should be able to ping, what, 30.101, which is net zero.

1:10:51.390 --> 1:10:52.710
I can ping net zero.

1:10:53.040 --> 1:10:55.170
Net zero on the other side is connected to 25.

1:10:55.170 --> 1:10:57.300
So I can also ping 25.

1:10:57.300 --> 1:10:59.340
I'm connected to my machine.

1:10:59.340 --> 1:11:06.210
What I want to show you here is why I did this is because I want to show you something else the dangers

1:11:06.210 --> 1:11:07.500
of using the VPN client.

1:11:08.810 --> 1:11:15.230
If you use that, if you use it as I'm using right now, the dangers of it is.

1:11:16.010 --> 1:11:16.850
I'm connected.

1:11:17.600 --> 1:11:18.470
Don't you think?

1:11:18.470 --> 1:11:21.020
Think it's dangerous to connect just like it is as it is.

1:11:21.050 --> 1:11:22.310
The information is saved.

1:11:22.310 --> 1:11:23.750
Saved in the VPN client.

1:11:24.320 --> 1:11:26.240
Anyone coming in just can double click.

1:11:26.240 --> 1:11:30.020
And my PC is at home, right?

1:11:30.380 --> 1:11:33.110
I have a younger brother, right?

1:11:33.140 --> 1:11:38.480
He likes to play around, so he goes in there, he double clicks, gets connected.

1:11:39.500 --> 1:11:40.010
Right.

1:11:40.040 --> 1:11:41.780
He has access to all the servers.

1:11:42.560 --> 1:11:43.580
Go do anything.

1:11:44.450 --> 1:11:44.720
Right.

1:11:44.720 --> 1:11:47.180
Quite dangerous to connect like this for this.

1:11:47.180 --> 1:11:50.270
Plus another thing is, remember aggressive mode.

1:11:52.980 --> 1:12:01.500
Easy VPN uses aggressive mode so the group name and key that you specify going in the third packet

1:12:02.010 --> 1:12:03.180
in the third packet.

1:12:03.180 --> 1:12:08.580
But again, aggressive mode is not considered to be as safe as main mode because main mode you have

1:12:08.580 --> 1:12:14.310
very nice exchange of data, you have first packet, second packet policies exchange here it's very

1:12:14.310 --> 1:12:18.330
quick, so it's considered to be a little less safe, the aggressive mode.

1:12:18.330 --> 1:12:24.360
So what they have done is they have added another mode, another phase which is known as phase 1.5.

1:12:27.690 --> 1:12:28.230
Extended.

1:12:28.230 --> 1:12:29.220
We call it extended.

1:12:32.660 --> 1:12:37.250
Extended auth, also known as XAUTH.

1:12:39.580 --> 1:12:39.980
XAUTH.

1:12:42.160 --> 1:12:47.530
Extended authentication is once aggressive mode is done, once aggressive mode is done, it will stop

1:12:47.530 --> 1:12:48.340
the exchange.

1:12:49.600 --> 1:12:51.700
Wait for another username and password.

1:12:52.660 --> 1:12:55.180
If you don't specify that, you won't be able to connect.

1:12:58.060 --> 1:12:59.580
Won't be able to connect.

1:12:59.580 --> 1:13:01.590
The way you do it is pretty simple.

1:13:01.590 --> 1:13:02.850
You go to your.

1:13:04.230 --> 1:13:08.010
So remember, we did AAA authorization.

1:13:08.640 --> 1:13:10.170
Now, I'll also do AAA.

1:13:11.450 --> 1:13:12.500
Authentication.

1:13:14.170 --> 1:13:17.110
I'll authentication for login, obviously.

1:13:17.110 --> 1:13:21.850
And the name of the list, I'll call it Sha pointing to the local database.

1:13:21.850 --> 1:13:27.280
Since I'm pointing it to the local database, I also need to create a username and password.

1:13:30.180 --> 1:13:30.650
Right.

1:13:30.750 --> 1:13:31.890
How do you apply it?

1:13:32.070 --> 1:13:34.410
Crypto map.

1:13:34.740 --> 1:13:38.730
I map client authentication list is.

1:13:42.610 --> 1:13:43.090
That's it.

1:13:44.030 --> 1:13:44.750
Three commands.

1:13:45.710 --> 1:13:46.130
What?

1:13:46.130 --> 1:13:47.120
Create a list.

1:13:47.450 --> 1:13:48.230
Bind it.

1:13:48.230 --> 1:13:48.740
That's it.

1:13:48.740 --> 1:13:49.910
That's all you need to do.

1:13:51.170 --> 1:13:51.830
Create a list.

1:13:51.830 --> 1:13:52.190
Bind it.

1:13:52.190 --> 1:13:54.410
But for that list, you also need a username and password.

1:13:54.810 --> 1:13:55.430
Just do that.

1:13:56.210 --> 1:14:00.920
The only thing is I was crypto map I-map Isakmp authorization list.

1:14:01.130 --> 1:14:03.500
Here it's client authentication list.

1:14:03.770 --> 1:14:05.030
The only difference.

1:14:07.420 --> 1:14:08.410
For authorization.

1:14:08.410 --> 1:14:09.070
What did he use?

1:14:09.070 --> 1:14:09.810
Crypto map.

1:14:09.850 --> 1:14:11.740
I map isakmp authorization.

1:14:11.740 --> 1:14:11.980
Right.

1:14:14.040 --> 1:14:15.750
isakmp authorization here.

1:14:15.750 --> 1:14:18.090
It's client authentication.

1:14:20.480 --> 1:14:20.930
List.

1:14:22.070 --> 1:14:23.510
That was the client configuration.

1:14:25.070 --> 1:14:25.330
Done.

1:14:25.490 --> 1:14:26.330
Save it.

1:14:27.860 --> 1:14:29.480
Go back to your machine.

1:14:34.930 --> 1:14:36.190
Disconnect the tunnel.

1:14:40.510 --> 1:14:41.410
Connect back up.

1:14:44.690 --> 1:14:45.560
Extended auth.

1:14:47.490 --> 1:14:49.290
You need to specify a username and password.

1:14:49.290 --> 1:14:51.930
If you specify it as wrong, it will not accept.

1:14:53.880 --> 1:14:56.720
And you see your exchange will be stuck in the aggressive mode.

1:14:56.730 --> 1:14:57.940
It will not go to the quick mode.

1:15:00.200 --> 1:15:00.750
Aggressive mode.

1:15:00.770 --> 1:15:01.640
Then that's it.

1:15:03.590 --> 1:15:04.060
Stuck there.

1:15:05.330 --> 1:15:07.430
Aggressive, aggressive, aggressive.

1:15:07.520 --> 1:15:09.740
Then stuck doesn't go to the next mode.

1:15:09.740 --> 1:15:12.790
You need to specify the username and password.

1:15:12.800 --> 1:15:13.670
Cisco and.

1:15:15.060 --> 1:15:18.060
Now it connects. Extended auth, very important.

1:15:19.970 --> 1:15:21.240
Very important to implement.

1:15:21.260 --> 1:15:23.150
Now how about the client side?

1:15:23.990 --> 1:15:25.520
How about router as a client?

1:15:26.180 --> 1:15:27.590
How to clear the tunnel is clear.

1:15:27.590 --> 1:15:29.300
Crypto IPsec Client.

1:15:31.890 --> 1:15:32.900
It will clear the tunnel.

1:15:37.520 --> 1:15:39.920
It's correct to say it tries to connect automatically.

1:15:39.950 --> 1:15:44.780
What does it say pending x auth request please.

1:15:44.810 --> 1:15:45.260
X auth.

1:15:45.260 --> 1:15:47.900
First, provide your username and password.

1:15:47.930 --> 1:15:49.520
Until then, you cannot log in.

1:15:51.950 --> 1:15:52.180
Right.

1:15:52.180 --> 1:15:57.820
So you have to provide your username and password for all the days that is missing.

1:15:58.510 --> 1:15:59.440
How do I do that?

1:15:59.440 --> 1:16:04.660
Use this command again, not in the global configuration mode in your user privilege.

1:16:06.230 --> 1:16:06.590
Cisco.

1:16:06.590 --> 1:16:06.980
Cisco.

1:16:08.980 --> 1:16:10.030
And you connect up.

1:16:12.780 --> 1:16:19.890
Extended auth, useful most of the times in the client mode in the VPN client.

1:16:24.690 --> 1:16:24.990
Clear.

1:16:27.650 --> 1:16:28.640
Any questions?

1:16:30.000 --> 1:16:31.200
Any questions with this?

1:16:31.350 --> 1:16:34.650
I know there's a lot again, a lot advanced, right?

1:16:35.760 --> 1:16:37.230
There's a lot of things happening.

1:16:39.900 --> 1:16:40.820
For the land, anything.

1:16:40.860 --> 1:16:41.070
Right?

1:16:41.520 --> 1:16:42.960
We wouldn't we wouldn't do the.

1:16:44.430 --> 1:16:46.020
We wouldn't do this for the land thing.

1:16:46.020 --> 1:16:46.470
No.

1:16:46.650 --> 1:16:48.300
Yeah, you can do it on the land thing.

1:16:48.330 --> 1:16:48.830
See?

1:16:48.840 --> 1:16:52.290
To make it easier for you if you right now have to whenever I connect.

1:16:52.290 --> 1:16:52.830
Right.

1:16:54.280 --> 1:16:55.970
Somebody behind Apple is gone.

1:16:56.380 --> 1:16:57.370
He doesn't need to connect.

1:16:57.370 --> 1:16:58.600
Only R4 connects.

1:16:59.620 --> 1:17:00.970
R4 doesn't need to connect.

1:17:01.270 --> 1:17:04.510
R4 connects when they send the traffic it goes through.

1:17:07.880 --> 1:17:08.890
It will remain like that.

1:17:08.900 --> 1:17:09.740
It will remain like that.

1:17:10.220 --> 1:17:15.260
Now, see, last one last thing is whenever you try to connect, it will give you this pending request.

1:17:15.260 --> 1:17:15.740
Right?

1:17:17.380 --> 1:17:22.060
I didn't show you the verification command: show crypto ipsec client.

1:17:22.100 --> 1:17:24.160
Easy VPN will show you your client VPN.

1:17:25.240 --> 1:17:26.860
Your current state is you're stuck in.

1:17:28.270 --> 1:17:34.720
Request your interface inside interface Outside interface in the pair it shows you right save password

1:17:34.720 --> 1:17:35.740
is disallowed.

1:17:36.730 --> 1:17:42.010
What you can also do to make this work is you can go to crypto IPsec Client.

1:17:42.050 --> 1:17:43.000
Easy VPN Easy.

1:17:44.720 --> 1:17:45.680
Not save password.

1:17:45.680 --> 1:17:47.530
You could use your username.

1:17:47.540 --> 1:17:49.640
What is the username which you're using on the server?

1:17:50.150 --> 1:17:52.220
The password is.

1:17:52.220 --> 1:17:56.270
Yeah, but this username and password you put where on the client.

1:17:57.340 --> 1:18:00.190
What username and password will you use to connect up Cisco?

1:18:00.190 --> 1:18:03.360
Cisco And there's also another command which is x auth.

1:18:04.200 --> 1:18:06.450
User id is saved.

1:18:06.450 --> 1:18:08.840
Where mode local.

1:18:11.580 --> 1:18:12.780
See right now I'm using.

1:18:12.780 --> 1:18:13.200
What?

1:18:14.510 --> 1:18:14.970
Exactly.

1:18:15.760 --> 1:18:19.720
So whenever I'm getting X is telling me what pending x auth request.

1:18:19.810 --> 1:18:22.720
So whenever I have to connect up, I have to first go what?

1:18:22.750 --> 1:18:23.530
Do what first?

1:18:23.530 --> 1:18:27.330
Copy this request, then use the username and password.

1:18:27.340 --> 1:18:28.840
I don't want to do that all the time.

1:18:28.840 --> 1:18:30.160
What if the tunnel goes down?

1:18:30.610 --> 1:18:32.920
I have to go back and connect up again using that.

1:18:33.310 --> 1:18:33.550
Right.

1:18:33.550 --> 1:18:39.070
So what I do is I go to my crypto configuration client VPN, I put the username and password, which

1:18:39.070 --> 1:18:43.420
I want to connect up, and then I use the command x auth user ID mode.

1:18:43.420 --> 1:18:46.780
Local means my username and password is saved.

1:18:46.780 --> 1:18:48.550
Where locally?

1:18:49.920 --> 1:18:51.140
The one which will be used for.

1:18:51.540 --> 1:18:55.230
One more thing that you have to do is you have to go to your VPN server.

1:18:55.320 --> 1:18:58.340
crypto isakmp client configuration group.

1:18:58.350 --> 1:18:59.160
What was the group?

1:19:00.500 --> 1:19:01.050
Sales.

1:19:01.080 --> 1:19:02.520
And here you say save.

1:19:04.530 --> 1:19:07.140
The clients are allowed to save the password.

1:19:07.920 --> 1:19:11.970
So now you'll see that you will not get that request.

1:19:14.260 --> 1:19:17.080
So Crypto IPsec Client VPN.

1:19:18.640 --> 1:19:20.860
Clear crypto IPsec client is.

1:19:23.530 --> 1:19:23.890
Yeah.

1:19:23.890 --> 1:19:26.140
Now we'll go back and create the connection again, Right?

1:19:30.030 --> 1:19:30.690
Should not be.

1:19:33.430 --> 1:19:34.720
Should not be disallowed.

1:19:35.920 --> 1:19:37.860
Show run section.

1:19:40.810 --> 1:19:42.130
Save password is allowed.

1:19:50.770 --> 1:19:51.160
We're going to.

1:19:52.880 --> 1:19:54.310
No client doesn't have this command.

1:19:56.170 --> 1:19:57.220
The server has the command.

1:20:02.210 --> 1:20:02.870
User ID.

1:20:03.110 --> 1:20:04.880
Let me see if the command is.

1:20:06.110 --> 1:20:07.970
If the command is in the request.

1:20:12.060 --> 1:20:12.690
It is there.

1:20:12.960 --> 1:20:14.130
Let's do it manually.

1:20:15.860 --> 1:20:17.120
Connect manual.

1:20:19.350 --> 1:20:21.100
Clear crypto IPsec client is.

1:20:22.310 --> 1:20:23.450
Connection terminated.

1:20:24.110 --> 1:20:26.780
Crypto IPsec Client VPN Connect.

1:20:35.230 --> 1:20:36.340
Let me do another thing.

1:20:36.790 --> 1:20:38.140
Interface Phase zero zero.

1:20:38.140 --> 1:20:38.500
No.

1:20:38.500 --> 1:20:39.760
Crypto IPsec Client.

1:20:48.110 --> 1:20:48.950
I'll remove it.

1:21:04.040 --> 1:21:04.890
Crypto client.

1:21:18.920 --> 1:21:19.340
Connect.

1:21:28.900 --> 1:21:32.610
It's again, this has a lot to do with the IOS.

1:21:33.670 --> 1:21:34.420
This has a lot.

1:21:34.450 --> 1:21:37.480
There's two things which depend on the IOS in VPN.

1:21:37.510 --> 1:21:44.620
There's the Save password and there's another thing Crypto IPsec Client VPN is there's Connect ACL.

1:21:44.800 --> 1:21:49.030
So this connect ACL, it also depends a lot on what.

1:21:50.790 --> 1:21:54.800
Connect is, say, for example, you want to connect the tunnel.

1:21:54.810 --> 1:21:56.850
Only right now it's manual or auto.

1:21:57.360 --> 1:21:59.130
In manual, you use the command.

1:21:59.160 --> 1:22:01.470
In auto, you don't use the command.

1:22:01.950 --> 1:22:05.580
In Connect ACL, you specify the traffic in the ACL.

1:22:05.610 --> 1:22:10.230
If you hit that traffic on the interface, it will go and initiate the tunnel.

1:22:12.980 --> 1:22:13.260
Right.

1:22:13.310 --> 1:22:16.160
Not used a lot of times, but it is an option.

1:22:16.160 --> 1:22:20.330
Again, that part is also IOS dependent and the save password.

1:22:20.330 --> 1:22:21.860
But that's all you have to do in save password.

1:22:21.860 --> 1:22:22.730
There's nothing else.

1:22:23.870 --> 1:22:25.160
So in the save password?

1:22:25.490 --> 1:22:27.650
Yeah, in the save password.

1:22:27.650 --> 1:22:30.710
All you have to do is on the server side.

1:22:32.580 --> 1:22:40.560
crypto isakmp client configuration group was what? Sales?

1:22:42.470 --> 1:22:43.700
You say save password.

1:22:45.560 --> 1:22:46.820
Then on the client.

1:22:48.470 --> 1:22:50.380
Crypto IPsec Client.

1:22:50.420 --> 1:22:52.610
Easy VPN Easy.

1:22:53.960 --> 1:22:54.950
Is a username.

1:22:55.760 --> 1:22:56.300
It's Cisco.

1:22:57.390 --> 1:23:00.590
Password is Cisco then x auth.

1:23:02.900 --> 1:23:03.380
Mode.

1:23:04.700 --> 1:23:05.390
User ID.

1:23:10.100 --> 1:23:13.940
The username is created on the server because I'll be sending it to him.

1:23:14.030 --> 1:23:15.620
He'll be checking it locally.

1:23:18.050 --> 1:23:20.690
The client is sending the username and password.

1:23:20.810 --> 1:23:21.770
You will be prompted for.

1:23:22.130 --> 1:23:23.510
I will not be prompted for it.

1:23:23.660 --> 1:23:25.560
Right now I'm getting prompted for it.

1:23:25.580 --> 1:23:27.350
I don't want to be prompted for it.

1:23:29.790 --> 1:23:31.770
Yeah, I entered it.

1:23:31.980 --> 1:23:34.860
I pre-configured right.

1:23:34.860 --> 1:23:39.930
Instead of because he keeps on bugging me and asking me for whenever I try to connect, he keeps on

1:23:39.930 --> 1:23:42.150
bugging me and asking for the username and password.

1:23:42.150 --> 1:23:45.960
So what I do is I just save it in the configuration so he doesn't have to ask me.

1:23:47.440 --> 1:23:48.240
Hey, it will work.

1:23:48.250 --> 1:23:49.010
It's just the IOS.

1:23:49.030 --> 1:23:50.080
I'm sure about that.

1:23:51.300 --> 1:23:52.530
Clear VPN.

1:23:53.520 --> 1:23:56.370
The split ACL will work exactly the same way as yesterday.

1:23:58.080 --> 1:23:59.790
Everything else is the same.

1:23:59.820 --> 1:24:03.610
Tomorrow we'll be doing the same thing, the same things that we have done until now.

1:24:03.630 --> 1:24:05.250
Client mode, mode extension.

1:24:05.250 --> 1:24:05.940
All of that.

1:24:05.940 --> 1:24:06.840
Using what?

1:24:06.870 --> 1:24:09.540
DVTI. SVTI and DVTI.

1:24:09.990 --> 1:24:10.410
We have done.

1:24:10.410 --> 1:24:12.090
We have to see what DVTI does.

1:24:12.390 --> 1:24:14.160
Virtual tunnel interfaces.

1:24:15.800 --> 1:24:16.730
Virtual tunnel interface?

1:24:16.740 --> 1:24:17.000
Right?

1:24:19.750 --> 1:24:20.470
124.
