WEBVTT

00:01.190 --> 00:06.890
But today what we are going to be talking about is IKE version.

00:08.570 --> 00:09.350
What is IKE?

00:12.120 --> 00:12.780
Internet.

00:14.250 --> 00:15.560
Where did we use it?

00:15.600 --> 00:16.860
In our whatever.

00:17.280 --> 00:18.180
We were doing it.

00:19.620 --> 00:20.730
We used IKE.

00:20.760 --> 00:21.500
As IKE.

00:25.140 --> 00:26.640
The nine packets.

00:29.270 --> 00:33.280
You remember the control plane traffic was ISAKMP, right.

00:33.550 --> 00:34.360
It was like.

00:35.470 --> 00:38.650
So before setting up the second tunnel, which was the data tunnel.

00:40.120 --> 00:41.470
Before setting up your data.

00:47.150 --> 00:48.860
You had this separate tunnel.

00:54.480 --> 00:58.320
That was equation total of how many packets?

00:58.620 --> 01:01.020
Nine, if we were using main mode.

01:02.130 --> 01:06.760
Aggressive mode is three plus three six packets.

01:08.790 --> 01:12.600
Write a quick review of what were the packets going through.

01:14.700 --> 01:18.720
Packet number one and two was policies.

01:20.710 --> 01:20.960
Correct.

01:21.760 --> 01:25.150
Three and four and nonce.

01:28.080 --> 01:32.690
Five and six, PSK, PKI.

01:33.730 --> 01:35.940
PKI certificate or whatever.

01:36.270 --> 01:40.360
Seven and eight policies.

01:40.790 --> 01:43.860
The data for the data tunnel.

01:46.720 --> 01:54.010
There is a transform set being negotiated and the last packet was acknowledgement or validation.

01:57.730 --> 01:58.990
That everything is okay.

02:01.430 --> 02:01.670
Right.

02:03.320 --> 02:12.050
Plus, we also saw that, again, when this was created, when this whole thing was created, a lot

02:12.050 --> 02:13.310
of things were not there.

02:13.730 --> 02:15.440
What do I mean by a lot of things?

02:15.830 --> 02:20.690
Stuff like NAT-T, NAT-D was not there in v1.

02:20.690 --> 02:21.260
It wasn't.

02:21.620 --> 02:27.650
So what people had to do was, since the problem came up later, what people had to do is every vendor

02:27.650 --> 02:29.900
created their own implementation of NAT-D.

02:31.070 --> 02:34.040
So you'll see that it's implemented in every one of them.

02:34.040 --> 02:38.780
But everyone had to do it by themselves and it's included as a payload.

02:40.270 --> 02:40.670
Is there.

02:42.500 --> 02:43.260
It's included.

02:43.280 --> 02:45.290
It was included later by the vendors.

02:45.320 --> 02:47.060
It was not there in the beginning.

02:47.750 --> 02:49.220
That's how you see it as a payload.

02:49.430 --> 02:54.770
And down the bottom you see it there because they wrote the code for it later.

02:55.700 --> 03:02.270
It was not there in the beginning, so it was a lot of other features like that were added later to

03:02.270 --> 03:04.380
IKEv1, right.

03:04.400 --> 03:09.260
Eventually there comes a time when you keep on doing some stuff like that that it starts becoming too

03:09.260 --> 03:10.160
complex.

03:10.430 --> 03:15.530
So then they decide, okay, if we have something like this, why don't we create a new one which has

03:15.530 --> 03:21.440
all these features inbuilt and to make this exchange a little more streamlined.

03:21.620 --> 03:23.090
The keyword here is streamlined.

03:24.410 --> 03:26.750
So again, the same thing will be happening.

03:27.480 --> 03:30.900
You'll have the same exact thing configuring, right?

03:30.920 --> 03:35.960
The only thing is the way that these policies are going to be exchanged is going to be different.

03:38.230 --> 03:40.990
The new version so much better than before.

03:41.350 --> 03:42.010
How?

03:42.640 --> 03:46.900
Think I might have a document which I've already shared.

03:50.380 --> 04:00.940
So in total right now, the nine packets, which you see will be replaced by a total of four packets.

04:05.800 --> 04:08.620
You'll have the first two packets, one and two.

04:11.340 --> 04:16.200
We call it IKE_SA_INIT.

04:18.380 --> 04:19.760
I guess, initialization.

04:21.760 --> 04:25.840
This is equivalent to main mode.

04:25.840 --> 04:31.330
One, two, four, packet number one, two four in the main mode.

04:32.590 --> 04:34.060
What do you mean by that?

04:35.320 --> 04:36.340
Your policies, your.

04:36.790 --> 04:39.850
Your nonce, all of that?

04:39.850 --> 04:40.360
Yes.

04:40.390 --> 04:41.830
In the first two packets.

04:43.650 --> 04:43.890
Right.

04:43.890 --> 04:46.140
So you get everything by the what?

04:46.140 --> 04:46.730
You need it.

04:46.740 --> 04:48.990
That's all, isn't it?

04:49.440 --> 04:51.690
All you needed was the key on both sides.

04:51.690 --> 05:00.090
So once you have the policies plus the nonce from both ends, at the end of this,

05:00.090 --> 05:02.130
what will you have on the other side?

05:02.640 --> 05:03.240
A key.

05:08.800 --> 05:11.770
By the end of the first two packets, you'll have the key.

05:13.720 --> 05:19.660
Correct or not, after that packet number three and four.

05:19.690 --> 05:20.740
Can you guess what?

05:23.440 --> 05:23.950
PSK.

05:27.050 --> 05:27.710
PKI.

05:30.340 --> 05:32.650
And transform set.

05:34.980 --> 05:36.180
Parameters.

05:36.570 --> 05:38.040
Plus the proxy ACL is here.

05:39.900 --> 05:43.380
Basically, we call the proxy ACL here as traffic selector.

05:45.270 --> 05:46.230
Traffic selector.

05:47.070 --> 05:49.080
All of that is exchanged.

05:53.370 --> 05:54.240
From authors.

05:54.780 --> 06:04.560
So this includes main mode five, six and then the rest of the quick mode included in a single package.

06:04.560 --> 06:05.790
So three and four done.

06:06.210 --> 06:07.770
This is known as IKE_AUTH.

06:13.160 --> 06:15.830
Auth, like authentication.

06:19.190 --> 06:19.760
IKE_AUTH.

06:19.890 --> 06:23.150
So the first four packets have no pre-shared key.

06:23.480 --> 06:26.300
Then the authentication takes place in the third and the fourth packet.

06:26.390 --> 06:29.190
And the other parameters are also resolved.

06:29.210 --> 06:31.880
So your NAT-T and all those features are all resolved here.

06:34.390 --> 06:35.250
In these packets.

06:35.260 --> 06:44.830
Now, I think I might have if I remember correctly, I had a good diagram of it.

06:52.620 --> 06:52.860
Yeah.

06:52.860 --> 06:55.890
Here are these two separate.

07:07.300 --> 07:09.550
This is the exchange that takes place.

07:09.580 --> 07:10.510
Is it visible?

07:16.590 --> 07:18.030
Let me explain while I'm saying it.

07:19.110 --> 07:20.520
This is one.

07:21.600 --> 07:26.430
This is IKEv2, IKEv1 packet.

07:26.430 --> 07:29.520
Number one is phase one policies.

07:30.150 --> 07:37.710
Packet number two is basically, three is known as NAT-T and key exchange.

07:38.340 --> 07:38.690
Correct.

07:38.700 --> 07:39.540
We know that already.

07:39.540 --> 07:41.100
So these are one, two, three, four.

07:41.100 --> 07:42.240
Packet number one, two, three, four.

07:42.270 --> 07:52.320
Then he's put a dash in. The same thing on the other side becomes IKE_SA_INIT: phase one policies, NAT-T

07:52.320 --> 07:55.050
also sorry is negotiated in the first packet.

07:55.050 --> 08:02.790
So NAT-T, nonce, key exchange, policies, all of that in the first packet on both sides.

08:02.790 --> 08:05.580
So four packets here equal to one packet here.

08:05.850 --> 08:09.450
Then what did you have on the other side?

08:10.590 --> 08:14.550
Packet number five was PSK or certificate or whatever you were sending.

08:14.940 --> 08:19.930
So your authentication, either PSK or PKI, right.

08:20.050 --> 08:21.280
On the other side.

08:21.280 --> 08:29.560
Again, quick mode was what, SA, transform set, some other information about what is happening and

08:29.950 --> 08:37.720
numbers and then the acknowledgement move it to the other side, your authentication ID certificate

08:37.720 --> 08:38.740
or whatever you're using.

08:38.770 --> 08:41.980
Transform set, NAT information, all in one packet.

08:44.740 --> 08:45.520
All in one package.

08:47.800 --> 08:48.100
Right.

08:49.090 --> 08:53.020
So much, much easier than earlier.

08:54.940 --> 08:59.620
Yeah, but here, troubleshooting will be a little more complex than the first one because first one

08:59.620 --> 09:04.030
you would know if packet is getting stuck in 1 or 4 or 6 or 8.

09:04.060 --> 09:06.910
Now the packet can either get stuck in the first one or the second one.

09:07.540 --> 09:09.610
First one if your policy mismatches.

09:10.450 --> 09:14.970
Second one is transform, set pre-shared key and all those features are not matching.

09:14.980 --> 09:17.410
So you'll have to dig in a little deeper.

09:19.420 --> 09:24.160
But what it gives you is it's faster, quicker, less number of packets going through.

09:24.190 --> 09:27.280
It still works on the same UDP 500 to 500.

09:29.780 --> 09:35.260
Still works on the same protocol numbers, 4500 is also.

09:35.800 --> 09:36.670
That is also there.

09:36.680 --> 09:44.000
So if there is nothing happening exactly same that is happening, it will move to 4500 where it works

09:44.000 --> 09:44.930
exactly the same way.

09:46.970 --> 09:47.840
Correct or not.

09:48.710 --> 09:54.680
Another thing that you have to know is in IKEv2 there is something known as CREATE_CHILD_SA.

09:55.670 --> 10:05.000
Sometimes when you have a network setup up, a phase two tunnel has already come up.

10:05.000 --> 10:13.040
Sometimes you do need rekeying. Additional SAs need to be created. Earlier, if additional SAs needed

10:13.040 --> 10:16.970
to be created, the whole tunnel was swept down and brought back up again.

10:16.970 --> 10:19.640
Here you have something called CREATE_CHILD_SA.

10:20.600 --> 10:26.600
What you can do is once you have your negotiations for the phase one, then whenever you need to create

10:26.630 --> 10:27.200
new SAs.

10:27.230 --> 10:32.490
Now, this doesn't happen always, but there are some protocols where you might need to do this right?

10:32.490 --> 10:38.640
You will see that these SAs will automatically be created based on the first, because the only thing

10:38.640 --> 10:45.300
that you need to exchange is what the transform set, which is just exchange for the sake of transform

10:45.300 --> 10:52.350
set being exchanged, and you'll see new SAs being created, known as CREATE_CHILD_SA.

10:53.890 --> 11:00.160
So first you have your IKE_SA_INIT, then you have your IKE_AUTH, which most of the times you'll always

11:00.190 --> 11:00.730
be using.

11:00.730 --> 11:02.650
So get your tunnel up.

11:02.650 --> 11:08.920
It's started working. Then in some very rare, rare cases when you have more SAs which you require

11:08.920 --> 11:13.360
for rekeying, remember GET VPN rekeying was created one after the other.

11:13.990 --> 11:20.770
For that, the SAs that will be created will be which ones? CREATE_CHILD_SA, which will be the

11:20.770 --> 11:22.150
same as your IKE_AUTH.

11:22.330 --> 11:24.310
It's just that they named it different.

11:24.460 --> 11:30.700
So you see that the stuff that is exchanged is SAs and NAT here.

11:30.700 --> 11:32.050
Also SAs and NAT.

11:34.090 --> 11:34.570
That's it.

11:36.920 --> 11:37.160
Right.

11:41.570 --> 11:43.970
Mr. H is right here.

11:48.210 --> 11:48.600
Second.

11:48.600 --> 11:48.870
What?

11:49.120 --> 11:49.410
Second.

11:52.820 --> 11:53.350
Yeah.

11:53.520 --> 11:54.480
Forward secrecy.

11:55.080 --> 11:56.300
You can configure that.

11:56.490 --> 11:56.730
Yeah.

11:56.760 --> 11:58.770
That'll be done here in phase two.

11:59.820 --> 12:00.480
You can do that.

12:02.370 --> 12:03.210
That comes right here.

12:03.210 --> 12:04.610
That's done under a crypto map.

12:05.340 --> 12:06.200
You have a crypto map.

12:06.210 --> 12:07.620
You can specify it there also.

12:09.030 --> 12:12.420
That is again a distro for the quick mode.

12:13.320 --> 12:15.210
Yes, for the quick mode.

12:15.210 --> 12:18.120
It does it again for extra security.

12:18.420 --> 12:21.990
You just have to choose which group of sizes what to use.

12:23.040 --> 12:23.370
Right.

12:23.460 --> 12:32.700
And here also in until now, the authentication mechanisms that we saw and all the encryption mechanisms

12:32.700 --> 12:38.310
that we saw, we saw PSK, we saw H. IKEv2 also supports EAP.

12:40.740 --> 12:44.210
EAP will be used with certain protocols.

12:44.220 --> 12:53.400
It's usually used for authentication, usually used by switches for Extensible Authentication Protocol

12:55.170 --> 12:59.730
you'll use for AAA when you have a AAA server and you need to communicate to the AAA

12:59.730 --> 13:03.090
server, usually the frames are encapsulated within EAP.

13:03.120 --> 13:05.340
So you have an EAP one.

13:05.340 --> 13:06.990
Say for example, there's a switch, right?

13:07.080 --> 13:10.220
The switch and the user is sitting on the other side of the switch.

13:10.230 --> 13:16.530
Now whoever user logs in his information needs to be sent to the triple A server, right?

13:16.530 --> 13:23.070
So 802.1X, that is exactly the frames that they use.

13:23.400 --> 13:27.660
The password and username is hidden inside that EAP packet.

13:28.290 --> 13:30.780
The thing is Ik v2 has support for it.

13:31.710 --> 13:37.110
So tomorrow when they want to expand and use EAP, maybe do authentication based on a AAA server

13:37.140 --> 13:37.890
can be done.

13:39.450 --> 13:41.770
So users logging in, it's very easy.

13:41.790 --> 13:42.060
Why?

13:42.090 --> 13:49.870
Because people will come in using EAP and that frame will be just forwarded out to the EAP server to

13:49.870 --> 13:50.650
the AAA.

13:51.100 --> 13:51.340
Right.

13:52.600 --> 13:59.800
Another thing, there is a little problem though with IKEv2 which was not there with ISAKMP.

14:00.220 --> 14:03.460
The problem is the first packet when it goes right.

14:06.110 --> 14:09.380
IKE_SA_INIT.

14:09.740 --> 14:13.280
The first packet that goes out is quite heavy.

14:15.420 --> 14:17.040
It has a lot of information.

14:17.190 --> 14:25.860
So if this is the initiator and this is the responder, it takes the responder a little while to respond

14:25.860 --> 14:26.490
to this.

14:26.820 --> 14:33.210
So the session on the responder stays open for some time because it takes some time to respond.

14:34.710 --> 14:36.420
The first packet is not the same as before.

14:36.460 --> 14:37.590
Earlier it was a policy.

14:37.620 --> 14:42.120
Now he has to find out his policies and create the and then reply.

14:42.210 --> 14:43.920
Check the Nat and so many different things.

14:43.920 --> 14:44.790
And just one packet.

14:45.150 --> 14:48.720
It does take him a little while more than it used to take earlier.

14:49.530 --> 14:56.280
So what it does is it leaves you open for a DDoS attack because what the other guy can do is it can

14:56.280 --> 15:01.800
send a lot of hits and your sessions will keep staying open and open everywhere.

15:02.460 --> 15:06.450
There is a possibility of a DDoS attack, right?

15:06.480 --> 15:08.630
How do you protect yourself from it?

15:08.640 --> 15:11.070
You don't, IKEv2 does it by themselves.

15:11.070 --> 15:12.050
By itself.

15:12.060 --> 15:21.020
If you send a lot of IKE_SA_INIT and the responder figures out that he has a lot of open sessions and

15:23.760 --> 15:26.160
also the same way, the same way it worked there.

15:26.160 --> 15:26.970
It works here.

15:27.460 --> 15:29.760
Same window size here.

15:29.760 --> 15:40.470
If this happens, what the responder will do is it sends back a reply, and in the reply is what we call a cookie.

15:42.850 --> 15:44.740
It sends back a notify payload.

15:46.870 --> 15:54.910
It's a special type of informational message, which too has informational message where it says where

15:54.910 --> 15:55.780
it gives out a cookie.

15:55.810 --> 15:58.390
Cookie is just a small, random number.

15:58.660 --> 15:59.680
Gives it out to whom?

16:00.190 --> 16:01.090
The initiator.

16:01.360 --> 16:02.460
If it's a guy who's.

16:03.730 --> 16:11.830
There is no way that it can include this cookie in its packet because it's just sending packets.

16:11.860 --> 16:15.340
It doesn't know how to deal with them, how to accept those packets.

16:16.120 --> 16:16.630
Right?

16:16.630 --> 16:17.740
So it waits.

16:17.740 --> 16:27.280
Then the next packet that comes in from the initiator will not be accepted unless it has.

16:27.280 --> 16:27.580
What?

16:32.490 --> 16:38.670
Unless it has that cookie, which from I to R should go.

16:42.420 --> 16:42.720
Right.

16:45.010 --> 16:45.270
Clear.

16:46.660 --> 16:52.480
So in case someone is spoofing the address, in case someone is spoofing the address, when I reply

16:52.480 --> 16:54.400
back, I'm not responding to the guy.

16:54.700 --> 16:55.900
I'm responding to whom?

16:56.140 --> 16:57.130
The actual guy.

17:00.330 --> 17:07.890
Back it the of notification on the next time it magically things if you want to do it again but see

17:07.890 --> 17:09.540
how does it create this connection.

17:09.540 --> 17:13.110
First of all you have to understand that he's spoofing someone else's address.

17:15.090 --> 17:18.420
It's not using his own address because you know who you are creating the tunnel with, right?

17:18.420 --> 17:19.820
You have configured it properly.

17:19.830 --> 17:21.840
He's spoofing someone else's address.

17:21.870 --> 17:25.560
When you respond back, your replies are not going to him.

17:25.860 --> 17:29.850
They're going to the original address spoofing.

17:29.850 --> 17:30.180
Right?

17:31.020 --> 17:35.370
When you respond, you're not responding to the attacker, you're responding to the actual address.

17:37.470 --> 17:38.430
He doesn't have that.

17:38.430 --> 17:41.040
So when you send the cookie, it doesn't go to him.

17:41.190 --> 17:42.450
It goes to the actual guy.

17:43.050 --> 17:47.850
If he doesn't receive it, he's never going to send back the cookie to me.

17:47.850 --> 17:53.610
If he doesn't send back the cookie to me, I have prevented myself from a successful DDoS attack.

17:56.320 --> 17:56.800
Okay.

17:56.920 --> 17:59.500
Another mechanism inbuilt for.

18:02.210 --> 18:05.570
The other thing Anti-replay is the same which you can do here.

18:05.570 --> 18:06.320
You can do it there.

18:06.320 --> 18:10.400
Also windowing time based activity, replay detection.

18:10.850 --> 18:13.460
You can do that and you have certain other features.

18:13.460 --> 18:16.310
But these are, I think, the most important ones.

18:16.700 --> 18:17.390
Streamlined.

18:18.320 --> 18:21.430
It's much more streamlined, a much smaller number of packets.

18:21.440 --> 18:29.030
It has inbuilt protection streamlined as in earlier when I told you that that was earlier was later

18:29.030 --> 18:35.060
built in, a lot of other features were there in ISAKMP, which was later put in here.

18:35.060 --> 18:39.260
What they have done is they have sequentially made it when I say streamlined.

18:39.260 --> 18:43.940
So you have this thing happening first, then Nat happening, and all those features were added together

18:44.180 --> 18:48.420
not like before where it was just jumbled up like that.

18:48.680 --> 18:52.340
So now there's a specific sequence that everything follows.

18:54.210 --> 18:56.610
Okay, how to configure it?

18:58.620 --> 19:05.460
The best part is that when you configure IKEv2, you're only worrying about the first phase.

19:05.850 --> 19:07.920
The second phase will remain the same.

19:08.100 --> 19:11.970
Your ACLs will remain the same, your crypto maps will remain the same.

19:11.970 --> 19:13.500
Everything has to remain the same.

19:13.860 --> 19:18.770
Either you're using profile or you're using VPN, you're using VPN.

19:18.810 --> 19:20.070
Everything remains the same.

19:20.070 --> 19:24.510
The only thing that changes is the first nine packets.

19:26.480 --> 19:28.770
The exchange of those packets.

19:28.790 --> 19:30.320
Let's check how this is done.

19:32.250 --> 19:33.390
I do have the emotion.

19:34.650 --> 19:35.760
Let's do it on the news.

19:59.580 --> 20:02.490
I'll create a simple site-to-site.

20:31.590 --> 20:31.860
Right.

20:32.160 --> 20:34.140
So the address that I'm going to use.

20:37.630 --> 20:38.440
Same as before.

20:59.190 --> 20:59.490
All right.

20:59.490 --> 21:01.200
So R1 can talk to R3.

21:01.230 --> 21:02.460
That was the whole purpose, right?

21:03.420 --> 21:04.200
So.

21:10.360 --> 21:11.770
This is slash 24.

21:12.340 --> 21:15.910
My job is, what, 10.3 to 10.1.

21:17.000 --> 21:19.120
Should communicate, right?

21:19.420 --> 21:22.510
Let's let's see the differences.

21:22.510 --> 21:24.970
Major differences between v2 and IKEv1.

21:28.590 --> 21:28.940
V1.

21:28.940 --> 21:31.760
What was the first set of policies?

21:31.760 --> 21:33.170
How did we describe them?

21:34.180 --> 21:36.320
Crypto policy.

21:36.470 --> 21:51.040
Then you number it. Encryption 3DES, authentication pre-share, group 2.

21:52.320 --> 21:52.950
Hash.

21:56.010 --> 21:59.490
And then you said crypto isakmp key.

21:59.520 --> 22:02.700
Cisco address one, two, three, one.

22:02.700 --> 22:04.430
Not as simple as that.

22:04.440 --> 22:06.150
You're defining all your packets.

22:06.150 --> 22:06.750
That's it.

22:06.750 --> 22:12.720
That's all you did, right. Now, if you have a look at this and you compare it to IKEv2, you see IKEv2

22:12.750 --> 22:15.390
is so much better.

22:15.840 --> 22:16.470
Why?

22:16.500 --> 22:26.430
First of all, if I say ISAKMP, if I say ISAKMP, you had to create two different tunnels between, let's

22:26.440 --> 22:28.350
say between R1 and R3.

22:29.220 --> 22:31.950
You are going to do for ISAKMP properties.

22:31.950 --> 22:35.490
You are going to do 3DES and MD5.

22:36.030 --> 22:40.020
But with R4 you are supposed to do AES and MD5.

22:41.880 --> 22:43.800
What did you need to do here?

22:45.330 --> 22:46.590
Create two sets of policies.

22:46.600 --> 22:56.470
So the policy number ten, policy number 20, and when the exchange took place, R1 would send what, all

22:56.470 --> 23:01.090
of the policies ten as a separate policy, 20 as a separate policy.

23:01.090 --> 23:02.920
And the same thing you would do here.

23:04.060 --> 23:08.740
What V2 has done is when you're configuring it on the server.

23:11.990 --> 23:16.310
What you can do is, first of all, it's not called a policy anymore.

23:17.270 --> 23:22.520
It's called crypto ikev2 proposal.

23:24.990 --> 23:27.600
It's a proposal, not a policy.

23:28.170 --> 23:28.680
Name it.

23:28.680 --> 23:29.390
Anything.

23:29.400 --> 23:30.540
It can be a name.

23:30.540 --> 23:31.680
It can be a number.

23:32.700 --> 23:33.270
Right.

23:33.720 --> 23:35.220
So I'll call it prop.

23:36.540 --> 23:39.240
Then you choose encryption.

23:40.530 --> 23:42.150
I want to use 3DES.

23:43.380 --> 23:47.460
I want to use AES; you can choose it in one line.

23:49.800 --> 23:57.090
You can choose, say for example, I want to use hash MD5 and Sha authentication.

23:57.120 --> 23:59.040
You don't choose here group.

23:59.070 --> 24:03.000
I want to use two, five and one.

24:04.970 --> 24:11.300
What you're saying is you're giving your preference when the guy comes up, give the first preference.

24:11.300 --> 24:16.220
If he's using 3DES, if he's using AES, that's also okay.

24:16.670 --> 24:17.630
I'll accept it.

24:18.650 --> 24:22.250
If the guy comes in with MD5, MD5, give it the first preference.

24:22.250 --> 24:23.390
Sha the second preference.

24:23.660 --> 24:24.870
Same thing for group.

24:25.680 --> 24:31.340
Group two is given a higher preference group five a little lower than that, but still high then group

24:31.490 --> 24:31.690
one.

24:34.500 --> 24:35.090
You understand.

24:35.690 --> 24:41.780
So instead of writing ten different policies for ten different sites, I just have to write one proposal

24:41.780 --> 24:49.730
where I mention all the different possibilities of the encryption and authentication mechanism that

24:49.730 --> 24:50.770
people are going to commit.

24:52.450 --> 24:52.750
Okay.

24:54.430 --> 25:01.240
Also, make sure that the IOS that you're using is 15.

25:01.600 --> 25:02.860
I don't think this is 15.

25:04.070 --> 25:04.990
You need to change it.

25:06.640 --> 25:11.620
So the image that I'm using here would be.

25:13.780 --> 25:16.210
Similar to S2, right?

25:16.720 --> 25:18.250
It only works 15 above.

25:19.000 --> 25:25.840
I also make sure it's s so this command will not be there for the other outlets.

25:26.380 --> 25:26.560
IKEv2.

25:26.560 --> 25:31.480
Just like you have crypto isakmp, you also have crypto.

25:32.920 --> 25:34.900
What was the first thing I said you have to do?

25:35.260 --> 25:36.070
Proposal.

25:37.090 --> 25:37.930
The name it.

25:37.930 --> 25:39.130
Anything is just a name.

25:39.790 --> 25:40.690
I'll call it prop.

25:41.950 --> 25:42.760
What does it say?

25:42.880 --> 25:45.130
It must have at least an encryption algorithm.

25:45.130 --> 25:49.690
An integrity algorithm and a group specified encryption.

25:50.020 --> 25:52.900
You already know integrity is the same as hashing.

25:53.980 --> 25:56.500
So hashing is known as integrity.

25:56.530 --> 25:59.350
We call it integrity encryption.

25:59.380 --> 26:00.460
What do I want to use?

26:00.460 --> 26:00.880
3DES.

26:00.910 --> 26:02.260
Then you can choose other options.

26:02.260 --> 26:03.970
Now see the new variations?

26:04.990 --> 26:05.350
Yes.

26:05.350 --> 26:09.010
Now AES has 192 and 256 bits in one.

26:10.780 --> 26:13.240
Earlier it was just one 128.

26:13.240 --> 26:14.860
Right now you have more.

26:15.130 --> 26:15.910
You can use more.

26:15.940 --> 26:22.000
As long as the devices support the licensing for that should be able to do it right.

26:22.000 --> 26:26.050
So let's say I want to use AES 256 as a backup.

26:27.610 --> 26:28.120
Okay.

26:28.300 --> 26:29.620
Again, integrity.

26:29.650 --> 26:30.640
Look at this.

26:31.450 --> 26:33.070
MD5 is the same.

26:33.700 --> 26:38.140
SHA has new variations, so SHA-1, SHA-256.

26:41.770 --> 26:42.170
Right.

26:42.250 --> 26:43.660
Newer variations.

26:44.590 --> 26:45.220
Group.

26:45.250 --> 26:46.510
Check out the groups.

26:49.230 --> 26:51.960
1 to 5 has become one.

26:52.140 --> 26:59.090
Now, it doesn't matter that it doesn't mean that the higher the group size, the better.

26:59.190 --> 27:03.270
The bigger the size, the higher the number of the group, the bigger the size.

27:03.300 --> 27:04.080
Check this out.

27:04.110 --> 27:07.170
20 is just 384 in size.

27:07.980 --> 27:08.850
Group 20.

27:09.810 --> 27:10.200
Right.

27:10.240 --> 27:11.730
This is what you call these.

27:11.760 --> 27:13.890
These are called elliptical curve.

27:15.960 --> 27:17.810
Elliptical curve mechanisms.

27:18.090 --> 27:21.600
Not really sure what the P stands for, but I'm sure that this is elliptical curve.

27:21.630 --> 27:23.830
Let's check this.

27:26.000 --> 27:31.610
Yes, but faster elliptical curve prime groups.

27:32.600 --> 27:39.650
What they have actually done is, it has been so strong since it was created that they have now reduced the

27:39.650 --> 27:42.530
size of it using variations.

27:42.530 --> 27:46.430
So instead of using a normal, you use something known as elliptical curve.

27:46.730 --> 27:50.990
So they find out values based on a curve and then reduce the size.

27:50.990 --> 27:55.490
What it gives you is faster tunnels with good amount of security.

27:55.520 --> 27:57.440
Not as secure, obviously, as the original.

27:58.430 --> 28:03.620
But since that was never broken, they thought that, you know, why don't just reduce the size.

28:05.030 --> 28:10.670
That's why you see a lower size in all these steps, right?

28:10.670 --> 28:18.980
So what you would use right now, let's say, is two, five and one as the backup. Where do you specify

28:18.980 --> 28:22.070
all of this information in the proposal?

28:22.400 --> 28:24.500
So what did I use as.

28:29.940 --> 28:30.060
Yes.

28:30.400 --> 28:33.760
So that we are in sync so we can copy and paste the other side.

28:40.450 --> 28:40.660
Right.

28:41.890 --> 28:44.860
What else did we do earlier?

28:47.050 --> 28:55.480
See, we have specified this group and hash; authentication mechanism we have not specified yet.

28:56.200 --> 28:57.970
We also need to specify the.

28:58.960 --> 29:05.230
But yeah, what you also have here is one additional step which is not used for anything, but it's

29:05.230 --> 29:06.010
just there.

29:06.220 --> 29:08.920
You have to specify a policy.

29:11.140 --> 29:15.030
Now you can name it anything, crypto ikev2 policy.

29:15.040 --> 29:17.230
Again, just a name, any name you can name it.

29:17.230 --> 29:20.200
Ten. You can also call it pol here.

29:20.200 --> 29:23.110
All you have to do is call the proposal.

29:26.930 --> 29:28.370
So it is still a policy.

29:28.400 --> 29:32.480
It's just that the proposal is separately done and then called in the policy.

29:33.560 --> 29:35.390
So you had your second policy earlier.

29:35.390 --> 29:37.250
It's not an ISAKMP policy anymore.

29:37.280 --> 29:40.760
It's IKEv2 policy, which you can call anything in here.

29:40.760 --> 29:41.630
What do you call.

29:42.440 --> 29:43.210
That's it.

29:43.220 --> 29:44.630
You just call a proposal in here.

29:44.630 --> 29:46.370
That's all you do.

29:49.540 --> 29:49.960
Okay.

29:51.190 --> 29:51.460
Clear.

29:51.910 --> 29:54.490
Now comes the real part, the key.

29:57.220 --> 30:01.390
You need to create that key here in IKEv2.

30:02.560 --> 30:07.540
See in the first section and I see what you could do was if this is R1 and R2.

30:07.570 --> 30:08.110
Right?

30:10.780 --> 30:12.790
For them to be able to authenticate each other.

30:12.790 --> 30:13.750
Both should have the same.

30:20.180 --> 30:22.190
If there was a mismatch, they wouldn't create the tunnels.

30:22.190 --> 30:22.490
Right?

30:22.540 --> 30:24.140
Same on both sides.

30:24.290 --> 30:30.830
What v2 gives you is you can have a separate PSK for sending and a separate one for receiving.

30:32.630 --> 30:41.450
So let's say I want to use Cisco one as my sending, sorry, receiving one, Cisco two as the.

30:44.390 --> 30:46.130
Sending 1 or 2.

30:46.160 --> 30:47.630
What should be the receiving one?

30:51.230 --> 30:52.760
Cisco two and sending one.

30:57.400 --> 31:01.360
A separate key for sending a separate key for receiving, we call it local and remote.

31:02.770 --> 31:05.350
Local will be one for R1.

31:05.350 --> 31:10.180
Remote will be what will be sent will be Cisco two for the other side, the receiving one, the local

31:10.180 --> 31:14.050
one should be Cisco two and he should be sending his remote should be Cisco.

31:17.850 --> 31:18.090
Then.

31:20.220 --> 31:23.040
Played with this, how this works.

31:23.190 --> 31:24.000
So.

31:26.990 --> 31:27.920
R1 and R2.

31:28.640 --> 31:37.520
Also, another thing we've got to show you is in ISAKMP, you can only choose one mechanism.

31:37.520 --> 31:44.180
Either use PSK, which will be negotiated on both sides, or use RSA, RSA signatures.

31:44.510 --> 31:52.010
In here you can say from here, from R1 to R2, I'm going to send a PSK; from R2 to R1, I'm going to

31:52.010 --> 31:52.310
send.

31:55.680 --> 31:56.230
I'm going to use.

31:57.870 --> 31:59.100
I'm going to use a certificate.

31:59.850 --> 32:05.040
So once I will be sending a pre-shared key, the other side will be sending a certificate back which

32:05.070 --> 32:10.110
most of the times you will not use, but it's just that it is available to you in case you're stuck

32:10.110 --> 32:13.620
in a situation where you have to use it, you can use it.

32:15.810 --> 32:18.390
You also have to specify authentication method.

32:18.690 --> 32:23.100
Remote is PSK or local is PKI, and stuff like that, just like you do here.

32:24.650 --> 32:29.810
Okay, so let's see how the key is specified here in Ikev2.

32:29.840 --> 32:32.980
The key is not specified openly, the way it was in ISAKMP.

32:33.230 --> 32:40.670
Here you specify it in a crypto ikev2 keyring, and you name it.

32:42.890 --> 32:44.420
You call it a key ring.

32:44.900 --> 32:50.600
So go here, crypto ikev2 keyring, call it here.

32:51.470 --> 32:57.350
Then you specify the peer who is your peer, not the IP, just the name.

32:57.800 --> 32:59.030
This name is local.

32:59.030 --> 33:00.020
Can be anything.

33:00.110 --> 33:02.900
This is just for you to know what you're configuring your neighbor with.

33:03.140 --> 33:04.610
I can call this as R3.

33:05.960 --> 33:10.940
This is where you specify the address inside the sub configuration.

33:11.210 --> 33:14.540
151 .13. also.

33:18.540 --> 33:19.220
Pre-shared key.

33:20.100 --> 33:25.950
Now you can either specify pre-shared key or if you just specify Cisco, you're using the same key on

33:25.950 --> 33:26.760
both sides.

33:27.750 --> 33:33.030
Or what you could also do is you could say pre-shared key local is cisco.

33:34.140 --> 33:36.750
Pre-shared key remote is cisco1.

33:40.580 --> 33:41.630
Two ways of doing it.

33:41.900 --> 33:43.730
Either you specify local and remote.

33:44.150 --> 33:47.990
That would mean you have to specify it separately, or you just say, right,

33:48.020 --> 33:48.600
Pre-shared Key.

33:48.620 --> 33:50.120
cisco, like we used to do earlier.

33:50.660 --> 33:52.760
So what's the point of having it?

33:53.250 --> 33:55.130
In nothing.

33:56.060 --> 33:57.590
I think it's just a prop.

33:58.040 --> 34:01.280
Something doesn't really make much of a difference.

34:02.940 --> 34:03.780
You can.

34:03.810 --> 34:05.000
The option is there.

34:05.010 --> 34:06.510
You can do it if you want.

34:08.040 --> 34:13.950
So in the keyring, what you'll say is peer R3, because most of the times you will not use it.

34:14.760 --> 34:19.500
Most of the times you will use, if you have a problem like that, for security, you will use RSA signatures,

34:20.820 --> 34:21.060
right?

34:21.060 --> 34:22.410
You wouldn't use Pre-shared keys.

34:22.410 --> 34:23.850
It becomes more complicated.

34:25.380 --> 34:27.540
Yes, there is an option as an option.

34:28.560 --> 34:35.220
So usually what you would say is pre-shared key is cisco.

34:35.220 --> 34:37.530
Usually you would do this or.

34:41.420 --> 34:45.050
You could also say pre-shared key local cisco.

34:49.000 --> 34:49.420
Remote.

34:51.580 --> 34:52.300
This Cisco.

34:52.870 --> 34:55.960
Let's say cisco3 is remote and local

34:55.960 --> 34:58.450
is cisco1, this here.

34:59.890 --> 35:01.870
Reset the local, cisco1.

35:02.380 --> 35:06.670
We should be remote Cisco because I'm creating my tunnel.

35:08.230 --> 35:09.820
So if you have a look now.

35:11.920 --> 35:13.570
Actual crypto configuration.

35:13.960 --> 35:16.240
Why is this good enough for you?

35:16.240 --> 35:20.980
Because later, if you have ten tunnels, when you look at your keyring, you will know which key you're

35:20.980 --> 35:21.310
using.

35:23.410 --> 35:23.600
Right.

35:23.650 --> 35:25.750
You'll know that you're doing this with R3.

35:25.780 --> 35:29.170
The address of R3 is 151.23. So streamlined.

35:32.480 --> 35:33.740
Even in configuration.

35:34.250 --> 35:35.360
Much easier to.

35:37.260 --> 35:40.920
We didn't have so many bullets in killing us.

35:41.580 --> 35:43.990
So we can if we want to move and we will talk about.

35:44.580 --> 35:46.750
You just have to add that peer in the keyring.

35:47.970 --> 35:48.480
That's all.

35:48.490 --> 35:50.560
That's why it's better, right?

35:52.150 --> 35:53.130
Tomorrow we have R4.

35:53.140 --> 35:53.950
Where will you add it?

35:53.950 --> 35:55.480
Right here, right under his nose.

35:56.200 --> 35:59.410
You just add another peer, right?

35:59.650 --> 35:59.920
Done.

36:00.550 --> 36:02.770
The last thing that you have to do is crypto.

36:02.800 --> 36:04.450
crypto ikev2 profile.

36:06.370 --> 36:09.320
You have to bind all of these together using the profile.

36:09.340 --> 36:10.630
Now, this can be called anything.

36:10.630 --> 36:12.810
I call it IKEv2 prof.

36:14.290 --> 36:17.620
It says a local and remote authentication method has to be specified.

36:19.330 --> 36:20.650
Authentication remote.

36:20.680 --> 36:22.000
But how do you want to do it?

36:22.030 --> 36:22.840
You want to do it?

36:23.950 --> 36:25.120
EAP is also there.

36:25.220 --> 36:26.710
EC, elliptic curve.

36:26.740 --> 36:27.470
There's another one.

36:27.510 --> 36:29.200
DSA signature, Right.

36:29.230 --> 36:31.510
New ones have been introduced.

36:31.540 --> 36:36.160
What I'll say is remote pre-share, and local is also.

36:39.230 --> 36:43.650
Authentication remote pre-share, authentication local is also pre-share.

36:45.360 --> 36:48.690
Then it also says you have to match.

36:49.890 --> 36:50.900
Match identity.

36:50.910 --> 36:52.860
Remote address.

36:53.970 --> 36:55.590
Basically specifying your peer.

36:58.230 --> 36:59.640
What is the address of the other side?

37:01.680 --> 37:03.330
Match Identity Address.

37:03.690 --> 37:06.390
Now, it doesn't necessarily have to be peer.

37:06.660 --> 37:09.350
You could also say it's FQDN.

37:09.390 --> 37:11.340
If you have a domain name specified.

37:11.430 --> 37:13.500
If you're using key IDs.

37:13.890 --> 37:16.440
If you're using an email address.

37:17.790 --> 37:19.230
You can specify that.

37:19.230 --> 37:23.310
But for that you have to locally specify.

37:24.480 --> 37:25.590
Identity local.

37:26.550 --> 37:30.810
So local identity address which you use from here should be used from the other side.

37:30.810 --> 37:35.100
So let's say I want to use FQDN, so I'll say cisco.com.

37:36.150 --> 37:40.230
From the other side should be match identity remote cisco.com.

37:41.130 --> 37:43.260
You can do it based on an email address.

37:43.260 --> 37:45.410
If you specify key ID, if you specify.

37:45.430 --> 37:47.260
But most of the time, what do we do?

37:47.680 --> 37:48.250
Address.

37:49.270 --> 37:51.010
What do you mean by it's just.

37:51.340 --> 37:56.530
You can specify any, so you can say match, sorry, identity local.

37:56.800 --> 37:59.050
You can say email, whatever,

38:01.420 --> 38:03.040
at cisco.com.

38:06.020 --> 38:06.800
How does it work?

38:07.430 --> 38:12.920
So when I send right, when I'm creating my name, when I'm creating my relationship with you, I'll

38:12.920 --> 38:14.790
send you my email address.

38:14.810 --> 38:17.360
You send me your email address from here.

38:17.360 --> 38:23.450
My local is what? That, cisco.com. When I receive from the other side, what should I receive?

38:24.430 --> 38:27.530
Dot. Most of the times you always use address.

38:28.430 --> 38:33.410
You say identity local is 151.15.1.

38:33.680 --> 38:39.170
Then when you send your remote, you'll be sending it to 12.1, right, for here.

38:39.170 --> 38:44.960
For example, when I say match identity remote address, what did I say?

38:44.960 --> 38:52.100
151.23.3. So when I'm sending, creating my relationship, I'm sending which address, going to which address?

38:52.100 --> 38:58.370
151.23.3. The other side's local should be that, which it is, which is correct.

38:58.370 --> 39:02.240
But, you know, you have to configure one way of doing it.

39:02.840 --> 39:03.770
At least one way.

39:03.770 --> 39:08.360
Either address or your email address.

39:08.360 --> 39:16.090
Most of the times you'll do it based on address. Email, a router doesn't have any, but if you, you can configure,

39:16.100 --> 39:20.270
right, you can say identity local address, email address.

39:20.270 --> 39:21.860
So I can specify an email address.

39:22.790 --> 39:23.660
Just an identity.

39:23.780 --> 39:24.170
Exactly.

39:24.890 --> 39:27.970
So it doesn't mean that the physical address or something.

39:28.040 --> 39:28.580
No, no, no.

39:28.580 --> 39:30.470
Any address you could use any address here.

39:30.470 --> 39:34.370
But again, the local which you use here should be the remote from the other side.

39:34.370 --> 39:34.650
Yes, sir.

39:34.730 --> 39:35.390
That's all.

39:35.570 --> 39:36.470
That's all you have to match.

39:36.590 --> 39:37.130
Exactly.

39:37.610 --> 39:38.180
Exactly.

39:38.180 --> 39:41.540
If you don't configure the local by default, it will take the public one.

39:43.490 --> 39:46.490
If you don't configure the local address, which I did not configure here.

39:46.490 --> 39:53.570
If you check show run section crypto, it actually doesn't make any sense.

39:54.870 --> 39:57.620
What do you want to do, Max?

39:57.650 --> 40:00.640
This is extra security to match.

40:00.860 --> 40:02.120
I'm creating a tunnel with you.

40:02.120 --> 40:02.690
Right.

40:02.720 --> 40:03.920
Earlier, when I used to create.

40:03.950 --> 40:11.000
What was the only thing that should match? The cisco key. To add extra security, they said we'll add something

40:11.000 --> 40:11.270
else.

40:11.270 --> 40:14.720
Now they have to verify their identities when they're creating themselves.

40:14.720 --> 40:18.770
They have to verify the identities which can be done based on domain names.

40:19.070 --> 40:19.610
Right.

40:19.610 --> 40:22.220
So domain name on your side and mine should be the same.

40:22.220 --> 40:26.090
So if someone in the middle is spoofing, he will not know what the domain name you used.

40:26.330 --> 40:28.340
What was the domain name that you used?

40:28.340 --> 40:33.650
You could do it based on email addresses so the guy in the middle can try doing it on domain names,

40:33.650 --> 40:35.990
but he doesn't know that you're not using the domain names.

40:35.990 --> 40:37.490
You're using email addresses.

40:38.060 --> 40:38.360
Right.

40:38.360 --> 40:39.290
We could do it now.

40:39.320 --> 40:44.060
Low security would be doing it based on addresses, just normal addresses.

40:44.060 --> 40:51.470
But again, most of the times since it's very entirely new, people have not been exploring new options.

40:51.710 --> 40:52.130
Right.

40:52.130 --> 40:52.970
Very new.

40:52.970 --> 40:56.100
This technology, you can do all of these features in there.

40:56.880 --> 40:57.930
So how do you do it?

40:57.930 --> 41:00.000
crypto ikev2 profile.

41:01.740 --> 41:02.730
I'll call it IKEv2.

41:03.930 --> 41:08.760
So when I say match, first of all, identity remote.

41:09.840 --> 41:13.650
Either you can do it address or domain name or email address, whichever you want.

41:13.680 --> 41:15.570
Let's say address for our case.

41:16.050 --> 41:27.330
Of R3. Then you also say authentication remote is pre-share, authentication local also pre-share.

41:28.860 --> 41:32.730
Then you have to specify the key.

41:35.030 --> 41:35.390
Keyring.

41:35.540 --> 41:40.940
Don't forget the keyword local, keyring local, which has been specified locally.

41:41.030 --> 41:42.860
The address of that keyring is what?

41:43.380 --> 41:45.320
Yeah, That's how you're done.

41:51.550 --> 41:52.930
That's what we'll be doing now.

41:53.140 --> 41:56.760
This is just keyring local.

41:57.250 --> 42:04.210
What you have done is, if you compare it, you have only configured this part.

42:06.960 --> 42:07.500
That's it.

42:08.250 --> 42:10.260
You have not moved to the second phase.

42:10.680 --> 42:11.180
Phase?

42:11.190 --> 42:15.540
You have completed all the phase 1 parameters, but your transform set and everything will remain the same.

42:15.540 --> 42:16.410
That's a good thing.

42:16.800 --> 42:18.870
You only mention here.

42:18.870 --> 42:19.410
Yes.

42:19.440 --> 42:22.620
Instead of saying authentication pre-share, now you have more options.

42:22.860 --> 42:24.240
You can say remote authentication.

42:24.240 --> 42:25.200
Local authentication.

42:25.200 --> 42:27.120
Remote is pre-shared, local is RSA.

42:27.660 --> 42:28.320
That's it.

42:28.530 --> 42:32.310
Crypto IKE, Internet Key Exchange.

42:33.630 --> 42:36.160
Then we can use.

42:37.560 --> 42:39.810
Yeah, sometime you can.

42:40.070 --> 42:40.550
You can.

42:40.710 --> 42:41.760
We'll see that in brief.

42:42.870 --> 42:46.020
If you're not changing the default behavior of it, you don't use the profile.

42:46.470 --> 42:50.430
If you're changing the default behavior, then you need to use the profile some some time.

42:50.430 --> 42:51.390
We are using sometimes.

42:51.390 --> 42:51.600
Yes.

42:51.630 --> 42:53.040
Sometimes we'll see.

42:53.070 --> 42:54.840
Tomorrow we'll also use a key ring there.

42:55.380 --> 42:59.040
When we are doing VRF, we'll be using keyring along with ISAKMP.

42:59.100 --> 43:03.140
Also at that time we'll have to call the Isakmp profiles inside.

43:03.690 --> 43:04.130
Yes.

43:05.250 --> 43:12.190
Now again, going back down here, this is just an hour, so don't worry about this.

43:13.330 --> 43:14.920
You're doing the same thing.

43:14.920 --> 43:18.610
You have more options here instead of just specifying the address here.

43:18.640 --> 43:19.750
Now you have more options here.

43:19.750 --> 43:25.000
Also, instead of just specifying one key, you have more options here, but you are actually basically

43:25.000 --> 43:26.080
doing the same thing.

43:27.010 --> 43:28.690
What about the other features?

43:30.730 --> 43:36.010
Crypto IPsec Transform set?

43:37.510 --> 43:40.730
See this, esp-3des, esp-sha.

43:41.140 --> 43:44.620
And let's check out in the new version.

43:44.620 --> 43:45.070
Do I have?

43:45.100 --> 43:46.630
Do we have new options?

43:50.970 --> 43:56.520
This is, I use IOS 15, in IOS 15.

43:56.550 --> 43:59.400
We get again, different variations of the same thing.

43:59.400 --> 44:04.650
So ESP, you could have 3DES, AES, there's, right?

44:04.710 --> 44:06.810
So let's say I want to use AES.

44:09.170 --> 44:10.880
He did not have anything like.

44:12.260 --> 44:14.030
Yes, no encryption.

44:16.870 --> 44:18.070
With no encryption.

44:18.400 --> 44:20.020
So you have this, right?

44:20.050 --> 44:21.190
What else do you have here?

44:21.550 --> 44:24.400
Now, again, you can specify which one do you want to use?

44:24.400 --> 44:29.180
128, 192 or 256. So I could say 128, for example.

44:29.200 --> 44:32.710
Then do you want to use SHA, MD5?

44:32.740 --> 44:33.850
Let's say MD5.

44:33.880 --> 44:35.560
You can specify more.

44:35.950 --> 44:40.760
That's SHA, if you want to use it, but right now you only want to use MD5.

44:40.810 --> 44:42.040
So let's do that.

44:42.070 --> 44:43.480
Then what else do we have?

44:43.900 --> 44:44.830
Let's copy this.

44:45.430 --> 44:48.580
What else did we specify in our site to site tunnel

44:51.340 --> 44:51.730
ACL.

44:53.780 --> 44:54.560
So step.

44:55.040 --> 44:56.090
Let's call this step two.

44:57.580 --> 44:59.440
Step three is.

45:01.240 --> 45:04.360
access-list 101 permit ip, going from 10...

45:06.900 --> 45:08.880
going to 10.3.3.0.

45:11.400 --> 45:17.220
And finally, crypto map IMAP 10 IPsec,

45:21.420 --> 45:25.760
IPsec profile, where we apply it.

45:25.830 --> 45:26.140
Apply it.

45:27.480 --> 45:28.320
You don't have a tunnel.

45:28.440 --> 45:29.060
You have a tunnel.

45:29.070 --> 45:32.330
You use that. Set peer here.

45:32.340 --> 45:41.610
151.13.3. Match address 101. Set transform-

45:42.660 --> 45:43.500
Set.

45:43.740 --> 45:44.280
Set.

45:45.380 --> 45:48.670
Set ikev2-profile.

45:48.720 --> 45:52.890
This is the one extra step, the IKEv2 profile.

45:53.340 --> 45:54.600
This is one extra step.

45:55.440 --> 46:00.900
You also have to bind the IKEv2 profile in here, basically telling him that I'm not using ISAKMP, I'm

46:00.900 --> 46:02.250
using IKEv2.

46:07.310 --> 46:07.570
None.

46:09.080 --> 46:11.150
Then apply it, interface FastEthernet 1/0.

46:11.540 --> 46:12.710
Crypto map.

46:16.410 --> 46:21.130
The camp is on show the detail.

46:21.130 --> 46:24.130
This command is not here to show you which code numbers are open.

46:27.430 --> 46:27.670
Done.

46:27.670 --> 46:28.020
Right.

46:28.030 --> 46:28.900
This part is done.

46:28.930 --> 46:29.430
Let's figure.

46:29.470 --> 46:30.730
Let's configure the other side.

46:31.850 --> 46:32.950
Let's copy this first.

46:35.170 --> 46:43.090
Yeah, I'm just going to paste it here and then make the changes. Proposal.

46:43.420 --> 46:46.680
Let's say this side is only using because I don't want to confuse him.

46:46.690 --> 46:50.770
It can if you want to, but usually on the other side you only configure one part.

46:50.800 --> 46:56.740
Let's say group five, the server has all the policies, the different variations.

46:56.740 --> 47:00.400
The clients will only have the ones which they require to make with the server.

47:01.240 --> 47:06.190
Policy remains the same, proposal remains the same, keyring, R1.

47:06.670 --> 47:07.840
The address is.

47:09.820 --> 47:09.970
Up.

47:11.440 --> 47:15.640
So I'll be copying this one has to be the name of.

47:16.240 --> 47:16.660
No, no, no.

47:16.660 --> 47:17.730
This is just a local name.

47:17.740 --> 47:21.760
This is just a local name for a local name locally for you to know.

47:22.450 --> 47:25.000
So I can also call it site one.

47:25.000 --> 47:25.630
Yes.

47:25.990 --> 47:26.580
Description.

47:26.800 --> 47:27.340
Yeah.

47:27.820 --> 47:31.210
For you to know when you check your running configuration, you should know.

47:31.210 --> 47:31.390
Okay.

47:31.390 --> 47:32.140
This is site one.

47:32.140 --> 47:33.390
This is site two, site three.

47:33.850 --> 47:34.180
Okay.

47:34.660 --> 47:35.230
Just like this.

47:37.150 --> 47:37.600
Yeah.

47:37.630 --> 47:38.080
Local.

47:38.080 --> 47:40.750
Local to the clients, local to every router.

47:41.860 --> 47:44.470
So here address is 12.1.

47:44.650 --> 47:46.330
The local key is three.

47:46.360 --> 47:53.470
Remote key is one. IKEv2 profile, remote address is 12.1.

47:53.650 --> 47:58.780
No, remote address, that's also here, from here.

47:58.780 --> 47:59.770
Also remote address.

47:59.920 --> 48:02.950
I told you if you don't specify the local, it will use the public address.

48:04.000 --> 48:04.270
Right.

48:04.270 --> 48:07.030
So I'm using here the local address as 23.3.

48:07.060 --> 48:10.120
The other guy is using the local address as 12 dot.

48:10.610 --> 48:14.480
So if I don't specify, my remote should be 12, his remote should be 23.

48:14.960 --> 48:15.350
That's it.

48:16.890 --> 48:17.250
Okay.

48:17.790 --> 48:20.130
Authentication, remote is pre-share.

48:20.160 --> 48:24.240
Local is pre-share, keyring is key, and this is done.

48:24.240 --> 48:25.710
So you copy this.

48:27.930 --> 48:31.170
Copy this and control key is not working.

48:31.170 --> 48:31.380
So.

48:33.420 --> 48:33.570
It's.

48:35.620 --> 48:36.430
You need to copy it.

48:36.430 --> 48:37.110
Where on R3?

48:37.150 --> 48:37.660
Right.

48:38.770 --> 48:40.870
So this should be okay.

48:41.710 --> 48:42.460
Then.

48:44.590 --> 48:45.600
We need this now.

48:51.320 --> 48:51.770
Copy it.

49:05.230 --> 49:10.740
Just you should not be thinking.

49:11.230 --> 49:11.980
Oh, okay.

49:12.940 --> 49:13.870
Yes.

49:13.900 --> 49:14.870
No, that was not the mistake.

49:14.890 --> 49:15.790
It will still paste.

49:16.330 --> 49:17.380
I have added a.

49:21.030 --> 49:23.400
An extra space. It should paste anyway.

49:25.870 --> 49:30.220
Then the rest is also the same.

49:30.250 --> 49:35.910
Transform set remains the same and I'll just reverse the set peer.

49:35.980 --> 49:39.110
Peer should become one.

49:39.190 --> 49:40.150
Everything else is same.

49:40.150 --> 49:40.600
Right?

49:41.290 --> 49:44.020
Copy it and paste it.

49:45.250 --> 49:52.900
And finally, interface FastEthernet 1/0, crypto map. So you'll see that it works the same way.

49:52.900 --> 49:55.240
It will be triggered when you have interesting traffic.

49:55.240 --> 49:57.100
All those things are the same.

49:57.880 --> 50:02.260
It's just that the exchange in the first packets, the ISAKMP exchange, will be different now.

50:02.290 --> 50:03.970
Everything else will be the same.

50:06.330 --> 50:08.280
Okay, let's try and see.

50:13.600 --> 50:14.410
To make this work.

50:14.410 --> 50:18.160
All I have to do is send interesting traffic from R3 to R1.

50:18.160 --> 50:23.560
So that's 10.1.1.1, going from source 10.3.3.

50:25.240 --> 50:32.650
The packet goes through, but the important part is in total of four packets.

50:32.740 --> 50:33.700
First packet.

50:37.890 --> 50:39.450
Security associations.

50:43.790 --> 50:44.690
I'm sending.

50:44.690 --> 50:45.410
What?

50:47.730 --> 50:50.910
Protocol is, I'm sending encryption as 3DES.

50:51.810 --> 50:54.450
I'm sending my PRF as pseudo random function.

50:54.450 --> 50:58.650
We are sending also a MAC, MD5.

51:00.270 --> 51:02.070
We are also sending DH, which group?

51:02.070 --> 51:03.930
Number five.

51:04.320 --> 51:06.660
Then you have your same key exchange.

51:06.870 --> 51:12.030
You have your nonce, you have your vendor IDs, your nat and everything is happening on.

51:12.690 --> 51:17.100
So the first two packets cover everything, but the size is huge.

51:19.640 --> 51:24.160
400, 500. Earlier, it was around 150 and 200.

51:24.170 --> 51:26.050
Now it's 500, 500.

51:26.060 --> 51:31.370
The packet size increases as compared to the earlier one, but everything else is almost the same.

51:31.550 --> 51:38.720
Then from here onwards you won't see anything, because it is encrypted and authenticated, so you

51:38.720 --> 51:42.650
don't see the encrypted data right here; you don't see anything.

51:46.100 --> 51:46.390
Right.

51:46.490 --> 51:47.780
Same process is happening.

51:47.780 --> 51:54.080
So if you check the verification, if you check your second tunnel, show crypto ipsec sa, you will

51:54.080 --> 51:55.340
not see a difference.

51:56.810 --> 51:58.250
It is exactly the same.

51:58.790 --> 52:02.330
No difference at all in the IPsec SA.

52:02.690 --> 52:06.170
But if you check your show crypto isakmp sa, you'll see that it is empty.

52:08.000 --> 52:08.690
Why is this empty?

52:11.360 --> 52:16.310
This is what I should be like was the first.

52:16.430 --> 52:17.420
The whole thing has changed.

52:17.450 --> 52:18.710
It's not ISAKMP anymore.

52:19.280 --> 52:20.240
It's more like IKEv2.

52:21.050 --> 52:27.140
If you check, local is 151.23.3.

52:27.170 --> 52:31.220
Remote is 12.1. We'll do later.

52:31.640 --> 52:32.720
Status is what?

52:33.440 --> 52:33.920
Ready.

52:34.220 --> 52:35.250
The tunnel is up.

52:35.270 --> 52:36.890
Basically, it's not called idle.

52:37.220 --> 52:38.470
It's called status.

52:40.760 --> 52:45.590
Instead of calling all those different states, it will just tell you what the status of the tunnel

52:45.590 --> 52:46.070
is.

52:46.220 --> 52:48.080
What have you negotiated upon?

52:48.920 --> 52:53.180
3DES, MD5, DH group.

52:55.030 --> 53:03.070
Authentication: you'll be sending and receiving pre-shared key remote, pre-shared

53:03.070 --> 53:08.080
key local. Lifetime 86,400 seconds.

53:08.110 --> 53:11.560
You have chosen. Right now 113 seconds have passed by.

53:12.160 --> 53:13.750
You can also go into details.

53:18.380 --> 53:18.670
Right.

53:18.710 --> 53:24.770
So in details, what you would do is if you have specified you have your IDs, it will tell you your

53:24.770 --> 53:30.350
local ID, remember, identity, local identity, remote match identity.

53:30.350 --> 53:32.890
Local identity is 23.3.

53:32.900 --> 53:38.800
Remote identity is how many messages have been going through this, right?

53:39.020 --> 53:45.350
NAT has not been going through, and SGT is TrustSec.

53:45.380 --> 53:51.350
Now this is these are certain new features, security groups, these are new features which are included

53:51.350 --> 53:54.230
in your ISC, right.

53:54.260 --> 53:56.300
If are not being used right now.

53:56.300 --> 53:58.250
But that's what Cisco is moving towards.

53:58.250 --> 53:59.410
TrustSec.

53:59.420 --> 54:07.940
Where a device, where a device can communicate to this server and make sure that they are part of the

54:07.940 --> 54:11.540
same domain and a lot of different things.

54:11.630 --> 54:14.420
It's like, for example, let's talk about a person, right?

54:15.050 --> 54:17.090
A person who's coming to a company.

54:17.090 --> 54:18.680
He has four devices with him.

54:18.680 --> 54:20.300
He has an iPad, he has an iPhone.

54:21.140 --> 54:23.840
Bring your own device based on security groups.

54:23.840 --> 54:29.390
So that user will be linked to that one profile security group.

54:30.260 --> 54:33.890
Doesn't matter which device he has, doesn't matter how many different things he has.

54:33.980 --> 54:39.200
All of those devices will be pushed down with the same policies based on his security groups.

54:41.090 --> 54:42.920
So his laptop will have the same policy.

54:42.920 --> 54:44.520
His phone will have the same policy.

54:44.520 --> 54:46.190
His iPad will have the same policy.

54:46.230 --> 54:47.810
You're grouping devices together?

54:48.680 --> 54:49.880
The same concept.

54:50.000 --> 54:54.860
Not exactly the same, but somewhat close is the concept which they brought into it.

54:56.060 --> 54:58.070
Again, very new, right?

54:58.070 --> 55:02.000
Still in experimentation with all these new features.

55:02.870 --> 55:03.230
Right.

55:03.230 --> 55:06.800
But all you have to understand is this part which is important for you.

55:08.650 --> 55:11.320
Is this clear how this works?

55:12.260 --> 55:13.750
Just requires a little practice.

55:13.750 --> 55:14.140
That's it.

55:14.600 --> 55:15.030
It's new.

55:15.040 --> 55:17.620
Yes, but with a little practice, it's easy.

55:24.700 --> 55:25.200
What are you.

55:27.010 --> 55:27.370
Which.

55:27.370 --> 55:28.180
Which group part?

55:33.600 --> 55:34.380
Does it need to?

55:34.380 --> 55:36.480
The client doesn't need to know what one.

55:38.040 --> 55:39.030
The group number.

55:39.060 --> 55:41.280
Yeah, it's five.

55:41.310 --> 55:41.850
Yes.

55:41.880 --> 55:43.380
See, the thing is on the server.

55:43.410 --> 55:44.670
I got your question.

55:44.670 --> 55:49.020
You're saying that if the server does the client need to know which group should I use?

55:49.020 --> 55:49.470
This one.

55:49.950 --> 55:50.400
Is it?

55:53.340 --> 55:53.910
Yeah.

55:54.090 --> 55:55.470
Oh, you're saying the client.

55:55.470 --> 55:58.200
Can I use two, three and five like that from the client?

55:58.200 --> 56:00.570
We can, but again it'll be based on priority.

56:00.570 --> 56:03.240
So when the client goes first, he will try to do it with five.

56:04.680 --> 56:13.140
First, five will be checked against all the server's policies on the server side, and it has 2, 5, 1, say 2, 5, 1. It'll

56:13.140 --> 56:19.620
be negotiating on five, because five will go and check with all the server policies. Here we

56:19.620 --> 56:20.430
can mix and match.

56:20.580 --> 56:26.790
Yeah you can if you want to, you can, but usually you would not because that would defeat the purpose

56:26.790 --> 56:28.020
of why you're doing this.

56:28.170 --> 56:33.550
Usually one side which we know that is going to create multiple tunnels, you'll create all those policy

56:33.550 --> 56:34.810
sets on that side.

56:35.530 --> 56:37.210
It will work in any way.

56:37.270 --> 56:40.090
It will work if you if you if you do it this way, also, it will work.

56:40.870 --> 56:45.610
So if you choose 5, 2, 1 here, it will negotiate on five, because five will be matched on the other side,

56:46.590 --> 56:46.700
Right?

56:47.050 --> 56:49.300
So five will be checked with all the server policies.

56:49.300 --> 56:49.840
Does it match?

56:49.840 --> 56:51.070
Goes with the other one?

56:53.350 --> 56:53.770
Okay.

56:56.140 --> 57:01.670
That is based on crypto maps like we do based on crypto maps.

57:01.690 --> 57:05.800
Now you can apply the same thing to everything you have done until now.

57:06.610 --> 57:07.900
How do you apply it to a tunnel?

57:08.700 --> 57:10.120
I will do that after the break.

57:11.350 --> 57:12.100
The same thing.

57:12.100 --> 57:13.460
You just have to do it in a profile.

57:13.480 --> 57:14.500
I'll show you how to do that.

57:15.400 --> 57:19.240
After that, I'll create a tunnel between R1 and R4 and I'll apply the same thing here.

57:20.230 --> 57:23.560
We have another profile, which profile? IKEv2 profile.

57:24.520 --> 57:25.050
We have.

57:25.180 --> 57:27.130
I will use the same profile.

57:27.410 --> 57:27.760
Okay.

57:28.390 --> 57:31.810
It's the same exact profile and we'll create a tunnel between R1 and R3.

57:34.300 --> 57:34.600
KeyRing.

57:34.630 --> 57:35.710
I have to change.

57:36.460 --> 57:37.960
I have to bring in a new keyring.

57:38.320 --> 57:38.650
Right.

57:38.680 --> 57:39.310
Same keyring.

57:39.310 --> 57:42.530
I have to add a new pair and I have to do something else.

57:42.550 --> 57:43.000
We'll do that.

57:45.640 --> 57:46.470
Sorry, would call that.

57:49.080 --> 57:49.710
We'll do that.

57:50.370 --> 57:52.350
Let's keep it as suspense, right?

57:54.240 --> 57:55.080
Let's take a break.

57:58.160 --> 58:00.020
A club in what?

58:01.640 --> 58:02.200
Furnitureland?

58:10.340 --> 58:11.060
What is the problem?

58:11.330 --> 58:12.200
It's not working.

58:14.120 --> 58:14.330
Yeah.

58:16.970 --> 58:17.210
Yeah.

58:18.560 --> 58:19.850
The command is not taking

58:23.750 --> 58:24.170
up here.

58:24.770 --> 58:26.480
So it's a multicast.

58:26.480 --> 58:27.530
Dynamic is not working.

58:27.530 --> 58:28.610
The command is not working.

58:28.940 --> 58:29.570
Did you shut it?

58:29.600 --> 58:29.750
No.

58:29.750 --> 58:30.350
Shut the tunnel.

58:31.640 --> 58:33.320
After you do that, try this.

58:34.220 --> 58:34.490
Okay.

58:34.760 --> 58:35.180
Bring it.

58:35.180 --> 58:35.600
And then.

58:36.860 --> 58:37.280
Like this?

58:37.580 --> 58:38.390
No, it should not.

58:39.290 --> 58:39.920
Yeah, it should.

58:40.100 --> 58:43.760
Should work properly from the server side.

58:43.760 --> 58:44.120
Basically.

58:44.120 --> 58:45.740
You're then specifying remote.

58:46.550 --> 58:48.350
In this case, packets are there.

58:48.350 --> 58:49.760
Two packets are coming.

58:50.210 --> 58:50.420
Packets.

58:51.150 --> 58:52.460
But routing protocol is.

58:54.320 --> 58:54.680
Okay.

58:56.300 --> 58:58.550
Multicast is not properly properly.

58:58.550 --> 59:00.020
It's not getting the clients.

59:00.200 --> 59:00.770
It's not going.

59:02.210 --> 59:04.130
Clients or neighbor comes up from which side.

59:04.160 --> 59:06.980
Client or server gets the neighbor.

59:07.220 --> 59:13.880
So servers and multicast are not reaching the clients server, but packets are capturing the packets.

59:14.090 --> 59:14.540
Packets are.

59:15.830 --> 59:16.520
Packets are going.

59:19.790 --> 59:20.180
We'll see.

59:21.080 --> 59:21.470
We'll see.

59:21.500 --> 59:22.700
Just bring it tomorrow.

59:22.730 --> 59:24.860
Maybe we'll have a look.

59:28.220 --> 59:31.790
So what VRF is, is something related to routing, right?

59:32.810 --> 59:38.300
Is when you divide one router into two something, there is something related to the routing table,

59:38.540 --> 59:38.750
right?

59:38.750 --> 59:39.050
Yeah.

59:39.260 --> 59:40.190
Two routing table.

59:40.700 --> 59:42.410
Everything will be split into half.

59:43.430 --> 59:46.460
Router will be split into half, so one router will be two routers.

59:46.790 --> 59:47.180
Okay.

59:47.300 --> 59:49.370
So your interfaces will be split.

59:49.730 --> 59:56.780
You can only use one interface and it comes in, but you have to do it because it's important.

59:59.640 --> 1:00:07.530
So what we'll be doing is configuring a tunnel between that.

1:00:09.530 --> 1:00:16.520
Between R1 and R4, a simple tunnel between R1 and R2, SVR like we've been doing until now.

1:00:16.790 --> 1:00:20.330
Or we can do it on also does not make a difference.

1:00:20.330 --> 1:00:24.590
So tunnel between R1 and R4 should be able to cover it.

1:00:24.590 --> 1:00:28.760
First of all, let's create that to then protect it later.

1:00:31.190 --> 1:00:35.600
Tunnel zero IP address 192.168.1.1.

1:00:39.940 --> 1:00:44.050
Zero. Tunnel source f1/0, tunnel destination

1:00:44.050 --> 1:00:46.820
150.1.24.4.

1:00:46.840 --> 1:00:47.620
Simple, right?

1:00:47.980 --> 1:00:49.930
And from R4 I'll do the same.

1:00:51.580 --> 1:00:56.920
Interface tunnel zero IP address 192.168.1.4.

1:00:59.160 --> 1:00:59.860
Tunnel source.

1:00:59.880 --> 1:01:01.230
FastEthernet 1/0.

1:01:02.850 --> 1:01:06.630
Tunnel destination 153.1.2.1.

1:01:08.690 --> 1:01:09.110
Okay.

1:01:09.140 --> 1:01:13.070
Send a ping to 192.168.1.1, successful.

1:01:13.340 --> 1:01:15.140
But it's just not protected.

1:01:15.650 --> 1:01:16.490
It's open.

1:01:17.660 --> 1:01:17.890
Right.

1:01:17.900 --> 1:01:27.620
So you see that it's not protected, a simple tunnel between whom? R1 and R. So now I want to protect it.

1:01:27.620 --> 1:01:30.140
Let's try this out first.

1:01:42.060 --> 1:01:45.390
192 160 810.

1:01:49.270 --> 1:01:49.650
Okay.

1:01:51.190 --> 1:01:52.840
This is about one.

1:01:57.870 --> 1:01:58.710
This is dark.

1:02:03.040 --> 1:02:03.360
Correct.

1:02:05.080 --> 1:02:06.640
Now, how to protect it.

1:02:07.840 --> 1:02:08.620
Let's do it from our.

1:02:08.890 --> 1:02:13.640
First, the easiest one, because I have the policies already.

1:02:13.660 --> 1:02:18.440
So from here, let's say I'm using AES.

1:02:20.460 --> 1:02:24.450
Because on the server side I have configured what? AES 256.

1:02:24.840 --> 1:02:28.970
So from this side I'll configure, the other side is using 3DES.

1:02:28.980 --> 1:02:36.480
This side will use AES, let's say, group two and five.

1:02:38.520 --> 1:02:38.680
Right.

1:02:39.390 --> 1:02:39.960
Keyring.

1:02:41.060 --> 1:02:41.970
Who's the peer?

1:02:42.990 --> 1:02:43.380
R1.

1:02:43.410 --> 1:02:43.860
Correct.

1:02:44.520 --> 1:02:45.330
Pre-shared Key.

1:02:45.690 --> 1:02:46.830
Cisco or remote?

1:02:46.830 --> 1:02:47.130
Local.

1:02:47.140 --> 1:02:48.240
I could do it that way.

1:02:48.480 --> 1:02:50.040
I'll just use Cisco this time.

1:02:51.930 --> 1:02:52.860
I will not use Cisco.

1:02:52.860 --> 1:02:53.340
One, two, three.

1:02:53.340 --> 1:02:53.940
I'll use Cisco.

1:02:55.020 --> 1:02:57.390
I'll use one key authentication.

1:02:57.390 --> 1:02:59.100
Remote address is same.

1:02:59.190 --> 1:02:59.700
Pre-shared.

1:02:59.700 --> 1:03:00.450
Key Pre-shared key.

1:03:00.480 --> 1:03:00.900
Local.

1:03:00.900 --> 1:03:01.620
Everything is well.

1:03:03.500 --> 1:03:07.310
Be sure both sides are using Pre-shared key most of the time.

1:03:07.320 --> 1:03:08.070
You will do this.

1:03:08.790 --> 1:03:10.310
Remote is also using Pre-shared key.

1:03:10.320 --> 1:03:13.530
I'm also using Pre-shared key because I'm not using digital certificates.

1:03:14.550 --> 1:03:15.030
Right.

1:03:15.120 --> 1:03:16.170
Copy this.

1:03:17.280 --> 1:03:18.270
Paste it on R4.

1:03:20.630 --> 1:03:20.910
Then.

1:03:25.830 --> 1:03:26.180
Done.

1:03:26.640 --> 1:03:28.410
Then the other stuff is the same.

1:03:28.410 --> 1:03:30.600
What stuff? The transform set that you need.

1:03:30.600 --> 1:03:33.840
So just copy the transform set, paste it here.

1:03:35.190 --> 1:03:37.470
Also need a profile.

1:03:38.340 --> 1:03:38.790
No.

1:03:38.790 --> 1:03:39.330
Need an IP.

1:03:39.510 --> 1:03:39.770
No.

1:03:39.990 --> 1:03:40.250
Yeah.

1:03:40.560 --> 1:03:42.570
No need access list.

1:03:42.600 --> 1:03:43.440
Set.

1:03:43.530 --> 1:03:44.190
Transform.

1:03:44.190 --> 1:03:45.480
Set reset.

1:03:45.510 --> 1:03:48.810
Also set to profile.

1:03:52.000 --> 1:03:54.220
So earlier I used to apply this on the crypto map.

1:03:54.370 --> 1:03:58.720
Since I don't have a crypto map on an ACL anymore, I'll apply it on the profile.

1:03:58.870 --> 1:04:00.580
You do have two profiles, right?

1:04:01.210 --> 1:04:02.890
Two profiles here on R4.

1:04:02.890 --> 1:04:03.060
No.

1:04:03.100 --> 1:04:09.820
After I only have one, you have a profile I drop and that one is my profile.

1:04:09.820 --> 1:04:11.020
This is IPsec profile.

1:04:11.500 --> 1:04:12.940
That one's the IKEv2 profile.

1:04:14.050 --> 1:04:24.340
So if you check your crypto, you'll see that you have a proposal, a policy, a keyring, a profile.

1:04:24.340 --> 1:04:26.230
But this is the IKEv2 profile.

1:04:26.230 --> 1:04:30.690
So in your actual IPsec profile you call what I give.

1:04:31.930 --> 1:04:35.260
Where do you apply this interface?

1:04:35.290 --> 1:04:38.470
Tunnel Zero Tunnel Protection IPsec Profile.

1:04:38.470 --> 1:04:38.680
I.

1:04:42.200 --> 1:04:43.490
Heisterkamp is on from this end.

1:04:43.700 --> 1:04:46.460
Also need to do the same thing on R1.

1:04:46.460 --> 1:04:47.750
Now what change is on R1?

1:04:50.620 --> 1:04:51.190
R1.

1:04:52.000 --> 1:04:55.090
If this stuff doesn't change, your proposal doesn't change.

1:04:55.180 --> 1:04:59.770
You add another in the keyring, add another peer.

1:05:01.060 --> 1:05:03.730
So let's configure that part on our own.

1:05:04.540 --> 1:05:05.740
KeyRing is the same.

1:05:06.100 --> 1:05:10.270
Peer R4.

1:05:10.840 --> 1:05:12.970
The only thing is I have to check the other part.

1:05:13.000 --> 1:05:14.920
Let's do that address.

1:05:14.950 --> 1:05:18.070
151 dot 20 4.4.

1:05:19.450 --> 1:05:20.110
Pre-shared Key.

1:05:23.070 --> 1:05:24.120
No remote, no local.

1:05:24.120 --> 1:05:26.190
If you just specify one, you'll only be using one.

1:05:26.220 --> 1:05:27.840
The same for sending and receiving.

1:05:28.390 --> 1:05:37.080
Then to profile right here, I need to make sure that I'm doing the same thing.

1:05:37.590 --> 1:05:39.630
I think I might have to use a different profile.

1:05:40.810 --> 1:05:43.020
Why should... The profile should be different.

1:05:43.020 --> 1:05:43.730
But let's try.

1:05:45.240 --> 1:05:49.040
If I can specify a different match.

1:05:49.350 --> 1:05:50.340
Address has to be different.

1:05:50.340 --> 1:05:50.780
Yes.

1:05:50.790 --> 1:05:52.980
That's why I agreed to profile.

1:05:54.710 --> 1:05:55.090
I agree.

1:05:56.370 --> 1:05:57.020
I agree, too.

1:05:57.050 --> 1:05:58.160
Yes, I agree too.

1:05:58.340 --> 1:05:58.940
I agree, too.

1:05:59.540 --> 1:06:01.020
But let's just check.

1:06:01.040 --> 1:06:07.160
Yeah, it definitely has to be different because I have to apply it in the transform set.

1:06:07.160 --> 1:06:08.510
Right in the profile.

1:06:08.810 --> 1:06:11.860
So in the profile, I'm not applying the same address.

1:06:11.870 --> 1:06:13.700
Otherwise you have to get a different one.

1:06:13.920 --> 1:06:14.330
Yes.

1:06:15.920 --> 1:06:16.970
Not specifically there.

1:06:17.210 --> 1:06:17.990
Yes, exactly.

1:06:18.320 --> 1:06:23.750
So this will be iprof for R4, match identity remote address.

1:06:23.750 --> 1:06:27.080
This one I have to specify it as 24.4.

1:06:27.980 --> 1:06:28.490
Right.

1:06:28.670 --> 1:06:38.300
Then authentication remote is pre-shared, authentication local, the keyring that I'll be using is the

1:06:38.300 --> 1:06:40.760
same because the peer.

1:06:41.050 --> 1:06:43.940
The peer has been specified in the keyring.

1:06:44.270 --> 1:06:47.070
Then transform set the same.

1:06:48.020 --> 1:06:51.480
I need a crypto IPsec profile iprof.

1:06:52.060 --> 1:06:53.270
Set transform set.

1:06:53.270 --> 1:06:58.580
I'll use the same transform set. Set IKEv2 profile I to Prof.

1:06:58.610 --> 1:06:59.480
This is.

1:07:01.390 --> 1:07:06.640
Interface Tunnel Zero Tunnel Protection IPsec Profile.

1:07:06.670 --> 1:07:06.910
I.

1:07:16.440 --> 1:07:20.070
So Crypto IPsec SA Caps.

1:07:20.100 --> 1:07:20.640
It's working.

1:07:24.000 --> 1:07:25.690
Correct the marker.

1:07:25.710 --> 1:07:33.330
Also let's do router one, network 192.168.1.0 north.

1:07:34.580 --> 1:07:34.790
Look.

1:07:34.790 --> 1:07:37.520
10.0.0.0.

1:07:45.440 --> 1:07:49.850
R1, router one, network 10.0.0.0.

1:07:50.890 --> 1:07:51.950
Nortel Network.

1:07:51.950 --> 1:07:53.690
192.168.

1:07:57.770 --> 1:08:01.650
He has out Wellington.

1:08:02.930 --> 1:08:07.190
I have the route to 10.4.4.4 with a source of 10.1.

1:08:09.780 --> 1:08:10.640
You check your wireshark.

1:08:10.640 --> 1:08:17.810
This should go as ESP, but 198 because of all those added headers. How do you stop it?

1:08:17.810 --> 1:08:18.940
Transport.

1:08:19.070 --> 1:08:26.090
You can change the mode to transport or change the tunnel interface.

1:08:26.090 --> 1:08:30.980
Tunnel zero, tunnel mode IPsec IPv4 from this end.

1:08:30.980 --> 1:08:31.910
Also from the other end.

1:08:34.920 --> 1:08:35.490
Tunnel mode.

1:08:35.500 --> 1:08:36.030
IPsec.

1:08:44.340 --> 1:08:44.940
It does not.

1:08:46.380 --> 1:08:48.420
It seems the mode from the other side also.

1:09:18.780 --> 1:09:19.170
Right.

1:09:23.940 --> 1:09:24.720
Good enough.

1:09:24.870 --> 1:09:25.710
The same thing.

1:09:25.830 --> 1:09:28.920
The only thing I did was I went to the other side.

1:09:28.920 --> 1:09:29.910
I applied everything.

1:09:29.910 --> 1:09:30.510
On what?

1:09:31.380 --> 1:09:32.280
On the profile.

1:09:33.780 --> 1:09:35.220
So I copied the same thing.

1:09:35.430 --> 1:09:36.990
Then I went to crypto.

1:09:38.910 --> 1:09:41.010
IPsec profile at it.

1:09:44.440 --> 1:09:44.800
Set.

1:09:46.000 --> 1:09:46.540
Transform.

1:09:46.540 --> 1:09:47.200
Set.

1:09:47.440 --> 1:09:47.950
Set.

1:09:48.580 --> 1:09:49.420
Set.

1:09:49.960 --> 1:09:52.420
IKEv2 profile.

1:09:53.380 --> 1:09:54.080
IKEv2.

1:09:54.160 --> 1:09:54.580
From.

1:09:57.940 --> 1:09:58.690
That's all.

1:09:59.300 --> 1:10:06.120
And then you go to your interface Tunnel Zero Tunnel Protection, IPsec Profile High.

1:10:09.400 --> 1:10:10.270
As simple as that.

1:10:11.650 --> 1:10:18.730
So earlier, in a normal crypto map, you would apply the set IKEv2 profile under the crypto map, right?

1:10:18.730 --> 1:10:19.390
In a tunnel.

1:10:19.810 --> 1:10:23.110
You just apply it wherever you want to and then do the protection.

1:10:23.110 --> 1:10:26.590
So if you want to have a look at the whole thing, it's.

1:10:28.030 --> 1:10:28.960
It's this.

1:10:42.670 --> 1:10:43.510
For the profile.

1:10:43.510 --> 1:10:44.590
This is what it is.

1:11:07.200 --> 1:11:07.650
That's it.

1:11:10.720 --> 1:11:12.250
That's how you protect a tunnel.

1:11:14.290 --> 1:11:16.090
First, your policy is all here.

1:11:16.420 --> 1:11:17.970
After that, you already know this part.

1:11:19.300 --> 1:11:20.930
The policies are not the policies anymore.

1:11:20.950 --> 1:11:25.900
You have to be careful about the pre-shared key, the authentication, remote and local, and the key

1:11:25.900 --> 1:11:26.500
that you are using.

1:11:26.650 --> 1:11:27.010
That's it.

1:11:28.120 --> 1:11:30.760
Once you're done with that, well and good.

1:11:32.590 --> 1:11:33.070
Okay.

1:11:33.100 --> 1:11:39.520
Another thing which I want to show you before we break off is, if you go to your crypto IKEv2 keyring,

1:11:41.110 --> 1:11:44.380
you specify, let's say, R1 in the peer.

1:11:45.220 --> 1:11:48.070
You have pre-shared key, right?

1:11:48.100 --> 1:11:56.290
You can also specify an identity address here which address should be used because sometimes you might,

1:11:56.650 --> 1:12:04.270
sometimes there is a possibility where you might have VRF running, virtual router forwarding running.

1:12:04.420 --> 1:12:06.010
That is where you use a keyring.

1:12:07.330 --> 1:12:08.980
That is where you use this address.

1:12:08.980 --> 1:12:11.410
Identity address, identity, local address.

1:12:13.210 --> 1:12:13.500
Right.

1:12:13.510 --> 1:12:16.060
We'll talk more about VRF later.

1:12:16.060 --> 1:12:17.140
We'll see how that is done.

1:12:18.460 --> 1:12:18.820
Right.

1:12:18.820 --> 1:12:25.660
There'll be a full document on it, a full lab on VRFs and how to apply VPNs.

1:12:25.660 --> 1:12:34.520
When you have VRFs running on a router, VRF is nothing, but you break down one router, just an overview,

1:12:34.550 --> 1:12:36.440
you break down one router into two.

1:12:39.100 --> 1:12:39.460
Right.

1:12:39.460 --> 1:12:44.620
So the problem with that is when you break down a router into two, this will be one router, this will

1:12:44.620 --> 1:12:45.310
be another router.

1:12:45.310 --> 1:12:47.410
One interface can only be part of one router.

1:12:49.120 --> 1:12:52.120
We call it a virtual routing router forwarding.

1:12:52.930 --> 1:12:58.090
So if you use this, if you put this interface as a part of this router, this router will not be able

1:12:58.090 --> 1:13:05.200
to use the interface f1/0 anymore unless you subinterface it and one subinterface you make part of this

1:13:05.200 --> 1:13:08.860
guy, the other one part of this guy at that time.

1:13:08.860 --> 1:13:14.050
When you run VPN you will not be running it with the router, will be running it with this instance

1:13:15.010 --> 1:13:17.140
between this and this router.

1:13:17.650 --> 1:13:21.080
So your tunnel will be like that at that time you'll use this.

1:13:21.100 --> 1:13:22.090
Just keep this in mind.

1:13:22.090 --> 1:13:23.680
So later we know how to apply.

1:13:25.880 --> 1:13:26.300
Clear.

1:13:29.130 --> 1:13:30.750
That is your too.

1:13:32.010 --> 1:13:37.320
Also, some people might call it flex, but it's not really flex.

1:13:37.710 --> 1:13:41.240
It's just like a normal site-to-site tunnel using IKEv2.

1:13:41.280 --> 1:13:47.640
Then you have other instances in it where you can do server client server client model, just like your

1:13:47.850 --> 1:13:48.270
VPN.

1:13:48.600 --> 1:13:53.910
You can do hub and spoke and you can use site to site.

1:13:55.560 --> 1:13:59.190
Those three are different modifications which are known as Flex.

1:14:00.210 --> 1:14:01.250
Why flex?

1:14:01.260 --> 1:14:06.420
Because earlier, until now, which you saw, if you remember, site to site, and you compare site to site

1:14:06.420 --> 1:14:11.740
to DMVPN, both are completely different in configurations.

1:14:11.760 --> 1:14:14.940
If you remember, in all those different things happening.

1:14:14.940 --> 1:14:15.390
Right.

1:14:15.720 --> 1:14:19.530
And then you compare that to remote access VPN, imagine the difference.

1:14:20.760 --> 1:14:22.980
Remote access is entirely a different ballgame.

1:14:23.280 --> 1:14:28.900
What they have done with Flex VPN is a similar configuration for all three.

1:14:29.650 --> 1:14:33.790
So when you're going from hub and spoke to server client, you don't have to change

1:14:33.790 --> 1:14:34.350
much.

1:14:34.360 --> 1:14:35.860
Just 3 or 4 commands here.

1:14:35.860 --> 1:14:36.430
Change done.

1:14:39.490 --> 1:14:40.720
That's why it's called flexible.

1:14:44.330 --> 1:14:45.620
Tomorrow we'll do our.
