WEBVTT

00:01.200 --> 00:04.260
IPsec site-to-site VPN on the ASA.

00:05.880 --> 00:06.330
All right.

00:06.330 --> 00:08.100
So it's going to be like this.

00:08.550 --> 00:13.530
I have one side which is connected to the Internet just like the other side is.

00:14.250 --> 00:15.570
But this side is connected.

00:15.570 --> 00:16.170
Via what?

00:16.890 --> 00:17.490
A firewall.

00:17.640 --> 00:19.320
So the edge device on.

00:20.260 --> 00:20.660
Side.

00:20.710 --> 00:21.910
A let's say this is side A.

00:24.780 --> 00:28.020
The device is not a router, but a firewall.

00:32.540 --> 00:36.110
On the other side we have a router.

00:36.590 --> 00:39.230
So we'll see the significant differences between the two.

00:42.690 --> 00:43.050
Okay.

00:45.570 --> 00:45.960
Correct.

00:45.990 --> 00:47.520
First of all, let's configure the PIX.

00:47.520 --> 00:48.990
I've configured everything else.

00:48.990 --> 00:50.640
I just need to configure the PIX.

00:50.670 --> 00:52.800
Let's see, what interfaces do I have?

00:52.830 --> 00:54.930
E2 and E3. Now, PIX,

00:54.960 --> 00:57.270
ASA is the same in this case.

00:58.220 --> 00:59.330
Conf t, interface.

00:59.330 --> 01:03.980
Ethernet 2 is the one pointing towards R2, pointing towards the internet.

01:04.550 --> 01:09.290
IP address, or let's say nameif, since this is the outside interface.

01:09.560 --> 01:10.940
Security will be zero.

01:11.030 --> 01:13.880
IP address 151 point 20.10.

01:15.560 --> 01:21.680
No shut, and route, a default route pointing towards 20.2, the Internet.

01:22.160 --> 01:23.330
Let's see if it's working.

01:24.170 --> 01:25.160
I can go here.

01:25.190 --> 01:27.500
Can I go to 151 .15.1?

01:30.990 --> 01:34.990
You go to 12.1, which one is 12.1? R1.

01:36.770 --> 01:39.080
So PIX and R1 can communicate to each other.

01:39.080 --> 01:45.020
I also need to make sure R3 can communicate to the PIX because my tunnel is going to be from 3 to 10.1

01:45.290 --> 01:46.970
from 10.3 to 10.1.

01:47.960 --> 01:48.440
Correct.

01:48.710 --> 01:50.480
Let's go to the PIX, to the other interface.

01:50.870 --> 01:56.030
Ethernet 3, nameif inside, security is 100.

01:56.300 --> 01:58.280
IP address is ten three 310.

02:00.230 --> 02:00.410
And.

02:00.410 --> 02:00.590
No.

02:02.510 --> 02:02.810
Think.

02:02.810 --> 02:03.920
Ten, three, three, three.

02:06.370 --> 02:07.900
I can communicate to R3 also.

02:08.770 --> 02:09.000
Right.

02:09.040 --> 02:14.260
R3 has a default route pointing towards the firewall, so the firewall has a default route pointing

02:14.260 --> 02:15.220
towards the internet.

02:15.310 --> 02:17.920
R1 has a default route pointing towards the internet.

02:18.310 --> 02:20.740
Now, same concept.

02:20.770 --> 02:21.640
Nothing changes.

02:21.670 --> 02:22.540
Same, same.

02:22.540 --> 02:24.520
ISAKMP, same, same IP.

02:25.120 --> 02:27.430
It's just that the implementation is a little different.

02:27.910 --> 02:30.330
I might have some of the configs from before.

02:30.340 --> 02:30.640
Right.

02:31.380 --> 02:32.130
Let's see.

02:32.250 --> 02:32.940
Let me just remove.

02:39.480 --> 02:39.810
Sorry.

02:41.980 --> 02:44.230
Between will be one end of the tunnel.

02:44.260 --> 02:45.700
The other end will be R1.

02:45.820 --> 02:49.360
Until now, what we've seen is what R1 and R1, R1 and R2.

02:49.390 --> 02:51.730
So router to router, IOS to IOS.

02:51.760 --> 02:57.850
Now we are doing it from ASA to IOS. One end is the ASA. You can do ASA and ASA also if you want

02:57.850 --> 02:58.120
to.

02:58.120 --> 03:01.630
But I just want to show you that it's just the implementation.

03:01.840 --> 03:02.980
The concept is the same.

03:02.980 --> 03:04.450
The packet exchange is the same.

03:08.280 --> 03:13.220
Step one on the router: crypto isakmp policy 10.

03:14.750 --> 03:15.320
Encryption.

03:15.320 --> 03:15.980
3DES.

03:16.910 --> 03:17.630
Authentication.

03:17.630 --> 03:18.110
Pre-share.

03:19.950 --> 03:21.270
Hash MD5.

03:25.510 --> 03:25.960
Crypto.

03:27.180 --> 03:32.760
ISAKMP key cisco address 151 2010.

03:35.270 --> 03:37.010
Crypto IPsec.

03:38.630 --> 03:39.320
Transform.

03:40.520 --> 03:41.020
Set.

03:41.340 --> 03:41.630
Set.

03:42.790 --> 03:46.060
ESP 3DES, ESP MD5.

03:49.100 --> 03:50.030
Access list.

03:51.660 --> 03:57.480
Permit IP from ten one one 0 to 10 330.

03:59.800 --> 04:01.090
Crypto map.

04:01.280 --> 04:04.160
Map 10, IPsec ISAKMP.

04:05.180 --> 04:05.870
Set peer.

04:07.070 --> 04:13.280
One 51.20 ten Match Address 101 Set.

04:14.300 --> 04:16.130
Transform set to set.

04:17.070 --> 04:21.720
Interface for 00000.

04:22.960 --> 04:24.070
Crypto map?

04:24.790 --> 04:25.180
Correct.

04:30.640 --> 04:31.360
I'll paste it on.

04:32.820 --> 04:33.510
France.

04:34.740 --> 04:35.760
From ESP.

04:41.640 --> 04:42.120
Correct.

04:42.720 --> 04:44.430
Show run section.

04:48.170 --> 04:50.240
Let's see how to do the same thing on the.

04:52.040 --> 04:52.880
Same thing on this.

04:52.910 --> 04:54.170
Let's go to the first.

04:54.170 --> 04:55.190
Now, this is 8.2.

04:55.220 --> 04:57.170
There is a difference between 8.2 and 8.4.

04:58.960 --> 05:02.650
Let's do 8.2. Crypto isakmp policy 10.

05:02.680 --> 05:06.850
Same. It requires an activation key, licensing.

05:08.240 --> 05:09.440
Check your version right now.

05:09.890 --> 05:11.330
VPN is not supported.

05:13.810 --> 05:14.890
What do you need to do?

05:30.150 --> 05:30.440
Yeah.

05:32.390 --> 05:32.550
To.

05:34.580 --> 05:38.030
8.4.6.4 comes with the license.

05:39.760 --> 05:40.780
Save and restart.

05:51.490 --> 05:52.230
We'll take a little while.

05:52.240 --> 05:53.440
It doesn't restart by itself.

05:53.920 --> 05:57.250
You have to manually go and shut it down and bring it back.

05:58.320 --> 05:58.880
With the command.

05:58.890 --> 05:59.430
It doesn't work.

06:00.120 --> 06:01.590
Routers do, but this guy doesn't.

06:03.200 --> 06:03.620
Fix.

06:07.750 --> 06:08.530
I saved it, right?

06:08.530 --> 06:08.860
Yes.

06:12.200 --> 06:13.220
Running for this anymore.

06:18.320 --> 06:18.950
Enabled.

06:21.280 --> 06:22.030
Show version.

06:24.110 --> 06:25.130
VPN is enabled.

06:25.910 --> 06:28.220
So crypto isakmp policy.

06:29.340 --> 06:34.500
Encryption again, same, 3DES. Authentication,

06:36.070 --> 06:36.520
Pre-share.

06:38.140 --> 06:38.800
Hash.

06:39.220 --> 06:42.670
Hash is what? MD5. Group is

06:43.800 --> 06:44.970
It also supports seven.

06:46.290 --> 06:49.930
Because again, it's newer than the IOS version which I'm using. The newer version

06:49.950 --> 06:53.390
you use, the more options you get. Done.

06:54.080 --> 06:56.390
So first step is exactly the same.

07:01.940 --> 07:03.230
Exactly the same.

07:06.790 --> 07:08.140
The difference comes in the key.

07:10.240 --> 07:16.120
Just like you saw in the VR, we specified the key as what? A key ring. Here on the firewall,

07:16.540 --> 07:22.840
The way it's done is the same process which you will see now will be there for all the corresponding

07:22.840 --> 07:23.980
VPNs after this.

07:25.390 --> 07:28.480
The key is not specified in a crypto isakmp key.

07:28.930 --> 07:30.940
Specified in something we call it a tunnel group.

07:33.430 --> 07:34.280
We call it a tunnel group.

07:34.300 --> 07:36.040
Then you give the IP address of the peer.

07:36.550 --> 07:37.030
Tunnel group.

07:37.030 --> 07:38.090
What is the address of the peer?

07:38.110 --> 07:43.690
151 dot 12 dot one. And then you specify what type of a tunnel is this?

07:44.290 --> 07:45.580
Is this an IPsec?

07:45.580 --> 07:47.400
L2L? RA is not used anymore.

07:47.410 --> 07:49.390
It's either L2L or remote access.

07:51.590 --> 07:54.110
This one is what? L2L means site-to-site, right?

07:54.140 --> 07:54.800
LAN to LAN.

07:55.070 --> 07:58.790
So IPsec L2L. Then you do the same thing again.

07:58.820 --> 08:01.970
Tunnel group 151 .15.1. You'll get more options.

08:02.000 --> 08:03.470
General Attributes.

08:03.500 --> 08:04.640
IPsec Attributes.

08:06.810 --> 08:11.520
IPsec attributes are used for either specifying are you using RSA?

08:12.420 --> 08:15.360
If you're using RSA, you'll point to a trust point from there.

08:15.450 --> 08:21.780
Or if you're using a key, you'll specify the key where general attributes is used for other features,

08:21.780 --> 08:25.920
like pushing down the pool, split tunnel and all those other things.

08:27.590 --> 08:27.830
Right.

08:27.830 --> 08:31.790
So right now, site-to-site, I don't have any pool or anything.

08:31.790 --> 08:33.170
No, no complications.

08:33.170 --> 08:35.120
So I'll just do IPsec attributes.

08:35.120 --> 08:39.440
And here you have either a trust point, you either point to a trust point or.

08:41.960 --> 08:42.410
Pre-shared

08:43.130 --> 08:45.440
key, and you specify the key, let's say.

08:47.430 --> 08:48.240
That is the difference.

08:48.240 --> 08:49.290
The big difference between the two.

08:49.320 --> 08:49.860
That's all.

08:50.490 --> 08:57.750
The other step, IPsec transform set, key set, ESP 3DES, ESP MD5. Exact same.

08:59.500 --> 09:04.000
Access list permit IP going from ten.

09:05.500 --> 09:06.860
330.

09:06.880 --> 09:10.750
Now, since this is an ASA, you don't use zero dot, you don't use wildcard mask.

09:10.780 --> 09:13.870
You use subnet mask going to ten 110.

09:16.310 --> 09:16.790
That's it.

09:16.820 --> 09:18.350
The last step is different.

09:19.460 --> 09:22.040
Now, the way I explain it is this way.

09:22.400 --> 09:23.210
So.

09:25.790 --> 09:25.960
History.

09:26.130 --> 09:27.180
I'll just copy this.

09:47.210 --> 09:47.590
Right.

09:49.060 --> 09:50.050
Remember this?

09:51.510 --> 10:00.570
When you give an access list 101 or let's say 100 and you say permit IP from any to host ten 111, just

10:00.570 --> 10:03.390
an example access list 100.

10:03.630 --> 10:06.090
If you have to add another nine, you would do something like this.

10:09.070 --> 10:09.450
Right.

10:09.490 --> 10:11.740
If you're using standard ACL, how will you do it?

10:12.010 --> 10:15.520
IP access list extended.

10:16.830 --> 10:17.610
The 300.

10:18.400 --> 10:23.440
Then use permit IP any to host ten 111.

10:24.440 --> 10:24.920
Permit.

10:26.190 --> 10:29.760
IP from any to host ten two two two. Correct?

10:30.180 --> 10:31.800
You'll go into the sub configuration mode.

10:32.700 --> 10:35.610
That is the same differences between the PIX and the file.

10:35.700 --> 10:40.500
Sorry, between the PIX and the IOS. On the IOS, when you see a crypto map,

10:42.360 --> 10:44.850
The crypto map is in a sub configuration mode.

10:46.710 --> 10:50.100
So you do the crypto map once, then you specify everything under the sub config.

10:52.090 --> 10:52.780
On the ASA,

10:52.780 --> 10:53.500
it's opposite.

10:53.530 --> 10:55.150
There is no sub configuration mode.

10:55.150 --> 10:58.690
So you have to add these commands to the crypto map every time you configure it.

10:59.860 --> 11:00.460
How?

11:01.300 --> 11:02.440
Crypto map.

11:02.650 --> 11:03.010
Map.

11:05.180 --> 11:05.460
Correct.

11:05.810 --> 11:10.490
You specify the sequence number, then all the options which you have are used here.

11:11.770 --> 11:12.370
Set.

11:12.520 --> 11:13.230
Transform.

11:13.240 --> 11:13.750
Set.

11:13.990 --> 11:14.680
D set.

11:15.100 --> 11:19.960
Same: crypto map imap 10, match address 101.

11:22.960 --> 11:23.220
Right.

11:23.230 --> 11:24.160
What else do I have?

11:26.450 --> 11:27.630
Papier mache.

11:28.040 --> 11:30.620
I did appear so set.

11:31.750 --> 11:32.080
Peer.

11:32.710 --> 11:39.850
151 .15.1 Same three commands which you use there, but there you use it under the sub config mode.

11:39.880 --> 11:42.110
Here you use it with the crypto map.

11:44.240 --> 11:47.030
Also, the way you apply it to the interface is different.

11:47.060 --> 11:47.640
There you go.

11:47.660 --> 11:49.400
Under the interface and you apply here.

11:49.400 --> 11:51.800
Even in access group, you say, How do you apply an access group?

11:52.010 --> 11:55.490
Access group in interface outside right from the global config.

11:55.790 --> 11:57.410
Same thing for crypto map.

11:57.440 --> 12:02.090
You say crypto map i map and you specify the interface interface.

12:02.390 --> 12:03.410
Check this out.

12:03.530 --> 12:05.090
If I use outside right.

12:05.570 --> 12:12.590
Usually until now, whenever you have used the firewall you never saw or use this or think thought of

12:12.770 --> 12:14.150
this as a case sensitive command.

12:14.150 --> 12:14.510
Right.

12:14.540 --> 12:17.930
If I do this, he tells me that outside does not exist.

12:20.060 --> 12:23.240
It's just that whoever created this made this case sensitive.

12:27.050 --> 12:30.530
Most of the times you will not need the case sensitive part of it, but here you use it.

12:30.680 --> 12:31.430
It has to be.

12:31.430 --> 12:33.680
Otherwise it will tell you that it does not find that interface.

12:33.950 --> 12:35.990
Make sure that you keep that in mind.

12:37.540 --> 12:37.920
Correct.

12:37.930 --> 12:38.870
Everything is good.

12:38.890 --> 12:40.240
I have applied it to the interface.

12:40.240 --> 12:41.170
I have an access list.

12:41.410 --> 12:42.670
All well and good.

12:42.700 --> 12:46.120
The only one problem right now is what?

12:48.700 --> 12:49.360
Not out to him.

12:49.810 --> 12:56.530
Remember I told you by default to traffic to a firewall is blocked for everything except for which protocol?

12:57.550 --> 12:58.060
ICMP.

13:00.100 --> 13:01.810
This is also going to be to traffic.

13:03.930 --> 13:05.880
It's going to be ISAKMP to traffic, control

13:05.880 --> 13:06.750
plane traffic.

13:08.040 --> 13:08.520
Correct.

13:08.730 --> 13:10.980
It's going to come to you, negotiate with you.

13:10.980 --> 13:12.240
So you have to enable it.

13:12.240 --> 13:14.340
Just like how do you enable ICMP?

13:14.370 --> 13:15.180
You say ICMP.

13:16.550 --> 13:19.650
Permit any on the outside interface.

13:19.670 --> 13:22.130
Here, the way you do it is crypto.

13:22.170 --> 13:24.050
ISAKMP enable.

13:25.940 --> 13:26.240
Okay.

13:26.810 --> 13:30.440
Enable the ISAKMP on the outside interface.

13:30.990 --> 13:33.330
So I can accept ISAKMP features.

13:33.330 --> 13:34.560
Do not forget this.

13:35.510 --> 13:39.290
This is the most important thing that you have to remember when you're doing the ASA.

13:39.320 --> 13:44.750
The most important because this you tend to forget because everything else is you just copying it,

13:44.750 --> 13:45.140
right?

13:45.170 --> 13:46.730
This is the command which is extra.

13:46.880 --> 13:48.800
If you copy paste, it should be fine.

13:53.940 --> 13:54.710
So you repeat.

13:54.810 --> 13:56.490
I'm not sure how you do it here.

14:00.280 --> 14:01.560
I don't know how to check the votes here.

14:02.220 --> 14:03.390
I'm not sure if there is a command.

14:03.390 --> 14:06.210
Also also in the router, not all the router is supported.

14:08.680 --> 14:11.190
Here it's supporting traffic to the.

14:12.100 --> 14:13.120
We can compete with an.

14:13.740 --> 14:14.810
Yeah, but why?

14:16.160 --> 14:17.510
That's the way they decided it.

14:17.800 --> 14:24.140
They integrate this integrated the two control plane traffic was kept separate and data plane traffic

14:24.140 --> 14:26.750
was kept separate ACLs were for the data plane traffic.

14:26.750 --> 14:30.650
If you want to control the control plane traffic they are disabled by default.

14:30.650 --> 14:36.560
You have to enable them one by one, your Telnet, SSH, all of that traffic, you have to enable it.

14:38.590 --> 14:40.330
I lose all the control.

14:41.160 --> 14:42.300
Those are all control things.

14:43.050 --> 14:45.630
The services which you enable for it, those are control plane.

14:48.730 --> 14:49.060
Okay.

14:52.540 --> 14:56.290
Management and control can be used inter interrelated to each other.

14:56.320 --> 14:58.840
Control plane has management plane in there.

14:58.870 --> 14:59.350
Why?

14:59.380 --> 15:04.240
Because control plane will have Telnet, SSH, your ISAKMP and routing protocol

15:04.240 --> 15:09.010
Traffic out of that traffic management plane only includes the traffic which is used to manage the router

15:09.010 --> 15:11.620
which will be telnet ssh ip sctp.

15:12.510 --> 15:13.290
And SNMP.

15:14.870 --> 15:15.210
All right.

15:15.220 --> 15:20.020
So only a few protocols become management, but there are also two traffic, so come under the control.

15:22.760 --> 15:23.690
Then save.

15:23.720 --> 15:25.040
You want to see if it's working?

15:25.640 --> 15:28.280
I'll send traffic from R3.

15:31.000 --> 15:32.440
To 10.1.1.1.

15:39.180 --> 15:39.720
This capture.

15:41.940 --> 15:47.520
The commands to debug: show crypto ISAKMP SA.

15:48.880 --> 15:52.690
Initiator is active, so it's not able to negotiate the policies.

15:53.140 --> 15:56.110
So Crypto IPsec is same.

15:56.110 --> 15:57.280
Exactly the same.

15:57.310 --> 15:58.330
No difference.

16:00.020 --> 16:01.010
No, it is encrypted.

16:01.880 --> 16:02.690
It is active.

16:02.720 --> 16:04.010
No, active here means it's done.

16:04.010 --> 16:05.210
So encryption is happening.

16:05.210 --> 16:06.120
From which side?

16:06.140 --> 16:06.950
From this side.

16:07.000 --> 16:08.360
Where am I sending the traffic to?

16:08.360 --> 16:09.760
Ten .1.1.1.

16:09.770 --> 16:11.360
I don't think I have a loopback here.

16:13.500 --> 16:13.740
Yeah.

16:14.250 --> 16:15.110
Routing problem, right?

16:15.120 --> 16:19.620
Encryption is happening one way and it's not getting decrypted on the other side or the return traffic

16:19.620 --> 16:20.430
is not coming.

16:20.520 --> 16:21.240
So.

16:22.870 --> 16:25.060
Goes through show crypto.

16:26.670 --> 16:27.340
IPsec SA.

16:28.500 --> 16:29.460
Exact same thing.

16:29.460 --> 16:30.840
You will not see any difference here.

16:32.190 --> 16:33.300
Any difference here?

16:34.080 --> 16:35.190
It's exactly the same.

16:35.700 --> 16:37.380
10.3 to 10.1.

16:38.550 --> 16:38.950
Right.

16:39.000 --> 16:40.440
Your end point is the same.

16:40.440 --> 16:45.040
How many packets have been encrypted, decrypted, remote end point, local endpoint, MTU.

16:46.100 --> 16:48.880
Your ESP, you are using a LAN to LAN.

16:48.890 --> 16:50.000
Right now the mode is tunnel.

16:50.780 --> 16:51.290
Right.

16:51.290 --> 16:52.220
Same thing here.

16:52.610 --> 17:00.080
ESP total amount of time left on the tech total amount of data left on the on the data portion of it.

17:01.060 --> 17:01.450
Correct.

17:01.480 --> 17:08.590
If you go to R1, show crypto ISAKMP SA, it shows you the same. Show

17:08.590 --> 17:09.970
crypto IPsec

17:10.870 --> 17:12.190
SA will show you.

17:12.190 --> 17:14.790
The second packets are coming and going along.

17:18.260 --> 17:18.620
Okay.

17:18.650 --> 17:19.550
No difference at all.

17:22.160 --> 17:25.220
That's why I said it's easier now because you know the concept already.

17:25.220 --> 17:28.520
You know how the exchange is done if you really want to see this.

17:34.160 --> 17:38.090
What I'll do is I'll clear the tunnel from one side with ice and you clear the ice.

17:38.330 --> 17:40.190
It gets cleared from both ends.

17:42.360 --> 17:42.630
Right.

17:42.630 --> 17:47.790
So you see some informational messages going through and then I'll ping again.

17:50.670 --> 17:52.170
Your exchange is exactly the same.

17:56.040 --> 17:57.150
Same nine packets.

17:57.450 --> 17:58.500
No difference at all.

17:58.980 --> 18:00.420
Informational messages are sent.

18:00.420 --> 18:02.550
When there is something, there is a mismatch in something.

18:03.950 --> 18:08.870
Right now the mismatch comes because R2 is not supporting R1, I think is not supporting fragmentation.

18:13.870 --> 18:16.180
You just have to use this command to support fragmentation.

18:16.900 --> 18:17.290
Right.

18:17.290 --> 18:21.880
But again, compatibility is something is not matching, which will not affect the tunnel, but for

18:21.880 --> 18:24.670
their control planes or they're exchanging informational messages.

18:26.140 --> 18:27.070
Keep on doing that.

18:29.030 --> 18:29.360
Okay.

18:33.980 --> 18:34.370
Deeply.

18:36.280 --> 18:38.680
VPN group filter that's used in VPN.

18:39.680 --> 18:41.840
To control access, General.

18:43.290 --> 18:45.820
On is what we call it.

18:45.840 --> 18:47.210
For example, you want to filter.

18:47.220 --> 18:51.140
You have a split tunnel already, but you still want to apply a filter on the users who are coming in,

18:51.150 --> 18:52.770
don't want them to access everything.

18:53.070 --> 18:54.240
You can apply a group filter.

18:55.880 --> 18:56.240
Yeah.

18:57.650 --> 18:58.180
Site-to-site.

18:58.190 --> 19:00.330
I don't think we use I don't think it's important.

19:01.250 --> 19:01.670
Right.

19:02.750 --> 19:07.220
So again, the good thing about the ASA is what?

19:08.360 --> 19:11.150
There's a command called VPN setup.

19:12.450 --> 19:13.530
And you specify.

19:14.130 --> 19:15.360
What do you want to set up?

19:15.360 --> 19:17.340
A site-to-site tunnel or a remote access tunnel?

19:17.730 --> 19:18.840
I'll say site-to-site tunnel.

19:19.140 --> 19:21.030
And then you use the command steps.

19:21.210 --> 19:21.930
Check it out.

19:23.040 --> 19:24.360
It tells you exactly what to do.

19:26.430 --> 19:27.510
Tells you exactly what to do.

19:27.630 --> 19:30.360
Go to the interface, enable it, give it an IP.

19:30.390 --> 19:30.660
Go to.

19:30.900 --> 19:34.010
Now, this is this is just a demo, so don't use these addresses.

19:36.300 --> 19:37.080
Change your address.

19:37.080 --> 19:38.220
You can do that also.

19:38.250 --> 19:38.700
Right?

19:38.700 --> 19:40.290
But it shows you the whole process.

19:40.290 --> 19:43.230
So this is how you do your policy, right?

19:43.230 --> 19:45.420
It does not specify the group by default.

19:45.420 --> 19:46.920
It'll take two then.

19:48.800 --> 19:50.480
You have your transform set?

19:51.710 --> 19:52.070
Correct.

19:52.280 --> 19:52.670
Nice.

19:52.670 --> 19:57.380
Right, access list, L2L tunnel group, specify the pre-shared key.

19:59.750 --> 20:01.940
Exactly this. Reverse route

20:01.940 --> 20:07.490
also, you could set if you're giving out addresses, and enable it on the outside interface, step by step.

20:08.390 --> 20:11.240
Everyone wants this command VPN setup.

20:13.930 --> 20:14.590
Definitely.

20:15.070 --> 20:20.230
So not only show you here, I'll show you Easy VPN too, all those things.

20:20.380 --> 20:24.610
You just have to specify which ones will show you everything, what you have to do.

20:25.330 --> 20:25.570
Right.

20:25.570 --> 20:27.940
But I would recommend that you don't go through this.

20:28.900 --> 20:34.540
Use this as a disaster management when you don't remember something because you understand the concept,

20:34.540 --> 20:36.160
obviously you'll have to do it the other way.

20:36.190 --> 20:39.650
Then this is just to check. It is there on the ASA.

20:39.670 --> 20:41.270
It's not there on the IOS.

20:44.680 --> 20:49.320
Everybody good with this, site-to-site tunnels using the ASA?

20:51.510 --> 20:51.870
We also have.
