WEBVTT

00:00.520 --> 00:02.110
Starting from this, Right.

00:02.440 --> 00:03.640
So I'll go here.

00:06.000 --> 00:06.570
Interface.

00:06.580 --> 00:08.850
Gigurtu is the one which is pointing up.

00:09.310 --> 00:12.720
Nameif is inside, security level is 100.

00:12.900 --> 00:13.980
IP address is ten.

00:13.980 --> 00:14.280
11.

00:14.280 --> 00:14.580
11.

00:14.790 --> 00:15.270
Ten.

00:17.330 --> 00:19.520
No shut, just to make sure.

00:20.880 --> 00:22.710
11.1 should be able to ping it.

00:23.070 --> 00:24.390
Interface gig.

00:25.080 --> 00:27.030
We see IP.

00:28.250 --> 00:30.730
Nameif is outside, security.

00:30.740 --> 00:35.420
Zero IP Address 151 .3. ten Just like before.

00:37.820 --> 00:38.170
Except.

00:39.050 --> 00:40.250
Go outside.

00:40.350 --> 00:43.820
001 51 .33.3.

00:44.630 --> 00:48.620
Should be able to ping on 51 .34.3.

00:49.970 --> 00:50.300
Oh, yeah.

00:52.030 --> 00:52.900
This is after.

00:52.930 --> 00:53.410
Right?

00:55.460 --> 00:56.220
This is the new one?

00:56.220 --> 00:56.970
Yes.

00:58.230 --> 00:59.040
So I'll go in here.

00:59.040 --> 01:00.340
Interface zero zero.

01:00.420 --> 01:04.260
IP Address 150 .1. 30 4.4.

01:05.790 --> 01:05.970
No.

01:05.970 --> 01:06.430
Shut.

01:08.180 --> 01:09.850
Do think quantity.

01:09.850 --> 01:11.060
1.34.2.

01:14.230 --> 01:15.180
Not able to.

01:15.190 --> 01:15.460
Why?

01:15.490 --> 01:19.360
Because probably the interface which is connected to me is not correct.

01:19.360 --> 01:21.850
So this is F10, not zero zero.

01:24.360 --> 01:25.640
Default interface.

01:35.930 --> 01:38.240
34.3 should be reachable.

01:39.290 --> 01:39.920
Is reachable.

01:40.190 --> 01:42.230
Also along the same lines, I.

01:42.260 --> 01:43.910
What else do I need to do?

01:46.490 --> 01:51.920
0163.1.3. 34 dot a default route so that I can reach.

01:53.510 --> 01:55.810
Days I can reach the ASA.

01:56.410 --> 02:06.100
I'll create a loopback 10.4.4.4 and I'll create an IKEv2, IKEv2 from this guy to, do you remember the

02:06.100 --> 02:06.790
steps?

02:08.280 --> 02:09.060
Like we do.

02:11.770 --> 02:12.850
What was the first thing?

02:16.330 --> 02:16.870
Step one.

02:18.040 --> 02:20.470
Crypto IKEv2.

02:25.840 --> 02:30.940
Proposal and you call it anything from then you specify encryption.

02:31.720 --> 02:32.470
3DES.

02:33.740 --> 02:34.700
Authentication.

02:36.060 --> 02:36.670
No, not.

02:38.470 --> 02:38.970
Hash.

02:38.980 --> 02:46.170
No integrity is, let's say MD5 and group two.

02:46.210 --> 02:49.390
You could also be more dynamic with it and specify more than one policy.

02:49.390 --> 02:51.630
But I'll do that on the ASA because this is the client.

02:52.620 --> 02:53.010
Okay.

02:53.010 --> 02:55.500
Then you went to crypto.

02:56.340 --> 02:58.700
IKEv2 policy.

02:59.280 --> 03:02.640
Where you just said proposal is.

03:04.760 --> 03:04.940
Correct.

03:05.930 --> 03:06.650
What else?

03:07.020 --> 03:10.900
Crypto Ikev2 keyring.

03:11.630 --> 03:12.890
Here is it.

03:12.980 --> 03:14.210
Peer is ASA.

03:15.050 --> 03:18.680
The address is 151 .33. ten.

03:18.710 --> 03:22.040
Also along the same way you set pre shared.

03:23.600 --> 03:23.920
Key.

03:25.370 --> 03:25.940
Is.

03:29.510 --> 03:29.720
Right.

03:30.020 --> 03:35.060
Either you can say pre-shared key remote or pre-shared key local, but here I'm just going to use also

03:35.060 --> 03:39.380
you went and said crypto v2 profile.

03:40.490 --> 03:41.900
Call it IKE Prof.

03:43.410 --> 03:44.040
Match.

03:45.230 --> 03:46.130
Identity.

03:46.940 --> 03:50.120
Remote address is what?

03:50.480 --> 03:52.340
151 .33.1.

03:53.180 --> 03:54.920
Then you also said authentication.

03:57.300 --> 03:59.220
Remote is pre-shared.

04:03.110 --> 04:04.730
Authentication local is also.

04:06.700 --> 04:07.390
Getting.

04:09.770 --> 04:10.550
Locals.

04:11.580 --> 04:13.350
This was the first four steps.

04:13.350 --> 04:15.570
Everything else transforms at crypto map.

04:15.600 --> 04:17.140
The way you apply it is the same.

04:17.160 --> 04:18.930
The only difference was here.

04:20.990 --> 04:22.390
Let's check on the east side.

04:22.400 --> 04:23.900
What do I need to do on the side?

04:26.930 --> 04:27.800
I'll go to the ASA.

04:27.950 --> 04:29.140
This is actually our.

04:32.840 --> 04:35.000
I'll go to the crypto.

04:35.210 --> 04:36.800
It is again.

04:36.800 --> 04:37.730
It is IKEv2.

04:37.760 --> 04:39.380
Obviously IKEv2.

04:39.380 --> 04:40.430
But IKEv2 what?

04:40.460 --> 04:41.750
There is no proposal.

04:42.470 --> 04:44.570
Instead of having those two extra steps.

04:44.600 --> 04:48.770
Let's just put it into policy number.

04:48.770 --> 04:50.600
The policy again, just like before.

04:51.850 --> 04:53.370
And then you specify your stuff.

04:53.380 --> 04:54.250
Encryption.

04:54.970 --> 04:55.590
3DES.

04:55.600 --> 04:57.760
You could also specify AES as a backup.

04:59.200 --> 05:00.280
Integrity.

05:06.380 --> 05:06.920
Integrity.

05:08.780 --> 05:09.130
Degree.

05:09.590 --> 05:13.790
So you specify MD5 and SHA as the backup group.

05:13.820 --> 05:16.730
215.

05:20.050 --> 05:20.620
As a backup.

05:20.680 --> 05:24.250
Also for the newer versions have newer variations.

05:25.030 --> 05:25.390
Right.

05:25.440 --> 05:28.960
There's also one more thing that you have to take care about here.

05:28.990 --> 05:30.460
It's called pseudo random function.

05:31.530 --> 05:41.040
In IKEv2 pseudo random function is used for adding extra security to the exchange, right, but it has to

05:41.040 --> 05:43.770
match your integrity.

05:44.100 --> 05:46.380
Whatever integrity you choose by default, it's.

05:46.620 --> 05:47.660
So this is also SHA.

05:47.700 --> 05:50.850
But now I changed my integrity to what MD5.

05:50.880 --> 05:53.010
I need to change my PRF also to.

05:57.020 --> 05:58.010
Pseudorandom function.

05:59.300 --> 06:02.690
Right policy is the same.

06:02.870 --> 06:04.340
What else was the next part?

06:05.960 --> 06:08.960
How do you think will be the I'll specify the key ring here.

06:08.960 --> 06:09.920
Can you guess?

06:17.100 --> 06:17.910
Tunnel group, right?

06:18.000 --> 06:21.000
150.1.34.4.

06:21.240 --> 06:23.280
Type IPsec L2L.

06:24.270 --> 06:25.050
Tunnel Group again.

06:25.050 --> 06:27.230
150.1.34.4.

06:27.240 --> 06:28.830
Which attributes do I need?

06:29.850 --> 06:33.300
IPsec Attributes in the IPsec attributes.

06:33.300 --> 06:35.400
I have certain things, but I configure what part.

06:36.690 --> 06:38.370
It's not IKEv1, it's IKE.

06:39.830 --> 06:43.100
Then you specify local authentication is pre-shared.

06:43.100 --> 06:44.960
And the key also you specify here.

06:47.950 --> 06:50.230
Remote authentication is.

06:53.680 --> 06:53.920
What?

06:55.840 --> 07:01.660
IKEv2 remote authentication is also pre-shared key, and the key is.

07:02.890 --> 07:07.360
So local and remote is both things you specify together.

07:07.750 --> 07:08.560
That's it.

07:09.010 --> 07:10.210
That's all you do here.

07:10.330 --> 07:12.490
So your authentication type is also specified.

07:12.490 --> 07:14.410
Your authentication key is also specified.

07:15.980 --> 07:18.590
Tunnel group with the address is also specified.

07:18.620 --> 07:22.510
Then the normal stuff crypto IPsec used to have a transform set.

07:22.520 --> 07:22.910
Right.

07:22.910 --> 07:24.560
There is no transform set anymore.

07:26.290 --> 07:30.640
It's called Ikev2 IPsec proposal.

07:31.870 --> 07:32.890
The name is changed.

07:37.510 --> 07:39.550
Everyone else know everyone was normal.

07:40.450 --> 07:40.720
Hi.

07:40.730 --> 07:41.800
Everyone were here?

07:41.980 --> 07:42.220
No.

07:43.000 --> 07:43.960
On 8.4.

07:43.960 --> 07:44.650
It's like that.

07:44.770 --> 07:45.270
8.4.

07:45.280 --> 07:46.270
We didn't do it yet.

07:46.570 --> 07:47.800
We have to do it after this.

07:48.920 --> 07:49.930
We do proposal, right?

07:49.930 --> 07:50.620
Call it anything.

07:50.620 --> 07:51.550
I'll call it T set.

07:52.810 --> 07:54.970
Then you specify the protocol.

07:54.970 --> 07:57.070
It's a little different than IPsec transform set.

07:57.460 --> 07:58.840
You specify the protocol.

07:58.870 --> 08:05.140
Obviously you only use one protocol which is ESP. AH is not there. Encryption.

08:05.140 --> 08:05.380
What?

08:05.500 --> 08:07.240
What method are you using for encryption?

08:07.240 --> 08:15.640
3DES. You can specify more than one. Protocol ESP also for authentication or integrity.

08:15.850 --> 08:17.470
What are you using for integrity?

08:17.920 --> 08:19.960
MD5, as a backup SHA.

08:22.570 --> 08:22.900
Correct.

08:24.160 --> 08:25.330
Specify both of them.

08:26.110 --> 08:28.030
Then I have my transform set.

08:28.060 --> 08:29.200
What else do I require?

08:29.680 --> 08:41.380
Access list 101 permit IP from 10.11.11.0 255.255.255.0 going to 10.4.4.0.

08:44.290 --> 08:47.100
So I have my transform set, which is the proposal.

08:47.110 --> 08:51.220
I have my access list, I have my peer, I have my I have two properties.

08:51.250 --> 08:56.230
The last thing that I would require is what crypto map.

08:56.800 --> 08:57.460
I map.

08:58.580 --> 09:00.730
Then again, this is IPsec.

09:01.190 --> 09:01.580
No need.

09:01.940 --> 09:03.020
I have set.

09:03.900 --> 09:05.940
Not transform set, but.

09:06.680 --> 09:08.510
Ikev2 IPsec proposal.

09:10.920 --> 09:15.420
Crypto map I mapped and set here will be the same.

09:15.420 --> 09:17.640
150.1.34.4.

09:18.060 --> 09:29.340
Crypto map i map ten match address will be the same crypto map i map interface outside crypto ikev2

09:29.790 --> 09:31.800
enable outside not.

09:31.830 --> 09:34.050
I enable outside ikev2.

09:34.050 --> 09:34.710
Enable outside.

09:38.550 --> 09:38.880
Okay.

09:40.680 --> 09:42.280
Let me do this on the notepad quickly.

09:45.320 --> 09:46.340
So I do all of that.

09:46.340 --> 09:49.400
I do the I do the proposal after the proposal is what?

09:50.060 --> 09:59.360
Tunnel group 150.1.34.4 type IPsec L2. And then again the same thing.

09:59.360 --> 10:01.100
But which properties?

10:02.870 --> 10:03.530
IPsec.

10:04.320 --> 10:05.220
Properties.

10:07.570 --> 10:16.540
What properties are likely to local authentication is pre-shared and the key is.

10:18.410 --> 10:19.610
Similarly for.

10:21.260 --> 10:22.250
Remote authentication.

10:22.640 --> 10:24.140
So you're doing two things.

10:24.170 --> 10:25.910
You're killing two birds with one stone.

10:26.390 --> 10:28.640
You're saying my authentication type is pre-shared.

10:28.670 --> 10:30.200
You're also specifying the key.

10:30.260 --> 10:32.150
So pre-shared key, remote and local is also.

10:33.800 --> 10:34.130
Right.

10:34.280 --> 10:34.850
Done.

10:35.060 --> 10:36.200
What else did I do?

10:36.890 --> 10:40.940
Crypto IPsec not transform set, but it's called IP to.

10:41.960 --> 10:42.450
Proposal.

10:45.190 --> 10:45.580
Episode.

10:49.090 --> 10:50.770
I called it what he said.

10:51.010 --> 10:58.390
Then you go into the sub configuration mode and you say protocol is ESP encryption.

10:59.110 --> 11:02.170
Then I'm going to be using is 3DES.

11:03.440 --> 11:04.160
Protocol.

11:04.200 --> 11:09.250
ESP integrity that I'm going to be using is EMD.

11:11.360 --> 11:12.290
Access list.

11:16.980 --> 11:21.720
101 permit IP coming from 10.11.11.0.

11:22.990 --> 11:24.490
1210 440.

11:26.960 --> 11:28.010
Texas is also set.

11:28.340 --> 11:31.700
Then the final one is crypto map.

11:31.950 --> 11:37.730
Map then set here on 51 .34.4.

11:39.050 --> 11:40.220
Crypto Map.

11:40.430 --> 11:41.990
Map ten set.

11:42.620 --> 11:43.430
Match.

11:44.500 --> 11:47.860
Address 101 Crypto map.

11:48.070 --> 11:57.520
Map ten set not transform set Ikev2 IPsec proposal to.

11:58.480 --> 11:59.800
He said finally.

11:59.800 --> 12:00.250
Crypto.

12:02.510 --> 12:03.560
Interface.

12:07.090 --> 12:07.540
Outside.

12:07.540 --> 12:08.800
And finally, crypto.

12:10.950 --> 12:12.690
IKEv2.

12:13.340 --> 12:13.970
Enable.

12:16.200 --> 12:16.830
And the outside.

12:18.920 --> 12:20.380
This is from the side.

12:20.900 --> 12:23.780
I didn't configure my other side yet.

12:24.530 --> 12:25.670
I still have to do that.

12:29.840 --> 12:31.100
I still have to do this part.

12:31.100 --> 12:36.800
So let me just first copy this to R4.

12:42.700 --> 12:49.780
Okay then crypto IPsec transform set key set ESP 3DES ESP MD5.

12:51.890 --> 12:55.790
Access list 101 permit IP going from 10.4.4.0.

12:58.110 --> 12:59.160
Going to ten, 11.

12:59.160 --> 12:59.860
11, zero.

13:02.140 --> 13:03.300
Crypto map.

13:03.530 --> 13:03.890
Map.

13:05.900 --> 13:15.230
IPsec ISAKMP. Set peer 151 .3. ten. Match address 101.

13:16.750 --> 13:17.160
Right.

13:17.380 --> 13:18.160
What else?

13:22.660 --> 13:23.110
That.

13:24.220 --> 13:29.680
Transform setting apply to the interface interface.

13:31.160 --> 13:32.230
I say one zero.

13:33.910 --> 13:34.840
Crypto map.

13:38.230 --> 13:39.370
Both sides are done right?

13:41.770 --> 13:44.080
If you enable Wireshark so we can see the exchange.

13:57.750 --> 13:57.980
Ten.

13:58.020 --> 13:58.290
Ten.

13:58.290 --> 13:58.560
11.

13:58.560 --> 13:59.370
11.1.

13:59.370 --> 14:00.450
Source ten four.

14:06.640 --> 14:07.120
Very good.

14:09.360 --> 14:11.730
So crypto to.

14:12.890 --> 14:13.220
I see.

14:14.030 --> 14:14.960
Nothing is formed.

14:15.140 --> 14:16.850
Let's check from R to R for.

14:18.510 --> 14:19.200
So I beat out.

14:23.070 --> 14:23.820
And food is here.

14:23.820 --> 14:24.830
I have a default route.

14:24.840 --> 14:29.130
Can I ping 150 .1. 40.

14:29.370 --> 14:30.450
30 dot ten.

14:31.340 --> 14:33.920
Again showed on section crypto.

14:34.670 --> 14:36.590
Let's check if everything is all right here.

14:38.610 --> 14:39.890
Proposal three.

14:40.350 --> 14:43.730
Five Group two policy is prop keyring.

14:43.770 --> 14:44.820
Peer is ASA.

14:45.300 --> 14:47.520
The Pre-shared key is Cisco.

14:47.880 --> 14:50.100
Then I have remote authentication.

14:50.100 --> 14:50.550
Pre-shared.

14:50.550 --> 14:53.220
Pre-shared keyring is which is correct.

14:53.550 --> 14:54.300
Mode is tunnel.

14:54.300 --> 14:54.960
That is okay.

14:54.990 --> 14:59.040
My peer is 30.10 from here is okay, let's do one thing.

15:00.090 --> 15:02.670
Let's go here and try here.

15:02.700 --> 15:03.120
ASA.

15:04.200 --> 15:10.200
I'll say Pre-shared key local Cisco because from that side I'm also doing the same key, right?

15:12.280 --> 15:13.270
I'm not using.

15:13.690 --> 15:16.000
I'm using one for remote and one for local.

15:16.000 --> 15:23.080
So I'll say the local pre-shared key remote should not make a difference, but just to try.

15:27.840 --> 15:28.440
Ten, ten.

15:28.440 --> 15:28.710
11.

15:28.710 --> 15:29.640
11.1.

15:29.820 --> 15:30.780
So stands for.

15:33.750 --> 15:35.520
In the meantime, I should also have.

15:37.370 --> 15:39.290
So the packet is not leaving R4.

15:41.590 --> 15:43.180
Problem would be in the access list here.

15:48.230 --> 15:49.220
In the crypto map.

15:49.820 --> 15:50.480
Oh yeah.

15:51.380 --> 15:54.260
How did I forget that Crypto map?

15:54.290 --> 15:56.250
iMap and IPsec Isakmp.

15:56.270 --> 15:57.110
I forgot to attach.

15:57.150 --> 15:59.750
What set it to profile.

16:00.740 --> 16:01.430
Which was Ike.

16:02.790 --> 16:03.030
Correct?

16:03.420 --> 16:03.800
Correct.

16:05.840 --> 16:06.890
This is okay right here.

16:06.920 --> 16:10.160
Matches are happening, so now should be okay.

16:12.730 --> 16:16.980
Goes to show crypto have to say.

16:18.950 --> 16:20.800
I have negotiated on MD5.

16:21.230 --> 16:22.970
I've negotiated on 3DES.

16:23.120 --> 16:23.900
Right.

16:24.350 --> 16:29.850
I'm using from both sides and I have 86,400 seconds just to check.

16:29.870 --> 16:31.790
I'll go back and change this.

16:33.050 --> 16:35.960
So we ensure that this does not make a difference.

16:38.040 --> 16:38.460
Crypto.

16:40.230 --> 16:42.290
IKEv2 keyring here.

16:42.850 --> 16:47.270
Here any I say no Pre-shared key local.

16:48.570 --> 16:49.020
Cisco.

16:50.440 --> 16:51.580
No remote.

16:51.990 --> 16:53.970
Cisco only Pre-shared key.

16:55.800 --> 16:56.820
Let's see if it works.

17:00.740 --> 17:01.190
Me to.

17:11.650 --> 17:13.210
Send interesting traffic again.

17:15.360 --> 17:20.490
Does not make a difference as long as it matches, as long as what you send matches there.

17:20.490 --> 17:21.960
And what he sends matches here.

17:22.160 --> 17:24.560
To not make a difference to one side, you can use local and remote.

17:24.570 --> 17:28.450
The other side you just use the symmetrical key as right.

17:28.680 --> 17:29.970
Sending traffic through.

17:34.070 --> 17:34.710
I can go.

17:34.730 --> 17:36.470
I can also go to the other server.

17:41.050 --> 17:41.530
Rachel.

17:43.550 --> 17:44.500
Crypto IPsec.

17:45.290 --> 17:46.580
I have traffic going through.

17:48.480 --> 17:50.060
Even from the ASA. Crypto.

17:50.080 --> 17:50.150
Crypto.

17:53.380 --> 17:54.160
App traffic going.

17:55.480 --> 17:56.770
Same same concept.

17:56.830 --> 18:04.090
So crypto to say will show you a little more details about who's the local guy, who's the remote guy,

18:04.810 --> 18:06.780
your SPI numbers sq.

18:08.380 --> 18:09.520
You were the responder.

18:09.520 --> 18:10.890
You didn't initiate the connection.

18:10.900 --> 18:11.690
Someone else did.

18:11.710 --> 18:12.970
You responded to it.

18:13.930 --> 18:16.990
The port numbers that I'm using everything same.

18:18.320 --> 18:19.040
No difference.

18:19.280 --> 18:20.470
And the packets.

18:20.480 --> 18:20.960
Right?

18:21.410 --> 18:22.430
Forgot the packets.

18:25.150 --> 18:26.970
Internet authors.

18:29.970 --> 18:32.250
Initialize the connection and then authenticate the connection.

18:34.380 --> 18:34.740
Correct.

18:35.520 --> 18:36.810
Any questions would like me to.

18:38.670 --> 18:40.020
It's the same thing before.

18:40.050 --> 18:41.250
It's the same exact thing.

18:54.050 --> 18:54.620
This is it.

18:57.420 --> 18:59.160
The only one extra step was what?

19:00.510 --> 19:01.200
Crypto.

19:02.700 --> 19:05.070
IKEv2 policy ten.

19:05.100 --> 19:08.340
Then I said encryption 3DES.

19:08.760 --> 19:12.750
Integrity is MD5.

19:12.750 --> 19:13.830
And finally.

19:16.810 --> 19:17.500
That's it.

19:18.940 --> 19:19.780
I figured this.

19:19.780 --> 19:21.850
And from the other side, you already know how to do it.

19:22.120 --> 19:22.460
Like we.

19:24.200 --> 19:25.230
Difference comes here.

19:25.250 --> 19:30.110
Tunnel group is used in all of your all of your VPNs Tunnel group.

19:30.140 --> 19:34.300
You will always use to specify either the pre-shared key in this case.

19:34.430 --> 19:36.500
In this case you don't specify the pre-shared key.

19:36.530 --> 19:37.400
You do it local.

19:37.400 --> 19:38.690
Is Cisco remote?

19:38.690 --> 19:42.200
Is Cisco a little different, but the method is the same.

19:42.500 --> 19:45.650
To specify the key, you will always use this easy VPN.

19:45.680 --> 19:50.930
You use this web VPN, you use this, and now you're using it here.

19:52.790 --> 19:53.600
To specify the key.

19:53.600 --> 19:53.810
Right.

19:54.050 --> 19:58.590
And if you have, let's say, a CA server, you will point to the key server also using the tunnel group.

20:03.470 --> 20:08.440
You could say local authentication is server RSA and remote is PSK.

20:08.570 --> 20:12.170
But as I said last time, we won't usually do that.

20:12.170 --> 20:16.190
Yes, to get you out of situations where you don't have any other option, you'll use it, but most

20:16.190 --> 20:17.300
generally you will not.

20:18.710 --> 20:19.130
Okay.

20:19.130 --> 20:22.760
Then the other thing that changes is transform.

20:22.820 --> 20:24.470
That is not transform set anymore.

20:24.500 --> 20:26.120
It's called IPsec proposal.

20:26.330 --> 20:29.960
So that's your proposal and the rest of the stuff is already the same.

20:30.350 --> 20:34.340
Instead of saying set transform set, you set, set IKEv2 proposal.

20:34.370 --> 20:35.300
That's it.

20:35.660 --> 20:40.880
Just remember Transform set is IPsec proposal now Ikev2 IPsec proposal.

20:40.970 --> 20:44.930
The name is a little longer than it was before, but it does the same things.

20:46.340 --> 20:48.440
Okay, last thing, quickly.

20:49.220 --> 20:52.640
The easiest one is.

20:53.820 --> 20:55.530
ISAKMP, IKEv1.

20:56.400 --> 21:00.720
So I'll go to R4 interface fast Ethernet one zero.

21:00.750 --> 21:03.190
I'll say no crypto map.

21:03.260 --> 21:06.550
I map no crypto map.

21:06.570 --> 21:07.700
I map ten.

21:08.160 --> 21:09.420
I'll remove the whole crypto map.

21:10.020 --> 21:11.550
I'll remove no crypto.

21:11.580 --> 21:13.860
IPsec transform set to set.

21:17.220 --> 21:18.000
IKEv2.

21:20.820 --> 21:21.360
Profile.

21:27.970 --> 21:28.420
Keyring.

21:42.090 --> 21:42.190
Right.

21:42.260 --> 21:43.430
So basically everything.

21:48.500 --> 21:50.310
Nothing is there on the ASA.

21:50.330 --> 21:51.900
It's even easier to remove.

21:51.920 --> 21:54.710
How to configure Crypto.

21:56.150 --> 21:57.020
Crypto.

22:02.500 --> 22:02.920
Crypto.

22:04.200 --> 22:04.800
Tunnel group.

22:07.190 --> 22:08.480
Group policy.

22:09.290 --> 22:09.800
That's it.

22:09.800 --> 22:10.070
Clear.

22:10.190 --> 22:11.030
All of it is clear.

22:11.880 --> 22:12.310
So run.

22:12.320 --> 22:14.630
You will not see any sign of crypto here anywhere.

22:16.700 --> 22:17.000
Okay.

22:17.360 --> 22:19.190
I do need my ACL, which is here.

22:19.190 --> 22:20.110
I'll use that later.

22:20.120 --> 22:20.870
ACL 101.

22:21.470 --> 22:30.710
Let's do it from R4 side: crypto policy ten, encryption 3DES, authentication pre-share, hash

22:30.740 --> 22:46.490
MD5 and group two. Crypto ISAKMP key Cisco address 150 .1.3. ten. Crypto IPsec transform set key set.

22:47.480 --> 22:47.770
As.

22:48.840 --> 22:49.410
25.

22:50.360 --> 22:50.800
Crypto.

22:52.760 --> 22:53.140
Map.

22:53.480 --> 22:54.380
I map ten.

22:55.830 --> 22:58.320
IPsec ISAKMP, set peer.

22:58.350 --> 23:08.640
151 .3. ten Set Transform set to set match address 101 interface for one zero crypto map.

23:11.060 --> 23:11.840
ISAKMP is on.

23:15.020 --> 23:15.880
Does not support this.

23:17.390 --> 23:19.490
Go to the crypto.

23:19.910 --> 23:20.990
What do you choose?

23:26.710 --> 23:27.910
From the options.

23:27.910 --> 23:28.570
What do you use?

23:30.180 --> 23:33.090
IKEv1, IKEv1.

23:33.270 --> 23:34.530
What do you want right now?

23:36.540 --> 23:37.170
Policy.

23:37.200 --> 23:38.130
I'll call it ten.

23:39.210 --> 23:40.080
Encryption.

23:41.840 --> 23:46.820
He does authentication pre-shared hash, not integrity.

23:46.850 --> 23:52.580
Hash. Integrity is part of IKEv2. Hash MD5 and group two.

23:53.660 --> 23:55.100
How do I specify the key?

23:59.910 --> 24:00.420
Tunnel group.

24:00.420 --> 24:00.750
Right?

24:01.290 --> 24:02.070
Tunnel group.

24:02.580 --> 24:06.750
The address is 151 .334.4.

24:07.960 --> 24:12.850
And then type is IPsec L2L. Tunnel group.

24:12.850 --> 24:15.100
150.1.34.4.

24:15.550 --> 24:16.990
IPsec Attributes.

24:17.020 --> 24:18.430
How do I specify the key?

24:21.950 --> 24:23.780
Have a look at the options.

24:27.360 --> 24:29.750
IKEv1 earlier.

24:29.750 --> 24:31.370
It was IKEv2 authentication.

24:31.370 --> 24:32.660
Now it's ikev2.

24:32.780 --> 24:33.980
Pre-shared key is what?

24:38.250 --> 24:38.760
I know.

24:40.490 --> 24:41.960
Okay, then.

24:41.970 --> 24:42.480
See?

24:42.480 --> 24:43.260
I'll do it here.

24:46.560 --> 24:48.360
This was what, IKEv2.

24:49.080 --> 24:52.200
IKEv1 is like that if you compare the two. Crypto.

24:52.230 --> 24:58.350
IKEv1 policy, then when you say encryption 3DES.

24:59.140 --> 25:00.130
Authentication.

25:02.440 --> 25:02.690
Share.

25:04.070 --> 25:04.580
Group.

25:08.480 --> 25:10.280
Hash MD.

25:12.050 --> 25:15.770
Then to specify the key is tunnel group.

25:18.030 --> 25:20.730
Specify the address type.

25:21.300 --> 25:22.730
IPsec L2 L.

25:24.230 --> 25:27.890
Do the same thing again, but this time specify what?

25:29.060 --> 25:31.790
IPsec Because this is where you specify the key every time.

25:32.870 --> 25:34.160
Here how did you do it?

25:34.550 --> 25:36.590
To local authentication and stuff like that.

25:36.680 --> 25:46.580
On V1 you just say IKEv1 pre-shared key is Cisco because you don't have the option of local and remote

25:46.580 --> 25:47.150
in IKEv1.

25:47.150 --> 25:48.920
It's only available to you in IKEv2.

25:51.920 --> 25:52.130
Right.

25:53.830 --> 25:54.460
8.4.

25:55.680 --> 25:56.520
The other stuff.

25:58.420 --> 25:59.220
What else do I need?

25:59.230 --> 26:03.400
A transform set Crypto IPsec Who do I go to?

26:05.880 --> 26:06.690
Ike again.

26:06.720 --> 26:07.050
Same.

26:07.050 --> 26:08.370
I mean, you just have to follow it.

26:08.700 --> 26:10.350
IKEv1, then.

26:11.310 --> 26:13.110
It's not called an IPsec proposal here.

26:13.110 --> 26:14.280
It's called a We know that.

26:14.280 --> 26:15.840
It's called a transform set.

26:15.960 --> 26:17.910
And you call it T set.

26:18.240 --> 26:20.760
Then you specify ESP 3DES, ESP.

26:22.710 --> 26:23.430
MD5.

26:25.020 --> 26:27.920
Okay, access list is already created.

26:27.940 --> 26:29.340
Then the last one is crypto map.

26:29.910 --> 26:35.190
I map ten set here 151 .34.4.

26:38.500 --> 26:45.610
Match Address 101 Crypto Map map ten Set transform Set.

26:45.610 --> 26:46.690
I won't have transform set.

26:46.690 --> 26:49.330
I have what? I have IKEv1 transform set.

26:52.340 --> 26:54.040
The difference is transformed.

26:54.110 --> 26:55.790
It becomes IKEv1 transform set.

26:55.820 --> 26:56.570
That's it.

26:57.230 --> 26:58.670
Everything else is the same.

27:00.040 --> 27:00.820
As before.

27:00.910 --> 27:01.420
Right.

27:01.450 --> 27:08.980
Finally, crypto map map interface outside crypto ikev1.

27:09.100 --> 27:11.440
Enable outside, not ISAKMP ip.

27:12.920 --> 27:14.420
ISAKMP is out of the question.

27:14.840 --> 27:17.810
Show access list just to see if I have the access list.

27:17.840 --> 27:18.570
I do.

27:18.590 --> 27:20.470
I'll go from R4 and ping.

27:23.810 --> 27:24.680
10.11 point.

27:24.680 --> 27:35.690
11.1 goes through. Show crypto ISAKMP SA, show crypto IPsec SA, encaps, traffic is getting encrypted

27:35.690 --> 27:41.600
decrypted. From ASA also, show crypto IPsec SA, encaps, just.

27:42.800 --> 27:43.730
Blue caps.

27:46.470 --> 27:49.540
The traffic is going both direction, so R1 can also go.

27:52.000 --> 27:52.370
I don't.

27:52.370 --> 27:54.560
Is that R2?

27:55.280 --> 27:57.500
R2 is also dead, but that's okay.

27:57.500 --> 27:58.850
I can send traffic to them.

28:02.510 --> 28:03.360
It is.

28:03.360 --> 28:04.550
And it's the same thing.

28:04.940 --> 28:05.450
Where's my.

28:05.480 --> 28:06.080
Where's my wife?

28:10.060 --> 28:11.770
Look at the packets that were exchanged.

28:12.760 --> 28:16.270
One, two, three, four, five, six, seven, eight, nine.

28:18.260 --> 28:18.590
Same.

28:18.590 --> 28:20.780
Nothing changes at all.

28:20.900 --> 28:24.200
The only thing that changes is what.

28:25.670 --> 28:27.610
The implementation on the.

28:28.580 --> 28:30.450
That's the only thing that changes.

28:30.470 --> 28:35.240
They've made it better if you really think about this, because tunnel group will remain the same on

28:35.240 --> 28:37.940
all of them where VPN and the process will be the same.

28:37.940 --> 28:42.350
Once you learn one of them properly, the other ones become much easier once you understand the whole

28:42.350 --> 28:43.550
concept of how it works.

28:43.550 --> 28:45.680
And obviously you always have.

28:45.680 --> 28:46.190
What.

28:50.260 --> 28:51.360
We've been set up for a.

28:52.970 --> 28:53.180
Right.

28:53.180 --> 28:54.410
So which one do I want to set up?

28:54.410 --> 28:57.980
For example, right now it's site to site steps.

28:59.660 --> 29:01.710
The step for site to site.

29:04.900 --> 29:06.250
Yeah, that's what I want to see.

29:06.970 --> 29:08.020
Remote access is here.

29:08.050 --> 29:10.810
L2 Remote access site to site SSL.

29:10.810 --> 29:12.160
Remote access is also here.

29:12.370 --> 29:13.150
Very nice.

29:13.690 --> 29:14.650
SSL VPN.

29:16.840 --> 29:17.640
This is for the.

29:20.450 --> 29:23.400
It's enable SVC image AnyConnect.

29:23.420 --> 29:25.610
Tunnel protocol is SVC and WebVPN.

29:25.910 --> 29:26.870
I don't think.

29:28.050 --> 29:30.090
Should I be able to choose to write?

29:30.630 --> 29:32.670
But I don't see the option here.

29:34.780 --> 29:37.780
With and site to site.

29:37.780 --> 29:38.860
He shows me one.

29:42.490 --> 29:45.760
This is the one which we did set up.

29:47.110 --> 29:47.730
Safe to say.

29:50.960 --> 29:51.500
Steps.

29:53.150 --> 29:54.920
ISAKMP shows your normal ISAKMP.

29:54.920 --> 29:56.060
It doesn't even show you that one.

29:58.640 --> 30:00.650
I will not even work here.

30:02.970 --> 30:03.810
It's showing guys again.

30:04.890 --> 30:07.350
But yeah, that's what it feels.

30:08.520 --> 30:12.060
But the thing is, even this one is not transform set anymore.

30:12.420 --> 30:14.100
It's IKEv1 transform set.

30:17.630 --> 30:18.840
See the command will not be here.

30:18.870 --> 30:27.080
Crypto, crypto IPsec transform set is not a command, it's IKEv1 transform set.

30:28.400 --> 30:32.260
So I think the the steps that he's showing you, I think they're outdated.

30:32.270 --> 30:37.430
Maybe they have not updated the VPN setup yet because these steps are from the old 18.2.

30:37.460 --> 30:38.420
These won't work.

30:40.460 --> 30:41.900
8.28.4.

30:41.930 --> 30:45.530
Maybe in this version, which I have, they have not, but I'm sure that they will.

30:47.000 --> 30:47.600
Should be there.

30:47.810 --> 30:49.880
8.6 probably they might have updated it.

30:50.990 --> 30:52.130
Now you're using nine.

30:52.130 --> 30:53.960
So obviously there should be there.

30:55.680 --> 30:55.980
Clear.

30:57.680 --> 30:58.940
You understand how this is done?

30:58.990 --> 31:00.320
IKEv2, IKEv1.

31:01.740 --> 31:02.970
That's all about VPNs.

31:03.930 --> 31:05.820
If you want, you can do this.

31:05.970 --> 31:07.350
Remember the VPN that we did?

31:07.350 --> 31:08.790
You can do it with RSA.

31:08.820 --> 31:11.730
Also, you can do it with RSA.

31:11.760 --> 31:17.760
All you have to do is get a server here, authenticate and enroll the same way that you used to do before.

31:19.990 --> 31:20.410
Crypto.

31:21.070 --> 31:25.930
CA, then what, trust point, whatever CA that you create, right?

31:25.930 --> 31:35.980
The commands are the same enrollment URL, you enroll it, then crypto CA authenticate CA and enroll.

31:38.910 --> 31:41.670
Once you do that, then you can go to your tunnel group.

31:43.860 --> 31:46.890
In your IPsec attributes, you can specify.

31:49.160 --> 31:49.940
IKEv1.

31:52.710 --> 31:57.390
Trust point, not the pre-shared key, but the trust point pointed to the server, so it will use the

31:57.390 --> 31:59.290
ECC to form the certificates.

32:01.030 --> 32:01.500
Okay.

32:01.510 --> 32:05.380
I'll say if you check my previous video, one of the videos in the series.

32:05.470 --> 32:09.160
What I've done is because mostly VPN is not used with the Pre-shared key.

32:10.030 --> 32:13.570
Most of the times it will be used with what RSA Certificates.

32:16.660 --> 32:18.150
The clients have to get a certificate.

32:18.160 --> 32:18.820
They have to.

32:19.060 --> 32:20.350
There's a way of doing it.

32:22.440 --> 32:22.800
By the.

32:24.140 --> 32:26.600
You have to your VPN client, right?

32:26.630 --> 32:29.390
You have to authenticate it with a CA server.

32:29.690 --> 32:30.920
Get the key from there.

32:31.280 --> 32:33.350
Then go to the to the.

32:33.740 --> 32:34.350
It's very easy.

32:34.370 --> 32:35.570
It's not really difficult.

32:35.720 --> 32:38.270
It is in the video for properly documented.

32:38.540 --> 32:41.060
Do that also for reference.

32:41.090 --> 32:43.770
Do take the videos for flex vpn hub and spoke.

32:43.790 --> 32:47.060
Flex vpn site site to site and flex VPN.

32:47.630 --> 32:49.280
Spoke to spoke and remote access.

32:49.310 --> 32:51.230
All three also from the previous series.

32:51.260 --> 32:52.100
They are there.

32:52.250 --> 32:55.520
You don't have time to do that right now, but do that.

32:55.520 --> 32:56.290
Keep them with you.

32:56.300 --> 32:57.800
You might need it in the future.

32:57.800 --> 32:58.820
It's flex.

32:58.820 --> 33:00.440
VPNs are replacing everything.

33:01.980 --> 33:02.180
Next.

33:02.550 --> 33:02.750
Why?

33:02.850 --> 33:05.280
Because, again, same process of implementation.

33:05.460 --> 33:07.500
You can do the same process of implementation.

33:07.500 --> 33:13.830
You can add DMVPN, Easy VPN, GET VPN all together so you want to migrate from one to another.

33:13.830 --> 33:15.270
It's very easy with flex VPN.

33:15.390 --> 33:21.150
Obviously when you create something scalable, the configuration is even more difficult, right?

33:21.750 --> 33:23.820
Because obviously it's scalable, right?

33:23.820 --> 33:29.100
Scalable means adding will be easy, but to configure it will be difficult, right?

33:29.100 --> 33:34.270
Keep them because I know right now you won't go through with all those VPNs, right?

33:34.290 --> 33:36.720
You have a lot to cover, obviously.

33:36.880 --> 33:37.740
Let's do that.

33:37.740 --> 33:38.940
But keep it with you.

33:38.970 --> 33:39.840
You might need it.

33:44.080 --> 33:45.130
I mean, not just.
