WEBVTT

00:03.310 --> 00:05.610
All right, let's start.

00:05.630 --> 00:06.670
What are we doing today?

00:07.970 --> 00:09.410
We're doing Flex.

00:12.510 --> 00:13.410
Flex.

00:15.100 --> 00:15.700
Server.

00:18.050 --> 00:23.300
And client flex server client.

00:23.630 --> 00:25.640
We have done spoke to spoke.

00:26.420 --> 00:33.190
We have done SVTI, DVTI setup. The last VPN in Flex is server and client.

00:33.200 --> 00:34.220
What does this represent?

00:34.220 --> 00:34.880
What is it?

00:34.880 --> 00:37.360
In familiarity with easy.

00:39.020 --> 00:40.400
You have to understand some things.

00:40.430 --> 00:45.740
Easy VPN has been there for a long time, so a lot of software has been developed already for easy VPN,

00:46.820 --> 00:49.580
VPN client and all the other kind of stuff.

00:49.580 --> 00:53.630
And router can act as an easy VPN client and all the other kinds, right?

00:53.660 --> 00:58.490
But Flex VPN is relatively very new, very new.

00:58.490 --> 01:01.010
So a lot of software has not been developed yet.

01:01.250 --> 01:10.580
It's still in the beginning phases, but the basic setup of what you do with a router as a client and

01:10.580 --> 01:12.560
with the VPN server is the same.

01:12.650 --> 01:17.790
You have a flex VPN server and a flex VPN client, and then you can make the same tunnel like you used

01:17.790 --> 01:20.820
to do before, share the same things like you used to do before.

01:21.210 --> 01:24.510
But the only one thing, the difference here, is there is no NEM.

01:25.020 --> 01:26.430
There is no NEM mode.

01:26.520 --> 01:28.320
There is no NEM plus mode.

01:29.400 --> 01:30.360
Nothing like that.

01:30.360 --> 01:31.890
You do all of it manually.

01:33.000 --> 01:35.310
What do I mean by manually in network extension?

01:35.310 --> 01:37.950
I used to extend networks from my side to the other side.

01:38.940 --> 01:39.570
Right.

01:39.570 --> 01:45.930
And the normal mode, the client mode was I used to get an IP address and the server used to have a

01:45.930 --> 01:47.340
static route towards me.

01:48.710 --> 01:48.980
Right.

01:49.160 --> 01:50.570
The same thing is done here.

01:50.570 --> 01:52.670
You know exactly how to do it.

01:53.300 --> 01:59.900
You know how to install the static right route from the server to client to the interface as well as

01:59.900 --> 02:01.730
to that network that is inside.

02:03.170 --> 02:04.970
We did that in DMVPN.

02:06.320 --> 02:08.150
That is why flexibility is there.

02:08.150 --> 02:09.890
Now you know how to do DMVPN.

02:09.920 --> 02:11.720
You will tell me how to do flex.

02:11.720 --> 02:12.860
I will not tell you.

02:13.190 --> 02:17.180
You will tell me the steps for flex VPN server client.

02:18.020 --> 02:18.770
You know it.

02:18.770 --> 02:22.190
You have done it already with just one small minor command.

02:22.220 --> 02:24.200
You have to do it on the client.

02:24.200 --> 02:25.700
Everything else is the same.

02:27.730 --> 02:31.120
Okay, let's do that first and we can look at the concept later.

02:32.950 --> 02:34.330
First things first.

02:36.660 --> 02:37.710
Our IOU.

02:39.930 --> 02:40.530
Was suspended.

02:42.230 --> 02:42.590
Suspend.

02:46.520 --> 02:47.540
Resume the guest.

02:59.190 --> 03:03.930
Make sure that I'm using the same interface which I need.

03:03.960 --> 03:05.670
Vnet one which is host only.

03:05.670 --> 03:06.540
That is fine.

03:10.570 --> 03:14.280
We one What is the IP 19221638210.

03:14.620 --> 03:15.460
Perfect.

03:18.900 --> 03:23.040
Hey, dude, I 100 will open my IOU.

03:30.330 --> 03:31.350
This right here.

03:31.650 --> 03:35.580
I also need to open my SecureCRT.

03:37.630 --> 03:41.470
The good thing is I saved everything yesterday, so it'll be easier.

03:44.690 --> 03:45.860
Starting from one.

03:47.800 --> 03:48.460
That's fine.

03:49.000 --> 03:49.930
Everything is saved.

03:52.370 --> 03:55.220
You don't have to city in this.

03:55.220 --> 03:58.260
There is no serial fast Ethernet.

03:58.280 --> 04:00.950
You have Serial which is already there, but we are not using it.

04:04.590 --> 04:05.160
This one.

04:05.790 --> 04:07.050
These are serial links.

04:08.160 --> 04:09.150
These ones.

04:10.350 --> 04:11.280
I'm not using it.

04:11.310 --> 04:13.360
This is not the only topology you can use.

04:13.380 --> 04:17.880
You can go to the internet and download some topologies for here, and then you can import it in downloads

04:17.880 --> 04:18.690
and manage.

04:18.840 --> 04:23.820
You can import those topologies, but you really wouldn't need them because this will definitely cover

04:23.820 --> 04:24.390
everything.

04:25.380 --> 04:28.020
Eight Routers is more than enough to cover routing and switching.

04:29.850 --> 04:31.500
I'll cover most of everything.

04:31.830 --> 04:33.570
These eight routers are in your lab.

04:34.610 --> 04:35.260
Sorry.

04:35.310 --> 04:37.320
CCIE lab, routing.

04:37.320 --> 04:37.950
Switching.

04:38.460 --> 04:39.870
Look at how big the topology is.

04:41.460 --> 04:42.870
So this will cover your everything.

04:42.870 --> 04:48.270
You don't need anything else, but if you still want, you can download those sample labs and import

04:48.270 --> 04:48.540
it in.

04:53.450 --> 04:53.990
I do.

04:56.750 --> 04:57.260
R3.

05:09.030 --> 05:09.900
Five.

05:11.670 --> 05:14.160
This two and.

05:15.500 --> 05:16.990
So which one should be this?

05:19.570 --> 05:20.980
This the second one?

05:20.980 --> 05:21.470
Probably.

05:26.200 --> 05:26.500
Yeah.

05:27.760 --> 05:27.970
Okay.

05:27.970 --> 05:29.270
So I have everything.

05:29.290 --> 05:30.550
Let me see the routing.

05:34.500 --> 05:38.160
My this is which one server client spoke to spoke.

05:40.020 --> 05:40.920
Does this book just work?

05:40.920 --> 05:45.600
If everything is fine, if everything was saved yesterday, we can still verify it.

05:46.740 --> 05:47.220
Three Yes.

05:47.340 --> 05:48.390
Two is the internet.

05:50.730 --> 05:55.500
I have this all coming from 10.1.

06:02.900 --> 06:07.430
Create a virtual access, an NHRP relationship will be set up.

06:13.670 --> 06:15.230
I have this, but there's a problem.

06:15.530 --> 06:16.610
There's an override here.

06:16.610 --> 06:17.780
So that means my.

06:18.230 --> 06:20.030
My mappings are not perfect.

06:20.720 --> 06:21.470
Maybe they are.

06:24.510 --> 06:25.680
They still go through here?

06:26.400 --> 06:29.310
I'll have to shut my tunnel down and bring it back up again.

06:29.310 --> 06:30.810
But from R4.

06:32.850 --> 06:33.960
Hartford is also the same.

06:35.490 --> 06:36.580
So let's go in here.

06:36.600 --> 06:37.910
Interface Tunnel zero.

06:37.920 --> 06:38.790
Shut.

06:47.060 --> 06:47.220
I?

06:47.240 --> 06:47.570
No.

06:56.750 --> 06:57.260
Okay.

07:07.090 --> 07:09.460
Good is going straight.

07:09.460 --> 07:09.850
Spoke to.

07:09.850 --> 07:10.360
Spoke.

07:11.510 --> 07:14.840
Now R4 and R3 are spoke to spoke.

07:16.040 --> 07:16.670
R1.

07:18.440 --> 07:22.190
I can do the same thing on the same topology, but I'm not going to do that right now.

07:22.520 --> 07:24.230
We'll start over from zero.

07:24.350 --> 07:25.910
All I have to do is just change one thing.

07:25.910 --> 07:27.220
But I won't do that right now.

07:27.230 --> 07:30.050
What I'll do is I'll erase this and reload.

07:31.800 --> 07:34.170
Because I want to set up a server client relationship.

07:34.170 --> 07:34.770
Between whom?

07:34.800 --> 07:36.060
R1 and R5.

07:37.620 --> 07:39.420
The diagram is the same as yesterday.

07:41.320 --> 07:44.530
Part one will be connected to the Internet.

07:45.400 --> 07:49.570
Part two will be inside and half will be here.

07:51.260 --> 07:52.760
There is no spoke to spoke here.

07:52.940 --> 07:55.460
Remember, it is not spoke to spoke.

07:55.490 --> 08:00.860
This will just act as a client to this game, just like an easy VPN service.

08:01.190 --> 08:03.650
Does he know what the IP of this guy is going to be?

08:04.190 --> 08:06.530
No, he does not, because he's the server.

08:06.560 --> 08:10.100
These guys will connect up from home from their internet connection.

08:10.250 --> 08:11.540
So he doesn't have to know.

08:11.540 --> 08:13.340
Do they need to know what his IP is?

08:14.210 --> 08:14.870
Definitely.

08:16.160 --> 08:16.640
Right.

08:16.670 --> 08:18.140
Everything else will be the same.

08:18.170 --> 08:23.720
You'll see the similarities between VPN on Flex and Easy VPN on Flex.

08:25.700 --> 08:30.470
Let's start and help me with this, because I want you to critically think about it.

08:32.320 --> 08:34.520
First step I need to create.

08:34.540 --> 08:35.650
First, let's think about it.

08:35.680 --> 08:38.500
What do I need to create on R1? DVTI?

08:40.480 --> 08:42.190
I need to create a DVTI.

08:42.310 --> 08:43.730
Should it be protected?

08:43.750 --> 08:44.380
Yes.

08:44.380 --> 08:46.820
Yes, it should be protected.

08:46.840 --> 08:48.790
So for that I would require a profile.

08:49.840 --> 08:52.960
For the profile, I would require an IKEv2 profile also.

08:54.340 --> 08:54.910
Right.

08:54.910 --> 08:58.720
So I'll have a virtual template for the DVTI.

08:58.900 --> 09:04.900
To protect the virtual template, I will have an IPsec transform set, profile, plus IKEv2 profile.

09:06.370 --> 09:06.760
Right.

09:06.790 --> 09:08.590
Do I need to push any route down?

09:09.130 --> 09:09.460
Yes.

09:09.480 --> 09:09.690
Yes.

09:09.870 --> 09:10.840
Yes.

09:10.840 --> 09:16.750
Because my internal networks 10.1.1.1 should be pushed down so they can reach up just like I used

09:16.750 --> 09:17.920
to do in an ACL.

09:17.950 --> 09:18.720
A split ACL.

09:18.730 --> 09:20.320
I used to push it down.

09:20.500 --> 09:22.180
So I need to do that also.

09:23.810 --> 09:26.360
Right from the from the client side.

09:26.510 --> 09:28.880
In the beginning, we'll just do client mode.

09:29.600 --> 09:31.910
Client mode does not need to fix anything up.

09:32.630 --> 09:34.310
He does not need to send anything up.

09:35.870 --> 09:36.050
Right.

09:36.080 --> 09:38.180
But he needs to set that one interface.

09:38.420 --> 09:39.020
Which one?

09:39.020 --> 09:41.300
The IP address that he's going to receive.

09:41.330 --> 09:44.810
He needs to tell the server, Hey, you gave me this.

09:44.810 --> 09:46.550
Have a static route towards me.

09:48.960 --> 09:50.580
We'll talk about the server side now.

09:50.580 --> 09:51.360
What is the first step?

09:51.360 --> 09:53.160
What am I supposed to do in the beginning?

09:55.140 --> 09:57.660
I need to create the IKE profile for that.

09:57.660 --> 09:59.580
Do I need to change the default policy?

10:01.500 --> 10:07.740
I need to do route set interface node set interface is there the access as well as access list?

10:07.740 --> 10:11.220
I need to push down access list as well as an interface address.

10:11.220 --> 10:11.460
So.

10:11.640 --> 10:14.100
So I do need to change my authorization policy.

10:15.560 --> 10:16.000
Remember.

10:16.420 --> 10:17.560
So what are the steps?

10:17.590 --> 10:26.590
The first step is I enable the model and create an authorization list which points towards my local

10:27.040 --> 10:28.060
authorization.

10:29.110 --> 10:33.190
Now, this is not spoke to spoke, so I do not need to do it on the default.

10:34.360 --> 10:39.850
I only need to do sports spoke to spoke default default when I'm doing spoke to spoke because as I said

10:39.850 --> 10:45.580
there are there are some bugs so it does not work with if you change the list you need to do it on the

10:45.580 --> 10:48.190
default for server spoke here.

10:48.190 --> 10:49.180
You can do it on any.

10:49.180 --> 10:52.090
So name it anything authorization network.

10:56.860 --> 10:57.220
Local.

10:58.690 --> 10:59.100
Right.

10:59.110 --> 11:04.510
So I'm telling him that the authorization policy is going to be done locally, but I need to do it locally,

11:04.510 --> 11:06.010
so let's do it locally.

11:06.370 --> 11:11.200
Crypto Ikev2 Authorization Policy.

11:12.640 --> 11:15.340
Call it anything I call.

11:16.150 --> 11:17.920
And what am I pushing down?

11:21.520 --> 11:24.430
Route set interface.

11:25.270 --> 11:26.110
And.

11:27.380 --> 11:29.030
Route set.

11:30.090 --> 11:31.230
Access list.

11:31.470 --> 11:33.270
Then I have not created ten.

11:33.810 --> 11:36.000
So before I do this, I'll go in here.

11:36.780 --> 11:41.100
Access list 10 permit 10.1.1.0.

11:43.490 --> 11:47.240
So I'm pushing 10.1 network down so they know where 10.1 is.

11:49.000 --> 11:50.710
This is a standard access list.

11:52.590 --> 11:53.800
This is a standard access list.

11:53.850 --> 11:57.400
I'm pushing down so he'll have a route towards this this network.

11:57.420 --> 12:01.350
If I do ten dot zero, he will have a static route towards ten .0.0.

12:01.650 --> 12:06.330
Whatever I push down as the access list will be installed as a static route on the other side.

12:06.440 --> 12:08.130
That's why you don't need to specify the.

12:08.730 --> 12:09.050
For this.

12:09.520 --> 12:10.320
This is standard.

12:11.010 --> 12:13.140
This is a standard access list.

12:13.170 --> 12:17.700
If I had 100 here, then it was permit IP from this source to this destination.

12:17.820 --> 12:19.730
Here it's a standard access list.

12:19.740 --> 12:21.210
So I'm just pushing that down.

12:21.810 --> 12:23.010
I just need the source.

12:23.370 --> 12:24.690
I do not need the destination.

12:24.690 --> 12:26.700
I just need to tell him where to install the route to.

12:29.280 --> 12:29.820
Right.

12:30.280 --> 12:32.340
Then this part is done.

12:33.180 --> 12:34.380
I need to put all of this.

12:34.380 --> 12:34.630
Where?

12:34.680 --> 12:35.580
In a profile.

12:35.610 --> 12:36.540
Ikev2 profile.

12:36.570 --> 12:36.740
Right.

12:36.750 --> 12:38.400
I call it in the IKEv2 profile.

12:38.430 --> 12:39.590
For that, what do I need?

12:39.600 --> 12:42.510
All those proposal and policies for the profile.

12:43.170 --> 12:46.260
I'm telling you the steps so you can link it up together when you're doing it.

12:46.290 --> 12:49.620
So what is missing now is the crypto.

12:51.660 --> 12:53.850
Crypto ikev2 proposal.

12:55.730 --> 13:00.620
Prop encryption 3DES.

13:02.190 --> 13:04.110
Group two.

13:05.700 --> 13:10.230
Integrity and MD5 done.

13:13.040 --> 13:18.080
Crypto IKEv2 profile I.

13:18.120 --> 13:18.680
Prof.

13:18.770 --> 13:21.290
I didn't do one thing here, which I had done before.

13:21.410 --> 13:22.550
There was a pool.

13:22.850 --> 13:26.610
Yes, I forgot to do the pool because this is easy.

13:26.630 --> 13:33.830
VPN Yes, Access is when it is pushed down, the source and destination won't be changed like we did

13:33.830 --> 13:35.060
for that was easy.

13:35.090 --> 13:36.040
VPN no see.

13:36.080 --> 13:36.290
Easy.

13:36.650 --> 13:38.900
I only did a source he does not installed.

13:38.900 --> 13:42.200
He does not use it to install the route as a static route.

13:42.230 --> 13:46.250
Remember yesterday I showed you this when we did route set access list.

13:46.280 --> 13:51.380
This one address will only be used so that the other guy installs it as a static route.

13:51.410 --> 13:53.810
He will not use it as an access list there.

13:55.720 --> 13:56.530
Just like I do.

13:56.560 --> 13:57.580
Route set interface.

13:57.580 --> 14:02.920
He installs a static route towards my interface, so the access list is converted into a static is a

14:02.920 --> 14:03.400
static route.

14:03.430 --> 14:04.000
On the other side.

14:04.000 --> 14:04.690
Exactly.

14:05.110 --> 14:06.310
Just a static route.

14:07.560 --> 14:13.830
Okay, this is easy VPN, so I also need a full VPN server.

14:13.830 --> 14:15.330
So I also need a pool.

14:15.330 --> 14:18.060
So this does not become two.

14:18.090 --> 14:18.750
This is three.

14:18.780 --> 14:19.740
Two will be.

14:22.700 --> 14:26.240
IP Local pool flex.

14:27.230 --> 14:30.560
1.11..

14:32.830 --> 14:35.590
I can have 100 users, 100 clients.

14:35.590 --> 14:37.660
And where do I call this pool?

14:39.660 --> 14:39.910
Cool.

14:40.840 --> 14:41.190
Let's.

14:42.690 --> 14:43.290
Flex.

14:43.320 --> 14:43.920
Was it pull?

14:46.820 --> 14:50.030
So he's going to push down the pool to the other side.

14:50.180 --> 14:50.570
Right.

14:50.570 --> 14:53.210
So give out an IP from this pool to the other interface.

14:53.210 --> 14:56.750
Then create send out a static route.

14:56.780 --> 15:03.200
Tell him to install a static route towards you and also tell him have a static route towards my internal

15:03.200 --> 15:03.640
networks.

15:03.680 --> 15:04.370
10.11.

15:04.370 --> 15:04.820
10.1.

15:04.820 --> 15:05.210
Point one.

15:06.410 --> 15:06.910
Okay.

15:06.920 --> 15:07.430
Done.

15:07.460 --> 15:09.920
Then profile, not profile policy.

15:12.880 --> 15:13.420
Policy.

15:13.480 --> 15:17.110
Paul What do I call in here?

15:17.660 --> 15:33.580
Proposal prop, then keyring. Crypto ikev2 keyring cr my peer is any addresses and.

15:36.300 --> 15:37.080
Pre-shared key.

15:40.070 --> 15:43.240
This keyring is done.

15:44.140 --> 15:46.690
I need to profile, create a profile.

15:46.690 --> 15:54.310
So this is for step five will be profile crypto IKEv2 profile.

15:54.880 --> 15:57.160
Call it anything ik.

15:58.600 --> 15:59.650
What was the next step?

16:01.210 --> 16:01.960
Match.

16:02.800 --> 16:03.460
Address.

16:03.490 --> 16:04.210
Match Identity.

16:04.480 --> 16:10.450
AWS Identity Remote Address 0000.

16:11.680 --> 16:15.520
Anyone can come in and create a profile with me and.

16:17.050 --> 16:17.980
Authentication.

16:17.980 --> 16:22.750
Local Pre-shared Authentication.

16:23.800 --> 16:27.550
Remote Patient KeyRing.

16:28.600 --> 16:31.080
Local key.

16:32.110 --> 16:34.450
And do I need a virtual template?

16:34.650 --> 16:34.860
Yes.

16:35.800 --> 16:37.060
I need a virtual template.

16:37.990 --> 16:39.100
Virtual template.

16:43.000 --> 16:47.230
So I need a virtual template so that I can create a DVTI downstairs.

16:49.240 --> 16:51.580
Yeah, I forgot which one.

16:53.380 --> 16:56.350
After virtual template or before this?

16:56.350 --> 16:59.480
AAA authorization.

17:00.010 --> 17:02.320
I'm using group not user group.

17:02.710 --> 17:04.990
User is for AAA server.

17:04.990 --> 17:11.890
If I'm using a user based authentication on the AAA server and I'll be using PSK, not EAP, not

17:11.890 --> 17:12.790
anything else.

17:13.060 --> 17:14.230
I'm not overriding.

17:14.230 --> 17:15.640
I can override if I want to.

17:15.640 --> 17:16.480
That will work.

17:16.510 --> 17:19.600
That command will also work because I'm not using users anyways.

17:20.140 --> 17:22.390
If you use override user will never be used.

17:22.390 --> 17:23.190
But that's okay.

17:23.200 --> 17:24.340
I don't need it right now.

17:24.640 --> 17:26.770
PSK and list.

17:29.000 --> 17:29.690
List.

17:31.700 --> 17:34.220
List is the name.

17:34.220 --> 17:37.020
What is the name of Good?

17:37.070 --> 17:40.670
And the other one is the username is Ike Paul.

17:42.560 --> 17:43.610
I call is which one?

17:43.970 --> 17:46.310
The policy which I created right here.

17:47.030 --> 17:48.080
Where did it go?

17:48.110 --> 17:48.620
This one.

17:48.650 --> 17:50.900
The one which I edited locally.

17:53.070 --> 17:54.120
I edited this locally.

17:54.120 --> 17:57.940
When I say route set interface and all the other kind of stuff, right.

17:58.080 --> 17:58.970
Virtual template.

17:59.490 --> 18:00.930
Now what is the next step?

18:02.040 --> 18:10.410
Step six Crypto IPsec Transform set to set.

18:12.460 --> 18:14.280
ESP 3DES.

18:14.310 --> 18:16.200
ESP MD5.

18:17.340 --> 18:17.640
Good.

18:17.640 --> 18:18.180
Good.

18:19.290 --> 18:23.530
Crypto IPsec Profile.

18:24.600 --> 18:24.960
I.

18:26.640 --> 18:27.180
Set.

18:28.620 --> 18:29.250
Transform.

18:29.250 --> 18:31.350
Set d set.

18:31.860 --> 18:35.400
Set IKEv2 profile.

18:38.380 --> 18:39.010
Next step.

18:41.120 --> 18:41.630
Yes.

18:42.470 --> 18:43.340
What is the next step?

18:43.520 --> 18:46.670
Interface Interface.

18:47.600 --> 18:50.840
Virtual template ten type tunnel.

18:50.870 --> 18:52.430
Do not forget type tunnel.

18:52.790 --> 19:03.080
Keep on repeating this tunnel source is 192 1.1.1 no destination IP address.

19:04.790 --> 19:06.290
What is my IP address?

19:07.610 --> 19:07.970
A number.

19:08.060 --> 19:10.000
What number?

19:10.700 --> 19:12.770
Maybe I need to create it.

19:14.210 --> 19:18.650
I need to create the loopback 11 and give it an address of the same range.

19:21.640 --> 19:22.120
Right.

19:22.390 --> 19:27.390
And then IP unnumbered loopback.

19:27.400 --> 19:27.760
11.

19:28.420 --> 19:29.620
So the source is done.

19:29.650 --> 19:30.130
IP is done.

19:30.130 --> 19:30.580
Destination.

19:30.580 --> 19:31.240
I don't know.

19:31.720 --> 19:36.600
Can this be a pure IPsec tunnel or does it have to be GRE?

19:39.780 --> 19:41.460
Does it have to be or can it be pure?

19:43.080 --> 19:44.520
Am I using an air in here?

19:46.020 --> 19:46.890
I'm not using an air.

19:47.250 --> 19:50.570
But if we try to connect many users, then it will not.

19:50.700 --> 19:52.170
But they are not talking to each other.

19:52.600 --> 19:57.720
Then you have to understand why do we do server and client server and client for the clients to access

19:57.720 --> 20:00.090
their internal networks only for that reason.

20:00.270 --> 20:01.890
So there is no spoke to spoke here.

20:01.890 --> 20:04.530
If you do that you'll be going back to spoke to.

20:04.530 --> 20:05.100
Spoke.

20:06.510 --> 20:09.240
I don't need spoke to spoke communication.

20:09.240 --> 20:11.370
That is exactly what Dmvpn is.

20:11.850 --> 20:13.830
That is the only difference between the two.

20:14.670 --> 20:21.690
Here my job is for the remote users to access the headquarters and whatever is behind the headquarters.

20:22.750 --> 20:30.340
Okay, so IP unnumbered loopback zero, tunnel mode IPsec IPv4 and tunnel protection.

20:32.070 --> 20:36.210
Use protection IPsec Profile.

20:36.720 --> 20:37.110
I.

20:39.860 --> 20:40.850
I'm missing something.

20:41.750 --> 20:42.050
Nope.

20:43.910 --> 20:45.920
Let's check this again from the beginning.

20:45.920 --> 20:48.200
New model network is local.

20:48.500 --> 20:50.180
Authorization is done locally.

20:50.510 --> 20:53.660
What is my local authorization here?

20:53.900 --> 20:56.180
Whereas a route set interface, route set access list.

20:56.180 --> 20:56.870
And the pool.

20:56.900 --> 21:02.000
The pool is defined right here and my access list is defined right here.

21:02.330 --> 21:03.770
So they're all called here.

21:03.890 --> 21:06.800
This needs to be called in the profile to create the profile.

21:06.800 --> 21:07.760
I need this stuff.

21:08.300 --> 21:11.750
My proposal, my policy, my key to create the profile.

21:11.750 --> 21:18.410
Call all of this and also call the authorization group, which I just created a group along with pointing

21:18.440 --> 21:20.150
to the local list.

21:21.470 --> 21:23.270
And the group is right here.

21:23.750 --> 21:25.880
Then you have virtual template.

21:25.880 --> 21:26.030
Why?

21:26.060 --> 21:27.260
Because I need a DVTI.

21:27.410 --> 21:30.600
So now I need to configure parameters of the virtual template.

21:30.620 --> 21:32.390
I will require a transform set.

21:32.630 --> 21:40.520
I will require a profile IPsec profile where I call the Transform set along with the Ikev2 profile.

21:41.090 --> 21:45.470
Finally, configure the virtual template and protect it using the IP.

21:48.100 --> 21:48.820
Right.

21:49.500 --> 21:50.130
Copy.

21:52.620 --> 21:54.480
Is the same thing we had done before.

21:54.720 --> 21:55.950
There's nothing new in here.

21:58.050 --> 21:58.840
For this book.

22:00.040 --> 22:03.580
We are not using we we're not using DVD for spokes to spokes.

22:03.610 --> 22:05.230
This has nothing to do with spokes.

22:06.790 --> 22:10.030
We are not using here spoke to spoke.

22:10.030 --> 22:15.010
We use because we're supposed to use and NHRP works in conjunction with GRE.

22:17.290 --> 22:18.040
Is this okay?

22:18.070 --> 22:19.930
My virtual template is down.

22:19.930 --> 22:20.700
Why is it down?

22:20.710 --> 22:22.700
It will be down because virtual access is up.

22:22.780 --> 22:24.220
Virtual template is always down.

22:24.910 --> 22:26.140
The protocol is always down.

22:26.260 --> 22:29.350
Now to create the virtual access, it'll be done from the other side.

22:30.490 --> 22:31.330
This is the side.

22:31.330 --> 22:32.920
This is where there's a little different.

22:33.130 --> 22:38.680
Until now it's everything is the same except for the pool we did yesterday.

22:38.680 --> 22:44.170
The only one thing that I added was route set access list interface also I had done yesterday.

22:47.040 --> 22:48.960
Interface also had done yesterday.

22:50.100 --> 22:51.300
So can I do this now?

22:52.890 --> 22:55.890
Let's go to create a tunnel with R4 R5.

22:56.970 --> 22:58.890
I'll create it with R5.

22:59.190 --> 23:00.150
Go in here.

23:01.650 --> 23:02.550
New model.

23:04.200 --> 23:06.300
Why do I need to do this local here?

23:07.680 --> 23:08.520
Check the local.

23:09.480 --> 23:11.730
Why do I need to create a policy on the client side?

23:13.910 --> 23:27.890
To one client side for route set y so that the other side will know where I am and my behind address.

23:28.190 --> 23:32.930
And if I need to do network extension mode, then I need to do the access list also.

23:32.930 --> 23:34.850
First, we will not do the access list part.

23:34.880 --> 23:37.070
We will just do this part.

23:38.570 --> 23:39.500
Do I need a pool?

23:40.420 --> 23:42.290
No, I do not need a pool.

23:42.320 --> 23:44.240
Let's do this separately.

23:51.030 --> 23:51.690
I need a pool.

23:51.690 --> 23:54.570
No, I don't need a pool.

23:55.590 --> 23:57.030
I need a access list right now.

23:57.030 --> 23:57.630
I don't.

23:57.930 --> 23:59.760
So pool and access list, remove it.

23:59.760 --> 24:02.850
The only thing I'll do is basic route, set interface.

24:02.850 --> 24:04.440
So he knows what IP he gave me.

24:04.440 --> 24:06.360
And what is the virtual access it's coming from?

24:06.740 --> 24:09.150
He installs a static route towards me.

24:09.180 --> 24:09.900
Do I need this?

24:09.900 --> 24:11.550
Obviously I need this.

24:11.550 --> 24:12.030
I need this.

24:12.030 --> 24:12.960
I need this.

24:12.960 --> 24:13.830
I need this.

24:13.830 --> 24:14.430
I need this.

24:14.430 --> 24:15.870
I need this as well as this.

24:15.900 --> 24:16.290
Why?

24:16.320 --> 24:20.160
Because I have to point to I am setting a route set interface.

24:20.190 --> 24:21.330
Do I need this?

24:22.300 --> 24:23.340
No, no, no, no.

24:23.340 --> 24:24.390
It's not a DVTI.

24:24.570 --> 24:27.930
It's a static transform set.

24:27.930 --> 24:28.680
Yes.

24:29.530 --> 24:30.130
Profile.

24:30.280 --> 24:31.060
Yes.

24:31.060 --> 24:31.400
Yes.

24:32.020 --> 24:32.860
Loopback.

24:34.190 --> 24:37.000
No, this will not be a virtual template tunnel.

24:37.010 --> 24:37.940
This will be a

24:41.150 --> 24:42.140
tunnel source.

24:43.760 --> 24:45.200
25.5.

24:47.310 --> 24:48.300
IP address.

24:50.460 --> 24:51.900
What is the IP address going to be?

24:52.920 --> 24:53.910
No practice yesterday.

24:54.210 --> 24:55.440
No one practices yesterday.

24:57.270 --> 25:00.210
She negotiated.

25:00.240 --> 25:02.850
Negotiate from the other end, then tunnel mode.

25:02.880 --> 25:04.470
Same tunnel protection.

25:04.470 --> 25:04.710
Same.

25:06.180 --> 25:06.750
Right.

25:06.780 --> 25:08.550
I do not know the destination.

25:09.270 --> 25:12.870
That is exactly where the difference comes into play.

25:13.200 --> 25:14.370
The destination.

25:14.370 --> 25:18.810
I'm not going to put it inside the tunnel because I want this to be accepted as a client.

25:20.650 --> 25:21.100
Right.

25:21.130 --> 25:23.360
He should be accepted as a client.

25:23.380 --> 25:32.710
For that, I'll have to do this one extra command which says tunnel destination is dynamic.

25:36.260 --> 25:38.330
Dynamic y dynamic.

25:38.360 --> 25:39.420
It's the same.

25:39.440 --> 25:44.130
I'm still specifying the destination, just not there, but in a different module.

25:44.150 --> 25:46.670
I'm just taking it out and putting it in a different module.

25:47.240 --> 25:48.230
I'll see what that is.

25:48.260 --> 25:49.280
We'll see what that is.

25:49.280 --> 25:49.710
Right.

25:49.730 --> 25:51.230
Until now, everything is okay.

25:53.030 --> 25:53.480
This is okay.

25:53.480 --> 25:53.900
This is okay.

25:53.900 --> 25:54.380
This is okay.

25:54.380 --> 25:55.950
And this is okay.

25:55.970 --> 25:57.320
First things first.

25:59.310 --> 25:59.560
Zelda.

25:59.610 --> 26:00.390
One is.

26:03.770 --> 26:06.500
Start configured Ethernet zero zero.

26:06.530 --> 26:08.180
Hopefully it's Ethernet zero zero.

26:12.450 --> 26:13.620
Shot in the dark.

26:20.060 --> 26:20.330
Yeah.

26:20.330 --> 26:21.980
That's too many O's.

26:28.700 --> 26:29.660
It's not zero zero.

26:32.240 --> 26:33.230
I'll have to check.

26:36.120 --> 26:38.820
I five it is zero zero.

26:39.630 --> 26:40.970
Have I put it in the right VLAN?

26:45.210 --> 26:46.680
Switch one show.

26:48.510 --> 26:49.230
Yeah, that's.

26:49.230 --> 26:51.820
That's what I'm checking on.

26:51.840 --> 26:52.770
Brief.

26:53.560 --> 26:55.980
Okay, First, I'll have to check what port this is.

27:00.120 --> 27:00.840
WI fi.

27:00.870 --> 27:02.910
This is 111.

27:02.910 --> 27:04.800
One needs to be put into 25.

27:10.490 --> 27:11.930
Ethernet one one.

27:12.530 --> 27:17.360
Switchport mode access, switchport access VLAN 25.

27:18.020 --> 27:21.140
It wasn't even created along the same lines.

27:21.140 --> 27:24.500
Let's check if this has 25.

27:26.400 --> 27:27.440
Does not have 25.

27:27.710 --> 27:30.950
So here also I need to create 25.

27:31.850 --> 27:38.840
Encapsulation dot1Q 25 IP Address 20 5.2.

27:51.500 --> 27:51.950
Okay.

27:53.540 --> 27:55.580
The number five should be able to reach.

27:57.250 --> 27:57.730
That one?

27:58.000 --> 27:58.600
No.

28:00.010 --> 28:00.550
Why not?

28:04.440 --> 28:06.300
Do you trust this guy?

28:07.890 --> 28:08.230
Why not?

28:08.250 --> 28:09.000
12 to 1.

28:17.870 --> 28:19.940
Something's wrong with that one.

28:20.630 --> 28:21.530
I restarted it.

28:21.530 --> 28:22.940
So there's no IP address on the side.

28:40.020 --> 28:44.040
Okay, so R5 is reachable to R1.

28:44.730 --> 28:49.940
Now I need to paste all this beginning from a new model.

28:56.380 --> 28:56.770
Done.

28:58.580 --> 28:59.930
Something is wrong.

28:59.930 --> 29:00.500
Where?

29:03.100 --> 29:04.540
I agree to policy.

29:08.280 --> 29:10.470
To up model local.

29:10.470 --> 29:12.270
Everything else should be okay.

29:12.270 --> 29:14.160
Everything is okay.

29:15.330 --> 29:16.350
But.

29:17.010 --> 29:19.800
To check this guy has nothing.

29:20.460 --> 29:21.330
Transito has nothing.

29:21.330 --> 29:21.480
Why?

29:21.510 --> 29:25.470
Because his destination is not there to do the destination.

29:25.620 --> 29:29.400
This is the only place where you'll use this one command.

29:29.520 --> 29:31.050
Until now we have done flex VPN.

29:31.080 --> 29:33.540
Have you ever seen that keyword flex VPN?

29:34.020 --> 29:34.920
We did not see it.

29:35.040 --> 29:36.960
It's only in the client that you see it.

29:37.800 --> 29:40.590
Crypto IKEv2 client.

29:42.300 --> 29:44.410
What client? Flex.

29:44.820 --> 29:48.420
This guy is going to be a flex VPN client name this anything.

29:48.570 --> 29:51.570
Just like we do it on a server, we name it anything.

29:51.930 --> 29:54.360
So f x.

29:55.850 --> 29:56.450
Flex.

29:57.080 --> 29:57.560
Okay.

29:57.560 --> 29:59.420
And then you have certain options.

29:59.840 --> 30:01.640
You remember some of them.

30:01.640 --> 30:04.190
The first one you'll use is here.

30:04.220 --> 30:07.910
You need to give a sequence number of the peer, right?

30:07.910 --> 30:08.120
Why?

30:08.150 --> 30:11.660
Because in this you can also have backup VPN servers.

30:11.660 --> 30:13.490
You have one flex VPN server.

30:13.490 --> 30:15.800
So the sequence number one will always be tried.

30:15.830 --> 30:18.170
If he cannot reach there, he'll go and try the second one.

30:19.980 --> 30:21.330
For tunnel destination.

30:21.630 --> 30:24.330
So you have that flexibility also on the client side.

30:24.750 --> 30:31.230
If one side is not, you have two backups to easy to flex VPN servers doing the same thing, but different

30:31.230 --> 30:32.130
IP addresses now.

30:32.130 --> 30:34.470
So if one goes down, you can reach it from the other side.

30:34.500 --> 30:36.660
All you need to do in that case is do it here.

30:36.690 --> 30:39.000
Peer one is this peer, peer two is the other one.

30:39.120 --> 30:40.830
He will always go to peer one first.

30:40.830 --> 30:45.600
If peer one is down, then he'll try peer two. What is peer one's address?

30:46.320 --> 30:47.910
So it's like priority.

30:48.510 --> 30:49.230
It's like a priority.

30:49.230 --> 30:50.100
It's like your ISAKMP.

30:50.100 --> 30:51.360
You have priorities, right?

30:51.450 --> 30:53.220
ISAKMP 10, 20, 30.

30:53.250 --> 30:55.440
Ten is tried first, then 20 is tried.

30:56.430 --> 30:57.690
My public address there.

30:57.690 --> 31:02.130
So the destination there is specified here, but I need to link them together.

31:03.030 --> 31:10.770
Client connect tunnel. Which tunnel? Connect using tunnel zero.

31:11.010 --> 31:12.960
And I also have that connect auto.

31:13.170 --> 31:17.610
But before I did that, the flex VPN client is up.

31:21.140 --> 31:21.890
What is this server?

31:21.890 --> 31:22.620
Public address.

31:22.640 --> 31:23.490
12.1.

31:23.510 --> 31:25.040
And the tunnel has been assigned.

31:25.070 --> 31:25.850
What address?

31:27.910 --> 31:28.480
21.

31:29.870 --> 31:30.800
Should I it out?

31:32.270 --> 31:33.830
Does he have that static route?

31:38.150 --> 31:39.440
He has the static route.

31:39.470 --> 31:41.480
This is one thing I wanted you to see.

31:41.810 --> 31:44.510
If I ping 10.1, will I be able to reach it?

31:45.920 --> 31:48.860
I don't have a loopback, so let's just create a loopback first.

31:55.960 --> 31:57.840
I cannot reach it from 10.5.

31:57.850 --> 32:00.790
I should be able to reach it from my normal interface.

32:01.990 --> 32:03.130
But I'm not able to.

32:03.160 --> 32:04.600
Can anyone tell me why?

32:09.320 --> 32:09.940
Because of.

32:09.980 --> 32:10.490
No.

32:11.530 --> 32:13.210
He has a static route through the tunnel.

32:13.240 --> 32:15.160
The other end point of the tunnel is one.

32:19.610 --> 32:21.440
There's one thing from here I want you to remember.

32:21.440 --> 32:22.910
So that's why I want you to think.

32:24.570 --> 32:25.320
I have the axis.

32:25.440 --> 32:27.570
So the axis is telling me to install this route.

32:27.570 --> 32:28.290
I have that route.

32:30.760 --> 32:31.260
Another out.

32:31.260 --> 32:33.390
Also, it says go through the tunnel.

32:33.600 --> 32:34.980
If I check my tunnel.

32:38.110 --> 32:39.060
My source is

32:39.070 --> 32:41.560
25.5, destination is.

32:45.670 --> 32:46.320
On one.

32:46.360 --> 32:47.650
Let's check the route on R1.

32:49.390 --> 32:50.050
I have.

32:53.020 --> 32:53.960
Have this guy, right?

32:54.410 --> 32:57.170
And I have a static route towards the virtual access.

32:59.670 --> 33:00.300
I have done it.

33:00.300 --> 33:01.860
So that's how I have 21.

33:05.220 --> 33:06.720
That's how I have 21.

33:06.720 --> 33:10.770
If I ping 21, it goes.

33:11.970 --> 33:15.360
I can ping the interface, but I cannot ping it with the source.

33:15.390 --> 33:15.660
Why?

33:21.450 --> 33:21.710
Yeah.

33:23.180 --> 33:23.630
Not any.

33:23.900 --> 33:24.710
Check this.

33:25.880 --> 33:26.820
No authorization.

33:26.840 --> 33:28.070
There is no loopback.

33:32.920 --> 33:34.060
There is no loopback.

33:34.930 --> 33:35.350
Why?

33:35.350 --> 33:36.730
I wanted you to show this.

33:36.970 --> 33:41.920
Even if there is no loopback, the route still goes in here.

33:43.210 --> 33:43.660
Why?

33:43.690 --> 33:48.730
Because this access list, which you push down, has nothing to do with if the network actually exists

33:48.730 --> 33:49.360
or not.

33:49.570 --> 33:52.570
It will just be purely what the access list states.

33:54.040 --> 33:59.680
There was no 10.11, but he still pushed that route only because the access list stated it.

34:00.070 --> 34:02.200
He does not care if it exists or not.

34:02.230 --> 34:03.610
It's just pure one command.

34:03.610 --> 34:07.390
Whatever is in here create a static route towards me using that.

34:10.240 --> 34:10.960
You understand?

34:12.580 --> 34:14.650
Show IP interface brief.

34:14.680 --> 34:16.600
These tunnels that were going down.

34:17.020 --> 34:18.700
These were the older tunnels.

34:19.720 --> 34:21.520
The one with R3 and R4, spoke

34:21.520 --> 34:22.000
to spoke.

34:22.480 --> 34:22.630
Why?

34:22.660 --> 34:24.130
Because my characteristics changed.

34:24.130 --> 34:25.260
The other side is Mgr.

34:25.440 --> 34:26.260
Sorry guy.

34:26.290 --> 34:28.900
This side is IPsec IP.

34:30.700 --> 34:32.380
That's why he's not able to create it with them.

34:32.380 --> 34:33.130
So.

34:33.550 --> 34:35.700
So that we don't see these messages.

34:35.710 --> 34:39.190
What I'll do is I'll shut these tunnels down for some time.

34:47.510 --> 34:48.050
Okay.

34:50.520 --> 34:51.360
Is this clear?

34:51.780 --> 34:53.500
Now, what do I have to do?

34:53.520 --> 34:55.290
Create that loopback interface.

34:59.640 --> 35:03.690
So R5 can ping.

35:06.070 --> 35:07.330
Not with the source.

35:07.780 --> 35:08.680
With this?

35:08.710 --> 35:09.670
Why not with the source?

35:09.670 --> 35:12.130
Because he does not know what that side is.

35:12.160 --> 35:14.860
He doesn't know what we're 10.5 is.

35:15.070 --> 35:17.020
That is network extension mode.

35:17.320 --> 35:18.610
I'll have to do it manually.

35:20.560 --> 35:21.820
I'll have to do it, man.

35:21.970 --> 35:22.990
See this?

35:25.810 --> 35:28.240
This is No, this is the static route for the tunnel.

35:28.270 --> 35:29.260
The other side of the tunnel.

35:29.350 --> 35:31.030
There's also one more thing I can do.

35:31.060 --> 35:34.450
Instead of doing route set interface, I can also do this.

35:35.260 --> 35:36.150
Client.

35:36.400 --> 35:36.790
No.

35:38.110 --> 35:40.890
Was the plan like to.

35:46.160 --> 35:46.390
Yes.

35:47.520 --> 35:49.200
Yeah, I am in the interface.

35:52.120 --> 35:52.720
No, there's.

35:52.730 --> 35:53.190
Okay.

35:53.200 --> 35:54.040
I'll have to do it here.

35:54.040 --> 35:54.640
Yes.

35:54.820 --> 35:58.090
Crypto IKEv2 client flex VPN f x.

35:59.400 --> 36:01.290
Client inside.

36:02.330 --> 36:03.170
Loopback.

36:04.340 --> 36:08.540
Zero, telling my inside is loopback zero.

36:08.790 --> 36:10.010
Remember we used to do it?

36:10.010 --> 36:11.850
Where is VPN?

36:11.870 --> 36:12.910
Inside and outside.

36:12.920 --> 36:13.280
Outside.

36:13.280 --> 36:15.110
He already knows which one is it inside.

36:15.110 --> 36:17.120
But there's a difference here when I do this.

36:23.760 --> 36:29.100
Can I beat out a static route towards one on one static route towards here?

36:32.770 --> 36:34.380
It does not have anything right?

36:36.610 --> 36:37.710
No, this should happen.

36:38.960 --> 36:39.990
I'm not telling it.

36:45.400 --> 36:46.690
He's not installing anything.

36:49.260 --> 36:51.050
You should install it on the other side.

37:00.170 --> 37:01.760
From the virtual access is down.

37:05.550 --> 37:08.940
That's what it says, but it doesn't. Usually it should PAT.

37:10.020 --> 37:12.180
That's what it says in the documentation that this should.

37:12.180 --> 37:12.750
PAT.

37:13.110 --> 37:14.790
But I tried it yesterday.

37:14.790 --> 37:15.600
It didn't work.

37:16.680 --> 37:19.440
It should PAT with 192.168.1.1.

37:21.440 --> 37:22.290
But it doesn't.

37:27.920 --> 37:28.820
There's no outside in here.

37:29.840 --> 37:36.710
There's no outside option. See, crypto IKEv2 client flex.

37:37.390 --> 37:38.190
F x.

37:38.470 --> 37:39.580
There is no outside option.

37:39.580 --> 37:42.490
You have client inside and connect.

37:42.820 --> 37:47.500
Connect is where do you connect through and inside is what is the inside.

37:49.410 --> 37:50.760
But that's one way of doing it.

37:50.760 --> 37:52.410
What is the other way of doing this?

37:53.040 --> 37:56.850
To tell him my inside networks crypto.

37:56.880 --> 37:58.410
What do I need to change on this one?

38:00.750 --> 38:03.990
The only one thing I need to change here is.

38:06.060 --> 38:07.050
Access list.

38:07.080 --> 38:09.540
Then permit.

38:11.860 --> 38:13.320
Liking it then.

38:13.330 --> 38:13.470
Now.

38:13.480 --> 38:14.650
5.5.0.

38:16.100 --> 38:17.000
And.

38:19.550 --> 38:23.660
Here will be route set access list.

38:24.380 --> 38:27.500
That's all I need to do on the client side.

38:32.470 --> 38:32.920
Done.

38:34.670 --> 38:35.110
Let's check.

38:38.520 --> 38:39.300
Clear the tunnel.

38:39.870 --> 38:41.780
You can do it as we can do it here.

38:41.790 --> 38:42.180
Like this.

38:42.630 --> 38:48.960
IKEv2, crypto IKEv2 client flex.

38:50.740 --> 38:51.300
Down.

38:51.310 --> 38:51.880
Up.

38:53.560 --> 38:54.520
Swipe out.

38:57.800 --> 38:58.310
No.

38:59.770 --> 39:00.340
Did I do it?

39:00.340 --> 39:01.000
Clearly.

39:07.020 --> 39:08.920
And I would say access list ten.

39:11.420 --> 39:15.680
Because my access list n permit now 5.0.0.

39:17.850 --> 39:18.480
This is fine.

39:18.480 --> 39:19.260
This should work.

39:21.150 --> 39:22.810
This is Access list ten.

39:25.930 --> 39:26.290
Let's go.

39:26.290 --> 39:26.830
Here.

39:28.940 --> 39:30.380
Set this down first.

39:31.670 --> 39:32.840
See, this is what I was saying.

39:32.840 --> 39:39.710
If you go to R1 right now, interface virtual template, then type tunnel, see, he'll show you a message.

39:40.760 --> 39:46.310
He also says why I have active virtual access present, so I'll have to go for here.

39:46.820 --> 39:49.760
And even I felt it.

39:50.240 --> 39:51.500
Maybe there it would not be.

39:51.980 --> 39:53.750
Maybe it was not clearing from this side.

39:54.020 --> 39:55.760
I'll say connect manual first.

39:57.060 --> 39:58.110
And then shut it.

39:59.640 --> 40:00.510
Not shut here.

40:01.020 --> 40:01.880
Interface Tunnel.

40:03.330 --> 40:04.260
I just cleared it.

40:05.130 --> 40:05.520
Clear.

40:05.520 --> 40:06.100
Crypto.

40:07.720 --> 40:09.630
IKEv2 flex VPN.

40:11.570 --> 40:12.110
Client.

40:12.650 --> 40:13.090
Flexible.

40:14.430 --> 40:15.380
Clear the client.

40:15.980 --> 40:17.240
And then I'll try it again.

40:18.200 --> 40:19.040
Now you can enter.

40:19.620 --> 40:19.730
Right.

40:19.790 --> 40:20.330
Shut.

40:22.890 --> 40:23.940
ISAKMP is off.

40:24.830 --> 40:24.980
No.

40:25.040 --> 40:25.480
Shut.

40:27.710 --> 40:27.940
ISAKMP

40:27.950 --> 40:29.780
is on and here.

40:30.670 --> 40:37.490
Crypto IKEv2, same as VPN flex, same as before.

40:37.910 --> 40:39.260
The face is up, you get an IP.

40:42.830 --> 40:45.050
You get the static route, you get this.

40:45.280 --> 40:47.660
This side should also get a.

40:50.840 --> 40:51.650
Stomping grounds.

40:54.570 --> 40:55.350
Maybe that was the case.

40:55.350 --> 40:56.200
I had to shut it.

40:56.220 --> 40:58.410
That's why he was not getting it from inside also.

41:00.470 --> 41:01.460
Now we have the inside.

41:01.930 --> 41:04.000
Now we have both inside also.

41:04.000 --> 41:05.170
And this is installing it.

41:05.170 --> 41:07.530
One of the two ways he'll do the same thing.

41:07.540 --> 41:10.990
He will also install the static route the same way when you do inside.

41:10.990 --> 41:12.610
He will not do your NATing.

41:12.640 --> 41:14.320
He will install the static route.

41:14.350 --> 41:19.120
He will take it up as the static route to the other side so the outside static is done automatically.

41:19.780 --> 41:21.640
So now my inside network.

41:24.840 --> 41:26.790
With the source to backup zero is also stuck.

41:28.260 --> 41:30.620
So headquarters and everything else is done.

41:30.630 --> 41:34.620
Now this gives you a lot of flexibility as compared to easy VPN.

41:34.920 --> 41:37.890
First, you don't have to do that split tunneling part.

41:38.370 --> 41:43.890
You can just send the networks which you want the other guy just send those specific networks to that

41:43.890 --> 41:44.100
guy.

41:46.570 --> 41:48.320
You can set no specific networks.

41:48.340 --> 41:52.330
The other thing that it does which VPN does not give you is.

41:57.790 --> 41:58.540
You can run.

42:04.210 --> 42:05.920
Can run a routing protocol over it.

42:07.630 --> 42:07.990
Why?

42:08.020 --> 42:10.120
Because now this is not a host client.

42:10.330 --> 42:11.860
This is a router as a client.

42:18.280 --> 42:20.080
I have this.

42:21.610 --> 42:22.150
He's not.

42:22.150 --> 42:23.150
He's going to take only this.

42:23.170 --> 42:23.560
Why?

42:23.590 --> 42:25.570
Because this is statically present to him.

42:25.570 --> 42:27.070
So he has a better route.

42:27.070 --> 42:28.870
But if I create another loopback.

42:33.640 --> 42:37.060
172 .5.5.5.

42:39.410 --> 42:39.690
Right.

42:39.710 --> 42:43.070
And in my I'll say.

42:48.200 --> 42:49.820
Yeah, it'll work both ways.

42:51.410 --> 42:53.240
It's easier to share my routes.

43:01.370 --> 43:05.290
Not the functionality with easy VPN, although easy VPN.

43:05.300 --> 43:09.170
You can also do this reverse route injection on both sides.

43:09.530 --> 43:12.320
You'll have to do some extra steps on the client side.

43:12.320 --> 43:16.400
So he also gets a because remember easy VPN, he didn't have that the same problem.

43:16.640 --> 43:18.650
There was a virtual template on the other side.

43:18.680 --> 43:21.590
He didn't have that route to where that guy is.

43:21.590 --> 43:23.450
That's why he could not ping that interface.

43:24.650 --> 43:28.850
Remember, he could not ping the interface, but he could ping the inside networks.

43:29.390 --> 43:33.350
If he can get that one interface set, you can run routing protocols over that also.

43:33.350 --> 43:35.030
But it's more complicated here.

43:35.060 --> 43:36.290
See how simple this is?

43:38.650 --> 43:43.810
All you have to do is just route set interface, route set access, IP local pool and push the pool

43:43.810 --> 43:45.370
down from one side to the other side.

43:45.370 --> 43:45.910
And it's done.

43:48.250 --> 43:52.870
How much was different between the MVP and an easy VPN on flex?

43:52.870 --> 43:53.710
Not much.

43:54.910 --> 43:58.540
All you have to do is learn that basic set up first.

43:59.230 --> 44:01.870
That basic setup is same in all three.

44:02.920 --> 44:05.080
This basic setup is same in all three.

44:05.560 --> 44:08.530
What authorization profiles?

44:09.460 --> 44:14.500
Call them inside your profiles and then you have either a normal tunnel or a virtual tunnel.

44:15.520 --> 44:17.140
Not more than that one.

44:17.140 --> 44:17.860
Normal tunnel.

44:17.860 --> 44:18.760
One virtual tunnel.

44:20.930 --> 44:23.420
The two tunnels are only used in spoke to spoke.

44:23.570 --> 44:27.440
The others have one static tunnel from down and one DVT on the top.

44:31.220 --> 44:31.880
Authentication.

44:31.880 --> 44:32.450
Which one?

44:32.450 --> 44:35.300
Here you don't have that same Xauth you had before.

44:38.150 --> 44:39.140
We can try.

44:39.380 --> 44:40.370
We can try.

44:40.400 --> 44:44.180
Remember what we have at that time for authentication.

44:44.180 --> 44:51.170
What did we use to do? AAA authentication login.

44:51.680 --> 44:52.970
Call it anything.

44:53.510 --> 44:56.480
Local username.

44:58.400 --> 44:58.970
Password.

45:00.890 --> 45:01.400
Cisco.

45:03.040 --> 45:04.030
Copy this.

45:05.110 --> 45:05.530
Bring it.

45:05.530 --> 45:05.800
Where?

45:09.120 --> 45:09.780
Here.

45:11.610 --> 45:17.820
Okay, where we used to call it inside our profile, crypto IKEv2 profile.

45:19.460 --> 45:20.000
Ike.

45:20.980 --> 45:22.230
But maybe we can.

45:23.320 --> 45:26.590
NDB indication authentication.

45:29.960 --> 45:31.660
No, this is the normal authentication.

45:31.670 --> 45:32.510
Local pre-share.

45:33.960 --> 45:34.900
A Yes.

45:35.480 --> 45:37.880
A authentication.

45:39.470 --> 45:39.860
No.

45:39.860 --> 45:40.990
You can only do it with EAP.

45:41.030 --> 45:45.200
Yes, you can only do it with the protocol called EAP.

45:45.620 --> 45:48.230
User based, used with the triple A.

45:49.400 --> 45:50.690
You cannot do it locally here.

45:51.890 --> 45:55.280
EAP is only done with the triple A, so you have to call the list.

45:56.200 --> 46:02.560
That list should not be local, should be pointing to a group which is RADIUS server and the username

46:02.560 --> 46:08.230
and password should be there and then he will check it from there and then he'll push it down.

46:10.260 --> 46:17.900
Is extensible authentication protocol used for communication between your triple A server and the authenticator

46:20.270 --> 46:21.140
and the authenticator.

46:21.170 --> 46:22.760
This is that protocol that is used.

46:22.790 --> 46:28.370
That's why you have a username and password is used to add an.

46:30.310 --> 46:30.970
Athenaeus.

46:30.970 --> 46:32.380
And then where?

46:32.410 --> 46:35.650
There we do that when you do a local.

46:36.010 --> 46:43.780
We used to do RADIUS and local, remember, but this is just a, he only supports EAP. In authorization

46:43.780 --> 46:44.860
he does support group.

46:46.570 --> 46:53.020
I showed you the group and the user in authorization but in authentication he only supports EAP.

46:53.950 --> 46:56.560
The authentication should not be done locally should be done.

46:56.590 --> 47:01.720
EAP the local which you're talking about, we do it if we have console backup here.

47:01.720 --> 47:02.740
I'm not doing it for console.

47:02.740 --> 47:09.700
This is for remote users login, so I don't need to protect my console, I don't need to protect my

47:09.700 --> 47:10.690
console in that way.

47:12.980 --> 47:13.460
Okay.

47:14.800 --> 47:17.670
People like crypto policy?

47:17.670 --> 47:18.630
I don't think so.

47:19.530 --> 47:21.570
We'll still try crypto IKEv2.

47:21.600 --> 47:22.830
We have authorization policy.

47:22.830 --> 47:24.300
There's no authentication policy.

47:25.050 --> 47:26.700
Authorization policy is why?

47:26.730 --> 47:27.900
What to push down.

47:27.900 --> 47:28.360
What to do.

47:28.380 --> 47:29.610
Authentication is separate from.

47:32.120 --> 47:35.780
Okay, Claire, any more questions?

47:36.830 --> 47:38.450
This is the end of Flex.

47:39.260 --> 47:40.490
Flex is finished.

47:42.550 --> 47:43.600
Anything else?

47:43.630 --> 47:46.960
As I said before, the clients have not been developed for it yet.

47:46.990 --> 47:48.850
They're still in testing.

47:49.630 --> 47:53.440
The clients, the flex, like you have easy VPN, you have a separate client.

47:53.560 --> 47:55.660
It's not the same for Flex right now.

47:55.690 --> 47:59.380
They are in development phases, so you'll get it soon.

47:59.380 --> 48:03.280
Even the documentation, if you check on Cisco, it's not complete yet.

48:03.940 --> 48:05.140
It's only a few pieces.

48:05.140 --> 48:07.060
They're missing bytes bits a lot.

48:07.090 --> 48:07.420
Why?

48:07.450 --> 48:08.740
Because it's a new technology.

48:08.740 --> 48:10.720
They're creating new stuff about it.

48:10.720 --> 48:14.110
But again, whatever is new in technology is in demand.

48:17.990 --> 48:19.640
Do you know which ones?

48:19.770 --> 48:20.210
Jai.

48:20.590 --> 48:21.750
Jai, Which one?

48:21.770 --> 48:23.240
The ACM.

48:23.630 --> 48:25.880
ACM Can the iOS.

48:26.270 --> 48:29.000
Jai may be, obviously.

48:32.550 --> 48:34.980
Cisco communication professional Cisco.

48:35.010 --> 48:42.290
I have never personally used it, but also checking on the Internet is very easy to configure with all

48:42.300 --> 48:47.670
these all of these things, you can use it to configure all of those policies and you can push them

48:47.670 --> 48:47.970
down.

48:48.720 --> 48:56.220
Destination What kind of, you know, the address address and that address and what commands it ran

48:56.250 --> 48:57.120
in the background.

48:57.390 --> 49:03.590
And it shows you all the commands just like ASDM does, but do the configuration pasting.

49:03.660 --> 49:07.300
It shows all the this is what I'm going to use in production.

49:07.530 --> 49:07.870
Yeah.

49:08.790 --> 49:12.570
Employee goes to client side and just copies this.

49:13.740 --> 49:14.010
Yeah.

49:15.330 --> 49:18.420
And all the other kind of stuff can but troubleshooting you

49:21.840 --> 49:23.100
can do at that time right.

49:23.100 --> 49:26.070
So it's good I mean once you know this.

49:26.070 --> 49:26.670
Yes, yes.

49:26.760 --> 49:28.800
Then it's okay to do that.

49:28.800 --> 49:30.510
But it's not good to start from there.

49:30.510 --> 49:31.300
And come here.

49:31.750 --> 49:34.750
But what I'm saying is it's a very good thing.

49:34.750 --> 49:41.020
Yeah, but as Jessica in the lab should be done in the end, it's not good if you look at the lab first

49:41.020 --> 49:44.800
and then start studying the process.

49:44.800 --> 49:48.070
So don't look at the lab first, do everything, and then go to the lab.

49:48.430 --> 49:49.390
Same way.

49:49.420 --> 49:51.910
First this, and then that is the.

49:51.910 --> 49:53.350
That is the shortcut for time.

49:54.010 --> 49:54.250
Yes.

49:55.840 --> 49:56.350
Nice.

49:57.770 --> 49:58.140
Three.

49:59.520 --> 50:00.190
Predecessors.

50:01.280 --> 50:02.000
Predecessors.

50:02.360 --> 50:03.290
What kind of predecessors?

50:04.370 --> 50:04.750
The easy.

50:05.180 --> 50:05.780
No, no, no.

50:05.810 --> 50:07.340
It's not backward compatible.

50:07.950 --> 50:09.590
You mean backward compatibility?

50:09.650 --> 50:13.960
Key Flex VPN server, Easy VPN, Client Easy VPN uses.

50:13.970 --> 50:14.420
I can

50:17.180 --> 50:21.350
remember, the client which is created uses IKEv1 policies. IKEv2,

50:21.380 --> 50:23.420
They'll have to create a completely different protocol.

50:23.420 --> 50:23.810
Why?

50:23.840 --> 50:25.970
Because the packet exchange is completely different.

50:26.450 --> 50:29.960
And that was my IKE, six messages plus three messages.

50:29.960 --> 50:31.340
Here it's completely different.

50:31.340 --> 50:36.260
So the client also has to support remote access here.

50:36.590 --> 50:37.280
Remote access.

50:39.590 --> 50:45.380
There is no client right now for remote access, There is no remote access client right now, but they'll

50:45.380 --> 50:51.710
develop probably VPN version that will support IKEv2 and all the other kind of new technologies

50:56.570 --> 51:03.710
to support the already accomplished between those he will support, as in which case

51:06.350 --> 51:08.870
the VPN server client or flex as a whole.

51:09.920 --> 51:12.560
So you can accomplish that.

51:13.790 --> 51:15.800
No, I saw the documentation yesterday.

51:15.830 --> 51:23.270
What it is is easy VPN, you create a redundant flex VPN over there, then migration over the migration

51:23.270 --> 51:23.810
will be easy.

51:23.810 --> 51:24.830
That's what it says.

51:24.920 --> 51:31.390
I've read that document, the migration will be but backward compatibility that flex VPN server, easy

51:31.430 --> 51:35.390
VPN client that's backward compatibility that will not be there.

51:35.420 --> 51:39.170
It will support when the client is updated that will run both.

51:39.170 --> 51:42.080
They'll be able to run easy VPN as well as this.

51:42.080 --> 51:48.620
So here you cannot connect to this using an easy VPN client or you cannot have a flex VPN client and

51:48.620 --> 51:52.160
connect it to an easy VPN server AC compatibility.

51:52.520 --> 51:59.490
But yeah, in a network you can run both the easy VPN server, run this router, flex VPN, but easy

51:59.490 --> 52:03.690
VPN client should be easy VPN, but flex VPN client should be flex VPN.

52:04.740 --> 52:06.930
The functionality will be exactly the same.

52:06.930 --> 52:09.060
We'll provide you the same functions on both.

52:11.000 --> 52:11.480
Okay.

52:11.780 --> 52:20.120
So on the client side, you used save one and then yeah, so that is if I have multiple flex VPN servers,

52:20.870 --> 52:24.920
I have one and second one as a backup one.

52:26.240 --> 52:28.490
The one is the priority number.

52:28.940 --> 52:30.680
The first priority will be given to this.

52:30.710 --> 52:34.160
If this is down, then second will be the priority.

52:34.160 --> 52:35.440
So we'll go to the second one.

52:35.450 --> 52:37.450
If that is down, he'll go to the third one.

52:37.460 --> 52:41.300
Basically trying with this server doesn't work, tries with this server, it doesn't work, tries with

52:41.300 --> 52:41.750
this server.

52:42.740 --> 52:45.320
So different servers right now only have R1 as the server.

52:45.620 --> 52:48.760
I can have R2 as the server also or R3 as the server also.

52:48.770 --> 52:55.340
So first he'll always go to R1 for priority basis, but if R1 is down in any case for redundancy he'll

52:55.340 --> 52:55.880
go to R2.

52:59.340 --> 53:00.090
Is this clear?

53:01.380 --> 53:02.190
Everybody.

53:04.150 --> 53:05.590
To finish it off with Flex.

53:08.350 --> 53:09.170
Yes.

53:09.190 --> 53:09.660
Yes.

53:10.930 --> 53:11.510
All right.

53:12.760 --> 53:14.260
That is your flex VPN.

53:14.290 --> 53:15.220
All three.
