TASK 1.1: BASIC SITE-TO-SITE VPN BETWEEN TWO ROUTERS USING MAIN MODE

Configure the network as shown in the topology.



Configure a basic site-to-site VPN between R1 and R2 such that traffic between Loopback 0 of the
two peers is protected, using the following parameters.

ISAKMP POLICY (Phase-1):

Encryption algorithm:   aes
Hash algorithm:         md5
DH group:               5
Authentication method:  pre-shared key (Nh12345)
Lifetime:               43200 seconds

Note: main mode is the IOS default for IKEv1 with a pre-shared key bound to the peer's address, so
nothing extra has to be configured to select it; aggressive mode is used only when it is explicitly
configured for the peer.


IPSEC POLICY (Phase-2):

Encapsulation-Encryption:  esp-des
Encapsulation-Hash:        esp-sha-hmac

Note: md5, DES and DH group 5 are used here only because the task mandates them. All three are
considered weak today; in production prefer AES-256, a SHA-2 hash and DH group 14 or higher. Some
recent IOS XE releases refuse to accept these weak algorithms unless "crypto engine compliance shield
disable" has been configured first.


Solution:

STEP 0:

Before starting the VPN configuration, check reachability between the VPN peers.

Note: R3, the transit router between the peers, has no routes to the loopbacks of R1 and R2 (the
interesting traffic). R3 does not need them: once the tunnel is up it only forwards ESP packets
between the peer addresses 10.1.1.1 and 10.1.2.2. R1 and R2, however, need the following static
routes so that packets for the remote loopback are sent out of the interface that carries the crypto
map, where they are matched by the crypto ACL and encrypted.

R1(config)#ip route 10.1.2.0 255.255.255.0 10.1.1.5

R1(config)#ip route 2.2.2.2 255.255.255.255 10.1.1.5

R2(config)#ip route 1.1.1.1 255.255.255.255 10.1.2.5

R2(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.5

Verification:

R1#ping 10.1.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 64/75/88 ms


R1 Configuration:

Step 1: Configure ISAKMP Policy

R1(config)#crypto isakmp policy 1

R1(config-isakmp)#encryption aes

R1(config-isakmp)#hash md5

R1(config-isakmp)#group 5

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#lifetime 43200

R1(config-isakmp)#exit

Step 2: Configure ISAKMP Key

R1(config)#crypto isakmp key 0 Nh12345 address 10.1.2.2

//The key must be identical on both peers and is bound to the peer's address. Type 0 stores it in
  clear text in the running configuration, so anyone who can read "show running-config" gets the
  key. In production, enable "key config-key password-encryption" and "password encryption aes" so
  the key is kept as an AES-encrypted type 6 secret instead//

Step 3: Configure Mirrored ACL/Crypto ACL for interesting traffic

R1(config)#access-list 111 permit ip host 1.1.1.1 host 2.2.2.2

//This ACL defines the proxy-ids (local and remote traffic selectors). The peer must have the exact
  mirror image (source and destination swapped); anything else causes a proxy-id mismatch in
  Phase 2 and the tunnel will not come up//

Step 4: Configure Transform set

R1(config)#crypto ipsec transform-set TFS esp-des esp-sha-hmac

R1(cfg-crypto-trans)#mode tunnel

//Tunnel mode (the default) is required here because the VPN peer addresses and the proxy-ids
  (the loopbacks) are different. Transport mode only works when the protected traffic is between
  the peer addresses themselves//

R1(cfg-crypto-trans)#exit

Step 5: Configure Crypto Map

R1(config)#crypto map CRYMAP 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

               and a valid access list have been configured.

//This message says that the crypto map entry stays inactive until a peer address and a valid
  (mirrored) crypto ACL have been configured for it//

R1(config-crypto-map)#set peer 10.1.2.2

R1(config-crypto-map)#match address 111

R1(config-crypto-map)#set transform-set TFS

R1(config-crypto-map)#exit


Step 6: Apply Crypto Map to an Interface

R1(config)#interface fastEthernet 0/0

R1(config-if)#crypto map CRYMAP

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

//ISAKMP is enabled//

R1(config-if)#exit


R2 Configuration:

Do the same configuration on R2. The only differences are the mirrored ACL and the peer address in
the key configuration and in the crypto map.

Step 1: Configure ISAKMP Policy

R2(config)#crypto isakmp policy 1

R2(config-isakmp)#encryption aes

R2(config-isakmp)#hash md5

R2(config-isakmp)#group 5

R2(config-isakmp)#authentication pre-share

R2(config-isakmp)#lifetime 43200

R2(config-isakmp)#exit

Step 2: Configure ISAKMP Key

R2(config)#crypto isakmp key 0 Nh12345 address 10.1.1.1

Step 3: Configure Mirrored ACL/Crypto ACL for interesting traffic

R2(config)#access-list 111 permit ip host 2.2.2.2 host 1.1.1.1

Step 4: Configure Transform set

R2(config)#crypto ipsec transform-set TFS esp-des esp-sha-hmac

R2(cfg-crypto-trans)#mode tunnel

R2(cfg-crypto-trans)#exit

Step 5: Configure Crypto Map

R2(config)#crypto map CRYMAP 1 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

               and a valid access list have been configured.

R2(config-crypto-map)#set peer 10.1.1.1

R2(config-crypto-map)#match address 111

R2(config-crypto-map)#set transform-set TFS

R2(config-crypto-map)#exit


Step 6: Apply Crypto Map to an Interface

R2(config)#interface fastEthernet 0/0

R2(config-if)#crypto map CRYMAP

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R2(config-if)#exit
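The R1 and R2 configurations above are mirror images of each other, and most site-to-site failures
come from that mirror being imperfect (an ACL entry not reversed, a key typed differently on one
side, a policy that only one peer has). The following Python script is an added example written for
this page, not part of the original lab or of any Cisco tool: it parses the crypto-related lines of
both running configurations offline and reports the mismatches that would break the tunnel, plus
the weak algorithms this task mandates. Assumptions: the sample configurations are constructed from
the commands above in the form "show running-config" prints them (type 0 keys appear without the
"0"); crypto map entries are paired positionally; the parser only understands the commands used in
this task; the weak-algorithm lists are the author's choice.

```python
# Added example (not from the original lab): an offline consistency audit of two Cisco IOS
# crypto-map peers. It parses the relevant running-config lines of both routers and reports
# the usual tunnel breakers (non-mirrored crypto ACL, PSK mismatch, no common ISAKMP policy,
# transform-set mismatch) as ERROR and the weak algorithms this task mandates as WARN.
import re

ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}  # IOS values for fields not shown
WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_DH = {"1", "2", "5"}
ACL_RE = re.compile(r"access-list (\S+) permit ip (host \S+|any|\S+ \S+) (host \S+|any|\S+ \S+)")

# Constructed sample input: R1's configuration from this task, as 'show run' prints it.
R1_CONFIG = """\
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 5
 lifetime 43200
crypto isakmp key Nh12345 address 10.1.2.2
crypto ipsec transform-set TFS esp-des esp-sha-hmac
 mode tunnel
crypto map CRYMAP 1 ipsec-isakmp
 set peer 10.1.2.2
 set transform-set TFS
 match address 111
access-list 111 permit ip host 1.1.1.1 host 2.2.2.2
"""
# R2 differs only in the peer address and the mirrored ACL, as the lab text says.
R2_CONFIG = (R1_CONFIG.replace("10.1.2.2", "10.1.1.1")
             .replace("host 1.1.1.1 host 2.2.2.2", "host 2.2.2.2 host 1.1.1.1"))

def parse_config(text):
    cfg = {"policies": [], "keys": {}, "acls": {}, "tsets": {}, "maps": []}
    kind = obj = None                             # indented section currently open
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            kind = None
        elif line.startswith(" "):                # indented line belongs to the open section
            if kind == "policy":
                obj["encr" if w[0] in ("encr", "encryption") else w[0]] = w[1]
            elif kind == "tset" and w[0] == "mode":
                obj["mode"] = w[1]
            elif kind == "map" and len(w) == 3 and w[1] in ("peer", "transform-set", "address"):
                obj[w[1]] = w[2]
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            kind, obj = "policy", dict(ISAKMP_DEFAULTS, priority=int(w[3]))
            cfg["policies"].append(obj)
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            kind, obj = "tset", {"algs": frozenset(w[4:]), "mode": "tunnel"}
            cfg["tsets"][w[3]] = obj
        elif w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":
            kind, obj = "map", {"seq": int(w[3]), "peer": None, "transform-set": None, "address": None}
            cfg["maps"].append(obj)
        else:
            kind = None
            if w[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key [0|6] <key> address <peer>
                i = w.index("address")
                cfg["keys"][w[i + 1]] = {"type": w[3] if i == 5 else "0", "key": w[i - 1]}
            elif m := ACL_RE.match(line):
                cfg["acls"].setdefault(m[1], []).append((m[2], m[3]))
    cfg["policies"].sort(key=lambda p: p["priority"])  # IOS offers/evaluates lowest number first
    return cfg

def audit(a, b, na="A", nb="B"):
    out = []
    pairs = [(pa, pb) for pa in a["policies"] for pb in b["policies"]
             if all(pa[k] == pb[k] for k in ("encr", "hash", "authentication", "group"))]
    if not pairs:
        out.append(("ERROR", "no ISAKMP policy agrees on encr/hash/authentication/group"))
    else:
        pa, pb = pairs[0]                         # first initiator policy the responder accepts
        out.append(("INFO", f"phase 1: {pa['encr']} {pa['hash']} group {pa['group']}, lifetime "
                    f"{min(int(pa['lifetime']), int(pb['lifetime']))}s (the shorter value wins)"))
    for name, cfg in ((na, a), (nb, b)):
        for p in cfg["policies"]:
            for k in ("encr", "hash", "group"):
                if p[k] in (WEAK_DH if k == "group" else WEAK_ALGS):
                    out.append(("WARN", f"{name} ISAKMP policy {p['priority']}: weak {k} {p[k]}"))
        for peer, key in cfg["keys"].items():
            if key["type"] == "0":
                out.append(("WARN", f"{name}: PSK for {peer} is type 0 (clear text in the config)"))
    for ma, mb in zip(a["maps"], b["maps"]):      # entries paired positionally (assumption)
        ka, kb = a["keys"].get(ma["peer"]), b["keys"].get(mb["peer"])
        if not (ka and kb) or (ka["type"] == kb["type"] == "0" and ka["key"] != kb["key"]):
            out.append(("ERROR", f"seq {ma['seq']}: pre-shared key missing or different"))
        ea = set(a["acls"].get(ma["address"], []))
        eb = {(d, s) for s, d in b["acls"].get(mb["address"], [])}   # B's entries reversed
        if ea != eb:
            out.append(("ERROR", f"seq {ma['seq']}: ACL {ma['address']} on {na} is not the mirror "
                        f"of ACL {mb['address']} on {nb}; unmatched: {sorted(ea ^ eb)}"))
        ta, tb = a["tsets"].get(ma["transform-set"]), b["tsets"].get(mb["transform-set"])
        if ta is None or ta != tb:
            out.append(("ERROR", f"seq {ma['seq']}: transform set undefined or different"))
        elif ta["algs"] & WEAK_ALGS:
            out.append(("WARN", f"seq {ma['seq']}: transform set uses weak {sorted(ta['algs'] & WEAK_ALGS)}"))
    return out
```

Run it as `audit(parse_config(R1_CONFIG), parse_config(R2_CONFIG), "R1", "R2")`: for the lab
configuration it reports no ERROR, an INFO line showing the Phase 1 parameters the peers will agree
on, and WARN lines for md5, DH group 5, esp-des and the clear-text type 0 keys. Changing a single
host address in R2's ACL, one character of R2's key, or R2's hash algorithm produces the
corresponding ERROR, which is exactly what you would otherwise have to dig out of "debug crypto
isakmp" on the router.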



VERIFY THE CONFIGURATION:

(The command output was captured as screenshots in the original and is not reproduced here.)

R1#show crypto isakmp policy

This command displays the ISAKMP policy we have configured along with the default policy.

R1#show access-lists 111

This command displays our proxy-id (the interesting traffic that has to be protected).

R1#show crypto ipsec transform-set

This command displays the transform-set we have configured.

R1#show crypto map

This command displays the crypto map we have configured and the interface on which we have
applied it.

R1#show crypto map interface fastEthernet 0/0

This command displays the crypto map applied on that particular interface.


Let's generate traffic between the proxy-ids (interesting traffic):

R1#ping 2.2.2.2 source loopback 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5)

//The first echo is lost: it is the packet that triggers the ISAKMP Phase 1 and Phase 2
  negotiation and it is dropped while the SAs are still being built. Once the SAs exist the
  remaining echoes succeed, and a second ping should return 5/5//



R1#show crypto isakmp sa

This command displays the SA created for the ISAKMP (Phase 1) tunnel; after a successful main
mode exchange its state is QM_IDLE.

R1#show crypto isakmp sa detail

This command displays detailed information about the SA, including the ISAKMP policy parameters
negotiated for the Phase 1 tunnel.

R1#show crypto ipsec sa

This command displays the two SAs created for the Phase 2 tunnel, one inbound and one outbound ESP
SA, each with its own SPI. The #pkts encaps/decaps counters should match the echoes that went
through the tunnel.

R1#show crypto session

This command displays the session formed between the VPN peers and shows that the session is up
and active (UP-ACTIVE).