WEBVTT

00:01.350 --> 00:01.890
All right.

00:02.160 --> 00:04.020
So this is what we are going to do.

00:04.710 --> 00:08.670
Now, yesterday we did create a tunnel between R1 and R3.

00:09.180 --> 00:12.360
I'm going to do it again a little quickly this time.

00:13.930 --> 00:14.340
Okay.

00:14.340 --> 00:16.140
And I'm not going to use routers here.

00:16.140 --> 00:22.020
I'm going to use these loopbacks since I showed you yesterday how a loopback is just another network

00:22.020 --> 00:23.110
behind R1.

00:24.230 --> 00:24.540
Right.

00:24.540 --> 00:28.710
We'll do that just as it is and we'll see how the tunnel will be created.

00:29.640 --> 00:34.170
Okay, let's configure it starting from R1.

00:35.880 --> 00:38.460
This is 0000.

00:38.610 --> 00:39.090
Fine.

00:45.120 --> 00:46.860
This is 151 12.1.

01:15.710 --> 01:16.760
Loopback on R3.

01:21.960 --> 01:25.500
I need to know finally are to.

01:46.590 --> 01:48.080
No need for anything else.

01:48.710 --> 01:50.030
One should be able to talk.

01:50.030 --> 01:51.460
Where to?

01:51.500 --> 01:52.280
23 points.

01:53.840 --> 01:55.040
That is the whole purpose.

02:14.010 --> 02:14.730
Tell that to.

02:29.730 --> 02:31.350
So first thing is you make sure is what?

02:33.840 --> 02:40.230
The first thing that you always check is what? Connectivity between the two edges.

02:40.230 --> 02:42.510
So you're connected via the Internet.

02:42.540 --> 02:45.510
You need to make sure that R1 and R3 are able to communicate to each other.

02:46.440 --> 02:51.300
Site-to-site VPN: connecting one site to another site.

02:52.710 --> 02:53.220
Okay.

02:53.250 --> 02:55.490
This is the most basic form of site-to-site VPN.

02:55.500 --> 02:59.610
So this guy and this guy I need to create the tunnel.

02:59.850 --> 03:03.060
When I create the tunnel, the first tunnel that is going to be created is going to be.

03:03.060 --> 03:03.660
Which one?

03:06.930 --> 03:09.190
ISAKMP.

03:09.200 --> 03:10.280
How many phases?

03:11.660 --> 03:12.350
Nine packets.

03:12.350 --> 03:13.520
But how many phases?

03:14.300 --> 03:15.110
Two phases.

03:15.590 --> 03:19.130
First phase is six packets, which is also known as main mode.

03:19.640 --> 03:23.150
Second phase is the other three packets, which is the quick mode.

03:23.420 --> 03:26.990
The transform set exchange and everything.

03:27.500 --> 03:28.010
Right.

03:28.130 --> 03:30.950
At the end of the nine packets, what is going to be created?

03:32.300 --> 03:33.130
Phase two tunnel.

03:34.490 --> 03:38.360
Hard to have information, without any doubt at all.

03:38.360 --> 03:39.050
Not at all.

03:39.680 --> 03:42.110
How did you know and how did it know?

03:42.590 --> 03:46.730
What does work end to end?

03:46.940 --> 03:49.830
What happens is that is the whole point.

03:49.850 --> 03:56.480
When 10.1.1.1 now sends a ping to 10.3.3.3.

03:57.710 --> 03:58.220
Okay.

04:00.060 --> 04:01.110
What happens here?

04:01.320 --> 04:02.280
Encapsulation.

04:02.880 --> 04:04.290
What is encapsulation?

04:06.850 --> 04:07.720
ESP is added.

04:09.970 --> 04:11.890
Even without configuring anything.

04:12.220 --> 04:12.920
How did it work?

04:12.940 --> 04:15.950
Come and ask if you didn't have any information regarding.

04:16.430 --> 04:20.560
But here I didn't ping from 10.1 to 10.3; I pinged from public to public.

04:21.790 --> 04:26.500
Right now you're talking about right now but as needed striping.

04:29.740 --> 04:34.930
Only from edges, only from the side edge router to the edge router from the public IP to the public

04:34.930 --> 04:35.140
IP.

04:35.920 --> 04:41.290
Once the VPN is set up, your packet will look like

04:41.290 --> 04:41.950
this.

04:42.760 --> 04:43.720
Like what?

04:44.050 --> 04:56.680
This will be 151.12.1 to 151.23.3, and this part will be encrypted, hidden, right?

04:57.640 --> 05:01.930
So when this packet reaches R2, which part of this packet does he see?

05:06.100 --> 05:11.980
R2 makes a routing decision based on this header, which is 12.1 to 23.3.

05:12.700 --> 05:19.150
Now, practically speaking, 23.3 will not be directly connected to this Internet ISP, so it will have

05:19.150 --> 05:26.230
to route it through across the whole globe until it reaches the destination, which is okay, because

05:26.230 --> 05:34.510
that whole routing will be done based on this header only from 12.1 to 23.3 where he doesn't even require

05:34.510 --> 05:35.110
12.1.

05:35.110 --> 05:37.240
He only needs to know where 23.3.

05:38.320 --> 05:43.210
So all of these routers in the middle, they'll try to take the packet to this destination.

05:44.170 --> 05:47.590
That's how I can simulate this cloud because that is what the cloud would do.

05:48.100 --> 05:49.150
It is the Internet.

05:49.660 --> 05:51.070
It has to behave like that.

05:52.390 --> 05:57.130
Once you send a packet for a destination address, it will take it to the destination address.

05:57.310 --> 06:00.830
When it reaches the destination address, then again, decapsulation happens.

06:00.850 --> 06:03.400
It sees what's inside the packet and so on and so forth.

06:05.590 --> 06:10.690
Okay, Now let's configure it again quickly.

06:11.290 --> 06:12.850
Just a recap of yesterday.

06:12.970 --> 06:14.080
What is step one

06:18.280 --> 06:28.960
Crypto isakmp policy, then encryption, authentication.

06:29.830 --> 06:33.340
Pre-share, hash.

06:34.180 --> 06:37.360
Let's say MD5 or SHA, and group.

06:39.790 --> 06:40.210
Correct.

06:41.050 --> 06:45.310
Second step, packet number five.

06:45.340 --> 06:45.760
Right.

06:46.210 --> 06:49.330
Crypto isakmp key cisco address.

06:49.330 --> 06:50.550
Which address is this?

06:52.270 --> 06:54.210
151 .13..

06:56.080 --> 07:09.650
Step three is what? Transform set, packets number seven and eight: crypto ipsec transform-set tset esp, esp

07:11.000 --> 07:13.070
MD5, any one of the 25.

07:17.900 --> 07:18.830
Step number four.

07:21.770 --> 07:23.990
Now I need to bring it to the crypto map.

07:23.990 --> 07:31.610
But crypto map requires one more extra step so that the crypto map is activated, which is access-list

07:31.610 --> 07:40.790
101 permit ip from 10.1.1.0 going to 10.3.3.0.

07:43.700 --> 07:49.040
Finally, step five is crypto map, map 10.

07:49.370 --> 07:51.440
What is it linking IPsec to?

07:52.550 --> 07:52.820
That's it.

07:52.820 --> 07:56.570
Now the first thing you always do is match address.

07:56.570 --> 07:59.720
Now it doesn't have any order, but this is the order

07:59.720 --> 08:00.500
it checks it in.

08:00.710 --> 08:04.010
The first thing that it checks is match address 101.

08:04.910 --> 08:05.780
Set.

08:07.340 --> 08:07.910
Transform.

08:07.910 --> 08:08.420
Set.

08:09.320 --> 08:09.500
Key.

08:09.530 --> 08:09.950
Set.

08:11.910 --> 08:12.660
Set

08:12.660 --> 08:22.320
peer, which gets 151.23. Step six: apply it on the interface, interface

08:22.530 --> 08:24.810
zero zero, crypto map.

08:27.910 --> 08:33.960
Then go to one paste it.

08:37.120 --> 08:37.750
ISAKMP is on.

08:40.660 --> 08:42.310
500, 4500 is on.

08:44.080 --> 08:45.040
Go to three.

08:52.780 --> 08:53.070
Sorry.

08:54.680 --> 08:55.190
Copy paste.

08:56.120 --> 09:02.510
Now on the other router, I will go back and change the stuff which I need to change, but I'll keep

09:02.510 --> 09:04.850
this as it is for R1 because I want to create another tunnel.

09:05.750 --> 09:07.400
So this will be for R1.

09:18.190 --> 09:24.470
I'll just copy it, paste it, flip this part.

09:27.010 --> 09:27.150
Right.

09:27.350 --> 09:28.790
And this becomes what?

09:31.070 --> 09:33.560
12.1. Going from top to bottom.

09:33.560 --> 09:39.980
This is encryption, pre-share, hash, group two, crypto key, addresses.

09:40.790 --> 09:44.030
12.1. Talking about R3, from R3.

09:44.030 --> 09:46.880
The address is 12.1, correct.

09:47.000 --> 09:54.230
Then transform set, tset again, ESP 3DES, same; then your ACL will be flipped.

09:54.440 --> 09:55.370
So there it was.

09:55.370 --> 09:56.330
One, two, three.

09:56.360 --> 09:59.000
Here it's 3 to 1; match address is correct.

09:59.000 --> 10:00.170
What else do I need to change?

10:01.370 --> 10:08.990
Set peer command would be 12.1, and then crypto map, copy.

10:15.390 --> 10:18.780
ISAKMP is on.

10:20.340 --> 10:21.580
What else do I need to do?

10:21.600 --> 10:23.820
I will open my Wireshark, check.

10:23.940 --> 10:29.670
Now, yesterday when I did this, I was using AH, and we saw how the packet looked like.

10:29.670 --> 10:30.480
Looks like.

10:30.600 --> 10:34.530
Today I'm going to do the same thing.

10:34.530 --> 10:36.390
But now I added ESP.

10:36.420 --> 10:44.370
Instead of using AH header here, I could have said AH MD5, but I used ESP header.

10:46.440 --> 10:47.870
He is the author.

10:47.950 --> 10:49.030
So let's try.

10:49.480 --> 10:53.230
How do I make sure the interesting traffic passes through?

10:53.800 --> 10:56.650
I'll ping 10.1.1.1 with the source of 10 dot.

10:58.540 --> 10:59.830
This is the interesting traffic, right?

11:00.220 --> 11:02.990
It will hit the interface the moment it hits the interface.

11:03.010 --> 11:04.540
The traffic will be triggered.

11:06.100 --> 11:09.970
So if I ping 10.1 directly: U, U, U, U, U.

11:10.300 --> 11:12.130
Who's sending me the U's there?

11:12.130 --> 11:13.150
Not from this side.

11:13.150 --> 11:15.370
Let's do from R1: ping

11:15.370 --> 11:16.660
10.3.3.3.

11:16.690 --> 11:17.460
It will not go through.

11:17.470 --> 11:17.860
Why.

11:17.890 --> 11:20.350
Because the service provider does not know where it is.

11:23.020 --> 11:32.530
Right now what I'm doing is, if I'm sending a direct ping without the source address to 10.3.3.3,

11:32.560 --> 11:34.270
it is going to the interface.

11:34.570 --> 11:39.210
It does not match the interesting traffic, so it is not passed through the crypto map.

11:39.220 --> 11:42.970
If it is not passed through the crypto map, it goes straight to the ISP.

11:43.060 --> 11:45.040
The ISP says destination unreachable.

11:46.360 --> 11:50.100
But if I now use the source also what will happen?

11:50.110 --> 11:57.400
It will trigger the crypto map because match access list is successful.

11:57.400 --> 12:04.270
It will trigger the crypto map, attach the transform set, go up and check his policies.

12:04.270 --> 12:07.600
And the key and first thing is what is the first thing that he's going to do?

12:10.690 --> 12:18.880
The first packet that is going to leave from here is ISAKMP, which is ISAKMP, UDP 500 to 500.

12:20.230 --> 12:29.020
And in there will be what? In there will be what? Policies.

12:29.020 --> 12:29.350
Right?

12:30.580 --> 12:31.540
There will be policies.

12:31.540 --> 12:35.920
So in the first packet I'll send policies and then the whole nine packet exchange.

12:35.920 --> 12:41.050
Until then my ping is going to be stopped, buffered.

12:41.740 --> 12:47.200
So if it takes more than two seconds, more than one packet, most of the times two packets get dropped,

12:47.680 --> 12:51.640
the first two packets get dropped because of the whole nine packet exchange.

12:52.630 --> 12:52.990
Right?

12:52.990 --> 12:58.510
So let's try interesting traffic, source 10.1.1.1.

13:05.310 --> 13:06.240
Nine packets.

13:07.200 --> 13:07.710
Right.

13:08.700 --> 13:09.360
Policy.

13:10.110 --> 13:12.450
Policy and nonces.

13:12.930 --> 13:13.560
Nonces.

13:15.240 --> 13:15.600
Key.

13:15.780 --> 13:16.320
Key.

13:16.860 --> 13:18.480
Security Association.

13:18.480 --> 13:18.960
Transform.

13:18.960 --> 13:19.170
Set.

13:19.170 --> 13:19.650
Exchange.

13:19.650 --> 13:20.100
Transform.

13:20.100 --> 13:20.310
Set.

13:20.310 --> 13:23.040
Exchange and acknowledgement.

13:24.600 --> 13:24.960
Right.

13:24.990 --> 13:28.530
This is your actual tunnel.

13:30.150 --> 13:33.060
This is your actual data tunnel right here.

13:33.090 --> 13:35.400
When you see ESP here, this is the tunnel.

13:37.560 --> 13:37.770
Right.

13:37.770 --> 13:38.940
So this is the first tunnel.

13:38.940 --> 13:40.200
ISAKMP is your first tunnel.

13:40.440 --> 13:42.030
This is your IPsec tunnel.

13:43.740 --> 13:45.930
If you have a look at this, it's pretty ordinary.

13:46.920 --> 13:47.340
Why?

13:47.370 --> 13:48.780
Because you don't see anything in there.

13:49.560 --> 13:50.760
That is the beauty of it.

13:52.290 --> 13:59.520
You see the outside header, which is 12.1 to 23.3, but the actual actual message is going from 10.1

13:59.520 --> 14:00.360
to 10.3.

14:00.900 --> 14:02.200
You don't see that part.

14:06.790 --> 14:12.430
You only see an ESP header out there which is not available to you.

14:12.460 --> 14:15.010
Let me show you how this whole process works now.

14:15.040 --> 14:23.320
When this happens on your R1, when the packet comes, it will look like this.

14:24.550 --> 14:27.100
I'm trying to go from 10.1.1.1.

14:27.100 --> 14:30.610
I'm trying to go to 10.3.3.3.

14:31.780 --> 14:32.080
Okay.

14:32.080 --> 14:33.100
I hit what?

14:33.700 --> 14:35.230
I hit the interface. On the interface

14:35.230 --> 14:38.050
there is a crypto map which says that this part should be encrypted.

14:38.740 --> 14:41.410
So it does the nine packet exchange to get what?

14:41.710 --> 14:43.870
What is the whole point of the nine packet exchange?

14:45.160 --> 14:46.030
Three things.

14:47.050 --> 14:48.040
He needs the key.

14:50.420 --> 14:57.380
But he needs to know which mechanism to use for encryption and what mechanism to use for hashing

14:58.310 --> 14:59.240
of the actual data.

14:59.530 --> 14:59.780
Right.

14:59.780 --> 15:02.060
So by the end of nine packets, he knows that.

15:02.060 --> 15:08.780
Okay, let's say this is using 3DES and SHA from both ends.

15:08.780 --> 15:10.460
They will negotiate on the same thing, right?

15:11.420 --> 15:14.530
Ki, ki des.

15:15.170 --> 15:22.040
And so once he gets that information until this time, until he gets this information, 1 or 2 packets

15:22.070 --> 15:22.820
get dropped.

15:24.590 --> 15:26.210
Right now, he has this information.

15:26.210 --> 15:27.050
Now, what does he do?

15:27.080 --> 15:37.460
He uses the key using the algorithms and this header, which is the ESP header to encrypt the data.

15:42.080 --> 15:43.600
It also has something else.

15:43.600 --> 15:46.950
It has because it's a ping.

15:46.960 --> 15:48.490
So ICMP is hidden here.

15:52.040 --> 15:52.490
Is all.

15:55.870 --> 15:56.070
Right.

15:56.620 --> 15:58.690
But on top of that, what does he need?

15:59.110 --> 16:01.510
Because if he hides all, how will the routing take place?

16:01.510 --> 16:03.190
How will it reach the final destination?

16:03.580 --> 16:05.320
So he needs a public address.

16:05.890 --> 16:11.320
It uses the set peer option, which you already specified as 23.3.

16:11.350 --> 16:12.160
The source.

16:12.160 --> 16:16.300
It uses the interfaces public address from 12.1 to 23.3.

16:17.170 --> 16:19.420
Understand how he sets these two things.

16:19.960 --> 16:27.340
This part based on the set peer command and whichever interface is leaving from that will be your source.

16:28.000 --> 16:31.930
And then he doesn't have to care about anything because this routing is done by the internet and it

16:31.930 --> 16:34.300
reaches the final destination anyhow.

16:37.120 --> 16:38.620
You don't have to worry about that.

16:38.950 --> 16:40.630
It will reach the final destination.

16:40.930 --> 16:43.540
If it is on the Internet, it will reach the destination.

16:43.540 --> 16:46.540
But what happens when it reaches the destination?

16:46.930 --> 16:47.500
The guy.

16:47.530 --> 16:48.340
Does he have the key?

16:48.370 --> 16:51.970
First of all, he opens this because it's meant for him 23.3.

16:51.970 --> 16:55.750
So he opens this part, checks ESP to open ESP.

16:55.780 --> 16:56.590
What does he need?

16:58.750 --> 17:02.710
It is the key to open this whole thing.

17:03.670 --> 17:04.180
R3 needs.

17:04.180 --> 17:06.160
What if he doesn't have the key?

17:06.190 --> 17:07.330
He won't be able to open it.

17:07.330 --> 17:09.250
That's why no one in the world can open it.

17:10.810 --> 17:12.440
Only if he has the key will open.

17:12.520 --> 17:13.150
He'll open it.

17:13.840 --> 17:14.830
He does have the key.

17:14.830 --> 17:16.570
So what he does is he opens the ESP.

17:21.550 --> 17:27.850
Finds the actual message, which is from 10.1 to 10.3, and it's an ICMP; forwards

17:27.850 --> 17:35.170
that request to 10.3, since it's actually meant for that destination. The reverse process

17:35.170 --> 17:35.860
works the same.

17:37.470 --> 17:39.900
So on a VPN, there's no need for NAT.

17:40.350 --> 17:43.110
Without NAT right now, there's nothing happening.

17:43.110 --> 17:43.560
Right.

17:44.990 --> 17:46.770
So, I mean, this is.

17:48.980 --> 17:49.540
Not yet.

17:49.550 --> 17:50.300
There isn't.

17:51.290 --> 17:55.150
There may be setups, which I'll show you, where you require NAT.

17:55.160 --> 17:57.950
But in this case, no, you don't need.

17:57.980 --> 17:58.500
Why do you need?

17:58.520 --> 17:59.210
You don't need it.

17:59.240 --> 18:00.110
It's already hidden.

18:01.250 --> 18:05.630
Your actual private networks are already hidden behind the public addresses.

18:07.490 --> 18:11.600
When I say behind, they are encapsulated within the public address range.

18:12.800 --> 18:14.690
Any questions on how this works?

18:17.830 --> 18:18.820
Any questions?

18:23.810 --> 18:24.110
No.

18:25.100 --> 18:25.370
Clear.

18:26.720 --> 18:27.860
Shall we move forward then?

18:29.600 --> 18:35.210
What I'm going to do next is I'm going to attach a new site to this.

18:38.440 --> 18:39.450
R4.

18:43.350 --> 18:46.830
And with R4, I'm going to create a tunnel between R1 and R4.

18:57.690 --> 18:58.560
The loopback.

18:59.850 --> 19:01.410
10.4.4.0.

19:05.970 --> 19:06.380
Okay.

19:11.370 --> 19:13.740
This is going to be 24.0.

19:40.410 --> 19:41.700
24.4

19:44.100 --> 19:45.840
Now set a default route.

20:08.910 --> 20:11.940
Making sure that R1 can reach.

20:16.110 --> 20:17.280
I forget which one.

20:21.870 --> 20:22.320
Okay.

20:24.060 --> 20:27.450
Also, I need to do what? I need to create that loopback on R4.

20:36.030 --> 20:38.820
Right, so the setup is ready.

20:41.070 --> 20:42.840
What do I do now on R4?

20:43.080 --> 20:44.370
Help me out with this.

20:45.720 --> 20:47.190
I'll just configure it from here.

20:48.990 --> 20:49.590
Tell me.

20:50.580 --> 20:52.950
I need to create a tunnel between R1 and R4.

20:54.300 --> 21:05.700
The first thing is crypto isakmp policy, then encryption, authentication, hash.

21:06.000 --> 21:07.980
There I used SHA; here I'll use MD5.

21:10.210 --> 21:10.500
Okay.

21:10.710 --> 21:12.930
And I'll use five.

21:14.850 --> 21:16.170
Just remember what I used here.

21:16.230 --> 21:17.790
MD5 and SHA; two, five.

21:18.720 --> 21:21.030
Then can all the three have the same?

21:21.750 --> 21:22.950
That'll be easier.

21:24.210 --> 21:24.960
It is possible.

21:25.020 --> 21:25.770
But I want to show you.

21:25.770 --> 21:27.480
If it's not, how will you manage that?

21:28.980 --> 21:31.020
It's easier if all of them have the same policies.

21:31.050 --> 21:33.180
But let's do the other way.

21:35.320 --> 21:36.100
Second step.

21:39.350 --> 21:39.770
Yeah.

21:41.630 --> 21:45.500
Isakmp key cisco address.

21:45.590 --> 21:46.730
What is the address?

21:49.580 --> 21:50.140
150.

21:50.150 --> 21:51.170
You have your diagrams, right?

21:51.200 --> 21:58.100
151.15. Then IPsec transform set.

21:59.090 --> 22:03.650
I'll keep it as the same: ESP 3DES, MD5.

22:03.770 --> 22:04.850
You can use MD5.

22:12.540 --> 22:12.960
Yes.

22:15.480 --> 22:24.570
And then access-list 101 permit 10 dot

22:27.210 --> 22:30.330
to 10.1.1.0

22:32.760 --> 22:33.120
ip.

22:36.270 --> 22:40.890
Finally crypto map, then.

22:44.930 --> 22:59.390
Crypto map, then ipsec, and then set peer is what? 12.1; match address 101, and then set transform-set.

22:59.390 --> 23:02.750
The last step is apply to the interface.

23:10.450 --> 23:11.410
This is what I did.

23:28.570 --> 23:33.880
Crypto isakmp policy 10, and the rest of the stuff is the same.

23:35.230 --> 23:36.130
Then the key.

23:40.330 --> 23:41.350
Then the transform set.

23:44.300 --> 23:44.970
The ACL,

23:48.030 --> 23:53.820
the map, and apply it to the interface, just for record.

23:58.220 --> 23:58.910
I'm at ten

24:01.760 --> 24:02.510
and this is R4.

24:02.510 --> 24:11.060
R4 is separate, R4 is new; R1 is 1120, as you like right now.

24:11.420 --> 24:15.260
I'll go back to R1 and this is the configuration which I've done on R1.

24:16.850 --> 24:20.120
I want to make sure: what changes do I need to make here?

24:20.300 --> 24:25.700
What things do I need to add so I can accommodate the newer tunnel?

24:28.850 --> 24:36.230
The first rule that you have to remember is that on an interface of a router, you can only apply one

24:36.230 --> 24:36.830
crypto map.

24:44.520 --> 24:44.730
Yeah.

24:45.480 --> 24:46.320
I showed you yesterday.

24:46.530 --> 24:49.170
Someone asked me, what is the whole purpose of this ten?

24:50.700 --> 24:54.540
You can only apply what one crypto map per interface.

24:54.690 --> 24:58.710
If you can only apply one crypto map, how will you accommodate two tunnels?

24:59.010 --> 25:01.170
You have different sequence numbers on there.

25:01.650 --> 25:02.970
So when I have.

25:06.850 --> 25:10.480
When I have this crypto map here, I'll keep it as it is.

25:12.460 --> 25:22.000
I will create a new sequence number, let's say 20: 10, 20, 30, 40.

25:22.030 --> 25:22.480
Like that.

25:24.130 --> 25:27.130
Okay, I have a new sequence number here.

25:27.160 --> 25:28.930
The set peer address is what?

25:32.420 --> 25:34.370
24.4.

25:36.500 --> 25:37.880
What else changes?

25:39.110 --> 25:40.280
The ACL will change.

25:40.280 --> 25:40.430
Why?

25:40.460 --> 25:43.580
Because now the address is not 10.1 to 10.3, but it is.

25:43.580 --> 25:44.090
What?

25:44.880 --> 25:46.250
So I'll create another ACL.

25:47.270 --> 25:55.580
102, which permits ip from 10.1.1.0 going to 10.4.4.0.

25:57.920 --> 26:00.650
So here the ACL will not be 101; it will be one zero.

26:02.150 --> 26:03.020
Transform set.

26:03.470 --> 26:05.060
I put the same thing on both sides.

26:05.060 --> 26:10.340
If I had not, I would have to change the transform set here and put the other one: transform-set

26:10.370 --> 26:12.110
tset one, or tset two, or tset three.

26:14.180 --> 26:22.280
But since I'm using the same transform set on R4 also; if we check, same 3DES and MD5 on

26:22.280 --> 26:28.310
R4; visualize it, ESP 3DES and MD5.

26:29.030 --> 26:36.980
So here also the set is the same, 3DES and MD5, so no need to change that.

26:38.000 --> 26:43.820
The difference between the two: how is it going to make sure which crypto map to use, which entry to use?

26:43.850 --> 26:45.350
Based on the ACL.

26:45.770 --> 26:51.410
The decision which crypto map to use is entirely based on the ACL.

26:51.740 --> 26:57.240
If it doesn't hit this ACL, it goes to the other one starting from top to bottom.

26:59.850 --> 27:05.440
But the one thing that is missing is what? ISAKMP policies.

27:05.460 --> 27:07.560
Earlier, I used this policy.

27:10.170 --> 27:11.330
Another one.

27:13.810 --> 27:16.720
If I use 101 only it is.

27:16.750 --> 27:17.050
Why?

27:17.080 --> 27:19.270
Because I want which traffic to encrypt.

27:20.350 --> 27:20.920
I'm sorry.

27:24.630 --> 27:24.770
What?

27:28.040 --> 27:34.910
You can play in a much different way here in the ten.

27:35.180 --> 27:38.480
See, in 110, you can only have one ACL.

27:39.680 --> 27:48.090
You can have both ACLs in there, and I have two 2020s, but you can only have one peer, right?

27:48.110 --> 27:49.010
Set peer command.

27:50.330 --> 27:52.670
So you have two addresses, but it will only go to one

27:55.830 --> 27:56.840
set here.

27:57.500 --> 27:59.060
If you had dual set peer command.

27:59.060 --> 28:00.200
So you could have done that also.

28:00.200 --> 28:01.490
But that's what you're doing right now.

28:01.490 --> 28:04.790
You're saying if the traffic is going here, set this peer.

28:05.270 --> 28:10.550
If the traffic is going here, the peer should be only the, right.

28:10.550 --> 28:11.390
So ACL changes.

28:11.390 --> 28:12.530
The peer also changes.

28:12.680 --> 28:17.810
I'm saying if the traffic is going to 10.3, my set peer address, the outside address, should

28:17.810 --> 28:24.800
be 23.3; if it's going to this 102, which is 10.4, the outside address should be 24.4.

28:25.580 --> 28:26.210
Do you understand?

28:26.210 --> 28:29.010
What I mean when I say outside address.

28:30.150 --> 28:35.460
When I say outside address, I'm talking about the header on the outside of the ESP because that is

28:35.460 --> 28:36.900
the one which does all the routing.

28:37.620 --> 28:45.420
So when I say set peer 24.4, it is setting the outside header which will be routed across, through

28:45.420 --> 28:46.650
the internet, to the device.

28:49.020 --> 28:51.600
Okay, Clear, everyone.

28:52.020 --> 28:56.840
So the only thing that is missing, if you compare it to R4, is: on R4

28:56.850 --> 29:03.330
I used a different set of policies, and okay, let's say I will use a different key

29:06.570 --> 29:07.440
as many as you want,

29:10.680 --> 29:11.880
but IOS?

29:12.570 --> 29:13.620
I don't think so.

29:16.810 --> 29:18.600
That is on the think.

29:21.900 --> 29:22.230
Yeah.

29:22.650 --> 29:24.090
How much is the limitation?

29:24.330 --> 29:25.980
I think 100.

29:28.580 --> 29:31.820
If you buy a license for 100, let's check the version number.

29:32.210 --> 29:36.830
Maybe it gives that information in there, but I have not heard anything like that, I'm sure.

29:37.820 --> 29:37.980
Yeah.

29:38.480 --> 29:38.900
Okay.

29:49.530 --> 29:51.590
Maybe there is a possibility.

29:51.600 --> 29:53.890
I mean, that's how they do it for everything.

29:53.910 --> 29:55.260
That's how they make money.

29:57.450 --> 30:00.440
So what I've done is I've changed the key from this side also.

30:00.920 --> 30:02.610
Cisco one, two, three on R4.

30:03.510 --> 30:07.930
So you cannot create the tunnel with R4 if you don't have Cisco.

30:07.980 --> 30:08.460
One, two, three.

30:08.460 --> 30:10.590
As your PSK, pre-shared key.

30:10.710 --> 30:14.880
And I'll make this deliberate mistake on R1, I will keep the key as Cisco.

30:16.870 --> 30:17.110
Show.

30:19.890 --> 30:20.560
I see.

30:21.280 --> 30:24.800
Yes, I see.

30:24.810 --> 30:25.530
That is RSA.

30:26.040 --> 30:26.850
RSA signatures.

30:27.030 --> 30:27.480
You have.

30:27.480 --> 30:30.060
I told you you have a VPN on that server.

30:31.080 --> 30:31.860
You have to do that.

30:32.100 --> 30:33.060
That is the important one.

30:33.480 --> 30:35.130
That is the one which is used widely.

30:35.970 --> 30:36.180
Right?

30:38.010 --> 30:42.870
So what right now, what changes do I need to make on R1?

30:42.870 --> 30:43.800
That is the question.

30:44.730 --> 30:45.990
I'm using the key.

30:48.060 --> 30:49.290
Do I need a different key?

30:50.070 --> 30:55.770
I need a different key to go to 12.1 because the address has to be specified.

30:55.770 --> 31:07.320
I also need another key for 24 dot, but I will deliberately keep it as Cisco because I want to show

31:07.320 --> 31:09.030
you the state of where the packet gets stuck.

31:09.030 --> 31:10.530
Where is the packet going to get stuck?

31:11.520 --> 31:18.180
Packet number five and six, between hills and five.

31:18.210 --> 31:22.600
The other guy will not be able to send six, so he'll keep on sending three and four again.

31:22.900 --> 31:23.740
Three and four again.

31:23.770 --> 31:25.210
He'll send five, three and four again.

31:25.360 --> 31:27.310
Then five, four, five, four, five.

31:28.450 --> 31:28.870
Right.

31:28.870 --> 31:30.850
Also I need to do policies.

31:31.450 --> 31:34.030
So just like I did ten, I will do

31:36.490 --> 31:41.650
crypto isakmp 20

31:44.050 --> 31:47.320
encryption again, I'll just copy paste it from the other side.

31:47.710 --> 31:47.970
Okay.

31:47.980 --> 31:48.730
Am I doing it?

31:48.730 --> 31:49.770
Yeah, I'm doing it on the number.

31:51.890 --> 31:52.870
This is R4.

31:57.350 --> 31:58.760
I need to do the address here.

32:07.560 --> 32:07.830
Right.

32:08.010 --> 32:09.530
And the policies

32:12.570 --> 32:22.110
crypto isakmp policy 20, encryption I used was, authentication,

32:24.480 --> 32:29.490
hash I used, MD5, and group I used.

32:31.410 --> 32:33.330
I keep it as what? Policy number 20.

32:36.360 --> 32:38.070
Keep it as policy number 20.

32:38.100 --> 32:42.540
Let's paste this part again on R1.

32:48.580 --> 32:54.190
So if you check your show run crypto.

32:58.210 --> 33:02.920
You see, you have two policies, two sets of policies, not one, two.

33:03.370 --> 33:08.110
Now, when he creates a tunnel, when he sends policies, which one is he going to send?

33:08.110 --> 33:09.490
The 10 one or the 20 one?

33:12.790 --> 33:15.790
The policies that he sends: he is going to send both.

33:18.210 --> 33:19.380
When he is creating the tunnel.

33:19.470 --> 33:24.150
See now the difference between R1 and the others is.

33:24.180 --> 33:26.670
R1 has two sets of policies.

33:26.670 --> 33:27.840
Policy number ten.

33:27.870 --> 33:28.980
Policy number.

33:30.900 --> 33:33.150
And this guy has only number ten.

33:34.320 --> 33:34.550
Right.

33:34.710 --> 33:41.160
When these are negotiating the first tunnel, the ISAKMP tunnel, and the negotiation takes place.

33:41.280 --> 33:48.720
Both of these are going to be sent across in one packet in the first packet, both of these policies.

33:49.170 --> 33:52.290
Then it's for R3 to decide which one does he match.

33:53.250 --> 33:56.790
So the first thing that he's going to try is he's going to try with his lower number.

33:56.970 --> 33:58.800
So the lower number that is coming through.

33:58.920 --> 34:06.390
So he's going to compare 10 to 10, then he's going to compare it to 20 and see which one matches with

34:06.390 --> 34:06.970
R3.

34:06.990 --> 34:08.070
Ten will match.

34:10.110 --> 34:16.050
For R4, his 10 will match with the 20 here, which does not make much of a difference.

34:17.340 --> 34:19.890
Which is, the first packet is going to be a little bigger.

34:20.280 --> 34:25.710
That's only the first packet, not the second packet, because the first packet I'll send all the policies.

34:25.740 --> 34:28.980
The second guy will choose one of them and reply with that one.

34:31.740 --> 34:34.050
That is the difference in the first packet.

34:34.080 --> 34:34.950
Second packet.

34:34.980 --> 34:35.760
No change.

34:35.790 --> 34:36.660
Third and fourth.

34:36.690 --> 34:37.550
Obviously nothing.

34:38.670 --> 34:41.100
Fifth and sixth is the pre-shared key.

34:42.000 --> 34:43.920
I've set the Pre-shared key here as Cisco.

34:43.950 --> 34:44.910
The other side as Cisco.

34:44.940 --> 34:45.720
One, two, three.

34:46.410 --> 34:51.270
So we should see the packet getting stopped in the fifth exchange.

34:52.260 --> 34:52.800
Correct.

34:52.830 --> 34:54.120
Let's try to do that.

34:54.420 --> 34:55.410
Let's go to R1.

35:00.080 --> 35:01.340
I'll ping this address.

35:04.580 --> 35:11.150
10.4.4.4 with the source of 10.1.1.1.

35:34.000 --> 35:43.090
I get number one, two, three, four, five, then four again. See, 402.

35:43.120 --> 35:43.510
Right.

35:44.170 --> 35:46.690
402 gets repeated again after five.

35:50.660 --> 35:50.870
See.

35:50.870 --> 35:52.840
One, two, three, four, three, four.

35:52.850 --> 35:56.600
Size is 402, 402; five is 134.

35:57.230 --> 35:59.180
Then the other packet you see is 402.

35:59.180 --> 35:59.360
Why?

35:59.390 --> 36:01.490
Because fourth got repeated again.

36:02.030 --> 36:04.160
This is the pre-shared key.

36:04.370 --> 36:05.030
There's a mismatch.

36:05.030 --> 36:05.240
Right?

36:05.240 --> 36:08.760
So the fifth packet I send Cisco, the other side is not accepting.

36:09.800 --> 36:11.330
Let's check the state of the packet.

36:11.330 --> 36:18.710
If you go to your show crypto isakmp sa, state; I'll send the packet again.

36:23.820 --> 36:24.510
Key exchange.

36:27.230 --> 36:28.310
It is getting stuck.

36:28.310 --> 36:32.240
Where? In the key exchange part.

36:32.600 --> 36:34.580
What is key exchange packet number five and.

36:37.680 --> 36:39.360
What are you trying to repeat?

36:39.360 --> 36:42.870
The key exchange is supposed to send the key again.

36:43.440 --> 36:43.860
Which key?

36:44.520 --> 36:44.820
The key.

36:45.180 --> 36:46.140
He sends the key.

36:46.380 --> 36:48.660
The other guy doesn't have the key to respond back.

36:48.690 --> 36:49.560
There's a mismatch.

36:49.560 --> 36:52.800
So he sends the previous packet back again because he wants him to send the key again.

36:53.430 --> 36:55.290
But he didn't see the packet.

36:56.010 --> 36:57.300
The fifth packet was there.

36:57.630 --> 37:00.030
This, the 134, is the fifth packet.

37:02.160 --> 37:03.330
This is one, two, three, four.

37:03.360 --> 37:04.380
Then one, two, three, four.

37:04.620 --> 37:06.210
This is the fifth packet I'm sending you.

37:06.240 --> 37:06.660
Then.

37:06.810 --> 37:08.160
Then you detect a mismatch.

37:08.160 --> 37:09.180
You send me fourth again.

37:09.180 --> 37:11.310
So I know that the key is not wrong.

37:11.580 --> 37:12.080
Not right.

37:13.920 --> 37:14.340
Right.

37:14.340 --> 37:17.940
So when you go back here, how do I fix this?

37:18.030 --> 37:22.530
I'll go to R1: crypto isakmp key.

37:22.830 --> 37:23.400
Cisco.

37:23.430 --> 37:24.270
One, two, three.

37:24.960 --> 37:29.190
Address is 151.14.

37:31.830 --> 37:37.590
already exists, but it exists with Cisco, so I'll remove that one and paste this one again.

37:40.260 --> 37:40.620
Okay.

37:40.620 --> 37:41.850
Now let's try again.

37:42.480 --> 37:44.790
I'll start from R4 this time.

37:45.930 --> 37:48.750
10.1.1.1 with the source of 10.

37:49.710 --> 37:50.520
4.4.4.

37:53.630 --> 37:56.720
Then, successful exchange. Good.

37:57.200 --> 37:58.520
The packets have been exchanged.

38:03.190 --> 38:05.820
Shouldn't have done it from there because I wanted to show you something.

38:09.240 --> 38:12.060
With one, with one person with one pair, only one.

38:13.080 --> 38:15.550
Obviously with one side, you will only have one, Right?

38:16.970 --> 38:18.150
The second side of.

38:19.890 --> 38:22.830
It's like, again, that's what I'm doing right now.

38:22.830 --> 38:26.130
If you check, I can.

38:26.130 --> 38:27.550
But here I need to use Cisco.

38:27.600 --> 38:28.050
One, two, three.

38:28.050 --> 38:28.710
From this end.

38:30.240 --> 38:31.200
I did that, right?

38:31.200 --> 38:32.580
I use Cisco one, two, three here.

38:32.580 --> 38:33.960
And R4 is also using Cisco.

38:33.960 --> 38:34.380
One, two, three.

38:36.240 --> 38:37.200
Where is the guy?

38:37.230 --> 38:38.520
R4 is also using Cisco.

38:38.520 --> 38:39.060
One, two, three.

38:50.550 --> 38:50.790
Right.

38:51.210 --> 38:52.110
That's what I'm doing right now.

38:53.010 --> 38:56.850
So going back

39:00.660 --> 39:03.000
the tunnel set up, I want to clear the tunnel.

39:03.030 --> 39:04.070
How do you clear the tunnel?

39:04.080 --> 39:05.490
You have to clear both your tunnels.

39:06.690 --> 39:07.230
Clear.

39:07.680 --> 39:09.990
Crypto isakmp will clear your first tunnel.

39:11.100 --> 39:15.150
Clear crypto session will clear everything.

39:19.030 --> 39:19.210
Okay.

39:23.600 --> 39:30.980
If you want to clear a specific tunnel, clear crypto isakmp, then you can specify the session

39:30.980 --> 39:31.220
ID.

39:33.270 --> 39:34.190
So for example.

39:34.190 --> 39:41.390
Yeah, every connection has an ID, so show crypto isakmp sa; see, a connection ID right here.

39:42.830 --> 39:45.710
You just put that connection ID; it will remove that part.

39:47.570 --> 39:48.020
Okay.

39:48.410 --> 39:54.590
Now I want to send it again, but I want to originate this from R1 because I want to show you the policies.

39:55.630 --> 39:56.080
Thing.

39:56.920 --> 40:02.680
10.4.4.4 with the source of 10.1.1.1.

40:18.350 --> 40:19.040
It just happened.

40:38.980 --> 40:45.070
This side didn't clear. Clear crypto isakmp, clear crypto.

40:49.060 --> 40:49.690
Then, Nadia.

40:50.260 --> 40:50.670
I didn't.

40:50.680 --> 40:53.980
I thought I did, but I didn't get it from both ends.

40:57.200 --> 41:00.200
Then let's have a look at the exchange.

41:01.610 --> 41:04.070
The first packet, which is going from 1 to 4.

41:04.940 --> 41:08.000
Let's open that and see what's inside there from 1 to 4.

41:08.660 --> 41:11.540
Remember on one, I have two sets of policies, not one.

41:12.570 --> 41:13.040
Right.

41:16.040 --> 41:19.820
So when I send him the policies, I'm going to send him both sets of policies.

41:20.750 --> 41:23.000
First policy number ten, which has group two.

41:23.900 --> 41:27.110
Then policy number 20, which has group five.

41:27.830 --> 41:32.000
If I had ten sets of policies ten, 20, 30, 40, 50, I would send them all.

41:33.920 --> 41:40.700
And he chooses which one he wants to use; right now he is using this part.

41:41.360 --> 41:46.130
Let's check that against the other packet that he responds with.

41:56.070 --> 42:01.080
Chooses only one of the two, the one which matches on its side.

42:03.150 --> 42:05.550
So this is policy number ten, 20, 30.

42:05.580 --> 42:06.870
It's arbitrary, it's local.

42:08.160 --> 42:08.640
1020.

42:08.760 --> 42:09.630
It's just a number.

42:09.900 --> 42:12.000
What matters is what policies are you sending?

42:12.000 --> 42:14.400
What policies are you receiving from both sides?

42:17.050 --> 42:17.890
Any questions?

42:19.660 --> 42:20.200
No questions.

42:24.850 --> 42:26.410
Here for one side.

42:26.620 --> 42:27.280
The other side?

42:28.180 --> 42:28.810
Yes.

42:28.810 --> 42:29.860
The other side still exists.

42:29.890 --> 42:32.950
He thinks that the tunnel is up. The other side

42:33.040 --> 42:35.050
still thinks that the tunnel is up.

42:35.590 --> 42:40.450
So he sends the traffic through the tunnel, but there is no one else on the other side to receive it.

42:41.470 --> 42:48.070
Now, the other thing that I want you to see is this command: show crypto isakmp.

42:49.090 --> 42:50.800
I think there's a command for detail.

42:51.850 --> 42:56.380
If you go to detail, it will show you the lifetime left in this tunnel.

42:56.380 --> 42:57.700
Right now, it's 23.

42:58.180 --> 43:00.460
It will show you the group that you're using.

43:00.460 --> 43:03.910
Number five, the PSK.

43:04.270 --> 43:06.880
You're using authentication based on pre-shared keys.

43:06.910 --> 43:09.700
Hash is MD5, encryption is

43:12.640 --> 43:20.590
Right, the remote end is 24.4, local is 12.1.

43:20.590 --> 43:23.260
And your connection ID is this. Connection

43:23.260 --> 43:27.970
ID will keep on changing every 24 hours because this tunnel will go down.

43:27.970 --> 43:31.780
Another tunnel will come up 1005 will become 1006.

43:31.780 --> 43:32.620
Why is it important?

43:32.620 --> 43:38.350
Because, say, for example, you go back home today, you come back in the morning tomorrow, and you

43:38.350 --> 43:42.880
check the connection ID, it goes from 1005 to 1006.

43:42.880 --> 43:47.350
If it has gone to 1015, what does that mean?

43:47.980 --> 43:51.400
In 24 hours, the tunnel has gone up and down ten times.

43:51.400 --> 43:52.510
That means something is wrong.

43:52.720 --> 43:56.830
That's why connection ID helps you to keep track of what tunnels were where.

43:59.880 --> 44:00.100
Right.

44:00.300 --> 44:04.980
And then what you have is engine; you don't have to worry about that.

44:05.100 --> 44:08.250
So Crypto IPsec is the one which you care about.

44:09.900 --> 44:11.050
Crypto IPsec.

44:16.240 --> 44:18.640
GRE. GRE,

44:21.160 --> 44:23.350
because this has certain limitations.

44:24.400 --> 44:28.720
What I want to give the message behind the Westinghouse.

44:30.590 --> 44:32.360
Not really another router.

44:32.360 --> 44:37.850
If you want, you can do that, but it gives you certain more advantages which IPsec doesn't.

44:37.850 --> 44:41.300
But I don't want to talk about the negatives of IPsec crypto map right now.

44:41.750 --> 44:48.260
Let's focus on the positives, then I'll show you how GRE gives you something which this guy doesn't.

44:50.300 --> 44:50.550
Right.

44:50.570 --> 44:53.840
But before that, we have to move certain steps and then we can reach them.

44:56.140 --> 44:59.680
For my understanding, I require an extra standard.

44:59.710 --> 45:01.240
But what is that for?

45:01.240 --> 45:06.130
What if you create a of shops?

45:07.810 --> 45:11.140
Not all the interesting traffic will go through the tunnel.

45:12.490 --> 45:14.200
The rest will go through public address.

45:15.130 --> 45:17.930
So you'll protect your tunnel separately with IPsec.

45:18.220 --> 45:21.760
So your interesting traffic at that time will not be defined by an ACL.

45:21.790 --> 45:25.870
It will be defined by the split.

45:25.870 --> 45:26.950
Tunneling is something else.

45:26.960 --> 45:29.320
Split tunneling is, you use it in Easy VPN.

45:29.800 --> 45:36.130
But we have ages until we reach Easy VPN from now; we have a lot to cover until we reach there.

45:37.120 --> 45:37.620
Right?

45:37.630 --> 45:38.110
Right.

45:38.110 --> 45:41.200
Now check this out.

45:42.610 --> 45:44.050
This is your IPsec SA.

45:44.650 --> 45:48.190
Make sure that you understand the important points of where to check what?

45:49.420 --> 45:51.310
Okay, first things first.

45:51.340 --> 45:52.900
This part tells you what

45:55.550 --> 46:01.100
what is getting encrypted: traffic going from 10.1 to 10.3 is getting encrypted.

46:02.330 --> 46:02.870
Okay.

46:03.920 --> 46:05.420
Local address.

46:06.230 --> 46:10.790
The map is applied to which interface? S0/0.

46:11.720 --> 46:18.320
The local address of that, which by local address he means the public address on that interface, is 12.1.

46:18.680 --> 46:24.320
This tunnel is going from where? 10.1 to 10.3. Until now,

46:24.320 --> 46:26.210
how many packets have passed through this?

46:27.320 --> 46:27.920
Zero.

46:29.810 --> 46:31.670
Local endpoint and remote endpoint.

46:31.700 --> 46:38.240
This is nothing but the outside header that is going to be used for the traffic going from 10.1 to 10.3.

46:40.550 --> 46:40.760
Right.

46:40.760 --> 46:50.390
So if you want to draw it graphically, for the traffic going from 10.1.1.0 to 10.3.3.0.

46:53.170 --> 46:59.800
The outside header is going to be, what, 151 12.1 going to

47:01.870 --> 47:03.340
23.3.

47:03.340 --> 47:09.400
And obviously this will be covered using, and you'll see that, right now we don't know what it is right

47:09.400 --> 47:09.580
now.

47:09.580 --> 47:11.230
We don't know what it's going to be covered with.

47:11.230 --> 47:18.220
But if you go down there, you should see right now it's not applied, obviously, but you'll see inbound

47:18.550 --> 47:19.510
and outbound ESP.

47:22.290 --> 47:22.470
Right.

47:22.470 --> 47:25.770
So this you know that this is going to be what?

47:30.850 --> 47:33.490
Lyngby as if it was, it would show you.

47:34.450 --> 47:42.160
Here it would be inbound and outbound and inbound outbound because inbound for decrypting, outbound

47:42.160 --> 47:42.820
for encrypting.

47:44.920 --> 47:45.130
Right?

47:45.130 --> 47:47.980
So you'll see that these parts are always going to be the same.

47:49.480 --> 47:51.100
Tonight, more infections.

47:53.780 --> 47:54.260
I'm sorry.

47:56.450 --> 48:04.220
I think the hashing and encrypting, reading some Java you can read, but how will you understand

48:04.220 --> 48:06.080
what it means from Java?

48:08.090 --> 48:09.380
This is not showing what.

48:11.840 --> 48:13.950
It was not known.

48:14.010 --> 48:14.350
See?

48:14.440 --> 48:14.830
Check.

48:16.390 --> 48:18.910
And there it is able to show you.

48:18.910 --> 48:21.340
But in which sense?

48:21.880 --> 48:23.050
That is the question.

48:25.770 --> 48:26.550
That's it.

48:27.720 --> 48:29.730
All hidden behind this one number.

48:34.130 --> 48:34.730
That's it.

48:39.700 --> 48:40.690
It is compressed.

48:42.280 --> 48:42.940
It is compressed.

48:42.940 --> 48:44.820
But in what sense is it compressed?

48:45.190 --> 48:48.340
All of your information is here behind this somewhere.

48:50.830 --> 48:51.580
Something like that.

48:51.580 --> 48:56.080
Yeah, but it's not really, you're not compressing your data, so it's not like the size of the packet

48:56.080 --> 48:59.080
will get slow, will get less, something like that.

48:59.080 --> 49:00.430
The size will still be the same.

49:00.430 --> 49:07.570
But maybe behind this x there's a lot of meaning behind one x in his own language.

49:08.500 --> 49:08.980
Yeah.

49:10.000 --> 49:15.610
And the decryption part he will know about what it is with the key and this decrypted encrypted data.

49:15.610 --> 49:18.220
He knows how to encrypt and decrypt.

49:18.220 --> 49:19.960
But your jabber is here if you want to check it.

49:21.810 --> 49:21.960
Yeah.

49:22.210 --> 49:23.050
All of this.

49:23.080 --> 49:24.070
All of this.

49:24.700 --> 49:27.520
All of these values F11 for all of this.

49:30.080 --> 49:30.560
Okay.

49:31.670 --> 49:36.380
Now going back, you also have something called the SPI number here, right?

49:37.100 --> 49:37.910
Keep this in mind.

49:43.390 --> 49:44.080
It should.

49:44.090 --> 49:44.710
It should.

49:44.720 --> 49:48.140
That's why we have GRE in this.

49:48.140 --> 49:48.630
It doesn't.

49:48.650 --> 49:52.160
GRE has something called keepalive.

49:53.900 --> 49:56.600
Dead peer detection is there, but you have to enable it separately.

49:57.500 --> 49:59.210
Yeah, there should be.

49:59.210 --> 50:01.910
But it's as complicated.

50:01.910 --> 50:03.950
That's why crypto maps are not preferred.

50:04.970 --> 50:09.590
If you want to create site to site tunnels, crypto maps are not preferred as much as tunnels.

50:11.090 --> 50:13.790
And then there's certain advancements of tunnels also.

50:13.790 --> 50:17.060
But that's a topic for tomorrow, right?

50:18.920 --> 50:21.710
Support for the numbers?

50:21.710 --> 50:22.250
Yes.

50:22.370 --> 50:28.670
So the numbers are there so that what you can do is you can manage two different tunnels separately;

50:29.390 --> 50:31.430
R1 right now has two tunnels coming in.

50:31.730 --> 50:33.920
It needs to manage the traffic of both of them.

50:34.160 --> 50:35.120
How will it make sure?

50:35.120 --> 50:39.440
Because when the packet is coming in, it will be coming in as ESP.

50:39.440 --> 50:44.140
When it sees that ESP packet, how does it know which tunnel it belongs to?

50:44.810 --> 50:47.930
So it keeps track of both the tunnels, or three, four tunnels.

50:47.930 --> 50:48.680
Using what?

50:48.830 --> 50:50.630
The numbers on those tunnels.

50:50.900 --> 50:52.430
That's how it remembers.

50:55.280 --> 51:02.190
Good, that translation would be different because the addresses are given to send the traffic

51:02.780 --> 51:05.190
where it goes and where is it coming back?

51:05.520 --> 51:07.920
Yeah, something like that.

51:09.510 --> 51:10.210
Indexing.

51:10.230 --> 51:15.450
So just to remember, just to differentiate between the two, because you might have seen I mean, in

51:15.450 --> 51:17.670
real life perspective, there's a lot of tunnels coming in.

51:17.700 --> 51:20.250
It's not more than that.

51:21.240 --> 51:22.740
We have not done DMVPN yet.

51:23.370 --> 51:25.590
There are thousands of spokes connected together.

51:26.370 --> 51:26.750
Right?

51:26.760 --> 51:29.130
So there'll be 1000 sites connecting together.

51:29.790 --> 51:31.890
So you'll have to keep track of all of them.

51:34.330 --> 51:37.090
Like that, right?

51:37.090 --> 51:38.770
So you don't do it.

51:38.800 --> 51:42.330
The router does it for you, but for doing that, it requires what?

51:42.380 --> 51:44.950
That number uses that.

51:46.480 --> 51:46.960
Okay.

51:47.470 --> 51:49.360
Let's check the other details in here.

51:51.220 --> 51:51.680
The package.

51:51.760 --> 51:52.930
Now I'm taking the actual tunnel.

51:52.930 --> 51:53.890
The first one is not there.

51:53.890 --> 51:54.550
It's not up.

51:54.550 --> 51:55.660
That's why zero zero.

51:56.440 --> 52:03.910
I'm sending interesting traffic through it: encapsulated and decapsulated; four packets encapsulated,

52:03.940 --> 52:11.950
four decapsulated, four encrypted, four decrypted, four hashed and four verified.

52:15.110 --> 52:15.470
Okay.

52:17.940 --> 52:21.750
But usually most of the times if you see one of them going up, all of them go up.

52:22.560 --> 52:24.270
So the whole counter goes up and down.

52:25.140 --> 52:28.410
Either all three will not work, or one of them will not work.

52:28.440 --> 52:29.040
Yes.

52:29.070 --> 52:34.860
If there is tampering happening across the way, someone is tampering

52:34.860 --> 52:37.290
with the data, your digest and verify will fail.

52:39.420 --> 52:41.550
Because when you send the data, someone will tamper it.

52:41.550 --> 52:44.850
And when it reaches the other side, he will not be able to verify it.

52:45.510 --> 52:46.800
So it will not accept it.

52:46.830 --> 52:49.230
It will show you that the packet has not been verified.

52:51.610 --> 52:52.120
Okay.

52:53.500 --> 52:54.010
Digest.

52:54.010 --> 52:54.370
Verify.

52:54.610 --> 52:55.590
You know the difference, right?

52:55.600 --> 52:58.510
Encrypt and decrypt is different than digest and verify.

52:58.840 --> 53:00.990
Digest and verify is for integrity.

53:01.000 --> 53:03.580
Encrypt and decrypt is for scrambling of the data.

53:05.230 --> 53:06.850
Then you have compression.

53:06.880 --> 53:08.320
Not important right now.

53:08.350 --> 53:14.110
You also have something known as path MTU, IP MTU.

53:17.200 --> 53:18.850
MTU is important in IPsec.

53:20.320 --> 53:25.260
By default, it uses the normal MTU of the interface, which is 1500, maximum transmission unit.

53:25.270 --> 53:28.750
So if it goes more than 1500 it will break the packet into fragments.

53:29.680 --> 53:32.440
ESP will break it into fragments.

53:33.370 --> 53:33.900
Right.

53:33.910 --> 53:38.710
But sometimes what happens is, when you're in production, you see that everything is working

53:38.710 --> 53:43.360
fine, but the traffic through your tunnel, when the traffic is going through, your tunnel

53:43.360 --> 53:50.230
is going very slow, and you wouldn't be able to, because everything will be configured properly,

53:50.230 --> 53:51.880
and you wouldn't be able to verify why.

53:51.910 --> 53:54.940
One of the reasons could be the MTU.

53:54.970 --> 54:05.560
Here it is what, 1500; somewhere else along the way, maybe somewhere

54:05.560 --> 54:09.190
the MTU is less, which is not an issue because path MTU will find that out.

54:09.730 --> 54:16.150
But what usually happens is there is a switch or something in the middle which might be doing tagging,

54:16.150 --> 54:21.280
maybe double tagging and adding its own tags on top of that.

54:21.460 --> 54:28.240
Now since this is ESP, no one can open this packet. When you're tagging it and you're sending 1500, once

54:28.480 --> 54:31.780
if you tag it, 1514 is okay.

54:31.780 --> 54:39.790
If it goes more than that, 1518; from your end it is okay, you're sending it at 1500, but when it reaches

54:39.790 --> 54:43.030
some other point, tagging is happening.

54:43.030 --> 54:47.230
When it gets tagged, the size increases, goes more than 1514.

54:47.230 --> 54:49.570
The moment that happens.

54:50.650 --> 54:51.130
Fragment.

54:53.540 --> 54:53.710
Right.

54:54.290 --> 54:57.800
Fragmentation occurs and that fragmentation is difficult.

54:57.800 --> 54:58.280
Why?

54:58.280 --> 55:00.410
It happens on the IP layer, yes, that's fine.

55:00.410 --> 55:02.470
Obviously, then it goes to the other side.

55:02.480 --> 55:05.690
IP layer also fragments and brings it back up again.

55:05.690 --> 55:12.440
But your tunnel now is getting encrypted, is getting hashed, is getting broken down, then is getting

55:12.650 --> 55:17.120
connected back up again, so your tunnel will definitely get slow.

55:19.040 --> 55:19.460
Okay.

55:19.460 --> 55:20.870
In that case, how will you prevent that?

55:20.870 --> 55:22.880
You will reduce the MTU on this side?

55:23.520 --> 55:23.620
Yes.

55:23.750 --> 55:23.950
Okay.

55:24.470 --> 55:29.420
So that the breaking down of the tunnel happens from here, not in the middle.

55:29.450 --> 55:33.710
You want that to happen from here before encryption, not after encryption.

55:33.710 --> 55:36.800
If it happens after encryption, it will make your tunnel slow.

55:37.760 --> 55:39.860
So it comes.

55:39.980 --> 55:44.660
Compensate for that; before, you reduce the four bytes or eight bytes.

55:44.660 --> 55:48.470
You make it 1480 or something like that before it leaves the tunnel.

55:49.910 --> 55:50.340
Right.

55:51.110 --> 55:51.770
Have to.

55:53.520 --> 55:53.790
I mean,

55:56.970 --> 55:58.110
why does the tunnel have to break?

55:58.200 --> 55:59.220
The tunnel doesn't break it.

55:59.400 --> 56:00.720
See, tunnel is here.

56:01.020 --> 56:01.980
I create my.

56:01.980 --> 56:03.030
I create my packet.

56:03.300 --> 56:05.040
It's 1500 bytes.

56:05.070 --> 56:05.400
Right.

56:05.430 --> 56:08.700
But when it goes to a frame, right, there is a switch in the middle.

56:08.730 --> 56:09.720
Who is tagging it?

56:10.140 --> 56:13.440
When it gets tagged, additional bytes are added on top.

56:13.680 --> 56:18.360
When the frame was 1514, which was okay because the frame was added to it.

56:18.360 --> 56:21.780
But if an additional tag is added, another four bytes will be added.

56:21.780 --> 56:25.740
It will become 1518; it is only 1514.

56:25.980 --> 56:26.280
Right.

56:26.280 --> 56:28.890
If it goes 1518, it will not be allowed to go through.

56:28.890 --> 56:29.730
So it is broken down.

56:31.710 --> 56:32.520
It will be broken down.

56:32.520 --> 56:34.770
If it's broken down, it gets slower.

56:37.020 --> 56:37.470
Okay.

56:37.470 --> 56:42.060
In that case, now you will not see that happening, but that will require your gut.

56:42.570 --> 56:44.460
You should know that tagging is happening along the way.

56:44.460 --> 56:45.570
The packets are big.

56:45.570 --> 56:46.860
That's why it's getting slow.

56:46.860 --> 56:48.390
So reduce the MTU.

56:52.770 --> 56:55.890
Double tagging does happen on the ISPs also.

56:56.040 --> 56:58.500
So those things also, that's why it happens.

56:58.500 --> 57:00.780
That's why it's one of the most common problems in IPsec.

57:01.260 --> 57:05.490
This part, usually we do that for the double tagging part.

57:05.520 --> 57:09.630
We reduce the MTU so that it comes to level.

57:12.250 --> 57:19.600
Development of the field to increase MTU.

57:20.260 --> 57:23.680
You can do it here, but you don't have control on all the routers out there, right?

57:23.770 --> 57:25.450
You don't have control over your ISP.

57:25.480 --> 57:27.430
So I can increase the MTU from my end.

57:27.460 --> 57:31.810
But the general principle, everybody is using it at 1500.

57:32.230 --> 57:33.190
It's a standard.

57:33.730 --> 57:39.850
So when you send it from here, you are okay, you send it at 1700, but your ISP will have it at 1500.

57:39.850 --> 57:40.840
So he will break it down.

57:42.370 --> 57:42.930
It will break down.

57:42.940 --> 57:46.210
The standard is 1500 everywhere along the way.

57:48.650 --> 57:48.920
Okay.

57:50.150 --> 57:50.660
Use

57:53.600 --> 57:58.370
1518: with the tag it is 18, but with the double tag it will become 22.

58:01.710 --> 58:03.210
2018.

58:03.240 --> 58:03.510
Yes.

58:03.510 --> 58:05.250
Then you add the the frame.

58:05.940 --> 58:06.990
You add the frame.

58:10.070 --> 58:12.860
1515.

58:12.890 --> 58:13.280
Double two.

58:13.310 --> 58:15.110
Will we see without the tag?

58:15.110 --> 58:15.610
It's how much?

58:15.620 --> 58:16.550
1514.

58:17.390 --> 58:18.890
Without the tag, the frame

58:20.810 --> 58:24.230
1518 Without the frame.

58:24.260 --> 58:24.920
With the frame.

58:29.670 --> 58:30.540
Default is 18.

58:31.170 --> 58:31.530
All right.

58:31.530 --> 58:32.300
So it's 18.

58:32.310 --> 58:37.020
So you add four bytes, it becomes what, 1522, and then you add four more.

58:37.020 --> 58:40.200
If you're doing double tagging becomes 1526.

58:40.890 --> 58:42.450
The whole point is double tagging, right?

58:44.100 --> 58:45.210
The whole point is double tagging.

58:45.210 --> 58:46.530
If one tag is there, it is okay.

58:46.530 --> 58:48.960
I mean, you accommodate for one tag.

58:49.320 --> 58:52.500
Everybody knows that because frame, it's a standard.

58:52.500 --> 58:54.480
If there is a frame and a tag, it's fine.

58:54.660 --> 58:59.550
But if you are adding another tag on top of that one, which usually does happen, so another tag will

58:59.550 --> 59:02.100
be added most of the times.

59:02.400 --> 59:06.600
Again, yeah, that's what increases the latency.

59:07.290 --> 59:10.590
Most of the times it doesn't happen, but it will.

59:10.590 --> 59:14.830
I mean, if you're in production, if you have 100 tunnels, out of those hundred, you might see 5 or

59:14.830 --> 59:18.690
6 which are down because of the MTU, based on which ISP they are going out.

59:20.940 --> 59:21.160
Right.

59:21.480 --> 59:28.380
Based on the, because you don't know how they're dealing with your packet, so you have to be careful with

59:28.380 --> 59:28.560
that.

59:30.270 --> 59:30.510
Right.

59:30.510 --> 59:33.300
How will you troubleshoot? Everything first, check everything else.

59:33.300 --> 59:36.980
If everything else is okay, working now, you won't know what's happening on the other side of the ISP.

59:37.350 --> 59:41.970
Then use the MTU; 1480 works.

59:41.970 --> 59:42.300
Okay.

59:43.830 --> 59:44.310
Okay.

59:45.570 --> 59:48.120
So you're fragmenting before getting encryption.

59:49.380 --> 59:53.850
The other thing is inbound and outbound.

59:55.650 --> 59:57.210
This is just the same thing.

59:57.390 --> 1:00:00.540
It will show you how much is the remaining lifetime in your key.

1:00:01.410 --> 1:00:03.720
This is the total number of kilo bits.

1:00:04.380 --> 1:00:06.210
This is in bits.

1:00:06.210 --> 1:00:13.620
So if you have these many bits, if this amount of traffic goes through the tunnel, this amount of

1:00:13.620 --> 1:00:17.730
traffic goes through the tunnel, you get what? The key is refreshed.

1:00:21.090 --> 1:00:23.940
So it's both things I told you not a lot of data should go out.

1:00:25.110 --> 1:00:26.530
Not a lot of data should go out.

1:00:26.550 --> 1:00:29.160
Plus the time.

1:00:29.160 --> 1:00:29.580
One hour.

1:00:29.910 --> 1:00:32.580
So one of the two, whichever comes first.

1:00:34.500 --> 1:00:36.600
Whichever of the two comes first.

1:00:40.740 --> 1:00:44.670
Four four, 711, one, two.

1:00:49.430 --> 1:00:52.790
4336 bytes, 4.4 MB.

1:00:52.910 --> 1:00:59.300
Now, again, if you compare it, if you look at documentation, there are certain documentations which

1:00:59.300 --> 1:01:04.220
say it's four GB, some say 400 MB, and some say it's four MB.

1:01:04.250 --> 1:01:12.500
But there is still debate about what this actually is, the total number of traffic which can go through

1:01:12.500 --> 1:01:15.650
the tunnel, total amount of traffic which can go through.

1:01:15.950 --> 1:01:23.360
Let's actually let's actually go through this IPsec Cisco

1:01:26.960 --> 1:01:27.230
Tunnel.

1:01:40.830 --> 1:01:42.800
460800 KB.

1:01:45.820 --> 1:01:46.960
460800.

1:01:47.520 --> 1:01:48.220
That is how much?

1:01:59.350 --> 1:02:00.010
Kilobytes.

1:02:02.050 --> 1:02:05.380
Gibbs cannot be dismissed.

1:02:06.310 --> 1:02:06.610
Okay.

1:02:06.610 --> 1:02:06.800
Yeah.

1:02:06.820 --> 1:02:10.100
Divided by slow bytes.

1:02:10.300 --> 1:02:11.830
I did the configuration wrong.

1:02:11.830 --> 1:02:14.800
I configured it to be as bits, not bits.

1:02:14.830 --> 1:02:15.640
Kilo bits.

1:02:15.640 --> 1:02:16.270
So

1:02:16.270 --> 1:02:26.800
4608000

1:02:27.370 --> 1:02:40.030
divided by 1024 will give you MB: 4500 MB of traffic which can go through, sorry, by default through

1:02:40.030 --> 1:02:42.460
the tunnel; if 4500 MB goes through,

1:02:45.060 --> 1:02:46.180
It will change the key.

1:02:46.990 --> 1:02:51.190
So it's two things either one hour or 4500.

1:02:51.460 --> 1:02:53.680
Traffic going through a 4500.

1:02:53.890 --> 1:02:55.450
Traffic goes through the tunnel.

1:02:57.790 --> 1:02:58.540
It will shift.

1:02:58.960 --> 1:02:59.740
It'll make the shift.

1:03:01.420 --> 1:03:04.990
You can you can change the Security Association lifetime.

1:03:04.990 --> 1:03:07.480
You can change the security doors.

1:03:07.600 --> 1:03:10.060
You can change the lifetime in seconds.

1:03:10.300 --> 1:03:12.610
You can change it in kilobytes.

1:03:13.450 --> 1:03:14.740
It's not bits, it's bytes.

1:03:17.530 --> 1:03:19.810
The kind of data, not really.

1:03:19.990 --> 1:03:23.110
But you can set up a restriction using your ACL.

1:03:24.160 --> 1:03:27.250
You can say ACL permit only traffic, say TCP from here to here.

1:03:27.370 --> 1:03:29.440
That is the only traffic that will go through the tunnel.

1:03:34.250 --> 1:03:35.450
So it's up to you.

1:03:35.600 --> 1:03:36.500
As long as that.

1:03:36.990 --> 1:03:39.910
As long as that ACL is hit, it'll go through.

1:03:39.920 --> 1:03:43.580
So when you're using TCP, you'll use the port number, TCP port 23.

1:03:43.580 --> 1:03:46.310
So only Telnet traffic will go through the tunnel to the other side.

1:03:48.080 --> 1:03:48.600
Okay.

1:03:48.620 --> 1:03:56.790
Another thing right here, it's just a question, right.

1:03:56.810 --> 1:03:58.370
We'll take a break after this.

1:03:58.370 --> 1:04:04.190
And you would try to do it on your notebooks or wherever you're doing it and just let me know if

1:04:04.250 --> 1:04:06.470
there is a possibility that this will work.

1:04:08.330 --> 1:04:13.970
10.3 is sending its traffic to 10.1 to the tunnel.

1:04:14.600 --> 1:04:16.850
The ACL here is 10.3 to 10.1.

1:04:17.290 --> 1:04:19.700
Whatever to that ACL.

1:04:19.730 --> 1:04:22.940
I add another entry to the same ACL.

1:04:23.060 --> 1:04:27.890
I say traffic going from 10.3 to 10.4.

1:04:30.560 --> 1:04:32.480
Should also go to R1.

1:04:36.040 --> 1:04:40.420
I'll send that traffic also to R1, and R1,

1:04:41.230 --> 1:04:44.020
I'll say traffic if the source is 10.3.

1:04:44.050 --> 1:04:46.130
Destination is 10.4.

1:04:46.150 --> 1:04:47.200
Send it where?

1:04:52.390 --> 1:04:53.020
To R4.

1:04:55.630 --> 1:04:56.470
Is it possible?

1:04:58.740 --> 1:04:59.950
Should be possible, right?

1:05:02.300 --> 1:05:02.600
Today.

1:05:03.740 --> 1:05:04.810
I want you now.

1:05:04.820 --> 1:05:06.330
I told you the concept, right?

1:05:06.350 --> 1:05:13.070
I want you to write the access lists, which I would require to do this from R3, R1 and R4.

1:05:15.140 --> 1:05:15.970
There's only one tunnel.

1:05:15.980 --> 1:05:22.930
There's only going to be two tunnels, one between R1 and R4 and one between R1 and R3.

1:05:22.940 --> 1:05:28.670
But I want R3 and R4 to communicate to each other through R1.

1:05:32.990 --> 1:05:35.180
Someone can directly connect.

1:05:38.760 --> 1:05:42.240
Not right now, but right now it will drop.

1:05:42.270 --> 1:05:42.750
Definitely.

1:05:44.490 --> 1:05:44.970
Definitely.

1:05:45.480 --> 1:05:46.650
There is no ACL matching.

1:05:48.810 --> 1:05:54.000
One more thing I want to note column content for.

1:05:54.090 --> 1:05:54.630
Yes.

1:05:54.660 --> 1:05:55.350
For directions.

1:05:56.070 --> 1:06:00.060
You have to do it both right here.

1:06:00.090 --> 1:06:03.540
Only here? R4 as well.

1:06:06.440 --> 1:06:07.250
For R4 as well.

1:06:07.910 --> 1:06:08.990
Because R4 needs to reply.

1:06:09.020 --> 1:06:09.290
Right.

1:06:09.830 --> 1:06:10.550
Reply to whom?

1:06:12.590 --> 1:06:16.670
So from 10.3 to 10.1 will be one which will be here.

1:06:17.240 --> 1:06:20.330
Here I need to from 10.3 to 10.4.

1:06:20.360 --> 1:06:21.380
Going from this tunnel.

1:06:24.710 --> 1:06:25.550
That would be.

1:06:25.550 --> 1:06:26.450
That would be risky.

1:06:27.050 --> 1:06:27.590
That would be risky.

1:06:27.620 --> 1:06:28.280
You can do that.

1:06:28.280 --> 1:06:29.990
But we need to be more specific.

1:06:30.680 --> 1:06:34.280
You can do that also, but that will be for all the traffic, right?

1:06:34.730 --> 1:06:37.250
So what you could do, think about it.

1:06:38.540 --> 1:06:43.550
I can have two different R3 and R4, just one here pointing to.

1:06:43.970 --> 1:06:47.780
That's the thing from R1, I have two pairs only from R3.

1:06:47.780 --> 1:06:49.340
I have one pair here and one pair here.

1:06:50.540 --> 1:06:51.440
Both are pointing to.

1:06:53.900 --> 1:06:58.910
So from here, one ACL is for 10.4 to 10.1 from here, 10.3 to 10.1.

1:07:00.120 --> 1:07:03.510
It is speak for 200.

1:07:04.460 --> 1:07:06.590
Also there will not be any reply.

1:07:06.620 --> 1:07:09.680
Echo request will go and reply will not come back.

1:07:10.400 --> 1:07:13.100
So it will reach R3, but R3 will not be able to reply.

1:07:13.100 --> 1:07:16.070
So R3 will see decryption is happening, but no encryption.

1:07:18.050 --> 1:07:18.530
On one side.

1:07:18.530 --> 1:07:20.540
There will be decryption one side, there will be encryption.

1:07:20.660 --> 1:07:23.330
Again, let me tell you something about troubleshooting.

1:07:23.540 --> 1:07:32.520
When you're troubleshooting your IPsec VPNs, if your ISAKMP is QM_IDLE, if you're already in a

1:07:32.810 --> 1:07:36.770
QM_IDLE, and when you're troubleshooting, what do you mean by QM_IDLE?

1:07:36.770 --> 1:07:39.560
Which part of this will be correct and which part can be wrong?

1:07:41.510 --> 1:07:42.710
This will be correct.

1:07:42.860 --> 1:07:44.330
Your key will be correct.

1:07:44.360 --> 1:07:45.920
Your transform set will be correct.

1:07:46.460 --> 1:07:49.760
So if your first tunnel is coming up, all these three are correct.

1:07:49.760 --> 1:07:51.140
Do not check those parts.

1:07:52.100 --> 1:07:55.880
But if your first tunnel is not coming up, there is a mistake here.

1:07:59.080 --> 1:07:59.330
Right.

1:07:59.380 --> 1:08:05.530
If you're not getting anything at all, if when you do your show crypto isakmp sa, you cannot see anything

1:08:05.530 --> 1:08:05.800
at all.

1:08:05.800 --> 1:08:09.250
It's empty, blank completely at that point.

1:08:09.280 --> 1:08:16.060
That means either you have not applied the crypto map, or you applied it on the wrong interface, or your

1:08:16.060 --> 1:08:24.040
interesting traffic is not matching. Route would be: if your tunnel is coming up, the first tunnel is

1:08:24.040 --> 1:08:24.670
coming up,

1:08:25.510 --> 1:08:27.460
your encryption and decryption is not happening.

1:08:30.090 --> 1:08:32.490
If your tunnel is up, the first tunnel is up.

1:08:33.180 --> 1:08:33.520
Right.

1:08:33.630 --> 1:08:36.270
But your encryption and decryption is not happening.

1:08:36.270 --> 1:08:39.820
The possibility would be you don't have the routes to those destinations.

1:08:39.840 --> 1:08:41.580
Let me explain how that could be.

1:08:42.210 --> 1:08:46.010
If you have R1 and R3 right now, let's say R3 was not here anymore.

1:08:46.020 --> 1:08:47.220
It was not there at all.

1:08:48.900 --> 1:08:57.270
When from this side I send a packet, I'm sending it from where? Ten dot... going to... First, negotiations

1:08:57.270 --> 1:08:58.370
will begin.

1:08:58.380 --> 1:09:06.120
Negotiations will be completed, because negotiations require what? Public-to-public communication.

1:09:06.870 --> 1:09:07.380
Policies are

1:09:07.380 --> 1:09:07.980
okay.

1:09:08.220 --> 1:09:08.880
Tunnel is formed.

1:09:09.090 --> 1:09:14.400
Then when the actual traffic goes through the tunnel, the traffic goes from 10.1 to... obviously it will

1:09:14.400 --> 1:09:16.620
be encapsulated. When it reaches the other side,

1:09:16.620 --> 1:09:19.140
it will be decapsulated. When it decapsulates it,

1:09:19.170 --> 1:09:20.790
it sees that it wants to go to...

1:09:21.240 --> 1:09:22.830
He doesn't have 10.3.

1:09:24.680 --> 1:09:25.920
There is no 10.3.

1:09:25.920 --> 1:09:27.840
The packets are going to be dropped.

1:09:28.020 --> 1:09:30.190
So the return traffic will not come.

1:09:30.520 --> 1:09:34.240
You will see decryption is happening, but encryption will not happen.

1:09:34.240 --> 1:09:36.430
It will never happen because the network doesn't exist.

1:09:36.970 --> 1:09:38.470
You don't have the route to that network.

1:09:38.470 --> 1:09:40.750
If you don't have the route, you will not know what to do with it.

1:09:41.260 --> 1:09:42.520
So you'll drop it.

1:09:44.050 --> 1:09:46.960
So you'll see encryption is one way decryption is on the other way.

1:09:46.960 --> 1:09:52.750
Obviously, if this network also was not there with him, no decryption, no encryption; it will just

1:09:52.750 --> 1:09:53.290
sit there.

1:09:56.230 --> 1:10:02.200
So if you see one side encrypting and one side not encrypting, wherever you

1:10:02.200 --> 1:10:07.840
see it's decrypting but not encrypting, the side which you see is not encrypting,

1:10:07.840 --> 1:10:10.840
that means that side does not have the route to the network.

1:10:12.700 --> 1:10:12.880
Okay.

1:10:12.880 --> 1:10:14.140
These are very important steps.

1:10:15.550 --> 1:10:21.310
So IPsec will show you how many packets are decrypted and encrypted.

1:10:22.180 --> 1:10:23.260
You'll see it here, Right.

1:10:23.290 --> 1:10:25.930
The best way to check your tunnels is not the full tunnel.

1:10:25.960 --> 1:10:26.980
You always check.

1:10:26.980 --> 1:10:35.560
The first thing that I always do is show crypto ipsec sa | section caps. Two tunnels.

1:10:36.100 --> 1:10:37.350
First tunnel is not up.

1:10:37.360 --> 1:10:38.980
The second tunnel: four encrypted,

1:10:39.010 --> 1:10:39.880
four decrypted.

1:10:39.910 --> 1:10:41.620
Let me show you this on here.

1:10:41.620 --> 1:10:44.860
I'll remove interface loopback zero.

1:10:45.910 --> 1:10:49.750
So 10.3 is not there. Now I'll send a packet to ten dot.

1:10:53.980 --> 1:10:55.650
You see a packet will not go through.

1:10:56.130 --> 1:11:00.170
But show crypto isakmp sa is QM_IDLE.

1:11:00.930 --> 1:11:01.890
So your first tunnel is up.

1:11:01.890 --> 1:11:06.390
The second is not. show crypto ipsec sa | section caps.

1:11:09.060 --> 1:11:10.260
Three packets encapsulated.

1:11:11.220 --> 1:11:11.640
Zero.

1:11:11.700 --> 1:11:13.870
Encapsulated, decapsulated.

1:11:13.890 --> 1:11:14.610
Zero means what?

1:11:14.640 --> 1:11:15.930
Nothing is coming back.

1:11:16.890 --> 1:11:17.730
I'm sending.

1:11:17.730 --> 1:11:19.380
Nothing is coming back.

1:11:19.380 --> 1:11:20.550
Let's check on R3.

1:11:22.050 --> 1:11:28.800
show crypto ipsec sa | section caps on the other one.

1:11:29.580 --> 1:11:32.450
Right now it will not encapsulate any.

1:11:32.490 --> 1:11:33.810
So if you keep sending him,

1:11:36.750 --> 1:11:37.410
you can do what?

1:11:39.960 --> 1:11:40.560
I'm sorry.

1:11:40.720 --> 1:11:43.140
What we do.

1:11:44.380 --> 1:11:48.150
Clear counters on this, on the...

1:11:48.180 --> 1:11:48.600
Okay.

1:11:48.600 --> 1:11:50.160
So crypto IPsec.

1:11:50.400 --> 1:11:51.690
Let me see this first.

1:11:53.050 --> 1:11:53.730
caps.

1:11:53.970 --> 1:11:54.570
Zero zero.

1:11:54.570 --> 1:11:54.960
Right.

1:11:55.230 --> 1:11:55.740
Clear.

1:11:57.990 --> 1:12:00.300
IPsec. Clear crypto.

1:12:02.220 --> 1:12:03.600
I don't want to clear it down.

1:12:03.600 --> 1:12:09.810
I think there should be something that says counters. show crypto

1:12:10.080 --> 1:12:17.280
6001 here and start from here.

1:12:17.280 --> 1:12:21.570
I'll send again and you'll see that one side will be five, the other side will be zero.

1:12:21.570 --> 1:12:25.860
So from this end you'll see decryption is happening, but no encryption.

1:12:28.720 --> 1:12:31.510
Because it doesn't have the network, so it doesn't get a return packet.

1:12:34.830 --> 1:12:36.090
I removed the loopback three.

1:12:36.570 --> 1:12:38.730
I removed 10.3 network.

1:12:41.040 --> 1:12:42.300
10.3 was not there.

1:12:43.170 --> 1:12:48.570
Decryptions are happening, but encryptions will not happen because I don't have the route to come back.

1:12:48.750 --> 1:12:53.640
These are very important troubleshooting steps because this is where you get stuck when you're creating

1:12:53.640 --> 1:12:54.570
a tunnel or something like that.

1:12:54.570 --> 1:12:59.340
These are the small things that you'll see: one side encrypting, one side not decrypting.

1:12:59.340 --> 1:13:01.110
One part of the tunnel is up, the other is not.

1:13:02.670 --> 1:13:03.690
So two important things.

1:13:03.690 --> 1:13:08.760
If your tunnel is up, there's a problem either with your access list or with your route.

1:13:10.020 --> 1:13:10.370
Right.

1:13:10.440 --> 1:13:14.910
If your tunnel is not coming up at all, either you have not applied the crypto map anywhere,

1:13:16.020 --> 1:13:16.460
Right.

1:13:16.470 --> 1:13:17.280
or your interesting

1:13:17.280 --> 1:13:18.900
traffic is not hitting the interface.

1:13:18.900 --> 1:13:21.090
So there may be a problem with the routing too.

1:13:22.290 --> 1:13:22.760
Okay.

1:13:22.770 --> 1:13:27.660
If your tunnel is getting stuck in a stage, you are more than... more perfect than me

1:13:27.690 --> 1:13:32.340
on knowing what's wrong with that, if it gets stuck along the way, right?

1:13:32.730 --> 1:13:35.110
You know, first and the second packet, fourth and the fifth.

1:13:35.170 --> 1:13:37.570
Fifth and the sixth, seventh and the eighth.

1:13:39.310 --> 1:13:40.150
That's it.

1:13:40.270 --> 1:13:41.770
That's your IPsec.

1:13:42.310 --> 1:13:48.490
If you can figure this out, it's done because everything is based on IPsec.

1:13:48.520 --> 1:13:49.000
Yes.

1:13:58.700 --> 1:14:01.130
It will not do double tracking because of double tagging.

1:14:01.160 --> 1:14:04.910
It will go more than that and then it will be broken down into fragments.

1:14:05.360 --> 1:14:06.930
So you have.

1:14:10.900 --> 1:14:16.300
After that, the actual traffic goes. Your traffic that is going out, the first packets will not, because

1:14:16.300 --> 1:14:17.560
those are small packets.

1:14:18.160 --> 1:14:25.660
The first packets are very small, 400 bytes, 400, 300 bytes; maximum I think is 454 or 2 bytes for

1:14:25.660 --> 1:14:28.660
the one which has the... The rest of the packets are very small.

1:14:29.500 --> 1:14:37.570
So now, how do you... how do you know... how we have to... how?

1:14:40.500 --> 1:14:42.670
That is MTU.

1:14:42.710 --> 1:14:44.330
You change it on IPsec.

1:14:45.770 --> 1:14:46.330
IPsec.

1:14:46.490 --> 1:14:49.990
There is a command, which is crypto ipsec MTU, for that interface. Path MTU.

1:14:50.060 --> 1:14:51.150
Also you can change.

1:14:51.170 --> 1:14:52.460
I'll show you that as a lab.

1:14:53.810 --> 1:14:57.860
I'll show you that as a lab, I'll decrease the MTU on one of the interfaces and I'll show you how the

1:14:57.860 --> 1:14:58.700
path will go down.

1:15:00.290 --> 1:15:02.870
I'll create a separate... When I'm doing that, we'll do both together.

1:15:03.410 --> 1:15:05.000
NAT and IPsec MTU.

1:15:05.090 --> 1:15:05.930
We'll do it together.

1:15:07.800 --> 1:15:10.710
Okay, clear? Any questions with this?

1:15:12.310 --> 1:15:12.600
Good.

1:15:13.480 --> 1:15:13.620
Right.

1:15:13.660 --> 1:15:14.380
Let's take a break.

1:15:14.380 --> 1:15:16.450
And after that, let's do the hairpin.

1:15:18.890 --> 1:15:19.460
Yes.
