WEBVTT

00:01.920 --> 00:07.020
I'm going to create a tunnel between R4 and R1.

00:07.740 --> 00:11.740
Let's start from R1, the simple one, and let's see what configurations do I need.

00:14.000 --> 00:16.730
Step one policies.

00:25.680 --> 00:26.640
What policies?

00:30.280 --> 00:30.700
Then.

00:35.340 --> 00:35.930
Syndication.

00:41.750 --> 00:42.260
Step two.

00:42.290 --> 00:43.880
What is the address on step two?

00:47.710 --> 00:52.120
Address on the here will be 34 dot.

00:53.310 --> 00:53.570
Okay.

00:54.720 --> 00:54.920
Third.

01:06.950 --> 01:07.270
For.

01:13.960 --> 01:14.500
2010.

01:14.500 --> 01:15.370
440.

01:18.160 --> 01:20.080
Step five map.

01:25.410 --> 01:30.170
Match this one on one set.

01:32.730 --> 01:33.240
Transform.

01:33.240 --> 01:33.570
Set.

01:33.880 --> 01:34.210
Set.

01:35.980 --> 01:37.680
Set Here.

01:37.890 --> 01:41.880
151 .34.00.

01:42.600 --> 01:43.470
Crypto map.

01:44.820 --> 01:46.170
So from this end, it's okay.

01:46.890 --> 01:48.420
From this end, there is nothing different.

01:49.740 --> 01:50.490
It's pretty.

01:50.730 --> 01:54.000
Pretty much almost the same as I did it before.

01:54.630 --> 01:56.100
So I'll go in here.

02:11.360 --> 02:12.130
Okay.

02:13.150 --> 02:13.500
I see.

02:13.630 --> 02:15.700
ISAKMP is off from this end.

02:15.730 --> 02:16.360
Is okay.

02:16.870 --> 02:18.100
What about the other side?

02:20.500 --> 02:22.040
What changes do I need to make?

02:22.060 --> 02:22.510
Policy.

02:22.510 --> 02:24.280
The same address.

02:29.610 --> 02:41.400
Uh, when you need the public IP or the private IP, it has to be the public IP, because for

02:41.400 --> 02:44.820
R4 to reach R1, he cannot reach it by the private address.

02:45.600 --> 02:48.030
It can only reach it if he uses the.

02:51.530 --> 02:52.070
Public, right?

02:52.100 --> 02:57.800
Obviously, I mean, on the Internet, the only way to reach R1 is from the public address and you can

02:57.800 --> 02:59.930
verify that also from R4.

03:00.830 --> 03:10.710
If I ping 151.13.10, I can reach that R1. To make sure that it is actually reaching R1: debug IP

03:10.730 --> 03:12.350
ICMP, ping.

03:16.480 --> 03:17.980
Coming all the way to.

03:19.300 --> 03:24.850
Obviously this source becomes 192.168.12.1 because of nothing to change is the destination.

03:24.850 --> 03:26.080
So it comes back to 12.

03:27.400 --> 03:34.990
So the address that you give on the other peer is 23.10, transforms at the same access.

03:34.990 --> 03:37.840
This will be reflected

03:40.540 --> 03:46.720
and set peer will again be what? Interface serial.

03:50.660 --> 03:55.010
Happy to do our food and.

03:58.000 --> 04:03.490
And then what I'll also do is debug.

04:05.940 --> 04:07.100
Crypto ISAKMP.

04:09.500 --> 04:10.840
My nine packet exchange.

04:10.840 --> 04:11.710
I want to debug it.

04:12.700 --> 04:16.420
I want to see what all changes take place on R1.

04:16.660 --> 04:17.800
What packets are sent?

04:17.830 --> 04:20.380
What packets are received and so on and so forth.

04:21.430 --> 04:26.130
Also I'll run what Wireshark.

04:36.050 --> 04:36.650
Side by side.

04:38.300 --> 04:42.140
Keep it on here before NATting and after NATting.

04:44.270 --> 04:45.470
So two instances.

04:46.490 --> 04:47.270
One is here.

04:48.590 --> 04:49.400
The other one will be.

05:00.360 --> 05:02.880
Yeah, right, guys.

05:03.690 --> 05:05.970
Now let's initiate the tunnel.

05:07.680 --> 05:08.760
Before I do that.

05:12.150 --> 05:13.050
So access List.

05:14.520 --> 05:15.600
IP Access List.

05:15.630 --> 05:17.520
Extended Firewall.

05:17.520 --> 05:17.760
No.

05:17.790 --> 05:18.240
One.

05:18.690 --> 05:19.110
No.

05:19.140 --> 05:19.590
Ten.

05:19.860 --> 05:20.310
No.

05:20.340 --> 05:21.930
20. So it's denying everything.

05:24.990 --> 05:27.030
Deny all the connections are denied.

05:27.990 --> 05:28.410
Right.

05:28.530 --> 05:30.870
I will initiate the connection from outside again.

05:31.020 --> 05:35.310
Ping 10.1.1.1 with the source of 10 will not go through.

05:35.460 --> 05:38.700
You will see that if it was 25, now it goes to 26.

05:42.600 --> 05:44.040
I will allow this traffic to go in.

05:45.810 --> 05:47.490
First, let's have a look at the exchange.

05:49.970 --> 05:52.640
As the ISAKMP is trying to come in but is getting dropped.

05:52.640 --> 06:01.730
Destination unreachable is going to waste destination from source 500 to 500 to 23.10 is trying to create

06:01.730 --> 06:03.020
a tunnel with 23.10.

06:03.020 --> 06:07.670
But since R2 is blocking it, it's not allowing it to come back in.

06:08.930 --> 06:11.000
What do I allow on the access list?

06:13.070 --> 06:15.200
123.1.4.

06:15.890 --> 06:16.730
Write it down again.

06:18.740 --> 06:22.760
How do I allow this through this packet?

06:22.760 --> 06:23.060
Through.

06:40.470 --> 06:43.250
Peson on their outrage.

06:44.810 --> 06:54.290
They changed that from 8.48.3 onwards and that NAT comes first in 8.4 onwards.

06:58.550 --> 07:00.140
In water construction.

07:20.920 --> 07:21.570
Did you find?

07:23.620 --> 07:24.320
So from the public.

07:24.320 --> 07:24.770
The public.

07:24.770 --> 07:25.340
But the public.

07:30.860 --> 07:37.000
Based on extreme translation doesn't.

07:38.280 --> 07:39.690
But the text convection.

07:40.380 --> 07:40.650
Then.

08:05.970 --> 08:06.690
Let's call.

08:23.020 --> 08:24.010
I think

08:27.260 --> 08:27.770
it's the same.

08:28.070 --> 08:34.640
I use it's the same one I use public because UDP will be started public to public.

08:35.720 --> 08:36.020
Right.

08:36.320 --> 08:38.510
You believe me will be started from one public to another.

08:38.510 --> 08:39.020
Public.

08:39.030 --> 08:43.790
So when I go here, it will be the same packet.

08:43.820 --> 08:48.470
My original packet will be kept in the buffer going from 10.4 to 10.1.

08:48.890 --> 08:55.220
It will be buffered and then a UDP session will be established with the set peer command, with the

08:55.220 --> 08:58.820
access list, with the UDP peer address which you have specified.

08:58.820 --> 09:09.170
So going from 151.34.4 to 23.10 from here, because he doesn't know the actual address, UDP 502.

09:13.830 --> 09:16.690
When you come to a router, you have two checks in there.

09:16.710 --> 09:18.060
The first check is the ACL check.

09:18.090 --> 09:19.260
Then you have NATting happening.

09:21.220 --> 09:22.570
Still is right now blocking it.

09:22.580 --> 09:24.170
You have to allow it through the block.

09:24.500 --> 09:26.360
So you go to the ACL and you say, what?

09:26.720 --> 09:27.590
Permit this traffic.

09:27.590 --> 09:27.950
Which one?

09:27.950 --> 09:29.060
This, this, this and.

09:32.090 --> 09:34.850
You permit this and it will go through.

09:34.920 --> 09:37.460
So once it gets permitted, it goes to the NAT.

09:37.490 --> 09:38.330
The NAT changes.

09:38.330 --> 09:39.080
Which part?

09:39.440 --> 09:40.660
23.10.

09:40.790 --> 09:41.300
It changes it.

09:41.300 --> 09:41.840
By what?

09:42.710 --> 09:48.680
192.168.15.1.

09:49.250 --> 09:51.520
The packet reaches the other.

09:53.390 --> 09:53.840
Okay.

09:54.800 --> 09:56.840
Does this go to R2?

10:00.990 --> 10:02.580
IP access list.

10:02.850 --> 10:05.460
Extended firewall number.

10:05.460 --> 10:13.500
Let's say ten as a permit UDP from host 151.34.4 to host

10:13.500 --> 10:19.860
151.23.10 equal to, source also.

10:25.660 --> 10:27.700
Okay, let's try the exchange again.

10:28.090 --> 10:30.100
Right now it was getting stuck in no exchange.

10:30.100 --> 10:33.520
So crypto now it won't because it has stopped trying.

10:33.520 --> 10:37.600
But earlier it would get stuck in no exchange because he did not get the reply for the first package.

10:38.050 --> 10:40.620
Now I'll do it again.

10:40.630 --> 10:41.970
Where do you think it will get stuck?

10:41.980 --> 10:43.570
What will be the state of the package?

10:48.400 --> 10:48.850
Yeah, my dad.

10:50.890 --> 10:53.080
What did I tell you about the exchange?

10:54.430 --> 10:56.020
Not to be detected.

10:56.050 --> 10:57.930
Where is that?

10:58.390 --> 10:59.080
Third and fourth.

10:59.110 --> 11:00.280
It will be detected.

11:01.240 --> 11:03.460
The change is made in the fifth package.

11:05.910 --> 11:07.920
Again, Trionfo will be in detection.

11:08.130 --> 11:08.910
The key exchange.

11:09.660 --> 11:11.040
Key exchange should show.

11:19.130 --> 11:23.270
Now, both will work the same way because the outside will be the same.

11:26.090 --> 11:27.590
Which means which packet is getting dropped.

11:30.860 --> 11:32.240
The fifth package is getting dropped.

11:32.460 --> 11:34.070
So you want to check the exchange?

11:34.400 --> 11:35.300
You can go in here.

11:35.660 --> 11:36.200
Yeah.

11:38.000 --> 11:38.880
No, not fourth.

11:39.590 --> 11:43.940
Fourth will be detection until fourth.

11:43.970 --> 11:44.300
See?

11:44.810 --> 11:46.100
Starting from here.

11:48.080 --> 11:50.840
This is the first packet with the policies.

11:50.840 --> 11:51.800
You know, Policies.

11:51.830 --> 11:53.840
Second packet with the policies.

11:53.870 --> 11:55.310
Let's check the third packet.

11:57.710 --> 11:59.420
We have key exchange and nonce.

11:59.720 --> 12:00.800
You also have what?

12:05.330 --> 12:06.210
From that detection.

12:08.980 --> 12:11.860
Those are not the what is included in there.

12:11.890 --> 12:13.480
What information is in that?

12:14.230 --> 12:16.150
The actual source of the packet.

12:16.480 --> 12:17.380
They won't show it here.

12:17.380 --> 12:19.600
It's not written open text.

12:20.110 --> 12:21.220
We won't show it to you there.

12:21.760 --> 12:25.570
But in there is the address, the actual address.

12:25.720 --> 12:27.160
It doesn't actually send the full address.

12:27.160 --> 12:32.480
It sends the hash value of that address, of that first address.

12:32.500 --> 12:37.870
Now, once you have that first address in there, the other side will get it and it will detect it.

12:38.280 --> 12:40.160
Mac, why do you need it both ways?

12:40.180 --> 12:41.960
Why do you need to wait for the fourth packet?

12:41.980 --> 12:46.000
Because when I'm the peer, you're the peer I'm sending you.

12:46.000 --> 12:47.560
I'm telling you, this is the source.

12:47.590 --> 12:50.530
When you reply back, you will tell me that that is happening,

12:53.350 --> 12:53.800
right?

12:54.010 --> 12:55.330
It's like this.

12:55.870 --> 12:57.270
So what happens in R1?

12:57.280 --> 13:00.300
Initiate the R1, initiate the connection.

13:00.310 --> 13:00.760
Same thing.

13:00.790 --> 13:01.420
Exact same thing.

13:03.220 --> 13:04.090
R1 doesn't know.

13:04.120 --> 13:06.520
See first packet goes policies.

13:06.860 --> 13:07.700
Second packet.

13:07.730 --> 13:12.590
He will still send 192.168 in the payload, right? It goes out here.

13:13.190 --> 13:16.040
R4 detects NAT in the fourth packet.

13:16.070 --> 13:17.990
He replies and tells him, listen, NAT is happening.

13:19.430 --> 13:23.720
R4 will tell him that's why you need the fourth packet so that the both sides know.

13:26.330 --> 13:26.930
Do you get it?

13:28.040 --> 13:28.280
Now?

13:28.280 --> 13:29.540
Detection is packet number three.

13:29.540 --> 13:35.150
So packet number three R1 will put his source in there and R4 will see when it receives when it is received

13:35.150 --> 13:35.990
at R4.

13:36.020 --> 13:36.740
R4 will see.

13:36.740 --> 13:38.120
Okay, that is happening.

13:38.840 --> 13:43.430
So R4 knows but R1 doesn't know they need to mutually decide on that.

13:43.430 --> 13:49.850
So R4 will reply back with the fourth packet in the payload and that will be yes, that has been detected.

13:49.970 --> 13:54.830
So from now on we will move to move to port number 4500.

13:56.630 --> 13:56.870
Right?

13:56.870 --> 14:02.420
You can see that in Wireshark also if you want to if you go in here, this was packet number.

14:02.420 --> 14:05.240
Fourth packet number fifth is this 128.

14:05.270 --> 14:09.380
If you check this source is 4500.

14:09.410 --> 14:10.700
Destination is.

14:14.180 --> 14:16.460
Source 45, destination 45.

14:17.150 --> 14:20.750
And this packet is dropped because you get an ICMP unreachable message.

14:22.900 --> 14:25.330
So it keeps on sending it again and again and again.

14:28.060 --> 14:28.270
Right.

14:28.990 --> 14:32.550
Since it's the first packet which gets stuck in exchange.

14:34.090 --> 14:34.660
Exchange.

14:36.190 --> 14:37.050
Is this clear?

14:37.680 --> 14:38.730
How do you allow this?

14:40.380 --> 14:42.460
So I allowed 500.

14:42.480 --> 14:45.000
I also need to allow 45.

14:47.700 --> 14:48.840
So I'll go to my ACL.

14:50.160 --> 14:51.360
I'll go back again.

14:51.480 --> 15:02.580
I'll say 20 permit UDP from host 151.34.4 to host 151.13.1 equal to 45.

15:08.110 --> 15:08.500
Now.

15:08.500 --> 15:09.760
How many packets will be allowed?

15:10.090 --> 15:11.440
Where will it get stuck?

15:13.210 --> 15:14.670
Will it get stuck in the middle?

15:17.680 --> 15:18.010
You say?

15:18.010 --> 15:18.850
Yes.

15:26.340 --> 15:26.850
Goes to.

15:28.490 --> 15:29.600
When that happens.

15:30.970 --> 15:31.570
In the end.

15:32.350 --> 15:33.850
No, I forgot to show you something else.

15:33.860 --> 15:34.230
Wait.

15:34.330 --> 15:36.040
Forgot to show you the actual stuff.

15:37.890 --> 15:39.900
This is the debug IPsec ICMP, right.

15:40.230 --> 15:41.460
Let's check the debug.

15:44.940 --> 15:49.620
Now I want to see exactly from the start clear crypto sessions.

15:54.250 --> 15:55.420
Let's remove this whole thing.

15:59.420 --> 16:00.760
The sessions.

16:04.910 --> 16:05.720
The tunnel is clear.

16:06.350 --> 16:09.860
I want to see the exchange which takes place because of debug.

16:09.860 --> 16:12.260
Because you won't have Wireshark available to you all the time.

16:13.790 --> 16:15.050
You ought to work on Debugs.

16:33.070 --> 16:34.180
I'll copy this.

16:36.080 --> 16:36.830
The links.

16:39.370 --> 16:42.460
From here and paste it here.

16:45.490 --> 16:50.080
These are the debugging messages, all of them, which happen when your ISAKMP is getting formed.

16:50.630 --> 16:50.820
Right.

16:50.830 --> 16:53.200
So you'll see a peer struct has been created.

16:53.200 --> 16:54.880
Local port that I'm using is 500.

16:54.880 --> 16:57.100
Destination port is 500 again.

16:57.520 --> 16:57.880
Right.

16:57.880 --> 16:59.770
I'm getting a message from the peer.

16:59.770 --> 17:06.820
My ISAKMP is ready and there is a vendor ID NAT-T that has been detected, a lot of things.

17:06.850 --> 17:08.260
The important part is not this.

17:08.460 --> 17:12.430
I'll show you what policies checking the transform set against the priority.

17:12.430 --> 17:15.430
So he gets the priority from there and he's checking it against this.

17:16.420 --> 17:16.840
Right.

17:16.840 --> 17:18.610
And he says it is acceptable.

17:18.970 --> 17:20.680
This is ISAKMP policy.

17:20.680 --> 17:23.440
Whatever I'm receiving from the other side is acceptable to me.

17:23.770 --> 17:24.280
Right.

17:24.310 --> 17:28.750
Then the lifetime that they have agreed upon, 86400.

17:28.780 --> 17:33.610
If the other side's lifetime is less, it doesn't mean that the negotiations will fail.

17:33.610 --> 17:35.470
The lower one will be negotiated.

17:36.340 --> 17:41.180
So the other side, if one of the side will choose the lifetime, let's say 12 hours, both of them

17:41.180 --> 17:42.470
will negotiate on 12 hours.

17:42.470 --> 17:43.640
That's what he's doing here.

17:44.510 --> 17:45.050
Okay.

17:45.080 --> 17:49.030
Then again, certain IDs which are not used; constructed NAT-T.

17:52.120 --> 17:52.690
Is canceled.

17:52.690 --> 17:53.260
Pignati.

17:53.290 --> 17:55.000
What is he constructing inside NAT-T?

17:55.300 --> 18:00.580
The actual source address and sending it to the other side.

18:00.610 --> 18:02.050
The other side receives it.

18:02.980 --> 18:04.330
Receive packet from the other side.

18:04.330 --> 18:04.860
500.

18:04.870 --> 18:05.500
500.

18:05.530 --> 18:09.670
In that packet will be the information that NAT is happening.

18:09.670 --> 18:14.460
So you will see that it says NAT detected or not found.

18:14.470 --> 18:14.610
Yeah.

18:14.650 --> 18:15.190
Right here.

18:16.030 --> 18:17.560
And it receives the packet back.

18:20.400 --> 18:21.150
Says what?

18:21.690 --> 18:23.340
This happens at the end of the fourth batch.

18:24.450 --> 18:28.080
He sees that the NAT has been found; when he sees the NAT has been found,

18:28.110 --> 18:29.790
You see that he will move to.

18:32.570 --> 18:35.420
From 500 to 4500.

18:36.560 --> 18:38.390
So what happened and everything.

18:38.900 --> 18:40.580
I'll explain that right now.

18:40.580 --> 18:42.380
It's how it happens with UDP.

18:42.500 --> 18:46.460
So all nine packets of ISI, the first four will be 500.

18:46.550 --> 18:49.190
The rest of them will be 45.

18:50.210 --> 18:51.860
But what happens with ESP?

18:52.040 --> 18:53.420
That's what we want to see, right?

18:53.450 --> 18:55.010
Let's open it on Wireshark and see.

19:00.930 --> 19:03.070
Remember the color of ESPs used to be What?

19:06.730 --> 19:09.990
It used to be white, colorless.

19:11.010 --> 19:11.970
Now it's still blue.

19:12.330 --> 19:17.850
While it's still blue, If you open the packet and you have a look at it, you'll see something strange.

19:18.990 --> 19:19.930
IPv4.

19:21.420 --> 19:25.620
It used to be IPv4 and ESP before.

19:25.620 --> 19:26.270
Before NATting.

19:26.490 --> 19:27.030
Before NATting.

19:27.930 --> 19:29.940
So it's using UDP four five.

19:30.420 --> 19:35.280
This is the UDP 4500 which is added, which is an extra Add.

19:36.270 --> 19:39.870
It's an add-on between your IPv4 and ESP.

19:43.070 --> 19:43.480
Right.

19:43.850 --> 19:46.090
Earlier it used to be IPv4 and ESP.

19:46.100 --> 19:52.650
So in the ACL you used to specify permit this from source this to this, and the protocol is highest.

19:52.940 --> 19:54.770
Now it's not the same.

19:55.040 --> 20:04.550
Now it's permit from the source of 34.4 to the destination of 23.1 and 4500 to 4500.

20:04.550 --> 20:06.890
So if you permit that, it will go through the ACL.

20:08.480 --> 20:11.240
You don't have to worry about what is coming after that.

20:14.190 --> 20:15.040
Do you understand?

20:15.610 --> 20:20.200
When the ACL, when your router is doing his routing, when he's making a routing decision, he does

20:20.200 --> 20:22.450
his decisions based on what the header?

20:23.080 --> 20:24.850
What header is visible to him?

20:27.760 --> 20:28.840
The public header, right?

20:34.830 --> 20:34.980
This.

20:38.390 --> 20:41.420
So when he does it, this header is visible to him.

20:44.060 --> 20:44.290
Right.

20:44.300 --> 20:50.030
Earlier it was IPv4 and this was not there.

20:53.720 --> 20:54.050
Right.

20:54.320 --> 21:00.120
So when you allow through the, you allow IP address from this to this, which protocol? ESP protocol, and

21:00.140 --> 21:00.560
is done.

21:01.640 --> 21:03.860
So is it let's say this.

21:03.860 --> 21:04.130
No.

21:04.940 --> 21:05.690
Why is it less safe?

21:06.920 --> 21:07.670
What is visible?

21:07.670 --> 21:09.290
This is just you added it.

21:10.430 --> 21:11.300
There is no extra.

21:11.330 --> 21:12.470
There is no information in here.

21:13.100 --> 21:15.700
It's not telling you what is the actual port number you're using inside.

21:17.000 --> 21:20.840
It's just there so that now when NATting occurs, it will occur here.

21:20.840 --> 21:24.650
If PATting occurs, you have an additional 4500 for PATting.

21:28.210 --> 21:31.680
You can change this 45, which will not affect the hash.

21:31.990 --> 21:38.050
Even if this was H here, H will do hashing from here onwards.

21:38.080 --> 21:40.120
UDP encapsulation of IPsec packets.

21:41.740 --> 21:45.320
It will not go to the other headers because now you have H.

21:45.340 --> 21:47.830
You have given him a header on the right side, Left side.

21:47.830 --> 21:51.670
He already has the header, so we'll hash that part.

21:52.430 --> 21:54.520
So what, what do we have on the left side?

21:55.780 --> 21:58.750
The public access and let me write down the header here.

21:59.110 --> 22:01.000
See the header from coming from R4.

22:01.390 --> 22:02.470
It will look like this.

22:04.120 --> 22:07.810
Let's say ten .1.1.1.4.4.4.

22:08.140 --> 22:10.180
Going to 10.1.1.1.

22:10.180 --> 22:15.880
Now it can be ICMP or it can be anything, it can be TCP or ICMP or whatever you send it, right?

22:16.000 --> 22:17.590
It will be encapsulated using what?

22:19.900 --> 22:25.060
ESP but since that has been detected on top of this will also apply.

22:26.650 --> 22:30.580
First, it's called UDP encapsulation of IPsec packets then.

22:32.860 --> 22:35.950
4500, 45.

22:37.060 --> 22:40.870
And then your actual IP header, which is like the public header.

22:44.600 --> 22:45.180
Yes.

22:45.850 --> 22:46.810
Yes.

22:47.000 --> 22:49.130
Now, this is this packet is for the external.

22:49.250 --> 22:53.480
They can play around with it, do whatever they want with this part of the traffic, which is going

22:53.480 --> 22:57.680
from 34.4 to 23.10.

22:58.040 --> 23:03.530
Since this packet is not hashed, it's open and the port numbers earlier.

23:03.530 --> 23:09.410
Remember the problem with ESP was there was no port number available, so I could not do PATting because

23:09.410 --> 23:11.750
it was IP, then ESP and then encryption.

23:11.780 --> 23:14.360
There's nothing in the middle where I could pack for PATting.

23:14.360 --> 23:15.370
You need port numbers.

23:15.380 --> 23:17.570
That's why I added those port numbers on top of this.

23:17.570 --> 23:20.420
This is why did I add a UDP on top of that one?

23:20.420 --> 23:24.680
Because I want to prevent the H because H does it on the right and the left.

23:24.680 --> 23:26.450
So H would do it for this guy also.

23:26.450 --> 23:27.230
And this guy also.

23:28.220 --> 23:29.150
That's why I give him this.

23:29.150 --> 23:30.170
And this is never changed.

23:30.170 --> 23:32.240
Even if PATting is happening, this part will change.

23:33.610 --> 23:33.790
Good.

23:35.320 --> 23:35.620
Sorry.

23:38.030 --> 23:38.510
Empty you.

23:40.700 --> 23:44.770
You think this is empty?

23:45.850 --> 23:46.240
Yeah.

23:46.810 --> 23:49.630
It has no valuable information in there.

23:53.970 --> 23:54.330
Thank you.

23:55.100 --> 23:55.800
Oh, there's another one.

23:59.260 --> 24:00.390
The 4501.

24:00.420 --> 24:00.750
This one.

24:04.710 --> 24:05.100
Something.

24:05.850 --> 24:06.600
There's nothing in there.

24:07.300 --> 24:10.180
Just an empty header right there for.

24:15.080 --> 24:16.730
Okay, let's do it.

24:19.750 --> 24:21.280
What happens when you have PAT?

24:23.110 --> 24:23.270
And.

24:24.510 --> 24:25.310
Uh huh.

24:25.610 --> 24:29.110
Okay, so in PATting, what you would do is.

24:31.450 --> 24:32.950
You would have this address.

24:36.780 --> 24:41.370
You have this address bound to a PATted address.

24:41.370 --> 24:47.370
151.23. Let's say the interface address at port number you bind it to, for example, 500.

24:49.770 --> 24:49.870
Right.

24:49.920 --> 24:51.990
So when you create a tunnel from here, you will be creating it.

24:51.990 --> 24:52.520
With whom?

24:53.940 --> 24:54.570
500.

24:54.600 --> 24:59.490
When the actual tunnel is created, whatever traffic is going out from now, whatever traffic will come

24:59.490 --> 25:00.270
out from here.

25:00.390 --> 25:01.050
Right.

25:01.080 --> 25:04.410
Let's say I want to.

25:06.890 --> 25:08.720
Create a tunnel and I want to send traffic.

25:08.750 --> 25:09.560
The tunnel is up.

25:09.770 --> 25:12.890
I want to send traffic to 10.4.4.4, which is telnet.

25:15.950 --> 25:17.300
Horizontal Internet traffic, right.

25:18.320 --> 25:19.760
Your NAT detection is on.

25:21.290 --> 25:22.550
PATting is happening here.

25:23.030 --> 25:29.660
So my traffic will go from 150.1., let's say, not.

25:29.660 --> 25:35.600
Well, let's say my traffic is going from 192.168.15.1.

25:35.600 --> 25:36.350
Going to.

25:38.670 --> 25:41.570
34.4, source port.

25:42.870 --> 25:46.590
4500 destination port the UDP.

25:47.940 --> 25:54.570
And then the actual ESP which is protected from then on when it hits the router.

25:55.170 --> 25:59.790
The moment it hits the router, the router doesn't just change this, it changes this with the interface

25:59.790 --> 26:04.230
address in PAT, in case of PAT, which is one dot 23.2.

26:04.440 --> 26:14.370
It also changes which part? The source port, to any random number, 1024, and then the packet will move to

26:14.370 --> 26:15.720
where? To R4.

26:16.350 --> 26:18.600
If it was ESP, this was not available to him.

26:19.740 --> 26:22.410
These port numbers were not available to him so he could not do it.

26:22.440 --> 26:23.340
He would drop the packet.

26:31.560 --> 26:31.770
Great.

26:34.670 --> 26:36.750
They is the reply.

26:36.770 --> 26:37.250
Yeah.

26:37.550 --> 26:38.600
The reply will come.

26:38.600 --> 26:39.140
To what?

26:40.280 --> 26:45.230
Coming from 4502 when this packet hits the router.

26:46.580 --> 26:47.960
What is the router going to do?

26:49.140 --> 26:50.420
Change it back to what?

26:51.470 --> 26:52.340
Remove this.

26:52.370 --> 26:53.510
Change it back to.

26:54.950 --> 26:58.100
So when the packet goes to R1, it will still be 45.

26:59.710 --> 27:04.700
This is for the telnet, for it is inside ESP.

27:05.780 --> 27:07.460
That is right there inside ESP.

27:07.460 --> 27:09.170
So that decapsulation it does.

27:09.200 --> 27:14.090
Then he finds the actual port number and then he sends to the actual number that is hidden behind the

27:14.090 --> 27:14.320
ESP.

27:16.830 --> 27:17.700
Any questions?

27:18.960 --> 27:19.560
Detection.

27:23.230 --> 27:26.940
In in for initiated traffic.

27:26.980 --> 27:29.190
You want to see how it looks like from afar?

27:31.650 --> 27:32.400
Yes.

27:34.330 --> 27:34.710
Alpha.

27:34.740 --> 27:35.390
Alpha is what?

27:35.400 --> 27:35.910
Static.

27:36.420 --> 27:37.710
Starting the exchange.

27:37.710 --> 27:38.280
Same.

27:38.790 --> 27:42.630
There'll be no change if he goes to.

27:42.630 --> 27:48.000
Let's say he's coming from 150.1.23, sorry.

27:48.030 --> 27:55.770
34.4 going to 151.23, 23.10.

27:57.390 --> 27:57.680
Right.

27:57.690 --> 28:03.000
And starting from first they'll start for 500 to 500, the first part for UDP.

28:03.000 --> 28:08.670
Then they will negotiate it, they will negotiate it, then they'll come back and start the exchange

28:08.670 --> 28:13.530
onwards 4500 to 4500.

28:14.370 --> 28:16.920
Here the destination will always be 4500.

28:16.920 --> 28:23.170
And since here, since here, you're using 4500 for R1, you will bind the two ports.

28:23.170 --> 28:26.590
You will keep 500, 4500 open so that no one else uses it.

28:28.700 --> 28:28.870
Right.

28:28.880 --> 28:32.390
When the packet hits 45, he will not change 45 to anywhere.

28:32.390 --> 28:34.490
He'll keep it as 45 and move it back to.

28:37.190 --> 28:38.810
You don't want 45 to change, right?

28:39.740 --> 28:45.020
The destination port here should not change, but the packet is coming back in, why?

28:45.020 --> 28:50.900
When it reaches R1, it should reach at which port number? R1 will only understand it if he's coming

28:50.900 --> 28:52.190
back at 4500.

28:54.620 --> 28:55.640
PATting happens when?

28:56.510 --> 28:57.710
What is the whole point of PAT?

28:58.400 --> 29:00.650
People can go out coming in.

29:00.680 --> 29:01.970
It doesn't affect anything.

29:02.780 --> 29:04.460
It's that going out.

29:04.760 --> 29:07.820
I want the source to be changed to an address.

29:11.380 --> 29:11.740
I do.

29:12.640 --> 29:13.090
I do.

29:14.440 --> 29:15.150
I do.

29:15.160 --> 29:20.380
I am using PAT so that whoever is coming out can use the interface address.

29:23.580 --> 29:24.040
Y z.

29:24.570 --> 29:25.740
Static PAT, right?

29:26.010 --> 29:27.120
Have you done static PAT?

29:27.640 --> 29:28.890
What does static PAT do?

29:28.920 --> 29:32.730
You link the outside addresses one port number to a service inside.

29:34.020 --> 29:42.960
So 151.23.2 port number 4500 is linked to 192.168.12.1 14 port number 4500.

29:43.440 --> 29:45.810
So anything is coming to 4500.

29:45.930 --> 29:47.820
It will go into 4500 on R1.

29:47.820 --> 29:49.230
You will also do it for 500.

29:50.220 --> 29:53.070
So if it's coming on 500 or 4500, you'll move it.

29:53.070 --> 29:58.380
Where to? R1 at port 500, 4500 respectively.

29:59.300 --> 30:01.940
And in the future it will be thousands.

30:03.260 --> 30:04.250
That is going out.

30:05.210 --> 30:05.550
Going out.

30:05.600 --> 30:06.090
Going out.

30:06.320 --> 30:07.490
The packet that goes out.

30:08.900 --> 30:09.590
That packet.

30:09.620 --> 30:09.920
Yes.

30:09.920 --> 30:15.740
If the return comes to that older port number that he used, this will change after.

30:16.920 --> 30:17.570
After what?

30:19.610 --> 30:20.840
Why is it different?

30:20.900 --> 30:21.620
It's supposed to be.

30:22.820 --> 30:23.180
This one.

30:24.140 --> 30:25.100
Even from Marco.

30:25.130 --> 30:27.920
To see the problem with this.

30:28.430 --> 30:29.510
When you're going from R4.

30:29.900 --> 30:30.110
Right?

30:30.110 --> 30:31.130
When you're going from R4.

30:31.160 --> 30:33.260
He said that we initiate the tunnel from outside.

30:34.040 --> 30:39.080
If you're initiating the tunnel from outside, do you know what source port number is open here on R1?

30:39.530 --> 30:40.760
You don't know the source port.

30:41.000 --> 30:44.990
So what you do is you bind 4500, 500 from here to outside.

30:45.740 --> 30:52.940
You say if I send a packet on R2, you say if I send a packet to R2 address at port number 4500, that

30:52.940 --> 30:56.420
port that should be forwarded to R1 at port number 4500.

30:57.620 --> 31:04.350
And you say if I forward the packet to 500, that should be again forwarded to 192.168.12.1 at port

31:04.350 --> 31:05.910
number 500.

31:06.810 --> 31:12.060
So from outside I will still send it on 500, 4500, but when it reaches here it knows 4500.

31:12.060 --> 31:18.180
He has to put he removes it and put it back back again, but he moves it back to R1 static packet.

31:21.250 --> 31:21.820
Do you understand

31:24.670 --> 31:25.030
where

31:27.970 --> 31:29.500
there's another router who does what?

31:29.530 --> 31:29.990
Nothing.

31:33.280 --> 31:34.030
There's another router.

31:34.060 --> 31:34.390
Yeah.

31:37.150 --> 31:38.680
Then he'll do his own normal routing.

31:39.560 --> 31:44.830
If there's another router here, let's say R7, connected to whom?

31:46.240 --> 31:47.260
Yeah, that's what I'm saying.

31:47.620 --> 31:47.820
Okay.

31:47.830 --> 31:49.300
Between these two, there's another router.

31:51.470 --> 31:51.770
Yeah.

31:52.910 --> 31:53.600
I have another router.

31:53.630 --> 31:57.650
Okay, then what about.

32:00.470 --> 32:02.760
What is the port number is 45.

32:02.780 --> 32:03.860
It will always go to our.

32:09.140 --> 32:10.910
There is another VPN configured on.

32:13.250 --> 32:14.690
Then you will have to use policy

32:14.690 --> 32:14.930
NAT.

32:16.370 --> 32:17.030
In policy

32:17.030 --> 32:22.160
NAT, you have to say if it's coming from 34, then it should go to R1.

32:22.490 --> 32:27.740
If it's coming from 34 and it's coming to port number 4500 or 500, it should go to R1.

32:27.770 --> 32:31.910
If it's coming from some other router, the one which you have created the tunnel with and it's going

32:31.910 --> 32:37.490
to 4500 or 500, it should go to policy BBR

32:40.490 --> 32:42.980
that with NAT you need to do it for nothing.

32:45.370 --> 32:45.810
No, no, no.

32:45.830 --> 32:46.580
This is a policy

32:46.580 --> 32:51.590
NAT. When you say NAT inside source, you say change it here using an access list.

32:57.570 --> 33:00.400
And then I don't want to change the next hop.

33:00.420 --> 33:02.490
He says, I want to change the map.

33:02.520 --> 33:06.900
See, what he's trying to say is, when you do that, right, what are you doing with PAT?

33:06.930 --> 33:18.990
You're saying 151.23.2 port number 500 should take me to 192.168.15.1 port number 500.

33:19.890 --> 33:23.060
And they also say 151.23.

33:23.070 --> 33:30.060
If someone is coming at 4500, you should also take me to the same one at 4500 so that the exchange

33:30.060 --> 33:30.570
is complete.

33:30.600 --> 33:31.590
This is PAT, static.

33:31.590 --> 33:34.890
PAT static: statically bind these two together.

33:35.970 --> 33:43.020
What you could also do is you could say, okay, if it comes here, not only this, I have a condition

33:43.020 --> 33:55.530
now, if his destination is this and his source is 151.34.0, if these two match in an access

33:55.530 --> 33:56.550
list, I'll specify it.

33:56.590 --> 34:00.910
If it's coming from this source to this destination or this source to this destination, it should be

34:00.910 --> 34:08.140
NATed to 192.168.25.1 port number 500 or 4500.

34:09.020 --> 34:09.520
I'm not.

34:11.480 --> 34:13.280
And as it comes.

34:13.460 --> 34:18.770
I'll also say if it's coming to the same port numbers using a different source from the outside.

34:18.980 --> 34:24.910
If the source is different, then it should take me to the other router, R2, which is also running 4500

34:24.920 --> 34:25.400
and 500.

34:27.560 --> 34:28.400
Policy NAT.

34:40.350 --> 34:42.630
With policy NAT you can do policy.

34:44.970 --> 34:46.290
That's why I said policy NAT, right?

34:53.960 --> 34:55.160
Have you ever seen policy

34:55.160 --> 34:56.210
NAT, how it works?

34:57.080 --> 34:59.570
Policy NAT, right? Policy NAT works in this scenario.

34:59.570 --> 35:00.560
That's the exact scenario.

35:04.560 --> 35:06.350
I think that will not work.

35:06.350 --> 35:08.900
Dynamic PAT, static PAT does not work.

35:08.930 --> 35:12.800
That's why I said those ones will not, because one port number you'll only be able to bind to one

35:12.800 --> 35:13.370
source.

35:13.520 --> 35:20.270
But if you use the source as an access list and you send that to this address only if the access list

35:20.270 --> 35:20.930
matches.

35:21.320 --> 35:22.580
I'll show you how that is done.

35:23.450 --> 35:31.370
The command for that is you would say ip nat inside source static.

35:31.400 --> 35:36.500
You also have an address for an access list.

35:37.730 --> 35:39.080
Source list.

35:41.070 --> 35:46.770
If the source is the access list and the access list, you specify exactly coming from this source to

35:46.770 --> 35:47.430
this destination.

35:47.430 --> 35:53.610
If that matches, if the list is, let's say 101, then the destination should be what either the pool

35:53.610 --> 35:58.890
or the interface address source will be from that particular address.

35:58.890 --> 36:01.650
Destination will be port number 500 or 4500.

36:01.650 --> 36:05.100
Both if it's 500, then you keep it at 500.

36:05.100 --> 36:07.770
If it's 4500, you'll keep it at 4500.

36:13.340 --> 36:13.830
And you?

36:18.610 --> 36:22.140
Just didn't have a sweet table.

36:23.240 --> 36:24.730
But we will take.

36:24.820 --> 36:25.170
Yeah.

36:25.300 --> 36:26.350
According to the table.

36:29.020 --> 36:29.710
Yes.

36:31.950 --> 36:32.530
I think.

36:37.790 --> 36:38.420
And that.

36:41.840 --> 36:44.180
Not if you're only using static.

36:44.480 --> 36:44.810
No.

36:45.320 --> 36:46.430
With static PAT?

36:46.460 --> 36:48.470
No, but it is possible to do that.

36:53.840 --> 36:56.520
That is also a kind of PAT.

36:57.900 --> 36:59.100
That is also a kind of PAT.

36:59.460 --> 37:03.690
Which is an additional thing they have added on to PAT, normal static PAT.

37:03.720 --> 37:04.440
You cannot.

37:04.470 --> 37:05.910
That's why they brought policy

37:05.910 --> 37:08.250
NAT. Right.

37:09.810 --> 37:15.090
NAT. NAT would not happen anyways, but it would happen with one host.

37:15.090 --> 37:19.460
But now you have two hosts; with two hosts, PAT will also fail.

37:19.470 --> 37:26.700
So what comes further is policy PAT, policy NAT, where you can specify if it's from this source to destination,

37:26.910 --> 37:29.040
this destination, then change it.

37:30.630 --> 37:31.170
Okay.

37:31.590 --> 37:38.160
It's easier on the firewall. On the firewall, they have something known as twice NAT. All right.

37:38.160 --> 37:39.630
So you can do that there.

37:39.630 --> 37:42.870
If you're using NATing on a firewall, you can do it there.

37:42.870 --> 37:44.640
Also on the router it is possible.

37:46.830 --> 37:48.480
Okay, Clear.

37:48.570 --> 37:49.110
Is this clear?

37:49.110 --> 37:55.800
The whole concept of NAT: the detection happens in three and four.

37:55.830 --> 38:01.530
The process which happens after that is known as NAT, NAT traversal.

38:03.690 --> 38:05.400
We are traversing now through NAT.

38:05.550 --> 38:08.460
NAT is happening, but we are still traversing using the tunnel.

38:10.920 --> 38:11.310
Okay.

38:13.670 --> 38:14.450
See also.

38:17.170 --> 38:18.500
No, no, no.

38:18.520 --> 38:19.000
That's different.

38:19.110 --> 38:19.930
That's nine zero.

38:20.060 --> 38:20.740
That's one of our.

38:22.090 --> 38:23.090
That's our identity.

38:23.160 --> 38:23.320
That.

38:27.790 --> 38:31.480
Right, NAT traversal. Because nothing was happening, right?

38:31.780 --> 38:34.030
My ISP would not be able to do nothing.

38:34.910 --> 38:35.800
ISP was.

38:35.800 --> 38:38.820
ISP did not have nothing.

38:40.960 --> 38:41.890
Yeah, I think so.

38:42.520 --> 38:43.630
It wouldn't do nothing.

38:43.660 --> 38:44.930
ISP would do that.

38:46.710 --> 38:47.030
Yes.

39:00.820 --> 39:01.270
Complicated.

39:03.990 --> 39:06.630
So that's what it does automatically.

39:07.500 --> 39:09.780
It uses... I don't specify 500.

39:09.780 --> 39:12.450
Also, do I specify 500 anywhere?

39:13.230 --> 39:14.640
I do not specify 500.

39:15.690 --> 39:16.770
It automatically goes.

39:16.980 --> 39:18.720
It will always go to 4500.

39:18.720 --> 39:21.660
It will not go to 4600 or 4501.

39:21.660 --> 39:27.570
The protocol is defined in a way so that when it doesn't go to 500, it goes to 4500.

39:27.600 --> 39:35.550
If you check your access list, it is also called non-ISAKMP something, non-ISAKMP list, non-500 ISAKMP;

39:37.770 --> 39:40.860
port number 4500 is also called non-500.

39:41.040 --> 39:43.320
Non-500 means 4500 ISAKMP.

39:43.860 --> 39:46.850
So I start the traffic.

39:47.790 --> 39:51.050
Apple would reply to the 2005.

39:51.500 --> 39:53.940
Yeah, but it's hard for such traffic.

39:54.600 --> 39:59.480
The traffic at 4500 is only 4500.

39:59.820 --> 40:00.360
Yes.

40:00.540 --> 40:02.190
The thing is you wouldn't even do that.

40:02.190 --> 40:08.890
Most times when you do this you'll always reserve port numbers for inside to outside; reserve 500 and 4500.

40:08.890 --> 40:11.710
So when he's going out, he's not, PAT will happen.

40:11.710 --> 40:14.350
But if he's going from 500 he will be stuck with 500.

40:14.350 --> 40:19.450
He'll give him 500 also, or to make it, it will work without that also.

40:19.450 --> 40:22.210
But that will mean that you can only initiate the tunnel from inside.

40:22.210 --> 40:26.320
For this case, you would still need to do it if you want to enable from the outside.

40:26.440 --> 40:31.780
If you don't book the port numbers for 500 and 4500, you would not be able to create the tunnel from

40:31.780 --> 40:32.110
outside.

40:34.080 --> 40:34.290
Right.

40:34.290 --> 40:36.920
Because when 4500 comes here, he doesn't know what to map.

40:37.950 --> 40:39.240
So he would drop the packet.

40:39.750 --> 40:48.390
So in any case, the better scenario would be you bind 192.168.12.1 to port numbers 500 and 4500 on the outside

40:48.400 --> 40:48.750
address.

40:51.000 --> 40:52.230
Then it's possible.

40:53.860 --> 41:06.400
Statically bind this to 23.0 1020 3.2 at port number 4500 and 500.

41:09.020 --> 41:15.410
So they should take me to 192.168.2.14, number 4500.

41:18.790 --> 41:21.240
192.168.12.1 port number.

41:27.840 --> 41:28.070
Right.

41:29.860 --> 41:30.730
One more thing.

41:31.090 --> 41:33.040
If you check your show crypto ipsec.

41:37.430 --> 41:40.310
You should see in that the port numbers that you're using.

41:41.990 --> 41:43.160
And I've not changed it.

41:43.340 --> 41:43.970
I'll change it in.

41:44.990 --> 41:46.090
Here, you will not see it.

41:46.100 --> 41:47.690
You'll see it under the interfaces.

41:47.990 --> 41:49.130
I'll show you how to do that.

41:53.360 --> 41:54.710
The port that it's using.

41:54.710 --> 41:58.160
IPsec. The port that my IPsec is using is which one?

41:58.610 --> 41:59.090
45.

42:00.380 --> 42:02.180
Because now it's UDP encapsulation.

42:03.860 --> 42:04.100
Good.

42:06.580 --> 42:06.950
What be.

42:09.030 --> 42:14.850
But we shall not; Checkpoint, it's different, and some other firewalls, it's different.

42:15.780 --> 42:24.180
This is also the same. From 8.2 onwards it changed, but before 8.2 it was ACL first, then NAT, but

42:24.180 --> 42:29.040
that caused problems later because you had to use the Nat addresses, not the real ones.

42:29.040 --> 42:30.900
So they moved it back to 8.4.

42:31.370 --> 42:32.250
They did nothing.

42:32.250 --> 42:34.650
That's a different scenario, right?

42:36.150 --> 42:36.370
Okay.

42:39.430 --> 42:39.690
Oh.

42:42.230 --> 42:42.560
Okay.

42:43.400 --> 42:43.850
It's all right.

42:43.910 --> 42:45.710
Thought the recording was not happening, but that's.
