WEBVTT

00:02.230 --> 00:04.060
So site-to-site tunnels using.

00:07.120 --> 00:11.080
This is going to be the whole purpose to create this tunnel.

00:21.300 --> 00:25.560
192.168.1.0/24.

00:28.220 --> 00:28.640
LA.

00:28.730 --> 00:31.640
My job is the same thing as before.

00:31.760 --> 00:40.040
I want to make sure that 10.1 communicates to 10.3 right over the internet.

00:41.310 --> 00:44.060
Now is go long back.

00:44.750 --> 00:46.500
We've been using them from a long time.

00:46.520 --> 00:48.760
These are virtual tunnels, right?

00:49.130 --> 00:54.980
Which support connectivity between your private networks over your public cloud, without encryption,

00:54.980 --> 00:55.910
without anything.

00:56.270 --> 00:58.910
It's the most simplest form of a tunnel.

01:00.230 --> 01:01.250
Let's see how it's done.

01:01.280 --> 01:02.540
My config is done.

01:03.170 --> 01:06.860
151 .13.3 I can reach from R1 to R3.

01:09.500 --> 01:09.730
Okay.

01:10.760 --> 01:12.080
How do you create a tunnel?

01:14.020 --> 01:15.340
Interface tunnel zero.

01:15.430 --> 01:18.790
Now, this zero can be any arbitrary number.

01:19.120 --> 01:20.170
It is a local number.

01:20.170 --> 01:22.030
It doesn't have to be the same on both sides.

01:22.600 --> 01:24.010
Just like loopback zero.

01:24.040 --> 01:24.870
Loopback one.

01:24.880 --> 01:26.470
It is also just a number.

01:27.130 --> 01:27.340
Right.

01:27.370 --> 01:28.360
So I'll choose zero.

01:29.530 --> 01:34.120
IP address 192.168.1.1.

01:37.700 --> 01:44.960
Tunnel source is the public address, which is 151 .15.1.

01:45.050 --> 01:51.590
You could also say tunnel source FastEthernet 0/0, pointing towards the interface's address. Tunnel

01:51.590 --> 01:52.460
destination.

01:54.400 --> 01:55.750
What is the final destination?

01:58.810 --> 02:00.280
23.3.

02:01.400 --> 02:10.540
But if you check your route now, you'll see a new connected interface in your running config.

02:11.890 --> 02:16.210
This interface has the address of 192.168.1.0.

02:18.100 --> 02:22.030
Let me go to the other side then I'll explain how it works.

02:22.540 --> 02:23.980
Here also I'll say Interface tunnel.

02:24.460 --> 02:27.850
I'll use one IP address.

02:27.850 --> 02:31.150
192168.1.21.3.

02:31.990 --> 02:39.790
Since it's our tunnel source, from here is what? FastEthernet 0/0. Tunnel destination, since it's a

02:39.790 --> 02:44.680
remote destination, cannot be FastEthernet, cannot be a local interface, it has to be an IP address.

02:44.680 --> 02:45.970
So 12.1.

02:49.790 --> 02:53.990
To see your tunnel up, you ping the other endpoint of the tunnel.

02:58.180 --> 02:58.720
Too quick.

02:59.500 --> 03:00.460
How does this work?

03:04.240 --> 03:05.560
It's as simple as this.

03:06.370 --> 03:14.320
From one side, when you configure interface tunnel zero, what you're actually doing is you're creating

03:14.320 --> 03:15.040
a public header.

03:18.830 --> 03:22.790
The public header that you are creating will be the source which you mentioned.

03:22.970 --> 03:25.040
The source was 12.1.

03:25.910 --> 03:30.710
The destination that you mentioned was what, 23.3.

03:31.670 --> 03:36.320
And on top of this will be a GRE header.

03:40.070 --> 03:41.570
What is this header attached?

03:47.480 --> 03:48.050
Of what?

03:51.390 --> 03:51.920
We're typing.

03:54.680 --> 03:55.670
Check your routing tables.

03:58.510 --> 03:59.800
If you check your routing table.

04:01.210 --> 04:02.590
Do you see this?

04:03.490 --> 04:04.510
What does this mean?

04:06.420 --> 04:08.310
When in your routing table you see an interface.

04:08.310 --> 04:09.060
What does that mean?

04:11.680 --> 04:18.700
That means any traffic, anything that is going towards 151 .15.0 will leave from the interface fast

04:18.700 --> 04:19.630
Ethernet zero zero.

04:20.620 --> 04:24.100
Any traffic that is going towards ten 110, although it is a loopback.

04:24.100 --> 04:28.340
If it was an interface, it would mean that it is leaving from loopback zero.

04:28.360 --> 04:34.210
Similarly, any traffic going to the network of 192.168.1.0.

04:35.650 --> 04:39.190
So when I ping 192.168.1.2, where am I trying to go?

04:39.220 --> 04:40.720
I'm trying to go to this network.

04:41.470 --> 04:47.020
It's going to leave from tunnel zero. Is tunnel zero a physical interface?

04:47.650 --> 04:49.270
It's not a physical interface.

04:50.590 --> 04:54.100
So when he sees tunnel zero, he attaches to this tunnel zero.

04:55.360 --> 05:00.040
So Interface tunnel zero to this tunnel zero is attached.

05:00.310 --> 05:04.540
The source, the destination and the header.

05:06.250 --> 05:12.530
Which source, destination? 12.1 to 23.3, and the header is attached.

05:13.310 --> 05:16.150
We will move back to back.

05:17.810 --> 05:19.430
So it's not different from a loopback.

05:20.630 --> 05:21.140
It's not.

05:21.170 --> 05:22.250
It's just that loopback.

05:22.250 --> 05:25.130
When I ping loopback, he knows that it's directly connected to me.

05:25.130 --> 05:26.480
So he just pings himself.

05:27.350 --> 05:30.770
When he pings a loopback he pings himself when he sees a tunnel.

05:30.800 --> 05:31.250
Zero.

05:32.060 --> 05:34.130
Because loopback has no configuration, right?

05:34.580 --> 05:36.290
Loopback has no source, no destination.

05:36.290 --> 05:41.690
So he goes into the loopback, sees there's an IP and pings that IP here, when he sees tunnel zero,

05:41.690 --> 05:44.540
he goes into the configuration of tunnel zero checks out.

05:44.540 --> 05:45.350
What is the source?

05:45.350 --> 05:51.440
What is the destination that I need to attach attaches that with the header because the tunnel type

05:51.440 --> 05:53.210
by default is GRE.

05:53.270 --> 06:04.160
We can change it, but by default the type is GRE, so attaches the source, attaches the destination,

06:04.160 --> 06:05.560
attaches the GRE header.

06:05.570 --> 06:12.050
Now any traffic that is going to the destination network of 192.168.1.0 will have that header attached

06:12.080 --> 06:12.920
on top of that.

06:13.340 --> 06:15.350
So your actual packet will look like this.

06:17.920 --> 06:27.160
The packet will be going from 192.168.1.1 to 192.168.1.2.

06:27.490 --> 06:32.200
This will be your actual header when it's supposed to make the routing decision of which interface to

06:32.200 --> 06:32.650
leave from.

06:32.650 --> 06:34.660
He finds out that is tunnel zero.

06:34.660 --> 06:36.460
When he sees that tunnel zero it attaches.

06:36.460 --> 06:36.940
What?

06:39.690 --> 06:43.680
And the source and destination, which is 12.1 to 23 dot.

06:44.970 --> 06:47.100
The packet leaves reaches R2.

06:47.560 --> 06:51.690
R2 makes the routing decision based only on the public source and public destination.

06:51.840 --> 06:55.160
Although he sees inside, he doesn't go inside.

06:55.170 --> 06:56.070
He doesn't need to.

06:57.630 --> 06:58.590
R2 is the internet.

06:59.100 --> 07:02.250
No, that is the whole problem.

07:03.660 --> 07:04.470
That is the whole problem.

07:04.470 --> 07:05.520
It's not encrypted.

07:05.910 --> 07:06.810
It's open.

07:08.040 --> 07:08.330
Right.

07:08.340 --> 07:11.400
Although it doesn't need the ISP doesn't need that part.

07:11.430 --> 07:17.160
It does all its routing based on what public address it sees, that the source is 12.1.

07:17.160 --> 07:19.050
The destination is 23.3.

07:19.080 --> 07:21.600
So it just forwards it to R3.

07:23.420 --> 07:25.030
R3 will receive it.

07:25.600 --> 07:26.680
R3 will see.

07:26.890 --> 07:28.770
12.1 to 23.3.

07:28.810 --> 07:30.190
What is R3 going to do?

07:31.360 --> 07:32.610
Open this part of the packet.

07:32.620 --> 07:34.540
The IP part hits.

07:34.540 --> 07:35.080
What?

07:38.290 --> 07:43.030
It's the GRE. He compares the header that he received.

07:43.080 --> 07:44.670
Source was 12.1.

07:44.670 --> 07:47.040
Destination was 23.3.

07:47.040 --> 07:54.660
Compares it to the configuration on whatever configuration is there on R3: show run interface.

07:54.660 --> 08:04.950
Tunnel 011 compares it, sees the destination is 12.1, the source is 23.3.

08:04.980 --> 08:12.000
So knows that it's meant for 192.168.1.3 network. How? Also in its routing table it will have the same

08:12.000 --> 08:20.880
information traffic coming to this network this tunnel so forwards it to 192.168.1.0.

08:22.830 --> 08:27.780
It moves everything forwards it to 192.168.1.0, 1.2.

08:27.780 --> 08:33.180
Basically to be more specific and the packet reaches its corresponding interface, which is loopback,

08:33.180 --> 08:39.870
which is actually virtual tunnel to virtual tunnel, but is the simplest form of making your private

08:39.900 --> 08:40.260
tunnel.

08:40.260 --> 08:45.750
Private networks communicate to each other the most simplest form, right?

08:45.750 --> 08:52.350
There is no encryption, no authentication, nothing. Anyone can mess up, mess around with this data.

08:52.620 --> 08:53.640
Anybody can.

08:56.300 --> 08:57.800
Right now.

08:57.800 --> 08:59.960
The question is what happens to the headers?

09:00.830 --> 09:02.930
How much overhead do you add?

09:05.930 --> 09:08.030
A header adds how much overhead?

09:12.130 --> 09:14.620
24 bytes of data.

09:16.480 --> 09:17.830
24 bytes of data.

09:18.910 --> 09:20.920
Drives for IP addresses.

09:20.920 --> 09:22.030
It uses 16.

09:22.330 --> 09:25.240
Then for its own header, it's eight bytes.

09:25.570 --> 09:26.560
Just keep that in mind.

09:26.590 --> 09:27.550
We'll need that later.

09:27.880 --> 09:29.530
Check it out from R1.

09:30.910 --> 09:33.040
I'll ping 151 .13.3.

09:33.070 --> 09:41.280
A normal ping from public to public costs me 114 bytes from public to public.

09:41.290 --> 09:48.880
But if I ping 192.168.1.3, the same thing will cost me 138.

09:51.600 --> 09:51.860
Why?

09:51.900 --> 09:55.800
Because now I have an extra header on top of this 24 bytes of extra header.

10:00.530 --> 10:04.250
I have ICMP here, then I have the actual source and destination.

10:04.400 --> 10:11.210
When it reaches here, figures out my leaving interface is tunnel zero as what?

10:12.890 --> 10:17.330
On top of that adds the source and destination, which is 23.3 to 12.1.

10:17.900 --> 10:22.820
And then the layer two stuff to reach the final destination.

10:27.490 --> 10:28.510
What is the use of this one?

10:28.630 --> 10:31.180
My private networks can communicate to each other.

10:32.620 --> 10:34.180
How right now they are not.

10:34.840 --> 10:36.070
Right now they're not right.

10:36.120 --> 10:42.460
So what I'm going to do, if you understand, you understand completely how GRE works based on the

10:42.460 --> 10:43.090
routing table.

10:43.090 --> 10:43.480
Right.

10:44.950 --> 10:51.190
He sees that anything going from this source, anything coming from 192 168 1.0 doesn't matter where

10:51.190 --> 10:52.150
it's trying to go.

10:53.290 --> 11:00.250
It is a normal site-to-site situation, private to private crypto maps using crypto maps.

11:00.250 --> 11:02.170
Yes, but it was complicated.

11:02.170 --> 11:02.320
Why?

11:02.350 --> 11:04.570
Because everything had to be defined with ACLs.

11:05.800 --> 11:07.900
The interesting traffic was to be defined with ACLs.

11:07.900 --> 11:08.290
Right.

11:08.320 --> 11:11.020
Here it's been defined via virtual interfaces.

11:13.190 --> 11:14.650
Is also known as.

11:15.060 --> 11:16.900
Yeah, no is something else.

11:18.170 --> 11:19.000
You guys something else?

11:19.000 --> 11:20.150
I'll explain what that is.

11:20.170 --> 11:21.820
We are moving towards that direction.

11:22.420 --> 11:22.870
Right?

11:22.870 --> 11:25.600
So now is this clear?

11:26.410 --> 11:29.110
Anything source if pink, for example.

11:29.140 --> 11:32.140
8.8.8.8 to the source of.

11:33.850 --> 11:37.440
To zero, right?

11:37.440 --> 11:40.500
It's some random address, but since the source is tunnel zero.

11:43.930 --> 11:45.730
You will see that this packet

11:48.370 --> 11:49.000
is not.

11:57.440 --> 12:02.510
The okay is the decision is based on the destination, right.

12:03.350 --> 12:07.520
The decision in the routing table is based on what the destination where you're trying to go.

12:07.520 --> 12:12.620
So basically right now, anything going to 192.168.1.0 will go through the tunnel.

12:12.620 --> 12:20.160
But tell me what happens now if I enable multicast on this interface, will it go through the tunnel

12:20.160 --> 12:20.630
also?

12:22.430 --> 12:30.200
Right now, if you do show IP interface Tunnel zero, you'll see that it's not part of any multicast

12:30.200 --> 12:30.530
group.

12:34.820 --> 12:36.590
It's not part of any multicast group.

12:38.060 --> 12:44.660
What I'll do is I'll run router one and I'll use the command network.

12:44.690 --> 12:50.570
192 168 1.0.2.

12:50.570 --> 12:53.390
So what have I done?

13:00.250 --> 13:09.390
Have enabled multicast address on which interface 192 and only on 192.168.1.0, which is what the tunnel

13:09.390 --> 13:15.690
interface since it has multicast enabled, the traffic for your multicast is going to look like this

13:15.690 --> 13:19.500
192.168.1.0 or 1.1.

13:19.500 --> 13:22.620
To be more specific, let's move this cable here.

13:23.340 --> 13:27.780
1.1 going to 224.0.0.10.

13:29.460 --> 13:34.410
If it was a physical interface, what would this mean if it was, for example, this interface?

13:34.440 --> 13:37.320
It would mean hello packets will be sent on this interface.

13:38.910 --> 13:41.130
The leaving interface will still be what?

13:43.790 --> 13:47.570
Similarly for these multicast addresses, what is the leaving interface going to be?

13:49.140 --> 13:49.790
Tunnel zero.

13:51.620 --> 13:55.630
These hello packets are going to be sent to air through the tunnel.

13:55.640 --> 13:56.000
Right?

13:56.000 --> 13:58.120
Because the tunnel is part of the multicast group.

13:58.130 --> 13:59.540
224.0.0.10.

14:02.650 --> 14:02.950
Today.

14:06.420 --> 14:09.510
Sink it and see if you understand this.

14:11.990 --> 14:13.010
My interface.

14:13.010 --> 14:17.420
Tunnel zero is part of the multicast group 224.0.0.10.

14:17.450 --> 14:18.440
What does that mean?

14:19.430 --> 14:26.150
That means it can send and receive any packets which are based on these multicast addresses.

14:27.380 --> 14:35.810
Since it's EIGRP, every five seconds it will send out hello packets with the destination of 224.0.0.10.

14:36.020 --> 14:40.070
My question is, are these going to be tunneled or not?

14:47.250 --> 14:49.200
Are these going to be done like this or not?

14:51.790 --> 14:55.300
They will be because I wouldn't have spent enough energy to make a header like that.

14:57.120 --> 14:57.570
Take.

15:02.980 --> 15:04.030
Only that right now.

15:04.030 --> 15:04.410
Only that.

15:10.270 --> 15:11.980
170 2.1 68.

15:16.720 --> 15:17.080
No.

15:17.620 --> 15:18.910
Then that tunnel will not join.

15:18.930 --> 15:21.460
Yes, because I use this address.

15:21.460 --> 15:27.220
That is why the tunnel joined. You're saying, if I had used a different address, would the tunnel have joined

15:27.220 --> 15:29.500
the multicast address or not?

15:30.220 --> 15:30.970
It wouldn't have.

15:31.990 --> 15:34.390
So how does the routing protocol work?

15:34.390 --> 15:39.280
Whatever network command that you use, it goes to the running configuration routing.

15:39.340 --> 15:46.270
Sorry, the routing table in the routing table uses that network address, finds out the interface with

15:46.270 --> 15:50.290
respect to that address then enables IGP on that interface.

15:51.460 --> 15:55.900
How a routing protocol works is if you want to look at the process, it will open your routing table,

15:56.530 --> 15:59.740
show IP route in your routing table.

15:59.740 --> 16:04.660
It will go to that network that you've advertised and then check this interface in the end, which is

16:04.660 --> 16:11.620
tunnel zero, then go to tunnel zero and activate routing, basically make it join multicast group

16:11.650 --> 16:12.860
224.0.0.10.

16:13.030 --> 16:18.530
That's why in IPv6 what they have done is they have reduced this step. In IPv6,

16:18.530 --> 16:23.090
You don't have a network command, you just go to the interface and enable the routing on that interface.

16:23.090 --> 16:27.830
Just say one enable is done, OSPF one enabled is done.

16:28.310 --> 16:33.080
So they have reduced this step of network command, then going in the routing table and doing all that.

16:35.310 --> 16:35.730
Okay.

16:36.840 --> 16:38.820
Is it clear on one side?

16:38.820 --> 16:39.030
Right.

16:39.030 --> 16:40.800
Let's have a look at the hello packets.

16:47.810 --> 16:48.970
These are your hellos.

16:49.250 --> 16:50.540
And this is not the yellow.

16:51.280 --> 16:53.650
This is a loop blue.

16:58.870 --> 17:11.950
192.168.1.1 going to 24. The outside header will always be the same 1.12 20 3.3 which will always make sure

17:11.950 --> 17:14.020
that this packet reaches R3.

17:14.110 --> 17:18.190
R3 will know how to open it because it has the same tunnel config.

17:18.760 --> 17:20.170
It will know how to open this packet.

17:21.040 --> 17:24.970
My job is to encapsulate it in a way so that it reaches the other side.

17:26.320 --> 17:26.860
Okay.

17:27.340 --> 17:34.230
Then here moving to R3, the outer one.

17:34.510 --> 17:38.260
Network 192 168 1.0.1.

17:40.030 --> 17:47.260
My neighbor is up, so IP neighbors neighbor is up.

17:49.740 --> 17:49.990
Correct.

17:50.700 --> 17:51.330
So I beat out.

17:51.330 --> 17:52.830
I will not see anything in that out.

17:53.910 --> 17:57.570
But what I will do now is I will advertise it.

17:57.780 --> 18:04.430
I will advertise a loopback Zero is already there, so I'll go to router one.

18:04.440 --> 18:07.590
I'll advertise 10.0.0.0.

18:08.610 --> 18:11.340
But I want you to see is something else.

18:17.110 --> 18:17.860
Swipe it out.

18:20.300 --> 18:21.110
10.1.

18:22.190 --> 18:23.330
Will it go through the tunnel?

18:26.290 --> 18:29.170
If I send a ping to 10.1.1.1, will it go through the tunnel?

18:29.320 --> 18:30.070
Why?

18:32.200 --> 18:33.400
Because the next hop is.

18:33.400 --> 18:33.910
What?

18:38.930 --> 18:41.530
The next hop is 192.168.1.1.

18:41.540 --> 18:45.740
And how is that next hop reachable to me? Via tunnel one.

18:47.810 --> 18:55.970
So if I send a packet to 10.1.1.1 with a source of 10.3.3.3, this will go through the tunnel because

18:55.970 --> 19:03.920
the decision will be made based on the next hop, which is 192.168.1.1. For me to reach 192.168.1.1,

19:03.920 --> 19:10.100
an extra header has to be added, which is the header on top, so your ping will still be the same.

19:11.960 --> 19:16.220
The ping will still be the same, but 138 same.

19:19.720 --> 19:20.920
We will have the same header.

19:20.920 --> 19:22.690
So 10.1 to 10.3.

19:23.120 --> 19:31.300
We're actually communicating from loopback to and then you have your on top public addresses on top

19:31.300 --> 19:31.540
of that.

19:36.050 --> 19:36.620
Questions.

19:40.710 --> 19:41.550
Any questions?

19:43.020 --> 19:43.620
Until now.

19:54.110 --> 19:54.860
In the packet.

19:54.860 --> 19:56.840
You won't see it in the packet.

19:56.840 --> 19:59.570
You won't see any tunnel lighting when you're pinging.

19:59.570 --> 20:03.110
Now you don't even need those tunnel IPs because now your job is done.

20:03.110 --> 20:05.270
Now your loopbacks are communicating to each other.

20:05.720 --> 20:06.920
You will never need them.

20:07.010 --> 20:09.590
You only created them to create a neighbor relationship.

20:11.940 --> 20:17.790
Right. So my packet will now go from, for example, if you're talking about R1, it will go from

20:17.820 --> 20:24.320
10.1.1.1 to 10.3.3.3.

20:25.440 --> 20:26.850
The packet will be formed like this.

20:26.850 --> 20:27.300
Right?

20:27.420 --> 20:29.360
All you need to know is what is the next hop.

20:29.370 --> 20:31.560
Next hop is 192.168.1.3.

20:32.190 --> 20:33.970
If that is the next hop, what do I need?

20:33.990 --> 20:34.680
I need the header.

20:34.680 --> 20:35.110
Which header?

20:35.130 --> 20:36.400
The header will always be the same.

20:36.420 --> 20:38.940
The decision is should I have the header or not?

20:38.970 --> 20:39.420
That's it.

20:39.990 --> 20:41.610
Header will always be 12.1.

20:41.610 --> 20:42.090
Yes.

20:42.120 --> 20:43.680
What about the 150 address?

20:44.670 --> 20:46.860
Wouldn't have been 150.

20:47.820 --> 20:52.350
150 is the public address that you purchased from the internet.

20:54.820 --> 20:58.500
Will require 153 and then 192.

21:00.390 --> 21:00.890
No, no, no.

21:00.930 --> 21:01.800
First it was.

21:01.830 --> 21:03.060
This is 150.

21:05.920 --> 21:07.720
That is the header that attaches, right?

21:09.340 --> 21:11.060
The outside header is attached.

21:11.080 --> 21:12.700
That's how it does the routing.

21:16.540 --> 21:17.050
Little was.

21:18.820 --> 21:20.800
Last time with the header.

21:20.800 --> 21:22.120
I made it in the reverse direction.

21:22.120 --> 21:24.510
I made it like this ten one.

21:24.520 --> 21:25.570
That's how I usually make it.

21:25.570 --> 21:26.890
But there was no space.

21:27.370 --> 21:30.280
10.1.1.1 to 10.3.3.3.

21:30.310 --> 21:30.790
Right.

21:30.790 --> 21:41.080
And then on top of that I dashed the header, which is going from 12.12 from here.

21:41.110 --> 21:43.630
23.3 to 12 dot.

21:47.100 --> 21:48.720
Going from 10.1 to 10.3.

21:48.720 --> 21:49.170
So.

21:52.260 --> 21:57.690
The outside header will always, always be the same because that's how the guy you have configured it like

21:57.690 --> 21:59.610
that source is constant.

21:59.610 --> 22:00.660
Destination is constant.

22:00.660 --> 22:03.000
All you need to make sure is is it going through the tunnel or not?

22:03.030 --> 22:04.710
If it's going through the tunnel, attach this header.

22:06.300 --> 22:07.470
If it's not, then do not.

22:10.980 --> 22:16.810
Said if you try to ping 151 .1.1, just ping.

22:16.830 --> 22:19.860
151 .5.1 It will go straight.

22:21.210 --> 22:21.390
Why?

22:21.420 --> 22:26.070
Because the leaving interface will be F0/0 for this ping.

22:27.300 --> 22:31.280
The decision is solely made based on what destination are you trying to reach?

22:35.050 --> 22:35.290
Right.

22:35.530 --> 22:36.400
It is good.

22:36.430 --> 22:41.170
My loopbacks are communicating to each other everything is all right except for there is a small problem.

22:45.340 --> 22:49.210
Now this is going to form your base from now on until DMVPN.

22:52.130 --> 22:53.060
Think about it this way.

22:53.060 --> 22:55.730
We've already started the process of DMVPN.

22:56.900 --> 23:00.230
This is just the basics, but we are moving towards that eventually.

23:02.540 --> 23:02.800
Okay.

23:02.990 --> 23:07.220
R1, what I'll do is I'll telnet 10.3.3.3.

23:07.670 --> 23:08.570
The source of loopback.

23:08.570 --> 23:08.870
Zero.

23:11.690 --> 23:16.310
I can't loopback to loopback going through the tunnel, right.

23:16.340 --> 23:19.940
The problem with this is it is open text.

23:19.940 --> 23:24.290
So if you just follow TCP stream, you will see everything in there.

23:27.140 --> 23:28.770
Well, it is capturing the data.

23:29.370 --> 23:32.430
You just follow the TCP stream because it's open text.

23:32.430 --> 23:33.100
Clear text.

23:33.120 --> 23:39.690
It can see everything that you're sending: your passwords, whatever is your password, Cisco.

23:43.160 --> 23:44.330
So dangerous.

23:45.170 --> 23:45.700
Good.

23:45.710 --> 23:51.290
Effective lets you communicate across the internet, but dangerous.

23:52.040 --> 23:58.760
Yes, it's better than crypto maps in a way that it's dynamic.

23:59.450 --> 24:06.350
When I say dynamic, what I mean to say is tomorrow if I have another site here ten .17. 11 all I need

24:06.350 --> 24:08.540
to do is just add it to the routing protocol.

24:08.750 --> 24:10.370
Everybody will receive it.

24:12.080 --> 24:14.720
Crypto maps saw there was a problem if you had more sites.

24:14.720 --> 24:18.240
Access lists got complicated from here to here, here to here.

24:18.240 --> 24:18.770
Hairpinning.

24:18.770 --> 24:20.810
So many different stuff here.

24:20.810 --> 24:22.880
One extra site will not cost you anything.

24:22.880 --> 24:24.890
Even if it's in the 1011 domain.

24:24.890 --> 24:27.770
You don't have to do anything because it's already advertised in here.

24:28.460 --> 24:30.140
You just need to put it there.

24:30.650 --> 24:31.850
Everybody will receive it.

24:37.300 --> 24:38.430
The only problem is what?

24:38.440 --> 24:39.370
It's open text.

24:39.650 --> 24:40.480
How do I protect it?

24:43.200 --> 24:43.800
I'll use it.

24:44.730 --> 24:45.780
Let's see how.

24:45.810 --> 24:47.350
Let's go ahead and start the steps.

24:47.370 --> 24:48.450
What is the first step?

24:52.050 --> 24:52.440
Crypto.

24:53.640 --> 24:54.870
It will always be the same.

24:55.590 --> 24:56.280
Your policies.

24:56.280 --> 24:58.220
You have to configure all the always your key.

24:58.230 --> 25:00.960
You have to configure always transform set.

25:00.960 --> 25:02.010
You have to configure all this.

25:02.400 --> 25:04.950
So this will be from now until the end of VPN.

25:07.840 --> 25:13.440
Yes, that part will have to do some different only that part authentication.

25:13.470 --> 25:17.340
Pre-shared Hash MD5 Group two.

25:19.320 --> 25:26.760
Step two: crypto ISAKMP key is Cisco, address, address.

25:26.760 --> 25:30.660
You will give the public address of why?

25:30.780 --> 25:33.990
Because ISAKMP negotiations have to take place.

25:35.040 --> 25:36.900
ISAKMP is always from public to public.

25:36.900 --> 25:40.170
Remember from this public to it will not go through the tunnel.

25:40.710 --> 25:44.620
That's a control separate control plane traffic that is negotiated separately.

25:46.930 --> 25:48.580
It will have a look at how that takes place.

25:48.580 --> 25:50.410
151 .23.3.

25:51.340 --> 25:56.800
Step three is what crypto IPsec.

25:57.680 --> 25:58.730
Transform set.

26:02.330 --> 26:11.750
ESP as ESP five. Step four: access list is not there anymore.

26:11.750 --> 26:13.490
Crypto map is not there anymore.

26:13.520 --> 26:15.530
Now, it's much easier than that.

26:16.880 --> 26:19.730
Much, much easier than that crypto.

26:21.490 --> 26:22.000
IPsec.

26:22.780 --> 26:23.950
We call it profile.

26:25.990 --> 26:27.940
In the profile, I only call the Transform.

26:34.150 --> 26:35.080
Create a profile.

26:36.190 --> 26:43.210
And in that profile I only call what you can have multiple policies and programs in the profile.

26:43.390 --> 26:45.030
You can have multiple ones.

26:45.130 --> 26:46.840
You can only have one transform set.

26:48.650 --> 26:50.610
And what was this profiling like?

26:50.630 --> 26:52.130
I can have multiple policies.

26:54.590 --> 26:55.220
The first thing.

26:55.520 --> 26:58.410
When did we do that reading?

26:59.450 --> 27:01.250
You can have multiple policies.

27:01.250 --> 27:01.880
With what?

27:02.040 --> 27:09.530
For the first one, you can have different policies with different people, with different.

27:09.530 --> 27:10.400
That is this one.

27:10.850 --> 27:11.720
That is this one.

27:13.190 --> 27:19.310
So it's going to have different with different you can have ten, 20, 30, 40, 50, ten will go here,

27:19.460 --> 27:22.580
20, 30 will be here, 40, 50 will be somewhere else.

27:23.210 --> 27:25.100
So that's you configure different policies here.

27:25.940 --> 27:26.780
That's not the profile.

27:27.320 --> 27:31.190
Profile you apply for, check this out.

27:31.640 --> 27:33.110
You go to your tunnel zero.

27:34.220 --> 27:41.690
You say tunnel tunnel protection with IPsec profile and you call it I.

27:47.440 --> 27:50.650
What you're actually saying is the simplest of terms.

27:50.680 --> 27:53.890
What you're saying is you're giving the tunnel.

27:54.070 --> 27:58.630
You're telling him, okay, you are there, I know you're there, but I need to protect you using ESP,

27:58.660 --> 28:02.410
also esp, I've already configured.

28:04.270 --> 28:04.540
Right.

28:04.540 --> 28:06.490
So in the profile I'm calling the transform the.

28:06.790 --> 28:12.550
The transform set is calling ESP, but for the ESP to work first negotiation should happen.

28:14.770 --> 28:16.270
So the whole process will happen.

28:18.100 --> 28:18.490
Right?

28:18.790 --> 28:24.250
And the negotiations will happen based on which source and which IP based on the tunnel source internal

28:24.250 --> 28:24.520
IP.

28:25.150 --> 28:31.690
So your whole ISAKMP will be negotiated based on your tunnel source, tunnel destination.

28:32.320 --> 28:38.300
So you have a separate UDP going out based on your tunnel source as public headers UDP will be negotiated.

28:38.320 --> 28:42.160
Once that is negotiated, everything going through the tunnel will be protected using ESP.

28:43.570 --> 28:44.530
Let's check this.

28:45.340 --> 28:46.820
Let's go to R1 again.

28:50.500 --> 28:52.600
Self-protection camp is on.

28:52.750 --> 28:53.520
Check this out.

28:53.530 --> 28:54.910
This is what I was talking about.

28:56.560 --> 28:57.820
The tunnel will go down.

28:58.990 --> 29:01.300
Your neighbor relationship will go down.

29:01.300 --> 29:01.780
Why?

29:04.060 --> 29:05.530
Because one side is encrypting.

29:05.530 --> 29:07.930
Now he's trying to create that.

29:09.070 --> 29:09.600
So.

29:13.670 --> 29:14.060
Happened.

29:14.100 --> 29:14.570
Weishaupt.

29:15.200 --> 29:20.420
The site is trying to create a campus show crypto as the other side is not responding.

29:21.920 --> 29:23.790
So you will not send out any packets.

29:23.810 --> 29:28.910
Now everything is buffered and stopped because ISAKMP is not getting negotiated.

29:29.090 --> 29:29.990
If you go here.

29:43.130 --> 29:43.740
It might be.

29:57.250 --> 29:59.510
How the second package is going to look like.

29:59.540 --> 30:00.320
Can you tell me?

30:07.250 --> 30:08.990
As a compact, How is it going to look like?

30:11.840 --> 30:19.160
So this will be 151 .15.1 destination will be 151 .13.3 right inside there.

30:19.160 --> 30:21.260
UDP 500, UDP 500 and whatever.

30:52.620 --> 30:54.120
So something is up with Wireshark.

30:54.120 --> 30:55.140
But anyways.

30:57.210 --> 30:58.980
Let's first try on the other interface.

30:59.270 --> 31:00.510
Maybe this interface has a problem.

31:14.290 --> 31:17.440
As you can keep on trying and trying and trying.

31:17.470 --> 31:17.890
Why?

31:17.920 --> 31:18.250
Because.

31:18.250 --> 31:18.660
Hello.

31:18.670 --> 31:21.910
Every five seconds will keep on going out for that.

31:21.910 --> 31:22.170
Hello.

31:22.180 --> 31:25.240
He would require to do it, so I will keep on trying.

31:26.980 --> 31:27.780
It's connection.

31:27.790 --> 31:31.750
That's a good thing about your interface tunnels.

31:31.990 --> 31:34.390
Since you're running routing on it, you will see.

31:34.420 --> 31:34.660
Hello.

31:34.660 --> 31:38.410
Packets will always keep on going there, so make sure that the tunnel doesn't go down.

31:38.410 --> 31:39.730
But why are we meeting the.

31:40.150 --> 31:41.140
It's supposed to be eyes.

31:41.170 --> 31:43.980
Cameras is supposed to be in 15 seconds.

31:44.140 --> 31:45.880
Here is from three.

31:45.910 --> 31:46.450
Check this out.

31:46.930 --> 31:48.370
Not from one, two, three.

31:50.120 --> 31:57.440
So is the other that this idea will never leave until the negotiations take place now?

31:58.790 --> 32:00.210
The tunnel is protected.

32:00.230 --> 32:04.220
Means even no packet will go out of this traffic if it's not protected.

32:04.970 --> 32:09.740
For the protection he would require ESP or ESP, he would require ISAKMP to be negotiated.

32:11.590 --> 32:11.770
Okay.

32:12.120 --> 32:13.880
What do I need to do on the other side?

32:13.890 --> 32:14.580
Check this out.

32:14.610 --> 32:15.840
Everything will be the same.

32:15.840 --> 32:16.710
Except for.

32:20.590 --> 32:21.630
ISAKMP key.

32:21.660 --> 32:26.460
Cisco should be sent to 12.111.

32:26.460 --> 32:27.320
Yes.

32:27.330 --> 32:28.170
Thank you.

32:28.260 --> 32:29.760
Always make that mistake.

32:34.340 --> 32:36.380
So here, this is going to be tunnel one.

32:38.640 --> 32:39.460
Tunnel protection.

32:39.870 --> 32:40.050
None.

32:42.300 --> 32:42.840
Check this out.

32:44.460 --> 32:45.360
Stop this.

32:49.480 --> 32:50.130
Collections.

32:52.560 --> 32:57.560
Your ISAKMP complete exchange took place from one to another.

32:57.570 --> 33:00.870
Your all nine packets and then ESP.

33:04.740 --> 33:11.130
Then I want to ping again now and I want to see if it's possible.

33:14.150 --> 33:14.870
It is possible.

33:14.900 --> 33:16.580
But check out the size of the ping.

33:17.120 --> 33:18.050
How much is it?

33:19.610 --> 33:21.530
How much was an original ping?

33:22.820 --> 33:23.990
114.

33:25.920 --> 33:27.520
GRE added 24 bytes.

33:27.530 --> 33:31.970
It became 138 on top of that.

33:31.970 --> 33:33.290
How much did you add again?

33:34.220 --> 33:38.630
52 bytes of ESP for each header.

33:41.390 --> 33:42.200
For protection.

33:44.200 --> 33:46.080
52 bytes of ESP.

33:48.010 --> 33:49.100
You see how much that is.

33:49.120 --> 33:52.720
But the good thing is everything that you do now.

33:58.710 --> 34:08.010
You don't need SSH, you don't need for any kind of communication anymore because it's going through ESP.

34:13.140 --> 34:14.530
Going through his.

34:16.820 --> 34:18.680
How is your header looking like?

34:19.310 --> 34:20.480
Let's have a look at the header.

34:25.030 --> 34:28.180
The traffic is trying to go from ten 111 going to ten.

34:30.500 --> 34:31.850
Figures out the leaving interface.

34:31.850 --> 34:32.780
What is the leaving interface?

34:32.780 --> 34:33.560
Tunnel zero.

34:34.130 --> 34:35.090
Attaches What?

34:36.830 --> 34:39.830
The retract was in.

34:43.100 --> 34:48.740
Going from 12.1 to what attaches on top of that one.

34:50.510 --> 34:51.000
ESP.

34:51.830 --> 34:53.210
Does it have an outside header?

34:53.210 --> 34:56.530
Also, it should have an outside header.

34:56.540 --> 34:56.690
Why?

34:56.720 --> 34:58.190
Because everything here will be.

35:02.450 --> 35:03.470
Everything will be hidden.

35:03.470 --> 35:06.980
So the Internet will not know how to communicate, how to route the packet.

35:06.980 --> 35:10.580
So for that he would also have 12.1 to 23.3.

35:10.610 --> 35:12.140
Where does he get this from?

35:14.210 --> 35:14.930
From the interface.

35:18.820 --> 35:20.430
From the interface again.

35:21.880 --> 35:26.080
So the same header is repeated two times inside here.

35:27.020 --> 35:27.160
The.

35:29.150 --> 35:31.560
No, I have not set any set peer command.

35:31.580 --> 35:33.770
Remember, there is no set peer.

35:33.980 --> 35:37.010
The key is not for the header.

35:37.040 --> 35:39.890
When you see the set key, that is not for the header.

35:39.890 --> 35:42.980
That is for the fifth packet in the fifth packet.

35:43.010 --> 35:48.080
He locally sees he locally sees 23.3 which key to send.

35:48.530 --> 35:50.060
He does not use that part.

35:51.080 --> 35:52.400
So you can have multiple keys.

35:52.400 --> 35:52.610
Right.

35:52.640 --> 35:54.770
He will see based on which header here he see.

35:54.770 --> 35:54.950
Okay.

35:54.950 --> 35:56.390
I'm going to 23.3.

35:56.420 --> 35:57.650
Which key should I send?

35:59.900 --> 36:03.230
You know, he doesn't have a set peer, doesn't have a set peer.

36:03.240 --> 36:05.910
He takes it from tunnel zero: tunnel source, tunnel destination.

36:05.910 --> 36:14.220
He'll add on top of this again, that's why the added headers, that's where the added is.

36:16.230 --> 36:16.770
Right?

36:16.800 --> 36:17.310
Good.

36:17.730 --> 36:18.510
It's fine.

36:18.870 --> 36:20.640
It's very, very, very good.

36:20.850 --> 36:21.270
Why?

36:21.300 --> 36:23.910
Because now you have routing protocols plus IPsec.

36:26.370 --> 36:30.530
Earlier you had IPsec using crypto maps but no routing protocols.

36:30.540 --> 36:33.900
Then you had routing protocols, but no IPsec.

36:33.990 --> 36:35.520
Now you combine them together.

36:35.520 --> 36:39.750
But what how are you paying for it on header sizes?

36:41.940 --> 36:45.480
You're paying for both technologies together based on header your data.

36:47.310 --> 36:54.840
Your header, which was supposed to be a normal ping of 114, is now 190, which is a lot more than

36:54.840 --> 36:55.290
before.

36:57.570 --> 36:58.020
Okay.

36:59.890 --> 37:00.640
Any questions?

37:02.250 --> 37:06.240
No, we used to.

37:06.390 --> 37:08.520
Now we have found a better alternative.

37:09.180 --> 37:12.180
Out of this better alternative.

37:12.510 --> 37:14.520
What we'll do is.

37:14.550 --> 37:16.800
Do you see a redundancy in here somewhere?

37:20.240 --> 37:22.650
Do you see a redundancy in the header somewhere?

37:26.210 --> 37:27.890
This header is repeated, isn't it?

37:31.110 --> 37:33.330
Is there any point of this header being repeated?

37:33.360 --> 37:34.620
Will it help us?

37:34.740 --> 37:35.400
Will it help?

37:35.400 --> 37:41.760
Anybody? No, this extra header is not going to help anybody.

37:41.850 --> 37:46.110
It's just there when he opens it.

37:46.140 --> 37:51.180
When the guy comes in and opens it, he sees ESP, opens it, gets the outside header again. It

37:51.180 --> 37:54.660
needs to open it without any use of it.

37:56.140 --> 37:57.510
We'll do the same thing again.

37:58.650 --> 38:00.360
How do I make sure this doesn't happen?

38:02.100 --> 38:03.990
This is known as.

38:07.390 --> 38:08.120
Transport mode.

38:08.140 --> 38:08.440
Dunham.

38:13.280 --> 38:15.830
By default, the mode of a tunnel is what?

38:16.190 --> 38:16.870
Tunnel mode.

38:16.880 --> 38:17.750
We call it tunnel mode.

38:17.780 --> 38:19.370
Tunnel mode means he doesn't care.

38:20.000 --> 38:22.310
Whatever he's using doesn't care.

38:22.310 --> 38:26.330
It just tunnels and goes through. Transport mode checks.

38:26.570 --> 38:28.850
Transport mode is intelligent.

38:29.330 --> 38:32.000
It checks when he's copying the header outside.

38:33.050 --> 38:35.960
It checks the header on the right and the header on the left.

38:35.990 --> 38:40.040
If it sees the same header on both sides, it will remove the inside one.

38:42.680 --> 38:45.140
Relieving you of 16 more bytes.

38:48.190 --> 38:49.290
Do you understand?

38:51.090 --> 38:58.650
When it's attaching the outside public header, it checks is the inside header and the outside header

38:58.650 --> 38:59.200
the same?

38:59.220 --> 39:04.320
If it is the same, it will remove it and remove the inside header automatically.

39:07.200 --> 39:07.830
The whole thing.

39:11.190 --> 39:11.470
Correct.

39:12.570 --> 39:17.730
Let's try let's see what's done is done on the IPsec crypt is done under the transform settings.

39:18.750 --> 39:27.840
So I'll go to crypto ipsec transform-set TSET esp-3des esp-md5.

39:30.410 --> 39:30.950
In here.

39:31.220 --> 39:32.510
I have only one option.

39:33.680 --> 39:34.340
It's called mode.

39:35.060 --> 39:36.610
Either tunnel or transport.

39:36.620 --> 39:37.940
I'll change it to transport.

39:41.150 --> 39:42.140
I'll go to the other side.

39:42.140 --> 39:50.510
Use the same: crypto ipsec transform-set TSET esp-3des esp-md5, mode.

39:52.670 --> 39:53.630
Okay, check it.

39:53.630 --> 40:00.110
You'll see that it has not changed changed crypto crypto IPsec in your IPsec in your inbound and outbound.

40:00.320 --> 40:02.060
It will show you what settings are in use.

40:04.620 --> 40:04.950
Right now.

40:04.950 --> 40:05.910
It's what? Tunnel.

40:07.500 --> 40:09.650
Both are in tunnel, inbound and outbound.

40:09.660 --> 40:11.640
Both SAs are in the tunnel mode.

40:12.990 --> 40:14.100
How do you fix this?

40:17.440 --> 40:23.110
I need to clear it because tunnel and transport mode are negotiated in the beginning of the exchange.

40:23.620 --> 40:28.830
Clear crypto isakmp.

40:31.890 --> 40:32.110
Yeah.

40:33.340 --> 40:34.620
And that was necessary.

40:39.560 --> 40:40.190
It will not be.

40:42.610 --> 40:49.000
ISAKMP needs to be refreshed because once the negotiations take place, as sessions see also you

40:49.000 --> 40:51.550
can session will clear the whole thing,

40:55.330 --> 40:56.500
clear crypto sessions.

40:57.850 --> 41:04.810
Now the mode is what? Transport, inbound, outbound. From here also.

41:09.890 --> 41:11.420
The mode is transport.

41:13.560 --> 41:14.040
Good enough.

41:19.040 --> 41:19.820
Mixed as in.

41:22.810 --> 41:23.770
No, no.

41:24.280 --> 41:26.950
This negotiated Bodin's negotiated.

41:27.700 --> 41:30.850
What I want you to check is if I ping three, three, three.

41:31.720 --> 41:32.380
The source of ten.

41:32.380 --> 41:33.040
One, one one.

41:35.140 --> 41:44.950
170 the size of the packet, confirming that the 16 bytes have been removed from the IP address.

41:49.600 --> 41:49.870
Okay.

41:52.250 --> 41:53.710
134 is the hello packet.

41:55.480 --> 41:56.080
Hello packet.

41:59.700 --> 41:59.950
Let.

42:03.950 --> 42:08.840
I have reduced the size of my GRE over IPsec.

42:10.160 --> 42:12.500
The whole process is called GRE over IPsec.

42:14.720 --> 42:21.260
I've reduced the size of my GRE over IPsec by 16 bytes, but if you have a look at the header now, there

42:21.260 --> 42:24.830
is still a little bit of GRE in here.

42:25.340 --> 42:26.270
I really need it now.

42:27.560 --> 42:29.390
So I'm just using ESP anyways.

42:29.420 --> 42:30.350
Do I need GRE?

42:31.550 --> 42:37.130
I don't need those eight bytes anymore because when I open it I will see esp will open it and find what

42:37.490 --> 42:38.510
the actual header.

42:38.810 --> 42:41.360
This was not possible for a long, long time.

42:44.370 --> 42:46.970
A lot of for a long time this was not possible.

42:46.980 --> 42:48.750
But then IPsec was developed.

42:50.400 --> 42:55.800
IPsec was developed to work exactly like GRE without GRE.

42:56.070 --> 42:56.400
Yeah.

42:56.850 --> 43:01.140
If you don't have the now, you take the tunnel.

43:03.390 --> 43:04.290
That's what I'm saying.

43:05.040 --> 43:06.870
To do that ESP came forward.

43:08.250 --> 43:15.960
ESP came forward, did exactly the same thing that GRE used to do, exact same things as GRE used to do, using

43:15.960 --> 43:17.010
the ESP header.

43:18.030 --> 43:20.640
This type of tunnel was not called a GRE tunnel.

43:20.640 --> 43:24.790
It was called a static virtual tunnel interface, an SVTI.

43:28.400 --> 43:30.650
The one where I'll remove GRE.

43:31.550 --> 43:32.000
How?

43:32.180 --> 43:36.410
I'll basically configure the tunnel and tell him, Listen, this tunnel is not a GRE tunnel anymore.

43:36.860 --> 43:39.720
This tunnel is a pure IPsec tunnel.

43:39.750 --> 43:43.790
When I say a pure IPsec tunnel, what I'm saying is there is no GRE in here.

43:44.810 --> 43:51.200
It's a public address, then ESP, then your actual address, the actual source and destination.

43:55.080 --> 43:55.410
Sorry.

43:57.840 --> 44:04.350
The before it was there was a header on top of this one, a normal header.

44:05.250 --> 44:06.780
Then there was a public address here.

44:06.780 --> 44:09.300
When I did transport mode, it removed the public address.

44:09.570 --> 44:15.810
Now I'm going to configure this whole tunnel as a pure IPsec tunnel.

44:16.350 --> 44:19.020
So what I'll do is I'll go to Interface Tunnel zero.

44:19.260 --> 44:20.220
I'll say tunnel mode.

44:20.640 --> 44:26.750
IPsec IPv4. Tunnel mode is not by default.

44:27.010 --> 44:27.960
The mode is what?

44:29.880 --> 44:32.370
It's a tunnel, so it attaches the header.

44:33.120 --> 44:36.960
But if I change the mode completely now it is not going to attach the header.

44:37.470 --> 44:44.790
I'll say tunnel mode ipsec ipv4 from one end, from the other side also.

44:46.820 --> 44:51.110
From the one tunnel mode IPsec IP.

44:56.230 --> 44:57.490
Now let's ping again.

45:00.040 --> 45:01.420
Check out the size of the pings.

45:03.220 --> 45:04.570
166.

45:05.350 --> 45:06.940
Eight more bytes have been reduced.

45:11.560 --> 45:13.560
Eight more bytes have been reduced.

45:15.220 --> 45:17.440
The header eight bytes.

45:18.190 --> 45:22.210
Then 16 of the IP header in total 24.

45:24.430 --> 45:24.580
Right.

45:24.640 --> 45:26.650
So if you think about it now.

45:29.160 --> 45:31.590
Now, your traffic has no GRE on top of this.

45:32.220 --> 45:34.470
Now, it's not is not there anymore.

45:34.920 --> 45:35.280
It's not.

45:36.340 --> 45:41.930
If you didn't use, like you said, what would be the use of if I didn't use IPsec?

45:42.810 --> 45:46.530
If you're not protecting the tunnels with IPsec, then that is the question.

45:46.530 --> 45:47.970
That is what I wanted to show you.

45:48.120 --> 45:51.420
If I don't use tunnel protection now, will this tunnel work?

45:53.040 --> 45:56.970
It will not work because we needed a header.

45:58.140 --> 46:05.520
The normal GRE when you communicate from ten .1.1.12.3.3.3.

46:05.520 --> 46:10.600
The header that is added is which one which is standalone does not require anything.

46:10.620 --> 46:11.700
So it bites standalone.

46:13.020 --> 46:15.060
But now it's a pure IPsec tunnel.

46:15.060 --> 46:16.320
So what am I using here?

46:21.670 --> 46:24.880
ESP but for this esp what do I require?

46:27.310 --> 46:28.240
Tunnel protection.

46:29.500 --> 46:35.350
That is the only one thing that you need to configure that is different from here.

46:35.350 --> 46:39.910
You need to protect the tunnel using tunnel protection so the source and destination will obviously

46:39.910 --> 46:43.960
will be the same, which is 12.1 to 23.3.

46:46.300 --> 46:54.580
But since you require ESP, since you definitely require ESP, you would also require what protection?

46:54.580 --> 46:57.550
If you remove that tunnel protection, your tunnel will go down.

46:57.550 --> 47:01.960
That was not the case with GRE, even without protection.

47:01.980 --> 47:04.300
Used to work, right?

47:04.330 --> 47:05.280
We saw open text.

47:05.290 --> 47:11.530
We could see Telnet messages and everything used to work even without the protection.

47:11.530 --> 47:15.910
Protection just added extra security if you're using a pure IPsec tunnel.

47:16.630 --> 47:17.590
What are you saying?

47:17.590 --> 47:19.600
You're saying I'm protecting it using IPsec.

47:23.190 --> 47:23.520
Right.

47:23.520 --> 47:25.470
And for IPsec, which header do you need?

47:26.010 --> 47:28.050
ESP, AH.

47:29.670 --> 47:31.110
AH will work.

47:31.620 --> 47:35.610
AH will work, but it will only protect, give you authentication.

47:36.150 --> 47:36.550
Let's try.

47:39.330 --> 47:42.910
I will go to this site as a crypto IPsec.

47:42.940 --> 47:44.750
Before that, I want to show you this show.

47:44.770 --> 47:45.700
Crypto IPsec.

47:47.020 --> 47:55.480
The mode I change to what transport it has gone back to even though in the running configuration.

47:59.980 --> 48:02.710
Even though the running configuration you'll see the mode is still transport.

48:06.200 --> 48:08.390
You can configure the mode as transport.

48:09.350 --> 48:15.110
It will try to do what the transport mode tells it to do, but if it cannot do that, it will move back

48:15.110 --> 48:15.950
to the tunnel mode.

48:17.450 --> 48:18.860
Why did it happen right now?

48:18.860 --> 48:20.750
Because I said there is no GRE anymore.

48:21.590 --> 48:23.260
This packet is not right.

48:24.260 --> 48:26.180
The header on the inside and the outside.

48:26.180 --> 48:27.260
Are they the same now?

48:33.760 --> 48:42.880
ESP is attached here. On the outside of ESP is what? 12.1 and 23 dot. The inside and the outside, are

48:42.880 --> 48:43.570
they the same?

48:43.930 --> 48:44.980
Same address.

48:45.400 --> 48:47.230
Will you be able to remove anything from here?

48:50.470 --> 48:51.580
Earlier it was different.

48:52.120 --> 48:54.130
Earlier, he was adding himself on top of the GRE header.

48:55.840 --> 48:57.790
So the public and public was same on both sides.

48:57.790 --> 48:59.020
So he removed the inside one.

48:59.170 --> 49:05.530
Now he's just attaching himself to the private network. Inside and outside header are completely different.

49:05.710 --> 49:07.030
He's not able to remove anything.

49:08.420 --> 49:09.590
He's not able to remove any.

49:09.610 --> 49:11.050
He will go back to the tunnel.

49:12.880 --> 49:18.850
Even if you configure it to have transport mode, it will still not work on transport mode.

49:18.850 --> 49:20.740
It will still go back to tunnel.

49:20.980 --> 49:22.210
You have to understand that.

49:25.100 --> 49:26.120
That's how it works.

49:26.390 --> 49:28.670
That's how you can configure a transport.

49:29.090 --> 49:34.160
You can configure a router in transport mode, but if it cannot make that move, if it cannot remove

49:34.160 --> 49:35.660
the header, it will still stay in tunnel.

49:42.500 --> 49:49.270
Yes, the standard mode is used in a lamp and it's used usually in private entrances.

49:49.710 --> 49:52.500
The and then this tunnel mode is.

49:53.210 --> 49:55.680
And what does that actually mean?

49:56.460 --> 49:58.800
Well, it actually, I'll explain that in GET VPN.

49:59.970 --> 50:04.080
When you're doing GET VPN, we're actually doing private to private communication.

50:04.890 --> 50:08.190
So a private cloud, that's where it's mostly used.

50:10.530 --> 50:14.310
That's why they say that transport mode is for private to private communication.

50:14.310 --> 50:14.660
Right.

50:14.670 --> 50:15.300
Private LAN.

50:16.170 --> 50:16.890
I'll explain that.

50:18.840 --> 50:19.140
The right.

50:19.140 --> 50:21.600
Now, even if you're using, you can use transport mode.

50:22.320 --> 50:24.210
But the thing is, we would not use anymore.

50:24.240 --> 50:24.420
Why?

50:24.450 --> 50:27.780
Because now you have to.

50:30.950 --> 50:39.290
The FBI requires all that requires see what a times requires is this if you only have a pure tunnel,

50:39.530 --> 50:46.400
it's like this: interface tunnel zero, IP address 192.168.1.1, the mask.

50:48.400 --> 50:57.340
Tunnel source is 150 .1.1.1, tunnel destination is 150 .1.23.3.

50:57.370 --> 50:58.120
That's it.

50:58.120 --> 50:59.830
That's all a tunnel requires.

51:00.160 --> 51:01.780
What does an IPsec require?

51:05.740 --> 51:06.550
Same thing.

51:09.560 --> 51:14.810
But tunnel mode ipsec ipv4, since it's an IPsec tunnel.

51:14.900 --> 51:17.630
Also require tunnel protection.

51:19.040 --> 51:20.330
IPsec Profile.

51:20.470 --> 51:20.780
High.

51:28.390 --> 51:28.690
Here.

51:28.690 --> 51:30.040
I don't need a header by default.

51:30.340 --> 51:32.050
Header is available to the first tunnel.

51:32.320 --> 51:35.260
The second tunnel does require a header because it's not.

51:35.860 --> 51:37.060
GRE has been removed.

51:38.240 --> 51:40.300
So if I remove protection the tunnel will not come up.

51:41.650 --> 51:42.730
You can give it a try.

51:42.760 --> 51:43.450
You can give it a try.

51:43.570 --> 51:46.950
But before that let's change the, to change this to AH.

51:56.880 --> 51:58.830
Modena from the other side also.

52:34.540 --> 52:34.850
Yeah.

52:35.080 --> 52:35.420
Tonight.

52:35.830 --> 52:36.850
I don't think it'll work.

52:39.930 --> 52:40.500
Let's try.

52:49.930 --> 52:50.930
It requires ESP.

52:52.000 --> 52:52.570
It is down.

52:53.590 --> 52:54.610
It does require ESP.

53:03.560 --> 53:04.630
That is attached as required.

53:05.390 --> 53:06.260
It is very old.

53:08.390 --> 53:13.070
I don't think anyone would even think about using it because ESP gives you the same.

53:13.120 --> 53:13.550
So there you go.

53:14.030 --> 53:15.320
ESP gives you the same.

53:15.320 --> 53:15.560
What?

53:16.760 --> 53:19.670
The same features, the same MD5, the same.

53:19.670 --> 53:23.000
SHA is given as the ESP header.

53:23.300 --> 53:24.050
Let's see.

53:24.320 --> 53:24.560
Yeah.

53:25.220 --> 53:27.680
And then that it's open.

53:29.750 --> 53:30.290
It works.

53:30.290 --> 53:31.610
Same same process.

53:32.360 --> 53:33.470
So the destination.

53:33.470 --> 53:37.580
But it's just like a header, right?

53:37.610 --> 53:41.750
Instead of now you have to open.

53:45.610 --> 53:46.980
Not encrypted.

53:47.450 --> 53:50.500
So it's just like the same old which you had before.

53:51.310 --> 53:55.570
If you think NC three three with a source of ten 111.

53:58.500 --> 53:59.100
150.

54:00.660 --> 54:01.800
GRE was 138.

54:01.830 --> 54:02.880
This is 158.

54:04.770 --> 54:06.600
But this gives you integrity.

54:06.990 --> 54:09.630
Only integrity if you would.

54:09.630 --> 54:10.160
If you would.

54:10.170 --> 54:15.000
But most of the times what you would do is use ESP for only integrity if you want.

54:17.040 --> 54:18.300
You can use it to.

54:19.510 --> 54:21.020
Yeah, he is.

54:22.300 --> 54:25.600
First encryption, then hashing.

54:27.220 --> 54:27.760
So you'll see.

54:27.790 --> 54:28.690
Hashing happening.

54:29.770 --> 54:32.650
You'll see the header first, which will be encrypted.

54:32.650 --> 54:37.930
On top of that, you'll see it and then you'll see the rest of the stuff like.

54:39.510 --> 54:44.820
The same IPsec ESP for CSP 3DES and a MD5.

54:45.130 --> 54:51.030
So instead of using ESP, ESP 3DES and ESP MD5, we will use ESP one and for the other one.

54:51.030 --> 54:55.710
So ESP encryption should be done using ESP, authentication should be done using AH.

54:57.950 --> 54:58.190
Right.

54:58.400 --> 55:00.950
But again, production will always use.

55:02.030 --> 55:02.750
Most of the time.

55:04.750 --> 55:04.990
Right.

55:06.410 --> 55:07.250
Any questions?

55:09.290 --> 55:11.990
If I remove the protection, the tunnel will not come up.

55:13.850 --> 55:15.110
No tunnel protection.

55:15.110 --> 55:16.790
IPsec profile.

55:16.830 --> 55:19.300
I Whatever.

55:19.460 --> 55:21.620
No matter what you do, the tunnel will go off.

55:22.610 --> 55:24.380
As the camp is off, everything is down.

55:24.380 --> 55:25.700
The tunnel will not come up.

55:27.590 --> 55:29.010
Show IP interface.

55:29.420 --> 55:30.140
It will be down.

55:30.140 --> 55:30.890
It will stay down.

55:31.790 --> 55:32.270
There is no.

55:32.690 --> 55:33.830
There is no way it will come up.

55:33.830 --> 55:33.980
Why?

55:34.010 --> 55:35.050
Because now it will.

55:35.090 --> 55:38.750
Since it's an IPsec tunnel, it would require that ESP to work.

55:40.860 --> 55:42.990
It would need that header for that header it needs.

55:43.230 --> 55:45.630
Can you turn it off already?

55:46.140 --> 55:47.220
It will not work without it.

55:48.480 --> 55:50.250
If it was again, I'm repeating this again.

55:50.250 --> 55:52.800
If it was, it does not require anything like that.

55:53.760 --> 55:57.060
But since it's a protected tunnel, it does require all of these details.

55:58.570 --> 55:58.990
Okay.

56:04.870 --> 56:05.510
Yes.

56:08.010 --> 56:08.440
Yes.

56:08.470 --> 56:09.060
With IPsec.

56:09.070 --> 56:09.970
We always use that.

56:12.790 --> 56:13.230
No, no, no.

56:13.230 --> 56:16.320
Now with I think 12 dot 212 dot two.

56:16.770 --> 56:16.910
Yeah.

56:19.590 --> 56:20.580
Show IP Interface Brief.

56:22.680 --> 56:23.250
Should be up.

56:28.110 --> 56:31.440
Okay, we got down because it did not have the header to attach.

56:37.090 --> 56:41.790
That's virtual templates not done in virtual templates.

56:42.440 --> 56:42.980
That's easy.

56:45.580 --> 56:45.820
Okay.

56:46.780 --> 56:47.830
Any other questions?

56:57.000 --> 56:59.910
Let me go back about it will go back to.

57:03.150 --> 57:08.280
He doesn't have that bias when you're when you're going through the mode of IPsec IPv4.

57:08.280 --> 57:08.730
Right.

57:08.760 --> 57:11.610
You're considering that is not there anymore.

57:12.450 --> 57:14.820
So 24 bytes of GRE are not there anymore.

57:15.660 --> 57:21.450
So earlier when it used to attach, when you change the mode of the tunnel, what you're basically doing

57:21.450 --> 57:24.300
is earlier the mode was right.

57:24.600 --> 57:29.010
So when it then 111 going to ten 333.

57:30.880 --> 57:33.310
When it checks the leaving interface, it sees tunnel zero.

57:33.340 --> 57:34.570
What is the mode of that tunnel?

57:35.770 --> 57:37.960
So based on that, he would attach a header.

57:39.100 --> 57:40.720
But now what is the mode?

57:43.030 --> 57:43.750
IPsec.

57:43.780 --> 57:44.500
IPv4.

57:45.940 --> 57:46.900
The tunnel is not.

57:47.230 --> 57:48.040
Now it's IPsec.

57:48.070 --> 57:49.680
Now he's not going to attach GRE.

57:49.690 --> 57:55.090
Now he's going to attach what? Straight up ESP, then protect it.

57:58.350 --> 57:59.610
The tunnel mode has changed.

58:03.130 --> 58:03.970
Do you understand?

58:04.150 --> 58:09.400
Now, when he goes to the tunnel and he sees the leaving interface based on that, he makes the decision

58:09.400 --> 58:15.850
of should I, which which header should I ask for here?

58:15.850 --> 58:16.480
You don't need that.

58:16.810 --> 58:18.550
Even if you put it, it will not take it.

58:18.580 --> 58:19.270
It will go to the.

58:22.160 --> 58:23.030
Any questions?

58:25.460 --> 58:25.700
Said.

58:33.710 --> 58:34.210
Obesity.

58:38.360 --> 58:42.890
If you want to create a tunnel with the device which is inside the network, not with the edge.

58:43.910 --> 58:49.220
If a device is not on the edge, if it's inside of the network somewhere, you want to create a tunnel

58:49.220 --> 58:50.030
with that.

58:50.240 --> 58:52.880
But can you create it with the private address from here?

58:52.880 --> 58:55.130
You don't have any ability to the private address of that.

58:55.130 --> 58:56.360
So how will you create the tunnel?

58:56.690 --> 59:00.970
You will NAT that and give that device a public address.

59:00.980 --> 59:03.470
So then now your device can communicate to that.

59:12.180 --> 59:12.720
If you want.

59:13.680 --> 59:16.050
If you want to create from me, I'm online.

59:16.800 --> 59:17.040
Right?

59:17.040 --> 59:18.030
I have an edge.

59:18.030 --> 59:21.630
I have connected a direct connection from the Internet to my router.

59:21.960 --> 59:23.010
I'm using that address.

59:23.010 --> 59:23.940
It's well and good.

59:23.940 --> 59:29.520
I want to create a tunnel with a device right here inside Networkers.

59:29.580 --> 59:29.880
Right.

59:29.880 --> 59:32.040
So there's one router right here.

59:32.040 --> 59:33.270
I want to create it with that.

59:33.270 --> 59:38.010
But I know that this whole network, there's only one public pipe which is on the edge.

59:39.120 --> 59:40.170
How do I represent this?

59:40.170 --> 59:42.120
How do I create that with this device?

59:42.450 --> 59:47.610
I'll give it an address on the outside, on the public address so nothing will happen for this device.

59:47.610 --> 59:51.990
And then whoever is sitting at home can communicate to this device through that public address.

59:54.670 --> 59:55.060
What?

59:58.550 --> 59:58.940
Yeah.

1:00:01.720 --> 1:00:01.900
Yeah.

1:00:07.140 --> 1:00:09.240
Uh, to the other side.

1:00:11.060 --> 1:00:11.480
So.

1:00:13.590 --> 1:00:13.790
One.

1:00:17.550 --> 1:00:17.820
No.

1:00:24.500 --> 1:00:26.180
I cannot hear you properly.

1:00:34.660 --> 1:00:38.890
Yeah, it is what it is not.

1:00:41.330 --> 1:00:42.710
As one vote is not required.

1:00:45.600 --> 1:00:46.130
Yeah.

1:00:48.550 --> 1:00:49.720
And what is the edge?

1:00:49.750 --> 1:00:52.090
What do you call what do you guys call the edge?

1:00:53.050 --> 1:00:54.100
Have you done SARS?

1:00:54.370 --> 1:00:55.420
What is the edge?

1:00:56.650 --> 1:00:57.130
End user.

1:00:59.650 --> 1:01:01.480
End of the end of what?

1:01:03.220 --> 1:01:04.840
What do you mean by end of the network?

1:01:05.560 --> 1:01:08.320
Access to Edge.

1:01:08.470 --> 1:01:16.720
When I talk about Edge, I talk about this router, the Edge router, which is connected to the internet,

1:01:18.970 --> 1:01:23.590
but devices are access that are access devices towards the end.

1:01:24.160 --> 1:01:31.570
Well, that's if you talk about an Http language edge is the edge devices, the last devices towards

1:01:31.570 --> 1:01:32.650
the end of the Http, right?

1:01:32.650 --> 1:01:35.650
So you configure them as access port, right?

1:01:35.650 --> 1:01:37.330
But these are perimeter routers, right?

1:01:38.290 --> 1:01:39.640
Call them edge routers also.

1:01:40.120 --> 1:01:41.260
What do they do?

1:01:42.070 --> 1:01:46.090
They're connected to the Internet, so their job is to do NATting and everything.

1:01:46.090 --> 1:01:47.290
Right?

1:01:47.290 --> 1:01:49.570
Let's say this is the address that it has Now.

1:01:49.570 --> 1:01:50.920
You have devices inside.

1:01:51.580 --> 1:01:54.520
Among those devices, you have a router here, right?

1:01:54.550 --> 1:01:57.670
You're also connected to another edge from a different company.

1:01:59.960 --> 1:02:03.200
You want to create a tunnel between this guy and this guy?

1:02:03.230 --> 1:02:04.250
How will you create it?

1:02:05.990 --> 1:02:07.130
You want to create a tunnel like that?

1:02:09.420 --> 1:02:09.960
How do you create?

1:02:11.700 --> 1:02:17.970
What is the first basic thing that you need to do before you create the basic connectivity?

1:02:18.000 --> 1:02:19.070
Layer three Connectivity.

1:02:19.080 --> 1:02:24.570
So this guy should be able to ping, but will he be able to ping because this is going to have a private

1:02:24.570 --> 1:02:25.170
address?

1:02:30.250 --> 1:02:30.640
This is done.

1:02:30.670 --> 1:02:30.910
Once.

1:02:32.200 --> 1:02:33.530
It will have a private address.

1:02:33.550 --> 1:02:35.890
Will I be able to send a packet from here to here?

1:02:36.940 --> 1:02:37.540
Unless I do.

1:02:37.570 --> 1:02:37.780
What?

1:02:38.860 --> 1:02:42.970
Unless this network, this router is represented on this address as a Nat database.

1:02:43.000 --> 1:02:46.150
So let's say 151 dot 20 dot one.

1:02:47.200 --> 1:02:51.850
When this router will send a packet to 151 .1.1 his packet will go to.

1:02:52.330 --> 1:02:53.920
After that everything is the same.

1:02:54.790 --> 1:02:59.410
You just need to make sure that your first step is complete, which is making sure that connectivity

1:02:59.410 --> 1:03:00.910
between the two routers is.

1:03:05.560 --> 1:03:07.630
You know that?

1:03:07.630 --> 1:03:08.200
Yes.

1:03:12.020 --> 1:03:12.230
Yeah.

1:03:14.540 --> 1:03:17.940
This is going back to our static analysis.

1:03:18.510 --> 1:03:19.350
This is static NAT.

1:03:22.110 --> 1:03:23.430
That part will be possible.

1:03:23.460 --> 1:03:25.560
Also will be possible.

1:03:25.770 --> 1:03:27.690
But for PAT, what do you need to do?

1:03:29.610 --> 1:03:35.250
You need to PAT this to the address of 151 point 20.10 at port number 500.

1:03:35.250 --> 1:03:35.970
And.

1:03:38.020 --> 1:03:42.340
For these guys 500 and static.

1:03:43.030 --> 1:03:44.920
So that takes place.

1:03:45.460 --> 1:03:47.980
Once your ISAKMP takes place, you will also go through.

1:03:53.080 --> 1:03:53.590
Okay.

1:03:55.670 --> 1:03:58.280
ISAKMP will take place, but there will be a problem.

1:03:59.390 --> 1:04:00.230
How about you speak?

1:04:03.060 --> 1:04:07.520
Is we will go from 151 .26. x going to.

1:04:13.980 --> 1:04:15.540
There'll be no translation.

1:04:16.880 --> 1:04:17.580
Oh, yeah, it will.

1:04:17.670 --> 1:04:18.750
It will take this.

1:04:19.170 --> 1:04:25.290
It will work because we will have UDP 4500 on the outside that will also be PATted on to 4500.

1:04:25.890 --> 1:04:27.270
So it will take place with that.

1:04:28.920 --> 1:04:37.530
So right here will be like how ESP on top of that will be 45 to 45.

1:04:39.330 --> 1:04:43.290
The packet will come to 45 here which will be forwarded to 45 inside.

1:04:43.890 --> 1:04:44.970
So we'll go to the actual.

1:04:47.980 --> 1:04:49.380
That's what NAT-T is, right?

1:04:54.460 --> 1:05:00.940
And yet I think the problem with when you say it's not working, we'll have to figure that out.

1:05:01.600 --> 1:05:02.160
We'll have to see.

1:05:02.170 --> 1:05:03.670
You said that it's not working right.

1:05:03.730 --> 1:05:06.850
With when you do when you it didn't work.

1:05:06.880 --> 1:05:07.540
We'll have to see

1:05:11.620 --> 1:05:13.360
what the age brackets

1:05:16.840 --> 1:05:19.750
shouldn't be the case shouldn't be the case.

1:05:19.750 --> 1:05:20.260
We'll check.

1:05:20.800 --> 1:05:21.820
We'll check after the break.

1:05:21.850 --> 1:05:22.720
Let's take a break.

1:05:23.770 --> 1:05:24.820
This is done.

1:05:25.190 --> 1:05:26.020
Then we are moving.

1:05:26.020 --> 1:05:30.490
The next topic is, if you understand this, the next topic will be.
