
IPSEC site to site

Posted by MSSK , 16 September 2013 · 9608 views

IPSEC site to site Issue

In this example we configure an IPsec site-to-site VPN between R1 and R5 to give the SW1 LAN (192.168.1.0/24 behind R1) connectivity to the SW2 LAN (192.168.5.0/24 behind R5). The simulation also includes BGP peering between the sites, in order to practice BGP relationships and attributes.

Configuration

R1
hostname R1

interface Loopback0
ip address 62.215.1.1 255.255.255.255

interface Serial0/0
ip address 62.215.12.1 255.255.255.0
encapsulation ppp

interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
speed 100
full-duplex

router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 62.215.1.1 0.0.0.0 area 0
network 62.215.12.1 0.0.0.0 area 0

R2
hostname R2

interface Loopback0
ip address 62.215.2.2 255.255.255.255

interface Serial0/0
ip address 109.107.23.2 255.255.255.0

interface Serial0/1
ip address 62.215.12.2 255.255.255.0
encapsulation ppp

router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 62.215.2.2 0.0.0.0 area 0
network 62.215.12.2 0.0.0.0 area 0

R3
hostname R3

interface Serial0/0
ip address 109.107.23.3 255.255.255.0
encapsulation ppp

interface Serial0/1
ip address 109.107.34.3 255.255.255.0
encapsulation ppp

R4
hostname R4

interface Loopback0
ip address 212.118.4.4 255.255.255.255

interface Serial0/0
ip address 109.107.34.4 255.255.255.0
encapsulation ppp

interface Serial0/1
ip address 212.118.45.4 255.255.255.0
encapsulation ppp

router isis 1
net 49.0001.0000.0000.0004.00
is-type level-2-only

interface Loopback0
ip router isis 1

interface Serial0/1
ip router isis 1
encapsulation ppp

R5
hostname R5

interface Loopback0
ip address 212.118.5.5 255.255.255.255
ip router isis 1

interface Serial0/0
ip address 212.118.45.5 255.255.255.0
ip router isis 1
encapsulation ppp

interface FastEthernet0/0
ip address 192.168.5.5 255.255.255.0
speed 100
full-duplex

router isis 1
net 49.0001.0000.0000.0005.00
is-type level-2-only

BGP Configuration

R1
router bgp 100
no bgp default ipv4-unicast
neighbor 62.215.2.2 remote-as 100
neighbor 62.215.2.2 update-source Loopback0

address-family ipv4
  neighbor 62.215.2.2 activate
  network 62.215.1.1 mask 255.255.255.255

R2
router bgp 100
no bgp default ipv4-unicast
neighbor 62.215.1.1 remote-as 100
neighbor 62.215.1.1 update-source Loopback0
neighbor 109.107.23.3 remote-as 300

address-family ipv4
  neighbor 62.215.1.1 activate
  neighbor 62.215.1.1 next-hop-self
  neighbor 109.107.23.3 activate
  network 62.215.2.2 mask 255.255.255.255
  network 62.215.12.0 mask 255.255.255.0

R3
router bgp 300
no bgp default ipv4-unicast
neighbor 109.107.23.2 remote-as 100
neighbor 109.107.34.4 remote-as 200
!
address-family ipv4
  neighbor 109.107.23.2 activate
  neighbor 109.107.34.4 activate

R4
router bgp 200
no bgp default ipv4-unicast
neighbor 109.107.34.3 remote-as 300
neighbor 212.118.5.5 remote-as 200
neighbor 212.118.5.5 update-source Loopback0
address-family ipv4
  neighbor 109.107.34.3 activate
  neighbor 212.118.5.5 activate
  neighbor 212.118.5.5 next-hop-self
  network 212.118.4.4 mask 255.255.255.255
  network 212.118.45.0

R5
router bgp 200
no bgp default ipv4-unicast
neighbor 212.118.4.4 remote-as 200
neighbor 212.118.4.4 update-source Loopback0

address-family ipv4
  neighbor 212.118.4.4 activate
  no auto-summary
  no synchronization
  network 212.118.5.5 mask 255.255.255.255

R1#sh ip bgp
BGP table version is 9, local router ID is 62.215.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
   r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 62.215.1.1/32    0.0.0.0                  0         32768 i
r>i62.215.2.2/32    62.215.2.2               0    100      0 i
r>i62.215.12.0/24   62.215.2.2               0    100      0 i
*>i212.118.4.4/32   62.215.2.2               0    100      0 300 200 i
*>i212.118.5.5/32   62.215.2.2               0    100      0 300 200 i
*>i212.118.45.0     62.215.2.2               0    100      0 300 200 i

R1#ping 212.118.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.118.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/12/32 ms
R1#ping 212.118.45.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.118.45.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms

R5#sh ip bgp
BGP table version is 9, local router ID is 212.118.5.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
  r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i62.215.1.1/32    212.118.4.4              0    100      0 300 100 i
*>i62.215.2.2/32    212.118.4.4              0    100      0 300 100 i
*>i62.215.12.0/24   212.118.4.4              0    100      0 300 100 i
r>i212.118.4.4/32   212.118.4.4              0    100      0 i
*> 212.118.5.5/32   0.0.0.0                  0         32768 i
r>i212.118.45.0     212.118.4.4              0    100      0 i

R5#ping 62.215.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 62.215.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/13/16 ms
R5#ping 62.215.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 62.215.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/21/32 ms
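The crypto map added in the next section names 212.118.45.5 as R1's peer, so before IKE can even start R1 needs a route to that address. The R1 table above shows it arriving as the classful 212.118.45.0 network with AS path 300 200, while the entries flagged "r" are RIB failures: BGP selected them, but a source with a lower administrative distance (the connected 62.215.12.0/24 and the OSPF-learned 62.215.2.2/32) already owns them in the routing table. The following is an added example, not code from the original post: a small Python parser for this "show ip bgp" output that answers which BGP path covers a given address and which prefixes failed to install. Its column handling (Metric always printed, LocPrf printed only on paths learned from an iBGP peer) is an assumption tailored to the output shown here.

```python
import ipaddress

# Constructed sample: the R1 "sh ip bgp" table from this post, pasted as text.
R1_BGP_TABLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 62.215.1.1/32    0.0.0.0                  0         32768 i
r>i62.215.2.2/32    62.215.2.2               0    100      0 i
r>i62.215.12.0/24   62.215.2.2               0    100      0 i
*>i212.118.4.4/32   62.215.2.2               0    100      0 300 200 i
*>i212.118.5.5/32   62.215.2.2               0    100      0 300 200 i
*>i212.118.45.0     62.215.2.2               0    100      0 300 200 i
"""


def classful_network(prefix):
    """IOS prints a network without a mask when it is classful; restore the mask from the first octet."""
    if "/" in prefix:
        return ipaddress.IPv4Network(prefix, strict=False)
    first = int(prefix.split(".")[0])
    length = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network(f"{prefix}/{length}", strict=False)


def parse_bgp_table(text):
    """Turn the body of 'show ip bgp' into dicts. Assumption: the Metric column is always printed."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.split()[0] == "Network":
            continue
        status, best, internal = line[0], line[1], line[2]
        tokens = line[3:].split()
        prefix, next_hop, origin = tokens[0], tokens[1], tokens[-1]
        numbers = tokens[2:-1]
        # LocPrf is printed only for paths learned from an iBGP peer (third status char 'i'),
        # so those lines carry three attribute columns before the AS path, the others two.
        n_attr = 3 if internal == "i" else 2
        entries.append({
            "network": classful_network(prefix),
            "next_hop": next_hop,
            "best": best == ">",
            "rib_failure": status == "r",
            "weight": int(numbers[n_attr - 1]),
            "as_path": [int(asn) for asn in numbers[n_attr:]],
            "origin": origin,
        })
    return entries


def best_route_for(entries, ip):
    """Longest-prefix match among best ('>') paths: the route packets to that address will follow."""
    addr = ipaddress.IPv4Address(ip)
    covering = [e for e in entries if e["best"] and addr in e["network"]]
    return max(covering, key=lambda e: e["network"].prefixlen, default=None)


def rib_failures(entries):
    """Prefixes BGP chose but could not install because a lower-AD source already owns them."""
    return [str(e["network"]) for e in entries if e["rib_failure"]]


if __name__ == "__main__":
    table = parse_bgp_table(R1_BGP_TABLE)
    route = best_route_for(table, "212.118.45.5")
    print("IPsec peer 212.118.45.5 reached via", route["network"], "AS path", route["as_path"])
    print("RIB-failure prefixes:", rib_failures(table))
```

Running the script against the R1 table reports the peer as reachable through 212.118.45.0/24 with AS path [300, 200], and lists 62.215.2.2/32 and 62.215.12.0/24 as the RIB-failure prefixes; a `None` result from `best_route_for` is the signal that the crypto map's peer is unroutable and the tunnel cannot come up.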

VPN Configuration

R1
crypto isakmp policy 1
encr aes 128
hash sha
authentication pre-share
group 2
lifetime 86400

crypto isakmp key 6 cisco address 212.118.45.5 no-xauth

crypto ipsec transform-set SET esp-aes esp-sha-hmac

crypto map MAP 1 ipsec-isakmp
set peer 212.118.45.5
set transform-set SET
match address 100

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

interface Serial0/0
crypto map MAP

ip route 192.168.5.0 255.255.255.0 62.215.12.2

R5
crypto isakmp policy 1
encr aes 128
hash sha
authentication pre-share
group 2
lifetime 86400

crypto isakmp key 6 cisco address 62.215.12.1 no-xauth

crypto ipsec transform-set SET esp-aes esp-sha-hmac

crypto map MAP 1 ipsec-isakmp
set peer 62.215.12.1
set transform-set SET
match address 105

access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

interface Serial0/0
crypto map MAP

ip route 192.168.1.0 255.255.255.0 212.118.45.4
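Most site-to-site failures in a setup like this come from the two ends disagreeing: a peer address that is not the far side's tunnel endpoint, a pre-shared key bound to the wrong address, crypto ACLs that are not mirror images, or a transform set or ISAKMP policy that differs. The following is an added example, not code from the original post: a Python checker that parses the two configurations above and reports every such mismatch. The tunnel-endpoint addresses (62.215.12.1 and 212.118.45.5) are the Serial0/0 addresses from the interface configuration earlier on the page; the hardening thresholds in `audit_policy` (DH group 14 or higher, SHA-2 instead of SHA-1) are this example's own assumption about a sensible local policy, not something the post states.

```python
import re

# Constructed samples: the VPN configuration of R1 and R5 from this post, pasted as text.
R1_VPN = """\
crypto isakmp policy 1
 encr aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key 6 cisco address 212.118.45.5 no-xauth
crypto ipsec transform-set SET esp-aes esp-sha-hmac
crypto map MAP 1 ipsec-isakmp
 set peer 212.118.45.5
 set transform-set SET
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
interface Serial0/0
 crypto map MAP
"""
R5_VPN = """\
crypto isakmp policy 1
 encr aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key 6 cisco address 62.215.12.1 no-xauth
crypto ipsec transform-set SET esp-aes esp-sha-hmac
crypto map MAP 1 ipsec-isakmp
 set peer 62.215.12.1
 set transform-set SET
 match address 105
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
interface Serial0/0
 crypto map MAP
"""
POLICY_KEYS = ("encr", "hash", "authentication", "group")


def parse_vpn(text):
    """Extract the pieces that must agree between two crypto-map peers from an IOS config."""
    cfg = {"policy": {}, "transform": {}, "map": {}, "acl": {}, "key_addr": None, "applied": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            section = "policy"
        elif m := re.match(r"crypto isakmp key (?:\d \S+|\S+) address (\S+)", line):
            cfg["key_addr"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform"][m.group(1)] = m.group(2).split()
        elif line.startswith("crypto map ") and line.endswith("ipsec-isakmp"):
            section = "map"
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acl"][m.group(1)] = (m.group(2), m.group(3), m.group(4), m.group(5))
        elif line.startswith("interface "):
            section = "interface"
        elif section == "policy" and line.split()[0] in POLICY_KEYS:
            cfg["policy"][line.split()[0]] = " ".join(line.split()[1:])
        elif section == "map" and line.startswith(("set peer ", "set transform-set ", "match address ")):
            cfg["map"][line.split()[1]] = line.split()[2]   # keys: peer, transform-set, address
        elif section == "interface" and line.startswith("crypto map "):
            cfg["applied"] = True
    return cfg


def check_pair(name_a, a, a_addr, name_b, b, b_addr):
    """a_addr/b_addr are the tunnel-endpoint addresses; returns a list of findings, empty if consistent."""
    findings = []
    for name, cfg, far in ((name_a, a, b_addr), (name_b, b, a_addr)):
        if cfg["map"].get("peer") != far:
            findings.append(f"{name}: set peer {cfg['map'].get('peer')} is not the far endpoint {far}")
        if cfg["key_addr"] != far:
            findings.append(f"{name}: pre-shared key is bound to {cfg['key_addr']}, not to {far}")
        if not cfg["applied"]:
            findings.append(f"{name}: crypto map is not applied to any interface")
    if a["policy"] != b["policy"]:
        findings.append(f"ISAKMP policy mismatch: {a['policy']} vs {b['policy']}")
    ts_a = a["transform"].get(a["map"].get("transform-set"))
    ts_b = b["transform"].get(b["map"].get("transform-set"))
    if ts_a != ts_b:
        findings.append(f"transform-set mismatch: {ts_a} vs {ts_b}")
    acl_a = a["acl"].get(a["map"].get("address"))
    acl_b = b["acl"].get(b["map"].get("address"))
    # A's (source, destination) must equal B's (destination, source), or Phase 2 proxy IDs will not match.
    if acl_a is None or acl_b is None or acl_a[:2] != acl_b[2:] or acl_a[2:] != acl_b[:2]:
        findings.append(f"crypto ACLs are not mirror images: {acl_a} vs {acl_b}")
    return findings


def audit_policy(policy):
    """Illustrative thresholds (this example's assumption): flag DH groups below 14 and SHA-1."""
    notes = []
    if int(policy.get("group", "1")) < 14:
        notes.append(f"group {policy.get('group', '1')} is below group 14 (2048-bit MODP)")
    if policy.get("hash") == "sha":
        notes.append("hash sha is SHA-1; prefer sha256")
    return notes


if __name__ == "__main__":
    r1, r5 = parse_vpn(R1_VPN), parse_vpn(R5_VPN)
    print("mismatches:", check_pair("R1", r1, "62.215.12.1", "R5", r5, "212.118.45.5"))
    print("policy notes:", audit_policy(r1["policy"]))
```

For the two configurations on this page `check_pair` returns no findings, which is what the QM_IDLE / ACTIVE state in the next section confirms; changing one side's transform set or DH group produces a mismatch finding before any debugging on the router is needed.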

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
62.215.12.1     212.118.45.5    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
62.215.12.1     212.118.45.5    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: MAP, local addr 62.215.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer 212.118.45.5 port 500
PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

local crypto endpt.: 62.215.12.1, remote crypto endpt.: 212.118.45.5
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x4DE15982(1306614146)

inbound esp sas:
  spi: 0x6B417577(1799452023)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 1, flow_id: 1, crypto map: MAP
    sa timing: remaining key lifetime (k/sec): (4421195/6)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE
  spi: 0xF46F0AD7(4100917975)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 3, flow_id: 3, crypto map: MAP
    sa timing: remaining key lifetime (k/sec): (4415971/3417)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
  spi: 0xC7E81C23(3353877539)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 2, flow_id: 2, crypto map: MAP
    sa timing: remaining key lifetime (k/sec): (4421195/6)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE
  spi: 0x4DE15982(1306614146)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 4, flow_id: 4, crypto map: MAP
    sa timing: remaining key lifetime (k/sec): (4415971/3417)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R5#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: MAP, local addr 212.118.45.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 62.215.12.1 port 500
PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

local crypto endpt.: 212.118.45.5, remote crypto endpt.: 62.215.12.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0xF46F0AD7(4100917975)

inbound esp sas:
  spi: 0x4DE15982(1306614146)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 3, flow_id: 3, crypto map: MAP
    sa timing: remaining key lifetime (k/sec): (4546732/3403)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
  spi: 0xF46F0AD7(4100917975)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
    conn id: 4, flow_id: 4, crypto map: MAP
    sa timing: remaining key lifetime (k/sec): (4546732/3403)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE

outbound ah sas:

outbound pcp sas:

R1#ping 192.168.5.5 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/17/32 ms

R5#ping 192.168.1.1 source 192.168.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
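The two "sh crypto ipsec sa" outputs above can be cross-checked against each other: the proxy identities are mirror images, R1's current outbound SPI 0x4DE15982 is R5's inbound SA and R5's current outbound SPI 0xF46F0AD7 is R1's inbound SA, the encaps and decaps counters agree in both directions, and R5 shows "#send errors 1" (R1 also still lists an older SA pair, 0x6B417577 / 0xC7E81C23, with 6 seconds of lifetime left, which R5 has already dropped). The following is an added example, not code from the original post: a Python parser for the relevant lines of that output with a checker that performs exactly those comparisons, so that a broken tunnel shows up as an unmatched SPI, a counter mismatch or a non-zero error count. The samples are excerpts of the outputs on this page, trimmed to the lines the parser reads.

```python
import re

# Constructed samples: excerpts of the "sh crypto ipsec sa" output from R1 and R5 above,
# reduced to the lines this checker reads.
R1_SA = """\
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0
current outbound spi: 0x4DE15982(1306614146)
inbound esp sas:
  spi: 0x6B417577(1799452023)
  spi: 0xF46F0AD7(4100917975)
inbound ah sas:
outbound esp sas:
  spi: 0xC7E81C23(3353877539)
  spi: 0x4DE15982(1306614146)
"""
R5_SA = """\
   local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0
current outbound spi: 0xF46F0AD7(4100917975)
inbound esp sas:
  spi: 0x4DE15982(1306614146)
inbound ah sas:
outbound esp sas:
  spi: 0xF46F0AD7(4100917975)
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Collect proxy identities, packet counters and the ESP SPIs in each direction."""
    sa = {"local": None, "remote": None, "encaps": 0, "decaps": 0, "send_errors": 0,
          "current_outbound": None, "inbound": [], "outbound": []}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IDENT_RE.match(line):
            sa[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            sa["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            sa["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+)", line):
            sa["send_errors"] = int(m.group(1))
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", line):
            sa["current_outbound"] = m.group(1)
        elif line.startswith("inbound esp sas"):
            direction = "inbound"
        elif line.startswith("outbound esp sas"):
            direction = "outbound"
        elif line.startswith(("inbound ah", "inbound pcp", "outbound ah", "outbound pcp")):
            direction = None   # AH/PCP sections are empty here; do not attribute their SPIs to ESP
        elif direction and (m := SPI_RE.match(line)):
            sa[direction].append(m.group(1))
    return sa


def cross_check(name_a, a, name_b, b):
    """Compare both ends of one tunnel; returns a list of findings, empty if everything lines up."""
    findings = []
    # Phase 2 selectors must mirror: what A protects locally is B's remote identity.
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append(f"proxy identities do not mirror: {a['local']}/{a['remote']} vs {b['local']}/{b['remote']}")
    for src, dst, sname, dname in ((a, b, name_a, name_b), (b, a, name_b, name_a)):
        # Each peer's active outbound SPI must exist as an inbound SA on the other peer.
        if src["current_outbound"] not in dst["inbound"]:
            findings.append(f"{sname} outbound SPI {src['current_outbound']} has no inbound SA on {dname}")
        if src["encaps"] != dst["decaps"]:
            findings.append(f"{sname} encapsulated {src['encaps']} packets but {dname} decapsulated {dst['decaps']}")
        if src["send_errors"]:
            findings.append(f"{sname}: {src['send_errors']} send error(s)")
    return findings


if __name__ == "__main__":
    for finding in cross_check("R1", parse_ipsec_sa(R1_SA), "R5", parse_ipsec_sa(R5_SA)):
        print(finding)
```

On the outputs from this page the only finding is R5's single send error; the SPIs and counters match, which is the state a working tunnel should show. Replacing R5's inbound SPI with any other value in the sample makes the checker report that R1's outbound SPI has no matching inbound SA, the symptom of one side holding a stale or cleared SA.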



