10/9/2014 VPN site to site packet tracer 5.3 lab - The Cisco Learning Network
https://learningnetwork.cisco.com/docs/DOC-10756
Created: 19 Dec 2010 12:22 by Yasser Ramzy Auda - CCSI, CCNP R&S, CCNP Security - Last modified: 19 Dec 2010 12:42 by Yasser Ramzy Auda - CCSI, CCNP R&S, CCNP Security
VPN site to site packet tracer 5.3 lab
VERSION 1
First of all, you need to study well the concepts of IPsec, VPN types and cryptology before you read this document.
It just shows you how to type the right commands on both router sides using Packet Tracer 5.3.
We will have the following topology.
Notice that you will set a static route between the two routers, while in real life both would be connected through ISPs.

For router 1 we will type the following commands:
Router(config)#crypto isakmp enable <=== enable IPsec
Router(config)#crypto isakmp policy 1 <=== set a new policy with number 1
Router(config-isakmp)#authentication pre-share <=== use the shared-key authentication method (if you use certificates, use rsa-sig instead of pre-share)
Router(config-isakmp)#encryption aes <=== use the symmetric encryption algorithm AES
Router(config-isakmp)#hash sha <=== use the hash algorithm SHA for data integrity
Router(config-isakmp)#group 2 <=== use Diffie-Hellman group 2
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 address 11.0.0.1 0.0.0.0 <=== 0 is the key that will be used with the next site; the next site's IP address is 11.0.0.1; note that in Packet Tracer you use 0.0.0.0 instead of the subnet mask
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac <=== set a transform set called yasser; ESP is the protocol that will be used (you can use AH on an internal VPN)
Router(config)#crypto ipsec security-association lifetime seconds 86400 <=== the key expires after 86400 seconds
Router(config)#ip access-list extended ramzy <=== ACL called ramzy to tell which traffic will use the VPN tunnel
Router(config-ext-nacl)#permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp <=== create a crypto map called auda with sequence number 100
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy <=== link the above ACL to this crypto map
Router(config-crypto-map)#set peer 11.0.0.1 <=== link the next site's IP address to this crypto map
Router(config-crypto-map)#set pfs group2 <=== link DH group 2 to this crypto map
Router(config-crypto-map)#set transform-set yasser <=== link the above transform set to this crypto map
Router(config-crypto-map)#ex
Router(config)#int fa 0/1 <=== apply crypto map auda to the interface facing the next site's link
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#do wr
Building configuration...
[OK]
Router(config-if)#^Z
Router#

For router 0 we will type the following commands:
Router(config)#crypto isakmp enable
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption aes
Router(config-isakmp)#group 2
Router(config-isakmp)#hash sha
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 address 11.0.0.2 0.0.0.0
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac
Router(config)#crypto ipsec security-association lifetime seconds 86400
Router(config)#ip access-list extended ramzy
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 12.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy
Router(config-crypto-map)#set peer 11.0.0.2
Router(config-crypto-map)#set pfs group2
Router(config-crypto-map)#set transform-set yasser
Router(config-crypto-map)#exit
Router(config)#interface fastEthernet 0/1
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#exit
Router(config)#do wr
Building configuration...
[OK]
Router(config)#
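The two configurations above must mirror each other before the peers will negotiate: the same ISAKMP policy attributes, the same transform set, the same PFS group, and crypto ACLs that are exact mirror images of each other. The following Python checker is an added example, not part of the original lab; it extracts those settings from running-config style text like the commands above (Router 1 retyped verbatim, Router 0 derived as its mirror) and reports any mismatch. It does not inspect the pre-shared key itself.

```python
def parse_crypto(cfg):
    # Extract the IPsec-relevant settings from IOS crypto configuration text.
    d = {"policy": {}, "acl": [], "transform": None, "pfs": None, "peer": None}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] in ("authentication", "encryption", "hash", "group"):
            d["policy"][w[0]] = w[1]          # ISAKMP policy attributes
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            d["transform"] = tuple(w[4:])     # proposals listed after the set name
        elif w[0] == "permit":
            d["acl"].append(tuple(w[2:6]))    # src, wildcard, dst, wildcard
        elif w[:2] == ["set", "peer"]:
            d["peer"] = w[2]
        elif w[:2] == ["set", "pfs"]:
            d["pfs"] = w[2]
    return d

def check_pair(cfg_a, cfg_b):
    # Return the mismatches that would stop the two peers from negotiating.
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    problems = [f"{k} differs" for k in ("policy", "transform", "pfs") if a[k] != b[k]]
    mirrored = {(dst, dwc, src, swc) for src, swc, dst, dwc in b["acl"]}
    if set(a["acl"]) != mirrored:
        problems.append("crypto ACLs are not mirror images of each other")
    if a["peer"] == b["peer"]:
        problems.append("both sides point at the same peer address")
    return problems

# Router 1's commands from the lab, retyped as running-config text.
R1 = """crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto isakmp key 0 address 11.0.0.1 0.0.0.0
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
ip access-list extended ramzy
 permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
crypto map auda 100 ipsec-isakmp
 match address ramzy
 set peer 11.0.0.1
 set pfs group2
 set transform-set yasser"""
# Router 0 is the mirror image: peer address and ACL direction swapped.
R0 = R1.replace("11.0.0.1", "11.0.0.2").replace(
    "12.0.0.0 0.255.255.255 10.0.0.0", "10.0.0.0 0.255.255.255 12.0.0.0")
```

Running check_pair(R1, R0) returns an empty list for the lab; change one side's transform set or ACL and the mismatch is named.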

Now let's go to router 0 and run some show commands:

Router#show crypto Isakmp policy

Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Router#


Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
11.0.0.1        11.0.0.2        QM_IDLE           1062    0 ACTIVE

IPv6 Crypto ISAKMP SA

Router#

Router#show crypto map
Crypto Map auda 100 ipsec-isakmp
Peer = 11.0.0.1
Extended IP access list ramzy
access-list ramzy permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Current peer: 11.0.0.1
Security association lifetime: 4608000 kilobytes/86400 seconds
PFS (Y/N): Y
Transform sets={
yasser,
}
Interfaces using crypto map auda:
FastEthernet0/1

Router#

Router#sh crypto ipsec transform-set
Transform set yasser: { { esp-aes esp-sha-hmac }
will negotiate = { Tunnel, },


Router#


Now let's make PC0 ping PC1, then check the IPsec SAs:

Router#show crypto ipsec sa

interface: FastEthernet0/1
Crypto map tag: auda, local addr 11.0.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (12.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 11.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 11.0.0.2, remote crypto endpt.:11.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x12D96D50(316239184)

inbound esp sas:
spi: 0x590D14F4(1494029556)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: FPGA:1, crypto map: auda
sa timing: remaining key lifetime (k/sec): (4525504/86170)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x12D96D50(316239184)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: FPGA:1, crypto map: auda
sa timing: remaining key lifetime (k/sec): (4525504/86170)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

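When verifying the tunnel after the ping, a practitioner reads the counters and the per-SA lines of show crypto ipsec sa for trouble signs: an SA that is not ACTIVE, send errors, traffic that leaves but never comes back, or anti-replay protection being off. The following Python parser is an added example, not part of the original lab; SAMPLE is a trimmed excerpt constructed from the output above, and the warning rules are my own assumptions about what an operator would want flagged.

```python
import re

# Excerpt of the lab's 'show crypto ipsec sa' output, trimmed to the lines parsed here.
SAMPLE = """\
   current_peer 11.0.0.1 port 500
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 0
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0x590D14F4(1494029556)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: N
        Status: ACTIVE
     outbound esp sas:
      spi: 0x12D96D50(316239184)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: N
        Status: ACTIVE
"""

def parse_ipsec_sa(text):
    # Pull packet counters, the peer, and per-SA attributes out of the show output.
    info = {"counters": {}, "sas": []}
    for m in re.finditer(r"#(pkts \w+|send errors|recv errors):? (\d+)", text):
        info["counters"][m.group(1)] = int(m.group(2))
    m = re.search(r"current_peer (\S+)", text)
    info["peer"] = m.group(1) if m else None
    for block in re.split(r"\n\s*(?=(?:in|out)bound esp sas:)", text)[1:]:
        sa = {"dir": block.split()[0]}            # 'inbound' or 'outbound'
        for key, pat in (("spi", r"spi: (0x[0-9A-Fa-f]+)"), ("transform", r"transform: (.+?) ,"),
                         ("replay", r"replay detection support: (\w)"), ("status", r"Status: (\w+)")):
            f = re.search(pat, block)
            sa[key] = f.group(1) if f else None
        info["sas"].append(sa)
    return info

def health_warnings(info):
    # Conditions an operator would want flagged when checking a tunnel after bringing it up.
    c, warn = info["counters"], []
    for sa in info["sas"]:
        if sa["status"] != "ACTIVE":
            warn.append(f"{sa['dir']} SA {sa['spi']} is {sa['status']}")
        if sa["replay"] == "N":
            warn.append(f"{sa['dir']} SA {sa['spi']}: anti-replay disabled")
    if c.get("send errors", 0):
        warn.append(f"{c['send errors']} send error(s)")
    if c.get("pkts encaps", 0) and c.get("pkts decaps", 0) == 0:
        warn.append("traffic leaves the tunnel but nothing comes back")
    return warn
```

On the lab output this flags anti-replay being off on both SAs and the single send error; on a real router the same checks catch a tunnel that encrypts but never decrypts.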

Packet Tracer file:


Yasser Ramzy Auda
CCNA, CCNA Security, CCNA Voice, CCDA, CCNP, CCIP, CCNP Security (CCSP).
