1. Assign IP addresses on all routers
R1
conf t
hostname R1
int lo0
ip add 1.1.1.1 255.255.255.255
int e0/0
ip add 192.168.12.1 255.255.255.0
no sh
R2
conf t
hostname R2
int e0/0
ip add 192.168.12.2 255.255.255.0
no sh
int e0/1
ip add 192.168.23.2 255.255.255.0
no sh
R3
conf t
hostname R3
int lo0
ip add 3.3.3.3 255.255.255.255
int e0/0
ip add 192.168.23.3 255.255.255.0
no sh
2. Configure OSPF on all routers
R1
router ospf 100
router-id 1.1.1.1
network 0.0.0.0 0.0.0.0 area 0
R2
router ospf 100
router-id 2.2.2.2
network 0.0.0.0 0.0.0.0 area 0
R3
router ospf 100
router-id 3.3.3.3
network 0.0.0.0 0.0.0.0 area 0
3. Configure an IPSEC connection between R1 and R3
Create an ISAKMP policy:
Authentication: pre-shared key
Encryption: AES 256
Hashing: SHA
DH: Group 5
Lifetime: 3600
R1 and R3
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 3600
Note: hash sha is the IOS default for an ISAKMP policy, so the policy meets the requirement even if you leave that line out, but typing it makes the intent visible in the running-config. Group 5 and SHA-1 are fine for a lab, but Cisco's Next Generation Encryption guidance treats both as legacy; on a production tunnel use at least DH group 14 and SHA-256.
4. Configure the pre-shared key "VAULT" which you will use for the IPSEC connection
R1
crypto isakmp key VAULT address 192.168.23.3
R3
crypto isakmp key VAULT address 192.168.12.1
The key is bound to the peer's address, so each side names the other router's e0/0 address (the address IKE packets come from), not its loopback. The key is also stored in clear text in the running-config; on a real device enable type 6 encryption (key config-key password-encrypt, then password encryption aes) rather than relying on service password-encryption, which only applies the reversible type 7 scheme.
5. Configure the IPSEC transform-set:
Cipher: AES 256
ESP (Encapsulating Security Payload)
Hashing: SHA
R1 & R3
crypto ipsec transform-set MYTRANS esp-aes 256 esp-sha-hmac
6. Change the IPSEC security association lifetime to 1800 seconds.
R1 & R3
crypto ipsec security-association lifetime seconds 1800
7. You need to encrypt traffic from R1's Loopback0 interface destined to R3's Loopback0 interface; create the correct access-list.
R1
access-list 100 permit ip 1.1.1.1 0.0.0.0 3.3.3.3 0.0.0.0
R3
access-list 100 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0
The two ACLs must be exact mirrors: R3's source and destination are R1's swapped. Traffic that does not match the crypto ACL is still routed, it just leaves e0/0 unencrypted, so a typo here silently sends clear text instead of failing.
8. Create the correct crypto map to finish the IPSEC configuration.
R1
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.23.3
set security-association lifetime seconds 1800
set transform-set MYTRANS
set pfs group5
match address 100
int e0/0
crypto map MYMAP
R3
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.12.1
set security-association lifetime seconds 1800
set transform-set MYTRANS
set pfs group5
match address 100
int e0/0
crypto map MYMAP
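Steps 3 to 8 only work if the two routers are configured as exact mirror images (peer address, key, transform-set, PFS group, policy and a swapped ACL), and a one-sided typo is the usual reason phase 1 or phase 2 never comes up. The script below is an added example, not part of the original post: it parses the crypto-relevant lines of two IOS configs and lists every asymmetry. R1_CONFIG is constructed from the lab above; R3_CONFIG is derived from it by swapping the two peer addresses and the two loopbacks; the parser covers only the command forms used in this lab plus the host/any ACL keywords.

```python
"""Mirror-check two IOS crypto-map peers (added example, not from the original post).

Parses the crypto-relevant lines of each router's config and reports every
asymmetry. R1_CONFIG is constructed to match the lab; R3_CONFIG is derived
from it by swapping the two peer addresses and the two loopbacks.
"""
R1_CONFIG = """\
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key VAULT address 192.168.23.3
crypto ipsec transform-set MYTRANS esp-aes 256 esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set MYTRANS
 set pfs group5
 match address 100
access-list 100 permit ip 1.1.1.1 0.0.0.0 3.3.3.3 0.0.0.0
"""
# R3 is the mirror of R1: swap the two peer addresses, then the two loopbacks
R3_CONFIG = (R1_CONFIG.replace("192.168.12.1", "@").replace("192.168.23.3", "192.168.12.1").replace("@", "192.168.23.3")
             .replace("1.1.1.1", "@").replace("3.3.3.3", "1.1.1.1").replace("@", "3.3.3.3"))

# Per-policy defaults IOS applies to attributes not typed under the policy (lifetime is
# negotiated down to the lower value, so it is deliberately not compared)
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
# set/match lines inside a crypto map entry that the mirror check cares about
MAP_FIELDS = {"set peer": "peer", "set transform-set": "transform", "set pfs": "pfs", "match address": "acl"}


def _acl_spec(t, i):
    """Parse one ACL address spec (any | host A | A WILDCARD) at t[i]; return ((addr, wc), next)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_side(name, config):
    """Extract the crypto-relevant pieces of one router's config into a dict."""
    s = {"name": name, "addresses": set(), "policies": [], "keys": {}, "tsets": {},
         "acls": {}, "peer": "", "transform": "", "pfs": "", "acl": ""}
    block = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if raw[0] != " ":                                   # top-level command
            block = None
            if t[0] == "interface":
                block = "interface"
            elif t[:3] == ["crypto", "isakmp", "policy"]:
                s["policies"].append(dict(POLICY_DEFAULTS))
                block = "policy"
            elif t[:3] == ["crypto", "isakmp", "key"] and "address" in t:
                i = t.index("address")                      # the key sits just before "address"
                s["keys"][t[i + 1]] = t[i - 1]
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                s["tsets"][t[3]] = tuple(t[4:])
            elif t[:2] == ["crypto", "map"] and t[-1] == "ipsec-isakmp":
                block = "map"
            elif t[0] == "access-list" and len(t) >= 6 and t[2] == "permit":
                src, i = _acl_spec(t, 4)
                dst, _ = _acl_spec(t, i)
                s["acls"].setdefault(t[1], []).append((t[3], src, dst))
        elif block == "interface" and t[:2] == ["ip", "address"]:
            s["addresses"].add(t[2])
        elif block == "policy" and t[0] in POLICY_DEFAULTS:
            s["policies"][-1][t[0]] = " ".join(t[1:])
        elif block == "map" and " ".join(t[:2]) in MAP_FIELDS:
            s[MAP_FIELDS[" ".join(t[:2])]] = t[2]
    return s


def check_mirror(config_a, config_b, name_a="A", name_b="B"):
    """Return a list of mismatches; an empty list means the two sides mirror."""
    a, b = parse_side(name_a, config_a), parse_side(name_b, config_b)
    issues = []
    for me, them in ((a, b), (b, a)):
        if me["peer"] not in them["addresses"]:
            issues.append(f"{me['name']}: set peer {me['peer']} is not an address on {them['name']}")
        if me["peer"] not in me["keys"]:
            issues.append(f"{me['name']}: no crypto isakmp key for peer {me['peer']}")
        if me["transform"] not in me["tsets"]:
            issues.append(f"{me['name']}: transform-set {me['transform']} is not defined")
        for proto, src, dst in me["acls"].get(me["acl"], []):   # every entry needs its swapped twin
            if (proto, dst, src) not in them["acls"].get(them["acl"], []):
                issues.append(f"{me['name']}: ACL {me['acl']} {proto} {src[0]} -> {dst[0]} has no mirror")
    if a["keys"].get(a["peer"]) != b["keys"].get(b["peer"]):
        issues.append("pre-shared keys differ")
    if a["tsets"].get(a["transform"]) != b["tsets"].get(b["transform"]):
        issues.append("transform-set contents differ")
    if a["pfs"] != b["pfs"]:
        issues.append(f"pfs differs: {a['name']}={a['pfs']} {b['name']}={b['pfs']}")
    if not any(pa == pb for pa in a["policies"] for pb in b["policies"]):
        issues.append("no ISAKMP policy matches on encr/hash/authentication/group")
    return issues


if __name__ == "__main__":
    print(check_mirror(R1_CONFIG, R3_CONFIG, "R1", "R3") or ["R1 and R3 mirror each other"])
```

Feed it the output of show running-config from both routers; an empty list means the crypto pieces agree, otherwise each line names the side and the setting to fix. The pre-shared keys are compared but never printed.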
9. Verify the IPSEC configuration; you can use the following show/debug commands:
show crypto isakmp sa
show crypto ipsec sa
show crypto ipsec transform-set
show crypto map
show access-list
debug crypto isakmp
Source the ping from the loopback: a plain ping between the e0/0 addresses does not match access-list 100 and never brings the tunnel up. The first interesting packet is normally dropped while IKE negotiates the SAs, which is why the first ping below shows 80 percent and the second 100 percent. QM_IDLE with status ACTIVE in show crypto isakmp sa means phase 1 is established; the #pkts encaps/decaps counters in show crypto ipsec sa confirm that phase 2 is actually carrying the traffic.
R1#ping 3.3.3.3 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/6 ms
R1#
R3#ping 1.1.1.1 so l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
R3#
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.23.3    192.168.12.1    QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.23.3    192.168.12.1    QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R3#
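When the check above has to be repeated (after every config change, or across many tunnels) it helps to read show crypto isakmp sa programmatically. The following is an added example, not part of the original post: it parses the table that command prints and reports whether phase 1 to a given peer is up, with the meaning of each main-mode state taken from the IOS command reference. SAMPLE_OUTPUT is constructed; its first row reproduces the healthy R1 to R3 SA above, the second row is an invented peer (10.0.0.9) whose negotiation never got past the first message.

```python
"""Parse `show crypto isakmp sa` and decide whether IKE phase 1 is up.

Added example, not part of the original post. SAMPLE_OUTPUT is constructed: the
first row is the lab's healthy R1 -> R3 SA, the second an invented failing peer.
"""

# Meaning of the ISAKMP SA states, as documented in the IOS command reference
STATE_HELP = {
    "MM_NO_STATE": "SA created but nothing else happened; check reachability, policy match, PSK",
    "MM_SA_SETUP": "policy parameters agreed, key exchange still to come",
    "MM_KEY_EXCH": "DH exchange done, peer not yet authenticated",
    "MM_KEY_AUTH": "peer authenticated, quick mode about to start",
    "QM_IDLE": "phase 1 established and quiescent (healthy)",
}

SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

192.168.23.3    192.168.12.1    QM_IDLE           1001 ACTIVE
10.0.0.9        192.168.12.1    MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

"""


def parse_isakmp_sa(output):
    """Return one dict per SA row: dst, src, state, conn_id, status."""
    sas = []
    for line in output.splitlines():
        t = line.split()
        # A data row is: dst src STATE conn-id status [extra status words such as (deleted)];
        # the header has "conn-id" in column 4, which is not numeric, so it is skipped
        if len(t) >= 5 and t[3].isdigit() and t[2].startswith(("MM_", "QM_", "AG_")):
            sas.append({"dst": t[0], "src": t[1], "state": t[2],
                        "conn_id": int(t[3]), "status": " ".join(t[4:])})
    return sas


def phase1_up(output, peer):
    """True if a QM_IDLE SA with plain ACTIVE status involves `peer` as src or dst."""
    return any(sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"
               and peer in (sa["src"], sa["dst"]) for sa in parse_isakmp_sa(output))


def diagnose(output):
    """One human-readable line per SA, with the meaning of its state."""
    return [f"{sa['src']} -> {sa['dst']} conn {sa['conn_id']}: {sa['state']} {sa['status']}: "
            f"{STATE_HELP.get(sa['state'], 'unknown state')}" for sa in parse_isakmp_sa(output)]


if __name__ == "__main__":
    for line in diagnose(SAMPLE_OUTPUT):
        print(line)
    print("phase 1 to R3 up:", phase1_up(SAMPLE_OUTPUT, "192.168.23.3"))
```

Paste the real command output in place of SAMPLE_OUTPUT, or pipe it in from a CLI collection tool; an SA stuck in any MM_ state after a ping from the loopback is the cue to run debug crypto isakmp on both ends.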