Cisco router configuration: IPsec dynamic encryption (dynamic crypto map)
Lab environment:
Company A's headquarters router (R1) and branch router (R3) communicate over a Layer 3 IPsec VPN. Because the branch uses a D-Link VPN device that cannot be given a fixed public IP address, headquarters decided to deploy dynamic IPsec encryption (a dynamic crypto map on the headquarters side). The topology is as follows: 1.1.1.0/24 simulates the headquarters internal network and 2.2.2.0/24 simulates the branch internal network; the two sites are joined through an Internet router.
1. Headquarters router (R1) configuration:

interface Loopback0
 ip address 1.1.1.1 255.255.255.0    // simulates the headquarters internal network
interface Serial0/0
 ip address 218.16.1.1 255.255.255.0
 no shutdown
 crypto map ccnp
ip route 0.0.0.0 0.0.0.0 218.16.1.2    // the two crypto endpoints must be able to reach each other
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 ciscoh3c address 0.0.0.0 0.0.0.0    // headquarters has a fixed IP but the branch does not, so the key is bound to any peer address; the key must match on both ends
crypto ipsec transform-set ccna esp-3des esp-md5-hmac
 mode tunnel
crypto dynamic-map ccnp 10    // dynamic encryption: no peer and no interesting-traffic ACL are set here
 set transform-set ccna
crypto map ccnp 10 ipsec-isakmp dynamic ccnp

Because the dynamic map carries neither a peer address nor an interesting-traffic ACL, headquarters accepts the peer address and the proxy identities (the protected subnets) that the branch proposes and cannot start the negotiation itself; the tests below must therefore begin from the branch, otherwise they fail. Note also that the wildcard key is the only thing authenticating whoever connects, so any host that knows the string ciscoh3c can bring a tunnel up to headquarters; 3DES, MD5 and DH group 2 are legacy algorithms and a production deployment would use AES, SHA-2 and a larger group.
2. Internet router configuration:

interface Serial0/0
 ip address 218.16.1.2 255.255.255.0
 no shutdown
interface Serial0/1
 ip address 222.16.1.2 255.255.255.0
 no shutdown

The Internet router has no routes to 1.1.1.0/24 or 2.2.2.0/24, so only traffic between the two public endpoints 218.16.1.1 and 222.16.1.1 can cross it; the private subnets are reachable only inside the tunnel.
3. Branch router (R3) configuration:

interface Loopback0
 ip address 2.2.2.2 255.255.255.0    // simulates the branch internal network
interface Serial0/1
 ip address 222.16.1.1 255.255.255.0
 no shutdown
 crypto map ccnp
ip route 0.0.0.0 0.0.0.0 222.16.1.2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 ciscoh3c address 218.16.1.1    // the branch must point at the headquarters' fixed address; it cannot use 0.0.0.0 0.0.0.0 like headquarters, otherwise neither side is able to initiate and the two ends never negotiate
crypto ipsec transform-set ccna esp-3des esp-md5-hmac
 mode tunnel
crypto map ccnp 10 ipsec-isakmp    // static crypto map
 set peer 218.16.1.1
 set transform-set ccna
 match address 101
access-list 101 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255    // interesting traffic for the branch; headquarters will mirror it as its own identities
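The two configurations above only negotiate if the ISAKMP policy, transform set and pre-shared key agree, the key entry on each side covers the other side's crypto endpoint, and the branch's set peer is the headquarters' address; and only the side with a static map (set peer plus match address) can initiate. The following script is an added example, not part of the lab write-up, that checks exactly those conditions. The two configuration strings are constructed from the headquarters and branch configs above, and the parser only understands the commands used there.

```python
"""Check whether a Cisco IOS dynamic crypto map peer (headquarters) and a static
crypto map peer (branch) can negotiate, and which side is able to initiate IKE.
Added example, not part of the lab write-up; the two configuration strings are
constructed from the lab's headquarters and branch configs, and the parser only
understands the commands used there."""
import ipaddress
import re

HQ_CONFIG = """\
interface Serial0/0
 ip address 218.16.1.1 255.255.255.0
 crypto map ccnp
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 ciscoh3c address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ccna esp-3des esp-md5-hmac
crypto dynamic-map ccnp 10
 set transform-set ccna
crypto map ccnp 10 ipsec-isakmp dynamic ccnp
"""

BRANCH_CONFIG = """\
interface Serial0/1
 ip address 222.16.1.1 255.255.255.0
 crypto map ccnp
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 ciscoh3c address 218.16.1.1
crypto ipsec transform-set ccna esp-3des esp-md5-hmac
crypto map ccnp 10 ipsec-isakmp
 set peer 218.16.1.1
 set transform-set ccna
 match address 101
access-list 101 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
"""

def crypto_endpoint(cfg):
    """IP of the interface the crypto map is applied to, i.e. the IKE/IPsec endpoint."""
    addr = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            addr = None
        elif line.startswith(" ip address "):
            addr = line.split()[2]
        elif line.startswith(" crypto map ") and addr:
            return addr
    return None

def parse(cfg):
    """Pull out the settings that decide whether two peers can negotiate."""
    key = re.search(r"^crypto isakmp key (?:\d )?(\S+) address (\S+)(?: (\S+))?$", cfg, re.M)
    ts = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    peer = re.search(r"^ set peer (\S+)$", cfg, re.M)
    acl = re.search(r"^ match address (\S+)$", cfg, re.M)
    mask = key.group(3) or "255.255.255.255"  # 'address A M' takes a subnet mask; 0.0.0.0 0.0.0.0 = any peer
    return {
        "policy": dict(re.findall(r"^ (encr|hash|authentication|group) (\S+)$", cfg, re.M)),
        "psk": key.group(1),
        "key_net": ipaddress.ip_network(f"{key.group(2)}/{mask}", strict=False),
        "transform": frozenset(ts.group(1).split()),
        "endpoint": crypto_endpoint(cfg),
        "peer": peer.group(1) if peer else None,
        "acl": acl.group(1) if acl else None,
        "dynamic": bool(re.search(r"^crypto map \S+ \d+ ipsec-isakmp dynamic ", cfg, re.M)),
    }

def check_pair(a_cfg, b_cfg):
    """Mismatches that would make phase 1 or phase 2 fail; an empty list means the pair can negotiate."""
    a, b = parse(a_cfg), parse(b_cfg)
    findings = []
    if a["policy"] != b["policy"]:
        findings.append(f"ISAKMP policy mismatch: {a['policy']} vs {b['policy']}")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        findings.append(f"transform-set mismatch: {sorted(a['transform'])} vs {sorted(b['transform'])}")
    for me, other, name in ((a, b, "A"), (b, a, "B")):
        if ipaddress.ip_address(other["endpoint"]) not in me["key_net"]:
            findings.append(f"{name}: isakmp key for {me['key_net']} does not cover peer {other['endpoint']}")
        if me["peer"] and me["peer"] != other["endpoint"]:
            findings.append(f"{name}: set peer {me['peer']} is not the other side's endpoint {other['endpoint']}")
    return findings

def initiators(a_cfg, b_cfg):
    """Sides that can start IKE: only a static map entry with 'set peer' and 'match address'.
    A side with only a dynamic map must wait for the other end (the lab's first ping)."""
    return [name for name, cfg in (("A", a_cfg), ("B", b_cfg))
            if (p := parse(cfg))["peer"] and p["acl"] and not p["dynamic"]]

if __name__ == "__main__":
    print("findings:", check_pair(HQ_CONFIG, BRANCH_CONFIG) or "none")
    print("can initiate:", initiators(HQ_CONFIG, BRANCH_CONFIG))  # ['B'] = branch only
```

Run against the lab configs it reports no findings and names the branch as the only initiator; change the branch's set peer or hash and the corresponding finding appears, which is the quickest way to explain a tunnel that never leaves MM_NO_STATE.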
4. Test:
(1) Headquarters pings the branch:

R1# ping 2.2.2.2 source 1.1.1.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
..................................................
..................................................
Success rate is 0 percent (0/100)
// Fails: headquarters has no peer address for the branch and no interesting-traffic ACL, so it cannot start the negotiation; nothing marks these echoes as traffic to protect, so they leave Serial0/0 in the clear and are dropped by the Internet router, which has no route to 2.2.2.0/24.
(2) Branch pings headquarters:

R3# ping 1.1.1.1 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.!!!!
// Succeeds: the branch has a static peer and an interesting-traffic ACL, so the first echo triggers IKE; that packet is lost while phase 1 and phase 2 complete, and the remaining four are sent through the tunnel.
(3) Headquarters pings the branch again:

R1# ping 2.2.2.2 source 1.1.1.1 repeat 50
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// Succeeds: the SAs negotiated by the branch have instantiated the dynamic map with the branch's address and protected subnets, so headquarters-originated traffic now matches and is encrypted.
(4) Show the ISAKMP (phase 1) security association:

R1# show crypto isakmp sa
dst             src             state          conn-id slot status
218.16.1.1      222.16.1.1      QM_IDLE              1    0 ACTIVE
// src is the branch address, confirming that the branch initiated; QM_IDLE with status ACTIVE means phase 1 is complete and the SA is ready for quick mode.
(5) Show the IPsec (phase 2) security associations:

R1# show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: ccnp, local addr 218.16.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 222.16.1.1 port 500
     PERMIT, flags={}
    #pkts encaps: 139, #pkts encrypt: 139, #pkts digest: 139
    #pkts decaps: 139, #pkts decrypt: 139, #pkts verify: 139
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 218.16.1.1, remote crypto endpt.: 222.16.1.1
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x94AE7A86(2494462598)

     inbound esp sas:
      spi: 0xB64162(11944290)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: 1, crypto map: ccnp
        sa timing: remaining key lifetime (k/sec): (4563637/3497)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x94AE7A86(2494462598)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: 2, crypto map: ccnp
        sa timing: remaining key lifetime (k/sec): (4563637/3490)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
// The local and remote identities (1.1.1.0/24 and 2.2.2.0/24) were not configured on headquarters; they are the mirror image of the branch's access-list 101, learned during quick mode. 139 packets were encapsulated and 139 decapsulated with no send or receive errors, and both ESP SAs are ACTIVE.
(6) Show the encryption and decryption state of the interface:

R1# show crypto engine connections active

  ID Interface   IP-Address      State  Algorithm            Encrypt  Decrypt
   1 Serial0/0   218.16.1.1      set    HMAC_MD5+3DES_56_C         0        0
2001 Serial0/0   218.16.1.1      set    3DES+MD5                   0      139
2002 Serial0/0   218.16.1.1      set    3DES+MD5                 139        0
// Connection 1 is the IKE SA. 2001 is the inbound ESP SA (139 packets decrypted) and 2002 the outbound ESP SA (139 packets encrypted), matching the conn ids and counters in show crypto ipsec sa.
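Reading the three show commands in steps (4) to (6) by eye is fine in a lab, but the checks are easy to automate: phase 1 must show an ACTIVE QM_IDLE SA with the same peer as the IPsec SA, both ESP SAs must be ACTIVE with the expected transform, and the encaps and decaps counters must both be moving with no errors. The script below is an added example, not part of the lab write-up; the two samples are constructed from the R1 output printed above, trimmed to the lines the parser reads, and the regular expressions assume the IOS output layout shown there.

```python
"""Health-check the IKE and IPsec security associations from Cisco IOS
'show crypto isakmp sa' and 'show crypto ipsec sa' output.
Added example, not from the lab write-up; the two samples are constructed from
the output R1 (headquarters) printed in the lab, trimmed to the lines parsed."""
import re

ISAKMP_SA = """\
dst             src             state          conn-id slot status
218.16.1.1      222.16.1.1      QM_IDLE              1    0 ACTIVE
"""

IPSEC_SA = """\
interface: Serial0/0
    Crypto map tag: ccnp, local addr 218.16.1.1

   local  ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
   current_peer 222.16.1.1 port 500
    #pkts encaps: 139, #pkts encrypt: 139, #pkts digest: 139
    #pkts decaps: 139, #pkts decrypt: 139, #pkts verify: 139
    #send errors 0, #recv errors 0

     local crypto endpt.: 218.16.1.1, remote crypto endpt.: 222.16.1.1
     current outbound spi: 0x94AE7A86(2494462598)

     inbound esp sas:
      spi: 0xB64162(11944290)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4563637/3497)
        Status: ACTIVE

     outbound esp sas:
      spi: 0x94AE7A86(2494462598)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4563637/3490)
        Status: ACTIVE
"""

def parse_isakmp(text):
    """Rows of 'show crypto isakmp sa' as dicts; the header line is skipped."""
    cols = ("dst", "src", "state", "conn_id", "slot", "status")
    return [dict(zip(cols, line.split())) for line in text.splitlines()[1:]
            if len(line.split()) == len(cols)]

def parse_ipsec(text):
    """Identities, peer, counters and per-direction ESP SA details from 'show crypto ipsec sa'."""
    def grab(pattern, src=text):
        return re.search(pattern, src).group(1)
    info = {
        "local_ident": grab(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)"),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\): \((\S+)\)"),
        "peer": grab(r"current_peer (\S+) port"),
        "encaps": int(grab(r"#pkts encaps: (\d+)")),
        "decaps": int(grab(r"#pkts decaps: (\d+)")),
        "send_errors": int(grab(r"#send errors (\d+)")),
        "recv_errors": int(grab(r"#recv errors (\d+)")),
        "sas": {},
    }
    for direction in ("inbound", "outbound"):
        # each SA block runs from its 'esp sas:' header to the next blank line (or end of output)
        block = re.search(rf"{direction} esp sas:\n(.*?)(?:\n\s*\n|\Z)", text, re.S)
        if block and "spi:" in block.group(1):
            b = block.group(1)
            info["sas"][direction] = {
                "spi": grab(r"spi: (0x[0-9A-Fa-f]+)", b),
                "transform": grab(r"transform: (.+?) ,", b),
                "lifetime_sec": int(grab(r"\(\d+/(\d+)\)", b)),
                "status": grab(r"Status: (\S+)", b),
            }
    return info

def tunnel_health(isakmp_text, ipsec_text, expected_transform="esp-3des esp-md5-hmac"):
    """Problems found; an empty list means phase 1 and phase 2 are up and traffic flows both ways."""
    problems = []
    ike = [r for r in parse_isakmp(isakmp_text)
           if r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"]
    if not ike:
        problems.append("no ACTIVE QM_IDLE ISAKMP SA: phase 1 has not completed")
    sa = parse_ipsec(ipsec_text)
    if ike and sa["peer"] not in {r["src"] for r in ike} | {r["dst"] for r in ike}:
        problems.append(f"IPsec peer {sa['peer']} has no matching ISAKMP SA")
    for direction in ("inbound", "outbound"):
        esp = sa["sas"].get(direction)
        if not esp or esp["status"] != "ACTIVE":
            problems.append(f"{direction} ESP SA missing or not ACTIVE")
        elif esp["transform"] != expected_transform:
            problems.append(f"{direction} ESP SA negotiated '{esp['transform']}', expected '{expected_transform}'")
    if sa["encaps"] == 0 or sa["decaps"] == 0:
        problems.append("traffic is flowing in one direction only (encaps/decaps is zero)")
    if sa["send_errors"] or sa["recv_errors"]:
        problems.append(f"send/recv errors: {sa['send_errors']}/{sa['recv_errors']}")
    return problems

if __name__ == "__main__":
    print(tunnel_health(ISAKMP_SA, IPSEC_SA) or "tunnel healthy")
```

Feeding it the lab output returns no problems; removing the ISAKMP row reproduces the state after test (1), where no phase 1 SA exists, and a decaps counter stuck at zero is the classic sign of a one-way tunnel (mismatched crypto ACLs or a return route missing on the far side).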