CCNP IPsec VPN lab case

Source: Internet
Author: User
Tags: md5 hash

Lab requirements:
1. Build the environment shown in the topology. Travelling staff use a real PC, bridged to a router, to reach the ISP;
2. Travelling staff must be able to reach VLAN2 on the headquarters intranet through PPTP and also reach the web server on the ISP;
3. Headquarters and the branch need an IPsec VPN so that traffic between them crosses the ISP securely: VLAN3 to VLAN4 uses 3DES encryption with MD5 integrity, VLAN3 to VLAN5 uses AES encryption with SHA integrity, and all other traffic between the two sites uses DES encryption with MD5 integrity;
4. The intranets at both headquarters and the branch must still be able to reach the ISP.
Tutorial topology:
[Topology diagram: http://www.bkjia.com/uploads/allimg/131227/022G524a-0.jpg]
Tutorial steps:
1. Enable PAT on the headquarters and branch gateways
The deny entry at the top of ACL 110 on each gateway is the NAT exemption: traffic between the two private ranges is left untranslated so that it can still match the crypto ACLs defined in step 2, while everything else leaving the intranet is overloaded onto the Serial1/0 address.
GW1:
GW1 (config) # ip nat inside source list 110 interface Serial1/0 overload
GW1 (config) # access-list 110 deny ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.255.255
GW1 (config) # access-list 110 permit ip 172.16.0.0 0.0.255.255 any
GW1 (config) # ip route 0.0.0.0 0.0.0.0 Serial1/0
GW1 (config) # interface Loopback0
GW1 (config-if) # ip address 172.16.3.1 255.255.255.0
GW1 (config-if) # ip nat inside
GW1 (config) # interface Loopback1
GW1 (config-if) # ip address 172.16.2.1 255.255.255.0
GW1 (config-if) # ip nat inside
GW1 (config) # interface Serial1/0
GW1 (config-if) # ip address 201.1.1.2 255.255.255.0
GW1 (config-if) # ip nat outside
GW2:
GW2 (config) # ip nat inside source list 110 interface Serial1/0 overload
GW2 (config) # access-list 110 deny ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255
GW2 (config) # access-list 110 permit ip 10.1.0.0 0.0.255.255 any
GW2 (config) # ip route 0.0.0.0 0.0.0.0 Serial1/0
GW2 (config) # interface Loopback0
GW2 (config-if) # ip address 10.1.4.1 255.255.255.0
GW2 (config-if) # ip nat inside
GW2 (config) # interface Loopback1
GW2 (config-if) # ip address 10.1.5.1 255.255.255.0
GW2 (config-if) # ip nat inside
GW2 (config) # interface Serial1/0
GW2 (config-if) # ip address 202.1.1.2 255.255.255.0
GW2 (config-if) # ip nat outside
Ping the server on the ISP from GW1, sourced from VLAN3 so that the packet is translated on the way out:
GW1 # ping 200.1.1.1 source 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 168/253/400 ms
2. Establish the IPsec VPN between headquarters and the branch
Define the traffic from VLAN3 to VLAN4:
GW1 (config) # access-list 101 permit ip 172.16.3.0 0.0.0.255 10.1.4.0 0.0.0.255
Define the traffic from VLAN3 to VLAN5:
GW1 (config) # access-list 102 permit ip 172.16.3.0 0.0.0.255 10.1.5.0 0.0.0.255
Define other traffic:
GW1 (config) # access-list 105 permit ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.255.255
IKE Phase 1 (the lab dictates 3DES, MD5 and DH group 1; all three are deprecated, and a production policy should use AES, SHA-2 and group 14 or higher):
GW1 (config) # crypto isakmp policy 1
GW1 (config-crypto) # authentication pre-share
GW1 (config-crypto) # encryption 3des
GW1 (config-crypto) # group 1
GW1 (config-crypto) # hash MD5
Pre-shared key for the peer (type 0 keeps it in cleartext in the running configuration):
GW1 (config) # crypto isakmp key 0 cisco address 202.1.1.2
IKE Phase 2 transform sets:
GW1 (config) # crypto ipsec transform-set sovand esp-md5-hmac esp-3des // MD5 integrity, 3DES encryption
GW1 (config) # crypto ipsec transform-set cisco esp-sha-hmac esp-aes // SHA integrity, AES encryption
GW1 (config) # crypto ipsec transform-set hjw esp-md5-hmac esp-des // MD5 integrity, DES encryption
Define the crypto map. Entries are evaluated in sequence-number order and the first crypto ACL that matches wins, so the specific VLAN3 entries must come before the catch-all entry 3:
GW1 (config) # crypto map ccnp 1 ipsec-isakmp
GW1 (config-crypto) # match address 101 // traffic from VLAN3 to VLAN4
GW1 (config-crypto) # set peer 202.1.1.2 // remote gateway
GW1 (config-crypto) # set transform-set sovand // 3DES with MD5

GW1 (config) # crypto map ccnp 2 ipsec-isakmp
GW1 (config-crypto) # match address 102 // traffic from VLAN3 to VLAN5
GW1 (config-crypto) # set peer 202.1.1.2 // remote gateway
GW1 (config-crypto) # set transform-set cisco // AES with SHA

GW1 (config) # crypto map ccnp 3 ipsec-isakmp
GW1 (config-crypto) # match address 105 // other headquarters-to-branch traffic
GW1 (config-crypto) # set peer 202.1.1.2 // remote gateway
GW1 (config-crypto) # set transform-set hjw // DES with MD5

Bind the map to the outside interface, the one that carries the address the peer talks to (Serial1/0, as in the NAT configuration above):
GW1 (config) # interface Serial1/0
GW1 (config-if) # crypto map ccnp // apply the map to the interface
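How the NAT exemption and the crypto map sequence interact is easier to see by modelling GW1's policy. The following Python script is an added example, not part of the original lab and not a Cisco tool: it encodes ACLs 101, 102, 105 and 110 from the configuration above with Cisco wildcard-mask semantics and applies the IOS inside-to-outside order of operations, in which NAT runs before the crypto map is consulted. The flows, the simplified packet model, and the "no exemption" and "reordered map" variants are constructed for illustration; 172.16.100.x stands for a PPTP client address from the pool configured in step 3.

```python
import ipaddress

# Constructed from the GW1 configuration in this lab: wildcard-mask ACL entries
# in the order they were typed (not a device export).
ACLS = {
    101: [("permit", "172.16.3.0", "0.0.0.255", "10.1.4.0", "0.0.0.255")],
    102: [("permit", "172.16.3.0", "0.0.0.255", "10.1.5.0", "0.0.0.255")],
    105: [("permit", "172.16.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255")],
    # NAT ACL: the deny entry is the NAT exemption for site-to-site traffic
    110: [("deny", "172.16.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255"),
          ("permit", "172.16.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255")],
}

# crypto map ccnp, in sequence-number order: (seq, crypto ACL, transform set)
CRYPTO_MAP = [(1, 101, "sovand"), (2, 102, "cisco"), (3, 105, "hjw")]
TRANSFORM_SETS = {
    "sovand": "esp-3des esp-md5-hmac",
    "cisco": "esp-aes esp-sha-hmac",
    "hjw": "esp-des esp-md5-hmac",
}
OUTSIDE_ADDRESS = "201.1.1.2"  # Serial1/0 on GW1, the PAT address


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def acl_action(entries, src, dst):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for action, snet, swc, dnet, dwc in entries:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


def classify(src, dst, nat_acl=ACLS[110], crypto_map=CRYPTO_MAP):
    """Model GW1's inside-to-outside handling of one flow (simplified model).

    NAT is applied before the crypto map is checked, so a translated packet
    already carries the outside address when the crypto ACLs are evaluated
    and can no longer match them: it leaves the router in cleartext."""
    translated = acl_action(nat_acl, src, dst) == "permit"
    src_after_nat = OUTSIDE_ADDRESS if translated else src
    for seq, acl_id, ts_name in crypto_map:
        if acl_action(ACLS[acl_id], src_after_nat, dst) == "permit":
            return {"nat": translated, "seq": seq, "transform": TRANSFORM_SETS[ts_name]}
    return {"nat": translated, "seq": None, "transform": None}  # cleartext


if __name__ == "__main__":
    for flow in [("172.16.3.1", "10.1.4.1"), ("172.16.3.1", "10.1.5.1"),
                 ("172.16.2.1", "10.1.5.1"), ("172.16.100.7", "10.1.4.1"),
                 ("172.16.3.1", "200.1.1.1"), ("172.16.100.7", "200.1.1.1")]:
        print(flow, classify(*flow))
    # Failure mode 1: drop the NAT exemption and VLAN3->VLAN4 leaves unencrypted.
    print("no exemption:", classify("172.16.3.1", "10.1.4.1", nat_acl=ACLS[110][1:]))
    # Failure mode 2: put the catch-all entry first and VLAN3->VLAN4 gets DES.
    reordered = [(1, 105, "hjw"), (2, 101, "sovand"), (3, 102, "cisco")]
    print("reordered map:", classify("172.16.3.1", "10.1.4.1", crypto_map=reordered))
```

Running it shows the three intended transform sets, PPTP clients falling into entry 3 (DES) towards the branch and being translated towards the ISP, and the two misconfigurations that the lab's ordering avoids: without the deny in ACL 110 the site-to-site traffic is translated and never matches a crypto ACL, and with entry 3 first the VLAN3 flows silently get the weakest transform.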

Make the same configuration on GW2:
Define the traffic from VLAN4 to VLAN3:
GW2 (config) # access-list 101 permit ip 10.1.4.0 0.0.0.255 172.16.3.0 0.0.0.255
Define the traffic from VLAN5 to VLAN3:
GW2 (config) # access-list 102 permit ip 10.1.5.0 0.0.0.255 172.16.3.0 0.0.0.255
Define other traffic:
GW2 (config) # access-list 105 permit ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255
IKE Phase 1:
GW2 (config) # crypto isakmp policy 1
GW2 (config-crypto) # authentication pre-share
GW2 (config-crypto) # encryption 3des
GW2 (config-crypto) # group 1
GW2 (config-crypto) # hash MD5
Pre-shared key for the peer:
GW2 (config) # crypto isakmp key 0 cisco address 201.1.1.2
IKE Phase 2 transform sets (the algorithms must match GW1's; the names are only local):
GW2 (config) # crypto ipsec transform-set sovand esp-md5-hmac esp-3des // MD5 integrity, 3DES encryption
GW2 (config) # crypto ipsec transform-set cisco esp-sha-hmac esp-aes // SHA integrity, AES encryption
GW2 (config) # crypto ipsec transform-set hjw esp-md5-hmac esp-des // MD5 integrity, DES encryption
Define map:
GW2 (config) # crypto map ccnp 1 ipsec-isakmp
GW2 (config-crypto) # match address 101 // traffic from VLAN4 to VLAN3
GW2 (config-crypto) # set peer 201.1.1.2 // remote gateway
GW2 (config-crypto) # set transform-set sovand // 3DES with MD5

GW2 (config) # crypto map ccnp 2 ipsec-isakmp
GW2 (config-crypto) # match address 102 // traffic from VLAN5 to VLAN3
GW2 (config-crypto) # set peer 201.1.1.2 // remote gateway
GW2 (config-crypto) # set transform-set cisco // AES with SHA

GW2 (config) # crypto map ccnp 3 ipsec-isakmp
GW2 (config-crypto) # match address 105 // other branch-to-headquarters traffic
GW2 (config-crypto) # set peer 201.1.1.2 // remote gateway
GW2 (config-crypto) # set transform-set hjw // DES with MD5

GW2 (config) # interface Serial1/0
GW2 (config-if) # crypto map ccnp // apply the map to the outside interface

Test whether the two sites can reach each other through the tunnels:
GW1 # ping 10.1.4.1 source 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.4.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 216/237/260 ms

GW1 # ping 10.1.5.1 source 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.5.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 168/253/400 ms

GW2 # ping 172.16.3.1 source 10.1.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/275/384 ms

GW2 # ping 172.16.3.1 source 10.1.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.5.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/252/288 ms

GW2 # show crypto engine connections active
  ID Interface   IP-Address   State  Algorithm            Encrypt  Decrypt
   1 Serial1/0   202.1.1.2    set    HMAC_MD5+3DES_56_C         0        0
2001 Serial1/0   202.1.1.2    set    3DES+MD5                   0        9
2002 Serial1/0   202.1.1.2    set    3DES+MD5                   9        0
2003 Serial1/0   202.1.1.2    set    AES+SHA                    0        9
2004 Serial1/0   202.1.1.2    set    AES+SHA                    9        0
Reading the output: ID 1 is the IKE (ISAKMP) SA, protected with 3DES and MD5 as set in phase 1. Each IPsec transform produces a pair of unidirectional SAs, one that only decrypts (2001, 2003) and one that only encrypts (2002, 2004). For 3DES+MD5, GW2 decrypted the 4 echo requests that arrived from GW1 plus the 5 echo replies to its own ping, and encrypted the 4 replies plus its 5 requests, hence 9 in each direction; the AES+SHA pair shows the same pattern for the VLAN3-VLAN5 pings. The first packet of each ping from GW1 (".!!!!") was dropped while IKE was still negotiating the SA, which is the normal behaviour of an on-demand tunnel rather than a fault; by the time GW2 pinged, the SAs already existed and all 5 echoes succeeded. No DES+MD5 pair appears yet because nothing has matched crypto ACL 105.
3. Configure PPTP
GW1 (config) # vpdn enable
GW1 (config) # vpdn-group cisco
GW1 (config-vpdn) # accept-dialin
GW1 (config-vpdn-acc-in) # protocol pptp
GW1 (config-vpdn-acc-in) # virtual-template 1
GW1 (config) # interface virtual-template 1
GW1 (config-if) # ip unnumbered s0/0 // borrow the address of s0/0 for the tunnel endpoint
GW1 (config-if) # ppp authentication ms-chap
GW1 (config-if) # ppp encrypt mppe auto // MPPE link encryption, keyed from the MS-CHAP exchange
GW1 (config-if) # peer default ip address pool sovand // hand clients addresses from the pool named sovand
GW1 (config) # ip local pool sovand 172.16.100.1 172.16.100.255 // create the address pool
GW1 (config) # username hsf-2011 privilege 15 password qwaszx
Two things a production deployment should not copy from this lab: PPTP with MS-CHAP is considered broken (the MS-CHAP exchange can be cracked offline and the MPPE session keys are derived from it), so it belongs in a lab only, and the dial-in account does not need privilege 15, which would also give it enable-level access to the router itself. Because the pool lies inside 172.16.0.0/16, PPTP clients are matched by NAT ACL 110 and crypto ACL 105 as well, which is how they reach both the ISP web server and the branch.
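The IKE/IPsec settings this lab requires (DES, 3DES, MD5, DH group 1, a type 0 pre-shared key) and the PPTP/MS-CHAP remote-access setup of step 3 are all things an auditor would flag on a real router. The following Python script is an added example, not part of the original article and not a Cisco tool: it runs a small set of pattern rules over a configuration excerpt constructed from the commands in steps 2 and 3 (written as show running-config would display them) and over a constructed hardened counterpart. The rule wording, the 16-character key threshold and the placeholder type 6 and type 9 strings are assumptions for the example.

```python
import re

# Constructed excerpt of GW1's configuration as it would appear in
# "show running-config" after steps 2 and 3 of this lab; not a device export.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key 0 cisco address 202.1.1.2
crypto ipsec transform-set sovand esp-md5-hmac esp-3des
crypto ipsec transform-set cisco esp-sha-hmac esp-aes
crypto ipsec transform-set hjw esp-md5-hmac esp-des
vpdn-group cisco
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 ppp encrypt mppe auto
 ppp authentication ms-chap
username hsf-2011 privilege 15 password 0 qwaszx
"""

# Constructed hardened counterpart; the type 6 key and the type 9 hash are
# placeholders, not real secrets.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 ExampleType6EncryptedBlobNotReal address 202.1.1.2
crypto ipsec transform-set strong esp-aes 256 esp-sha256-hmac
username hsf-2011 privilege 1 secret 9 $9$ExamplePlaceholderHashNotReal
"""

# (pattern, reason). Patterns are anchored at the start of the line so that
# indented sub-mode commands (isakmp policy, vpdn-group, interface) match too.
RULES = [(re.compile(p, re.IGNORECASE), why) for p, why in [
    (r"^\s*encr(?:yption)?\s+(?:des|3des)\b", "IKE policy uses DES/3DES (64-bit block cipher)"),
    (r"^\s*hash\s+md5\b", "IKE policy uses MD5"),
    (r"^\s*group\s+(?:1|2|5)\b", "IKE Diffie-Hellman group weaker than 2048 bits"),
    (r"^crypto isakmp key 0\s", "pre-shared key stored as type 0 (cleartext in the config)"),
    (r"^crypto ipsec transform-set\s.*\besp-(?:des|3des)\b", "transform set uses DES/3DES"),
    (r"^crypto ipsec transform-set\s.*\besp-md5-hmac\b", "transform set uses MD5 integrity"),
    (r"^\s*protocol pptp\b", "PPTP accepted; MPPE keys are derived from the MS-CHAP exchange"),
    (r"^\s*ppp authentication ms-chap(?:\s|$)", "MS-CHAP v1 authentication"),
    (r"^username \S+ privilege 15\b", "dial-in account has privilege 15 (enable-level access)"),
    (r"^username \S+ .*\bpassword 0\s", "user password stored as type 0 (cleartext)"),
]]
PSK_RE = re.compile(r"^crypto isakmp key (\d+) (\S+) address", re.IGNORECASE)


def audit(config_text, min_psk_len=16):
    """Return (line number, command, reason) for every weak setting found."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for pattern, reason in RULES:
            if pattern.search(line):
                findings.append((lineno, line.strip(), reason))
        # Key length check is separate from the type 0 check: a long key is
        # still a finding when stored in cleartext, and vice versa.
        m = PSK_RE.match(line)
        if m and len(m.group(2)) < min_psk_len:
            findings.append((lineno, line.strip(),
                             f"pre-shared key shorter than {min_psk_len} characters"))
    return findings


if __name__ == "__main__":
    for lineno, cmd, reason in audit(SAMPLE_CONFIG):
        print(f"line {lineno:2}: {cmd!r}: {reason}")
    print("hardened config findings:", len(audit(HARDENED_CONFIG)))
```

On the lab configuration the script reports 13 findings (the key line alone yields two: cleartext storage and a five-character key) and none on the hardened variant. The rules are deliberately line-local; a fuller audit would also check that every isakmp policy, not only the first, avoids weak algorithms, and that the crypto map entries reference the strong transform sets.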
4. Create the VPN connection on the PC (simulated here with a virtual machine)
Create a virtual private network connection in Windows:
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/022G53c8-1.jpg]
Start dialing the VPN:
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/022G53401-2.jpg]
View the VPN status:
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/022G51961-3.jpg]
Test VPN access to the intranet and the Internet:
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/022G52241-4.jpg]
After testing, the VPN client can reach both the intranet and the Internet.
[Screenshot: http://www.bkjia.com/uploads/allimg/131227/022G545M-5.jpg]

This article is from the "Searching" blog. For more information, contact the author!
