Site-to-Site VPN Experiment
1.1 Description
This experiment uses two routers to test the VPN configuration. You could equally use a PC to a router, a PC to a VPN concentrator, or a PC to a firewall; all of these support VPN. Among the VPN types we use IPsec VPN, the more secure and reliable choice. Note that the lab below deliberately uses the simplest settings IOS accepts: MD5 hashing, DES encryption (explicit in the transform set, and the default for an ISAKMP policy that sets no encryption algorithm), the default DH group 1, no PFS, and the pre-shared key cisco. That is enough to watch the negotiation work, but a production tunnel should use AES, SHA-2, DH group 14 or higher, PFS, and a long random pre-shared key or certificates.
1.1.1. Experiment description
An IPsec VPN is established in these steps:
1. R1 receives interesting traffic destined for R2 (interesting traffic is defined by an ACL, access-list 101 below).
2. R1 and R2 negotiate IKE phase 1:
* determine the key distribution method
* confirm the authentication method
* agree the ISAKMP policy with the peer (encryption algorithm, hash algorithm, DH group and IKE SA lifetime)
3. R1 and R2 negotiate IKE phase 2 (the IPsec SAs: transform set, the identities taken from the ACL, and the IPsec SA lifetime).
4. Data is exchanged through the IPsec tunnel.
5. The tunnel is torn down when the SA lifetime expires (or, if an idle timer is configured, when no data has been sent).
1.1.2. Topology
R1 and R2 are two routers connected across the Internet (in the experiment they are connected directly over a serial link). Loopback 0 on R1 simulates R1's internal network and loopback 0 on R2 simulates R2's internal network; the two loopbacks then reach each other through the VPN.
1.1.3. Basic preparation
R1 ======================================
hostname R1
no ip domain-lookup
line con 0
 logging synchronous
 exec-timeout 0 0
!
interface s1/1
 ip address 200.200.100.1 255.255.255.252
 no shutdown
interface loopback 0
 ip address 10.1.1.1 255.255.255.0
exit
R2 ======================================
hostname R2
no ip domain-lookup
line con 0
 logging synchronous
 exec-timeout 0 0
!
interface s1/0
 ip address 200.200.100.2 255.255.255.252
 ! R2 is the DCE end of the back-to-back serial link, so it supplies the clock
 clock rate 56000
 no shutdown
interface loopback 0
 ip address 10.2.2.1 255.255.255.0
exit
!
1.1.4 VPN configuration
R1 ======================================
! interesting traffic: R1's loopback to R2's loopback (R2 has the mirror image)
access-list 101 permit ip host 10.1.1.1 host 10.2.2.1
! IKE phase 1 policy: no encryption or group is set, so classic IOS defaults to DES and DH group 1
crypto isakmp policy 1
 authentication pre-share
 hash md5
 exit
!
! the 255.255.255.0 mask binds this key to any peer in 200.200.100.0/24;
! a 255.255.255.255 mask (or no mask) binds it to this one peer
crypto isakmp key 0 cisco address 200.200.100.2 255.255.255.0
!
! IKE phase 2 proposal (ESP with DES encryption and MD5 integrity)
crypto ipsec transform-set shanghai esp-des esp-md5-hmac
!
crypto map vpn_to_shanghai 10 ipsec-isakmp
 match address 101
 set peer 200.200.100.2
 set transform-set shanghai
!
! the remote LAN must be routable; the crypto map on the egress interface then encrypts matching packets
ip route 10.2.2.0 255.255.255.0 200.200.100.2
interface s1/1
 crypto map vpn_to_shanghai
R2 ======================================
access-list 101 permit ip host 10.2.2.1 host 10.1.1.1
crypto isakmp policy 1
 authentication pre-share
 hash md5
 exit
!
crypto isakmp key 0 cisco address 200.200.100.1 255.255.255.0
!
crypto ipsec transform-set shanghai esp-des esp-md5-hmac
!
crypto map vpn_to_shanghai 10 ipsec-isakmp
 match address 101
 set peer 200.200.100.1
 set transform-set shanghai
!
ip route 10.1.1.0 255.255.255.0 200.200.100.1
!
interface s1/0
 crypto map vpn_to_shanghai
!
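The two crypto configurations above must be exact mirror images of each other (reversed ACL, each side's peer and key bound to the other's WAN address, identical policy and transform set), and several of their settings are weak by today's standards. The following Python script is an added example, not part of the lab: it transcribes the R1 configuration above (R2 is derived from it by reversing the ACL and swapping the peer address), checks the pair for mismatches, lists the weak settings, and shows that an assumed hardened rewrite of R1 (IOS 15 syntax: AES-256, SHA-256, DH group 14, PFS, a made-up 24-character key bound to a single peer) passes clean. The IOS defaults filled in for an unset encryption algorithm, hash and group (DES, SHA, group 1) are those of classic IOS.

```python
# Added example (not from the lab): audit two IOS crypto-map configs for peer
# mismatches and for settings that negotiate fine but leave the tunnel weak.
import re

R1_CFG = """\
access-list 101 permit ip host 10.1.1.1 host 10.2.2.1
crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key 0 cisco address 200.200.100.2 255.255.255.0
crypto ipsec transform-set shanghai esp-des esp-md5-hmac
crypto map vpn_to_shanghai 10 ipsec-isakmp
 match address 101
 set peer 200.200.100.2
 set transform-set shanghai
"""
# R2 mirrors R1: ACL reversed, peer and key bound to R1's WAN address.
R2_CFG = R1_CFG.replace("host 10.1.1.1 host 10.2.2.1", "host 10.2.2.1 host 10.1.1.1")
R2_CFG = R2_CFG.replace("200.200.100.2", "200.200.100.1")
# Assumed hardened rewrite of R1 (IOS 15 syntax, not from the lab); the key is made up.
HARDENED_R1 = """\
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 Zq7vR2mN8kLp4sWx1cYb6dHt address 200.200.100.2 255.255.255.255
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
crypto map vpn_to_shanghai 10 ipsec-isakmp
 match address 101
 set peer 200.200.100.2
 set transform-set STRONG
 set pfs group14
"""

ACL_RE = re.compile(r"access-list \d+ permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$")
PSK_RE = re.compile(r"crypto isakmp key (?:\d )?(\S+) address (\S+)(?: (\S+))?$")
TSET_RE = re.compile(r"crypto ipsec transform-set \S+ (.+)$")

def parse(cfg):
    """Extract the crypto ACL, ISAKMP policy, PSK, transform set and crypto map."""
    c = {"acl": None, "policy": {}, "psk": None, "tset": None, "map": {}}
    block = None
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        if m := ACL_RE.match(line):
            c["acl"], block = (m[1], m[2]), None
        elif m := PSK_RE.match(line):
            c["psk"] = {"key": m[1], "addr": m[2], "mask": m[3] or "255.255.255.255"}
            block = None
        elif m := TSET_RE.match(line):
            c["tset"], block = m[1].split(), None
        elif line.startswith("crypto isakmp policy"):
            block = "policy"
        elif line.startswith("crypto map"):
            block = "map"
        elif block == "policy":          # "hash md5", "encryption aes 256", ...
            k, _, v = line.partition(" ")
            c["policy"][k] = v
        elif block == "map":             # "set peer 200.200.100.2", ...
            w = line.split()
            c["map"][" ".join(w[:2])] = " ".join(w[2:])
    for k, v in (("encryption", "des"), ("hash", "sha"), ("group", "1")):
        c["policy"].setdefault(k, v)     # classic IOS defaults when unset
    return c

def pair_mismatches(a, b):
    """Differences that stop two peers negotiating: each must mirror the other."""
    checks = [
        (a["acl"] == (b["acl"][1], b["acl"][0]), "crypto ACLs are not mirror images"),
        (a["policy"] == b["policy"], "ISAKMP policies differ"),
        (a["tset"] == b["tset"], "transform sets differ"),
        (a["psk"]["key"] == b["psk"]["key"], "pre-shared keys differ"),
        (a["map"].get("set peer") == a["psk"]["addr"], "set peer and PSK address differ"),
    ]
    return [msg for ok, msg in checks if not ok]

def weak_settings(c):
    """Choices that negotiate fine but leave the tunnel weak."""
    p, psk, f = c["policy"], c["psk"], []
    if p["encryption"].split()[0] in ("des", "3des"):
        f.append(f"IKE encryption {p['encryption']} is obsolete")
    if p["hash"] == "md5":
        f.append("IKE hash md5 is obsolete")
    if int(p["group"]) < 14:
        f.append(f"DH group {p['group']} is too small")
    f += [f"transform set uses {a}" for a in ("esp-des", "esp-3des", "esp-md5-hmac") if a in c["tset"]]
    if "set pfs" not in c["map"]:
        f.append("no PFS on the crypto map")
    if psk["mask"] != "255.255.255.255":
        f.append(f"PSK mask {psk['mask']} lets any peer in that range use the key")
    if len(psk["key"]) < 16:
        f.append("pre-shared key is short enough to guess offline")
    return f

if __name__ == "__main__":
    r1, r2 = parse(R1_CFG), parse(R2_CFG)
    print("mismatches:", pair_mismatches(r1, r2) or "none")
    print("R1 weak settings:", *weak_settings(r1), sep="\n  ")
    print("hardened R1:", weak_settings(parse(HARDENED_R1)) or "clean")
```

Run as is, it reports no mismatches for the lab pair, eight weak-setting findings for R1 (DES and MD5 in both phases, DH group 1, no PFS, the /24 key mask and the short key) and none for the hardened version; changing one host in R2's ACL makes the mirror check fire, which is the most common reason a crypto map never brings its SAs up.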
1.1.5. Verification
Run an extended ping from R1 to 10.2.2.1, sourced from loopback 0 (a ping sourced from the serial interface would not match access-list 101 and would leave in the clear):
R1# ping
Protocol [ip]:
Target IP address: 10.2.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback 0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose [none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 172/238/288 ms
The first two echoes are lost while IKE phase 1 and phase 2 negotiate; those two drops reappear as send errors in the IPsec SA counters further down. Once the SAs exist the remaining three echoes succeed, and a second ping should show a 100 percent success rate.
R1# show crypto map
Crypto Map "vpn_to_shanghai" 10 ipsec-isakmp
        Peer = 200.200.100.2
        Extended IP access list 101
            access-list 101 permit ip host 10.1.1.1 host 10.2.2.1
        Current peer: 200.200.100.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                shanghai,
        }
        Interfaces using crypto map vpn_to_shanghai:
                Serial1/1
R1# show crypto ipsec sa
interface: Serial1/1
    Crypto map tag: vpn_to_shanghai, local addr 200.200.100.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.1/255.255.255.255/0/0)
   current_peer 200.200.100.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0
     local crypto endpt.: 200.200.100.1, remote crypto endpt.: 200.200.100.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xC57F1ABD(3313441469)
     inbound esp sas:
      spi: 0x9C8542B5(2625979061)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: vpn_to_shanghai
        sa timing: remaining key lifetime (k/sec): (4416419/3493)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC57F1ABD(3313441469)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: vpn_to_shanghai
        sa timing: remaining key lifetime (k/sec): (4416419/3492)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
One ESP SA is ACTIVE in each direction (AH and PCP are unused). The encaps and decaps counters both read 3, matching the three successful echoes, and the two send errors are the two echoes dropped while the SAs were still being negotiated.
R1# show crypto isakmp sa
dst             src             state          conn-id slot status
200.200.100.2   200.200.100.1   QM_IDLE              1    0 ACTIVE
QM_IDLE means IKE phase 1 has completed and the IKE SA is idle, ready to run quick mode (phase 2) whenever new IPsec SAs are needed.
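To make this verification repeatable, the following Python script is an added example (not from the lab): it parses the show crypto ipsec sa output above, transcribed as a constructed excerpt with the outbound SPI written out in full as 0xC57F1ABD (the hex form of the decimal 3313441469 the router printed), decides whether the tunnel is up, and reports what an operator should still look at: send errors from the negotiation window, asymmetric counters, SAs close to rekeying, replay detection turned off, and obsolete transforms. Only the line formats visible in the output above are relied on.

```python
# Added example (not from the lab): parse "show crypto ipsec sa" output and decide
# whether the tunnel is up, then list what an operator should still look at.
import re

# Constructed excerpt, transcribed from the lab's R1 output (SPI hex written in full).
SHOW_SA = """\
interface: Serial1/1
    Crypto map tag: vpn_to_shanghai, local addr 200.200.100.1
   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.1/255.255.255.255/0/0)
   current_peer 200.200.100.2 port 500
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #send errors 2, #recv errors 0
     current outbound spi: 0xC57F1ABD(3313441469)
     inbound esp sas:
      spi: 0x9C8542B5(2625979061)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4416419/3493)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xC57F1ABD(3313441469)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4416419/3492)
        replay detection support: Y
        Status: ACTIVE
"""

COUNTER_RE = re.compile(r"#(pkts \w+|send errors|recv errors):? (\d+)")
SA_HEAD_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)\((\d+)\)")
LIFE_RE = re.compile(r"\((\d+)/(\d+)\)")
WEAK = ("esp-des", "esp-3des", "esp-md5-hmac")

def parse_show_sa(text):
    """Return (counters, sas); each SA records direction, proto, spi, transform, lifetime, replay, status."""
    counters, sas, cur, direction, proto = {}, [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        for name, val in COUNTER_RE.findall(line):
            counters[name] = int(val)
        if m := SA_HEAD_RE.match(raw):
            direction, proto, cur = m[1], m[2], None
        elif m := SPI_RE.match(line):      # "current outbound spi:" does not start with "spi:"
            cur = {"dir": direction, "proto": proto, "spi": m[1], "spi_dec": int(m[2])}
            sas.append(cur)
        elif cur is None:
            continue
        elif line.startswith("transform:"):
            cur["transform"] = line[len("transform:"):].strip(" ,").split()
        elif line.startswith("sa timing"):
            kb, sec = LIFE_RE.search(line).groups()
            cur["kb_left"], cur["sec_left"] = int(kb), int(sec)
        elif line.startswith("replay detection support:"):
            cur["replay"] = line.endswith("Y")
        elif line.startswith("Status:"):
            cur["status"] = line.split()[-1]
    return counters, sas

def tunnel_up(counters, sas):
    """True when an ESP SA is ACTIVE in both directions and packets have flowed both ways."""
    active = {s["dir"] for s in sas if s["proto"] == "esp" and s.get("status") == "ACTIVE"}
    return (active == {"inbound", "outbound"}
            and counters.get("pkts encaps", 0) > 0 and counters.get("pkts decaps", 0) > 0)

def findings(counters, sas, min_sec_left=120):
    """Things worth a look even when the tunnel is up."""
    f = []
    if counters.get("send errors", 0):
        f.append(f"{counters['send errors']} send errors: packets dropped before the SAs "
                 "existed (the echoes lost while IKE negotiated)")
    if counters.get("pkts encaps") != counters.get("pkts decaps"):
        f.append("encaps/decaps differ: one-sided traffic or the peer's ACL is not a mirror")
    for s in sas:
        if s.get("sec_left", min_sec_left) < min_sec_left:
            f.append(f"{s['dir']} SA rekeys in {s['sec_left']}s")
        if not s.get("replay", True):
            f.append(f"{s['dir']} SA has replay detection disabled")
        f += [f"{s['dir']} SA uses {a}" for a in WEAK if a in s.get("transform", [])]
    return f

if __name__ == "__main__":
    counters, sas = parse_show_sa(SHOW_SA)
    print("tunnel up:", tunnel_up(counters, sas))
    for item in findings(counters, sas):
        print(" -", item)
```

For the lab output the tunnel is reported up with five findings: the two send errors and esp-des plus esp-md5-hmac on each of the two SAs. Feeding it the output of a real router over time (for example from a scheduled show command) turns the same checks into a simple tunnel monitor: a drop to one ACTIVE direction or counters that stop advancing on one side is the usual first sign of a broken mirror ACL or a peer that rekeyed with different settings.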