
Virtual Private Networks in Theory and Practice

Textbook 2018 195 Pages

Computer Science - IT-Security

Excerpt

Dedication

This book is dedicated to my parents and my family.

Acknowledgment

All books are the product of teamwork and I thank all the members of the GRIN publisher, including the project editor, friends, seniors, colleagues, and my teachers.

I specially acknowledge Dr. Muhammad Yousaf, Assistant Professor at the Riphah Institute of Systems Engineering, Islamabad. He guided, motivated, and encouraged me in my research work.

I also acknowledge Miss Muntaha Sohail, Lecturer in the English Department, University of Sargodha, Sub-Campus Mandi Bahauddin. She minutely and skillfully proofread this book.

Table of Contents

Chapter 1 Introduction

1 Virtual Private Network..2

1.1 VPN Services..2

1.1.1 Confidentiality..2

1.1.2 Integrity..3

1.1.3 Authentication..3

1.1.4 Availability..4

1.1.5 Anti-Replay..4

1.2 VPN Advantages..4

1.2.1 Data Security..4

1.2.2 Private Network Access..4

1.2.3 Bandwidth..5

1.2.4 Cost Reduction..5

1.2.5 Deployment Flexibility..5

1.3 VPN Types..5

1.3.1 Remote Access VPN..5

1.3.2 Site-to-Site VPN..6

1.4 VPN Protocols..6

1.5 VPN Supported Devices..6

Chapter 2 PPTP VPN

2 PPTP VPN..8

2.1 PPTP Security..8

2.2 Encapsulation..9

2.3 Router as a PPTP VPN Server..10

2.3.1 Lab Objectives..10

2.3.2 Topology..10

2.3.3 Step-1 IP Addressing..10

2.3.4 Step-2 Configuring Static IP Routing..12

2.3.5 Step-3 Connectivity Testing..13

2.3.6 Step-4 Configuring Router as a PPTP VPN Server..14

2.3.7 Step-5 Configuring & Setting of PPTP VPN Client..15

2.3.8 Step-6 Connecting VPN Client..20

2.3.9 Step-7 Testing..22

Chapter 3 L2TP VPN

3 L2TP VPN..25

3.1 L2TP Security..26

3.2 Encapsulation..27

3.3 Router as a L2TP VPN Server..28

3.3.1 Lab Objectives..28

3.3.2 Topology..28

3.3.3 Step-1 IP Addressing..28

3.3.4 Step-2 Configuring Static IP Routing..30

3.3.5 Step-3 Configuring Router as a DNS Server..31

3.3.6 Step-4 Testing Connectivity..31

3.3.7 Step-5 Configuring Router as a L2TP VPN Server..33

3.3.8 Step-6 Configuring & Setting L2TP VPN Client..34

3.3.9 Step-7 Connecting VPN Client..36

3.3.10 Step-8 Testing..38

Chapter 4 L2TP over IPsec VPN

4 L2TP over IPsec VPN..42

4.1 L2TP over IPsec Security..42

4.2 Encapsulation..42

4.3 Router as an L2TP over IPsec VPN Server..44

4.3.1 Lab Objectives..44

4.3.2 Topology..44

4.3.3 Step-1 IP Addressing..44

4.3.4 Step-2 Configuring Static IP Routing..46

4.3.5 Step-3 Testing Connectivity..47

4.3.6 Step-4 Configuring Router as an L2TP over IPsec VPN..48

4.3.7 Step-5 Configuring & Setting L2TP over IPsec VPN Client..49

4.3.8 Step-6 Connecting VPN Client..70

4.3.9 Step-7 Testing..72

Chapter 5 IPsec VPN

5 IPsec VPN..79

5.1 IPsec Security Architecture..79

5.2 Encapsulation..81

5.3 Site-to-Site IPsec VPN b/w Routers..83

5.3.1 Lab Objectives..83

5.3.2 Topology..83

5.3.3 Step-1 IP Addressing..83

5.3.4 Step-2 Configuring Static IP Routing..86

5.3.5 Step-3 Configuring NAT..88

5.3.6 Step-4 Testing Connectivity..89

5.3.7 Step-5 Configuring Site-to-Site IPsec VPN Tunnel..90

5.3.8 Step-6 Testing..92

5.4 Site-to-Site IPsec VPN b/w PIX & ASA..95

5.4.1 Lab Objectives..95

5.4.2 Topology..95

5.4.3 Step-1 IP Addressing..95

5.4.4 Step-2 Configuring Static IP Routing..99

5.4.5 Step-3 Testing Connectivity..100

5.4.6 Step-4 Configuring IPsec Tunnel..101

5.4.7 Step-5 Testing..102

5.5 Remote Access IPsec VPN with Router (Easy VPN)..104

5.5.1 Lab Objectives..104

5.5.2 Topology..104

5.5.3 Step-1 IP Addressing..104

5.5.4 Step-2 Configuring Static IP Routing..106

5.5.5 Step-3 Testing Connectivity..107

5.5.6 Step-4 Configuring Remote Access IPsec VPN Tunnel..107

5.5.7 Step-5 Installing & Setting CISCO IPsec VPN Client..109

5.5.8 Step-6 Connecting IPsec VPN Client..113

5.5.9 Step-7 Testing..115

5.6 Remote Access IPsec VPN with ASA (Easy VPN)..116

5.6.1 Lab Objectives..116

5.6.2 Topology..116

5.6.3 Step-1 IP Addressing..116

5.6.4 Step-2 Configuring NAT..118

5.6.5 Step-3 Configuring Static IP Routing..118

5.6.6 Step-4 Testing Connectivity..119

5.6.7 Step-5 Configuring ASA as IPsec VPN Server..120

5.6.8 Step-6 Configuring VPN Client..121

5.6.9 Step-7 Connecting VPN Client..121

5.6.10 Step-8 Testing..121

Chapter 6 GRE VPN

6 GRE VPN..124

6.1 GRE Security..124

6.2 Encapsulation..124

6.3 Site-to-Site IPsec over GRE VPN..125

6.3.1 Lab Objectives..125

6.3.2 Topology..125

6.3.3 Step-1 IP Addressing..125

6.3.4 Step-2 Configuring Static IP Routing..127

6.3.5 Step-3 Configuring NAT..128

6.3.6 Step-4 Testing Connectivity..129

6.3.7 Step-5 Configuring Site-to-Site IPSec over GRE Tunnel..130

6.3.8 Step-6 Testing..132

6.4 Site-to-Site IPsec over GRE VPN (Behind ASA)..136

6.4.1 Lab Objectives..136

6.4.2 Topology..136

6.4.3 Step-1 IP Addressing..136

6.4.4 Step-2 Configuring Static IP Routing..139

6.4.5 Step-3 Configuring NAT..141

6.4.6 Step-4 Testing Connectivity..142

6.4.7 Step-5 Configuring IPsec over GRE..142

6.4.8 Step-6 Testing..145

Chapter 7 DMVPN

7 DMVPN..147

7.1 DMVPN Security..147

7.2 Encapsulation..147

7.3 Dynamic Multipoint VPN (Hub & Spokes)..148

7.3.1 Lab Objectives..148

7.3.2 Topology..148

7.3.3 Step-1 IP Addressing..148

7.3.4 Step-2 Configuring Static IP Routing..151

7.3.5 Step-3 Testing Connectivity..152

7.3.6 Step-4 Configuring DMVPN Tunnel..153

7.3.7 Step-5 Testing..155

Chapter 8 SSL VPN

8 SSL VPN..159

8.1 SSL Security..159

8.2 SSL Encapsulation..160

8.3 Router as an SSL VPN Gateway..161

8.3.1 Lab Objectives..161

8.3.2 Topology..161

8.3.3 Step-1 IP Addressing..161

8.3.4 Step-2 Configuring Static IP Routing..163

8.3.5 Step-3 Configuring Router as a DNS Server..164

8.3.6 Step-4 Testing Connectivity..164

8.3.7 Step-5 Configuring Self-Signed Certificates..166

8.3.8 Step-6 Configuring SSL VPN Gateway..168

8.3.9 Step-7 Testing..169

Chapter 9 High Availability VPN

9 High Availability VPN..172

9.1 HSRP..172

9.2 VRRP..173

9.3 GLBP..173

9.4 Site-to-Site IPsec High Availability VPN with HSRP..174

9.4.1 Lab Objectives..174

9.4.2 Topology..174

9.4.3 Step-1 IP Addressing..174

9.4.4 Step-2 Configuring Static IP Routing..177

9.4.5 Step-3 Testing Connectivity..179

9.4.6 Step-4 Configuring HSRP..179

9.4.7 Step-5 Configuring IPsec VPN over HSRP..182

9.4.8 Step-6 Testing..184

References:..17286

Learning Outcomes

This book encompasses virtual private network technologies, both theoretical and practical. It demonstrates how VPNs actually work and shows their practical implementation, step by step, in different lab scenarios. The objective of this book is to teach students and professionals in an easy way. In this book, a reader learns not only the theoretical knowledge of VPNs but also the practical implementation of several types of VPNs in his home and office.

There are several types of VPNs with different scenarios. After studying this book, the reader will be familiar with almost all types of VPN and will be able to set up all of them in different scenarios in his office and home.

1. Introduction

1 Virtual Private Network

A Virtual Private Network (VPN) is a secure, reliable and logical connection that is created over a public network (the Internet). CISCO defines a VPN as an encrypted connection between private networks over a public network [1]. It is a virtual connection, not a physical one. It extends the private network across a shared or public network. It enables a computer to send or receive data safely across the shared or public network as if it were directly connected to the private network. This is done by establishing a virtual connection through the Internet.

1.1 VPN Services

VPNs provide different types of security services through different security protocols. These services are:

1. Confidentiality

2. Integrity

3. Authentication

4. Availability

5. Anti-replay

1.1.1 Confidentiality

Confidentiality means secrecy. It is a technique in which the original data is hidden or replaced with some other data. The idea is that the data is not disclosed to anyone, intentionally or unintentionally, during transmission. In network security, it is also called encryption. It is the process in which the plaintext (original text) is replaced or substituted with the help of a certain encryption algorithm, a key, and a mechanism. After this process, the plaintext is converted into encrypted text (ciphertext). The encrypted text is transmitted over an insecure network. If somebody captures the encrypted text, it is not easy to understand it. On the receiving side, the reverse process, called decryption, takes place: the same algorithm, key, and mechanism are used to decrypt the text and the original text is recovered. There are several encryption algorithms. Some of them work character by character and the remaining work block by block. There are two types of keys: symmetric and asymmetric. With symmetric keys, the same key is used to encrypt and decrypt, while with asymmetric keys, a pair of keys is used. One key is the private key and the second is called the public key. If the public key is used to encrypt the data, its private key is used to decrypt it, whereas if the private key is used to encrypt the data, its public key is used to decrypt it. The mechanism is the way or method that defines how the algorithm and key are driven. Modern encryption algorithms are:

1. DES (Data Encryption Standard)

2. 3DES (Triple Data Encryption Standard)

3. AES (Advanced Encryption Standard)

1.1.2 Integrity

Integrity means originality. It is a technique to ensure that data is not modified or altered by an unauthorized person during transmission. The data remains consistent, both internally and externally. It guarantees that the receiver receives the data in its original form and that there is no change to the data during transmission. In network security, it is also called hashing. Hashing is a one-way process in which a 32-bit long hash value is calculated from the data with a specific algorithm. This hash value is transmitted along with the data. On the receiver side, the receiver once again calculates the hash value of the received data with the same algorithm and compares it with the value that came with the data. If the values are the same, the integrity is not compromised; on the other hand, if the hash value differs by even one character, it indicates that the integrity is compromised, and the receiver will discard the received data. Modern hashing algorithms are:

1. MD-5 (Message Digest)

2. SHA-1 (Secure Hash Algorithm)

1.1.3 Authentication

Authentication is a technique that verifies the identity of a user or a process. It restricts unauthorized users from accessing data or services. In this process, the credentials provided by the user are compared with those already saved in the database file. If the credentials match, the user is granted access and the process is complete. If the credentials do not match, the user is not granted access. Authentication may be local or remote. In local authentication, the credentials are saved on the same machine, while in remote authentication, the user credentials are saved on another server. The receiving machine sends the user credentials to the authentication server to check whether they are valid, and the server responds. If the machine receives a positive response from the authentication server, it grants access; if it receives a negative response, it denies access. For security purposes, the Challenge Handshake Authentication Protocol (CHAP) is used between the machine and the authentication server. Modern remote authentication servers are:

1. TACACS (Terminal Access Controller Access Control System)

2. RADIUS (Remote Authentication Dial-In User Service)
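The CHAP exchange named above, with the access device forwarding the user's response to a separate authentication server that holds the user database. This is an added example, not code from the book; it follows RFC 1994 (response = MD5(identifier || secret || challenge)), and the user database, device name and the `run_exchange` driver are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over Identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response packet: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack(">BBH", code, identifier, 4 + len(body)) + body


def build_result(code: int, identifier: int, message: bytes = b"") -> bytes:
    """Success/Failure packet: Code(1) Identifier(1) Length(2) Message."""
    return struct.pack(">BBH", code, identifier, 4 + len(message)) + message


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    """Splits a Challenge or Response into (code, identifier, value, name)."""
    code, identifier, length = struct.unpack(">BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad CHAP length")
    size = pkt[4]
    return code, identifier, pkt[5:5 + size], pkt[5 + size:]


class AuthServer:
    """Remote authentication server (the role TACACS/RADIUS play in the text).
    CHAP verification needs the clear-text secret, so the database holds it."""

    def __init__(self, users: Dict[bytes, bytes]):
        self.users = users

    def check(self, identifier: int, challenge: bytes, response: bytes, name: bytes) -> bool:
        secret = self.users.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_hash(identifier, secret, challenge), response)


class AccessDevice:
    """Issues challenges and relays each response to the server for a true/false answer."""

    def __init__(self, server: AuthServer, name: bytes = b"vpn-gw"):
        self.server, self.name = server, name
        self.identifier = 0
        self.pending: Dict[int, bytes] = {}      # identifier -> outstanding challenge

    def challenge(self) -> bytes:
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)                    # fresh random value per attempt
        self.pending[self.identifier] = chal
        return build_packet(CHAP_CHALLENGE, self.identifier, chal, self.name)

    def handle_response(self, pkt: bytes) -> bytes:
        code, identifier, value, name = parse_packet(pkt)
        chal = self.pending.pop(identifier, None)   # each challenge answers once
        ok = (code == CHAP_RESPONSE and chal is not None
              and self.server.check(identifier, chal, value, name))
        return build_result(CHAP_SUCCESS if ok else CHAP_FAILURE, identifier)


def client_respond(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """User side: hash the secret into the challenge; the secret never leaves the host."""
    code, identifier, chal, _peer_name = parse_packet(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a Challenge packet")
    return build_packet(CHAP_RESPONSE, identifier, chap_hash(identifier, secret, chal), name)


def run_exchange(name: bytes, secret: bytes, replay_last: bool = False) -> int:
    """Runs one full exchange and returns the result code the device sends back."""
    server = AuthServer({b"test": b"test"})     # constructed user database
    device = AccessDevice(server)
    response = client_respond(device.challenge(), name, secret)
    result = device.handle_response(response)
    if replay_last:                              # resubmitting a captured response
        result = device.handle_response(response)
    return result[0]


if __name__ == "__main__":
    print("good credentials  ->", run_exchange(b"test", b"test"))
    print("wrong password    ->", run_exchange(b"test", b"wrong"))
    print("replayed response ->", run_exchange(b"test", b"test", replay_last=True))
```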

1.1.4 Availability

Availability provides reliable and timely access to data and resources. Once a VPN is connected, its time period is 24 hours by default. This means that the user can access data or services at any time during the VPN connection.

1.1.5 Anti-Replay

Anti-replay is a technique in which the receiver verifies that each packet is unique and not a duplicate. In this process, packets carry sequence numbers, and the receiver arranges all received packets according to these sequence numbers. If a duplicate packet is received, the receiver discards it.
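The receiver-side processing of sections 1.1.2 and 1.1.5 combined: verify the transmitted digest, then apply a sequence-number window that drops duplicates. This is an added example, not code from the book. The packet layout (seq || payload || digest) is assumed; where the text describes a plain appended hash, this block uses a keyed HMAC-SHA1 so that a party who alters the payload cannot simply recompute the digest, and the window follows the IPsec ESP sliding-window scheme (RFC 4303 section 3.4.3). It also reports the real digest sizes of the two algorithms listed in 1.1.2 (128 bits for MD5, 160 bits for SHA-1).

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Assumed packet layout (not from the book), big-endian:
#     seq (4 bytes) || payload || digest (20 bytes, HMAC-SHA1 over seq||payload)
DIGEST_LEN = hashlib.sha1().digest_size   # 20 bytes


def digest_bits(name: str) -> int:
    """Digest size in bits of a hashlib algorithm ('md5', 'sha1', ...)."""
    return hashlib.new(name).digest_size * 8


def build_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: prepend the sequence number, append the keyed digest."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()


class Receiver:
    """Integrity is checked first so that a forged packet can never move the
    window; then duplicates and packets older than the window are rejected."""

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set  =>  sequence number (highest - i) seen

    def _verify(self, packet: bytes) -> Optional[bytes]:
        """Returns seq||payload if the digest matches, else None."""
        if len(packet) < 4 + DIGEST_LEN:
            return None
        body, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        # constant-time comparison: does not leak which byte differed
        return body if hmac.compare_digest(expected, received) else None

    def _replay_check(self, seq: int) -> str:
        """Returns 'ok' (and records seq), 'duplicate' or 'stale'."""
        if seq == 0:
            return "stale"                  # sequence numbers start at 1
        mask = (1 << self.window) - 1
        if seq > self.highest:              # newest packet so far: slide the window
            shift = seq - self.highest
            if shift < self.window:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1             # everything older falls out of the window
            self.highest = seq
            return "ok"
        offset = self.highest - seq
        if offset >= self.window:
            return "stale"                  # too old to track: treated as a replay
        if self.bitmap & (1 << offset):
            return "duplicate"
        self.bitmap |= 1 << offset          # out of order but new: accept once
        return "ok"

    def receive(self, packet: bytes) -> Tuple[str, Optional[bytes]]:
        body = self._verify(packet)
        if body is None:
            return "integrity-failed", None
        seq = struct.unpack(">I", body[:4])[0]
        verdict = self._replay_check(seq)
        if verdict != "ok":
            return verdict, None
        return "accepted", body[4:]


def demo() -> list:
    """Feeds a constructed packet stream to a receiver and returns its verdicts."""
    key = b"constructed-shared-key"        # constructed sample key
    rx = Receiver(key, window=8)
    p1 = build_packet(key, 1, b"hello")
    p5 = build_packet(key, 5, b"world")
    p3 = build_packet(key, 3, b"late")
    tampered = p5[:4] + b"X" + p5[5:]      # one payload byte altered in transit
    return [rx.receive(p)[0] for p in (p1, p1, p5, p3, p3, tampered)]


if __name__ == "__main__":
    print(demo())
    print("MD5:", digest_bits("md5"), "bits; SHA-1:", digest_bits("sha1"), "bits")
```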

1.2 VPN Advantages

VPN technology has heavily influenced the corporate sector through its many advantages. Due to these advantages, it is a popular and widely deployed technology in the industry. These advantages are:

1.2.1 Data Security

A public network (the Internet) is not a secure network, and it is not possible to secure it completely. It is very risky, and it is easy for a third person (an intruder) to access or alter data as it moves across the public network. So, data needs to be secured before it is transferred over a public network. A VPN encapsulates the data in a security header before transmitting it to its destination. When data is encapsulated in a security header, it is not easy to access or alter it. On the receiving side, it is decapsulated.

1.2.2 Private Network Access

VPNs allow employees to securely access their company's private network or data while travelling outside the office or working at home. Many employees work in branch offices and others work as teleworkers in the field. They are away from the central site, and if they need to access the company's data or services for business operations, they can access them securely through a VPN connection.

1.2.3 Bandwidth

Users or branch offices use leased lines such as E1, T1, Frame Relay or Asynchronous Transfer Mode (ATM) to access the company's data or services securely. These leased lines typically provide 128 Kbps, 256 Kbps, and 512 Kbps connection speeds, and they are expensive. Users and branch offices require more bandwidth and higher speed for their services and advanced applications. Internet Service Providers (ISPs) provide relatively high-bandwidth IP connections, such as broadband Digital Subscriber Line (DSL) or cable access, for VPN use on a shared basis.

1.2.4 Cost Reduction

ISPs provide relatively high-bandwidth IP connections, such as broadband DSL or cable service, on a shared basis. As a result, many customers are migrating their primary WAN connectivity to these services or deploying such WAN alternatives as a secondary high-speed WAN circuit to augment their existing private network. These high-bandwidth, shared IP connections cost relatively less than leased lines.

1.2.5 Deployment Flexibility

VPNs can be quickly established wherever an Internet access connection is available. They offer a great degree of flexibility in connecting branch offices, or even users traveling outside the office or working at home.

1.3 VPN Types

A VPN can be set up in different forms. A secure connection is created over a public network; it is sometimes called a tunnel. All traffic passes through this tunnel. There are two basic types of VPN:

1. Remote Access VPN

2. Site-to-Site VPN

1.3.1 Remote Access VPN

In the remote access VPN type, a single user connects to a private network and accesses its services and resources remotely. The connection between the user and the private network is made through the Internet, and this connection is secure and private. Usually, home users or teleworkers use this type of VPN. Teleworkers or employees use a remote access VPN to connect to their company's private network and remotely access files and resources on it while traveling.

1.3.2 Site-to-Site VPN

The Site-to-Site VPN type is mostly used in corporate networks. In this type of VPN, a company's offices in different geographical locations use a Site-to-Site VPN to connect their networks with the head office or another branch office. A device acts as a gateway in one branch office, and similarly in the other branch office, and the connection is established between the two. Once the connection is established, multiple users in the branch offices can use it.

1.4 VPN Protocols

As we know, communication between two devices is based upon the Open Systems Interconnection (OSI) reference model. It is a universal standard proposed by the International Organization for Standardization (ISO) in 1984. It consists of seven layers. Each layer of this model performs specific tasks through several communication protocols. These communication protocols are classified into different forms according to these layers. VPN protocols are likewise classified according to the OSI model's layers for security purposes. These VPN protocols are:

1. PPTP (Point-to-Point Tunneling Protocol)

2. L2TP (Layer 2 Tunneling Protocol)

3. IPsec (Internet Protocol Security)

4. L2TP over IPsec.

5. GRE (Generic Routing Encapsulation)

6. IPsec over GRE

7. TLS (Transport Layer Security)

8. SSL (Secure Sockets Layer)

1.5 VPN Support Devices

A dedicated VPN support device is the VPN concentrator. A VPN concentrator is a type of networking device that provides secure creation of VPN connections and delivery of messages between VPN nodes. However, some other devices (routers, multi-layer switches, PIX, ASA, PCs, smartphones and tablets) may also support VPN. These devices must have VPN-capable operating systems. Multiple vendors, such as CISCO, Juniper, Linksys, Microsoft, Linux, and Mac, have designed such devices. The VPN service provided by these devices is said to be IOS-based VPN. In this guide, CISCO-based devices (Router, PIX & ASA) and Windows-based PCs are used.

2 PPTP VPN

Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN techniques in network security. It was introduced by "Matthew Ramsay" in 1999 with the support of Microsoft. Its specification is described in RFC 2637 [2]. It basically extends the Point-to-Point Protocol (PPP). PPP transfers multi-protocol datagrams over a point-to-point link. PPTP uses a dial-up networking method which is called Virtual Private Dial-up Network (VPDN). It is most suitable for remote access applications through VPN. It also supports LAN internetworking. It operates at layer 2 of the OSI model. It works as a client/server model which is simple to configure. By default, the client is software based and is normally available in all Microsoft Windows, Linux and MAC operating systems. It remains a very popular technology, especially on Microsoft Windows computers. It is a connection-oriented protocol and uses TCP port 1723. In this tunneling technique, tunnels are created in the following two steps:

1. First, the clients connect to their ISPs using any service (dial-up, ISDN, DSL modem or LAN).

2. Second, PPTP creates a TCP session between client and server to establish a secure tunnel.

Once the PPTP tunnel is established between client and server, two types of information can pass through the tunnel. Moreover, a unique Call ID value is assigned to each session for its identification.

1. Control Messages: These messages pass directly through the tunnel between the client and the server, up to and including tearing down the connection. A variety of these control messages are used to maintain the VPN connections; some of them are shown in Fig. 2.1 below.

2. Data Packets: These pass through the tunnel to the client, and the client sends data packets back.

2.1 PPTP Security

PPTP supports authentication, encryption and packet filtering. For authentication, PPP-based protocols like MS-CHAPv1, MS-CHAPv2, EAP-TLS, and PAP are used. MS-CHAPv1 is insecure. EAP-TLS is a superior choice; however, it requires a Public Key Infrastructure implementation for both client and server certificates. When MS-CHAPv1/v2 is used in PPTP, the payloads are encrypted using Microsoft Point-to-Point Encryption (MPPE). MPPE supports 40-bit, 56-bit and 128-bit encryption. It enhances the confidentiality of PPP-encapsulated packets [3]. Packet filtering is implemented on VPN servers.

[Figures and tables are omitted from this preview.]

Figure 2.1 PPTP Control Messages

2.2 Encapsulation

PPTP encapsulates PPP frames in IP packets. It uses a TCP connection for tunnel management. The encapsulated PPP frames may be encrypted, compressed, or both, as highlighted in Fig. 2.2.


Figure 2.2 PPTP Encapsulation

In Oct. 2012, the security of PPTP was broken; its use is no longer recommended by Microsoft [4].
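The two PPTP channels described in this chapter, the control connection on TCP port 1723 and the PPP frames carried in enhanced GRE, parsed in Python so that the Call ID, message types and encrypted-payload marker can be pulled out of captured traffic (for example to inventory PPTP still in use). This is an added example, not code from the book; the layouts follow RFC 2637 and the sample messages at the bottom are constructed, not captured.

```python
import struct

MAGIC_COOKIE = 0x1A2B3C4D       # fixed value in every PPTP control message
PPTP_GRE_PROTO = 0x880B         # GRE protocol type used by PPTP (RFC 2637 section 4)
CONTROL_TYPES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply",
    11: "Incoming-Call-Connected", 12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify", 14: "WAN-Error-Notify", 15: "Set-Link-Info",
}
CALL_ID_MESSAGES = {7, 8, 12, 13}   # body begins with the sender's own Call ID


def parse_control_message(data: bytes) -> dict:
    """Parses and validates the 12-byte header of a PPTP control message."""
    if len(data) < 12:
        raise ValueError("short PPTP header")
    length, msg_type, cookie, ctrl_type, _reserved = struct.unpack(">HHIHH", data[:12])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie: not PPTP, or TCP stream out of sync")
    if msg_type != 1:
        raise ValueError("not a control message (PPTP message type %d)" % msg_type)
    if length > len(data):
        raise ValueError("message truncated: header announces %d bytes" % length)
    info = {"length": length, "control_type": ctrl_type,
            "name": CONTROL_TYPES.get(ctrl_type, "unknown")}
    if ctrl_type in CALL_ID_MESSAGES and length >= 14:
        info["call_id"] = struct.unpack(">H", data[12:14])[0]
    return info


def parse_gre_data(packet: bytes) -> dict:
    """Parses the enhanced GRE header that carries one PPP frame per packet.
    Assumes PPP protocol-field compression is not in use (2-byte protocol)."""
    if len(packet) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, payload_len, call_id = struct.unpack(">BBHHH", packet[:8])
    has_key, has_seq = bool(b0 & 0x20), bool(b0 & 0x10)     # K and S bits
    has_ack, version = bool(b1 & 0x80), b1 & 0x0F             # A bit, Ver
    if not has_key or version != 1 or proto != PPTP_GRE_PROTO:
        raise ValueError("not PPTP enhanced GRE")
    offset, seq, ack = 8, None, None
    if has_seq:
        seq = struct.unpack(">I", packet[offset:offset + 4])[0]
        offset += 4
    if has_ack:
        ack = struct.unpack(">I", packet[offset:offset + 4])[0]
        offset += 4
    ppp = packet[offset:offset + payload_len]
    if len(ppp) != payload_len:
        raise ValueError("GRE payload truncated")
    if ppp[:2] == b"\xff\x03":          # HDLC address/control bytes, when present
        ppp = ppp[2:]
    ppp_proto = struct.unpack(">H", ppp[:2])[0] if len(ppp) >= 2 else None
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp_protocol": ppp_proto,
            # MPPE/MPPC hand the frame over as PPP protocol 0x00FD (compressed datagram)
            "compressed_or_encrypted": ppp_proto == 0x00FD,
            "payload": ppp[2:]}


def constructed_samples() -> dict:
    """Constructed (not captured) messages in the formats above."""
    def header(length: int, ctrl_type: int) -> bytes:
        return struct.pack(">HHIHH", length, 1, MAGIC_COOKIE, ctrl_type, 0)

    echo_request = header(16, 5) + struct.pack(">I", 42)        # Identifier
    # Outgoing-Call-Request: Call ID, serial, min/max BPS, bearer, framing,
    # receive window, processing delay, phone-number length, reserved, then
    # 64-byte phone number and 64-byte subaddress (all zero here) = 168 bytes
    ocrq = header(168, 7) + struct.pack(">HHIIIIHHHH", 0x1234, 1, 300, 100_000_000,
                                         3, 3, 64, 0, 0, 0) + bytes(128)
    ppp = b"\xff\x03\x00\xfd" + b"\x10\x01opaque-mppe-ciphertext"
    gre = struct.pack(">BBHHH", 0x30, 0x81, PPTP_GRE_PROTO, len(ppp), 0x1234)
    gre += struct.pack(">II", 7, 3) + ppp          # K|S set, A set, seq 7, ack 3
    return {"echo": echo_request, "ocrq": ocrq, "gre": gre}


if __name__ == "__main__":
    samples = constructed_samples()
    print(parse_control_message(samples["echo"]))
    print(parse_control_message(samples["ocrq"]))
    print(parse_gre_data(samples["gre"]))
```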

2.3 Router as a PPTP VPN Server

2.3.1 Lab Objectives

- Assign IP addresses according to topology

- Configure IP Routing

- Test Connectivity

- Configure Router as a PPTP VPN Server

- Configure PC as a Microsoft PPTP VPN Client

- Try to Connect VPN Client

- Test VPN

2.3.2 Topology


Figure 2.3 PPTP VPN Setup

2.3.3 Step-1 IP Addressing

Assign IP addresses to the router interfaces and the PC as shown in the topology diagram (Fig. 2.3) above. The interfaces must be enabled and in the up and running state.

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface fastEthernet 0/0

Internet(config-if)# ip address 203.0.113.18 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface fastEthernet 0/1

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.18 YES manual up up

FastEthernet0/1 203.0.113.33 YES manual up up

Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C 203.0.113.16/28 is directly connected, FastEthernet0/0

C 203.0.113.32/28 is directly connected, FastEthernet0/1

Branch:

Branch>enable

Branch#configure terminal

Branch(config)#interface fastEthernet 0/0

Branch(config-if)# ip address 203.0.113.34 255.255.255.240

Branch(config-if)#no shutdown

Branch(config-if)#exit

Branch(config)#interface fastEthernet 0/1

Branch(config-if)#ip address 192.168.1.1 255.255.255.0

Branch(config-if)#no shutdown

Branch(config-if)#^Z

Branch#

Branch#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.34 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Branch#

PC:


Figure 2.4 Client IP Address

2.3.4 Step-2 Configuring Static IP Routing

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

Branch:

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33

Branch(config)#exit

Branch#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 203.0.113.33

C 192.168.1.0/24 is directly connected, FastEthernet0/1

C 203.0.113.32/28 is directly connected, FastEthernet0/0

Branch#

2.3.5 Step-3 Connectivity Testing

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Request timed out.

Reply from 203.0.113.34: bytes=32 time=258ms TTL=254

Reply from 203.0.113.34: bytes=32 time=185ms TTL=254

Reply from 203.0.113.34: bytes=32 time=184ms TTL=254

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip times in milli-seconds:

Minimum = 184ms, Maximum = 258ms, Average = 209ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch:

Branch#ping 203.0.113.17

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms

Branch#

2.3.6 Step-4 Configuring Router as a PPTP VPN Server

Branch(config)#vpdn enable

Branch(config)#vpdn-group pptp-vpn

Branch(config-vpdn)#accept-dialin

Branch(config-vpdn-acc-in)#protocol pptp

Branch(config-vpdn-acc-in)#virtual-template 1

Branch(config-vpdn-acc-in)#exit

Branch(config-vpdn)#exit

Branch(config)#

Branch(config)# ip local pool pptp-pool 172.16.1.10 172.16.1.50

Branch(config)#username test password 0 test

Branch(config)#interface virtual-template 1

Branch(config-if)#encapsulation ppp

Branch(config-if)# peer default ip address pool pptp-pool

Branch(config-if)#ip unnumbered fastEthernet 0/1

Branch(config-if)#no keepalive

Branch(config-if)#ppp encrypt mppe auto required

Branch(config-if)# ppp authentication ms-chap ms-chap-v2

Branch(config-if)#^Z

Branch#

Branch#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.34 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Virtual-Access1 unassigned YES unset down down

Virtual-Template1 192.168.1.1 YES unset down down

Branch#show vpdn group

VPDN group 1

Group session limit 65535 Active sessions 0 Active tunnels 0

VPDN group pptp-vpn

Group session limit 65535 Active sessions 0 Active tunnels 0

Branch#show vpdn session

%No active PPTP tunnels

2.3.7 Step-5 Configuring & Setting of PPTP VPN Client

1. Choose Start > Control Panel > Network & Sharing Center > Set up a New Connection


Figure 2.5 Set up a new Connection

2. After the Network Connection Wizard window appears, choose Connect to a workplace & click Next


Figure 2.6 Connect to a Workplace

3. Choose No, create a new connection & Click Next


Figure 2.7 Create new Connection

4. Select Use my Internet Connection


Figure 2.8 New Connection Name & IP Address

5. Choose Start > Control Panel > Network & Sharing Center > Change Adapter Settings and select the properties of the recently configured connection


Figure 2.9 Properties

6. Choose Security


Figure 2.10 Security

7. Under Type of VPN choose PPTP VPN, choose Required Encryption under Data Encryption, select the Authentication Protocols and click OK


Figure 2.11 Select Properties

2.3.8 Step-6 Connecting VPN Client

1. Try to connect


Figure 2.12 Username & Password

2. Type username test & password test and click OK


Figure 2.13 Connecting

3. The verifying username and password window appears


Figure 2.14 Verifying

4. The registering your computer on the network window appears


Figure 2.15 Completing

5. Once connected, the status of the connection can be checked


Figure 2.16 Connection Status

2.3.9 Step-7 Testing

PC:


Figure 2.17 Connection Details

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=232ms TTL=255

Reply from 192.168.1.1: bytes=32 time=226ms TTL=255

Reply from 192.168.1.1: bytes=32 time=338ms TTL=255

Reply from 192.168.1.1: bytes=32 time=351ms TTL=255

Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 226ms, Maximum = 351ms, Average = 286ms

Branch:

Branch#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.34 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Virtual-Access1 192.168.1.1 YES unset up up

Virtual-Template1 192.168.1.1 YES unset down down

Branch#show interface virtual-access 1

Virtual-Access1 is up, line protocol is up

Hardware is Virtual Access interface

Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, LCP Open

Open: IPCP, CCP

PPPoVPDN vaccess, cloned from Virtual-Template1

Vaccess status 0x44

Protocol pptp, tunnel id 36776, session id 20632, loopback not set

Keepalive not set

DTR is pulsed for 5 seconds on reset

Last input 00:05:07, output never, output hang never

Last clearing of "show interface" counters 00:22:57

Branch#show users

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

Interface User Mode Idle Peer Address

Vi3 test PPPoVPDN 00:09:55 172.16.1.11

Branch#show vpdn session

PPTP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Intf Username State Last Chg Uniq ID

20632 256 36776 Vi3 test estabd 00:00:41 2

Branch#show vpdn tunnel pptp

PPTP Tunnel Information Total tunnels 1 sessions 1

LocID Rem. Name State Remote Address Port Sessions VPDN Group

36776 estabd 203.0.113.17 4993 1 1

Branch#show vpdn tunnel pptp transport

PPTP Tunnel Information Total tunnels 1 sessions 1

LocID Type Local Address Port Remote Address Port

36776 IP 203.0.113.34 1723 203.0.113.17 4993

Branch#show vpdn tunnel packets

PPTP Tunnel Information Total tunnels 1 sessions 1

LocID Pkts-In Pkts-Out Bytes-In Bytes-Out

36776 61 21 6679 521

Branch#
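An added check of the Step-4 server configuration against the weaknesses this chapter names itself: MS-CHAPv1 is insecure (2.1), MPPE can negotiate 40-bit or 56-bit keys below the 128-bit maximum (2.1), and PPTP as a whole is no longer recommended (2.2). This is not code from the book; the lab config is copied from Step-4 above, the hardened variant is constructed here, and it relies on the standard IOS forms `username ... secret`, `ppp encrypt mppe 128 required` and `ppp authentication ms-chap-v2`.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]       # (severity, message)

# Configuration entered on the Branch router in Step-4 above.
LAB_CONFIG = """\
vpdn enable
vpdn-group pptp-vpn
 accept-dialin
  protocol pptp
  virtual-template 1
ip local pool pptp-pool 172.16.1.10 172.16.1.50
username test password 0 test
interface virtual-template 1
 encapsulation ppp
 peer default ip address pool pptp-pool
 ip unnumbered fastEthernet 0/1
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
"""

# Constructed hardened variant (not from the lab): v2-only authentication,
# 128-bit MPPE mandatory, and a hashed ('secret') rather than type-0 password.
HARDENED_CONFIG = """\
vpdn enable
vpdn-group pptp-vpn
 accept-dialin
  protocol pptp
  virtual-template 1
username test secret PLACEHOLDER-STRONG-PASSWORD
interface virtual-template 1
 encapsulation ppp
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
"""


def audit_pptp_config(config: str) -> List[Finding]:
    """Returns the findings a reviewer would raise on an IOS PPTP server config."""
    findings: List[Finding] = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    if any(ln == "protocol pptp" for ln in lines):
        findings.append(("high", "PPTP dial-in enabled: PPTP is broken and no longer "
                                 "recommended (section 2.2); prefer L2TP/IPsec or IPsec"))

    for ln in lines:
        m = re.match(r"ppp authentication\s+(.+)$", ln)
        if m:
            methods = m.group(1).split()
            if "ms-chap" in methods:          # 'ms-chap' is MS-CHAPv1 in IOS
                findings.append(("high", "MS-CHAPv1 ('ms-chap') accepted for PPP "
                                         "authentication; it is insecure (section 2.1)"))
            if "pap" in methods:
                findings.append(("high", "PAP accepted: the password crosses the link in clear text"))

        m = re.match(r"ppp encrypt mppe\s+(auto|40|128)(.*)$", ln)
        if m:
            strength, rest = m.group(1), m.group(2)
            if strength != "128":             # 'auto' allows every strength the client offers
                findings.append(("medium", "MPPE '%s' permits 40/56-bit keys; "
                                           "accept only 128-bit" % strength))
            if "passive" in rest.split():
                findings.append(("medium", "MPPE is passive: an unencrypted PPP session "
                                           "can be negotiated; use 'required'"))

        # 'password 0 x' and 'password x' are both stored as type 0 (clear text);
        # 'password 7 x' (reversible) and 'secret' are not matched here.
        m = re.match(r"username\s+(\S+)\s+password\s+(?:0\s+)?(\S+)$", ln)
        if m:
            findings.append(("medium", "user '%s' has a type-0 clear-text password in the "
                                       "config; use 'username %s secret ...'" % (m.group(1), m.group(1))))
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for severity, message in audit_pptp_config(cfg):
            print("  [%s] %s" % (severity, message))
```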

3 L2TP VPN

Layer 2 Tunneling Protocol (L2TP) was introduced in 1999 as a combination of two tunneling protocols: the Layer 2 Forwarding (L2F) protocol by CISCO Systems and the Point-to-Point Tunneling Protocol (PPTP) by Microsoft. It merges the best features of both. In other words, it is an extension of PPTP. It was specified in RFC 2661 [5]. L2F is a tunneling protocol that was developed to establish VPNs over the public network (Internet). It does not provide encryption by itself. It was specially designed to tunnel PPP traffic. In 2005, a new version of L2TP was introduced as L2TPv3, with additional security features, improved encapsulation and the ability to carry data links over the network. Its specification is described in RFC 3931 [6].

The entire L2TP packet, including the payload and the L2TP header, is sent within a User Datagram Protocol (UDP) datagram with port number 1701. It is common to carry a PPP session within an L2TP tunnel. L2TP does not support strong authentication and confidentiality by itself. The IPsec protocol is often used with L2TP to provide strong confidentiality, authentication, and integrity. The combination of these two protocols is generally known as L2TP/IPsec. L2TP allows creating a VPDN to connect remote clients to their corporate network using the different connection services provided by ISPs. It operates at layer 2 of the OSI model. It works as a client/server model.

The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LNS waits for new tunnels. The LAC sits between the LNS and a remote system and forwards packets to the server. Once the tunnel is established between the peers, network traffic moves in both directions. The packets exchanged within the tunnel are characterized as either control packets or data packets: L2TP is reliable for control packets and unreliable for data packets. If reliability is desired for data packets, it is provided by another protocol running within the session of the tunnel.

In this tunneling technique, tunnels are created in the following two steps:

1. A control connection is established for a tunnel between the LAC and the LNS.

2. A session is established between client and server.

During the setup of the L2TP tunnel, different types of control messages and data messages are exchanged between the LAC and the LNS, as highlighted in Fig. 3.1 below. The traffic of each session is isolated by L2TP, so it is possible to set up multiple virtual networks over a single tunnel. The Maximum Transmission Unit (MTU) remains the same. Hello messages are sent to the peer as control messages for keepalive every 60 seconds.

[Figures and tables are omitted from this preview.]

Figure 3.1 Tunnel Setup

Once the tunnel is established, PPP frames from the remote systems are received at the LAC, which encapsulates them in L2TP and forwards them to the LNS over the appropriate tunnel.

3.1 L2TP Security

L2TP supports authentication and encryption. For authentication, PPP-based protocols such as MS-CHAPv1, MS-CHAPv2, EAP-TLS, and PAP are used. When MS-CHAPv1/v2 is used, the payloads are encrypted using MPPE. It also supports Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES-256 bits), which enhances the confidentiality of PPP-encapsulated packets.

3.2 Encapsulation

Data messages are used to encapsulate the PPP frames. These frames are passed over an unreliable data channel; data is not retransmitted when packet loss occurs. The entire PPP frame is encapsulated in an L2TP header first, and then the L2TP frame is encapsulated in a UDP header, as shown in Fig. 3.2 below.

[Figures and tables are omitted from this preview.]

Figure 3.2 L2TP Encapsulation
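As an added example that is not part of the book, the following Python code builds and parses the L2TPv2 header described above (RFC 2661): the T bit separates control messages, which must carry the Length and Ns/Nr sequence fields that give the control channel its reliability, from data messages, which carry the PPP frame without them. The Message Type AVP decoder is enough to name SCCRQ, Hello and the other control messages of the tunnel setup; the sample in the main block is constructed, reusing the tunnel and session identifiers that appear in the lab output later in this chapter.

```python
import struct
from dataclasses import dataclass
from typing import Optional

L2TP_UDP_PORT = 1701   # the L2TP message is the payload of a UDP datagram on this port

# Flag bits of the first 16-bit word of the L2TPv2 header (RFC 2661 section 3.1)
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT, VER_MASK = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100, 0x000F

# Message Type AVP values of the control messages used for tunnel and session setup
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "Hello",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}


@dataclass
class L2TPMessage:
    is_control: bool
    tunnel_id: int
    session_id: int
    ns: Optional[int]      # sequence numbers: mandatory on control messages,
    nr: Optional[int]      # optional on data messages
    priority: bool
    payload: bytes         # AVPs for a control message, the PPP frame for a data message


def build_l2tp(tunnel_id, session_id, payload, control=False, ns=None, nr=None, priority=False):
    """Encode one L2TPv2 message (the bytes that go into the UDP/1701 datagram)."""
    flags = 2                                  # Ver field: L2TPv2
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages must carry Ns and Nr")
        flags |= T_BIT | L_BIT | S_BIT         # RFC 2661: T, L and S set; O and P clear
    else:
        if ns is not None and nr is not None:
            flags |= S_BIT
        if priority:
            flags |= P_BIT
    seq = struct.pack("!HH", ns, nr) if flags & S_BIT else b""
    total = 2 + (2 if flags & L_BIT else 0) + 4 + len(seq) + len(payload)
    out = struct.pack("!H", flags)
    if flags & L_BIT:
        out += struct.pack("!H", total)        # Length covers the whole message
    return out + struct.pack("!HH", tunnel_id, session_id) + seq + payload


def parse_l2tp(data: bytes) -> L2TPMessage:
    """Decode the header of one L2TPv2 message and validate the RFC 2661 flag rules."""
    if len(data) < 6:
        raise ValueError("datagram shorter than the minimal L2TP header")
    flags = struct.unpack("!H", data[:2])[0]
    if (flags & VER_MASK) != 2:
        raise ValueError("not an L2TPv2 message")
    is_control = bool(flags & T_BIT)
    if is_control and (not (flags & L_BIT) or not (flags & S_BIT) or flags & (O_BIT | P_BIT)):
        raise ValueError("control message with invalid flag bits")
    pos = 2
    if flags & L_BIT:
        length = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        if length > len(data):
            raise ValueError("Length field exceeds datagram")
        data = data[:length]                   # bytes after Length are not part of the message
    tunnel_id, session_id = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
    if flags & O_BIT:                          # data messages may pad the payload with an offset
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    if pos > len(data):
        raise ValueError("truncated header")
    return L2TPMessage(is_control, tunnel_id, session_id, ns, nr, bool(flags & P_BIT), data[pos:])


def message_type_avp(message_type: int) -> bytes:
    """Mandatory, unhidden Message Type AVP; it must be the first AVP of every control message."""
    return struct.pack("!HHHH", 0x8000 | 8, 0, 0, message_type)   # M bit, length 8, vendor 0, attr 0


def control_message_name(payload: bytes) -> str:
    """Name a control message from its first AVP; an empty body is a ZLB acknowledgement."""
    if not payload:
        return "ZLB"
    if len(payload) < 8:
        raise ValueError("control message too short for a Message Type AVP")
    bits, vendor, attribute, value = struct.unpack("!HHHH", payload[:8])
    if (bits & 0x03FF) != 8 or vendor != 0 or attribute != 0:
        raise ValueError("first AVP is not the Message Type AVP")
    return MESSAGE_TYPES.get(value, "unknown(%d)" % value)


if __name__ == "__main__":
    # Constructed sample: the SCCRQ that opens a control connection, a Hello keepalive on the
    # tunnel the lab output shows (tunnel id 35949), and a data message of its session 29839.
    for raw in (build_l2tp(0, 0, message_type_avp(1), control=True, ns=0, nr=0),
                build_l2tp(35949, 0, message_type_avp(6), control=True, ns=5, nr=3),
                build_l2tp(35949, 29839, b"\xff\x03\x00\x21\x45\x00")):
        m = parse_l2tp(raw)
        kind = control_message_name(m.payload) if m.is_control else "data, %d-byte PPP frame" % len(m.payload)
        print("tunnel %5d session %5d: %s" % (m.tunnel_id, m.session_id, kind))
```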

3.3 Router as a L2TP VPN Server

3.3.1 Lab Objectives

- Assign IP addresses according to topology

- Configure IP Routing

- Configure Router as a DNS Server

- Test Connectivity

- Configure Router as a L2TP VPN Server

- Configure PC as a Microsoft L2TP VPN Client

- Try to Connect VPN Client by Domain Name

- Test VPN

3.3.2 Topology

[Figures and tables are omitted from this preview.]

Figure 3.3 L2TP VPN Setup

3.3.3 Step-1 IP Addressing

Assign IP addresses on the router's interfaces and on the PC as shown above in topology diagram 3.3. The interfaces must be enabled and in the up/up state.

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface fastEthernet 0/0

Internet(config-if)# ip address 203.0.113.18 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface fastEthernet 0/1

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.18 YES manual up up

FastEthernet0/1 203.0.113.33 YES manual up up

Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C 203.0.113.16/28 is directly connected, FastEthernet0/0

C 203.0.113.32/28 is directly connected, FastEthernet0/1

Branch:

Branch>enable

Branch#configure terminal

Branch(config)#interface fastEthernet 0/0

Branch(config-if)# ip address 203.0.113.34 255.255.255.240

Branch(config-if)#no shutdown

Branch(config-if)#exit

Branch(config)#interface fastEthernet 0/1

Branch(config-if)#ip address 192.168.1.1 255.255.255.0

Branch(config-if)#no shutdown

Branch(config-if)#^Z

Branch#

Branch#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.34 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Branch#

PC:

Figure 3.4 Client IP Addressing

3.3.4 Step-2 Configuring Static IP Routing

Branch:

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33

Branch(config)#exit

Branch#

Branch#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 203.0.113.33

C 192.168.1.0/24 is directly connected, FastEthernet0/1

C 203.0.113.32/28 is directly connected, FastEthernet0/0

Branch#

3.3.5 Step-3 Configuring Router as a DNS Server

Internet:

Internet(config)#ip dns server

Internet(config)#ip name-server 203.0.113.18

Internet(config)#ip host l2tpvpn.com 203.0.113.34

Internet(config)#no ip domain-lookup

Internet(config)#exit

Internet#

Internet#show ip dns view

DNS View default parameters:

Logging is off

DNS Resolver settings:

Domain lookup is disabled

Default domain name: lab.local

Domain search list:

Lookup timeout: 3 seconds

Lookup retries: 2

Domain name-servers:

203.0.113.18

DNS Server settings:

Forwarding of queries is disabled

Forwarder timeout: 3 seconds

Forwarder retries: 2

Forwarder addresses:

3.3.6 Step-4 Testing Connectivity

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=333ms TTL=254

Reply from 203.0.113.34: bytes=32 time=242ms TTL=254

Reply from 203.0.113.34: bytes=32 time=338ms TTL=254

Reply from 203.0.113.34: bytes=32 time=265ms TTL=254

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 242ms, Maximum = 338ms, Average = 294ms

C:\>ping l2tpvpn.com

Pinging l2tpvpn.com [203.0.113.34] with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=148ms TTL=254

Reply from 203.0.113.34: bytes=32 time=213ms TTL=254

Reply from 203.0.113.34: bytes=32 time=191ms TTL=254

Reply from 203.0.113.34: bytes=32 time=220ms TTL=254

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 148ms, Maximum = 220ms, Average = 193ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch:

Branch#ping 203.0.113.17

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms

Branch#

Internet:

Internet#show ip dns statistics

DNS requests received = 2 ( 2 + 0 )

DNS requests dropped = 0 ( 0 + 0 )

DNS responses replied = 2 ( 2 + 0 )

Forwarder queue statistics:

Current size = 0

Maximum size = 5

Drops = 0

3.3.7 Step-5 Configuring Router as a L2TP VPN Server

Branch(config)#vpdn enable

Branch(config)#vpdn-group l2tp-vpn

Branch(config-vpdn)#accept-dialin

Branch(config-vpdn-acc-in)#protocol l2tp

Branch(config-vpdn-acc-in)#virtual-template 1

Branch(config-vpdn-acc-in)#exit

Branch(config-vpdn)#exit

Branch(config)#

Branch(config)# ip local pool l2tp-pool 172.16.1.1 172.16.1.50

Branch(config)#username test password 0 test

Branch(config)#interface virtual-template 1

Branch(config-if)#encapsulation ppp

Branch(config-if)# peer default ip address pool l2tp-pool

Branch(config-if)#ip unnumbered fastEthernet 0/1

Branch(config-if)#ppp encrypt mppe auto required

Branch(config-if)# ppp authentication ms-chap ms-chap-v2

Branch(config-if)#^Z

Branch#

Branch#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.34 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Virtual-Access1 unassigned YES unset down down

Virtual-Template1 192.168.1.1 YES unset down down

Branch#

Branch#show vpdn group

VPDN group l2tp-vpn

Group session limit 65535 Active sessions 0 Active tunnels 0

Branch#show vpdn tunnel l2tp

%No active L2TP tunnels

3.3.8 Step-6 Configuring & Setting L2TP VPN Client

1. Follow Step-5 in PPTP Lab

2. Type Hostname (l2tpvpn.com) instead of IP address

[Figures and tables are omitted from this preview.]

Figure 3.5 Properties

3. Choose Security

[Figures and tables are omitted from this preview.]

Figure 3.6 Security

4. Under Type of VPN choose L2TP VPN, choose Required Encryption under Data Encryption, and select the authentication protocols

[Figures and tables are omitted from this preview.]

Figure 3.7 Select Protocol

5. Click on Advanced Settings

[Figures and tables are omitted from this preview.]

Figure 3.8 Advance Setting

3.3.9 Step-7 Connecting VPN Client

1. After typing the username & password, click Connect

[Figures and tables are omitted from this preview.]

Figure 3.9 Connecting

2. The Verifying username and password window appears

[Figures and tables are omitted from this preview.]

Figure 3.10 Verifying

3. The Registering your computer on the network window appears

[Figures and tables are omitted from this preview.]

Figure 3.11 Completing

4. The Connection Status window appears

[Figures and tables are omitted from this preview.]

Figure 3.12 Connection Status

3.3.10 Step-8 Testing

PC:

[Figures and tables are omitted from this preview.]

Figure 3.13 Connection Details

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=166ms TTL=255

Reply from 192.168.1.1: bytes=32 time=246ms TTL=255

Reply from 192.168.1.1: bytes=32 time=285ms TTL=255

Reply from 192.168.1.1: bytes=32 time=277ms TTL=255

Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 166ms, Maximum = 285ms, Average = 243ms

Branch:

Branch#ping 172.16.1.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 164/204/300 ms

Branch#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.34 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Virtual-Access1 unassigned YES unset down down

Virtual-Access2 unassigned YES unset up up

Virtual-Access3 192.168.1.1 YES unset up up

Virtual-Template1 192.168.1.1 YES unset down down

Branch#show interfaces virtual-access 3

Virtual-Access3 is up, line protocol is up

Hardware is Virtual Access interface

Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)

MTU 1500 bytes, BW 10000 Kbit/sec, DLY 100000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, LCP Open

Open: IPCP

PPPoVPDN vaccess, cloned from Virtual-Template1

Vaccess status 0x0

Protocol l2tp, tunnel id 35949, session id 29839

Keepalive set (10 sec)

40 packets input, 4522 bytes

15 packets output, 237 bytes

Last clearing of "show interface" counters never

Branch#show users

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

Interface User Mode Idle Peer Address

Vi3 test PPPoVPDN 00:09:55 172.16.1.4

Branch#show vpdn group

VPDN group l2tp-vpn

Group session limit 65535 Active sessions 1 Active tunnels 1

Branch#show vpdn tunnel l2tp

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class

35949 1 zeeshan est 203.0.113.17 1 l2tp

Branch#show vpdn session l2tp state

L2TP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Username, Intf/ State Last Chg Uniq ID Vcid

56894 1 35949 test, Vi3 est 00:10:24 6

Branch#show vpdn tunnel l2tp transport

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID Type Prot Local Address Port Remote Address Port

35949 UDP 17 203.0.113.34 1701 203.0.113.17 1701

Branch#show vpdn tunnel l2tp packets

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID Pkts-In Pkts-Out Bytes-In Bytes-Out

35949 154 114 8332 2477

4 L2TP over IPsec VPN

L2TP does not provide strong authentication and confidentiality by itself. It is often used with the IPsec protocol to provide strong confidentiality, authentication, and integrity. The combination of these two protocols is generally known as L2TP/IPsec. IPsec is a protocol suite used at the network layer to provide secure communication between two peers [7]. The suite comprises the IP Security Architecture, Internet Key Exchange (IKE), the IPsec Authentication Header (AH), and the IPsec Encapsulating Security Payload (ESP). IKE is the key management protocol, while AH and ESP are used to protect IP traffic. It will be discussed in detail in the next part.

4.1 L2TP over IPsec Security

When L2TP is used over IPsec, its security is high. The client negotiates the IPsec Security Association (SA), usually through IKE, which is carried over UDP port 500. It uses a pre-shared key, public key, or certificates for authentication. The transport mode of IPsec is used in this security mechanism. IPsec supports a variety of encryption standards (DES, 3DES & AES) for data confidentiality. It also supports a range of data integrity algorithms (MD5 & SHA).

4.2 Encapsulation

The connection is established between two endpoints. Here, the L2TP packets are encapsulated by the IPsec header, as displayed in Fig. 4.1 below.

[Figures and tables are omitted from this preview.]

Figure 4.1 L2TP over IPsec Encapsulation

Since the L2TP packet is wrapped within the IPsec header, a device between the endpoints cannot gather any information about the inner L2TP packet, so it is not necessary to open UDP port 1701 on firewalls between the endpoints. The inner packet is not acted upon until the IPsec data has been decrypted and stripped, which only takes place at the endpoints.
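As an added example (not from the book), the following Python code carries the encapsulation of Fig. 4.1 through byte by byte: a UDP/1701 L2TP data message is wrapped in an ESP transport-mode packet whose integrity check is HMAC-SHA1-96, as used by the lab's esp-sha-hmac transform, and a stateless filter between the endpoints is shown to need only IKE (UDP/500) and ESP rules. The cipher is assumed to be ESP-NULL (RFC 2410) because the Python standard library has no 3DES, so in the lab the same bytes would additionally be 3DES-encrypted; the addresses and ports are the lab's, while the integrity key, the sample message and the anti-replay check (strictly increasing sequence numbers instead of the RFC 4303 sliding window) are constructed simplifications.

```python
import hashlib
import hmac
import socket
import struct

# Numbers from the lab: inner L2TP on UDP/1701, IKE on UDP/500, outer ESP (IP protocol 50)
# in transport mode between the client 203.0.113.17 and the Branch router 203.0.113.34.
IPPROTO_UDP, IPPROTO_ESP = 17, 50
IKE_PORT, L2TP_PORT = 500, 1701
ICV_LEN = 12   # HMAC-SHA1-96 truncation used by the esp-sha-hmac transform

def _checksum(data: bytes) -> int:
    """One's-complement Internet checksum of the (even-length) IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload): all a middlebox can read from an ESP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]

def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # checksum 0 = none

def esp_encapsulate(spi: int, seq: int, next_header: int, plaintext: bytes, auth_key: bytes) -> bytes:
    """ESP-NULL framing (assumption): payload, padding to 4-byte alignment, Pad Length,
    Next Header, then the HMAC-SHA1-96 ICV computed over the ESP header and body."""
    pad_len = (-(len(plaintext) + 2)) % 4
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, hdr + body, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + body + icv

class InboundSA:
    """Receiving side of one ESP SA: SPI lookup, ICV verification, anti-replay, decapsulation."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.auth_key, self.last_seq = spi, auth_key, 0

    def decapsulate(self, esp: bytes):
        if len(esp) < 8 + 2 + ICV_LEN:
            raise ValueError("ESP packet too short")
        spi, seq = struct.unpack("!II", esp[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        calc = hmac.new(self.auth_key, esp[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(calc, esp[-ICV_LEN:]):
            raise ValueError("ICV mismatch: packet modified in transit or wrong key")
        if seq <= self.last_seq:   # simplified anti-replay: sequence numbers must increase
            raise ValueError("replayed sequence number")
        self.last_seq = seq
        body = esp[8:-ICV_LEN]
        pad_len, next_header = body[-2], body[-1]
        return next_header, body[:len(body) - 2 - pad_len]

def l2tp_over_ipsec(src, dst, l2tp_msg, spi, seq, auth_key) -> bytes:
    """Transport mode: only the UDP/L2TP part is protected; the outer IP header is kept."""
    inner = udp_datagram(L2TP_PORT, L2TP_PORT, l2tp_msg)
    esp = esp_encapsulate(spi, seq, IPPROTO_UDP, inner, auth_key)
    return ipv4_packet(src, dst, IPPROTO_ESP, esp)

def middlebox_permits(pkt: bytes) -> bool:
    """Stateless rule set the text says suffices between the endpoints: IKE and ESP only."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        return True
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        return sport == IKE_PORT and dport == IKE_PORT   # deliberately no rule for UDP/1701
    return False

def endpoint_receive(pkt: bytes, sa: InboundSA):
    """Only the IPsec endpoint strips ESP and sees UDP/1701 with the L2TP message inside."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    next_header, inner = sa.decapsulate(payload)
    if next_header != IPPROTO_UDP:
        raise ValueError("unexpected inner protocol")
    _sport, dport = struct.unpack("!HH", inner[:4])
    return dport, inner[8:]

if __name__ == "__main__":
    key = b"constructed-integrity-key"                           # in the lab, derived by IKE
    msg = bytes.fromhex("00028c6d748f") + b"\xff\x03\x00\x21"   # L2TP data message + PPP start
    pkt = l2tp_over_ipsec("203.0.113.17", "203.0.113.34", msg, 0xB495FFE2, 1, key)
    print("outer protocol:", parse_ipv4(pkt)[0], "permitted by filter:", middlebox_permits(pkt))
    print("endpoint sees UDP port", endpoint_receive(pkt, InboundSA(0xB495FFE2, key))[0])
```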

4.3 Router as an L2TP over IPsec VPN Server

4.3.1 Lab Objectives

- Assign IP addresses according to topology

- Configure IP Routing

- Test Connectivity

- Configure Router as an L2TP over IPsec VPN Server

- Configure PC as a Microsoft L2TP over IPsec VPN Client

- Try to Connect VPN Client

- Test VPN

4.3.2 Topology

[Figures and tables are omitted from this preview.]

Figure 4.2 L2TP over IPsec VPN Setup

4.3.3 Step-1 IP Addressing

Assign IP addresses on the router's interfaces and on the PC as shown above in topology diagram 4.2. The interfaces must be enabled and in the up/up state.

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface fastEthernet 0/0

Internet(config-if)# ip address 203.0.113.18 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface fastEthernet 0/1

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.18 YES manual up up

FastEthernet0/1 203.0.113.33 YES manual up up

Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C 203.0.113.16/28 is directly connected, FastEthernet0/0

C 203.0.113.32/28 is directly connected, FastEthernet0/1

Branch:

Branch>enable

Branch#configure terminal

Branch(config)#interface fastEthernet 0/0

Branch(config-if)# ip address 203.0.113.34 255.255.255.240

Branch(config-if)#no shutdown

Branch(config-if)#exit

Branch(config)#interface fastEthernet 0/1

Branch(config-if)#ip address 192.168.1.1 255.255.255.0

Branch(config-if)#no shutdown

Branch(config-if)#^Z

Branch#

Branch#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.34 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Branch#

PC:

[Figures and tables are omitted from this preview.]

Figure 4.3 Client IP Addressing

4.3.4 Step-2 Configuring Static IP Routing

Branch:

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33

Branch(config)#exit

Branch#

Branch#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 203.0.113.33

C 192.168.1.0/24 is directly connected, FastEthernet0/1

C 203.0.113.32/28 is directly connected, FastEthernet0/0

Branch#

4.3.5 Step-3 Testing Connectivity

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=333ms TTL=254

Reply from 203.0.113.34: bytes=32 time=242ms TTL=254

Reply from 203.0.113.34: bytes=32 time=338ms TTL=254

Reply from 203.0.113.34: bytes=32 time=265ms TTL=254

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 242ms, Maximum = 338ms, Average = 294ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch:

Branch#ping 203.0.113.17

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms

4.3.6 Step-4 Configuring Router as an L2TP over IPsec VPN Server

Branch(config)#vpdn enable

Branch(config)#vpdn-group l2tp-vpn

Branch(config-vpdn)#accept-dialin

Branch(config-vpdn-acc-in)#protocol l2tp

Branch(config-vpdn-acc-in)#virtual-template 1

Branch(config-vpdn-acc-in)#exit

Branch(config-vpdn)#exit

Branch(config)#

Branch(config)# ip local pool l2tp-pool 172.16.1.1 172.16.1.50

Branch(config)#username test password 0 test

Branch(config)#interface virtual-template 1

Branch(config-if)#encapsulation ppp

Branch(config-if)# peer default ip address pool l2tp-pool

Branch(config-if)#ip unnumbered fastEthernet 0/1

Branch(config-if)# ppp authentication ms-chap ms-chap-v2

Branch(config-if)#exit

Branch(config)#crypto isakmp policy 5

Branch(config-isakmp)#encryption 3des

Branch(config-isakmp)#hash sha

Branch(config-isakmp)#authentication pre-share

Branch(config-isakmp)#group 2

Branch(config-isakmp)#exit

Branch(config)#

Branch(config)# crypto isakmp key l2tpipsec address 0.0.0.0 0.0.0.0

Branch(config)# crypto ipsec transform-set tset esp-3des esp-sha-hmac

Branch(cfg-crypto-trans)#mode transport

Branch(cfg-crypto-trans)#exit

Branch(config)#crypto dynamic-map dmap 10

Branch(config-crypto-map)#set transform-set tset

Branch(config-crypto-map)#exit

Branch(config)# crypto map l2tpmap 10 ipsec-isakmp dynamic dmap

Branch(config)#interface fastEthernet 0/0

Branch(config-if)#crypto map l2tpmap

Branch(config-if)#^Z

Branch#

4.3.7 Step-5 Configuring & Setting L2TP over IPsec VPN Client

1. Follow Step-6 in L2TP Lab.

2. Click on Advanced Settings and enter the pre-shared key

[Figures and tables are omitted from this preview.]

Figure 4.4 Advanced Properties

3. (Optional, if the operating system is old, like Windows XP/2000.) Execute the mmc.exe command from Run to manage the IP security policy.

[Figures and tables are omitted from this preview.]

Figure 4.5 Run

4. Add IP Security Policy Management by choosing Add/Remove Snap-in from the File menu.

[Figures and tables are omitted from this preview.]

Figure 4.6 Console

5. Choose IP Security Policy Management and click Add.

[Figures and tables are omitted from this preview.]

Figure 4.7 Add or Remove

6. When the following screen appears, please choose a Local computer and click Finish.

[Figures and tables are omitted from this preview.]

Figure 4.8 Select Domain

7. IP Security Policy Management is added to the snap-in list. Click OK.

[Figures and tables are omitted from this preview.]

Figure 4.9 Add IP Security Policies

8. IP Security Policy Management is added. Click OK.

[Figures and tables are omitted from this preview.]

Figure 4.10 IP Security Policy Management

9. Select Create IP Security Policy from the Action menu to create a policy for the IPsec VPN.

[Figures and tables are omitted from this preview.]

Figure 4.11 Console

10. When the IP Security Policy Wizard appears, please click Next.

[Figures and tables are omitted from this preview.]

Figure 4.12 IP Security Policy Wizard

11. Type a suitable name in the name field, such as “L2TP over IPsec”, and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.13 IP Security Policy Name

12. Uncheck Activate the default response rule and Click Next.

[Figures and tables are omitted from this preview.]

Figure 4.14 Request for Secure Communication

13. When the following window appears, please check Edit properties and click Finish.

[Figures and tables are omitted from this preview.]

Figure 4.15 Completing IP Security Policy

14. The IPsec Properties window opens; it contains a default rule “<Dynamic>”. Please click Add.

[Figures and tables are omitted from this preview.]

Figure 4.16 Filter Rules

15. When the Security Rule Wizard appears, please click Next.

[Figures and tables are omitted from this preview.]

Figure 4.17 Creating New Security Rule

16. Select This rule does not specify a tunnel and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.18 Tunnel Endpoint

17. Select All network connections and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.19 Network Type

18. Add an IP Filter list to this rule by clicking Add.

[Figures and tables are omitted from this preview.]

Figure 4.20 Add New Filter List

19. Type IPsec Out as the name and click Add.

[Figures and tables are omitted from this preview.]

Figure 4.21 IP Filter List for Outside

20. When the IP Filter Wizard appears, please click Next.

[Figures and tables are omitted from this preview.]

Figure 4.22 New IP Filter Wizard

21. Type Filter Description and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.23 IP Filter Description

22. Choose A specific IP Address, type the IP address as the Source, and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.24 IP Traffic Source

23. Choose A specific IP Address, type the IP address as the Destination, and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.25 IP Traffic Destination

24. Choose UDP as the protocol type. Click Next.

[Figures and tables are omitted from this preview.]

Figure 4.26 IP Protocol Types

25. Set the port no. as 1701 and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.27 IP Protocol Ports

26. Check Edit properties and click Finish to complete the IP Filter Wizard.

[Figures and tables are omitted from this preview.]

Figure 4.28 Completing IP Filter Wizard

27. Click OK to finish the settings.

[Figures and tables are omitted from this preview.]

Figure 4.29 IP Filter Properties

28. Click OK to finish the settings.

[Figures and tables are omitted from this preview.]

Figure 4.30 IP Filter List

29. Choose IPsec Out in the IP Filter list and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.31 IPsec Filter List

30. Click Add to set up action for this rule.

[Figures and tables are omitted from this preview.]

Figure 4.32 New Filter Rule

31. The Filter Action Wizard will then appear. Please click Next.

[Figures and tables are omitted from this preview.]

Figure 4.33 New IP Security Filter Wizard

32. Type IPsec Out as the name and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.34 Filter Action Name

33. Choose Negotiate security and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.35 General Options

34. Choose Do not communicate… and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.36 Communicating with Computers

35. Choose Encryption and Integrity and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.37 IP Traffic Security Policies

36. Uncheck Edit properties and click Finish.

[Figures and tables are omitted from this preview.]

Figure 4.38 Completing IP Security Filter Wizard

37. Select IPsec Out from IP Filter list, and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.39 Filter Action

38. Type the key as the Authentication Method (preshared key) and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.40 Authentication Method

39. Choose IPsec Out for Filter Action, and click Next.

[Figures and tables are omitted from this preview.]

Figure 4.41 Completing Security Rule

40. Now you can see IPsec Out rule. Click OK.

[Figures and tables are omitted from this preview.]

Figure 4.42 IPsec Rules

41. Click IP Security Policies on Local Computer.

[Figures and tables are omitted from this preview.]

Figure 4.43 New Created Security Policy

42. Choose L2TP over IPsec > Assign from the Console screen.

[Figures and tables are omitted from this preview.]

Figure 4.44 Assigned Policy

43. Now you can see that the policy is activated.

[Figures and tables are omitted from this preview.]

Figure 4.45 Policy Activated

44. Save the settings.

4.3.8 Step-6 Connecting VPN Client

1. After typing the username & password, click Connect

[Figures and tables are omitted from this preview.]

Figure 4.46 Connecting

2. The Verifying username and password window appears

[Figures and tables are omitted from this preview.]

Figure 4.47 Verifying

3. The Registering your computer on the network window appears

[Figures and tables are omitted from this preview.]

Figure 4.48 Completing

4. The Connection Status window appears

[Figures and tables are omitted from this preview.]

Figure 4.49 Connection Status

4.3.9 Step-7 Testing

PC:

[Figures and tables are omitted from this preview.]

Figure 4.50 Connection Details

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=237ms TTL=255

Reply from 192.168.1.1: bytes=32 time=360ms TTL=255

Reply from 192.168.1.1: bytes=32 time=340ms TTL=255

Reply from 192.168.1.1: bytes=32 time=314ms TTL=255

Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 237ms, Maximum = 360ms, Average = 312ms

Branch:

Branch#ping 172.16.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:

!.!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 184/210/248 ms

Branch#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.34 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Virtual-Access1 unassigned YES unset down down

Virtual-Access2 unassigned YES unset up up

Virtual-Access2.1 192.168.1.1 YES unset up up

Virtual-Template1 192.168.1.1 YES unset down down

Branch#show vpdn group

VPDN group l2tp

Group session limit 65535 Active sessions 1 Active tunnels 1

Branch#show vpdn tunnel l2tp state

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID RemTunID Local Name Remote Name State Last-Chg

47589 1 Branch zeeshan est 00:10:55

Branch#show vpdn tunnel l2tp summary

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class

47589 1 zeeshan est 203.0.113.17 1 l2tp

Branch#show vpdn tunnel transport

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID Type Prot Local Address Port Remote Address Port

47589 UDP 17 203.0.113.34 1701 203.0.113.17 1701

Branch#show interfaces virtual-access 2.1

Virtual-Access2.1 is up, line protocol is up

Hardware is Virtual Access interface

Interface is unnumbered. Using address of FastEthernet0/1 (192.168.1.1)

MTU 1500 bytes, BW 10000 Kbit/sec, DLY 100000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation PPP, LCP Open

Open: IPCP

PPPoVPDN vaccess, cloned from Virtual-Template1

Vaccess status 0x0

Protocol l2tp, tunnel id 47589, session id 981

Keepalive set (10 sec)

151 packets input, 8066 bytes

132 packets output, 3575 bytes

Last clearing of "show interface" counters never

Branch#show vpdn tunnel packets

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID Pkts-In Pkts-Out Bytes-In Bytes-Out

47589 215 215 13074 6727

Branch#show crypto session

Crypto session current status

Interface: FastEthernet0/0

Session status: UP-ACTIVE

Peer: 203.0.113.17 port 500

IKE SA: local 203.0.113.34/500 remote 203.0.113.17/500 Active

IPSEC FLOW: permit 17 host 203.0.113.34 host 203.0.113.17 port 1701

Active SAs: 2, origin: dynamic crypto map

Branch#show crypto session brief

Status: A-Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating

K - No IKE

ivrf = (none)

Peer I/F Username Group/Phase1_id Uptime Status

203.0.113.17 Fa0/0 203.0.113.17 00:12:02 UA

Branch#show crypto isakmp key

Keyring Hostname/Address Preshared Key

default 0.0.0.0 [0.0.0.0 ] l2tpipsec

Branch#show crypto isakmp sa count

Active ISAKMP SA's: 1

Standby ISAKMP SA's: 0

Currently being negotiated ISAKMP SA's: 0

Dead ISAKMP SA's: 0

Branch#show crypto isakmp peers

Peer: 203.0.113.17 Port: 500 Local: 203.0.113.34

Phase1 id: 203.0.113.17

Branch#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

203.0.113.34 203.0.113.17 QM_IDLE 1001 ACTIVE

Branch#show crypto ipsec transform-set

Transform set tset: { esp-3des esp-sha-hmac }

will negotiate = { Transport, },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }

will negotiate = { Transport, },

Branch#show crypto isakmp policy

Global IKE policy

Protection suite of priority 5

encryption algorithm: Three key triple DES

hash algorithm: Secure Hash Standard

authentication method: Pre-Shared Key

Diffie-Hellman group: #2 (1024 bit)

lifetime: 86400 seconds, no volume limit

Branch#show crypto ipsec sa

interface: FastEthernet0/0

Crypto map tag: l2tp, local addr 203.0.113.34

protected vrf: (none)

local ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/17/0)

remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/17/1701)

current_peer 203.0.113.17 port 500

PERMIT, flags={}

#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19

#pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19

local crypto endpt.: 203.0.113.34, remote crypto endpt.: 203.0.113.17

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0xB495FFE2(3029729250)

PFS (Y/N): N, DH group: none

[Output omitted]

PC:

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=237ms TTL=255

Reply from 192.168.1.1: bytes=32 time=360ms TTL=255

Reply from 192.168.1.1: bytes=32 time=340ms TTL=255

Reply from 192.168.1.1: bytes=32 time=314ms TTL=255

Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 237ms, Maximum = 360ms, Average = 312ms

Branch#show crypto ipsec sa

interface: FastEthernet0/0

Crypto map tag: l2tp, local addr 203.0.113.34

protected vrf: (none)

local ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/17/0)

remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/17/1701)

current_peer 203.0.113.17 port 500

PERMIT, flags={}

#pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49

#pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

Branch#show crypto map

Crypto Map "l2tpmap" 10 ipsec-isakmp

Dynamic map template tag: dmap

Crypto Map "l2tpmap" 65536 ipsec-isakmp

Peer = 203.0.113.17

Extended IP access list

access-list permit udp host 203.0.113.34 host 203.0.113.17 port = 1701

dynamic (created from dynamic map dmap/10)

Current peer: 203.0.113.17

Security association lifetime: 4608000 kilobytes/3600 seconds

Responder-Only (Y/N): N

PFS (Y/N): N

Transform sets={

tset: { esp-3des esp-sha-hmac } ,

}

Interfaces using crypto map l2tpmap:

FastEthernet0/0

5 IPsec VPN

Internet Protocol Security (IPsec) is a suite of network-layer security protocols. It provides data confidentiality (encryption), data origin authentication, connectionless integrity and anti-replay protection, and it can be deployed network-to-network (gateway-to-gateway), host-to-host or host-to-network over a public network such as the Internet. Because it works at the network layer of the OSI model, it protects any upper-layer protocol without changes to the applications. In 1992 the IETF started work on an open, freely available security protocol for the Internet Protocol (IP); the first IPsec architecture was standardized in RFC 1825 [8], since replaced by RFC 2401 and then RFC 4301. IP itself operates at the network layer to deliver datagrams over the public network. There are two versions: IPv4 uses 32-bit addresses and IPv6 uses 128-bit addresses. Network Address Translation (NAT) is used with IPv4 in private networks to conserve public addresses; as a side effect it hides the internal (private) addresses from the outside, which is often described as a security benefit although NAT is not an access control. Today NAT is widely deployed in home gateways and in other locations likely to be used by telecommuters, such as hotels [9].

The rapid growth of the Internet has exhausted the IPv4 address space. The IETF published the first IPv6 specification in 1995 (RFC 1883), with a simpler header format, a much larger address space, built-in support for IPsec, more efficient routing and better QoS [10]. Internet Service Providers (ISPs) are replacing their IPv4 networks with IPv6 gradually, but the transition is slow because millions of devices around the world still depend on IPv4. IPv6 is the next-generation IP network. IPsec secures both versions of IP; in this book the focus is on IPv4.

5.1 IPsec Security Architecture

IPsec is an open-standard protocol suite made of several components: two traffic-protection protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP); the Security Association (SA), the negotiated state (algorithms, keys and lifetimes) that each of them operates on; and the negotiation protocols, the Internet Security Association and Key Management Protocol (ISAKMP) framework and the Internet Key Exchange (IKE and IKEv2) that runs within it.

The AH provides connectionless data integrity and data origin authentication for IP datagrams, and optionally protection against replays [11]. It does not encrypt: the payload is transported in clear text. Data integrity means assurance that the data is not altered during transmission over the network. Before sending, AH computes an Integrity Check Value (ICV) over the payload and the immutable fields of the IP header using a keyed hash (an HMAC built on an algorithm such as MD5 or SHA-1 on the devices used in this book; both are weak by today's standards and SHA-256 should be preferred) and carries it in the AH header. Hashing is a one-way process [12]. The receiver recomputes the ICV over the received data with the same key: if both values are equal the data was not tampered with in transit, and if they differ the integrity check has failed and the packet is discarded. Because the ICV covers the source and destination addresses, AH cannot pass through NAT, which is one reason ESP is used far more often in practice. Anti-replay protection relies on a 32-bit sequence number in every packet and a sliding window at the receiver, so a captured packet cannot be accepted a second time. Origin authentication means knowing who is on the other side: the device at the far end of the tunnel must be verified before the path is considered secure. That verification is not done by AH itself but by IKE when the security association is negotiated; IKEv1 supports three authentication methods, all available on Cisco IOS:

1. Pre-shared Key

2. RSA Signature

3. RSA Encryption Nonce

With pre-shared key authentication, the same secret is configured on each peer and proven during IKE without being sent on the wire. With RSA signature authentication, each peer holds an RSA private key and a public key carried in an X.509 digital certificate (normally issued by a Certificate Authority); the peer signs IKE data with its private key and the other side verifies the signature with the public key taken from the certificate it receives. With RSA encrypted nonce authentication, each peer encrypts a nonce (a random number it generates) with the other peer's public key, and the ability to decrypt it proves possession of the matching private key; this method requires the peers' public keys to be exchanged out of band beforehand and is rarely used today.

The ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service and limited traffic-flow confidentiality [13]. Which of these services are provided depends on the options selected when the Security Association (SA) is established. ESP encrypts the payload (together with the ESP trailer) to provide confidentiality and supports several encryption algorithms, nearly all of them symmetric. DES (56-bit key) is the basic algorithm, and 3DES and AES are supported for stronger encryption; DES can be broken by brute force and 3DES is deprecated (RFC 8221 lists DES as MUST NOT and 3DES as SHOULD NOT be used), so AES, ideally in an authenticated mode such as AES-GCM, is the right choice for any new deployment. ESP can be used alone or in combination with AH, although in practice ESP with its own integrity check is used and AH is omitted.

An SA is a logical group of security parameters shared between two entities for one direction of traffic: the protocol (AH or ESP), the mode, the cryptographic algorithms, the keys and the lifetimes. Each SA is identified by a Security Parameter Index (SPI), carried in every AH or ESP header, together with the destination address and protocol, so a bidirectional tunnel uses one SA in each direction. SAs are established either by manual configuration or, normally, by IKE within the ISAKMP framework.

ISAKMP defines the procedures and packet formats used to establish, negotiate, modify and delete Security Associations [14]. It only provides a framework for authentication and key exchange; the actual key exchange is specified by IKE, which runs inside ISAKMP (in IKEv1, ISAKMP combined with the Oakley and SKEME exchanges). The alternative is manual keying, where the SA parameters and keys are configured statically on each peer.

When a secure connection is set up between two nodes, security parameters such as keys have to be agreed over the network. Two methods exist: manual and automatic. Manual keying is neither secure nor scalable [15], so a protocol is needed to establish the parameters dynamically. IKE is that protocol: it authenticates the peers with either a pre-shared key or X.509 certificates (RSA signatures), and uses the Diffie-Hellman key exchange to derive a shared secret between the nodes over the public network without ever transmitting it. IKEv1 does this in two phases: Phase 1 creates the ISAKMP SA that protects the rest of the negotiation, and Phase 2 (Quick Mode) creates the IPsec SAs; the QM_IDLE state shown by `show crypto isakmp sa` in the labs means both phases have completed. IKEv2 (RFC 7296) reduces this to an IKE_SA_INIT and an IKE_AUTH exchange.
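The integrity and anti-replay services that AH and ESP provide, modelled in Python as an added example (not code from the book or from any IPsec implementation). It computes an HMAC-SHA1-96 Integrity Check Value (RFC 2404) over the SPI, sequence number and payload, and implements the sliding replay window of RFC 4303 Appendix A with the check order the RFC prescribes: replay check, then ICV, and only then the window update. The key, SPI and packets are constructed for the demonstration; a real SA receives its key from IKE.

```python
"""Integrity check and anti-replay window, as used by AH and ESP (added example)."""
import hashlib
import hmac
import struct

WINDOW = 64   # receiver window size; RFC 4303 requires at least 32


def icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 over SPI, sequence number and payload,
    truncated to its first 96 bits (12 bytes)."""
    mac = hmac.new(key, struct.pack("!II", spi, seq) + payload, hashlib.sha1)
    return mac.digest()[:12]


def protect(key, spi, seq, payload):
    """Sender side: a protected packet is (spi, seq, payload, icv)."""
    return (spi, seq, payload, icv(key, spi, seq, payload))


class InboundSA:
    """Receiver state for one inbound SA: key, SPI and the sliding window of
    RFC 4303 Appendix A (highest sequence accepted plus a bitmap of the WINDOW
    most recent sequence numbers)."""

    def __init__(self, key, spi):
        self.key, self.spi = key, spi
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence (top - i) already accepted

    def _replay_check(self, seq):
        if seq == 0:                       # the first packet on an SA is number 1
            return False
        if seq > self.top:                 # right of the window: new
            return True
        if self.top - seq >= WINDOW:       # left of the window: too old
            return False
        return not (self.bitmap >> (self.top - seq)) & 1

    def _mark(self, seq):
        if seq > self.top:                 # slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, pkt):
        spi, seq, payload, tag = pkt
        if spi != self.spi:
            return "drop: unknown SPI"
        # RFC 4303 3.4.3: replay check first, then ICV, then update the window
        if not self._replay_check(seq):
            return "drop: replay"
        if not hmac.compare_digest(tag, icv(self.key, spi, seq, payload)):
            return "drop: bad ICV"
        self._mark(seq)
        return "accept"


def demo():
    """Constructed traffic: in-order, replayed, reordered, tampered and stale packets."""
    key = b"constructed-demo-key"          # a real SA gets this from IKE
    spi = 0xB495FFE2                       # same shape as the SPI in the lab output
    rx = InboundSA(key, spi)
    p1 = protect(key, spi, 1, b"ping 1")
    forged = (spi, 6, b"tampered", p1[3])  # fresh sequence number, stale ICV
    return [
        rx.receive(p1),                                   # accept
        rx.receive(p1),                                   # drop: replay (same seq)
        rx.receive(protect(key, spi, 5, b"ping 5")),      # accept, window slides to 5
        rx.receive(protect(key, spi, 3, b"ping 3")),      # accept, late but unseen
        rx.receive(forged),                               # drop: bad ICV
        rx.receive(protect(key, spi, 500, b"ping 500")),  # accept, window slides to 500
        rx.receive(protect(key, spi, 3, b"ping 3")),      # drop: replay (left the window)
    ]
```

The window is kept as a single integer bitmap, so sliding it forward is one shift; the last case shows why the receiver must also reject packets that fall off the left edge, otherwise an attacker could replay any old packet once the window has moved past it.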

5.2 Encapsulation

IPsec can operate in two modes:

1. Transport Mode

2. Tunnel Mode

Transport mode is used to provide end-to-end security between two hosts; communication between a client and a server is the typical example. In this mode only the payload of the IP packet is encrypted and/or authenticated. The original IP header is kept and, apart from the Protocol field being changed to ESP (50) or AH (51) and the length being adjusted, is not modified; the payload is wrapped in the ESP header and trailer as shown in Fig. 5.1. Transport mode is commonly used when another tunneling protocol (GRE or L2TP) has already encapsulated the IP packet and IPsec only has to protect that tunnel's packets between the two tunnel endpoints, as in the L2TP/IPsec lab above, where the transform set negotiated `Transport` and the IPsec flow matched UDP port 1701. Because the original addresses stay visible in the header, transport mode gives no protection against traffic analysis of the endpoints.

[Figures and tables are omitted from this preview.]

Figure 5.1 Transport Mode IPsec Encapsulation

Tunnel mode is the default mode. It is used to provide security between gateways (a router, PIX or ASA) on behalf of the hosts behind them. The entire original IP packet, header included, is encapsulated in the ESP header and trailer, a new IP header carrying the gateway addresses is added, and the result is sent to the other end of the tunnel as shown in Fig. 5.2. ESP is identified in the new IP header with an IP protocol ID of 50, and the inner header with the real source and destination is hidden inside the encrypted payload. Tunnel mode is what a site-to-site VPN uses (the transform sets in the labs below negotiate `Tunnel`), and it is the mode in which NAT traversal (UDP encapsulation of ESP on port 4500, RFC 3948) works most cleanly, because the NAT device never sees the inner addresses.

[Figures and tables are omitted from this preview.]

Figure 5.2 Tunnel Mode IPsec Encapsulation
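The two encapsulations of Fig. 5.1 and Fig. 5.2 built and parsed as bytes with Python's struct module; this is an added example, not code from the book. It keeps the ESP framing (SPI, sequence number, padding, pad length, next header, ICV) and the protocol-50 outer header as RFC 4303 lays them out, leaves the encryption step out so the layout stays readable, and uses constructed addresses: the inner datagram runs between 192.168.1.2 and 192.168.2.2 and the gateways are 203.0.113.17 and 203.0.113.34, matching the lab topologies.

```python
"""ESP framing in transport and tunnel mode (added example, not from the book)."""
import hashlib
import hmac
import ipaddress
import struct

PROTO_ESP, PROTO_IPV4, PROTO_UDP = 50, 4, 17   # IP protocol numbers
ICV_LEN = 12                                   # HMAC-SHA1-96


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left 0 (a real stack fills it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def esp_wrap(key, spi, seq, inner, next_header):
    """ESP header (SPI, seq) + inner + trailer (padding, pad length, next header) + ICV.
    Padding makes inner+trailer a multiple of 4 bytes (RFC 4303 section 2.4)."""
    padlen = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, padlen + 1))           # default padding pattern 1, 2, 3 ...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([padlen, next_header])
    # a real implementation encrypts inner+padding+trailer here before computing the ICV
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]


def transport_mode(key, spi, seq, ip_packet):
    """Fig. 5.1: keep the original IP header, protect only its payload."""
    hdr, payload = ip_packet[:20], ip_packet[20:]
    esp = esp_wrap(key, spi, seq, payload, next_header=hdr[9])   # byte 9 = Protocol
    # original header with Total Length and Protocol (now 50) rewritten
    return hdr[:2] + struct.pack("!H", 20 + len(esp)) + hdr[4:9] + bytes([PROTO_ESP]) + hdr[10:] + esp


def tunnel_mode(key, spi, seq, ip_packet, gw_src, gw_dst):
    """Fig. 5.2: protect the whole original packet and add a new outer header."""
    esp = esp_wrap(key, spi, seq, ip_packet, next_header=PROTO_IPV4)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp


def esp_unwrap(key, packet):
    """Receiver: check protocol 50, verify the ICV, strip the trailer and tell the
    mode apart by the Next Header value (4 = an IP packet inside, i.e. tunnel mode)."""
    hdr, esp = packet[:20], packet[20:]
    if hdr[9] != PROTO_ESP:
        raise ValueError("not an ESP packet")
    body, tag = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    padlen, next_header = body[-2], body[-1]
    return {
        "spi": spi, "seq": seq, "next_header": next_header,
        "mode": "tunnel" if next_header == PROTO_IPV4 else "transport",
        "inner": body[8:len(body) - 2 - padlen],
        "outer_src": str(ipaddress.IPv4Address(hdr[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(hdr[16:20])),
    }


def icv_rejects_tamper(key, packet):
    """Flip one byte of the protected part and confirm the receiver drops it."""
    bad = bytearray(packet)
    bad[30] ^= 0xFF                                  # inside the ESP payload
    try:
        esp_unwrap(key, bytes(bad))
        return False
    except ValueError:
        return True


def demo():
    """Constructed inner datagram: UDP between the two lab PCs, carried either
    host-to-host (transport) or gateway-to-gateway (tunnel)."""
    key = b"constructed-demo-key"
    inner = ipv4_header("192.168.1.2", "192.168.2.2", PROTO_UDP, 8) + b"L2TPdata"
    t = transport_mode(key, 0x1000, 1, inner)
    u = tunnel_mode(key, 0x2000, 1, inner, "203.0.113.17", "203.0.113.34")
    return esp_unwrap(key, t), esp_unwrap(key, u), icv_rejects_tamper(key, u)
```

In the transport-mode result the outer addresses are the two hosts and the Next Header is 17 (UDP, the original protocol); in the tunnel-mode result the outer addresses are the gateways, the Next Header is 4 and the recovered inner bytes are the complete original packet, which is exactly what hides the end hosts from anyone watching the public path.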

5.3 Site-to-Site IPsec VPN b/w Routers

5.3.1 Lab Objectives

- Assign IP addresses according to the topology

- Configure IP Routing

- Configure NAT

- Test Connectivity

- Configure IPsec VPN Tunnel on both sides

- Test VPN

5.3.2 Topology

[Figures and tables are omitted from this preview.]

Figure 5.3 Site-to-Site IPsec VPN Setup

5.3.3 Step-1 IP Addressing

Assign IP addresses to the router interfaces and PCs as shown in the topology diagram (Fig. 5.3). Interfaces must be enabled (`no shutdown`) and in the up/up state.

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface fastEthernet 0/0

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface fastEthernet 0/1

Internet(config-if)# ip address 203.0.113.18 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.33 YES manual up up

FastEthernet0/1 203.0.113.18 YES manual up up

Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C 203.0.113.32/28 is directly connected, FastEthernet0/0

C 203.0.113.16/28 is directly connected, FastEthernet0/1

Branch-1:

Branch-1>enable

Branch-1#configure terminal

Branch-1(config)#interface fastEthernet 0/0

Branch-1(config-if)# ip address 203.0.113.17 255.255.255.240

Branch-1(config-if)#no shutdown

Branch-1(config-if)#exit

Branch-1(config)#interface fastEthernet 0/1

Branch-1(config-if)# ip address 192.168.1.1 255.255.255.0

Branch-1(config-if)#no shutdown

Branch-1(config-if)#^Z

Branch-1#

Branch-1#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.17 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Branch-1#

Branch-2:

Branch-2>enable

Branch-2#configure terminal

Branch-2(config)#interface fastEthernet 0/1

Branch-2(config-if)# ip address 203.0.113.34 255.255.255.240

Branch-2(config-if)#no shutdown

Branch-2(config-if)#exit

Branch-2(config)#interface fastEthernet 0/0

Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0

Branch-2(config-if)#no shutdown

Branch-2(config-if)#^Z

Branch-2#

Branch-2#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.2.1 YES manual up up

FastEthernet0/1 203.0.113.34 YES manual up up

Branch-2#

PC-1:

[Figures and tables are omitted from this preview.]

Figure 5.4 PC-1 IP Addressing

PC-2:

[Figures and tables are omitted from this preview.]

Figure 5.5 PC-2 IP Addressing

5.3.4 Step-2 Configuring Static IP Routing

Branch-1:

Branch-1#ping 203.0.113.34

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:

. . . . .

Success rate is 0 percent (0/5)

Branch-1#

Branch-1(config)# ip route 203.0.113.32 255.255.255.240 203.0.113.18

Branch-1(config)#exit

Branch-1#

Branch-1#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

203.0.113.0/28 is subnetted, 2 subnets

S 203.0.113.32 [1/0] via 203.0.113.18

C 203.0.113.16 is directly connected, FastEthernet0/0

C 192.168.1.0/24 is directly connected, FastEthernet0/1

Branch-1#

Branch-2:

Branch-2(config)# ip route 203.0.113.16 255.255.255.240 203.0.113.33

Branch-2(config)#exit

Branch-2#

Branch-2#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

203.0.113.0/28 is subnetted, 2 subnets

C 203.0.113.32 is directly connected, FastEthernet0/1

S 203.0.113.16 [1/0] via 203.0.113.33

C 192.168.2.0/24 is directly connected, FastEthernet0/0

Branch-2#

Branch-2#ping 203.0.113.17

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/63/124 ms

Branch-2#

5.3.5 Step-3 Configuring NAT

PC-1:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

Branch-1:

Branch-1(config)# ip nat inside source list 10 interface fastEthernet 0/0 overload

Branch-1(config)# access-list 10 permit 192.168.1.0 0.0.0.255

Branch-1(config)#interface fastEthernet 0/0

Branch-1(config-if)#ip nat outside

Branch-1(config-if)#exit

Branch-1(config)#interface fastEthernet 0/1

Branch-1(config-if)#ip nat inside

Branch-1(config-if)#^Z

Branch-1#

Branch-2:

Branch-2(config)# ip nat inside source list 20 interface fastEthernet 0/1 overload

Branch-2(config)# access-list 20 permit 192.168.2.0 0.0.0.255

Branch-2(config)#interface fastEthernet 0/1

Branch-2(config-if)#ip nat outside

Branch-2(config-if)#exit

Branch-2(config)#interface fastEthernet 0/0

Branch-2(config-if)#ip nat inside

Branch-2(config-if)#^Z

Branch-2#

PC-1:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=387ms TTL=254

Reply from 203.0.113.34: bytes=32 time=147ms TTL=254

Reply from 203.0.113.34: bytes=32 time=91ms TTL=254

Reply from 203.0.113.34: bytes=32 time=98ms TTL=254

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 91ms, Maximum = 387ms, Average = 180ms

C:\>

Branch-1:

Branch-1#show ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 203.0.113.17:1280 192.168.1.2:1280 203.0.113.34:1280 203.0.113.34:1280

Branch-1#show ip nat statistics

Total active translations: 1 (0 static, 1 dynamic; 1 extended)

Outside interfaces:

FastEthernet0/0

Inside interfaces:

FastEthernet0/1

Hits: 19 Misses: 3

Expired translations: 2

Dynamic mappings:

-- Inside Source

[Id: 1] access-list 10 interface FastEthernet0/0 refcount 1

Branch-1#

5.3.6 Step-4 Testing Connectivity

PC-1:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=91ms TTL=254

Reply from 203.0.113.34: bytes=32 time=89ms TTL=254

Reply from 203.0.113.34: bytes=32 time=79ms TTL=254

Reply from 203.0.113.34: bytes=32 time=89ms TTL=254

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 79ms, Maximum = 91ms, Average = 87ms

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.2.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>

5.3.7 Step-5 Configuring Site-to-Site IPsec VPN Tunnel

The commands below use DES, MD5 and DH group 2, the weakest settings IOS accepts, chosen only so that the lab works on the old router images; on a production router use `encryption aes 256`, `hash sha256` and `group 14` or higher in the ISAKMP policy, an `esp-aes 256 esp-sha256-hmac` transform set, `set pfs group14` in the crypto map and a long random pre-shared key. Two further points matter for a real deployment: the crypto ACL defines which traffic is encrypted, so it should name the exact source and destination subnets (192.168.1.0/24 to 192.168.2.0/24 here) rather than `any`; and because IOS applies the inside-to-outside NAT translation before the crypto map check on outbound packets, the NAT ACL must `deny` the VPN traffic ahead of its `permit`, otherwise the translated packets no longer match a specific crypto ACL and leave in clear text.

Branch-1:

Branch-1(config)#crypto isakmp policy 10

Branch-1(config-isakmp)#encryption des

Branch-1(config-isakmp)#hash md5

Branch-1(config-isakmp)#authentication pre-share

Branch-1(config-isakmp)#group 2

Branch-1(config-isakmp)#exit

Branch-1(config)# crypto isakmp key testipsecvpn address 203.0.113.34

Branch-1(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac

Branch-1(cfg-crypto-trans)#exit

Branch-1(config)#crypto map smap 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Branch-1(config-crypto-map)#set peer 203.0.113.34

Branch-1(config-crypto-map)#set transform-set tset

Branch-1(config-crypto-map)#match address 101

Branch-1(config-crypto-map)#exit

Branch-1(config)#ip access-list extended 101

Branch-1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any

Branch-1(config-ext-nacl)#exit

Branch-1(config)# ip route 192.168.2.0 255.255.255.0 203.0.113.18

Branch-1(config)#interface fastEthernet 0/0

Branch-1(config-if)#crypto map smap

Branch-1(config-if)#^Z

Branch-1#

Branch-2:

Branch-2(config)#crypto isakmp policy 10

Branch-2(config-isakmp)#encryption des

Branch-2(config-isakmp)#hash md5

Branch-2(config-isakmp)#authentication pre-share

Branch-2(config-isakmp)#group 2

Branch-2(config-isakmp)#exit

Branch-2(config)# crypto isakmp key testipsecvpn address 203.0.113.17

Branch-2(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac

Branch-2(cfg-crypto-trans)#exit

Branch-2(config)#crypto map smap 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Branch-2(config-crypto-map)#set peer 203.0.113.17

Branch-2(config-crypto-map)#set transform-set tset

Branch-2(config-crypto-map)#match address 102

Branch-2(config-crypto-map)#exit

Branch-2(config)#ip access-list extended 102

Branch-2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 any

Branch-2(config-ext-nacl)#exit

Branch-2(config)# ip route 192.168.1.0 255.255.255.0 203.0.113.33

Branch-2(config)#interface fastEthernet 0/1

Branch-2(config-if)#crypto map smap

Branch-2(config-if)#^Z

Branch-2#

5.3.8 Step-6 Testing

PC-1:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=112ms TTL=254

Reply from 203.0.113.34: bytes=32 time=89ms TTL=254

Reply from 203.0.113.34: bytes=32 time=98ms TTL=254

Reply from 203.0.113.34: bytes=32 time=74ms TTL=254

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 74ms, Maximum = 112ms, Average = 93ms

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=90ms TTL=254

Reply from 203.0.113.34: bytes=32 time=105ms TTL=254

Reply from 203.0.113.34: bytes=32 time=90ms TTL=254

Reply from 203.0.113.34: bytes=32 time=90ms TTL=254

Ping statistics for 192.168.2.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 90ms, Maximum = 105ms, Average = 93ms

C:\>

Branch-1:

Branch-1#show ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 203.0.113.17:1280 192.168.1.2:1280 192.168.2.1:1280 192.168.2.1:1280

icmp 203.0.113.17:1280 192.168.1.2:1280 203.0.113.34:1280 203.0.113.34:1280

Branch-1#show crypto isakmp sa

dst src state conn-id slot

203.0.113.34 203.0.113.17 QM_IDLE 1 0

Branch-1#show crypto ipsec sa

interface: FastEthernet0/0

Crypto map tag: smap, local addr. 203.0.113.17

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer: 203.0.113.34

PERMIT, flags={origin_is_acl,}

#pkts encaps: 7, #pkts encrypt: 7, #pkts digest 7

#pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 203.0.113.17, remote crypto endpt.: 203.0.113.34

path mtu 1500, media mtu 1500

[Output omitted]

Branch-1#show crypto isakmp policy

Protection suite of priority 10

encryption algorithm: DES - Data Encryption Standard (56-bit keys).

hash algorithm: Message Digest 5

authentication method: Pre-Shared Key

Diffie-Hellman group: #2 (1024 bit)

lifetime: 86400 seconds, no volume limit

Branch-1#show crypto map

Crypto Map "smap" 10 ipsec-isakmp

Peer = 203.0.113.34

Extended IP access list 101

access-list 101 permit ip any any

Current peer: 203.0.113.34

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={ tset, }

Interfaces using crypto map smap:

FastEthernet0/0

Branch-1#show crypto ipsec transform-set

Transform set tset: { esp-des esp-md5-hmac }

will negotiate = { Tunnel, },
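A configuration audit, written here as an added example in Python and not part of the book, that parses an IOS running-config and flags the weaknesses discussed in this lab: DES/3DES, MD5/SHA-1, DH groups 1/2/5, a short pre-shared key, a crypto ACL that matches `any`, a NAT ACL with no `deny` for the VPN traffic, and a crypto map without PFS. `LAB_CONFIG` is a constructed transcript of the relevant Branch-1 commands from Step-5, with ACL 101 written as `show crypto map` reports it; `HARDENED_CONFIG` is the corrected form (AES-256, SHA-256, group 14, PFS, a subnet-to-subnet crypto ACL and a NAT ACL that exempts that traffic). The 20-character minimum for the pre-shared key and the key placeholder are choices made for this example.

```python
"""Audit an IOS site-to-site IPsec config for weak settings (added example)."""
import re

WEAK_ENC = {"des", "3des"}                  # IKE policy 'encryption'
WEAK_HASH = {"md5", "sha"}                  # 'sha' is SHA-1 in IOS
WEAK_DH = {"1", "2", "5"}                   # 768/1024/1536-bit MODP groups
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
MIN_PSK_LEN = 20                            # threshold chosen for this example

# Constructed from the Branch-1 commands of Step-5 (ACL 101 as 'show crypto map' prints it)
LAB_CONFIG = """\
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key testipsecvpn address 203.0.113.34
crypto ipsec transform-set tset esp-des esp-md5-hmac
crypto map smap 10 ipsec-isakmp
 match address 101
access-list 101 permit ip any any
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0/0 overload
"""

# Corrected form: strong algorithms, PFS, subnet-to-subnet crypto ACL, NAT exemption
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <replace-with-32-random-characters> address 203.0.113.34
crypto ipsec transform-set tset esp-aes 256 esp-sha256-hmac
crypto map smap 10 ipsec-isakmp
 set pfs group14
 match address 101
ip access-list extended 101
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT interface FastEthernet0/0 overload
"""


def audit(config):
    findings, acls, section = [], {}, ""
    crypto_acl = nat_acl = None
    saw_map = has_pfs = False
    for raw in config.splitlines():
        line = " ".join(raw.split())                 # normalise whitespace
        if not line:
            continue
        if not raw.startswith(" "):                  # top-level command: new section
            section = line
            if m := re.match(r"ip access-list extended (\S+)$", line):
                acls.setdefault(m.group(1), [])
            elif m := re.match(r"access-list (\S+) ((?:permit|deny) .*)", line):
                acls.setdefault(m.group(1), []).append(m.group(2))
            elif m := re.match(r"ip nat inside source list (\S+)", line):
                nat_acl = m.group(1)
            elif m := re.match(r"crypto ipsec transform-set \S+ (.*)", line):
                findings += [f"transform set uses {t}" for t in m.group(1).split()
                             if t in WEAK_TRANSFORMS]
            elif m := re.match(r"crypto isakmp key (\S+) address", line):
                if len(m.group(1)) < MIN_PSK_LEN:
                    findings.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters")
            elif line.startswith("crypto map "):
                saw_map = True
            continue
        kw, _, val = line.partition(" ")
        if section.startswith("crypto isakmp policy"):
            if kw == "encryption" and val.split()[0] in WEAK_ENC:
                findings.append(f"IKE encryption {val}")
            elif kw == "hash" and val in WEAK_HASH:
                findings.append(f"IKE hash {val}")
            elif kw == "group" and val in WEAK_DH:
                findings.append(f"IKE DH group {val}")
        elif section.startswith("crypto map"):
            if kw == "match" and val.startswith("address "):
                crypto_acl = val.split()[1]
            elif kw == "set" and val.startswith("pfs"):
                has_pfs = True
        elif section.startswith("ip access-list extended"):
            acls[section.split()[-1]].append(line)
    if saw_map and not has_pfs:
        findings.append("crypto map has no PFS (set pfs group14)")
    for entry in acls.get(crypto_acl, []):
        if entry.startswith("permit") and "any" in entry.split():
            findings.append(f"crypto ACL {crypto_acl} matches any: '{entry}'")
        elif entry.startswith("permit") and nat_acl:
            # IOS translates before it encrypts: without a matching deny the
            # translated packets miss the crypto ACL and leave in clear text.
            if "deny" + entry[len("permit"):] not in acls.get(nat_acl, []):
                findings.append(f"NAT ACL {nat_acl} has no deny for '{entry}'")
    return findings
```

`audit(LAB_CONFIG)` returns eight findings, one per weak choice in the lab, while `audit(HARDENED_CONFIG)` returns an empty list. The NAT check is deliberately literal: it looks for a `deny` line whose source and destination are the same as the crypto ACL's `permit`, which is the form Cisco's own NAT exemption examples use, so a config that exempts the traffic some other way (for instance with a route-map) would still be flagged and needs a manual look.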

5.4 Site-to-Site IPsec VPN b/w PIX & ASA

5.4.1 Lab Objectives

- Assign IP addresses according to the topology

- Configure IP Routing

- Test Connectivity

- Configure IPsec Tunnel on both Sides

- Test VPN

5.4.2 Topology

[Figures and tables are omitted from this preview.]

Figure 5.6 Site-to-Site IPsec VPN Setup

5.4.3 Step-1 IP Addressing

Assign IP addresses to the router interfaces, the PIX and the ASA as shown in the topology diagram (Fig. 5.6). Interfaces must be enabled (`no shutdown`) and in the up/up state.

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface Ethernet 0/0

Internet(config-if)# ip address 203.0.113.18 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface Ethernet 0/1

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

Ethernet0/0 203.0.113.18 YES NVRAM up up

Ethernet0/1 203.0.113.33 YES NVRAM up up

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C 203.0.113.16/28 is directly connected, Ethernet0/0

C 203.0.113.32/28 is directly connected, Ethernet0/1

Internet#

PIX:

pixfirewall>enable

pixfirewall#show version

Cisco PIX Security Appliance Software Version 8.0(2)

Compiled on Fri 15-Jun-07 18:25 by builders

System image file is "Unknown, monitor mode TFTP booted image"

Config file at boot was "startup-config"

pixfirewall up 7 secs

Hardware: PIX-525, 128 MB RAM, CPU Pentium II 1 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 00ab.15a8.0c00, irq 9

1: Ext: Ethernet1 : address is 0000.abc1.3101, irq 11

pixfirewall#configure terminal

pixfirewall(config)#interface ethernet 1

pixfirewall(config-if)#nameif inside

INFO: Security level for "inside" set to 100 by default.

pixfirewall(config-if)#no shutdown

pixfirewall(config-if)# ip address 192.168.2.1 255.255.255.0

pixfirewall(config-if)#exit

pixfirewall(config)#interface ethernet 0

pixfirewall(config-if)#nameif outside

INFO: Security level for "outside" set to 0 by default.

pixfirewall(config-if)#no shutdown

pixfirewall(config-if)# ip address 203.0.113.34 255.255.255.240

pixfirewall(config-if)#exit

pixfirewall(config)#exit

pixfirewall#

pixfirewall#show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.2.0 255.255.255.0 is directly connected, inside

C 203.0.113.32 255.255.255.240 is directly connected, outside

pixfirewall#show interface ip brief

Interface IP-Address OK? Method Status Protocol

Ethernet0 203.0.113.34 YES manual up up

Ethernet1 192.168.2.1 YES manual up up

pixfirewall#

ASA:

ciscoasa>enable

ciscoasa#show version

Cisco Adaptive Security Appliance Software Version 8.0(2)

Compiled on Fri 15-Jun-07 19:29 by builders

System image file is "Unknown, monitor mode tftp booted image"

Config file at boot was "startup-config"

ciscoasa up 8 secs

Hardware: ASA5520, 128 MB RAM, CPU Pentium II 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

0: Ext: Ethernet0/0 : address is 00ab.b46c.e500, irq 255

1: Ext: Ethernet0/1 : address is 0000.abb2.3f01, irq 255

ciscoasa#configure terminal

ciscoasa(config)#interface ethernet 0/0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# ip address 203.0.113.17 255.255.255.240

ciscoasa(config-if)#exit

ciscoasa(config)#interface ethernet 0/1

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

ciscoasa(config-if)#exit

ciscoasa(config)#exit

ciscoasa#

ciscoasa#show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

C 203.0.113.16 255.255.255.240 is directly connected, outside

C 192.168.1.0 255.255.255.0 is directly connected, inside

ciscoasa#show interface ip brief

Interface IP-Address OK? Method Status Protocol

Ethernet0/0 203.0.113.17 YES manual up up

Ethernet0/1 192.168.1.1 YES manual up up

ciscoasa#

5.4.4 Step-2 Configuring Static IP Routing

PIX:

pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.33

pixfirewall(config)# access-list 101 permit icmp any any

pixfirewall(config)# access-group 101 in interface outside

pixfirewall(config)#exit

pixfirewall#

pixfirewall#show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C 192.168.2.0 255.255.255.0 is directly connected, inside

C 203.0.113.32 255.255.255.240 is directly connected, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.33, outside

ASA:

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.18

ciscoasa(config)#access-list 101 permit icmp any any

ciscoasa(config)#access-group 101 in interface outside

ciscoasa(config)#exit

ciscoasa#

ciscoasa#show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 203.0.113.18 to network 0.0.0.0

C 203.0.113.16 255.255.255.240 is directly connected, outside

C 192.168.1.0 255.255.255.0 is directly connected, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.18, outside

5.4.5 Step-3 Testing Connectivity

ASA:

ciscoasa#ping 203.0.113.34

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 30/40/50 ms

ciscoasa#ping 192.168.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ciscoasa#

PIX:

pixfirewall#ping 203.0.113.17

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/72/80 ms

pixfirewall#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

?????

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/72/80 ms

pixfirewall#

5.4.6 Step-4 Configuring IPsec Tunnel

The PIX and ASA are configured with the same weak algorithms (DES, MD5, group 2) for the same lab-compatibility reason as the routers, and the pre-shared key `cisco` and the `permit ip any any` crypto ACL are lab shortcuts. In a real deployment the crypto ACL (`access-list smap` on the ASA, `access-list 105` on the PIX) should name the two inside subnets, the key under `tunnel-group ... ipsec-attributes` and in `isakmp key` should be long and random, and the `access-list 101 permit icmp any any` applied inbound on the outside interface in Step-2, which exists only so the connectivity tests work, should be removed or restricted once the tunnel has been verified.

ASA:

ciscoasa(config)#crypto isakmp enable outside

ciscoasa(config)#crypto isakmp policy 10

ciscoasa(config-isakmp-policy)#authentication pre-share

ciscoasa(config-isakmp-policy)#encryption des

ciscoasa(config-isakmp-policy)#hash md5

ciscoasa(config-isakmp-policy)#group 2

ciscoasa(config-isakmp-policy)#exit

ciscoasa(config)# access-list smap extended permit ip any any

ciscoasa(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac

ciscoasa(config)#crypto map smap 1 match address smap

ciscoasa(config)# crypto map smap 1 set peer 203.0.113.34

ciscoasa(config)# crypto map smap 1 set transform-set tset

ciscoasa(config)#crypto map smap interface outside

ciscoasa(config)# tunnel-group 203.0.113.34 type ipsec-l2l

ciscoasa(config)# tunnel-group 203.0.113.34 ipsec-attributes

ciscoasa(config-tunnel-ipsec)#pre-shared-key cisco

ciscoasa(config-tunnel-ipsec)#exit

ciscoasa(config)#exit

ciscoasa#

PIX:

pixfirewall(config)#isakmp enable outside

pixfirewall(config)#isakmp policy 10

pixfirewall(config-isakmp-policy)#authentication pre-share

pixfirewall(config-isakmp-policy)#encryption des

pixfirewall(config-isakmp-policy)#hash md5

pixfirewall(config-isakmp-policy)#group 2

pixfirewall(config-isakmp-policy)#exit

pixfirewall(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac

pixfirewall(config)#access-list 105 permit ip any any

pixfirewall(config)# crypto map smap 1 match address 105

pixfirewall(config)# crypto map smap 1 set peer 203.0.113.17

pixfirewall(config)# crypto map smap 1 set transform-set tset

pixfirewall(config)#crypto map smap interface outside

pixfirewall(config)# isakmp key cisco address 203.0.113.17 netmask 255.255.255.255

pixfirewall(config)#exit

pixfirewall#

5.4.7 Step-5 Testing

ASA:

ciscoasa#ping 203.0.113.34

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:

?!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 30/50/80 ms

ciscoasa#ping 192.168.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 30/52/80 ms

ciscoasa#show crypto ipsec sa

interface: outside

Crypto map tag: smap, seq num: 1, local addr: 203.0.113.17

access-list smap permit ip any any

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer: 203.0.113.34

#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14

#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 203.0.113.17, remote crypto endpt.: 203.0.113.34

[Output omitted]

ciscoasa#show crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 203.0.113.34

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

ciscoasa#

PIX:

pixfirewall#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 90/126/170 ms

pixfirewall#

5.5 Remote Access IPsec VPN with Router (Easy VPN)

5.5.1 Lab Objectives

- Assign IP addresses according to the topology

- Configure IP Routing

- Test Connectivity

- Configure Router as an IPsec VPN Server

- Install & Configure CISCO IPsec VPN Client

- Connect VPN Client

- Test VPN

5.5.2 Topology

[Figures and tables are omitted from this preview.]

Figure 5.7 Remote Access IPsec VPN Setup

5.5.3 Step-1 IP Addressing

Assign IP addresses to the router interfaces and the PCs as shown in topology diagram 5.7. The interfaces must be enabled and in the up/up state.

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface fastEthernet 0/0

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface fastEthernet 0/1

Internet(config-if)# ip address 203.0.113.18 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.33 YES manual up up

FastEthernet0/1 203.0.113.18 YES manual up up

Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C 203.0.113.32/28 is directly connected, FastEthernet0/0

C 203.0.113.16/28 is directly connected, FastEthernet0/1

H.Office:

H.Office>enable

H.Office#configure terminal

H.Office(config)#interface fastEthernet 0/1

H.Office(config-if)# ip address 203.0.113.34 255.255.255.240

H.Office(config-if)#no shutdown

H.Office(config-if)#exit

H.Office(config)#interface fastEthernet 0/0

H.Office(config-if)# ip address 192.168.1.1 255.255.255.0

H.Office(config-if)#no shutdown

H.Office(config-if)#^Z

H.Office#

H.Office#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.1.1 YES manual up up

FastEthernet0/1 203.0.113.34 YES manual up up

H.Office#

PC:

Figure 5.8 Client IP Addressing

5.5.4 Step-2 Configuring Static IP Routing

H.Office:

H.Office(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33

H.Office(config)#exit

H.Office#

H.Office#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 203.0.113.33

C 192.168.1.0/24 is directly connected, FastEthernet0/0

C 203.0.113.32/28 is directly connected, FastEthernet0/1

H.Office#

5.5.5 Step-3 Testing Connectivity

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=149ms TTL=253

Reply from 203.0.113.34: bytes=32 time=83ms TTL=253

Reply from 203.0.113.34: bytes=32 time=75ms TTL=253

Reply from 203.0.113.34: bytes=32 time=66ms TTL=253

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 66ms, Maximum = 149ms, Average = 93ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>

5.5.6 Step-4 Configuring Remote Access IPsec VPN Tunnel

H.Office:

H.Office(config)#username test password 0 test

H.Office(config)#aaa new-model

H.Office(config)# aaa authentication login IPSec_VPN local

H.Office(config)# aaa authorization network IPSec_VPN local

H.Office(config)# ip local pool vpn-pool 192.168.1.10 192.168.1.50

H.Office(config)#ip route 192.168.1.0 255.255.255.0 fastEthernet 0/1

H.Office(config)#crypto isakmp policy 10

H.Office(config-isakmp)#encryption des

H.Office(config-isakmp)#hash md5

H.Office(config-isakmp)#authentication pre-share

H.Office(config-isakmp)#group 2

H.Office(config-isakmp)#exit

H.Office(config)#

H.Office(config)# crypto isakmp client configuration group testipsec

H.Office(config-isakmp-group)#key abcde

H.Office(config-isakmp-group)#pool vpn-pool

H.Office(config-isakmp-group)#netmask 255.255.255.0

H.Office(config-isakmp-group)#exit

H.Office(config)#

H.Office(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac

H.Office(cfg-crypto-trans)#exit

H.Office(config)#

H.Office(config)#crypto dynamic-map dmap 10

H.Office(config-crypto-map)#set transform-set tset

H.Office(config-crypto-map)#reverse-route

H.Office(config-crypto-map)#exit

H.Office(config)#

H.Office(config)# crypto map smap 10 ipsec-isakmp dynamic dmap

H.Office(config)# crypto map smap isakmp authorization list IPSec_VPN

H.Office(config)# crypto map smap client authentication list IPSec_VPN

H.Office(config)# crypto map smap client configuration address respond

H.Office(config)#interface fastEthernet 0/1

H.Office(config-if)#crypto map smap

H.Office(config-if)#^Z

H.Office#

5.5.7 Step-5 Installing & Setting CISCO IPsec VPN Client

1. Download and run the executable file of the VPN client; the installation wizard starts.

[Figures and tables are omitted from this preview.]

Figure 5.9 CISCO VPN Client Installing Wizard

2. Accept License Agreement and Click Next.

[Figures and tables are omitted from this preview.]

Figure 5.10 License Agreement

3. Select Destination Folder and Click Next

[Figures and tables are omitted from this preview.]

Figure 5.11 Folder Setting

4. Click Next to begin the installation.

[Figures and tables are omitted from this preview.]

Figure 5.12 Installing Application

5. The installation starts.

[Figures and tables are omitted from this preview.]

Figure 5.13 Installing

6. The installation has been completed successfully

[Figures and tables are omitted from this preview.]

Figure 5.14 Completed

7. After installing, Open VPN Client

[Figures and tables are omitted from this preview.]

Figure 5.15 VPN Client Interface

8. Select Connection Entries > New

[Figures and tables are omitted from this preview.]

Figure 5.16 New Setting

9. Fill in the details of your new connection and Save

[Figures and tables are omitted from this preview.]

Figure 5.17 Client Disconnect Status

5.5.8 Step-6 Connecting IPsec VPN Client

1. Select the newly created connection and click Connect

[Figures and tables are omitted from this preview.]

Figure 5.18 Connecting

2. The client contacts the security gateway; once the gateway answers, it prompts for authentication.

[Figures and tables are omitted from this preview.]

Figure 5.19 Authentication

3. Enter Username & Password, which you configured on Server

[Figures and tables are omitted from this preview.]

Figure 5.20 User Name & Password

4. If the username and password are verified, the status changes to Connected.

[Figures and tables are omitted from this preview.]

Figure 5.21 Connected Status

5.5.9 Step-7 Testing

1. Once the connection is successfully established select Statistics from the Status menu to verify the details of the tunnel

[Figures and tables are omitted from this preview.]

Figure 5.22 Tunnel Details

PC:

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=149ms TTL=253

Reply from 192.168.1.1: bytes=32 time=83ms TTL=253

Reply from 192.168.1.1: bytes=32 time=75ms TTL=253

Reply from 192.168.1.1: bytes=32 time=66ms TTL=253

Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 66ms, Maximum = 149ms, Average = 93ms

5.6 Remote Access IPsec VPN with ASA (Easy VPN)

5.6.1 Lab Objectives

- Assign IP addresses according to the topology

- Configure NAT

- Configure IP Routing

- Test Connectivity

- Configure ASA as an IPsec VPN Server

- Install & Configure CISCO IPsec VPN Client

- Connect VPN Client

- Test VPN

5.6.2 Topology

[Figures and tables are omitted from this preview.]

Figure 5.23 Remote Access IPsec VPN Setup

5.6.3 Step-1 IP Addressing

Assign IP addresses to the router and ASA interfaces and to the PC as shown in topology diagram 5.23. The interfaces must be enabled and in the up/up state.

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface ethernet 0/0

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface ethernet 0/1

Internet(config-if)# ip address 203.0.113.18 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

Ethernet0/0 203.0.113.33 YES manual up up

Ethernet0/1 203.0.113.18 YES manual up up

Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C 203.0.113.32/28 is directly connected, Ethernet0/0

C 203.0.113.16/28 is directly connected, Ethernet0/1

ASA:

ciscoasa>enable

ciscoasa#configure terminal

ciscoasa(config)#interface ethernet 0/0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# ip address 203.0.113.34 255.255.255.240

ciscoasa(config-if)#exit

ciscoasa(config)#interface ethernet 0/1

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0

ciscoasa(config-if)#exit

ciscoasa(config)#exit

ciscoasa#

ciscoasa#show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

C 203.0.113.32 255.255.255.240 is directly connected, outside

C 192.168.2.0 255.255.255.0 is directly connected, inside

ciscoasa#show interface ip brief

Interface IP-Address OK? Method Status Protocol

Ethernet0/0 203.0.113.34 YES manual up up

Ethernet0/1 192.168.2.1 YES manual up up

ciscoasa#

5.6.4 Step-2 Configuring NAT

ciscoasa(config)# nat (inside) 1 192.168.2.0 255.255.255.0

ciscoasa(config)#global (outside) 1 interface

INFO: outside interface address added to PAT pool

ciscoasa(config)#exit

ciscoasa#

ciscoasa#show nat

NAT policies on Interface inside:

match ip inside 192.168.2.0 255.255.255.0 outside any

dynamic translation to pool 1 (203.0.113.34 [Interface PAT])

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.2.0 255.255.255.0 inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

ciscoasa#

5.6.5 Step-3 Configuring Static IP Routing

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.33

ciscoasa(config)#access-list 101 permit icmp any any

ciscoasa(config)#access-group 101 in interface outside

ciscoasa(config)#exit

ciscoasa#show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C 203.0.113.32 255.255.255.240 is directly connected, outside

C 192.168.2.0 255.255.255.0 is directly connected, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.33, outside

ciscoasa#

5.6.6 Step-4 Testing Connectivity

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=140ms TTL=254

Reply from 203.0.113.34: bytes=32 time=39ms TTL=254

Reply from 203.0.113.34: bytes=32 time=128ms TTL=254

Reply from 203.0.113.34: bytes=32 time=32ms TTL=254

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 32ms, Maximum = 140ms, Average = 84ms

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.2.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

5.6.7 Step-5 Configuring ASA as IPsec VPN Server

ciscoasa(config)#group-policy test internal

ciscoasa(config)#group-policy test attributes

ciscoasa(config-group-policy)#exit

ciscoasa(config)#username ahmad password 12345

ciscoasa(config)#username ahmad attributes

ciscoasa(config-username)#exit

ciscoasa(config)#

ciscoasa(config)#isakmp enable outside

ciscoasa(config)#crypto isakmp policy 10

ciscoasa(config-isakmp-policy)#authentication pre-share

ciscoasa(config-isakmp-policy)#encryption des

ciscoasa(config-isakmp-policy)#hash md5

ciscoasa(config-isakmp-policy)#group 2

ciscoasa(config-isakmp-policy)#exit

ciscoasa(config)#

ciscoasa(config)# ip local pool mypool 172.16.1.1-172.16.1.50

ciscoasa(config)#tunnel-group mygroup type ipsec-ra

ciscoasa(config)#tunnel-group mygroup ipsec-attributes

ciscoasa(config-tunnel-ipsec)#pre-shared-key cisco

ciscoasa(config-tunnel-ipsec)#exit

ciscoasa(config)# tunnel-group mygroup general-attributes

ciscoasa(config-tunnel-general)#address-pool mypool

ciscoasa(config-tunnel-general)#exit

ciscoasa(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac

ciscoasa(config)# crypto dynamic-map dmap 10 set transform-set tset

ciscoasa(config)# crypto map smap 10 ipsec-isakmp dynamic dmap

ciscoasa(config)#crypto map smap interface outside

ciscoasa(config)#aaa-server myserver protocol tacacs+

ciscoasa(config-aaa-server-group)#exit

ciscoasa(config)# aaa-server myserver (inside) host 192.168.2.2 cisco

ciscoasa(config-aaa-server-host)#exit

ciscoasa(config)#tunnel-group test type ipsec-ra

ciscoasa(config)#tunnel-group test general-attributes

ciscoasa(config-tunnel-general)# authentication-server-group myserver

ciscoasa(config-tunnel-general)#exit

ciscoasa(config)# access-list 110 permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0

ciscoasa(config)#nat (inside) 0 access-list 110

ciscoasa(config)#exit

ciscoasa#

5.6.8 Step-6 Configuring VPN Client

Configure the CISCO VPN client with the group name, username, and password defined in Step-5 above. The client settings are described in detail in the previous lab.

5.6.9 Step-7 Connecting VPN Client

Now connect the VPN client and enter the username and password defined in this lab.

5.6.10 Step-8 Testing

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=149ms TTL=253

Reply from 203.0.113.34: bytes=32 time=83ms TTL=253

Reply from 203.0.113.34: bytes=32 time=75ms TTL=253

Reply from 203.0.113.34: bytes=32 time=66ms TTL=253

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 66ms, Maximum = 149ms, Average = 93ms

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 192.168.2.1: bytes=32 time=90ms TTL=254

Reply from 192.168.2.1: bytes=32 time=105ms TTL=254

Reply from 192.168.2.1: bytes=32 time=90ms TTL=254

Reply from 192.168.2.1: bytes=32 time=90ms TTL=254

Ping statistics for 192.168.2.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 90ms, Maximum = 105ms, Average = 93ms

C:\>

1. Once the connection is successfully established select Statistics from the Status menu to verify the details of the tunnel

[Figures and tables are omitted from this preview.]

Figure 5.24 Tunnel Details

6 GRE VPN

Generic Routing Encapsulation (GRE) is a generic, point-to-point tunnelling protocol originally developed by Cisco Systems. It is a static tunnel: both endpoints are configured by hand. "Generic" means that it can carry many other protocols encapsulated in IP [16]. It works at the network layer of the OSI reference model, and its specification is described in RFC 2784.

6.1 GRE Security

GRE provides a stateless, private connection. It is not considered a secure protocol because, unlike IP Security (IPsec), it provides no encryption, authentication, or integrity protection of its own; it depends on other protocols for security. IPsec is often combined with GRE to provide strong confidentiality, authentication, and integrity: the whole GRE packet becomes the payload that IPsec protects. This book calls the combination IPsec over GRE; it is also widely known as GRE over IPsec. When GRE traffic passes through a firewall, the firewall blocks it by default, so a network administrator needs to permit IP protocol 47 datagrams coming from or going to the remote tunnel endpoints (and, once IPsec is added, ESP and ISAKMP traffic between the same endpoints as well).

6.2 Encapsulation

GRE adds overhead to every packet: the basic GRE header is 4 bytes and grows to at most 16 bytes when the optional checksum, key, and sequence-number fields are used, and the outer IPv4 header adds a further 20 bytes. In the first phase, the payload is encapsulated in a GRE header as shown in Fig. 6.1. In the second phase, the resulting GRE packet is encapsulated once more in another protocol header (IPv4) and then forwarded. The outer protocol header is also called the delivery protocol; GRE sets the value 47 in the protocol field of that IPv4 header. Both endpoints are pre-configured: the source and destination IPv4 addresses of the tunnel are defined during configuration.

[Figures and tables are omitted from this preview.]

Figure 6.1 GRE Encapsulation
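The two encapsulation phases described above, worked through in code. This is an added example and not part of the book: it builds a GRE-in-IPv4 packet around a constructed inner IPv4/ICMP packet, using the lab's tunnel endpoints 203.0.113.17 and 203.0.113.34 as the delivery addresses, then parses it back, checks the outer header checksum and protocol 47, and reports how many bytes the GRE and delivery headers added. The optional key and sequence-number fields (RFC 2890) are included so the variable header length is visible; the GRE checksum field is skipped, not validated.

```python
"""GRE-in-IPv4 encapsulation and decapsulation (RFC 2784 base header, with
the RFC 2890 key and sequence-number extensions).  Added illustration for
section 6.2; this is example code, not from the book.  The inner packet is
constructed here; the outer addresses are the lab's tunnel endpoints."""
import struct
from typing import Optional

GRE_PROTOCOL = 47        # value in the IPv4 "protocol" field that means GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" announcing an IPv4 payload
FLAG_CHECKSUM, FLAG_KEY, FLAG_SEQ = 0x8000, 0x2000, 0x1000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 if already valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, src: str, dst: str,
                    key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """Phase 1: prepend a GRE header; phase 2: prepend the delivery IPv4 header."""
    flags, options = 0, b""
    if key is not None:            # 'tunnel key' on IOS
        flags |= FLAG_KEY
        options += struct.pack("!I", key)
    if seq is not None:            # 'tunnel sequence-datagrams' on IOS
        flags |= FLAG_SEQ
        options += struct.pack("!I", seq)
    gre_packet = struct.pack("!HH", flags, ETHERTYPE_IPV4) + options + inner
    return ipv4_header(src, dst, GRE_PROTOCOL, len(gre_packet)) + gre_packet


def gre_decapsulate(packet: bytes) -> dict:
    """Validate the delivery header, walk the GRE header, return the payload."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("outer IPv4 header checksum failed")
    if outer[9] != GRE_PROTOCOL:
        raise ValueError("outer protocol is %d, not GRE (47)" % outer[9])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    pos = ihl + 4
    info = {"src": ".".join(map(str, outer[12:16])),
            "dst": ".".join(map(str, outer[16:20])),
            "protocol_type": ptype, "key": None, "seq": None}
    if flags & FLAG_CHECKSUM:      # 2-byte checksum + 2 reserved bytes, skipped here
        pos += 4
    if flags & FLAG_KEY:
        info["key"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if flags & FLAG_SEQ:
        info["seq"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    info["gre_header_len"] = pos - ihl   # 4 bytes base, up to 16 with options
    info["overhead"] = pos               # bytes added in front of the inner packet
    info["inner"] = packet[pos:]
    return info


def sample_inner_packet() -> bytes:
    """Constructed sample: an IPv4/ICMP packet from the Branch-1 LAN to Branch-2."""
    return ipv4_header("192.168.1.1", "192.168.2.1", 1, 8) + bytes(8)


if __name__ == "__main__":
    inner = sample_inner_packet()
    tunnelled = gre_encapsulate(inner, "203.0.113.17", "203.0.113.34")
    parsed = gre_decapsulate(tunnelled)
    print("outer %s -> %s, proto 47, GRE header %d bytes, total overhead %d bytes"
          % (parsed["src"], parsed["dst"], parsed["gre_header_len"], parsed["overhead"]))
```

The 24-byte figure the parser reports (20-byte delivery header plus 4-byte GRE header) is what must be subtracted from the physical MTU when sizing the tunnel; adding IPsec on top of GRE adds its own ESP overhead, which is why the lab's `show crypto ipsec sa` output reports a path MTU separately.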

6.3 Site-to-Site IPsec over GRE VPN

6.3.1 Lab Objectives

- Assign IP addresses according to the topology

- Configure IP Routing

- Configure NAT

- Test Connectivity

- Configure IPsec over GRE VPN Tunnel on both sides

- Test VPN

6.3.2 Topology

[Figures and tables are omitted from this preview.]

Figure 6.2 Site-to-Site IPsec over GRE VPN Setup

6.3.3 Step-1 IP Addressing

Assign IP addresses to the router interfaces and the PCs as shown in topology diagram 6.2. The interfaces must be enabled and in the up/up state.

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface fastEthernet 0/0

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface fastEthernet 0/1

Internet(config-if)# ip address 203.0.113.18 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.33 YES manual up up

FastEthernet0/1 203.0.113.18 YES manual up up

Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C 203.0.113.16/28 is directly connected, FastEthernet0/1

C 203.0.113.32/28 is directly connected, FastEthernet0/0

Branch-1:

Branch-1>enable

Branch-1#configure terminal

Branch-1(config)#interface fastEthernet 0/0

Branch-1(config-if)# ip address 203.0.113.17 255.255.255.240

Branch-1(config-if)#no shutdown

Branch-1(config-if)#exit

Branch-1(config)#interface fastEthernet 0/1

Branch-1(config-if)# ip address 192.168.1.1 255.255.255.0

Branch-1(config-if)#no shutdown

Branch-1(config-if)#^Z

Branch-1#

Branch-1#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.17 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Branch-1#

Branch-2:

Branch-2>enable

Branch-2#configure terminal

Branch-2(config)#interface fastEthernet 0/1

Branch-2(config-if)# ip address 203.0.113.34 255.255.255.240

Branch-2(config-if)#no shutdown

Branch-2(config-if)#exit

Branch-2(config)#interface fastEthernet 0/0

Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0

Branch-2(config-if)#no shutdown

Branch-2(config-if)#^Z

Branch-2#

Branch-2#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.2.1 YES manual up up

FastEthernet0/1 203.0.113.34 YES manual up up

Branch-2#

6.3.4 Step-2 Configuring Static IP Routing

Branch-1:

Branch-1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.18

Branch-1(config)#exit

Branch-1#

Branch-1#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 203.0.113.18 to network 0.0.0.0

C 203.0.113.16/28 is directly connected, FastEthernet0/0

C 192.168.1.0/24 is directly connected, FastEthernet0/1

S* 0.0.0.0/0 [1/0] via 203.0.113.18

Branch-1#

Branch-2:

Branch-2(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33

Branch-2(config)#exit

Branch-2#

Branch-2#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C 203.0.113.32/28 is directly connected, FastEthernet0/1

C 192.168.2.0/24 is directly connected, FastEthernet0/0

S* 0.0.0.0/0 [1/0] via 203.0.113.33

Branch-2#

6.3.5 Step-3 Configuring NAT

Branch-1:

Branch-1(config)# ip nat inside source route-map nat interface fastEthernet 0/0 overload

Branch-1(config)#ip access-list extended 110

Branch-1(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Branch-1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any

Branch-1(config-ext-nacl)#exit

Branch-1(config)#

Branch-1(config)#route-map nat permit 10

Branch-1(config-route-map)#match ip address 110

Branch-1(config-route-map)#exit

Branch-1(config)#

Branch-1(config)#interface fastEthernet 0/0

Branch-1(config-if)#ip nat outside

Branch-1(config-if)#exit

Branch-1(config)#interface fastEthernet 0/1

Branch-1(config-if)#ip nat inside

Branch-1(config-if)#^Z

Branch-1#

Branch-2:

Branch-2(config)# ip nat inside source route-map nat interface fastEthernet 0/1 overload

Branch-2(config)#ip access-list extended 110

Branch-2(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Branch-2(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any

Branch-2(config-ext-nacl)#exit

Branch-2(config)#

Branch-2(config)#route-map nat permit 10

Branch-2(config-route-map)#match ip address 110

Branch-2(config-route-map)#exit

Branch-2(config)#

Branch-2(config)#interface fastEthernet 0/1

Branch-2(config-if)#ip nat outside

Branch-2(config-if)#exit

Branch-2(config)#interface fastEthernet 0/0

Branch-2(config-if)#ip nat inside

Branch-2(config-if)#^Z

Branch-2#

6.3.6 Step-4 Testing Connectivity

Branch-1:

Branch-1#ping 203.0.113.34

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/75/96 ms

Branch-1#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

Branch-1#show ip nat translations

Pro Inside global Inside local Outside local Outside global

icmp 203.0.113.17:512 192.168.1.1:512 203.0.113.34:512 203.0.113.34:512

Branch-1#

6.3.7 Step-5 Configuring Site-to-Site IPSec over GRE Tunnel

Branch-1:

Branch-1(config)#crypto isakmp policy 10

Branch-1(config-isakmp)#encryption des

Branch-1(config-isakmp)#hash md5

Branch-1(config-isakmp)#authentication pre-share

Branch-1(config-isakmp)#group 2

Branch-1(config-isakmp)#exit

Branch-1(config)# crypto isakmp key testkey address 203.0.113.34

Branch-1(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac

Branch-1(cfg-crypto-trans)#exit

Branch-1(config)#crypto map smap 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Branch-1(config-crypto-map)#set peer 203.0.113.34

Branch-1(config-crypto-map)#set transform-set tset

Branch-1(config-crypto-map)#match address 101

Branch-1(config-crypto-map)#exit

Branch-1(config)#ip access-list extended 101

Branch-1(config-ext-nacl)# permit gre host 203.0.113.17 host 203.0.113.34

Branch-1(config-ext-nacl)#exit

Branch-1(config)#interface tunnel 0

Branch-1(config-if)#ip address 172.16.1.1 255.255.0.0

Branch-1(config-if)#tunnel source 203.0.113.17

Branch-1(config-if)#tunnel destination 203.0.113.34

Branch-1(config-if)#tunnel mode gre ip

Branch-1(config-if)#crypto map smap

Branch-1(config-if)#no shutdown

Branch-1(config-if)#exit

Branch-1(config)#ip access-list extended 105

Branch-1(config-ext-nacl)#permit gre host 203.0.113.34 host 203.0.113.17

Branch-1(config-ext-nacl)#permit esp host 203.0.113.34 host 203.0.113.17

Branch-1(config-ext-nacl)#permit udp host 203.0.113.34 eq isakmp host 203.0.113.17

Branch-1(config-ext-nacl)#deny ip any any log

Branch-1(config-ext-nacl)#exit

Branch-1(config)# ip route 192.168.2.0 255.255.255.0 172.16.1.2

Branch-1(config)#interface fastEthernet 0/0

Branch-1(config-if)#crypto map smap

Branch-1(config-if)#ip access-group 105 in

Branch-1(config-if)#^Z

Branch-1#

Branch-2:

Branch-2(config)#crypto isakmp policy 20

Branch-2(config-isakmp)#encryption des

Branch-2(config-isakmp)#hash md5

Branch-2(config-isakmp)#authentication pre-share

Branch-2(config-isakmp)#group 2

Branch-2(config-isakmp)#exit

Branch-2(config)# crypto isakmp key testkey address 203.0.113.17

Branch-2(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac

Branch-2(cfg-crypto-trans)#exit

Branch-2(config)#crypto map smap 20 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Branch-2(config-crypto-map)#set peer 203.0.113.17

Branch-2(config-crypto-map)#set transform-set tset

Branch-2(config-crypto-map)#match address 102

Branch-2(config-crypto-map)#exit

Branch-2(config)#ip access-list extended 102

Branch-2(config-ext-nacl)# permit gre host 203.0.113.34 host 203.0.113.17

Branch-2(config-ext-nacl)#exit

Branch-2(config)#interface tunnel 0

Branch-2(config-if)#ip address 172.16.1.2 255.255.0.0

Branch-2(config-if)#tunnel source 203.0.113.34

Branch-2(config-if)#tunnel destination 203.0.113.17

Branch-2(config-if)#tunnel mode gre ip

Branch-2(config-if)#crypto map smap

Branch-2(config-if)#no shutdown

Branch-2(config-if)#exit

Branch-2(config)#ip access-list extended 105

Branch-2(config-ext-nacl)#permit gre host 203.0.113.17 host 203.0.113.34

Branch-2(config-ext-nacl)#permit esp host 203.0.113.17 host 203.0.113.34

Branch-2(config-ext-nacl)#permit udp host 203.0.113.17 eq isakmp host 203.0.113.34

Branch-2(config-ext-nacl)#deny ip any any log

Branch-2(config-ext-nacl)#exit

Branch-2(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.1

Branch-2(config)#interface fastEthernet 0/1

Branch-2(config-if)#crypto map smap

Branch-2(config-if)#ip access-group 105 in

Branch-2(config-if)#^Z

Branch-2#

6.3.8 Step-6 Testing

PC:

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Request timed out.

Reply from 192.168.2.1: bytes=32 time=332ms TTL=254

Reply from 192.168.2.1: bytes=32 time=100ms TTL=254

Reply from 192.168.2.1: bytes=32 time=109ms TTL=254

Ping statistics for 192.168.2.1:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip times in milli-seconds:

Minimum = 100ms, Maximum = 332ms, Average = 180ms

Branch-1:

Branch-1#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/173/608 ms

Branch-1#

Branch-2:

Branch-2#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/92/168 ms

Branch-2#show crypto ipsec sa

interface: Tunnel0

Crypto map tag: smap, local addr. 203.0.113.34

local ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/47/0)

current_peer: 203.0.113.17

PERMIT, flags={origin_is_acl,parent_is_transport,}

#pkts encaps: 17, #pkts encrypt: 17, #pkts digest 17

#pkts decaps: 17, #pkts decrypt: 17, #pkts verify 17

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 203.0.113.34, remote crypto endpt.: 203.0.113.17

path mtu 1514, media mtu 1514

current outbound spi: 277182E8

inbound esp sas:

spi: 0x71E0A045(1910546501)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2000, flow_id: 1, crypto map: smap

sa timing: remaining key lifetime (k/sec): (4607999/3451)

IV size: 8 bytes

[Output omitted]

Branch-2#show crypto isakmp sa

dst src state conn-id slot

203.0.113.17 203.0.113.34 QM_IDLE 1 0

Branch-2#show crypto ipsec transform-set

Transform set tset: { esp-des esp-md5-hmac }

will negotiate = { Tunnel, },

Branch-2#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C 203.0.113.32/28 is directly connected, FastEthernet0/1

C 172.16.0.0/16 is directly connected, Tunnel0

S 192.168.1.0/24 [1/0] via 172.16.1.1

C 192.168.2.0/24 is directly connected, FastEthernet0/0

S* 0.0.0.0/0 [1/0] via 203.0.113.33

Branch-2#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.2.1 YES manual up up

FastEthernet0/1 203.0.113.34 YES manual up up

Tunnel0 172.16.1.2 YES manual up up

Branch-2#show interface tunnel 0

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Internet address is 172.16.1.2/16

MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 203.0.113.34, destination 203.0.113.17

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255

Checksumming of packets disabled, fast tunneling enabled

Last input 00:07:04, output 00:07:04, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue :0/0 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

17 packets input, 1828 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

17 packets output, 1828 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

Branch-2#show ip access-lists

Extended IP access list 102

permit gre host 203.0.113.34 host 203.0.113.17 (34 matches)

Extended IP access list 105

permit gre host 203.0.113.17 host 203.0.113.34 (17 matches)

permit esp host 203.0.113.17 host 203.0.113.34 (17 matches)

permit udp host 203.0.113.17 eq isakmp host 203.0.113.34 (10 matches)

deny ip any any log

Extended IP access list 110

deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 192.168.2.0 0.0.0.255 any

6.4 Site-to-Site IPsec over GRE VPN (Behind ASA)

6.4.1 Lab Objectives

- Assign IP addresses according to the topology

- Configure IP Routing

- Configure NAT

- Test Connectivity

- Configure IPsec over GRE VPN Tunnel on both sides

- Test VPN

6.4.2 Topology

[Figures and tables are omitted from this preview.]

Figure 6.3 Site-to-Site IPsec over GRE VPN Setup

6.4.3 Step-1 IP Addressing

Assign IP addresses to the router interfaces, the ASA and the PCs as shown in topology diagram 6.3. All interfaces must be enabled and in the up/up state.

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface fastEthernet 0/0

Internet(config-if)# ip address 203.0.113.18 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface Ethernet 1/1

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.18 YES NVRAM up up

Ethernet1/1 203.0.113.33 YES NVRAM up up

Internet#

Internet#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

203.0.113.0/28 is subnetted, 2 subnets

C 203.0.113.32 is directly connected, Ethernet1/1

C 203.0.113.16 is directly connected, FastEthernet0/0

Internet#

Branch-1:

Branch-1>enable

Branch-1#configure terminal

Branch-1(config)#interface fastEthernet 0/0

Branch-1(config-if)# ip address 203.0.113.17 255.255.255.240

Branch-1(config-if)#no shutdown

Branch-1(config-if)#exit

Branch-1(config)#interface fastEthernet 0/1

Branch-1(config-if)# ip address 192.168.1.1 255.255.255.0

Branch-1(config-if)#no shutdown

Branch-1(config-if)#^Z

Branch-1#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.17 YES NVRAM up up

FastEthernet0/1 192.168.1.1 YES NVRAM up up

Branch-1#show ip route connected

203.0.113.0/28 is subnetted, 1 subnets

C 203.0.113.16 is directly connected, FastEthernet0/0

C 192.168.1.0/24 is directly connected, FastEthernet0/1

Branch-1#

ASA:

ciscoasa>enable

ciscoasa#configure terminal

ciscoasa(config)#interface ethernet 0/0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# ip address 203.0.113.34 255.255.255.240

ciscoasa(config-if)#exit

ciscoasa(config)#interface ethernet 0/1

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# ip address 203.0.113.65 255.255.255.240

ciscoasa(config-if)#exit

ciscoasa(config)#exit

ciscoasa#

ciscoasa#show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

C 203.0.113.32 255.255.255.240 is directly connected, outside

C 203.0.113.64 255.255.255.240 is directly connected, inside

ciscoasa#show interface ip brief

Interface IP-Address OK? Method Status Protocol

Ethernet0/0 203.0.113.34 YES manual up up

Ethernet0/1 203.0.113.65 YES manual up up

ciscoasa#

Branch-2:

Branch-2>enable

Branch-2#configure terminal

Branch-2(config)#interface Ethernet 0/0

Branch-2(config-if)# ip address 203.0.113.66 255.255.255.240

Branch-2(config-if)#no shutdown

Branch-2(config-if)#exit

Branch-2(config)#interface fastEthernet 1/0

Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0

Branch-2(config-if)#no shutdown

Branch-2(config-if)#^Z

Branch-2#show ip interface brief

Interface IP-Address OK? Method Status Protocol

Ethernet0/0 203.0.113.66 YES NVRAM up up

FastEthernet1/0 192.168.2.1 YES NVRAM up up

Branch-2#show ip route connected

203.0.113.0/28 is subnetted, 1 subnets

C 203.0.113.64 is directly connected, Ethernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet1/0

Branch-2#

6.4.4 Step-2 Configuring Static IP Routing

Branch-1:

Branch-1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.18

Branch-1(config)#exit

Branch-1#

Branch-1#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 203.0.113.18 to network 0.0.0.0

203.0.113.0/28 is subnetted, 1 subnets

C 203.0.113.16 is directly connected, FastEthernet0/0

C 192.168.1.0/24 is directly connected, FastEthernet0/1

S* 0.0.0.0/0 [1/0] via 203.0.113.18

Branch-1#

Branch-2:

Branch-2(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.65

Branch-2(config)#exit

Branch-2#

Branch-2#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 203.0.113.65 to network 0.0.0.0

203.0.113.0/28 is subnetted, 1 subnets

C 203.0.113.64 is directly connected, Ethernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet1/0

S* 0.0.0.0/0 [1/0] via 203.0.113.65

Branch-2#

ASA:

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.0.113.33

ciscoasa(config)#exit

ciscoasa#

ciscoasa#show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

C 203.0.113.32 255.255.255.240 is directly connected, outside

C 203.0.113.64 255.255.255.240 is directly connected, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.33, outside

ciscoasa#

Internet:

Internet(config)# ip route 203.0.113.64 255.255.255.240 203.0.113.34

Internet(config)#exit

Internet#

6.4.5 Step-3 Configuring NAT

Branch-1:

Branch-1(config)# ip nat inside source list 10 interface fastEthernet 0/0 overload

Branch-1(config)# access-list 10 permit 192.168.1.0 0.0.0.255

Branch-1(config)#interface fastEthernet 0/0

Branch-1(config-if)#ip nat outside

Branch-1(config-if)#exit

Branch-1(config)#interface fastEthernet 0/1

Branch-1(config-if)#ip nat inside

Branch-1(config-if)#^Z

Branch-1#

Branch-2:

Branch-2(config)# ip nat inside source list 10 interface Ethernet 0/0 overload

Branch-2(config)# access-list 10 permit 192.168.2.0 0.0.0.255

Branch-2(config)#interface Ethernet 0/0

Branch-2(config-if)#ip nat outside

Branch-2(config-if)#exit

Branch-2(config)#interface fastEthernet 1/0

Branch-2(config-if)#ip nat inside

Branch-2(config-if)#^Z

Branch-2#

ASA:

ciscoasa(config)#nat (inside) 0 0 0

ciscoasa(config)#access-list 101 permit icmp any any

ciscoasa(config)#access-group 101 in interface outside

ciscoasa(config)#exit

ciscoasa#

6.4.6 Step-4 Testing Connectivity

Branch-1:

Branch-1#ping 203.0.113.66

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.66, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/81/136 ms

Branch-1#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

6.4.7 Step-5 Configuring IPsec over GRE

Branch-1:

Branch-1(config)#crypto isakmp policy 10

Branch-1(config-isakmp)#encryption des

Branch-1(config-isakmp)#hash md5

Branch-1(config-isakmp)#authentication pre-share

Branch-1(config-isakmp)#group 2

Branch-1(config-isakmp)#exit

Branch-1(config)# crypto isakmp key testkey address 203.0.113.66

Branch-1(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac

Branch-1(cfg-crypto-trans)#exit

Branch-1(config)#crypto map smap 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Branch-1(config-crypto-map)#set peer 203.0.113.66

Branch-1(config-crypto-map)#set transform-set tset

Branch-1(config-crypto-map)#match address 101

Branch-1(config-crypto-map)#exit

Branch-1(config)#ip access-list extended 101

Branch-1(config-ext-nacl)# permit gre host 203.0.113.17 host 203.0.113.66

Branch-1(config-ext-nacl)#exit

Branch-1(config)#interface tunnel 0

Branch-1(config-if)#ip address 172.16.1.1 255.255.0.0

Branch-1(config-if)#tunnel source 203.0.113.17

Branch-1(config-if)#tunnel destination 203.0.113.66

Branch-1(config-if)#tunnel mode gre ip

Branch-1(config-if)#crypto map smap

Branch-1(config-if)#no shutdown

Branch-1(config-if)#exit

Branch-1(config)#ip access-list extended 105

Branch-1(config-ext-nacl)#permit gre host 203.0.113.66 host 203.0.113.17

Branch-1(config-ext-nacl)#permit esp host 203.0.113.66 host 203.0.113.17

Branch-1(config-ext-nacl)#permit udp host 203.0.113.66 eq isakmp host 203.0.113.17

Branch-1(config-ext-nacl)#exit

Branch-1(config)# ip route 192.168.2.0 255.255.255.0 172.16.1.2

Branch-1(config)#interface fastEthernet 0/0

Branch-1(config-if)#crypto map smap

Branch-1(config-if)#ip access-group 105 in

Branch-1(config-if)#^Z

Branch-1#

Branch-2:

Branch-2(config)#crypto isakmp policy 10

Branch-2(config-isakmp)#encryption des

Branch-2(config-isakmp)#hash md5

Branch-2(config-isakmp)#authentication pre-share

Branch-2(config-isakmp)#group 2

Branch-2(config-isakmp)#exit

Branch-2(config)# crypto isakmp key testkey address 203.0.113.17

Branch-2(config)# crypto ipsec transform-set tset esp-des esp-md5-hmac

Branch-2(cfg-crypto-trans)#exit

Branch-2(config)#crypto map smap 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Branch-2(config-crypto-map)#set peer 203.0.113.17

Branch-2(config-crypto-map)#set transform-set tset

Branch-2(config-crypto-map)#match address 101

Branch-2(config-crypto-map)#exit

Branch-2(config)#ip access-list extended 101

Branch-2(config-ext-nacl)# permit gre host 203.0.113.66 host 203.0.113.17

Branch-2(config-ext-nacl)#exit

Branch-2(config)#interface tunnel 0

Branch-2(config-if)#ip address 172.16.1.2 255.255.0.0

Branch-2(config-if)#tunnel source 203.0.113.66

Branch-2(config-if)#tunnel destination 203.0.113.17

Branch-2(config-if)#tunnel mode gre ip

Branch-2(config-if)#crypto map smap

Branch-2(config-if)#no shutdown

Branch-2(config-if)#exit

Branch-2(config)#ip access-list extended 105

Branch-2(config-ext-nacl)#permit gre host 203.0.113.17 host 203.0.113.66

Branch-2(config-ext-nacl)#permit esp host 203.0.113.17 host 203.0.113.66

Branch-2(config-ext-nacl)#permit udp host 203.0.113.17 eq isakmp host 203.0.113.66

Branch-2(config-ext-nacl)#exit

Branch-2(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.1

Branch-2(config)#interface Ethernet 0/0

Branch-2(config-if)#crypto map smap

Branch-2(config-if)#ip access-group 105 in

Branch-2(config-if)#^Z

Branch-2#

ASA:

ciscoasa(config)# access-list 101 permit udp host 203.0.113.17 eq isakmp host 203.0.113.66 eq isakmp

ciscoasa(config)# access-list 101 permit esp host 203.0.113.17 host 203.0.113.66

ciscoasa(config)#exit

6.4.8 Step-6 Testing

Branch-2:

Branch-2#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 56/95/164 ms

Branch-2#show crypto isakmp sa

dst src state conn-id slot

203.0.113.17 203.0.113.66 QM_IDLE 1 0

Branch-2#show crypto ipsec sa

interface: Tunnel0

Crypto map tag: smap, local addr. 203.0.113.66

local ident (addr/mask/prot/port): (203.0.113.66/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/47/0)

current_peer: 203.0.113.17

PERMIT, flags={origin_is_acl,parent_is_transport,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 203.0.113.66, remote crypto endpt.: 203.0.113.17

path mtu 1500, media mtu 1500

current outbound spi: 45541C21

7 DMVPN

Dynamic Multipoint Virtual Private Network (DMVPN) is a form of VPN in which tunnels are built dynamically. It is supported on nearly all Cisco IOS router platforms and is deployed as a hub-and-spoke topology: the spokes reach the hub over a public network, and because spokes can also reach each other directly the result is a partial mesh. DMVPN uses the Next Hop Resolution Protocol (NHRP) as a signalling mechanism over the hub-and-spoke tunnels so that spokes can discover each other and build tunnels dynamically [17]. Spoke-to-spoke tunnels are built on demand (a dynamic mesh) without additional configuration on the hub or on the spokes. Each spoke keeps a permanent tunnel to the hub and registers with the hub as an NHRP client; the hub acts as the NHRP next-hop server (NHS). When a spoke needs to send a packet to a private subnet behind another spoke, it queries the NHS for the public (NBMA) address of the target spoke and then builds a direct spoke-to-spoke tunnel over its multipoint GRE interface. These spoke-to-spoke links exist only while there is traffic between the spokes, which is what makes the design scale to large networks. A dynamic routing protocol is normally run over the tunnels so that routes are learned automatically and quickly.

7.1 DMVPN Security

DMVPN carries traffic in GRE and protects it with IPsec, which provides peer authentication, confidentiality and integrity. The lab below authenticates every router with one wildcard pre-shared key (crypto isakmp key ... address 0.0.0.0 0.0.0.0) and uses 3DES with MD5; that keeps the lab short, but it means any device that learns the key can join the VPN, and 3DES and MD5 are legacy algorithms. In production, use a distinct key per peer or certificate-based authentication, and current AES and SHA-2 transforms.

7.2 Encapsulation

All data traffic, NHRP messages and other control traffic must be protected in DMVPN. To support multicast and non-IP protocols (for example routing-protocol updates) efficiently, every packet is first encapsulated in GRE; the resulting GRE packet is then protected by IPsec, as shown in Fig. 7.1. IPsec transport mode is usually used, because the GRE header already carries the tunnel endpoints and transport mode avoids a second outer IP header. Note that an IOS transform set negotiates tunnel mode unless mode transport is configured under it.

[Figures and tables are omitted from this preview.]

Figure 7.1 GRE Encapsulation
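To make the encapsulation order and its cost concrete, the following Python script is an added example (not from the book) that builds an inner IPv4 packet, wraps it in GRE with an outer IPv4 header, and then computes the on-the-wire size after ESP in transport and in tunnel mode. It assumes the lab's esp-des esp-md5-hmac transform (8-byte IV, 8-byte cipher block, 12-byte ICV) and a plain GRE header with no key, sequence number or checksum, matching the show interface tunnel output earlier in the chapter. The addresses are the lab's documentation addresses; the packet is constructed for the example, not captured.

```python
import struct

# Header sizes from RFC 2784 (GRE), RFC 4303 (ESP), RFC 2405 (DES-CBC) and RFC 2403 (HMAC-MD5-96).
IPV4_HDR_LEN = 20
GRE_BASE_HDR_LEN = 4        # flags/version (2) + protocol type (2); no checksum, key or sequence
ESP_HDR_LEN = 8             # SPI (4) + sequence number (4)
ESP_TRAILER_LEN = 2         # pad length (1) + next header (1)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum; ID and flags left at zero."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                      0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Step 1 of the figure: inner IP packet -> GRE (protocol type 0x0800) -> outer IP (protocol 47)."""
    gre_hdr = struct.pack("!HH", 0x0000, 0x0800)
    gre_payload = gre_hdr + inner_packet
    return ipv4_header(tunnel_src, tunnel_dst, 47, len(gre_payload)) + gre_payload


def esp_packet_len(ip_packet_len: int, mode: str,
                   iv_len: int = 8, block_len: int = 8, icv_len: int = 12) -> int:
    """Step 2: total length after ESP protects the GRE packet in the given mode."""
    if mode == "transport":
        protected = ip_packet_len - IPV4_HDR_LEN   # original IP header stays outside ESP
    elif mode == "tunnel":
        protected = ip_packet_len                  # whole packet becomes the ESP payload, new IP header added
    else:
        raise ValueError(mode)
    # Payload + trailer is padded to a multiple of the cipher block size (RFC 4303 section 2.4).
    padding = (-(protected + ESP_TRAILER_LEN)) % block_len
    return IPV4_HDR_LEN + ESP_HDR_LEN + iv_len + protected + padding + ESP_TRAILER_LEN + icv_len


def overhead_report(inner_len: int = 100) -> dict:
    """Sizes at each encapsulation stage for a constructed inner ICMP packet of inner_len bytes."""
    inner = ipv4_header("192.168.1.10", "192.168.2.10", 1, inner_len - IPV4_HDR_LEN)
    inner += b"\x00" * (inner_len - IPV4_HDR_LEN)
    gre = gre_encapsulate(inner, "203.0.113.17", "203.0.113.34")
    return {
        "inner": len(inner),
        "gre": len(gre),
        "esp_transport": esp_packet_len(len(gre), "transport"),
        "esp_tunnel": esp_packet_len(len(gre), "tunnel"),
    }


if __name__ == "__main__":
    for stage, size in overhead_report().items():
        print(f"{stage:14s} {size} bytes")
```

For a 100-byte inner packet the GRE packet is 124 bytes; ESP transport mode gives 160 bytes and tunnel mode 176, the difference being the second 20-byte IP header less the change in padding. This per-packet overhead is why tunnel interfaces carrying IPsec-protected GRE are normally given a reduced ip mtu and an ip tcp adjust-mss value, so that fragmentation does not happen after encryption.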

7.3 Dynamic Multipoint VPN (Hub & Spokes)

7.3.1 Lab Objectives

- Assign IP addresses according to the topology

- Configure IP Routing

- Test Connectivity

- Configure DMVPN Tunnels

- Test VPN

7.3.2 Topology

[Figures and tables are omitted from this preview.]

Figure 7.2 DMVPN Setup

7.3.3 Step-1 IP Addressing

Assign IP addresses to the router interfaces as shown in topology diagram 7.2. All interfaces must be enabled and in the up/up state.

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface fastEthernet 0/0

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface fastEthernet 0/1

Internet(config-if)# ip address 203.0.113.18 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface fastEthernet 1/0

Internet(config-if)# ip address 203.0.113.65 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.33 YES manual up up

FastEthernet0/1 203.0.113.18 YES manual up up

FastEthernet1/0 203.0.113.65 YES manual up up

Internet#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

203.0.113.0/28 is subnetted, 3 subnets

C 203.0.113.32 is directly connected, FastEthernet0/0

C 203.0.113.16 is directly connected, FastEthernet0/1

C 203.0.113.64 is directly connected, FastEthernet1/0

Internet#

HQ:

HQ>enable

HQ#configure terminal

HQ(config)#interface fastEthernet 0/0

HQ(config-if)#ip address 203.0.113.17 255.255.255.240

HQ(config-if)#no shutdown

HQ(config-if)#exit

HQ(config)#interface fastEthernet 0/1

HQ(config-if)#ip address 192.168.1.1 255.255.255.0

HQ(config-if)#no shutdown

HQ(config-if)#^Z

HQ#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.17 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

HQ#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

203.0.113.0/28 is subnetted, 1 subnets

C 203.0.113.16 is directly connected, FastEthernet0/0

C 192.168.1.0/24 is directly connected, FastEthernet0/1

HQ#

Branch-1:

Branch-1>enable

Branch-1#configure terminal

Branch-1(config)#interface fastEthernet 0/1

Branch-1(config-if)# ip address 203.0.113.34 255.255.255.240

Branch-1(config-if)#no shutdown

Branch-1(config-if)#exit

Branch-1(config)#interface fastEthernet 0/0

Branch-1(config-if)# ip address 192.168.2.1 255.255.255.0

Branch-1(config-if)#no shutdown

Branch-1(config-if)#^Z

Branch-1#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.2.1 YES manual up up

FastEthernet0/1 203.0.113.34 YES manual up up

Branch-1#show ip route connected

203.0.113.0/28 is subnetted, 1 subnets

C 203.0.113.32 is directly connected, FastEthernet0/1

C 192.168.2.0/24 is directly connected, FastEthernet0/0

Branch-1#

Branch-2:

Branch-2>enable

Branch-2#configure terminal

Branch-2(config)#interface fastEthernet 0/0

Branch-2(config-if)# ip address 203.0.113.66 255.255.255.240

Branch-2(config-if)#no shutdown

Branch-2(config-if)#exit

Branch-2(config)#interface fastEthernet 0/1

Branch-2(config-if)# ip address 192.168.3.1 255.255.255.0

Branch-2(config-if)#no shutdown

Branch-2(config-if)#^Z

Branch-2#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.66 YES manual up up

FastEthernet0/1 192.168.3.1 YES manual up up

Branch-2#show ip route connected

203.0.113.0/28 is subnetted, 1 subnets

C 203.0.113.64 is directly connected, FastEthernet0/0

C 192.168.3.0/24 is directly connected, FastEthernet0/1

Branch-2#

7.3.4 Step-2 Configuring Static IP Routing

HQ:

HQ(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.18

HQ(config)#exit

HQ#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 203.0.113.18 to network 0.0.0.0

203.0.113.0/28 is subnetted, 1 subnets

C 203.0.113.16 is directly connected, FastEthernet0/0

C 192.168.1.0/24 is directly connected, FastEthernet0/1

S* 0.0.0.0/0 [1/0] via 203.0.113.18

HQ#

Branch-1:

Branch-1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33

Branch-1(config)#exit

Branch-2:

Branch-2(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.65

Branch-2(config)#exit

Branch-2#

7.3.5 Step-3 Testing Connectivity

HQ:

HQ#ping 203.0.113.34

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:

..!!!

Success rate is 60 percent (3/5), round-trip min/avg/max = 20/120/264 ms

HQ#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

HQ#

7.3.6 Step-4 Configuring DMVPN Tunnel

HQ:

HQ(config)#crypto isakmp policy 10

HQ(config-isakmp)#encryption 3des

HQ(config-isakmp)#hash md5

HQ(config-isakmp)#authentication pre-share

HQ(config-isakmp)#group 2

HQ(config-isakmp)#exit

HQ(config)#crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0

HQ(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac

HQ(cfg-crypto-trans)#exit

HQ(config)#crypto ipsec profile dmvpn

HQ(ipsec-profile)#set transform-set tset

HQ(ipsec-profile)#exit

HQ(config)#interface tunnel 0

HQ(config-if)#ip address 172.16.1.1 255.255.255.0

HQ(config-if)#tunnel mode gre multipoint

HQ(config-if)#tunnel source 203.0.113.17

HQ(config-if)#ip nhrp map multicast dynamic

HQ(config-if)#ip nhrp network-id 1

HQ(config-if)#ip nhrp authentication DMVPN

HQ(config-if)#no ip next-hop-self eigrp 1

HQ(config-if)#no ip split-horizon eigrp 1

HQ(config-if)#tunnel protection ipsec profile dmvpn

HQ(config-if)#exit

HQ(config)#router eigrp 1

HQ(config-router)#no auto-summary

HQ(config-router)#network 172.16.1.0 0.0.0.255

HQ(config-router)#network 192.168.1.0 0.0.0.255

HQ(config-router)#^Z

HQ#

Branch-1:

Branch-1(config)#crypto isakmp policy 10

Branch-1(config-isakmp)#encryption 3des

Branch-1(config-isakmp)#hash md5

Branch-1(config-isakmp)#authentication pre-share

Branch-1(config-isakmp)#group 2

Branch-1(config-isakmp)#exit

Branch-1(config)#crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0

Branch-1(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac

Branch-1(cfg-crypto-trans)#exit

Branch-1(config)#crypto ipsec profile dmvpn

Branch-1(ipsec-profile)#set transform-set tset

Branch-1(ipsec-profile)#exit

Branch-1(config)#interface tunnel 0

Branch-1(config-if)#ip address 172.16.1.2 255.255.255.0

Branch-1(config-if)#tunnel mode gre multipoint

Branch-1(config-if)#tunnel source 203.0.113.34

Branch-1(config-if)#ip nhrp map 172.16.1.1 203.0.113.17

Branch-1(config-if)#ip nhrp map multicast 203.0.113.17

Branch-1(config-if)#ip nhrp nhs 172.16.1.1

Branch-1(config-if)#ip nhrp network-id 1

Branch-1(config-if)#ip nhrp authentication DMVPN

Branch-1(config-if)#no ip next-hop-self eigrp 1

Branch-1(config-if)#no ip split-horizon eigrp 1

Branch-1(config-if)# tunnel protection ipsec profile dmvpn

Branch-1(config-if)#exit

Branch-1(config)#router eigrp 1

Branch-1(config-router)#no auto-summary

Branch-1(config-router)#network 172.16.1.0 0.0.0.255

Branch-1(config-router)#network 192.168.2.0 0.0.0.255

Branch-1(config-router)#^Z

Branch-1#

Branch-2:

Branch-2(config)#crypto isakmp policy 10

Branch-2(config-isakmp)#encryption 3des

Branch-2(config-isakmp)#hash md5

Branch-2(config-isakmp)#authentication pre-share

Branch-2(config-isakmp)#group 2

Branch-2(config-isakmp)#exit

Branch-2(config)#crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0

Branch-2(config)#crypto ipsec transform-set tset esp-3des esp-md5-hmac

Branch-2(cfg-crypto-trans)#exit

Branch-2(config)#crypto ipsec profile dmvpn

Branch-2(ipsec-profile)#set transform-set tset

Branch-2(ipsec-profile)#exit

Branch-2(config)#interface tunnel 0

Branch-2(config-if)#ip address 172.16.1.3 255.255.255.0

Branch-2(config-if)#tunnel mode gre multipoint

Branch-2(config-if)#tunnel source 203.0.113.66

Branch-2(config-if)#ip nhrp map 172.16.1.1 203.0.113.17

Branch-2(config-if)#ip nhrp map multicast 203.0.113.17

Branch-2(config-if)#ip nhrp nhs 172.16.1.1

Branch-2(config-if)#ip nhrp network-id 1

Branch-2(config-if)#ip nhrp authentication DMVPN

Branch-2(config-if)#no ip next-hop-self eigrp 1

Branch-2(config-if)#no ip split-horizon eigrp 1

Branch-2(config-if)# tunnel protection ipsec profile dmvpn

Branch-2(config-if)#exit

Branch-2(config)#router eigrp 1

Branch-2(config-router)#no auto-summary

Branch-2(config-router)#network 172.16.1.0 0.0.0.255

Branch-2(config-router)#network 192.168.3.0 0.0.0.255

Branch-2(config-router)#^Z

Branch-2#

7.3.7 Step-5 Testing

HQ:

HQ#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.17 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Tunnel0 172.16.1.1 YES manual up up

HQ#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 88/100/124 ms

HQ#ping 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/88/108 ms

HQ#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 203.0.113.18 to network 0.0.0.0

203.0.113.0/28 is subnetted, 1 subnets

C 203.0.113.16 is directly connected, FastEthernet0/0

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.1.0 is directly connected, Tunnel0

C 192.168.1.0/24 is directly connected, FastEthernet0/1

D 192.168.2.0/24 [90/297270016] via 172.16.1.2, 00:00:04, Tunnel0

D 192.168.3.0/24 [90/297270016] via 172.16.1.3, 00:00:04, Tunnel0

S* 0.0.0.0/0 [1/0] via 203.0.113.18

HQ#show crypto isakmp sa

dst src state conn-id slot status

203.0.113.17 203.0.113.34 QM_IDLE 3 0 ACTIVE

203.0.113.17 203.0.113.66 QM_IDLE 4 0 ACTIVE

HQ#show crypto ipsec sa

interface: Tunnel0

Crypto map tag: Tunnel0-head-0, local addr 203.0.113.17

protected vrf: (none)

local ident (addr/mask/prot/port): (203.0.113.17/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (203.0.113.34/255.255.255.255/47/0)

current_peer 203.0.113.34 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 135, #pkts encrypt: 135, #pkts digest: 135

#pkts decaps: 134, #pkts decrypt: 134, #pkts verify: 134

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

Branch-2:

Branch-2#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 172/191/224 ms

Branch-2#

8 SSL VPN

Secure Sockets Layer (SSL) VPN builds on the SSL/TLS protocol that every standard web browser already implements, so in its basic form it needs no special client software on the end user's computer. SSL was originally developed by Netscape; the IETF later published SSL 3.0 as a historical record in RFC 6101, and its standardised successor is TLS. An SSL VPN lets remote users reach web applications, client-server applications and internal network resources over the public Internet. It offers adaptability, ease of use and granular access control for a range of users on a variety of computers connecting from many locations. The primary goal of the SSL protocol is to provide privacy and reliability between two communicating applications. The protocol is composed of two layers [18]: at the bottom, on top of a reliable transport such as TCP, sits the SSL record protocol, which encapsulates the higher-level protocols; above it sit the handshake, change cipher spec and alert protocols and the application data they protect. One advantage of SSL is that it is independent of the application protocol carried. There are two major types of SSL VPN.

1. SSL Portal VPN

2. SSL Tunnel VPN

In an SSL portal VPN, the end user reaches multiple network services through a single SSL connection to a web site. The site is called a portal because it is the one door to many resources. The remote user connects to the VPN gateway with any modern web browser, authenticates with the method the gateway defines, and is then presented with links to the internal resources.

In an SSL tunnel VPN, the end user reaches network services, including applications and protocols that are not web-based, through a tunnel. This mode typically requires a small client (a browser plug-in or a downloaded agent) that the gateway delivers on first connection.

8.1 SSL Security

SSL provides encryption, authentication and integrity services. A handshake first authenticates the peers and agrees on secret keys; only after that is application data encrypted. Bulk data encryption uses a symmetric algorithm, in which the same key encrypts and decrypts, for example 3DES or, in current deployments, AES (single DES is too weak to use). Asymmetric cryptography, typically RSA with a public/private key pair, is used during the handshake to exchange or agree the session key and to authenticate the server (and optionally the client) by means of X.509 certificates, which may be issued by a third-party certificate authority or be self-signed, as in the lab below. Each record carries a message integrity check in the form of a keyed Message Authentication Code (MAC); secure hash functions (SHA-1, and historically MD5, which is now deprecated) are used for the MAC computation, and a sequence number is included so that replayed or reordered records are detected.

8.2 SSL Encapsulation

In SSL VPN, the application data is received in chunks (fragments). A MAC is computed over each fragment, fragment and MAC are encrypted together, and the result is encapsulated in an object called a record, as displayed in Fig 8.1 below. Each record begins with a 5-byte header: one byte of content type, two bytes of protocol version and two bytes of length.

[Figures and tables are omitted from this preview.]

Figure 8.1 SSL Encapsulation
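The record layer described in 8.1 and 8.2 is easy to see in code. The Python example below is added here and is not part of the original text or of any Cisco software: it splits a byte stream into records using the 5-byte header, rejects truncated, oversized or unknown records instead of guessing at them, and computes the TLS 1.0 to 1.2 record MAC, an HMAC over the 64-bit sequence number, content type, version, length and fragment, which is what makes a replayed or reordered record fail verification (SSL 3.0 itself used an older, non-HMAC construction, one of the reasons it is now retired). The byte stream, the key and all function names are constructed for the example.

```python
"""Parse SSL/TLS records and compute the per-record MAC (added example)."""
import hashlib
import hmac
import struct

# Content types of the record layer (SSL 3.0 / TLS 1.x).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HEADER_LEN = 5                  # type (1) + version (2) + length (2)
MAX_RECORD_LEN = 2**14 + 2048   # ciphertext fragment limit in TLS 1.0-1.2


def parse_records(data: bytes) -> list:
    """Split a byte stream into records; refuse anything truncated, oversized or unknown.

    Returns a list of dicts with the numeric and symbolic content type, the
    (major, minor) version and the raw fragment bytes.
    """
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < HEADER_LEN:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError("unknown content type %d at offset %d" % (ctype, offset))
        if length > MAX_RECORD_LEN:
            raise ValueError("record length %d exceeds the protocol maximum" % length)
        body_start, body_end = offset + HEADER_LEN, offset + HEADER_LEN + length
        if body_end > len(data):
            raise ValueError("truncated record body at offset %d" % offset)
        records.append({"type": ctype, "type_name": CONTENT_TYPES[ctype],
                        "version": (major, minor), "fragment": data[body_start:body_end]})
        offset = body_end
    return records


def is_well_formed(data: bytes) -> bool:
    """Yes/no wrapper around parse_records for callers that only need a verdict."""
    try:
        parse_records(data)
        return True
    except ValueError:
        return False


def record_mac(key: bytes, seq_num: int, ctype: int, version: tuple, fragment: bytes,
               digest=hashlib.sha256) -> bytes:
    """TLS 1.0-1.2 record MAC (RFC 2246 section 6.2.3.1):
    HMAC(key, seq_num(8) || type(1) || version(2) || length(2) || fragment).
    The 64-bit sequence number is what makes a replayed record fail verification."""
    major, minor = version
    mac_input = struct.pack("!QBBBH", seq_num, ctype, major, minor, len(fragment)) + fragment
    return hmac.new(key, mac_input, digest).digest()


def verify_record(key: bytes, seq_num: int, record: dict, tag: bytes) -> bool:
    """Constant-time comparison of the received tag against the recomputed MAC."""
    expected = record_mac(key, seq_num, record["type"], record["version"], record["fragment"])
    return hmac.compare_digest(expected, tag)


# Constructed sample stream: a TLS 1.0 close_notify alert followed by application data.
SAMPLE_STREAM = (bytes([21, 3, 1, 0, 2]) + bytes([1, 0])
                 + bytes([23, 3, 1, 0, 5]) + b"hello")

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE_STREAM)):
        print(i, rec["type_name"], rec["version"], rec["fragment"])
```

The parser fails closed on the two conditions a gateway meets in practice, a record cut off by the transport and a length field larger than the protocol allows, and the verifier shows that the same fragment under a different sequence number, or a fragment changed by one byte, no longer matches its tag.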

8.3 Router as an SSL VPN Gateway

8.3.1 Lab Objectives

- Assign IP addresses according to topology

- Configure IP Routing

- Configure Router as a DNS Server

- Test Connectivity

- Configure a Self-Signed Certificate on the Router

- Configure Router as an SSL VPN Gateway

- Test VPN

8.3.2 Topology

[Figures and tables are omitted from this preview.]

Figure 8.2 SSL VPN Setup

8.3.3 Step-1 IP Addressing

Assign IP addresses to the router interfaces and the PC as shown in topology diagram 8.2. Interfaces must be enabled (up/up).

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface fastEthernet 0/0

Internet(config-if)# ip address 203.0.113.18 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface fastEthernet 0/1

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.18 YES manual up up

FastEthernet0/1 203.0.113.33 YES manual up up

Internet#

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C 203.0.113.16/28 is directly connected, FastEthernet0/0

C 203.0.113.32/28 is directly connected, FastEthernet0/1

Branch:

Branch>enable

Branch#configure terminal

Branch(config)#interface fastEthernet 0/0

Branch(config-if)# ip address 203.0.113.34 255.255.255.240

Branch(config-if)#no shutdown

Branch(config-if)#exit

Branch(config)#interface fastEthernet 0/1

Branch(config-if)#ip address 192.168.1.1 255.255.255.0

Branch(config-if)#no shutdown

Branch(config-if)#^Z

Branch#

Branch#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.34 YES manual up up

FastEthernet0/1 192.168.1.1 YES manual up up

Branch#

PC:

[Figures and tables are omitted from this preview.]

Figure 8.3 Client IP Addressing

8.3.4 Step-2 Configuring Static IP Routing

Branch:

Branch(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.33

Branch(config)#exit

Branch#

Branch#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 203.0.113.33 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 203.0.113.33

C 192.168.1.0/24 is directly connected, FastEthernet0/1

C 203.0.113.32/28 is directly connected, FastEthernet0/0

Branch#

8.3.5 Step-3 Configuring Router as a DNS Server

Internet:

Internet(config)#ip dns server

Internet(config)#ip name-server 203.0.113.18

Internet(config)#ip host mysslvpn.com 203.0.113.34

Internet(config)#no ip domain-lookup

Internet(config)#exit

Internet#

Internet#show ip dns view

DNS View default parameters:

Logging is off

DNS Resolver settings:

Domain lookup is disabled

Default domain name:

Domain search list:

Lookup timeout: 3 seconds

Lookup retries: 2

Domain name-servers:

203.0.113.18

DNS Server settings:

Forwarding of queries is disabled

Forwarder timeout: 3 seconds

Forwarder retries: 2

Forwarder addresses:

8.3.6 Step-4 Testing Connectivity

PC:

C:\>ping 203.0.113.34

Pinging 203.0.113.34 with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=333ms TTL=254

Reply from 203.0.113.34: bytes=32 time=242ms TTL=254

Reply from 203.0.113.34: bytes=32 time=338ms TTL=254

Reply from 203.0.113.34: bytes=32 time=265ms TTL=254

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 242ms, Maximum = 338ms, Average = 294ms

C:\>ping mysslvpn.com

Pinging mysslvpn.com [203.0.113.34] with 32 bytes of data:

Reply from 203.0.113.34: bytes=32 time=148ms TTL=254

Reply from 203.0.113.34: bytes=32 time=213ms TTL=254

Reply from 203.0.113.34: bytes=32 time=191ms TTL=254

Reply from 203.0.113.34: bytes=32 time=220ms TTL=254

Ping statistics for 203.0.113.34:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 148ms, Maximum = 220ms, Average = 193ms

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Reply from 203.0.113.18: Destination host unreachable.

Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

Branch:

Branch#ping 203.0.113.17

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.17, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 112/183/284 ms

Branch#

Internet:

Internet#show ip dns statistics

DNS requests received = 2 ( 2 + 0 )

DNS requests dropped = 0 ( 0 + 0 )

DNS responses replied = 2 ( 2 + 0 )

Forwarder queue statistics:

Current size = 0

Maximum size = 5

Drops = 0

8.3.7 Step-5 Configuring Self-Signed Certificates

Branch(config)#ip domain-name mysslvpn.com

Branch(config)# crypto key generate rsa general-keys modulus 2048 label mykey exportable

The name for the keys will be: mykey

% The key modulus size is 2048 bits

% Generating 2048 bit RSA keys, keys will be exportable...

%SSH-5-ENABLED: SSH 1.99 has been enabled

Branch(config)#crypto pki trustpoint mytpoint

Branch(ca-trustpoint)#enrollment selfsigned

Branch(ca-trustpoint)# subject-name O=Test, CN=www.mysslvpn.com

Branch(ca-trustpoint)#revocation-check none

Branch(ca-trustpoint)#rsakeypair mykey

Branch(ca-trustpoint)#exit

Branch(config)#crypto pki enroll mytpoint

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]: no

Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

Branch#wr

Building configuration...

%SYS-5-CONFIG_I: Configured from console by test on console

[OK]

Branch#dir nvram:

Directory of nvram:/

120 -rw- 1271 <no date> startup-config

121 ---- 3574 <no date> private-config

122 -rw- 1271 <no date> underlying-config

1 ---- 34 <no date> persistent-data

2 -rw- 4 <no date> rf_cold_starts

3 -rw- 0 <no date> ifIndex-table

4 -rw- 910 <no date> Branchmysslv#1.cer

129016 bytes total (120023 bytes free)

Branch#show crypto pki certificates

Router Self-Signed Certificate

Status: Available

Certificate Serial Number: 01

Certificate Usage: General Purpose

Issuer:

hostname=Branch.mysslvpn.com

o=Test

cn=www.mysslvpn.com

Subject:

Name: Branch.mysslvpn.com

hostname=Branch.mysslvpn.com

o=Test

cn=www.mysslvpn.com

Validity Date:

start date: 09:14:40 UTC Dec 8 2017

end date: 00:00:00 UTC Jan 1 2020

Associated Trustpoints: mytpoint

Branch#show crypto pki trustpoints

Trustpoint mytpoint:

Subject Name:

hostname=Branch.mysslvpn.com

o=Test

cn=www.mysslvpn.com

Serial Number: 01

Persistent self-signed certificate trust point

Branch#show crypto key mypubkey rsa

% Key pair was generated at: 09:05:01 UTC Dec 8 2017

Key name: mykey

Storage Device: private-config

Usage: General Purpose Key

Key is exportable.

Key Data:

30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101

00C27356 1DBEC35E 9AD93A92 1D7F900B F6191658 B33A48C4 7CFE0260 7320BBD8

3DDF0352 2D81800A 0A3186EE 38D2E194 40C209FF A9A36196 C5E96042 22D94614

A5B16CA0 A4C71156 AEDD4B05 CF241A6E 8130BE77 183FCA7A 912AC410 D0D0F6D6

63C038D7 2A96607D CD5996EC E9849279 968B49B9 A39478AC 44E8FED5 C9FEB2F2

49E7BBAB 5646741E C8175D3D 3A536887 A58340DD A30FC1DC 716FC383 88850C3A

C59CA025 11CD6594 ADE15C7C 7D2AA5EE 29AF9A24 E2BB8E6A 8357BFE2 0650AC0F

81BD83C1 C15F3060 39C4BEE6 AE0742E6 1D486F35 676E5AD8 CEED3EBC 469AC530

F568ED80 310807CA C9140D5F 6CA2795C DBA56A64 923FA546 F74E6E71 3DAB903E

73020301 0001

% Key pair was generated at: 09:05:04 UTC Dec 8 2017

Key name: mykey.server

Temporary key

Usage: Encryption Key

Key is not exportable.

Key Data:

307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C72948 9A3F5CB4

E6E466A4 E8B07977 FE68505C BCF1635A C8E601EC 4964D226 4F896D3E 0E638C24

0CF8C33A 4149B5E9 195CFE74 413EFDAC 03C2C4C7 58DA54BB CE7BC235 50F85210

36DAA02A 36827059 514C511B A0269AFF 82F1FBFC B779C8C3 03020301 0001
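Step-5 enrols a certificate whose subject CN is www.mysslvpn.com, while the DNS entry the PC uses (Step-3) is mysslvpn.com, and the trustpoint adds no subjectAltName. Importing a self-signed certificate into the client's trust store only clears the untrusted-issuer warning; the browser separately checks that the name in the URL is covered by the certificate, and current browsers consult only the subjectAltName dNSName entries, not the CN. The Python example below is added here, it is not the book's or Cisco's code, and implements that name check in the dict layout that Python's ssl.SSLSocket.getpeercert() returns; LAB_CERT is built from the Step-5 output and FIXED_CERT is a hypothetical re-issued certificate with a SAN. Two further points a practitioner would note about Step-5: the key pair was generated with the exportable flag, which lets the private key be copied off the router and should be omitted unless a backup is genuinely required, and revocation-check none is acceptable here only because the certificate is self-signed.

```python
"""Match an SSL VPN gateway certificate against the hostname the user typed (added example)."""


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; a wildcard is allowed only as the
    whole left-most label, never matches more than one label, and needs at least two
    further labels (so '*.com' is rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict, allow_cn_fallback: bool) -> list:
    """dNSName entries of the subjectAltName extension; the subject CN is consulted only
    when there is no SAN at all and the caller allows the legacy fallback."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans or not allow_cn_fallback:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def cert_matches_hostname(cert: dict, hostname: str, allow_cn_fallback: bool = False) -> bool:
    """True if any certificate name covers hostname. The default (no CN fallback) is what
    current browsers do; allow_cn_fallback=True reproduces older client behaviour."""
    return any(_name_matches(n, hostname) for n in certificate_names(cert, allow_cn_fallback))


# Constructed from the Step-5 output: O=Test, CN=www.mysslvpn.com and no SAN extension,
# in the dict layout that ssl.SSLSocket.getpeercert() returns.
LAB_CERT = {
    "subject": ((("organizationName", "Test"),), (("commonName", "www.mysslvpn.com"),)),
    "issuer": ((("organizationName", "Test"),), (("commonName", "www.mysslvpn.com"),)),
}

# Hypothetical replacement certificate carrying the names users actually type.
FIXED_CERT = dict(LAB_CERT, subjectAltName=(("DNS", "mysslvpn.com"), ("DNS", "*.mysslvpn.com")))

if __name__ == "__main__":
    for host in ("mysslvpn.com", "www.mysslvpn.com"):
        print(host,
              "legacy CN match:", cert_matches_hostname(LAB_CERT, host, allow_cn_fallback=True),
              "modern match:", cert_matches_hostname(LAB_CERT, host),
              "fixed cert:", cert_matches_hostname(FIXED_CERT, host))
```

Run against the lab certificate, https://mysslvpn.com/ fails the name check even with the legacy CN fallback, and https://www.mysslvpn.com/ passes only with it; the fix is to issue the gateway certificate with a SAN that lists every name users will type.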

8.3.8 Step-6 Configuring SSL VPN Gateway

Branch:

Branch(config)#aaa new-model

Branch(config)#username test password 0 test

Branch(config)#aaa authentication login default local

Branch(config)#webvpn gateway mysslgateway

Branch(config-webvpn-gateway)# ip address 203.0.113.34 port 443

Branch(config-webvpn-gateway)#http-redirect port 80

Branch(config-webvpn-gateway)#ssl trustpoint mytpoint

Branch(config-webvpn-gateway)#inservice

Branch(config-webvpn-gateway)#exit

Branch(config)#webvpn context mycontext

Branch(config-webvpn-context)#gateway mysslgateway

Branch(config-webvpn-context)# ssl authenticate verify all

Branch(config-webvpn-context)#max-users 100

Branch(config-webvpn-context)#inservice

%SSLVPN-5-UPDOWN: sslvpn context : mycontext changed state to UP

Branch(config-webvpn-context)# login-message "Welcome to mysslvpn.com"

Branch(config-webvpn-context)# policy group mydefaultpolicy

Branch(config-webvpn-group)#url-list "Clientless VPN"

Branch(config-webvpn-group)#exit

Branch(config-webvpn-context)# default-group-policy mydefaultpolicy

Branch(config-webvpn-context)# url-list "Clientless VPN"

Branch(config-webvpn-url)#heading "Clientless VPN"

Branch(config-webvpn-url)# url-text "Web Server" url-value "http://203.0.113.34"

Branch(config-webvpn-url)#exit

8.3.9 Step-7 Testing

PC:

[Figures and tables are omitted from this preview.]

Figure 8.4 before Certificate

[Figures and tables are omitted from this preview.]

Figure 8.5 after Certificate

Branch:

Branch#show webvpn gateway

Gateway Name Admin Operation

------------ ----- ---------

mysslgateway up up

Branch#show webvpn context

Codes: AS - Admin Status, OS - Operation Status

VHost - Virtual Host

Context Name Gateway Domain/VHost VRF AS OS

------------ ------- ------------ ------- ---- --------

mycontext mysslgat - - up up

Branch#

9 High Availability VPN

A high availability VPN avoids a single point of failure at the VPN device (router) by providing redundancy in the network, so that packets continue to be processed and forwarded when one device or link fails. Two or more routers or links are used in parallel: one works as the active or primary, the other as the standby or backup, and the standby takes over automatically and almost immediately when the active one goes down. The two may also share the load. This feature is most valuable in the corporate sector. Several first-hop redundancy protocols provide this function, such as:

1. HSRP

2. VRRP

3. GLBP

9.1 HSRP

Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol. It allows two or more routers to work together to present a single virtual IP address for a particular network; it is not a routing protocol. It provides almost immediate failover to a secondary router when the primary becomes unavailable. The virtual IP address is used as the default gateway by hosts in the network. A host that uses the HSRP address as its gateway never needs to know the physical IP or MAC addresses of the routers in the group; only the virtual IP address created in the HSRP configuration, together with a virtual MAC address, is visible to other hosts on the network. Its specification is described in RFC 2281 [19]. It has two versions, HSRPv1 and HSRPv2.

In HSRP, a group of routers is configured as a standby group that shares a single virtual IP address. Within the group one router is active and a second is standby. The active router is elected by priority: the router with the highest priority wins, and the default priority is 100. If all routers have the same priority, the router with the highest interface IP address wins. The election process moves through six states (Initial, Learn, Listen, Speak, Standby and Active). HSRPv1 sends its messages over UDP port 1985 to the multicast address 224.0.0.2 with a TTL of 1 (HSRPv2 uses 224.0.0.102). If the active router fails, the standby router becomes active. If the original router later recovers, the router that took over remains active by default. When you want the higher-priority router to always reclaim the active role, Cisco provides the preempt command: it forces a router to become active again after recovering from a failure, provided its priority is higher than that of the current active router.

RRI (Reverse Route Injection) is a feature designed to simplify network design for VPNs that require redundancy and routing. When an IPsec security association is established, a static route to the protected remote network is created automatically; it can then be redistributed into the dynamic routing protocol and advertised to surrounding devices. RRI works with both dynamic and static crypto maps.

9.2 VRRP

The Virtual Router Redundancy Protocol (VRRP) is also a redundancy protocol. It is an open standard described by the IETF in RFC 3768 [20] (VRRPv2; version 3, which adds IPv6 support, is in RFC 5798). It provides a function similar to the proprietary Hot Standby Router Protocol and IP Standby Protocol, and Cisco has stated that a similar protocol with essentially the same function is covered by its patents and offered under licence. VRRP uses the multicast address 224.0.0.18 and IP protocol number 112. It creates virtual routers, an abstract representation of multiple physical routers, the master and the backups, acting as a group. The default priority is 100. In the group one router is the master and another is the backup; the master is elected by priority, and the router with the highest priority wins.

9.3 GLBP

Gateway Load Balancing Protocol (GLBP) is a Cisco proprietary protocol that attempts to overcome the limitations of the existing redundancy protocols by adding basic load balancing. By default, GLBP load-balances in round-robin fashion. GLBP elects one Active Virtual Gateway (AVG) for each group; the router with the next highest priority is placed in the standby state and all other members are placed in the listening state. By default GLBP routers send hello packets to their peers every 3 seconds, using the multicast address 224.0.0.102 and UDP port 3222.

9.4 Site-to-Site IPsec High Availability VPN with HSRP

9.4.1 Lab Objectives

- Assign IP addresses according to the topology

- Configure IP Routing

- Test Connectivity

- Configure HSRP

- Configure Site-to-Site IPsec VPN

- Testing

9.4.2 Topology

[Figures and tables are omitted from this preview.]

Figure 9.1 Site-to-Site IPsec High Availability VPN Setup

9.4.3 Step-1 IP Addressing

Assign IP addresses to the router interfaces and the PC as shown in topology diagram 9.1. Interfaces must be enabled (up/up).

Internet:

Internet>enable

Internet#configure terminal

Internet(config)#interface fastEthernet 0/0

Internet(config-if)# ip address 203.0.113.33 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#exit

Internet(config)#interface fastEthernet 0/1

Internet(config-if)# ip address 203.0.113.19 255.255.255.240

Internet(config-if)#no shutdown

Internet(config-if)#^Z

Internet#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.33 YES manual up up

FastEthernet0/1 203.0.113.19 YES manual up up

Internet#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

C 203.0.113.32/28 is directly connected, FastEthernet0/0

C 203.0.113.16/28 is directly connected, FastEthernet0/1

PC:

[Figures and tables are omitted from this preview.]

Figure 9.2 Client IP Addressing

Primary:

Primary>enable

Primary#configure terminal

Primary(config)#interface fastEthernet 0/0

Primary(config-if)# ip address 192.168.1.2 255.255.255.0

Primary(config-if)#no shutdown

Primary(config-if)#exit

Primary(config)#interface fastEthernet 0/1

Primary(config-if)# ip address 203.0.113.17 255.255.255.240

Primary(config-if)#no shutdown

Primary(config-if)#^Z

Primary#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.1.2 YES manual up up

FastEthernet0/1 203.0.113.17 YES manual up up

Primary#

Secondary:

Secondary>enable

Secondary#configure terminal

Secondary(config)#interface fastEthernet 0/0

Secondary(config-if)# ip address 192.168.1.3 255.255.255.0

Secondary(config-if)#no shutdown

Secondary(config-if)#exit

Secondary(config)#interface fastEthernet 0/1

Secondary(config-if)# ip address 203.0.113.18 255.255.255.240

Secondary(config-if)#no shutdown

Secondary(config-if)#^Z

Secondary#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 192.168.1.3 YES manual up up

FastEthernet0/1 203.0.113.18 YES manual up up

Secondary#

Branch-2:

Branch-2>enable

Branch-2#configure terminal

Branch-2(config)#interface fastEthernet 0/0

Branch-2(config-if)# ip address 203.0.113.34 255.255.255.240

Branch-2(config-if)#no shutdown

Branch-2(config-if)#exit

Branch-2(config)#interface fastEthernet 0/1

Branch-2(config-if)# ip address 192.168.2.1 255.255.255.0

Branch-2(config-if)#no shutdown

Branch-2(config-if)#^Z

Branch-2#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 203.0.113.34 YES manual up up

FastEthernet0/1 192.168.2.1 YES manual up up

Branch-2#

9.4.4 Step-2 Configuring Static IP Routing

Branch-2:

Branch-2(config)# ip route 203.0.113.16 255.255.255.240 203.0.113.33

Branch-2(config)#exit

Branch-2#

Branch-2#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

C 203.0.113.32/28 is directly connected, FastEthernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet0/1

S 203.0.113.16/28 [1/0] via 203.0.113.33

Branch-2#

Primary:

Primary(config)# ip route 203.0.113.32 255.255.255.240 203.0.113.19

Primary(config)#exit

Primary#

Primary#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.1.0/24 is directly connected, FastEthernet0/0

C 203.0.113.16/28 is directly connected, FastEthernet0/1

S 203.0.113.32/28 [1/0] via 203.0.113.19

Primary#

Secondary:

Secondary(config)# ip route 203.0.113.32 255.255.255.240 203.0.113.19

Secondary(config)#exit

Secondary#

Secondary#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.1.0/24 is directly connected, FastEthernet0/0

C 203.0.113.16/28 is directly connected, FastEthernet0/1

S 203.0.113.32/28 [1/0] via 203.0.113.19

Secondary#

9.4.5 Step-3 Testing Connectivity

Primary:

Primary#ping 203.0.113.34

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 60/75/96 ms

Primary#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

Secondary:

Secondary#ping 203.0.113.34

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 203.0.113.34, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/75/96 ms

Secondary#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

9.4.6 Step-4 Configuring HSRP

Primary:

Primary(config)#interface fastEthernet 0/0

Primary(config-if)#standby 1 ip 192.168.1.5

Primary(config-if)#standby 1 priority 200

Primary(config-if)#standby 1 preempt

Primary(config-if)#standby 1 name inside

Primary(config-if)# standby 1 track fastEthernet 0/1 110

Primary(config-if)#exit

Primary(config)#interface fastEthernet 0/1

Primary(config-if)#standby 2 ip 203.0.113.20

Primary(config-if)#standby 2 priority 200

Primary(config-if)#standby 2 preempt

Primary(config-if)#standby 2 name HAVPN

Primary(config-if)# standby 2 track fastEthernet 0/0 110

Primary(config-if)#exit

Primary(config)#

Secondary:

Secondary(config)#interface fastEthernet 0/0

Secondary(config-if)#standby 1 ip 192.168.1.5

Secondary(config-if)#standby 1 preempt

Secondary(config-if)#standby 1 name inside

Secondary(config-if)#exit

Secondary(config)#interface fastEthernet 0/1

Secondary(config-if)#standby 2 ip 203.0.113.20

Secondary(config-if)#standby 2 preempt

Secondary(config-if)#standby 2 name HAVPN

Secondary(config-if)#exit

Secondary(config)#

Primary:

Primary#show standby

FastEthernet0/0 - Group 1

State is Active

2 state changes, last state change 00:03:20

Virtual IP address is 192.168.1.5

Active virtual MAC address is 0000.0c07.ac01

Local virtual MAC address is 0000.0c07.ac01 (default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 1.276 secs

Preemption enabled, min delay 0 sec, sync delay 0 sec

Active router is local

Standby router is 192.168.1.3, priority 100 (expires in 7.676 sec)

Priority 200 (configured 200)

Group name is "inside" (cfgd)

FastEthernet0/1 - Group 2

State is Active

2 state changes, last state change 00:02:44

Virtual IP address is 203.0.113.20

Active virtual MAC address is 0000.0c07.ac02

Local virtual MAC address is 0000.0c07.ac02 (default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 1.268 secs

Preemption enabled, min delay 0 sec, sync delay 0 sec

Active router is local

Standby router is 203.0.113.18, priority 100 (expires in 8.132 sec)

Priority 200 (configured 200)

Group name is "HAVPN" (cfgd)

Primary#

Secondary:

Secondary#show standby

FastEthernet0/0 - Group 1

State is Standby

1 state change, last state change 00:00:30

Virtual IP address is 192.168.1.5

Active virtual MAC address is 0000.0c07.ac01

Local virtual MAC address is 0000.0c07.ac01 (default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 0.052 secs

Preemption enabled, min delay 0 sec, sync delay 0 sec

Active router is 192.168.1.2, priority 200 (expires in 7.792 sec)

Standby router is local

Priority 100 (default 100)

Group name is "inside" (cfgd)

FastEthernet0/1 - Group 2

State is Standby

1 state change, last state change 00:00:05

Virtual IP address is 203.0.113.20

Active virtual MAC address is 0000.0c07.ac02

Local virtual MAC address is 0000.0c07.ac02 (default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 0.464 secs

Preemption enabled, min delay 0 sec, sync delay 0 sec

Active router is 203.0.113.17, priority 200 (expires in 7.780 sec)

Standby router is local

Priority 100 (default 100)

Group name is "HAVPN" (cfgd)

Secondary#
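The election, tracking and preemption rules of 9.1 and the Step-4 configuration can be replayed in a few lines. The Python example below is added here and is not the book's or Cisco's code; HsrpRouter and HsrpGroup are names chosen for the example, and the model follows the rules stated in the text: highest effective priority wins, equal priorities are broken by the highest interface IP address, an active router keeps its role until it stops sending hellos or a router with preempt configured and a strictly higher priority takes over, and standby track lowers the priority by the configured decrement (10 by default) while the tracked interface is down. It uses the lab's values for the inside group: Primary at 200 with preempt and a decrement of 110, Secondary at the default 100, virtual address 192.168.1.5. Two caveats the simulation makes visible: the decrement only matters if the other router has preempt configured, because HSRP never demotes an active router on its own, and tracking must point at the opposite interface (the uplink, for the inside group), since a group that tracks the interface it runs on learns nothing that the interface going down would not already tell it.

```python
"""Simulate HSRP election, interface tracking and preemption (added example)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class HsrpRouter:
    name: str
    ip: str                       # interface address, used as the election tie-breaker
    priority: int = 100           # HSRP default priority
    preempt: bool = False         # IOS default: no 'standby preempt'
    track_decrement: int = 10     # IOS default decrement for 'standby track'
    tracked_up: bool = True       # state of the tracked (opposite) interface
    alive: bool = True            # False once hellos stop (router or group interface down)

    def effective_priority(self) -> int:
        """Tracking lowers the priority only while the tracked interface is down."""
        return self.priority - (0 if self.tracked_up else self.track_decrement)


def best_candidate(routers):
    """Election rule: highest effective priority, ties broken by highest IP address."""
    return max(routers, key=lambda r: (r.effective_priority(),
                                       int(ipaddress.IPv4Address(r.ip))))


class HsrpGroup:
    def __init__(self, routers):
        self.routers = list(routers)
        self.active = best_candidate([r for r in self.routers if r.alive])

    def tick(self):
        """Re-run the decision after an event and return the active router's name.

        The active router keeps the role unless it stops sending hellos, or another
        router has 'preempt' configured and a strictly higher effective priority.
        """
        alive = [r for r in self.routers if r.alive]
        if not alive:
            self.active = None
            return None
        if self.active not in alive:
            self.active = best_candidate(alive)          # active lost: standby takes over
        else:
            best = best_candidate(alive)
            if (best is not self.active and best.preempt
                    and best.effective_priority() > self.active.effective_priority()):
                self.active = best                       # preemption by a better router
        return self.active.name


def run_lab(primary_preempt: bool = True, secondary_preempt: bool = True):
    """Replay the Step-4 inside group (192.168.1.5). Returns the active router after:
    initial election, tracked uplink down, uplink restored, Primary failure, Primary back."""
    primary = HsrpRouter("Primary", "192.168.1.2", priority=200,
                         preempt=primary_preempt, track_decrement=110)
    secondary = HsrpRouter("Secondary", "192.168.1.3", preempt=secondary_preempt)
    group = HsrpGroup([primary, secondary])
    history = [group.active.name]
    primary.tracked_up = False       # uplink FastEthernet0/1 fails: 200 - 110 = 90 < 100
    history.append(group.tick())
    primary.tracked_up = True        # uplink returns: Primary is back at 200
    history.append(group.tick())
    primary.alive = False            # Primary stops sending hellos: standby must take over
    history.append(group.tick())
    primary.alive = True             # Primary recovers: reclaims the role only with preempt
    history.append(group.tick())
    return history


def tie_break():
    """Equal priorities: the higher interface IP wins the initial election."""
    return HsrpGroup([HsrpRouter("A", "192.168.1.2"), HsrpRouter("B", "192.168.1.3")]).active.name


if __name__ == "__main__":
    print("lab as configured:        ", run_lab())
    print("Secondary without preempt:", run_lab(secondary_preempt=False))
    print("no preempt anywhere:      ", run_lab(False, False))
```

With the lab's configuration the active role moves Primary, Secondary, Primary, Secondary, Primary. Remove preempt from Secondary and the uplink failure no longer causes a failover at all, because Primary at priority 90 stays active until it actually stops sending hellos; remove it from Primary as well and Secondary keeps the role after Primary recovers.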

9.4.7 Step-5 Configuring IPsec VPN over HSRP

Primary:

Primary(config)#crypto isakmp policy 10

Primary(config-isakmp)#encryption 3des

Primary(config-isakmp)#hash md5

Primary(config-isakmp)#authentication pre-share

Primary(config-isakmp)#group 2

Primary(config-isakmp)#exit

Primary(config)# crypto isakmp key 0 testhaipsecvpn address 0.0.0.0

Primary(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac

Primary(cfg-crypto-trans)#exit

Primary(config)#crypto dynamic-map dmap 10

Primary(config-crypto-map)#set transform-set tset

Primary(config-crypto-map)#match address 101

Primary(config-crypto-map)#reverse-route

Primary(config-crypto-map)#exit

Primary(config)#

Primary(config)#ip access-list extended 101

Primary(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any

Primary(config-ext-nacl)#exit

Primary(config)# ip route 192.168.2.0 255.255.255.0 203.0.113.19

Primary(config)# crypto map smap 10 ipsec-isakmp dynamic dmap

Primary(config)#interface fastEthernet 0/1

Primary(config-if)#crypto map smap redundancy HAVPN

Primary(config-if)#^Z

Primary#

Secondary:

Secondary(config)#crypto isakmp policy 10

Secondary(config-isakmp)#encryption 3des

Secondary(config-isakmp)#hash md5

Secondary(config-isakmp)#authentication pre-share

Secondary(config-isakmp)#group 2

Secondary(config-isakmp)#exit

Secondary(config)# crypto isakmp key 0 testhaipsecvpn address 0.0.0.0

Secondary(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac

Secondary(cfg-crypto-trans)#exit

Secondary(config)#crypto dynamic-map dmap 10

Secondary(config-crypto-map)#set transform-set tset

Secondary(config-crypto-map)#match address 101

Secondary(config-crypto-map)#reverse-route

Secondary(config-crypto-map)#exit

Secondary(config)#

Secondary(config)#ip access-list extended 101

Secondary(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any

Secondary(config-ext-nacl)#exit

Secondary(config)# ip route 192.168.2.0 255.255.255.0 203.0.113.19

Secondary(config)# crypto map smap 10 ipsec-isakmp dynamic dmap

Secondary(config)#interface fastEthernet 0/1

Secondary(config-if)#crypto map smap redundancy HAVPN

Secondary(config-if)#^Z

Secondary#

Branch-2:

Branch-2(config)#crypto isakmp policy 10

Branch-2(config-isakmp)#encryption 3des

Branch-2(config-isakmp)#hash md5

Branch-2(config-isakmp)#authentication pre-share

Branch-2(config-isakmp)#group 2

Branch-2(config-isakmp)#exit

Branch-2(config)# crypto isakmp key 0 testhaipsecvpn address 203.0.113.20

Branch-2(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac

Branch-2(cfg-crypto-trans)#exit

Branch-2(config)#crypto map smap 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Branch-2(config-crypto-map)#set peer 203.0.113.20

Branch-2(config-crypto-map)#set transform-set tset

Branch-2(config-crypto-map)#match address 102

Branch-2(config-crypto-map)#exit

Branch-2(config)#ip access-list extended 102

Branch-2(config-ext-nacl)# permit ip any 192.168.1.0 0.0.0.255

Branch-2(config-ext-nacl)#exit

Branch-2(config)# ip route 192.168.1.0 255.255.255.0 203.0.113.33

Branch-2(config)#interface fastEthernet 0/0

Branch-2(config-if)#crypto map smap

Branch-2(config-if)#^Z

Branch-2#
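The Step-5 policy uses 3DES, MD5, Diffie-Hellman group 2 and a pre-shared key bound to address 0.0.0.0. Those were common choices on the IOS releases of the time, but 3DES and MD5 are deprecated, group 2 (1024-bit MODP) is too small, and a wildcard key lets any peer that learns the key authenticate to the HSRP address; the clear-text username password in Step-6 has the same weakness. A reviewer who checks such configurations repeatedly would automate it. The Python example below is added here and is not the book's or Cisco's code: it reads either a CLI transcript (using the prompt to learn the configuration mode) or running-config text, and flags weak ISAKMP policy values, weak transform sets, wildcard or clear-text pre-shared keys and reversible user passwords. SAMPLE_TRANSCRIPT is the lab's own lines from Step-5 and Step-6; HARDENED_RUNNING_CONFIG is a hypothetical corrected configuration whose secrets are placeholders.

```python
"""Lint IOS IKE/IPsec and credential settings for weak choices (added example)."""
import re

# Matches a CLI transcript prompt such as 'Primary(config-isakmp)#hash md5'.
PROMPT = re.compile(r"^\S+\(([\w-]+)\)#\s*(.*)$")

# ISAKMP policy keywords (full form and running-config abbreviation) -> weak values, advice.
WEAK_POLICY = {
    "encryption": ({"des", "3des"}, "use 'encryption aes 256'"),
    "encr": ({"des", "3des"}, "use 'encryption aes 256'"),
    "hash": ({"md5", "sha"}, "use 'hash sha256' or stronger"),
    "group": ({"1", "2", "5"}, "use 'group 14' or higher"),
}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}


def iter_commands(text: str):
    """Yield (line_number, mode, command) for both CLI transcripts and running-configs.

    The mode comes from the prompt when one is present; for running-config text the
    indented lines under 'crypto isakmp policy' are treated as config-isakmp mode.
    """
    in_policy = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = PROMPT.match(raw.strip())
        if m:
            mode, command = m.group(1), m.group(2).strip()
        else:
            command = raw.strip()
            if command.startswith("crypto isakmp policy"):
                in_policy = True
            elif raw and not raw[0].isspace():
                in_policy = False
            mode = "config-isakmp" if in_policy and raw[:1].isspace() else "config"
        if command:
            yield lineno, mode, command


def lint_ios_config(text: str) -> list:
    """Return (line_number, command, advice) for every weak setting found."""
    findings = []
    for lineno, mode, cmd in iter_commands(text):
        tokens = cmd.split()
        if mode == "config-isakmp" and len(tokens) >= 2 and tokens[0] in WEAK_POLICY:
            weak, advice = WEAK_POLICY[tokens[0]]
            if tokens[1] in weak:
                findings.append((lineno, cmd, advice))
        elif cmd.startswith("crypto ipsec transform-set"):
            bad = sorted(WEAK_TRANSFORMS.intersection(tokens[4:]))
            if bad:
                findings.append((lineno, cmd, "replace %s with esp-aes 256 / esp-sha256-hmac"
                                 % ", ".join(bad)))
        elif cmd.startswith("crypto isakmp key"):
            if re.search(r"\baddress 0\.0\.0\.0\b", cmd):
                findings.append((lineno, cmd, "wildcard pre-shared key: any peer holding the key "
                                 "can authenticate; bind it to the peer address or use certificates"))
            if len(tokens) > 3 and tokens[3] == "0":
                findings.append((lineno, cmd, "pre-shared key typed in clear text (type 0); "
                                 "store it as type 6 with 'password encryption aes'"))
        elif re.match(r"username \S+ password\b", cmd):
            findings.append((lineno, cmd, "reversible user password; use 'username <name> secret <password>'"))
    return findings


# Constructed sample: the lab's own commands from Step-5 (Primary) and Step-6 (Branch).
SAMPLE_TRANSCRIPT = """\
Primary(config)#crypto isakmp policy 10
Primary(config-isakmp)#encryption 3des
Primary(config-isakmp)#hash md5
Primary(config-isakmp)#authentication pre-share
Primary(config-isakmp)#group 2
Primary(config-isakmp)#exit
Primary(config)# crypto isakmp key 0 testhaipsecvpn address 0.0.0.0
Primary(config)# crypto ipsec transform-set tset esp-3des esp-md5-hmac
Branch(config)#username test password 0 test
"""

# Hypothetical hardened equivalent in running-config form; secrets are placeholders.
HARDENED_RUNNING_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 PLACEHOLDER_TYPE6_BLOB address 203.0.113.20
crypto ipsec transform-set tset esp-aes 256 esp-sha256-hmac
username test secret PLACEHOLDER_HASH
"""

if __name__ == "__main__":
    for lineno, cmd, advice in lint_ios_config(SAMPLE_TRANSCRIPT):
        print("line %d: %s\n    -> %s" % (lineno, cmd, advice))
    print("hardened config findings:", lint_ios_config(HARDENED_RUNNING_CONFIG))
```

Against the lab transcript the linter reports seven findings (the three policy values, two for the pre-shared key line, the transform set and the username), and none against the hardened configuration. Binding the key to 203.0.113.20 on the HQ side is not possible here because Branch-2's address is what should be matched; the HQ routers would bind to 203.0.113.34, and only the branch needs the HSRP virtual address.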

9.4.8 Step-6 Testing

C:\>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 192.168.2.1: bytes=32 time=72ms TTL=254

Reply from 192.168.2.1: bytes=32 time=78ms TTL=254

Reply from 192.168.2.1: bytes=32 time=78ms TTL=254

Reply from 192.168.2.1: bytes=32 time=78ms TTL=254

Ping statistics for 192.168.2.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 72ms, Maximum = 78ms, Average = 76ms

Branch-2:

Branch-2#show crypto isakmp sa

dst src state conn-id slot

203.0.113.20 203.0.113.34 QM_IDLE 1 0

Branch-2#show crypto ipsec sa

interface: FastEthernet0/1

Crypto map tag: smap, local addr. 203.0.113.34

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer: 203.0.113.20

PERMIT, flags={origin_is_acl,}

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8

#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 8

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 6, #recv errors 0

local crypto endpt.: 203.0.113.34, remote crypto endpt.: 203.0.113.20

path mtu 1500, media mtu 1500

current outbound spi: 5F896143

Branch-2#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 64/88/136 ms

Branch-2#
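As an added check that is not part of the book, the following Python parses the two show commands from the test above and decides whether the tunnel to the HSRP virtual address 203.0.113.20 is established and carrying traffic in both directions; the sample text is constructed from the output shown, not captured from a device, and the counter interpretation is this example's own.

```python
import re

# Constructed samples modelled on the Step-6 "show crypto isakmp sa" and
# "show crypto ipsec sa" output above (typed here, not captured from a device).
ISAKMP_SA = """dst src state conn-id slot
203.0.113.20 203.0.113.34 QM_IDLE 1 0
"""
IPSEC_SA = """interface: FastEthernet0/1
current_peer: 203.0.113.20
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 8
#send errors 6, #recv errors 0
current outbound spi: 5F896143
"""
COUNTER_RE = re.compile(r"#(pkts (?:encaps|decaps)|send errors|recv errors)[: ]+(\d+)")

def parse_isakmp_sa(text):
    """One dict per phase-1 SA row; the first line is the column header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3:
            rows.append({"dst": parts[0], "src": parts[1], "state": parts[2]})
    return rows

def parse_ipsec_sa(text):
    """Packet counters plus peer and outbound SPI from the phase-2 SA display."""
    info = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    peer = re.search(r"current_peer: (\S+)", text)
    spi = re.search(r"current outbound spi: (\S+)", text)
    info["peer"] = peer.group(1) if peer else None
    info["spi"] = spi.group(1) if spi else None
    return info

def tunnel_health(isakmp_text, ipsec_text, peer):
    """Tunnel to `peer` is 'up' when IKE reached QM_IDLE, the IPsec SA points at
    that peer and both encaps/decaps are non-zero; send errors only warn."""
    issues, warnings = [], []
    phase1 = [r for r in parse_isakmp_sa(isakmp_text) if peer in (r["dst"], r["src"])]
    if not any(r["state"] == "QM_IDLE" for r in phase1):
        issues.append("no established IKE SA (QM_IDLE) with " + peer)
    sa = parse_ipsec_sa(ipsec_text)
    if sa["peer"] != peer:
        issues.append("IPsec SA peer is %s, expected %s" % (sa["peer"], peer))
    if sa.get("pkts encaps", 0) == 0 or sa.get("pkts decaps", 0) == 0:
        issues.append("traffic flows in one direction only (encaps/decaps is 0)")
    if sa.get("send errors", 0):
        warnings.append("%d send errors; re-check that they stop rising" % sa["send errors"])
    return {"up": not issues, "issues": issues, "warnings": warnings, "sa": sa}
```

Run it against a fresh copy of the two show outputs after failing over the primary router; the peer address stays 203.0.113.20 because the branch only ever sees the HSRP virtual address.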

Details

Pages: 195

Year: 2018

ISBN (Book): 9783668668966

File size: 3.8 MB

Language: English

Catalog Number: v417385

Grade: A

Tags: VPN PPTP L2TP IPsec SSL DMVPN
