SSDV-SEC450_Week 6 - Implement IOS IPSec Site-To-site VPN With Pre-shared Key


Page 1: SSDV-SEC450_Week 6 - Implement IOS IPSec Site-To-site VPN With Pre-shared Key

Introduction

The Implementing IOS IPSec site-to-site VPN with pre-shared key authentication module provides you with the instructions and Cisco hardware to develop your hands-on skills in the following topics:

1) Implement an IOS IPSec site-to-site VPN using CCP and the CLI

Lab Diagram

During your session you will have access to the following lab configuration.

Depending on the exercises you may or may not use all of the devices, but they are

shown here in the layout to get an overall understanding of the topology of the lab.

Connecting to your Lab

In this module you will be working on the following equipment to carry out the steps

defined in each exercise.

NYEDGE1

NYEDGE2

NYCORE1

NYCORE2

NYACCESS1

PLABCSCO01

[Lab diagram. Devices drawn: NYEDGE1 and NYEDGE2 (Cisco 2911 routers, interfaces Gi0/0 and Gi0/1), NYWAN1 (Cisco 2911 router), NWRKWAN1 and LDNWAN1, NYCORE1 and NYCORE2 (Cisco 3750v2-24PS switches, Fas1/0/x ports), NYACCESS1 (Cisco 2960-24 switch, Fas0/x ports), a Cisco IP Phone, and PLABCSCO01 (Cisco Tools Server, Lab NIC 192.168.16.10/24). Networks labelled: Internet, a Frame-Relay WAN cloud with serial links Ser0/0/0, Ser0/0/1, Ser0/1/0 and Ser0/1/1, 172.16.16.0/24, ISP1 172.14.0.3/24 and ISP2 172.14.0.4/24.]

Text in RED indicates a task that needs to be copied with the corresponding

answer(s) to the Lab Report.

Each exercise will detail which terminal you are required to work on to carry out the

steps.

During the boot up process an activity indicator will be displayed in the device name

tab:

Black - Powered Off

Orange - Working on your request

Green - Ready to access

If the remote terminal is not displayed automatically in the main window (or popup), click the Connect icon on the toolbar to start your session.

Copyright Notice

This document and its content is copyright of Practice-IT - © Practice-IT 2014. All rights reserved. Any

redistribution or reproduction of part or all of the contents in any form is prohibited other than the

following:

1) You may print or download to a local hard disk extracts for your personal and non-commercial use

only.

2) You may copy the content to individual third parties for their personal use, but only if you

acknowledge the website as the source of the material. You may not, except with our express written

permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any

other website or other form of electronic retrieval system.

Exercise 1 - Implement an IOS IPSec site-to-site VPN using CCP and the CLI

In this exercise you will configure a site-to-site VPN using Cisco CCP for NYEDGE1 and the CLI on NYEDGE2. VPNs are very common in the workplace: they either provide a cost-effective link across a public network (the Internet) or, in some cases, a secure connection across a private network.

Diagram

Configuring NYEDGE1 using CCP

Step 1

Ensure you have powered on PLABCSCO01 so that you can use the CCP software

located on this server.

Before proceeding, make sure the screen resolution works with the CCP window. Click Settings in the window's upper right corner.

The Personal Setting window appears. It lets you customise the resolution and window type of the lab.

Make sure Open Microsoft devices in a popup window is On. Then, under Resolution, click Smaller or Bigger as needed until you reach 1024x768, and click Save. This resolution works with the CCP window; you can change it to higher or lower later as needed.

[Exercise diagram: NYEDGE1 Gi0/1 172.16.1.1/24 <--- IPSEC Tunnel ---> Gi0/1 172.16.1.2/24 NYEDGE2. NYEDGE1 loopbacks: Loop 1 10.10.0.1/24, Loop 2 10.10.1.1/24. NYEDGE2 loopbacks: Loop 1 10.10.4.1/24, Loop 2 10.10.5.1/24. The Gi0/1 link is 172.16.1.0/24 throughout this exercise; it is the address every step, the ISAKMP key and the show output refer to.]


Step 2

Once PLABCSCO01 is powered on, connect to the desktop and launch the Cisco

Configuration Professional (CCP) software, there is a shortcut on the desktop,

highlighted in the screenshot below.


When the software launches, you can safely ignore the Java message by clicking the

Later button.

When CCP launches, enter in the community settings for NYEDGE1 and NYEDGE2.

They have the IP addresses 192.168.16.1 and 192.168.16.2 respectively. They have

the same username and password of ciscosdm/ciscosdm

Check the Discover all devices checkbox in the bottom left of the window, then click

OK.


Step 3

Once the devices have been discovered, ensure 192.168.16.1 is highlighted (this is

NYEDGE1) and click the Configure button at the top.

Note: If you get a problem about a device being “undiscoverable” close CCP and

start over with Step 2. This can happen if the CCP software is unable to discover

the router because of network latency.


Expand Security > VPN then click the Site-to-Site VPN link.


On the right the task page will appear.

Ensure the Create a site to site VPN tab is selected, then scroll down and click the Launch the selected task button (you may need to scroll down the page to see it).


Step 4

Once the wizard launches, click the Step-by-step wizard radio button then click

Next.

Step 5

On the VPN Connection information page, ensure the following settings are configured:

Select the interface for this VPN connection: GigabitEthernet0/1

Peer identity: Ensure Peer with static IP address is selected

IP Address of the remote peer: 172.16.1.2

Authentication: Select Pre-shared Keys and use a password of cisco123 (a lab value only; with pre-shared key authentication the peers are authenticated only as well as the key is unguessable, so a production key should be long and random, and the same key must be configured on NYEDGE2 later)

Once you are happy with the settings, click Next.


Step 6

At the IKE proposals page, click the Add button to add a new proposal so you

understand this process (we could accept the default proposal in the list).

Step 7

In the Add IKE Policy dialog box, configure the following settings:

Priority: 2

Authentication: PRE_SHARE

Encryption: AES_256

D-H Group: Group2

Hash: SHA_1

Lifetime: 24 0 0 (24 hours, i.e. the 86400 seconds entered in the CLI policy on NYEDGE2 later)

Once you have entered the details, click OK. Note that DH group 2 (1024-bit MODP) and SHA-1 are what this lab and the CCP defaults use; on a current IOS release you would pick a larger DH group and a SHA-2 hash where both peers support them, as the policy contents must match on both sides for IKE to succeed.


Step 8

Back on the IKE Proposals page, notice the new policy that has been added.

Click Next.


Step 9

At the Transform Set page, again so you understand the process, click Add.


Step 10

From the Add Transform Set dialog box, configure the following settings:

Name: Strong

Leave the checkbox checked for Data Integrity with encryption (ESP)

Integrity Algorithm: ESP_SHA_HMAC

Encryption Algorithm: ESP_AES_256

You can leave the advanced settings as default.

Once you are happy, click OK.


Step 11

Back on the Transform Set page, ensure your transform set called Strong is selected

then click Next.

Step 12

In the Traffic to protect page, you want to protect traffic between loopback 1 and loopback 2 of each router. The subnets are as follows (they match the exercise diagram):

NYEDGE1: Loop 1 > 10.10.0.0/24

NYEDGE1: Loop 2 > 10.10.1.0/24

NYEDGE2: Loop 1 > 10.10.4.0/24

NYEDGE2: Loop 2 > 10.10.5.0/24

Each pair of adjacent /24s summarises to one /23, which is what goes into the crypto ACL:

NYEDGE1: 10.10.0.0/23

NYEDGE2: 10.10.4.0/23


Enter in the information for the respective source and destination networks, this can

be seen in the screenshot below:

Once you have entered in the subnets, click Next.

Step 13

At the Summary of the Configuration page, click Finish.

Step 14

First, save the configuration to a file on the desktop.

On the Deliver Configuration to Device dialog box, click Save to file.


Step 15

On the Save File dialog box, keep the default name (CC-CLI-dd-month-YYYY.txt).

Verify that Desktop button on the left is selected then click Save.

Step 16

Back on the Deliver Configuration to Device dialog box, click Deliver.


Step 17

On the Commands Delivery Status dialog box, click OK.

Step 18

Once you have clicked OK you will notice that the state of the VPN is down. This is expected at this point: the peer NYEDGE2 has not been configured yet, and no interesting traffic has triggered IKE.

Minimize the CCP software.


Step 19

From desktop of PLABCSCO01, right-click on the file CC-CLI-dd-month-YYYY.txt

that you just saved, and select Open.


Task 1: Take screenshot of the notepad window showing the VPN site-to-site

configuration file in router NYEDGE1. Include the screenshot in the Lab Report.

Continue by configuring NYEDGE2.

Configuring NYEDGE2 using the CLI

Next we configure the peer router NYEDGE2 using the CLI, so that both configuration methods are covered.

Step 1

Connect to NYEDGE2. If you reviewed the configuration script CCP applied to NYEDGE1, the same CLI changes now need to be made by hand, with some settings reversed (the source and destination of the ACL, and the peer address).

The first step is to configure the crypto access list. Rather than using the naming convention CCP uses, we create a named extended ACL called S2SNYEDGE1. It matches NYEDGE2's 10.10.4.0/23 as source and NYEDGE1's 10.10.0.0/23 as destination, the mirror image of the entry CCP wrote on NYEDGE1; if the two crypto ACLs are not exact mirrors, one side will encrypt and the other will drop:

NYEDGE2>enable

NYEDGE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYEDGE2(config)#ip access-list extended S2SNYEDGE1

NYEDGE2(config-ext-nacl)#permit ip 10.10.4.0 0.0.1.255 10.10.0.0 0.0.1.255


NYEDGE2(config-ext-nacl)# exit

NYEDGE2(config)#

Step 2

Next we configure the same transform set that we built using CCP. Use the following

commands to configure this:

NYEDGE2(config)#crypto ipsec transform-set Strong esp-sha-hmac esp-aes 256

NYEDGE2(cfg-crypto-trans)# mode tunnel

NYEDGE2(cfg-crypto-trans)# exit

NYEDGE2(config)#

Step 3

Next we need to configure the crypto map. To do this use the following commands. Note that IOS prints a warning when the map entry is created (% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.); don't worry about it, as the peer and the access list are both set in this same step:

NYEDGE2(config)#crypto map NYEDGE1MAP 1 ipsec-isakmp

NYEDGE2(config-crypto-map)# set transform-set Strong

NYEDGE2(config-crypto-map)# set peer 172.16.1.1

NYEDGE2(config-crypto-map)# match address S2SNYEDGE1

NYEDGE2(config-crypto-map)# exit

NYEDGE2(config)#

Step 4

Next we configure the pre-shared key and bind it to the Gi0/1 IP address of NYEDGE1. It must be identical to the key entered in CCP (cisco123). Note that the key is stored in the running configuration in clear text (type 0) unless the router has key config-key password-encrypt and password encryption aes configured, so treat show running-config output as sensitive:

NYEDGE2(config)#crypto isakmp key cisco123 address 172.16.1.1

Step 5

Next we create the ISAKMP policy:

NYEDGE2(config)#crypto isakmp policy 1

NYEDGE2(config-isakmp)#authentication pre-share

NYEDGE2(config-isakmp)#encryption aes 256

NYEDGE2(config-isakmp)#hash sha

NYEDGE2(config-isakmp)#group 2


NYEDGE2(config-isakmp)#lifetime 86400

NYEDGE2(config-isakmp)#exit

NYEDGE2(config)#exit

Step 6

Finally we apply the crypto map to the interface (Gi0/1). The ISAKMP policy on NYEDGE2 is priority 1 while the one CCP created on NYEDGE1 is priority 2; the number only sets the local evaluation order, and IKE negotiation succeeds because the policy contents match:

NYEDGE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYEDGE2(config)#interface gigabitEthernet 0/1

NYEDGE2(config-if)#crypto map NYEDGE1MAP

NYEDGE2(config-if)#exit

NYEDGE2(config)#exit
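The two halves of the configuration are mirror images: the crypto ACL, peer address and key on NYEDGE2 are the NYEDGE1 values with source and destination swapped, which is exactly where hand-typed site-to-site configs drift apart. The following Python script is an added example, not part of the lab manual or Cisco's tooling. It generates both routers' crypto configuration from one description of the tunnel using the lab's own values and checks that the two crypto ACLs mirror each other. The ACL and crypto map names follow the lab's NYEDGE2 convention (S2S<peer>, <peer>MAP); the corresponding names on NYEDGE1 are an assumption, since CCP generates its own SDM_* names. It also emits the static route to the remote /23 that the Verifying section below discovers is missing.

```python
"""Generate mirrored IOS site-to-site IPsec configs for two peers.

Added example for this lab, not Cisco's or the lab's own code. It emits the
commands the lab types into NYEDGE2 by hand, for both routers, so the
mirroring of ACL, peer address and key is done once and cannot drift.
"""
from __future__ import annotations

import ipaddress


def wildcard(cidr: str) -> str:
    """'10.10.4.0/23' -> '10.10.4.0 0.0.1.255' (IOS ACL address + wildcard)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.hostmask}"


def crypto_config(local: dict, remote: dict, psk: str,
                  policy: int = 1, transform: str = "Strong") -> list[str]:
    """Return the IOS crypto configuration for `local`, peering with `remote`.

    Each peer dict has: name, wan (Gi0/1 address), wan_if, lans (list of CIDRs).
    Order matters on a real router: the ISAKMP policy and key exist before the
    crypto map references the peer, and the map is bound to the interface last.
    """
    acl = f"S2S{remote['name']}"      # lab naming: S2SNYEDGE1 on NYEDGE2 (assumed on NYEDGE1)
    cmap = f"{remote['name']}MAP"     # lab naming: NYEDGE1MAP on NYEDGE2 (assumed on NYEDGE1)
    lines = [f"ip access-list extended {acl}"]
    for lnet in local["lans"]:
        for rnet in remote["lans"]:
            lines.append(f" permit ip {wildcard(lnet)} {wildcard(rnet)}")
    lines += [
        f"crypto isakmp policy {policy}",
        " authentication pre-share",
        " encryption aes 256",
        " hash sha",
        " group 2",
        " lifetime 86400",
        f"crypto isakmp key {psk} address {remote['wan']}",
        f"crypto ipsec transform-set {transform} esp-aes 256 esp-sha-hmac",
        " mode tunnel",
        f"crypto map {cmap} 1 ipsec-isakmp",
        f" set peer {remote['wan']}",
        f" set transform-set {transform}",
        f" match address {acl}",
        f"interface {local['wan_if']}",
        f" crypto map {cmap}",
    ]
    # Static route so packets for the remote LAN are routed out the crypto-mapped
    # interface; without it the crypto map never sees them (the lab's first ping).
    for rnet in remote["lans"]:
        net = ipaddress.ip_network(rnet)
        lines.append(f"ip route {net.network_address} {net.netmask} {remote['wan']}")
    return lines


def acl_permits(lines: list[str]) -> list[tuple[str, str]]:
    """Extract (source, destination) pairs from ' permit ip S WS D WD' lines."""
    pairs = []
    for line in lines:
        parts = line.split()
        if parts[:2] == ["permit", "ip"]:
            pairs.append((" ".join(parts[2:4]), " ".join(parts[4:6])))
    return pairs


def acls_mirror(side_a: list[str], side_b: list[str]) -> bool:
    """True when every permit on one side appears with src/dst swapped on the other."""
    a = set(acl_permits(side_a))
    b = {(dst, src) for src, dst in acl_permits(side_b)}
    return bool(a) and a == b


# Lab values: Gi0/1 addresses and the summarised /23 loopback ranges from the exercise.
NYEDGE1 = {"name": "NYEDGE1", "wan": "172.16.1.1", "wan_if": "GigabitEthernet0/1",
           "lans": ["10.10.0.0/23"]}
NYEDGE2 = {"name": "NYEDGE2", "wan": "172.16.1.2", "wan_if": "GigabitEthernet0/1",
           "lans": ["10.10.4.0/23"]}


def lab_configs(psk: str = "cisco123") -> dict[str, list[str]]:
    """Both sides of the lab tunnel, generated from the same two peer records."""
    return {"NYEDGE1": crypto_config(NYEDGE1, NYEDGE2, psk),
            "NYEDGE2": crypto_config(NYEDGE2, NYEDGE1, psk)}


if __name__ == "__main__":
    cfgs = lab_configs()
    for router, lines in cfgs.items():
        print(f"! ---- {router} ----")
        print("\n".join(lines))
    print("! crypto ACLs mirror each other:", acls_mirror(cfgs["NYEDGE1"], cfgs["NYEDGE2"]))
```

Run it and paste each router's block into configure terminal. The acls_mirror check is the one worth keeping around: a crypto ACL that is not the exact mirror of the peer's is the usual cause of a tunnel that shows packets encrypted on one side and nothing decrypted on the other.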

Verifying the VPN

Finally we want to verify that the VPN works. We need to initiate some traffic to test

this, first let’s look at some counters:

On NYEDGE1 use the show crypto ipsec sa command:

NYEDGE1>enable

NYEDGE1#show crypto ipsec sa

interface: GigabitEthernet0/1

Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (10.10.0.0/255.255.254.0/0/0)

remote ident (addr/mask/prot/port): (10.10.4.0/255.255.254.0/0/0)

current_peer 172.16.1.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.2

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

current outbound spi: 0x0(0)

PFS (Y/N): N, DH group: none

(Output omitted)

In the output you can see that no packets have been encrypted or decrypted. This is

helpful when diagnosing a VPN, as sometimes you can see packets being encrypted

but not decrypted or vice-versa.

Let’s initiate some traffic, ping from NYEDGE1 with a source IP address of 10.10.0.1

to 10.10.4.1:

NYEDGE1#ping ip 10.10.4.1 source 10.10.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.4.1, timeout is 2 seconds:

Packet sent with a source address of 10.10.0.1

.....

Success rate is 0 percent (0/5)

Task 2: Take screenshot showing unsuccessful connectivity between 10.10.4.1

and 10.10.0.1. Include the screenshot in the Lab Report.

Notice the ping fails!

Viewing the output of the show crypto ipsec sa command still shows no encrypted packets, and the outbound SPI is still 0x0, so IKE was never even triggered. We need to go back to basics: there is no route to 10.10.4.0/23 on NYEDGE1. A crypto map only evaluates packets that are routed out of the interface it is applied to, so a ping with no route is dropped before the crypto ACL ever sees it.

Add routes on both routers:

NYEDGE1

NYEDGE1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYEDGE1(config)#ip route 10.10.4.0 255.255.254.0 172.16.1.2

NYEDGE1(config)#exit

NYEDGE2

NYEDGE2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYEDGE2(config)#ip route 10.10.0.0 255.255.254.0 172.16.1.1

Retry the ping from NYEDGE1:


NYEDGE1#ping ip 10.10.4.1 source 10.10.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.4.1, timeout is 2 seconds:

Packet sent with a source address of 10.10.0.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

The first echo times out while the routers negotiate the IKE phase 1 and phase 2 SAs; the remaining four are answered once the tunnel is up.

Task 3: Take screenshot showing successful connectivity between 10.10.4.1 and

10.10.0.1. Include the screenshot in the Lab Report.

How do we know the packets are encrypted?

NYEDGE1#show crypto ipsec sa

interface: GigabitEthernet0/1

Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1

protected vrf: (none)

local ident (addr/mask/prot/port): (10.10.0.0/255.255.254.0/0/0)

remote ident (addr/mask/prot/port): (10.10.4.0/255.255.254.0/0/0)

current_peer 172.16.1.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

(Output omitted)

Notice that the counters for encrypted and decrypted packets have gone up by 4, and that our ping was answered 4 times. The phase 1 SA can be confirmed on either router with show crypto isakmp sa, which should list 172.16.1.1 and 172.16.1.2 in state QM_IDLE.

Task 4: Take screenshot of command show crypto ipsec sa output showing 4

packets encrypted and decrypted. Include the screenshot in the Lab Report.
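Reading the encrypt/decrypt counters by eye works for one tunnel; the pattern is worth encoding once you have many. The following Python script is an added example, not from the lab or Cisco. It parses the two show crypto ipsec sa outputs shown above (transcribed here as sample input) and classifies the SA the way the text describes: no SA yet, healthy both ways, or the one-way "encrypt but not decrypt" symptom. The current outbound spi line in the second sample is constructed, since the page's second output omits it; its value is taken from the ESP SPI visible in the NYEDGE2 debug dump later in this exercise.

```python
"""Parse `show crypto ipsec sa` and diagnose the SA from its counters.

Added example, not from the lab or Cisco. The samples are transcribed from the
outputs in this exercise (the second one's outbound SPI line is constructed).
"""
import ipaddress
import re

SA_BEFORE_PING = """\
interface: GigabitEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.254.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.4.0/255.255.254.0/0/0)
   current_peer 172.16.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""

SA_AFTER_PING = """\
interface: GigabitEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.254.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.4.0/255.255.254.0/0/0)
   current_peer 172.16.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0
     current outbound spi: 0x3C52BA31(1012054577)
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
SPI_RE = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")


def parse_ipsec_sa(text: str) -> dict:
    """Pull endpoints, proxy identities, packet counters and outbound SPI out of the output."""
    sa = {"counters": {}}
    m = re.search(r"local addr ([\d.]+)", text)
    sa["local_addr"] = m.group(1) if m else None
    m = re.search(r"current_peer ([\d.]+) port (\d+)", text)
    sa["peer"], sa["peer_port"] = (m.group(1), int(m.group(2))) if m else (None, None)
    for side, addr, mask in IDENT_RE.findall(text):
        # 10.10.0.0/255.255.254.0 -> 10.10.0.0/23, the crypto ACL entry in CIDR form
        sa[f"{side}_net"] = str(ipaddress.ip_network(f"{addr}/{mask}"))
    for name, value in COUNTER_RE.findall(text):
        sa["counters"][name] = int(value)
    m = ERRORS_RE.search(text)
    sa["send_errors"], sa["recv_errors"] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    m = SPI_RE.search(text)
    sa["outbound_spi"] = int(m.group(1), 16) if m else 0
    return sa


def diagnose(sa: dict) -> str:
    """Classify the SA the way you would read the counters by hand."""
    c = sa["counters"]
    enc, dec = c.get("encrypt", 0), c.get("decrypt", 0)
    if sa["outbound_spi"] == 0:
        return "no-sa"          # phase 2 never completed: no interesting traffic or IKE failed
    if enc and not dec:
        return "encrypt-only"   # we send, nothing comes back: peer's ACL/route/crypto map
    if dec and not enc:
        return "decrypt-only"   # peer sends, we never reply: our ACL/route
    if sa["send_errors"] or sa["recv_errors"]:
        return "errors"
    return "bidirectional" if enc else "idle"


def counter_delta(before: dict, after: dict) -> dict:
    """Per-counter change between two snapshots, e.g. around a test ping."""
    keys = set(before["counters"]) | set(after["counters"])
    return {k: after["counters"].get(k, 0) - before["counters"].get(k, 0) for k in keys}


if __name__ == "__main__":
    before, after = parse_ipsec_sa(SA_BEFORE_PING), parse_ipsec_sa(SA_AFTER_PING)
    print("before ping:", diagnose(before))
    print("after ping: ", diagnose(after), counter_delta(before, after))
```

The delta of 4 on both encrypt and decrypt is the number of echo replies in the lab's successful ping. An encrypt-only result is the one to learn to recognise: it means the packets left this router inside ESP but the far side either dropped them (non-mirrored crypto ACL, missing route back) or answered outside the tunnel.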

You can also use the debug crypto engine packet command. However, word of

extreme caution - this is a fairly noisy debug, so do not use it in a production

environment unless you really know what you are doing!

Enable this debug on NYEDGE2, then re-issue a ping from NYEDGE1. Here is a snippet of the output on NYEDGE2:

NYEDGE2(config)#exit

NYEDGE2#debug crypto engine packet

Crypto Engine Packet debugging is on

NYEDGE2#

*Aug 1 16:03:29.819: crypto_sb_oce_alloc_fwd_handle: created forw_handle=3D49B0D0 using oce=0 type=0 for pak=2181FBC8, track=3D9F3EFC

*Aug 1 16:03:29.819: Before decryption:

0E220990:                   4500 00A806C4 0000FE32          E..(.D..~2

0E2209A0: 5B3CAC10 0101AC10 01023C52 BA310000  [<,...,...

0E2209B0: 000A42D6 C0C3D03B 3855B1EA E1B8CDEA  ..BV@CP;8U1ja8Mj

0E2209C0: 4317F58F B01B                        C.u.0. ...

*Aug 1 16:03:29.819: After decryption:

0E2209C0:           4500 00640046 0000FF01 A33D0A0A  E..d.F....#=..

0E2209D0: 00010A0A 04010800 AF2E000E 00000000  ......../.......

0E2209E0: 00000045 CEC8ABCD ABCDABCD ABCDABCD  ...ENH+M+M+M+M+M

0E2209F0: ABCD                                 +M ...

(Output omitted)
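The debug shows the same packet twice, and reading the raw hex is the quickest way to see what tunnel mode actually puts on the wire. The following Python script is an added example, not from the lab or Cisco. It takes the two hex dumps from the NYEDGE2 debug output above (transcribed here as sample input; the debug prints only the first 48 bytes of each packet), reads any IOS-style "ADDR: hex hex ... ascii" dump into bytes, decodes the IPv4 header, verifies the header checksum, and then decodes either the ESP header (outer packet) or the ICMP header (inner packet).

```python
"""Decode the two IOS `debug crypto engine packet` hex dumps from this exercise.

Added example, not from the lab or Cisco. The dumps are transcribed from the
NYEDGE2 debug output; the parser accepts any IOS-style 'ADDR: hex ... ascii' dump.
"""
import ipaddress
import re
import struct

BEFORE_DECRYPTION = """\
0E220990:                   4500 00A806C4 0000FE32          E..(.D..~2
0E2209A0: 5B3CAC10 0101AC10 01023C52 BA310000  [<,...,...
0E2209B0: 000A42D6 C0C3D03B 3855B1EA E1B8CDEA  ..BV@CP;8U1ja8Mj
0E2209C0: 4317F58F B01B                        C.u.0.
"""

AFTER_DECRYPTION = """\
0E2209C0:           4500 00640046 0000FF01 A33D0A0A  E..d.F....#=..
0E2209D0: 00010A0A 04010800 AF2E000E 00000000  ......../.......
0E2209E0: 00000045 CEC8ABCD ABCDABCD ABCDABCD  ...ENH+M+M+M+M+M
0E2209F0: ABCD                                 +M
"""

HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]+$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the hex words of each row; stop at the first non-hex token (the ASCII column)."""
    words = []
    for line in dump.splitlines():
        _addr, sep, rest = line.partition(":")
        if not sep:
            continue
        for tok in rest.split():
            if HEX_TOKEN.match(tok) and len(tok) % 2 == 0:
                words.append(tok)
            else:
                break
    return bytes.fromhex("".join(words))


def ipv4_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the header, checksum field included, must fold to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_packet(dump: str) -> dict:
    """Parse the IPv4 header and, for ESP or ICMP, the first 8 bytes of the payload."""
    pkt = hexdump_to_bytes(dump)
    (vihl, _tos, total_len, _ident, _frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    info = {
        "version": vihl >> 4, "ihl": ihl, "total_length": total_len, "ttl": ttl,
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "header_checksum_ok": ipv4_checksum_ok(pkt[:ihl]),
        "bytes_in_dump": len(pkt),
    }
    payload = pkt[ihl:]
    if proto == 50:   # ESP (RFC 4303): SPI, sequence number, then IV + ciphertext
        spi, seq = struct.unpack("!II", payload[:8])
        info["esp"] = {"spi": spi, "seq": seq}
    elif proto == 1:  # ICMP: type, code, checksum, identifier, sequence
        typ, code, _c, ident, seq = struct.unpack("!BBHHH", payload[:8])
        info["icmp"] = {"type": typ, "code": code, "id": ident, "seq": seq}
    return info


if __name__ == "__main__":
    for label, dump in (("outer (before decryption)", BEFORE_DECRYPTION),
                        ("inner (after decryption)", AFTER_DECRYPTION)):
        print(label, decode_packet(dump))
```

The outer packet decodes to protocol 50 from 172.16.1.1 to 172.16.1.2 with SPI 0x3C52BA31 and a total length of 168; the inner one to ICMP echo request from 10.10.0.1 to 10.10.4.1 with a total length of 100. The 68-byte difference is the tunnel-mode overhead: a 20-byte outer IP header, 8-byte ESP header, 16-byte AES IV, 12-byte SHA-1 HMAC ICV, and padding plus the 2-byte ESP trailer to bring the encrypted part up to a multiple of the AES block size.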

The two dumps above are the same ping seen on NYEDGE2 at two points. Before decryption is the packet as it arrived on Gi0/1: an IP header from 172.16.1.1 to 172.16.1.2 (AC10 0101 / AC10 0102) with protocol 0x32 (50, ESP), followed by the ESP SPI 3C52BA31, the sequence number 0000000A and then ciphertext with no visible structure. After decryption is the inner packet the tunnel carried: protocol 01 (ICMP) from 10.10.0.1 to 10.10.4.1 (0A0A 0001 / 0A0A 0401), type 08 (echo request), followed by the ABCD pattern IOS ping uses as padding. Only the outer header is visible on the wire, which is the point of tunnel mode.

Turn the debug off on NYEDGE2 (u all is the IOS abbreviation of undebug all):

NYEDGE2#u all

All possible debugging has been turned off

NYEDGE2#

Task 5: Take screenshot of NYEDGE2 CLI showing debugging bottom output.

Include the screenshot in the Lab Report.

Switch over to PLABCSCO01 device.

In the CCP software, on the toolbar click Monitor.

Then expand out in the tree structure, Security > VPN Status and select IPSec

Tunnels

On the VPN Status pane, notice the details about the IPSec Tunnel you created.

You have successfully built a VPN using both the CLI and the CCP software!

Task 6: Take a screenshot of the CCP IPSec Tunnels status pane on PLABCSCO01 showing the encrypted and decrypted packet counters. Include the screenshot in the Lab Report.

Summary

You covered the following activities in this module:

You used the CCP software to build one half of a site-to-site VPN between two routers.

You configured the other half of the site-to-site VPN using the CLI.

You confirmed the VPN works by testing it and watching the packets being encrypted and decrypted.

You also monitored the VPN status using the CCP software.

This concludes the Implementing IOS IPSec site-to-site VPN with pre-shared key authentication lab. Save the Lab Report and submit it to the iLab DropBox in week 6.