Wednesday, February 10, 2010

[Cisco] Cisco IPSEC site-to-site configuration



Cisco IPSec SITE-TO-SITE
Diagram:
(10.0.1.0/24)LAN-------[R1] atm0 ------ back to back ------ atm0 [R2]---LAN(10.0.2.0/24)
!==========================================================================
[R1]

R1#sh run
Building configuration...

Current configuration : 1622 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
!
username cisco password 0 cisco
!
!
controller DSL 0
mode atm
line-term co
line-mode 4-wire enhanced
dsl-mode shdsl symmetric annex B
line-rate 1024
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key VPNPASSWORD address 192.168.12.2
!
!
crypto ipsec transform-set TRANSFORM-1 esp-aes esp-sha-hmac
!
crypto map VPN-IPSEC 10 ipsec-isakmp
set peer 192.168.12.2
set transform-set TRANSFORM-1
match address ACL-VPN-CLIENT
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
ip address 192.168.12.1 255.255.255.0
ip access-group BLOCK-ANY-IN in
no atm ilmi-keepalive
pvc 0/100
encapsulation aal5snap
!
crypto map VPN-IPSEC
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 10.0.1.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
!
no ip http server
no ip http secure-server
!
ip access-list extended ACL-VPN-CLIENT
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended BLOCK-ANY-IN
permit ip host 192.168.12.2 host 192.168.12.1
ip access-list extended VPN-CLIENT
!
!
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
logging synchronous
login
!
scheduler max-task-time 5000
end
!==========================================================================
[R2]

R2#sh run
Building configuration...

Current configuration : 1588 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
!
username cisco password 0 cisco
!
!
controller DSL 0
mode atm
line-term cpe
line-mode 4-wire enhanced
dsl-mode shdsl symmetric annex B
line-rate 1024
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key VPNPASSWORD address 192.168.12.1
!
!
crypto ipsec transform-set TRANSFORM-1 esp-aes esp-sha-hmac
!
crypto map VPN-IPSEC 10 ipsec-isakmp
set peer 192.168.12.1
set transform-set TRANSFORM-1
match address ACL-VPN-CLIENT
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
ip address 192.168.12.2 255.255.255.0
ip access-group BLOCK-ANY-IN in
no atm ilmi-keepalive
pvc 0/100
encapsulation aal5snap
!
crypto map VPN-IPSEC
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 10.0.2.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.12.1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended ACL-VPN-CLIENT
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended BLOCK-ANY-IN
permit ip host 192.168.12.1 host 192.168.12.2
!
!
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
logging synchronous
login
!
scheduler max-task-time 5000
end

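The two running-configs above only work because every crypto setting on R1 has its exact mirror on R2. The script below is an added example, not part of the original post: it parses the relevant lines of R1 (copied from the config above; R2 is rebuilt by swapping the two ends, as on the page) and reports the asymmetries that usually leave a crypto-map session short of UP-ACTIVE: set peer vs. the far side's crypto-map interface address, the pre-shared key, the transform-set proposals, and crypto ACLs that are not mirror images.

```python
# Added example (not part of the original post): cross-check two IOS running-configs
# for the settings that must agree on both peers before a crypto-map site-to-site
# tunnel reaches UP-ACTIVE. Expects the cleartext PSK form used on the page
# ("crypto isakmp key KEY address PEER") and show-run indentation (one space per sub-line).
R1_CFG = """
crypto isakmp key VPNPASSWORD address 192.168.12.2
crypto ipsec transform-set TRANSFORM-1 esp-aes esp-sha-hmac
crypto map VPN-IPSEC 10 ipsec-isakmp
 set peer 192.168.12.2
 set transform-set TRANSFORM-1
 match address ACL-VPN-CLIENT
interface ATM0
 ip address 192.168.12.1 255.255.255.0
 crypto map VPN-IPSEC
ip access-list extended ACL-VPN-CLIENT
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
"""
def swap(text, a, b):  # R2 on the page is R1 with the two ends exchanged
    return text.replace(a, "\0").replace(b, a).replace("\0", b)
R2_CFG = swap(swap(R1_CFG, "192.168.12.1", "192.168.12.2"), "10.0.1.0", "10.0.2.0")

def parse_ios(cfg):  # -> (top-level command tuples, {header tuple: [sub-line token lists]})
    top, blocks = [], {}
    for line in (ln for ln in cfg.splitlines() if ln.strip() and not ln.startswith("!")):
        if line.startswith(" "):                 # indented => sub-line of the last top-level command
            blocks.setdefault(top[-1], []).append(line.split())
        else:
            top.append(tuple(line.split()))
    return top, blocks

def tunnel_view(cfg):  # -> (crypto interface address, peer, PSK for that peer, IPsec proposals, crypto ACL)
    top, blocks = parse_ios(cfg)
    def block(*prefix):          # sub-lines of the first block whose header starts with prefix
        return next((b for h, b in blocks.items() if h[:len(prefix)] == prefix), [])
    iface = next(b for h, b in blocks.items() if h[0] == "interface" and ["crypto", "map"] in [ln[:2] for ln in b])
    sub = {ln[1]: ln[2] for ln in iface if len(ln) > 2}        # "address" -> ip, "map" -> crypto map name
    cm = {ln[1]: ln[2] for ln in block("crypto", "map", sub["map"]) if len(ln) > 2}  # peer, transform-set, address
    psk = next((h[3] for h in top if h[:3] == ("crypto", "isakmp", "key") and h[5] == cm["peer"]), None)
    ts = next((h[4:] for h in top if h[:4] == ("crypto", "ipsec", "transform-set", cm["transform-set"])), None)
    acl = sorted(tuple(ln[2:]) for ln in block("ip", "access-list", "extended", cm["address"]) if ln[0] == "permit")
    return sub["address"], cm["peer"], psk, ts, acl

def audit_pair(cfg_a, cfg_b):  # -> asymmetries that would keep the two peers from building the tunnel
    (a_ad, a_pe, a_ke, a_ts, a_acl), (b_ad, b_pe, b_ke, b_ts, b_acl) = tunnel_view(cfg_a), tunnel_view(cfg_b)
    mirror = sorted((d, dw, s, sw) for s, sw, d, dw in b_acl)   # far side's crypto ACL with src/dst reversed
    checks = [(a_pe == b_ad and b_pe == a_ad, "set peer is not the far side's crypto-map interface address"),
              (bool(a_ke) and a_ke == b_ke, "pre-shared key missing for the peer address or not identical"),
              (bool(a_ts) and a_ts == b_ts, "transform-set proposals differ"),
              (bool(a_acl) and a_acl == mirror, "crypto ACLs are not mirror images of each other")]
    return [msg for ok, msg in checks if not ok]
```

For the pair above `audit_pair(R1_CFG, R2_CFG)` returns an empty list; editing one side's PSK, transform-set, peer or crypto ACL produces the corresponding message.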
!==========================================================================
[VERIFY]

R1#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: ATM0
Session status: UP-ACTIVE
Peer: 192.168.12.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.12.2
Desc: (none)
IKE SA: local 192.168.12.1/500 remote 192.168.12.2/500 Active
Capabilities:(none) connid:1001 lifetime:23:48:32
IPSEC FLOW: permit ip 10.0.1.0/255.255.255.0 10.0.2.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4588216/2912
Outbound: #pkts enc'ed 9 drop 1 life (KB/Sec) 4588216/2912

R1#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1001 192.168.12.1 192.168.12.2 ACTIVE aes sha psk 5 23:51:15
Engine-id:Conn-id = C87X_MBRD:1

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa detail

interface: ATM0
Crypto map tag: VPN-IPSEC, local addr 192.168.12.1

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
current_peer 192.168.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 1, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.12.2
path mtu 4470, ip mtu 4470
current outbound spi: 0x90625D97(2422365591)

inbound esp sas:
spi: 0xF592CE25(4120038949)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: C87X_MBRD:1, crypto map: VPN-IPSEC
sa timing: remaining key lifetime (k/sec): (4588216/3051)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x90625D97(2422365591)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: C87X_MBRD:2, crypto map: VPN-IPSEC
sa timing: remaining key lifetime (k/sec): (4588216/3051)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas: