I've visited many countries, mostly in Asia, setting up client VPN connections and our Point-of-Presence (POP) connection back to our HQ in Singapore. I started doing network security (with CCNA Security) back in 2012 and I'm now enjoying the travel perks that come with network security skills. This is me at the Petronas Towers in Kuala Lumpur, Malaysia, where I set up a client site with MetroE as the primary link and a DSL Internet line as backup.
I've observed that many companies today are buying cheaper but secure WAN solutions, especially for remote locations. Companies also try to use VPN as a backup WAN solution.
It's fun educating my colleagues, mainly those with routing and switching skills, about security terms, the ASA firewall CLI (mostly NAT) and recipes for creating IPsec VPNs. It also helps me reinforce my network security and ASA firewall knowledge. I always say that the "official" security term is GRE over IPsec, and the mnemonic I use is "GRE is covered by IPsec."
Branch(config)#interface loopback1
Branch(config-if)#
*Jan 3 23:37:17.179: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
Branch(config-if)#description Branch LAN
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#interface s0/0/1
Branch(config-if)#description Connection to ISP
Branch(config-if)#ip address 209.165.200.242 255.255.255.248
Branch(config-if)#bandwidth 64
Branch(config-if)#no shutdown
*Jan 3 23:38:07.179: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
HQ(config)#interface loopback1
HQ(config-if)#
*Jan 3 22:20:47.579: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
HQ(config-if)#description Headquarters LAN
HQ(config-if)#ip address 10.10.10.1 255.255.255.0
HQ(config-if)#interface s0/0/1
HQ(config-if)#description Connection to ISP
HQ(config-if)#ip address 209.165.200.226 255.255.255.248
HQ(config-if)#clock rate 64000
HQ(config-if)#bandwidth 64
HQ(config-if)#no shutdown
HQ(config-if)#
*Jan 3 22:21:55.527: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jan 3 22:21:56.527: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
ISP(config)#interface loopback1
ISP(config-if)#
*Jan 3 22:59:50.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
ISP(config-if)#description Simulating the Internet
ISP(config-if)#ip address 209.165.202.129 255.255.255.240
ISP(config-if)#interface s0/0/0
ISP(config-if)#description Connection to Branch
ISP(config-if)#ip address 209.165.200.241 255.255.255.248
ISP(config-if)#clock rate 64000
ISP(config-if)#bandwidth 64
ISP(config-if)#no shutdown
ISP(config-if)#
*Jan 3 23:00:53.167: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jan 3 23:00:54.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
ISP(config-if)#do ping 209.165.200.242
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.242, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
ISP(config-if)#interface s0/0/1
ISP(config-if)#description Connection to HQ
ISP(config-if)#ip address 209.165.200.225 255.255.255.248
ISP(config-if)#bandwidth 64
ISP(config-if)#no shutdown
ISP(config-if)#do ping 209.165.200.226
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
ISP(config-if)#exit
ISP(config)#ip route 209.165.200.232 255.255.255.248 serial0/0/1
ISP(config)#ip route 209.165.200.248 255.255.255.248 serial0/0/0
Branch#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/0/0 unassigned YES NVRAM administratively down down
Serial0/0/1 209.165.200.242 YES manual up up
Loopback1 192.168.1.1 YES manual up up
Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds: // NO LEARNED ROUTE
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds: // NO LEARNED ROUTE
.....
Success rate is 0 percent (0/5)
Branch#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set // NO DEFAULT ROUTE TO ISP
209.165.200.0/29 is subnetted, 1 subnets
C 209.165.200.240 is directly connected, Serial0/0/1
C 192.168.1.0/24 is directly connected, Loopback1
Branch(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.241
HQ(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.225
Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address source 192.168.1.1 }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 // ISP BLOCKS PRIVATE IP; NO NAT CONFIGURED
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
Branch(config)#ip access-list extended BRANCH_NAT_ACL // SKIP NAT DUE TO ROUTER MEMORY ISSUE
Branch(config-ext-nacl)#remark ?
LINE Comment up to 100 characters
<cr>
Branch(config-ext-nacl)#remark Do not translate Branch LAN to HQ LAN addresses
Branch(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255 // FOR S2S IPSEC VPN
Branch(config-ext-nacl)#remark Translate LAN to all Internet destinations
Branch(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any // NAT ACL
Branch(config-ext-nacl)#exit
Branch(config)#ip nat ?
Stateful Stateful NAT configuration commands
create Create flow entries
inside Inside address translation
log NAT Logging
outside Outside address translation
piggyback-support NAT Piggybacking Support
pool Define pool of addresses
portmap Define portmap of portranges
service Special translation for application using non-standard
port
sip-sbc SIP Session Border Controller commands
source Source address translation
translation NAT translation entry configuration
Branch(config)#ip nat pool ?
WORD Pool name
Branch(config)#ip nat pool BRANCH_NAT_POOL ?
A.B.C.D Start IP address
netmask Specify the network mask
prefix-length Specify the prefix length
Branch(config)#ip nat pool BRANCH_NAT_POOL 209.165.200.249 ?
A.B.C.D End IP address
Branch(config)#ip nat pool BRANCH_NAT_POOL 209.165.200.249 209.165.200.254 ?
netmask Specify the network mask
prefix-length Specify the prefix length
Branch(config)#ip nat pool BRANCH_NAT_POOL 209.165.200.249 209.165.200.254 prefix-length ?
<1-32> Prefix length
Branch(config)#ip nat pool BRANCH_NAT_POOL 209.165.200.249 209.165.200.254 prefix-length 29
Branch(config)#
*Jan 3 23:56:03.863: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
Branch(config)#ip nat inside ?
destination Destination address translation
source Source address translation
Branch(config)#ip nat inside source ?
list Specify access list describing local addresses
route-map Specify route-map
static Specify static local->global mapping
Branch(config)#ip nat inside source list ?
<1-2699> Access list number for local addresses
WORD Access list name for local addresses
Branch(config)#ip nat inside source list BRANCH_NAT_ACL ?
interface Specify interface for global address
pool Name pool of global addresses
Branch(config)#ip nat inside source list BRANCH_NAT_ACL pool ?
WORD Pool name for global addresses
Branch(config)#ip nat inside source list BRANCH_NAT_ACL pool BRANCH_NAT_POOL
Branch(config)#interface loopback1
Branch(config-if)#ip nat inside
Branch(config-if)#interface s0/0/1
Branch(config-if)#ip nat outside
Branch(config-if)#end
Branch#ping 10.10.10.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 // ISP CAN'T ROUTE PINGS TO PRIVATE IP ON HQ; IPsecVPN IS NEEDED TO PROTECT TRAFFIC TRAVERSING THE PUBLIC INTERNET
.....
Success rate is 0 percent (0/5)
Branch(config)#crypto ?
ca Certification authority
call Configure Crypto Call Admission Control
ctcp Configure cTCP encapsulation
dynamic-map Specify a dynamic crypto map template
engine Enter a crypto engine configurable menu
gdoi Configure GDOI policy
identity Enter a crypto identity list
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
key Long term key operations
keyring Key ring commands
logging logging messages
map Enter a crypto map
mib Configure Crypto-related MIB Parameters
pki Public Key components
provisioning Secure Device Provisioning
wui Crypto HTTP configuration interfaces
xauth X-Auth parameters
Branch(config)#crypto isakmp ?
aggressive-mode Disable ISAKMP aggressive mode
client Set client configuration policy
default ISAKMP default policy
enable Enable ISAKMP
fragmentation IKE Fragmentation enabled if required
identity Set the identity which ISAKMP will use
invalid-spi-recovery Initiate IKE and send Invalid SPI Notify
keepalive Set a keepalive interval for use with IOS peers
key Set pre-shared key for remote peer
nat Set a nat keepalive interval for use with IOS peers
peer Set Peer Policy
policy Set policy for an ISAKMP protection suite
profile Define ISAKMP Profiles
xauth Set Extended Authentication values
Branch(config)#crypto isakmp policy ?
<1-10000> Priority of protection suite
Branch(config)#crypto isakmp policy 1 // ISAKMP POLICY FOR PHASE 1
Branch(config-isakmp)#?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults
Branch(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
Branch(config-isakmp)#encryption aes
Branch(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#group ?
1 Diffie-Hellman group 1 (768 bit)
14 Diffie-Hellman group 14 (2048 bit)
15 Diffie-Hellman group 15 (3072 bit)
16 Diffie-Hellman group 16 (4096 bit)
2 Diffie-Hellman group 2 (1024 bit)
5 Diffie-Hellman group 5 (1536 bit)
Branch(config-isakmp)#group 2
Branch(config-isakmp)#exit
Branch(config)#crypto isakmp ?
aggressive-mode Disable ISAKMP aggressive mode
client Set client configuration policy
default ISAKMP default policy
enable Enable ISAKMP
fragmentation IKE Fragmentation enabled if required
identity Set the identity which ISAKMP will use
invalid-spi-recovery Initiate IKE and send Invalid SPI Notify
keepalive Set a keepalive interval for use with IOS peers
key Set pre-shared key for remote peer
nat Set a nat keepalive interval for use with IOS peers
peer Set Peer Policy
policy Set policy for an ISAKMP protection suite
profile Define ISAKMP Profiles
xauth Set Extended Authentication values
Branch(config)#crypto isakmp key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
WORD The UNENCRYPTED (cleartext) user password
Branch(config)#crypto isakmp key cisco123 ?
address define shared key with IP address
hostname define shared key with hostname
Branch(config)#crypto isakmp key cisco123 address 209.165.200.226
Branch(config)#crypto ipsec ?
client Configure a client
default Default transform-set
df-bit Handling of encapsulated DF bit.
fragmentation Handling of fragmentation of near-MTU sized packets
nat-transparency IPsec NAT transparency model
optional Enable optional encryption for IPSec
profile Configure an ipsec policy profile
security-association Security association parameters
transform-set Define transform and settings
Branch(config)#crypto ipsec transform-set ?
WORD Transform set tag
Branch(config)#crypto ipsec transform-set HQ-VPN ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
Branch(config)#crypto ipsec transform-set HQ-VPN esp-3des ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
Branch(config)#crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac // IPSEC POLICY FOR PHASE 2
Branch(cfg-crypto-trans)#exit
Branch(config)#crypto map ?
WORD Crypto map tag
Branch(config)#crypto map HQ-MAP ?
<1-65535> Sequence to insert into crypto map entry
client Specify client configuration settings
gdoi Configure crypto map gdoi features
isakmp Specify isakmp configuration settings
isakmp-profile Specify isakmp profile to use
local-address Interface to use for local address for this crypto map
redundancy High availability options for this map
Branch(config)#crypto map HQ-MAP 10 ?
gdoi GDOI
ipsec-isakmp IPSEC w/ISAKMP
ipsec-manual IPSEC w/manual keying
<cr>
Branch(config)#crypto map HQ-MAP 10 ipsec-isakmp // VPN TUNNEL INFO
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Branch(config-crypto-map)#?
Crypto Map configuration commands:
default Set a command to its defaults
description Description of the crypto map statement policy
dialer Dialer related commands
exit Exit from crypto map configuration mode
match Match values.
no Negate a command or set its defaults
qos Quality of Service related commands
reverse-route Reverse Route Injection.
set Set values for encryption/decryption
Branch(config-crypto-map)#set ?
identity Identity restriction.
ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
pfs Specify pfs settings
reverse-route Reverse Route Injection.
security-association Security association parameters
transform-set Specify list of transform sets in priority order
Branch(config-crypto-map)#set peer ?
A.B.C.D IP address of peer
WORD Host name of the peer
Branch(config-crypto-map)#set peer 209.165.200.226
Branch(config-crypto-map)#set transform-set ?
WORD Proposal tag
Branch(config-crypto-map)#set transform-set HQ-VPN
Branch(config-crypto-map)#match ?
address Match address of packets to encrypt.
Branch(config-crypto-map)#match address ?
<100-199> IP access-list number
<2000-2699> IP access-list number (expanded range)
WORD Access-list name
Branch(config-crypto-map)#match address HQ-VPN-ACL
Branch(config-crypto-map)#exit
Branch(config)#ip access-list extended HQ-VPN-ACL
Branch(config-ext-nacl)#remark Branch to HQ traffic to trigger VPN
Branch(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255 // CRYPTO ACL
Branch(config-ext-nacl)#exit
Branch(config)#interface s0/0/1
Branch(config-if)#crypto ?
ipsec Set IPSec parameters
map Assign a Crypto Map
Branch(config-if)#crypto map ?
WORD Crypto Map tag
<cr>
Branch(config-if)#crypto map HQ-MAP // APPLY CRYPTO MAP
*Jan 4 00:15:42.747: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
HQ(config)#crypto isakmp policy 1
HQ(config-isakmp)#encryption aes
HQ(config-isakmp)#authentication pre-share
HQ(config-isakmp)#group 2
HQ(config-isakmp)#exit
HQ(config)#crypto isakmp key cisco123 address 209.165.200.242
HQ(config)#crypto ipsec transform-set BRANCH-VPN esp-3des esp-sha-hmac
HQ(cfg-crypto-trans)#exit
HQ(config)#crypto map BRANCH-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
HQ(config-crypto-map)#set peer 209.165.200.242
HQ(config-crypto-map)#set transform-set BRANCH-VPN
HQ(config-crypto-map)#match address BRANCH-VPN-ACL
HQ(config-crypto-map)#exit
HQ(config)#ip access-list extended BRANCH-VPN-ACL
HQ(config-ext-nacl)#remark HQ to Branch traffic to trigger VPN
HQ(config-ext-nacl)#permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 // CRYPTO ACL; MIRRORED BRANCH ACL
HQ(config-ext-nacl)#exit
HQ(config)#interface s0/0/1
HQ(config-if)#crypto map BRANCH-MAP
HQ(config-if)#
*Jan 3 23:02:38.631: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch#show crypto ?
call Show crypto call admission info
ctcp cTCP connections
datapath Data Path
debug-condition Debug Condition filters
dynamic-map Crypto map templates
eli Encryption Layer Interface
engine Show crypto engine info
gdoi Show crypto gdoi
ha Crypto High Availability information
identity Show crypto identity list
ipsec Show IPSEC policy
isakmp Show ISAKMP
key Show long term public keys
map Crypto maps
mib Show Crypto-related MIB Parameters
optional Optional Encryption Status
pki Show PKI
route Show crypto VPN routes
ruleset Show crypto rules on outgoing packets
session Show crypto sessions (tunnels)
sockets Secure Socket Information
tech-support Displays relevant crypto information
Branch#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Serial0/0/1
Session status: DOWN
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.10.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Branch#ping 10.10.10.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/84/84 ms // PING DROPPED DUE TO VPN HANDSHAKE (TUNNEL NEGOTIATION)
Branch#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Serial0/0/1
Uptime: 00:00:09
Session status: UP-ACTIVE
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 209.165.200.226
Desc: (none)
IKE SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
Capabilities:(none) connid:1001 lifetime:23:59:49
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.10.0.0/255.255.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4501643/3590
Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4501643/3590
Branch#clear crypto isakmp
Branch#clear crypto sa
Branch(config)#interface tunnel0 // IPSEC VPN DOES NOT ALLOW DYNAMIC ROUTING PROTOCOLS, MULTICAST AND BROADCAST; WILL NEED GRE OVER IPSEC
Branch(config-if)#
*Jan 4 00:27:11.739: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch(config-if)#ip address 172.16.100.2 255.255.255.252
Branch(config-if)#tunnel ?
bandwidth Set tunnel bandwidth informational parameter
checksum enable end to end checksumming of packets
destination destination of tunnel
flow flow options
key security or selector key
mode tunnel encapsulation method
mpls MPLS tunnel commands
path-mtu-discovery Enable Path MTU Discovery on tunnel
protection Enable tunnel protection
rbscp Set tunnel RBSCP parameters
route-via Select subset of routes for tunnel transport
sequence-datagrams drop datagrams arriving out of order
source source of tunnel packets
tos set type of service byte
ttl set time to live
udlr associate tunnel with unidirectional interface
vrf set tunnel vrf membership
Branch(config-if)#tunnel source ?
A.B.C.D ip address
Async Async interface
Auto-Template Auto-Template interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Lex Lex interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
SSLVPN-VIF SSLVPN Virtual Interface
Serial Serial
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Dot11Radio Virtual dot11 interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
X:X:X:X::X IPv6 address
vmi Virtual Multipoint Interface
Branch(config-if)#tunnel source 209.165.200.242
Branch(config-if)#tunnel destination 209.165.200.226
Branch(config-if)#
*Jan 4 00:27:43.055: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
HQ(config)#interface tunnel0
HQ(config-if)#
*Jan 3 23:10:26.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
HQ(config-if)#ip address 172.16.100.1 255.255.255.252
HQ(config-if)#tunnel source 209.165.200.226
HQ(config-if)#tunnel destination 209.165.200.242
HQ(config-if)#
*Jan 3 23:10:53.603: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch#show interfaces tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.100.2/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 209.165.200.242, destination 209.165.200.226
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Branch#ping 172.16.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/69/72 ms
Branch#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Serial0/0/1
Session status: DOWN // TRAFFIC IS NOT ENCRYPTED
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.10.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Branch(config)#no ip access-list extended HQ-VPN-ACL
Branch(config)#ip access-list extended HQ-VPN-ACL
Branch(config-ext-nacl)#remark HQ to Branch GRE traffic to trigger VPN
Branch(config-ext-nacl)#permit gre host 209.165.200.242 host 209.165.200.226 // MAKE GRE TRAFFIC INTERESTING
HQ(config)#no ip access-list extended BRANCH-VPN-ACL
HQ(config)#ip access-list extended BRANCH-VPN-ACL
HQ(config-ext-nacl)#remark Branch to HQ GRE traffic to trigger VPN
HQ(config-ext-nacl)#permit gre host 209.165.200.226 host 209.165.200.242
Branch#ping 172.16.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 96/97/100 ms
Branch#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Serial0/0/1
Uptime: 00:00:19
Session status: UP-ACTIVE
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 209.165.200.226
Desc: (none)
IKE SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
Capabilities:(none) connid:1002 lifetime:23:59:40
IPSEC FLOW: permit 47 host 209.165.200.242 host 209.165.200.226 // GRE PROTOCOL 47
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4426451/3580
Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4426451/3580
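Three things the annotated transcripts above rely on can be checked away from the router: the HQ crypto ACL must be the exact mirror of the Branch one, the Branch NAT ACL must deny the VPN traffic before its `permit ... any`, and after the move to GRE the crypto map on Serial0/0/1 evaluates the outer GRE header (tunnel endpoints, protocol 47), not the LAN addresses, which is why the LAN-to-LAN crypto ACL left the session DOWN once Tunnel0 was in the path. The Python below is an added example written for this page, not the post's own tooling and not anything from Cisco. It hand-parses only the ACL subset the lab uses (permit/deny, a protocol keyword, `any` / `host` / address-plus-wildcard) and is not a general IOS ACL parser; the ACL text it checks is retyped from the transcript.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry in the subset of IOS syntax the lab uses."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "gre", ... ("47" is normalised to "gre")
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask -> network: 10.10.0.0 0.0.255.255 becomes 10.10.0.0/16."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _take_address(tokens: list[str], i: int):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> list[Ace]:
    """Parse 'permit|deny <proto> <src> <dst>' lines; remarks and blank lines are skipped."""
    aces = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _take_address(tokens, 2)
        dst, _ = _take_address(tokens, i)
        aces.append(Ace(action, "gre" if proto == "47" else proto, src, dst))
    return aces


def first_match(acl: list[Ace], proto: str, src_ip: str, dst_ip: str):
    """IOS semantics: top-down, first match wins, implicit deny (None) at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace
    return None


def is_interesting(crypto_acl: list[Ace], proto: str, src_ip: str, dst_ip: str) -> bool:
    """Would the crypto map treat this packet as VPN traffic (a permit hit in its crypto ACL)?"""
    ace = first_match(crypto_acl, proto, src_ip, dst_ip)
    return ace is not None and ace.action == "permit"


def is_mirror(local: list[Ace], remote: list[Ace]) -> bool:
    """The peer's crypto ACL must be the exact mirror: same permits with src/dst swapped."""
    def permits(acl):
        return {(a.proto, a.src, a.dst) for a in acl if a.action == "permit"}
    return permits(local) == {(p, d, s) for (p, s, d) in permits(remote)}


def nat_exempts_vpn_traffic(nat_acl: list[Ace], crypto_acl: list[Ace]) -> bool:
    """Every flow the crypto ACL protects must hit a deny (or nothing) in the NAT ACL;
    a permit would translate the source before encryption and the peer's mirrored
    crypto ACL would no longer match. Probes one address per ACE, which is enough
    here because every entry covers a whole subnet."""
    for ace in crypto_acl:
        if ace.action != "permit":
            continue
        hit = first_match(nat_acl, ace.proto, str(ace.src[0]), str(ace.dst[0]))
        if hit is not None and hit.action == "permit":
            return False
    return True


# ACL text retyped from the transcript above (constructed sample input, not live config).
BRANCH_NAT_ACL = parse_acl("""
deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 any
""")
BRANCH_CRYPTO_LAN = parse_acl("permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255")
HQ_CRYPTO_LAN = parse_acl("permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255")
BRANCH_CRYPTO_GRE = parse_acl("permit gre host 209.165.200.242 host 209.165.200.226")
HQ_CRYPTO_GRE = parse_acl("permit gre host 209.165.200.226 host 209.165.200.242")


def lab_report() -> dict:
    """Replay the lab: a Branch LAN ping to HQ as a plain packet, then as it leaves
    Tunnel0 wrapped in GRE (outer header = tunnel endpoints, protocol 47)."""
    plain = ("ip", "192.168.1.1", "10.10.10.1")
    gre_wrapped = ("gre", "209.165.200.242", "209.165.200.226")
    return {
        "lan_acls_mirrored": is_mirror(BRANCH_CRYPTO_LAN, HQ_CRYPTO_LAN),
        "gre_acls_mirrored": is_mirror(BRANCH_CRYPTO_GRE, HQ_CRYPTO_GRE),
        "nat_exempts_vpn": nat_exempts_vpn_traffic(BRANCH_NAT_ACL, BRANCH_CRYPTO_LAN),
        # plain LAN-to-LAN ping matched the first crypto ACL: session came UP-ACTIVE
        "plain_ping_lan_acl": is_interesting(BRANCH_CRYPTO_LAN, *plain),
        # once wrapped in GRE the LAN ACL never matches: 'Session status: DOWN'
        "gre_ping_lan_acl": is_interesting(BRANCH_CRYPTO_LAN, *gre_wrapped),
        # the GRE crypto ACL matches the outer header: 'IPSEC FLOW: permit 47'
        "gre_ping_gre_acl": is_interesting(BRANCH_CRYPTO_GRE, *gre_wrapped),
    }


if __name__ == "__main__":
    for check, result in lab_report().items():
        print(f"{check:22} {result}")
```

Run as a script it prints the six checks; `is_mirror` and `nat_exempts_vpn_traffic` are the two worth pasting a real pair of ACLs into before a change window, since a one-octet typo in the wildcard mask on either side is enough to break mirroring without any error on the CLI.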
Branch#ping 10.10.10.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 // PING DROPS DUE TO NO ROUTE TO HQ
.....
Success rate is 0 percent (0/5)
Branch#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 209.165.200.241 to network 0.0.0.0
172.16.0.0/30 is subnetted, 1 subnets
C 172.16.100.0 is directly connected, Tunnel0
209.165.200.0/29 is subnetted, 1 subnets
C 209.165.200.240 is directly connected, Serial0/0/1
C 192.168.1.0/24 is directly connected, Loopback1
S* 0.0.0.0/0 [1/0] via 209.165.200.241
Branch(config)#router eigrp 1
Branch(config-router)#network 192.168.1.0 0.0.0.255
Branch(config-router)#network 172.16.100.0 0.0.0.3
HQ(config)#router eigrp 1
HQ(config-router)#network 10.10.0.0 0.0.255.255
HQ(config-router)#network 172.16.100.0 0.0.0.3
HQ(config-router)#
*Jan 3 23:26:09.743: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.100.2 (Tunnel0) is up: new adjacency
Branch#show ip eigrp neighbor
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 172.16.100.1 Tu0 12 00:00:21 88 2151 0 3
Branch#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 209.165.200.241 to network 0.0.0.0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/16 is a summary, 00:01:08, Null0
C 172.16.100.0/30 is directly connected, Tunnel0
209.165.200.0/29 is subnetted, 1 subnets
C 209.165.200.240 is directly connected, Serial0/0/1
D 10.0.0.0/8 [90/27008000] via 172.16.100.1, 00:00:23, Tunnel0
C 192.168.1.0/24 is directly connected, Loopback1
S* 0.0.0.0/0 [1/0] via 209.165.200.241
Branch#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Serial0/0/1
Uptime: 00:08:38
Session status: UP-ACTIVE
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 209.165.200.226
Desc: (none)
IKE SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
Capabilities:(none) connid:1002 lifetime:23:51:21
IPSEC FLOW: permit 47 host 209.165.200.242 host 209.165.200.226
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 19 drop 0 life (KB/Sec) 4426449/3081
Outbound: #pkts enc'ed 29 drop 1 life (KB/Sec) 4426448/3081
Branch#ping 10.10.10.1 source 192.168.1.1 // LAN-TO-LAN (SITE-TO-SITE VPN) HAS REACHABILITY
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/98/100 ms
Branch#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Serial0/0/1
Uptime: 00:09:45
Session status: UP-ACTIVE
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 209.165.200.226
Desc: (none)
IKE SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
Capabilities:(none) connid:1002 lifetime:23:50:13
IPSEC FLOW: permit 47 host 209.165.200.242 host 209.165.200.226
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 39 drop 0 life (KB/Sec) 4426446/3014
Outbound: #pkts enc'ed 49 drop 1 life (KB/Sec) 4426445/3014
Branch#traceroute 10.10.20.238 source 192.168.1.1
Type escape sequence to abort.
Tracing the route to 10.10.20.238
1 172.16.100.1 68 msec * 68 msec // HOPS TO HQ GRE TUNNEL (ENCRYPTED); BRANCH UNAWARE IT TRAVERSED PUBLIC INTERNET