CCIE Security - VPN Study Guide - LAN-to-LAN IPSec Tunnel using Static VTI

LAN-to-LAN IPSec Tunnel using Static VTI

Task 2.1: Create a LAN-to-LAN VPN tunnel between R2 Lo22 and R4 Lo44. Do not use crypto maps or ACLs.

Solution:

R4#

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
exit
crypto isakmp key cisco address 0.0.0.0 0.0.0.0

crypto ipsec transform-set TS10 esp-3des esp-md5-hmac
!
crypto ipsec profile PROF10
set transform-set TS10
!
interface Tunnel0
ip address 44.44.100.4 255.255.255.0
tunnel source 44.44.4.4
tunnel destination 44.44.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROF10
exit
ip route 22.22.22.22 255.255.255.255 Tunnel0

R2#

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
exit
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS10 esp-3des esp-md5-hmac
exit
crypto ipsec profile PROF10
set transform-set TS10
exit
interface Tunnel0
ip address 44.44.100.2 255.255.255.0
tunnel source 44.44.2.2
tunnel destination 44.44.4.4
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROF10
exit
ip route 44.44.44.44 255.255.255.255 Tunnel0
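Before moving on to the verification output, here is a small consistency and hygiene check for a VTI peer pair, written in Python as an added example (it is not part of the study guide; the R4 config string inside it is copied from the solution above and R2's is derived from it). It verifies that tunnel source and destination mirror each other, that ISAKMP policy and transform set agree on both sides, and that the profile references the transform set it defines, and it flags the two things a security reviewer would notice in this lab config: the pre-shared key is bound to the wildcard peer 0.0.0.0 0.0.0.0, and 3DES, MD5 and DH group 2 are legacy choices. The field names, the LEGACY set and the ERROR/WARN labels are this example's own.

```python
import re

# R4's VTI config from the solution above; R2's differs only in the tunnel
# address and the swapped source/destination (constructed from the same text).
R4_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS10 esp-3des esp-md5-hmac
crypto ipsec profile PROF10
 set transform-set TS10
interface Tunnel0
 ip address 44.44.100.4 255.255.255.0
 tunnel source 44.44.4.4
 tunnel destination 44.44.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF10
"""
R2_CONFIG = R4_CONFIG.replace("44.44.100.4", "44.44.100.2").replace(
    "tunnel source 44.44.4.4\n tunnel destination 44.44.2.2",
    "tunnel source 44.44.2.2\n tunnel destination 44.44.4.4")

# Algorithms and DH groups a reviewer would flag as legacy (this example's list).
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac",
          "group 1", "group 2", "group 5"}

# One regex per field the checks need; group 1 is the value.
FIELDS = {
    "isakmp_encr": r"^\s*encr\s+(\S+)",
    "isakmp_group": r"^\s*group\s+(\d+)",
    "psk_peer": r"^crypto isakmp key \S+ address (\S+(?: \S+)?)",
    "transform_name": r"^crypto ipsec transform-set (\S+)",
    "transform_set": r"^crypto ipsec transform-set \S+ (.+)$",
    "profile_ts": r"^\s*set transform-set (\S+)",
    "tunnel_source": r"^\s*tunnel source (\S+)",
    "tunnel_destination": r"^\s*tunnel destination (\S+)",
    "tunnel_mode": r"^\s*tunnel mode (.+)$",
    "protection": r"^\s*tunnel protection ipsec profile (\S+)",
}


def parse_vti(config):
    """Extract the fields above from one router's config; absent fields become None."""
    out = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, config, re.M)
        out[key] = m.group(1).strip() if m else None
    return out


def check_peers(a, b, names=("R4", "R2")):
    """Return 'ERROR: ...' / 'WARN: ...' findings for a VTI peer pair."""
    findings = []
    for name, cfg in zip(names, (a, b)):
        missing = [k for k, v in cfg.items() if v is None]
        if missing:
            findings.append(f"ERROR: {name} is missing {', '.join(missing)}")
    if findings:
        return findings
    # Each side's tunnel source must be the other side's tunnel destination.
    if (a["tunnel_source"], a["tunnel_destination"]) != (b["tunnel_destination"], b["tunnel_source"]):
        findings.append("ERROR: tunnel source/destination are not mirrored between the peers")
    # Phase 1 and phase 2 parameters must agree or the SAs will not negotiate.
    for key in ("isakmp_encr", "isakmp_group", "transform_set", "tunnel_mode"):
        if a[key] != b[key]:
            findings.append(f"ERROR: {key} differs ({names[0]}={a[key]!r}, {names[1]}={b[key]!r})")
    for name, cfg in zip(names, (a, b)):
        if cfg["profile_ts"] != cfg["transform_name"]:
            findings.append(f"ERROR: {name} profile uses transform set {cfg['profile_ts']} "
                            f"but the config defines {cfg['transform_name']}")
        if cfg["psk_peer"].split()[0] == "0.0.0.0":
            findings.append(f"WARN: {name} binds the pre-shared key to the 0.0.0.0 wildcard peer; "
                            "pin it to the peer address")
        algos = [cfg["isakmp_encr"], f"group {cfg['isakmp_group']}", *cfg["transform_set"].split()]
        legacy = [x for x in algos if x in LEGACY]
        if legacy:
            findings.append(f"WARN: {name} uses legacy algorithms: {', '.join(legacy)}")
    return findings


if __name__ == "__main__":
    for line in check_peers(parse_vti(R4_CONFIG), parse_vti(R2_CONFIG)):
        print(line)
```

Run as-is the check reports no errors for the pair above and four warnings (the wildcard key and the legacy algorithm set, once per router); change one side's transform set or tunnel destination and the corresponding ERROR appears.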


Successful Output:

R4#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            44.44.4.4       YES manual up                    up
Serial0/0                  unassigned      YES TFTP   administratively down down
FastEthernet0/1            unassigned      YES manual administratively down down
Serial0/1                  unassigned      YES manual administratively down down
Loopback4                  4.4.4.4         YES manual up                    up
Loopback44                 44.44.44.44     YES manual up                    up
Tunnel0                    44.44.100.4     YES manual up                    down
R4#
Mar 26 10:35:24.554: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

4.0.0.0/24 is subnetted, 1 subnets
C 4.4.4.0 is directly connected, Loopback4
22.0.0.0/32 is subnetted, 1 subnets
S 22.22.22.22 is directly connected, Tunnel0
44.0.0.0/24 is subnetted, 6 subnets
O 44.44.2.0 [110/12] via 44.44.4.5, 00:07:13, FastEthernet0/0
O 44.44.3.0 [110/2] via 44.44.4.5, 00:07:13, FastEthernet0/0
C 44.44.4.0 is directly connected, FastEthernet0/0
O 44.44.5.0 [110/2] via 44.44.4.3, 00:07:13, FastEthernet0/0
C 44.44.44.0 is directly connected, Loopback44
C 44.44.100.0 is directly connected, Tunnel0
R4#
R4#
R4#ping 22.22.22.22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/16 ms
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
44.44.2.2       44.44.4.4       QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA


R4#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 44.44.4.4

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 44.44.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 44.44.4.4, remote crypto endpt.: 44.44.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x1C0E4791(470697873)

inbound esp sas:
spi: 0x8A196297(2316919447)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: 3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4408324/3512)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x1C0E4791(470697873)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: 4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4408324/3512)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
R4#


Task 2.2: Configure R2 such that traffic from 22.22.22.22 to 44.44.44.44 is limited to a sending rate of no more than 8 kbps.


Solution:

class-map match-all VPN-QOS-TRAFFIC
match any
!
!
policy-map VPN-QOS-POLICY
class VPN-QOS-TRAFFIC
police cir 8000
conform-action transmit
exceed-action drop
violate-action drop
!
interface Tunnel0
ip address 44.44.100.2 255.255.255.0
tunnel source 44.44.2.2
tunnel destination 44.44.4.4
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROF10
service-policy output VPN-QOS-POLICY

R2#show policy-map
Policy Map VPN-QOS-POLICY
Class VPN-QOS-TRAFFIC
police cir 8000 bc 1500 be 1500
conform-action transmit
exceed-action drop
violate-action drop

R2#


R2#show policy-map interface Tunnel 0
Tunnel0

Service-policy output: VPN-QOS-POLICY

Class-map: VPN-QOS-TRAFFIC (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 8000 bps, bc 1500 bytes, be 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R2#


R4#ping 22.22.22.22 source Lo44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
Packet sent with a source address of 44.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/20 ms
R4#ping 22.22.22.22 source Lo44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
Packet sent with a source address of 44.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms
R4#

R2#show policy-map interface Tunnel 0
Tunnel0

Service-policy output: VPN-QOS-POLICY

Class-map: VPN-QOS-TRAFFIC (match-all)
10 packets, 1000 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
police:
cir 8000 bps, bc 1500 bytes, be 1500 bytes
conformed 10 packets, 1000 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R2#



R2#ping 44.44.44.44 size 1300 timeout 0 repeat 100000

Type escape sequence to abort.
Sending 100000, 1300-byte ICMP Echos to 44.44.44.44, timeout is 0 seconds:
......................................................................
<output omitted>
......................................
Success rate is 0 percent (0/5218)
R2#
R2#
R2#show policy-map interface Tunnel 0
Tunnel0

Service-policy output: VPN-QOS-POLICY

Class-map: VPN-QOS-TRAFFIC (match-all)
5228 packets, 6784400 bytes
5 minute offered rate 48000 bps, drop rate 48000 bps
Match: any
police:
cir 8000 bps, bc 1500 bytes, be 1500 bytes
conformed 16 packets, 8800 bytes; actions:
transmit
exceeded 1 packets, 1300 bytes; actions:
drop
violated 5211 packets, 6774300 bytes; actions:
drop
conformed 2000 bps, exceed 1000 bps, violate 401000 bps

Class-map: class-default (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R2#
R2#
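To see why the counters above come out as a handful of conformed packets, exactly one exceeded packet and thousands of violated ones, the following Python model of the single-rate, three-colour policer behind `police cir 8000` (bc 1500, be 1500) is added here as an example; it is not from the study guide, and the packet timings it feeds in are constructed, since the page records packet counts but not inter-packet gaps. Note also that the class-map's `match any` polices everything leaving Tunnel0, not just the 22.22.22.22 to 44.44.44.44 flow named in the task.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class SingleRatePolicer:
    """Single-rate three-colour policer ('police cir <bps>' with bc and be).

    Two token buckets: the committed bucket holds up to bc bytes and is
    refilled at cir; tokens that would overflow it spill into the excess
    bucket (up to be bytes). A packet is 'conform' if the committed bucket
    can pay for it, 'exceed' if only the excess bucket can, 'violate'
    otherwise. Fractions keep the byte accounting exact.
    """
    cir_bps: int
    bc_bytes: int
    be_bytes: int
    tc: Fraction = field(init=False)
    te: Fraction = field(init=False)
    last_ms: int = 0
    packets: dict = field(default_factory=lambda: {"conform": 0, "exceed": 0, "violate": 0})
    octets: dict = field(default_factory=lambda: {"conform": 0, "exceed": 0, "violate": 0})

    def __post_init__(self):
        self.tc = Fraction(self.bc_bytes)   # both buckets start full
        self.te = Fraction(self.be_bytes)

    def offer(self, t_ms, size):
        """Meter one packet of `size` bytes arriving at t_ms; return its colour."""
        # bytes earned since the previous packet: bit/s * ms / (8 bit/byte * 1000 ms/s)
        earned = Fraction(self.cir_bps * (t_ms - self.last_ms), 8000)
        self.last_ms = t_ms
        self.tc += earned
        spill = self.tc - self.bc_bytes
        if spill > 0:                       # committed bucket full: surplus feeds the excess bucket
            self.tc = Fraction(self.bc_bytes)
            self.te = min(Fraction(self.be_bytes), self.te + spill)
        if size <= self.tc:
            colour, self.tc = "conform", self.tc - size
        elif size <= self.te:
            colour, self.te = "exceed", self.te - size
        else:
            colour = "violate"
        self.packets[colour] += 1
        self.octets[colour] += size
        return colour


def echo_series(count, size, spacing_ms, start_ms=0):
    """(arrival ms, bytes) pairs for a 'ping ... size <n> repeat <count>' style stream (constructed)."""
    return [(start_ms + i * spacing_ms, size) for i in range(count)]


def police(packets, cir_bps=8000, bc_bytes=1500, be_bytes=1500):
    """Run a packet stream through a fresh policer; return per-colour packet counts."""
    p = SingleRatePolicer(cir_bps, bc_bytes, be_bytes)
    for t_ms, size in packets:
        p.offer(t_ms, size)
    return dict(p.packets)


if __name__ == "__main__":
    # Constructed streams shaped like the two pings above: ten 100-byte echos
    # roughly one round-trip apart, then 1300-byte echos sent back to back.
    print("10 x 100 B, 14 ms apart   :", police(echo_series(10, 100, 14)))
    print("5218 x 1300 B, 1 ms apart :", police(echo_series(5218, 1300, 1)))
```

The 14 ms gap between the 100-byte echos gives the committed bucket time to refill, so all ten conform, as in the second `show policy-map interface` above. In the back-to-back 1300-byte stream the first packet drains the committed bucket, the second is paid for by the excess bucket, and after that only a packet that arrives once 1300 bytes have accumulated again conforms. Because the excess bucket is refilled only from the committed bucket's overflow, it is never topped up under sustained load, which is why a single exceeded packet appears however long the ping runs; the absolute conform count depends on the real inter-packet timing.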


Task 2.3: Configure R2 and R4 such that there are no static routes on the routers for networks 22.22.22.0/24 and 44.44.44.0/24.

Solution:

R4#

router eigrp 100
no auto-summary
network 44.44.100.0
network 44.44.44.0
exit
no ip route 22.22.22.22 255.255.255.255 Tunnel0

R2#

router eigrp 100
no auto-summary
network 44.44.100.0
network 22.22.22.0
exit
no ip route 44.44.44.44 255.255.255.255 Tunnel0


Unfortunately, the EIGRP adjacency does not stay up: it forms and then drops when the hold time expires.

R2#
Mar 26 11:55:03.181: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 44.44.100.4 (Tunnel0) is up: new adjacency
R2#
Mar 26 11:55:18.214: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 44.44.100.4 (Tunnel0) is down: holding time expired
R2#
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 44.44.2.10 to network 0.0.0.0

2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback2
22.0.0.0/24 is subnetted, 1 subnets
C 22.22.22.0 is directly connected, Loopback22
44.0.0.0/24 is subnetted, 2 subnets
C 44.44.2.0 is directly connected, FastEthernet0/0
C 44.44.100.0 is directly connected, Tunnel0
S* 0.0.0.0/0 [1/0] via 44.44.2.10
R2#

OK, let's try defining a static neighbor:

R2#conf t
R2(config)#router eigrp 100
R2(config-router)#neighbor 44.44.100.4 Tunnel 0
R2(config-router)#end
R2#
Mar 26 11:57:30.587: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 44.44.100.4 (Tunnel0) is up: new adjacency
R2#sho
Mar 26 11:57:31.745: %SYS-5-CONFIG_I: Configured from console by console
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 44.44.2.10 to network 0.0.0.0

2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback2
22.0.0.0/24 is subnetted, 1 subnets
C 22.22.22.0 is directly connected, Loopback22
44.0.0.0/24 is subnetted, 1 subnets
C 44.44.2.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 44.44.2.10
R2#
Mar 26 11:57:35.367: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
Mar 26 11:57:36.369: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Mar 26 11:57:36.409: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 44.44.100.4 (Tunnel0) is down: interface down
R2#
R2#
R2#

Still does not work: the adjacency forms, but R2 then disables Tunnel0 for recursive routing, which takes the neighbor down with it.

Let's take a look at http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094690.shtml to find out what the cause might be.

Our problem is in the EIGRP configuration. The network statements in the solution above were entered without wildcard masks, so IOS stored them as the classful networks 22.0.0.0 and 44.0.0.0 (which is why the fix below removes exactly those entries). The classful 44.0.0.0 statement also enables EIGRP on the FastEthernet0/0 underlay, so each router advertises its own tunnel-endpoint subnet through the tunnel, and the far end then tries to reach its tunnel destination via the tunnel itself; that is the recursive routing IOS reported. R4 has already been corrected with explicit wildcard masks:

R4#show run | begin router
router eigrp 100
network 44.44.44.0 0.0.0.255
network 44.44.100.0 0.0.0.255
no auto-summary
!
<output omitted>
R4#

R2(config)#router eigrp 100
R2(config-router)#no network 22.0.0.0
R2(config-router)#no network 44.0.0.0
R2(config-router)#network 44.44.100.0 0.0.0.255
Mar 26 12:06:03.584: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 44.44.100.4 (Tunnel0) is up: new adjacency
R2(config-router)#network 22.22.22.0 0.0.0.255
R2(config-router)#


As you can see, after we adjusted it everything came back to normal.

R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

4.0.0.0/24 is subnetted, 1 subnets
C 4.4.4.0 is directly connected, Loopback4
22.0.0.0/24 is subnetted, 1 subnets
D 22.22.22.0 [90/297372416] via 44.44.100.2, 00:02:27, Tunnel0
44.0.0.0/24 is subnetted, 6 subnets
O 44.44.2.0 [110/12] via 44.44.4.5, 00:05:30, FastEthernet0/0
O 44.44.3.0 [110/2] via 44.44.4.5, 01:40:14, FastEthernet0/0
C 44.44.4.0 is directly connected, FastEthernet0/0
O 44.44.5.0 [110/2] via 44.44.4.3, 01:40:14, FastEthernet0/0
C 44.44.44.0 is directly connected, Loopback44
C 44.44.100.0 is directly connected, Tunnel0
R4#

R2#ping 44.44.44.44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/16 ms
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 44.44.2.10 to network 0.0.0.0

2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback2
22.0.0.0/24 is subnetted, 1 subnets
C 22.22.22.0 is directly connected, Loopback22
44.0.0.0/24 is subnetted, 3 subnets
C 44.44.2.0 is directly connected, FastEthernet0/0
D 44.44.44.0 [90/297372416] via 44.44.100.4, 00:04:25, Tunnel0
C 44.44.100.0 is directly connected, Tunnel0
S* 0.0.0.0/0 [1/0] via 44.44.2.10
R2#
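The fix above comes down to how classic EIGRP stores a `network` statement: without a wildcard mask the statement is kept as the classful network, so `network 44.44.100.0` becomes `network 44.0.0.0` and enables EIGRP on every interface in 44.0.0.0/8, the FastEthernet0/0 underlay included. The Python below, added here as an example rather than taken from the study guide, models that conversion against R2's interfaces (as listed in its routing table) and then performs the check IOS logs as %TUN-5-RECURDOWN: a tunnel has to be disabled when its own destination is reached through it. The two routing tables it uses are constructed; the page does not show which prefix triggered the recursion, so the second RIB simply adds a prefix covering the tunnel destination that was learned over the tunnel.

```python
import ipaddress

# R2's interfaces, taken from its routing table output above (constructed dict).
R2_INTERFACES = {
    "Loopback2": ipaddress.ip_interface("2.2.2.2/24"),
    "Loopback22": ipaddress.ip_interface("22.22.22.22/24"),
    "FastEthernet0/0": ipaddress.ip_interface("44.44.2.2/24"),
    "Tunnel0": ipaddress.ip_interface("44.44.100.2/24"),
}

# Constructed R2 RIBs as (prefix, next hop or None, outgoing interface).
# The first matches the final routing table above; the second adds a route
# to the tunnel destination's subnet learned through the tunnel itself.
R2_RIB_OK = [
    ("0.0.0.0/0", "44.44.2.10", "FastEthernet0/0"),
    ("2.2.2.0/24", None, "Loopback2"),
    ("22.22.22.0/24", None, "Loopback22"),
    ("44.44.2.0/24", None, "FastEthernet0/0"),
    ("44.44.100.0/24", None, "Tunnel0"),
    ("44.44.44.0/24", "44.44.100.4", "Tunnel0"),
]
R2_RIB_RECURSIVE = R2_RIB_OK + [("44.44.4.0/24", "44.44.100.4", "Tunnel0")]


def classful_network(addr):
    """Classful network of an IPv4 address: class A /8, class B /16, class C /24."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_network_statement(statement):
    """'network A.B.C.D [wildcard]' -> the IPv4Network that classic EIGRP stores.

    Without a wildcard mask the classful network is kept, which is why
    'network 44.44.100.0' shows up in the running config as 'network 44.0.0.0'.
    """
    parts = statement.split()
    if parts[0] != "network" or len(parts) not in (2, 3):
        raise ValueError(f"not a network statement: {statement!r}")
    if len(parts) == 2:
        return classful_network(parts[1])
    # Invert the wildcard explicitly so 0.0.0.0 means a /32 host, as in IOS.
    wildcard = int(ipaddress.IPv4Address(parts[2]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{parts[1]}/{netmask}", strict=False)


def eigrp_interfaces(statements, interfaces):
    """Names of the interfaces whose address falls inside any stored network statement."""
    nets = [parse_network_statement(s) for s in statements]
    return sorted(name for name, ifc in interfaces.items() if any(ifc.ip in n for n in nets))


def best_route(rib, dest):
    """Longest-prefix match over (prefix, next hop, out interface) entries."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in rib if dest in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)


def tunnel_is_recursive(rib, tunnel_name, tunnel_destination):
    """True when the tunnel destination is itself routed out of the tunnel (%TUN-5-RECURDOWN)."""
    route = best_route(rib, tunnel_destination)
    return route is not None and route[2] == tunnel_name


if __name__ == "__main__":
    for stmts in (["network 44.44.100.0", "network 22.22.22.0"],
                  ["network 44.44.100.0 0.0.0.255", "network 22.22.22.0 0.0.0.255"]):
        stored = [str(parse_network_statement(s)) for s in stmts]
        print(stmts, "->", stored, "enables EIGRP on", eigrp_interfaces(stmts, R2_INTERFACES))
    for label, rib in (("healthy", R2_RIB_OK), ("recursive", R2_RIB_RECURSIVE)):
        print(f"{label} RIB: Tunnel0 recursive =", tunnel_is_recursive(rib, "Tunnel0", "44.44.4.4"))
```

With the wildcard-less statements EIGRP comes up on FastEthernet0/0 as well as Tunnel0 and Loopback22; with the corrected ones only the tunnel and the loopback participate, which is what the final `show ip route` output reflects.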

Task 2.4: R4 network 44.44.44.0/24 is required to tunnel all internet traffic through the central hub (R2). Core network traffic should not be tunneled. When 44.44.44.0/24 users hit internet resources (anything outside 44.44.0.0/16) they should appear as IP addresses from the range 44.44.2.100-200/24.

On ASA1 we add a static route to R5's Loopback 5 interface and verify that we can telnet to it from R2 (R5's vty lines get a password first).

R5(config)#line vty 0 4
R5(config-line)#password cisco
R5(config-line)#privilege level 15
R5(config-line)#

asa1(config)#
asa1(config)# route outside 5.5.5.5 255.255.255.255 44.44.3.5
asa1(config)#


R2#telnet 5.5.5.5
Trying 5.5.5.5 ... Open


Password required, but none set

[Connection to 5.5.5.5 closed by foreign host]
R2#telnet 5.5.5.5
Trying 5.5.5.5 ... Open


User Access Verification

Password:
R5#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:27
*  66 vty 0               idle                 00:00:00 44.44.2.2

Interface User Mode Idle Peer Address

R5#


Now let's start the R4 configuration. First we point a static default route at the tunnel.


R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ip route 0.0.0.0 0.0.0.0 Tun0
R4(config)#


The ping is unsuccessful because R5 does not have a route back to R4's Lo44 (44.44.44.44).


R4#ping 5.5.5.5 source Lo44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#


Let's configure NAT on R2: traffic arriving on Tunnel0 and leaving FastEthernet0/0 is translated to the pool 44.44.2.100-200, while access-list 110 keeps ESP and ISAKMP traffic out of the translation.

R2(config)#int Tunnel 0
R2(config-if)#ip nat inside
R2(config-if)#exit
R2(config)#int Fa0/0
R2(config-if)#ip nat outside
R2(config-if)#exit
R2(config)#ip nat pool R2POOL 44.44.2.100 44.44.2.200 netmask 255.255.255.0
R2(config)#access-list 110 deny esp any any
R2(config)#access-list 110 deny udp any eq isakmp any
R2(config)#access-list 110 deny udp any eq non500-isakmp any
R2(config)#access-list 110 permit ip any any
R2(config)#ip nat inside source list 110 pool R2POOL overload
R2(config)#
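The NAT configuration just entered has three pieces: access-list 110 selects what gets translated and excludes ESP, ISAKMP (UDP 500) and NAT-T (UDP 4500, `non500-isakmp`) so IPsec control and data traffic is never rewritten; pool R2POOL supplies the global addresses 44.44.2.100-200; and `overload` makes the translation port-based, so one pool address serves many inside hosts, which is why R5 later sees 44.44.2.100. The Python below, added as an example and not part of the study guide, models that evaluation for packets crossing from the `ip nat inside` interface to the `ip nat outside` one. The port-allocation rule it uses (keep the original source port when free, otherwise the next free port from 1024) is a simplification of IOS behaviour, and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", "esp", ...
    sport: int = 0
    dport: int = 0


# access-list 110 from the page as (action, protocol, source port or None);
# 'eq isakmp' is UDP 500 and 'eq non500-isakmp' is UDP 4500 (NAT-T).
ACL_110 = [
    ("deny", "esp", None),
    ("deny", "udp", 500),
    ("deny", "udp", 4500),
    ("permit", "ip", None),
]


def acl_permits(acl, pkt):
    """Evaluate an extended ACL top-down; an unmatched packet hits the implicit deny."""
    for action, proto, sport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if sport is not None and sport != pkt.sport:
            continue
        return action == "permit"
    return False


class PatTranslator:
    """Model of 'ip nat inside source list <acl> pool <pool> overload' (hypothetical, not IOS code).

    Only traffic entering an 'ip nat inside' interface and leaving the
    'ip nat outside' interface is a candidate; the ACL then decides whether
    it is translated. With overload every flow shares the first pool address
    and is told apart by its translated source port.
    """

    def __init__(self, acl, pool_first, pool_last, inside_ifaces, outside_iface):
        self.acl = acl
        first, last = (int(ipaddress.IPv4Address(a)) for a in (pool_first, pool_last))
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
        self.inside = set(inside_ifaces)
        self.outside = outside_iface
        self.table = {}   # (inside src, proto, inside sport) -> (global addr, global port)

    def _free_port(self, wanted):
        used = {port for _, port in self.table.values()}
        if wanted not in used:          # keep the original port when nobody holds it
            return wanted
        port = 1024
        while port in used:
            port += 1
        return port

    def translate(self, pkt, in_iface, out_iface):
        """Return the packet as seen on the outside, or the same object when NAT does not apply."""
        if in_iface not in self.inside or out_iface != self.outside:
            return pkt
        if not acl_permits(self.acl, pkt):
            return pkt
        key = (pkt.src, pkt.proto, pkt.sport)
        if key not in self.table:
            self.table[key] = (self.pool[0], self._free_port(pkt.sport))
        global_addr, global_port = self.table[key]
        return replace(pkt, src=global_addr, sport=global_port)


if __name__ == "__main__":
    nat = PatTranslator(ACL_110, "44.44.2.100", "44.44.2.200", ["Tunnel0"], "FastEthernet0/0")
    # Constructed: R4 telnetting from Lo44 to R5 through the tunnel, as in the 'who' output
    out = nat.translate(Packet("44.44.44.44", "5.5.5.5", "tcp", 11001, 23), "Tunnel0", "FastEthernet0/0")
    print(out)
    for inside, outside in nat.table.items():
        print(inside, "->", outside)
```

The telnet from 44.44.44.44 leaves R2 with source 44.44.2.100, matching the `Location` column R5 shows; ESP and UDP 500/4500 packets are returned untouched, and so is anything that does not cross from Tunnel0 to FastEthernet0/0, such as R4's direct telnet to 44.44.4.5 that never enters the tunnel.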



R4#ping 5.5.5.5 source Lo44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 44.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/24 ms
R4#

R4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open


User Access Verification

Password:
R5#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:10:00
*  66 vty 0               idle                 00:00:00 44.44.2.100

Interface User Mode Idle Peer Address

R5#


R4#
R4#telnet 44.44.4.5
Trying 44.44.4.5 ... Open


User Access Verification

Password:
R5#who
    Line       User       Host(s)              Idle       Location
*  66 vty 0               idle                 00:00:00 44.44.4.4

Interface User Mode Idle Peer Address

R5#
