CCIE Security - VPN Study Guide - Dynamic VTI - Local Authentication

 

This is a basic CCIE Security lab setup. Diagram and configurations are compatible with Proctor Labs.

You can simply paste configs in the proper routers and topology will work.

You can go to http://www.proctorlabs.com/ and purchase rack time. An 8-hour slot will be enough to test this configuration.

 

Proctor Labs Configurations (POD 108):

Tasks:

  1. Configure R6 to be Remote Access VPN Hub.
    • Use local authentication and authorization on R6.
    • Configure R4 as RA Client. The only interface on R4 that is allowed to initiate communications to R2 L22 is Lo44.
    • R6 Lo66 is not allowed to communicate back to R4 Lo44.
    • Configure R2 as RA Client. Any host on R2 "inside" network is allowed to communicate to R6 Lo66
    • R6 Lo66 is also allowed to initiate connectivity to R2 "inside" network.
    • Use ISAKMP Profiles
    • Use Dynamic VTI
  2. Configure PC as RA Client. Use local authentication and authorization.

 

The R6 configuration uses two (2) ISAKMP profiles: one for R4 and one for R2. Later in the exercise you will understand why we split them in two.

R4's ISAKMP profile will also be used by the TEST-PC VPN. Since both of them run in client mode and follow the same model, we put them in VPN_GROUP1.

R6#
conf t
aaa new-model
aaa authentication login LOCALAUTH local
aaa authorization network LOCALAUTH local
aaa authentication login TACAUTH none
aaa authorization network TACAUTH none
username vpnuser1 password 0 cisco123
username vpnuser2 password 0 cisco123

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
exit

crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
exit

ip local pool VPN_POOL1 44.44.100.1 44.44.100.100

access-list 150 permit ip 66.66.66.66 0.0.0.0 any

! User PC VPN Group (IOS comment lines start with "!" so the block can be pasted as-is)
crypto isakmp client configuration group VPN_GROUP1
acl 150
key cisco123
pool VPN_POOL1
save-password
exit

! R2 Client Mode VPN
crypto isakmp client configuration group VPN_GROUP2
acl 150
key cisco123
pool VPN_POOL1
save-password
exit

! ISAKMP Profile for User PC VPN
crypto isakmp profile ISAKMP_PROF1
match identity group VPN_GROUP1
client authentication list LOCALAUTH
isakmp authorization list LOCALAUTH
client configuration address respond
virtual-template 2
exit

! ISAKMP Profile for R2 Client Mode VPN
crypto isakmp profile ISAKMP_PROF2
match identity group VPN_GROUP2
client authentication list LOCALAUTH
isakmp authorization list LOCALAUTH
client configuration address respond
virtual-template 3
exit

crypto ipsec profile IPSEC_PROF1
set transform-set TS1
exit

! Use this Template for User PC VPN
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/0
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROF1
exit

! Use this Template for R2 Client Mode VPN
interface Virtual-Template3 type tunnel
ip unnumbered FastEthernet0/0
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROF1
exit

end

wr mem

 

R2 will be running in network-extension mode, which allows hosts on its "inside" network to be reachable from the other side of the VPN tunnel.

R2# conf t 
line vty 0 4
 privilege level 15
 password cisco123
 exit

interface Virtual-Template1 type tunnel
 ip unnumbered G0/0
 exit
  
crypto ipsec client ezvpn CLIENT
 connect auto
 group VPN_GROUP2 key cisco123
 mode network-extension
 peer 44.44.2.6
 username vpnuser2 password cisco123
 xauth userid mode local
 virtual-interface 1
 exit

interface GigabitEthernet0/0
 description Outside interface
 crypto ipsec client ezvpn CLIENT outside
 exit

interface GigabitEthernet0/1
 description Inside interface
 crypto ipsec client ezvpn CLIENT inside
 exit

interface Lo22
 description Inside interface
 crypto ipsec client ezvpn CLIENT inside
 exit

end
wr mem

#---------------------------------------
#--- Outputs
#---------------------------------------

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback2
     66.0.0.0/32 is subnetted, 1 subnets
S       66.66.66.66 [1/0] via 0.0.0.0, Virtual-Access2
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     122.0.0.0/32 is subnetted, 1 subnets
C       122.122.122.122 is directly connected, Loopback0
     44.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O       44.44.2.0/24 [110/12] via 44.44.4.5, 00:00:24, GigabitEthernet0/0
O       44.44.3.0/24 [110/2] via 44.44.4.5, 00:00:25, GigabitEthernet0/0
C       44.44.4.0/24 is directly connected, GigabitEthernet0/0
C       44.44.5.0/24 is directly connected, GigabitEthernet0/1
C       44.44.100.1/32 is directly connected, Loopback10000
R2#  

R2#show crypto ipsec client ezvpn 
Easy VPN Remote Phase: 8

Tunnel name : CLIENT
Inside interface list: Loopback0
Outside interface: Virtual-Access2 (bound to GigabitEthernet0/0)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 44.44.100.1 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
       Address    : 66.66.66.66
       Mask       : 255.255.255.255
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 44.44.2.6

R2#

In addition, as you can see, R6 has VPN reachability to R2 Lo22.

R6#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 44.44.2.10 to network 0.0.0.0

     66.0.0.0/24 is subnetted, 1 subnets
C       66.66.66.0 is directly connected, Loopback66
     6.0.0.0/24 is subnetted, 1 subnets
C       6.6.6.0 is directly connected, Loopback6
     22.0.0.0/24 is subnetted, 1 subnets
S       22.22.22.0 [1/0] via 0.0.0.0, Virtual-Access2
     44.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       44.44.2.0/24 is directly connected, FastEthernet0/0
S       44.44.5.0/24 [1/0] via 0.0.0.0, Virtual-Access2
S       44.44.100.4/32 [1/0] via 0.0.0.0, Virtual-Access3
S       44.44.100.5/32 [1/0] via 44.44.5.100, Virtual-Access4
S*   0.0.0.0/0 [1/0] via 44.44.2.10
R6#
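The R6 routing table above shows the difference between the two modes: the network-extension peer (R2) injects its real inside subnets via its Virtual-Access interface, while a client-mode peer (R4, the PC) only leaves a /32 from the pool behind, so R6 Lo66 has no route back to R4 Lo44. The following Python check is an added example, not part of the original lab; it parses the static routes per Virtual-Access interface from the sample lines copied from the output above and assumes VPN_POOL1 lies within 44.44.100.0/24 as configured on R6.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the relevant lines of R6's "show ip route" from this lab.
R6_SHOW_IP_ROUTE = """\
     66.0.0.0/24 is subnetted, 1 subnets
C       66.66.66.0 is directly connected, Loopback66
     22.0.0.0/24 is subnetted, 1 subnets
S       22.22.22.0 [1/0] via 0.0.0.0, Virtual-Access2
     44.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       44.44.2.0/24 is directly connected, FastEthernet0/0
S       44.44.5.0/24 [1/0] via 0.0.0.0, Virtual-Access2
S       44.44.100.4/32 [1/0] via 0.0.0.0, Virtual-Access3
S       44.44.100.5/32 [1/0] via 44.44.5.100, Virtual-Access4
S*   0.0.0.0/0 [1/0] via 44.44.2.10
"""

# Assumption: VPN_POOL1 (44.44.100.1-44.44.100.100) sits inside this /24.
POOL = ip_network("44.44.100.0/24")

# "X.X.X.X/len is subnetted" headers carry the prefix length that IOS omits on the
# route lines below them; "variably subnetted" blocks print /len on every line.
HEADER = re.compile(r"^\s+\d+(?:\.\d+){3}/(\d+) is subnetted")
ROUTE = re.compile(r"^([A-Z*]+)\s+(\d+(?:\.\d+){3})(?:/(\d+))?\s.*?(Virtual-Access\d+)\s*$")

def vti_routes(text):
    """Map each Virtual-Access interface to the static prefixes RRI injected through it."""
    mask, out = None, {}
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            mask = int(h.group(1))
            continue
        m = ROUTE.match(line)
        if m and m.group(1) == "S":
            plen = int(m.group(3)) if m.group(3) else mask
            out.setdefault(m.group(4), []).append(ip_network(f"{m.group(2)}/{plen}"))
    return out

def peer_mode(prefixes):
    """Client mode leaves only the peer's /32 pool address (inside hosts are PAT'ed
    behind it); network-extension mode injects the peer's real inside subnets."""
    if all(p.prefixlen == 32 and p.subnet_of(POOL) for p in prefixes):
        return "client"
    return "network-extension"

def check_lab(text):
    """Evaluate the task requirements against what R6 can actually route to."""
    routes = vti_routes(text)
    reachable = [p for ps in routes.values() for p in ps]
    return {
        "modes": {vai: peer_mode(ps) for vai, ps in routes.items()},
        "r2_inside_reachable": ip_network("22.22.22.0/24") in reachable,
        "r4_lo44_reachable": any(ip_network("44.44.44.44/32").subnet_of(p) for p in reachable),
    }
```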


R6#
R6#telnet 22.22.22.22 /source-interface Lo66
Trying 22.22.22.22 ... Open


User Access Verification

Password: xyz
R2#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:24   
*578 vty 0                idle                 00:00:00 66.66.66.66

  Interface    User               Mode         Idle     Peer Address

R2#

 

R4 is running in client mode and uses local authentication.

R4# 
conf t
line vty 0 4
privilege level 15
password cisco123
exit

interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
exit

crypto ipsec client ezvpn CLIENT
connect auto
group VPN_GROUP1 key cisco123
mode client
peer 44.44.2.6
virtual-interface 1
username vpnuser1 password cisco123
xauth userid mode local
exit

interface Loopback4
crypto ipsec client ezvpn CLIENT inside
exit
interface Loopback44
crypto ipsec client ezvpn CLIENT inside
exit
interface FastEthernet0/0
description Internet Connection
crypto ipsec client ezvpn CLIENT
exit
end
wr mem


#---------------------------------------
#--- Outputs
#---------------------------------------

R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback4
     66.0.0.0/32 is subnetted, 1 subnets
S       66.66.66.66 [1/0] via 0.0.0.0, Virtual-Access2
     44.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O       44.44.2.0/24 [110/12] via 44.44.4.5, 00:02:31, FastEthernet0/0
O       44.44.3.0/24 [110/2] via 44.44.4.5, 00:02:31, FastEthernet0/0
C       44.44.4.0/24 is directly connected, FastEthernet0/0
O       44.44.5.0/24 [110/2] via 44.44.4.2, 00:02:31, FastEthernet0/0
C       44.44.44.0/24 is directly connected, Loopback44
C       44.44.100.4/32 is directly connected, Loopback10000
R4#
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
44.44.2.6       44.44.4.4       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R4#show crypto ipsec sa

interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 44.44.4.4

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 44.44.2.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 44.44.4.4, remote crypto endpt.: 44.44.2.6
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF8BA85AA(4172973482)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD62CB5F(224578399)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4584463/3505)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF8BA85AA(4172973482)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4584462/3505)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
R4#

R4#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : CLIENT
Inside interface list: Loopback4, Loopback44
Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 44.44.100.4 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
       Address    : 66.66.66.66
       Mask       : 255.255.255.255
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 44.44.2.6

R4#

R4#ping 66.66.66.66

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.66.66.66, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

R4#ping 66.66.66.66 source Lo4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.66.66.66, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

R4#ping 66.66.66.66 source Lo44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.66.66.66, timeout is 2 seconds:
Packet sent with a source address of 44.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#

 

And finally, here are a couple of Cisco VPN Client screenshots.
