This document provides instructions for configuring a site-to-site VPN tunnel between two routers using IPSec and pre-shared keys in Packet Tracer. It outlines the configuration steps for Router 1 and Router 0, including enabling ISAKMP, setting encryption and authentication methods, creating crypto maps, and applying them to interfaces. Show commands are included to verify the VPN setup and monitor encrypted traffic between the routers.
Source: https://learningnetwork.cisco.com/docs/DOC-10756 (The Cisco Learning Network, IINS Exam documents)

VPN site to site packet tracer 5.3 lab (version 1)

Created: 19 Dec. 2010 12:22 by Yasser Ramzy Auda (CCSI, CCNP R&S, CCNP Security). Last modified: 19 Dec. 2010 12:42 by the same author.

First of all, you need to study the concepts of IPsec, VPN types and cryptology well before you read this document. It only shows you how to type the right commands on both router sides using Packet Tracer 5.3.

We will use the following topology. Notice that you will set a static route between the two routers, while in real life both would be connected through ISPs.
For router 1 we will type the following commands:

Router(config)#crypto isakmp enable <=== enable ISAKMP (IKE) for IPsec
Router(config)#crypto isakmp policy 1 <=== create a new policy with number 1
Router(config-isakmp)#authentication pre-share <=== use the shared-key authentication method (if you use certificates, use rsa-sig instead of pre-share)
Router(config-isakmp)#encryption aes <=== use the symmetric encryption algorithm AES
Router(config-isakmp)#hash sha <=== use the hash algorithm SHA for data integrity
Router(config-isakmp)#group 2 <=== use Diffie-Hellman group 2
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 address 11.0.0.1 0.0.0.0 <=== 0 is the key that will be used with the next site; the next site's IP address is 11.0.0.1. Note that on Packet Tracer you use 0.0.0.0 instead of a subnet mask.
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac <=== create a transform set called yasser; ESP is the protocol that will be used (you can use AH on an internal VPN)
Router(config)#crypto ipsec security-association lifetime seconds 86400 <=== the key expires after 86400 seconds
Router(config)#ip access-list extended ramzy <=== ACL called ramzy that tells which traffic will use the VPN tunnel
Router(config-ext-nacl)#permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp <=== create a crypto map called auda with sequence number 100
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy <=== link the ACL above to this crypto map
Router(config-crypto-map)#set peer 11.0.0.1 <=== link the next site's IP address to this crypto map
Router(config-crypto-map)#set pfs group2 <=== link DH group 2 to this crypto map
Router(config-crypto-map)#set transform-set yasser <=== link the transform set above to this crypto map
Router(config-crypto-map)#ex
Router(config)#int fa 0/1 <=== apply crypto map auda to the interface facing the next site's link
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#do wr
Building configuration...
[OK]
Router(config-if)#^Z
Router#
For router 0 we will type the following commands:

Router(config)#crypto isakmp enable
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption aes
Router(config-isakmp)#group 2
Router(config-isakmp)#hash sha
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 address 11.0.0.2 0.0.0.0
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac
Router(config)#crypto ipsec security-association lifetime seconds 86400
Router(config)#ip access-list extended ramzy
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 12.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy
Router(config-crypto-map)#set peer 11.0.0.2
Router(config-crypto-map)#set pfs group2
Router(config-crypto-map)#set transform-set yasser
Router(config-crypto-map)#exit
Router(config)#interface fastEthernet 0/1
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#exit
Router(config)#do wr
Building configuration...
[OK]
Router(config)#
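The two configurations only work because they are mirror images of each other. As an added example (not part of the original lab), the Python script below parses the crypto-related lines of both routers and checks the properties the tunnel depends on: identical ISAKMP policy and transform set, a pre-shared key bound to the same address as the crypto map peer, and crypto ACLs that mirror each other. The config fragments are constructed from the commands above, not captured from a device.

```python
# Crypto-relevant lines of router 1, transcribed from the lab commands in this
# document (constructed sample input, not a device capture).
ROUTER1 = """crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto isakmp key 0 address 11.0.0.1 0.0.0.0
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
 permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 set peer 11.0.0.1
 set pfs group2"""
# Router 0 is the mirror image: peer address swapped, ACL source/destination swapped.
ROUTER0 = ROUTER1.replace("11.0.0.1", "11.0.0.2").replace(
    "12.0.0.0 0.255.255.255 10.0.0.0", "10.0.0.0 0.255.255.255 12.0.0.0")


def parse_crypto(config):
    """Pull the tunnel parameters out of an IOS-style config fragment."""
    p = {}
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] in ("authentication", "encryption", "hash", "group"):
            p[w[0]] = w[1]                        # ISAKMP (phase 1) policy
        elif w[:3] == ["crypto", "isakmp", "key"]:
            p["key_peer"] = w[w.index("address") + 1]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["transform"] = tuple(w[4:])         # IPsec (phase 2) proposal
        elif w[0] == "permit":
            p["acl"] = (w[2], w[3], w[4], w[5])   # src, wildcard, dst, wildcard
        elif w[:2] == ["set", "peer"]:
            p["peer"] = w[2]
        elif w[:2] == ["set", "pfs"]:
            p["pfs"] = w[2]
    return p


def check_pair(a, b):
    """Return the mismatches that would stop the tunnel from coming up."""
    problems = []
    for k in ("authentication", "encryption", "hash", "group", "transform", "pfs"):
        if a.get(k) != b.get(k):
            problems.append(f"{k} differs: {a.get(k)} vs {b.get(k)}")
    for side in (a, b):                           # key must be bound to the peer we negotiate with
        if side.get("key_peer") != side.get("peer"):
            problems.append(f"key bound to {side.get('key_peer')} but peer is {side.get('peer')}")
    sa, sb = a.get("acl"), b.get("acl")           # each side's ACL is the other's reversed
    if not sa or not sb or sa != (sb[2], sb[3], sb[0], sb[1]):
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Running `check_pair(parse_crypto(ROUTER1), parse_crypto(ROUTER0))` on the lab configuration returns an empty list; change `hash sha` to `hash md5` on one side and the phase 1 mismatch is reported.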
Now let's go to router 0 and do some show commands:

Router#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Router#

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
11.0.0.1        11.0.0.2        QM_IDLE           1062    0 ACTIVE

IPv6 Crypto ISAKMP SA

Router#

Router#show crypto map
Crypto Map auda 100 ipsec-isakmp
        Peer = 11.0.0.1
        Extended IP access list ramzy
            access-list ramzy permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
        Current peer: 11.0.0.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): Y
        Transform sets={ yasser, }
        Interfaces using crypto map auda:
                FastEthernet0/1
Router#

Router#sh crypto ipsec transform-set
Transform set yasser: { esp-aes esp-sha-hmac }
   will negotiate = { Tunnel, },

Router#
Now let's make PC0 ping PC1 and look at the IPsec security associations:

Router#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: auda, local addr 11.0.0.2

   local crypto endpt.: 11.0.0.2, remote crypto endpt.: 11.0.0.1
   path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
   current outbound spi: 0x12D96D50(316239184)

   inbound esp sas:
    spi: 0x590D14F4(1494029556)
      transform: esp-aes esp-sha-hmac ,
      in use settings ={Tunnel, }
      conn id: 2004, flow_id: FPGA:1, crypto map: auda
      sa timing: remaining key lifetime (k/sec): (4525504/86170)
      IV size: 16 bytes
      replay detection support: N
      Status: ACTIVE

   inbound ah sas:

   inbound pcp sas:

   outbound esp sas:
    spi: 0x12D96D50(316239184)
      transform: esp-aes esp-sha-hmac ,
      in use settings ={Tunnel, }
      conn id: 2005, flow_id: FPGA:1, crypto map: auda
      sa timing: remaining key lifetime (k/sec): (4525504/86170)
      IV size: 16 bytes
      replay detection support: N
      Status: ACTIVE