
Course: Cloud and Network Security

Student Name: Dickens Omolo

Student No.: cs-cns07-24101

Sunday, 20th October, 2024

Week 5 Optional Assignment: Configuring a Site-to-Site IPsec VPN

Introduction
This report outlines the process of configuring a site-to-site IPsec VPN between two routers, R1
and R3, while traversing a third router, R2 that does not have any VPN knowledge. The
objective of this assignment was to enable secure communication between two local area
networks (LANs) using IPsec, which encrypts and authenticates IP packets at the network layer.
The report details the steps taken to set up the routers, configure necessary parameters, and
verify the VPN’s functionality.

The topology is as shown below.


Objectives
- Verify connectivity throughout the network.
- Configure R1 to support a site-to-site IPsec VPN with R3.

Addressing table

Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      G0/0           192.168.1.1   255.255.255.0    N/A              S1 F0/1
R1      S0/0/0 (DCE)   10.1.1.2      255.255.255.252  N/A              N/A
R2      G0/0           192.168.2.1   255.255.255.0    N/A              S2 F0/2
R2      S0/0/0         10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.1      255.255.255.252  N/A              N/A
R3      G0/0           192.168.3.1   255.255.255.0    N/A              S3 F0/5
R3      S0/0/1         10.2.2.2      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.3   255.255.255.0    192.168.1.1      S1 F0/2
PC-B    NIC            192.168.2.3   255.255.255.0    192.168.2.1      S2 F0/1
PC-C    NIC            192.168.3.3   255.255.255.0    192.168.3.1      S3 F0/18

ISAKMP Phase 1 Policy Parameters

Parameter                Options and Defaults     R1          R3
Key Distribution Method  Manual or ISAKMP         ISAKMP      ISAKMP
Encryption Algorithm     DES, 3DES, or AES        AES 256     AES 256
Hash Algorithm           MD5 or SHA-1             SHA-1       SHA-1
Authentication Method    Pre-shared keys or RSA   pre-share   pre-share
Key Exchange             DH Group 1, 2, or 5      DH 5        DH 5
IKE SA Lifetime          86400 seconds or less    86400       86400
ISAKMP Key               Provided by user         vpnpa55     vpnpa55


IPsec Phase 2 Policy Parameters

Parameter                     R1                                                     R3
Transform Set Name            VPN-SET                                                VPN-SET
ESP Transform Encryption      esp-aes                                                esp-aes
ESP Transform Authentication  esp-sha-hmac                                           esp-sha-hmac
Peer IP Address               10.2.2.2                                               10.1.1.2
Traffic to be Encrypted       access-list 110 (source 192.168.1.0, dest 192.168.3.0)  access-list 110 (source 192.168.3.0, dest 192.168.1.0)
Crypto Map Name               VPN-MAP                                                VPN-MAP
SA Establishment              ipsec-isakmp                                           ipsec-isakmp

The routers have been pre-configured with the following:


- Password for console line: ciscoconpa55
- Password for vty lines: ciscovtypa55
- Enable password: ciscoenpa55
- SSH username and password: SSHadmin / ciscosshpa55
- OSPF 101

Configuration Steps and Results


Part 1: Configure IPsec Parameters on R1
Step 1: Test connectivity.
Ping from PC-A to PC-C.
As the screenshot below shows, PC-A and PC-C can reach each other.

Step 2: Enable the Security Technology package.


a. Enable the Security Technology package with the following command.
R1(config)# license boot module c1900 technology-package securityk9
b. Accept the end-user license agreement.
c. Save the running-config and reload the router to enable the security license.
d. Verify that the Security Technology package has been enabled by using the show version command.

After rebooting, I confirmed the activation again, and the securityk9 module was successfully enabled.
Step 3: Identify interesting traffic on R1.
Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting. This
interesting traffic will trigger the IPsec VPN whenever there is traffic between the R1 and R3 LANs.
All other traffic sourced from the LANs will not be encrypted. Because of the implicit deny all at the
end of every ACL, there is no need to configure a deny ip any any statement.
R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
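The wildcard-mask matching that decides which packets are "interesting" is easy to get backwards, so here is a small Python model of it. This is an added example, not tooling from the report or from Cisco: it parses the ACL 110 entry above, evaluates it with IOS first-match semantics and the implicit deny, and builds the mirror-image entry the peer needs. The PC addresses come from the addressing table; support for "any" and "host" is a generalisation beyond the single entry the lab uses.

```python
import ipaddress

# Constructed input: the only entry in ACL 110 on R1 (Step 3).
R1_ACL_110_TEXT = "access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255"


def parse_acl_line(line: str):
    """Parse 'access-list <n> permit|deny ip <src> <wc> <dst> <wc>'.
    'any' and 'host A.B.C.D' are accepted in either address position."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACL entry: {line!r}")
    action, rest, addrs = tok[2], tok[4:], []
    while rest:
        if rest[0] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        elif len(rest) >= 2:
            addrs.append((rest[1], "0.0.0.0") if rest[0] == "host" else (rest[0], rest[1]))
            rest = rest[2:]
        else:
            raise ValueError(f"truncated address in: {line!r}")
    if len(addrs) != 2:
        raise ValueError(f"expected a source and a destination in: {line!r}")
    (s_net, s_wc), (d_net, d_wc) = addrs
    return (action, s_net, s_wc, d_net, d_wc)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match exactly,
    a 1 bit is a don't-care (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; falling off the end is the implicit
    'deny ip any any', which is why no explicit deny is configured."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def is_interesting(acl, src: str, dst: str) -> bool:
    """Permitted traffic triggers IPsec; everything else leaves in the clear."""
    return acl_action(acl, src, dst) == "permit"


def mirror_acl(acl):
    """The entry list the peer router needs: the same entries with source
    and destination swapped (this is R3's ACL 110 in Part 2)."""
    return [(act, d_net, d_wc, s_net, s_wc) for act, s_net, s_wc, d_net, d_wc in acl]


R1_ACL_110 = [parse_acl_line(R1_ACL_110_TEXT)]

if __name__ == "__main__":
    for src, dst in (("192.168.1.3", "192.168.3.3"),    # PC-A -> PC-C
                     ("192.168.1.3", "192.168.2.3")):   # PC-A -> PC-B
        verdict = "interesting" if is_interesting(R1_ACL_110, src, dst) else "clear"
        print(f"{src} -> {dst}: {verdict}")
```

PC-A to PC-C matches the permit entry and is protected; PC-A to PC-B matches nothing and is forwarded unencrypted, which is exactly what the Part 3 counters later confirm.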

Step 4: Configure the IKE Phase 1 ISAKMP policy on R1.


Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key vpnpa55.
Refer to the ISAKMP Phase 1 table for the specific parameters to configure. Default values do not
have to be configured, so only the encryption algorithm, the authentication method, and the DH group
must be set explicitly; the SHA-1 hash and the 86400-second SA lifetime are IOS defaults.
Note: The highest DH group currently supported by Packet Tracer is group 5. In a production
network, you would configure at least DH 14.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# exit
R1(config)# crypto isakmp key vpnpa55 address 10.2.2.2

Step 5: Configure the IKE Phase 2 IPsec policy on R1.


a. Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac.
R1(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
b. Create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use
sequence number 10 and identify it as an ipsec-isakmp map.
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

Step 6: Configure the crypto map on the outgoing interface.


Bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface.
R1(config)# interface s0/0/0
R1(config-if)# crypto map VPN-MAP
Part 2: Configure IPsec Parameters on R3
Step 1: Enable the Security Technology package.
a. On R3, issue the show version command to verify that the Security Technology package license
information has been enabled.
b. If the security technology package has not been enabled, enable the package and reload R3.

Step 2: Configure router R3 to support a site-to-site VPN with R1.


Configure reciprocating parameters on R3. Configure ACL 110 to identify the traffic from the LAN on
R3 to the LAN on R1 as interesting.
R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 3: Configure the IKE Phase 1 ISAKMP properties on R3.


Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key vpnpa55.
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 5
R3(config-isakmp)# exit
R3(config)# crypto isakmp key vpnpa55 address 10.1.1.2
Step 4: Configure the IKE Phase 2 IPsec policy on R3.
a. Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac.
R3(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
b. Create the crypto map VPN-MAP to bind all of the Phase 2 parameters together. Use sequence
number 10 and identify it as an ipsec-isakmp map.
R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.1.1.2
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit
Step 5: Configure the crypto map on the outgoing interface.
Bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface.
R3(config)# interface s0/0/1
R3(config-if)# crypto map VPN-MAP
I applied the crypto map to the Serial 0/0/1 interface on R3.
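Most site-to-site failures come from the two sides not reciprocating: a peer address, pre-shared key, ISAKMP parameter, transform set, or crypto ACL that differs by one token. The script below is an added example (not part of the report or of Cisco IOS) that parses the R1 and R3 commands from Parts 1 and 2, with prompts stripped, and reports every mismatch. The WAN addresses 10.1.1.2 and 10.2.2.2 are taken from the addressing table; the dictionary layout is this example's own.

```python
# Added example: the R1 and R3 crypto configuration from Parts 1 and 2, prompts stripped.
R1_CONFIG = """\
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key vpnpa55 address 10.2.2.2
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set VPN-SET
 match address 110
interface s0/0/0
 crypto map VPN-MAP
"""

R3_CONFIG = """\
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key vpnpa55 address 10.1.1.2
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set VPN-SET
 match address 110
interface s0/0/1
 crypto map VPN-MAP
"""


def parse_vpn_config(text: str) -> dict:
    """Extract the pieces that must agree between two IPsec peers."""
    cfg = {"acl": {}, "isakmp": {}, "psk": {}, "tsets": {}, "cmap": {}, "bound": []}
    section, iface = None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "exit":
            continue
        line = " ".join(tok)
        if tok[0] == "access-list":                        # (action, src, wc, dst, wc)
            cfg["acl"].setdefault(tok[1], []).append(tuple(tok[2:3] + tok[4:8]))
        elif line.startswith("crypto isakmp policy"):
            section = "isakmp"
        elif line.startswith("crypto isakmp key"):          # peer address -> key
            cfg["psk"][tok[5]] = tok[3]
        elif line.startswith("crypto ipsec transform-set"):
            cfg["tsets"][tok[3]] = tuple(tok[4:])
        elif line.startswith("crypto map") and tok[-1] == "ipsec-isakmp":
            section, cfg["cmap"]["name"] = "cmap", tok[2]
        elif tok[0] == "interface":
            section, iface = "iface", tok[1]
        elif section == "isakmp":                           # encryption / authentication / group
            cfg["isakmp"][tok[0]] = " ".join(tok[1:])
        elif section == "cmap" and tok[0] == "set":         # set peer / set transform-set
            cfg["cmap"][tok[1]] = tok[2]
        elif section == "cmap" and tok[0] == "match":
            cfg["cmap"]["acl"] = tok[2]
        elif section == "iface" and line.startswith("crypto map"):
            cfg["bound"].append((iface, tok[2]))
    return cfg


def check_reciprocity(a: dict, a_wan: str, b: dict, b_wan: str) -> list:
    """Return the list of mismatches between the two sides (empty means they agree).
    a_wan / b_wan are the WAN addresses the tunnel terminates on."""
    problems = []
    if a["cmap"].get("peer") != b_wan or b["cmap"].get("peer") != a_wan:
        problems.append("set peer does not point at the other side's WAN address")
    if not a["psk"].get(b_wan) or a["psk"].get(b_wan) != b["psk"].get(a_wan):
        problems.append("pre-shared key missing, bound to the wrong address, or different on the two sides")
    for p in ("encryption", "authentication", "group"):
        if a["isakmp"].get(p) != b["isakmp"].get(p):
            problems.append(f"ISAKMP policy mismatch on '{p}'")
    ts_a = a["tsets"].get(a["cmap"].get("transform-set"))
    ts_b = b["tsets"].get(b["cmap"].get("transform-set"))
    if ts_a is None or ts_a != ts_b:
        problems.append("transform set missing or not identical on both peers")
    acl_a = a["acl"].get(a["cmap"].get("acl"), [])
    acl_b = b["acl"].get(b["cmap"].get("acl"), [])
    if not acl_a or [(x, dn, dw, sn, sw) for x, sn, sw, dn, dw in acl_a] != acl_b:
        problems.append("crypto ACLs are not mirror images of each other")
    for label, side in (("A", a), ("B", b)):
        if side["cmap"].get("name") not in [m for _, m in side["bound"]]:
            problems.append(f"crypto map not applied to any interface on side {label}")
    return problems


if __name__ == "__main__":
    issues = check_reciprocity(parse_vpn_config(R1_CONFIG), "10.1.1.2",
                               parse_vpn_config(R3_CONFIG), "10.2.2.2")
    print("configurations reciprocate" if not issues else "\n".join(issues))
```

Run it before generating traffic: a single wrong DH group or a key bound to the wrong address is reported by name instead of surfacing later as a silent Phase 1 failure.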
Part 3: Verify the IPsec VPN
Step 1: Verify the tunnel before interesting traffic.
I verified the IPsec security associations on R1 before generating traffic:
The output showed that no packets had been processed yet.

Step 2: Create interesting traffic.


Ping PC-C from PC-A.

I pinged from PC-A to PC-C again, generating interesting traffic.

Step 3: Verify the tunnel after interesting traffic.


On R1, I re-issued the show crypto ipsec sa command. Notice that the number of packets is more
than 0, which indicates that the IPsec VPN tunnel is working.
I reissued the show crypto ipsec sa command and observed that packets were now being encapsulated
and encrypted.
Step 4: Create uninteresting traffic.
Finally, I pinged PC-B from PC-A and confirmed that the packet counts did not change, indicating
uninteresting traffic was not encrypted.
Step 5: Verify the tunnel.
On R1, I re-issued the show crypto ipsec sa command. I noted that the number of packets has not
changed, which verifies that uninteresting traffic is not encrypted.
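Steps 1, 3 and 5 are all the same check read off the show crypto ipsec sa counters, so it is worth automating. The following Python is an added example, not output captured in the lab: the three snapshots are constructed in the shape of that command's output (counter values are invented), and the functions parse them and decide whether the SA actually carried traffic between two snapshots and whether its negotiated identities match ACL 110.

```python
import re

# Constructed snapshots shaped like IOS 'show crypto ipsec sa' output on R1;
# the packet counts are invented for the example.
SA_TEMPLATE = """\
interface: Serial0/0/0
    Crypto map tag: VPN-MAP, local addr 10.1.1.2
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.2 port 500
    #pkts encaps: {n}, #pkts encrypt: {n}, #pkts digest: {n}
    #pkts decaps: {n}, #pkts decrypt: {n}, #pkts verify: {n}
    #send errors 0, #recv errors 0
"""
SA_BEFORE = SA_TEMPLATE.format(n=0)                 # Step 1: nothing processed yet
SA_AFTER_INTERESTING = SA_TEMPLATE.format(n=4)      # Step 3: after PC-A pinged PC-C
SA_AFTER_UNINTERESTING = SA_TEMPLATE.format(n=4)    # Step 5: after PC-A pinged PC-B

COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PEER_RE = re.compile(r"current_peer (\S+)")


def sa_counters(text: str) -> dict:
    """Packet counters of the SA plus the send/recv error counts."""
    counters = {name: int(v) for name, v in COUNTER_RE.findall(text)}
    counters.update({f"{k}_errors": int(v) for k, v in ERROR_RE.findall(text)})
    return counters


def sa_identities(text: str) -> dict:
    """Proxy identities negotiated for the SA; they must equal the crypto ACL subnets."""
    return {side: f"{net}/{mask}" for side, net, mask in IDENT_RE.findall(text)}


def sa_peer(text: str) -> str:
    m = PEER_RE.search(text)
    return m.group(1) if m else ""


def tunnel_carried_traffic(before: str, after: str) -> bool:
    """True when the SA encapsulated and decapsulated new packets between the
    two snapshots with nothing failing to encrypt: the test behind Steps 3 and 5."""
    b, a = sa_counters(before), sa_counters(after)
    sent = a["encaps"] - b["encaps"]
    received = a["decaps"] - b["decaps"]
    clean = a["encrypt"] == a["encaps"] and a["send_errors"] == b["send_errors"]
    return sent > 0 and received > 0 and clean


if __name__ == "__main__":
    print("identities:", sa_identities(SA_BEFORE), "peer:", sa_peer(SA_BEFORE))
    print("interesting ping protected:", tunnel_carried_traffic(SA_BEFORE, SA_AFTER_INTERESTING))
    print("uninteresting ping protected:", tunnel_carried_traffic(SA_AFTER_INTERESTING, SA_AFTER_UNINTERESTING))
```

Comparing snapshots rather than reading a single absolute count is what makes Step 5 meaningful: the counters are non-zero by then, and only the absence of a delta shows that the PC-B traffic bypassed the tunnel.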

Step 6: Check results.

My completion percentage was 100%. I clicked Check Results to see feedback and verification of which
required components had been completed.

Conclusion
Through this exercise, I learned the importance of configuring both the ISAKMP and IPsec
settings for a secure VPN connection between routers. The step-by-step process highlighted how
to identify interesting traffic using ACLs and set up both phases of the VPN. My experience
reinforced the need for meticulous configuration and testing, as even minor errors can disrupt
connectivity. Overall, this activity deepened my understanding of network security and VPN
configuration, which are valuable skills.
