LAB
Task 1: Configure an ISAKMP Keyring
Router(config)# crypto keyring NEWKEYRING
Router(conf-keyring)# pre-shared-key address 172.17.2.4 key cisco1
Router(conf-keyring)# pre-shared-key address 172.17.2.7 key cisco2
Task 2: (Optional) Configure an IPsec Transform Set
Router(config)# crypto ipsec transform-set AES128-SHA esp-aes 128 esp-sha-hmac
Task 3: Configure an IPsec Protection Profile
Router(config)# crypto ipsec profile MYIPsecProfile
Router(ipsec-profile)# set transform-set AES128-SHA
Router(ipsec-profile)# end
Router# copy running-config startup-config
Task 4: Configure a Virtual Template Interface
Router(config)# interface Virtual-Template1 type tunnel
Router(config-if)# ip unnumbered GigabitEthernet0/0
Router(config-if)# tunnel mode ipsec ipv4
Router(config-if)# tunnel protection ipsec profile MYIPsecProfile
(Note: The IP address of a virtual template interface must be configured using the ip
unnumbered interface command; every Virtual-Access interface cloned from the template
inherits that address.)
Task 5: Map Remote Peer to a Virtual Template Interface
Router(config)# crypto isakmp profile ISAKMPProfile
Router(conf-isa-prof)# keyring NEWKEYRING
Router(conf-isa-prof)# match identity address 172.17.2.4 255.255.255.255
Router(conf-isa-prof)# match identity address 172.17.2.7 255.255.255.255
Router(conf-isa-prof)# virtual-template 1
(Note: With pre-shared keys the peer is identified by its IP address, so each spoke needs
both a pre-shared-key entry in the keyring and a matching match identity address line in
the profile; a peer that matches neither is not mapped to the virtual template.)
=========================================================================
HUB
hostname Site_HUB
no ip domain lookup
crypto keyring NEWKEYRING
pre-shared-key address 10.1.1.5 key cisco
pre-shared-key address 10.1.1.9 key cisco2
!
crypto isakmp policy 10
encryption aes
authentication pre-share
group 5
lifetime 3600
crypto isakmp profile MYISAKMPProfile
keyring NEWKEYRING
match identity address 10.1.1.5 255.255.255.255
match identity address 10.1.1.9 255.255.255.255
virtual-template 1
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile MYIPsecPROFILE
set transform-set AES128-SHA
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ip ospf 200 area 2
!
interface Serial1/1
ip address 10.1.1.1 255.255.255.252
serial restart-delay 0
!
interface Virtual-Template1 type tunnel
ip unnumbered Serial1/1
ip ospf 200 area 2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MYIPsecPROFILE
!
router ospf 100
log-adjacency-changes
network 10.1.1.0 0.0.0.7 area 0
!
router ospf 200
log-adjacency-changes
!
Site_A
hostname Site_A
no ip domain lookup
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco address 10.1.1.1
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile MYIPsecPROFILE
set transform-set AES128-SHA
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
ip ospf 200 area 2
!
interface Tunnel10
ip unnumbered Serial1/2
ip ospf 200 area 2
tunnel source Serial1/2
tunnel destination 10.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MYIPsecPROFILE
!
interface Serial1/2
ip address 10.1.1.5 255.255.255.252
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
network 10.1.1.0 0.0.0.7 area 0
!
router ospf 200
log-adjacency-changes
!
Site_B
hostname Site_B
no ip domain lookup
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco2 address 10.1.1.1
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile MYIPsecPROFILE
set transform-set AES128-SHA
!
interface Loopback0
ip address 192.168.3.1 255.255.255.0
ip ospf 200 area 2
!
interface Tunnel10
ip unnumbered Serial1/3
ip ospf 200 area 2
tunnel source Serial1/3
tunnel destination 10.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MYIPsecPROFILE
!
interface Serial1/3
ip address 10.1.1.9 255.255.255.252
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
network 10.1.1.8 0.0.0.7 area 0
!
router ospf 200
log-adjacency-changes
!
ISP
hostname ISP
no ip domain lookup
!
interface Serial1/1
ip address 10.1.1.2 255.255.255.252
serial restart-delay 0
!
interface Serial1/2
ip address 10.1.1.6 255.255.255.252
serial restart-delay 0
!
interface Serial1/3
ip address 10.1.1.10 255.255.255.252
serial restart-delay 0
!
router ospf 100
log-adjacency-changes
network 10.1.1.0 0.0.0.255 area 0
!
end
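The five tasks above and the three device configs that follow them are the whole trust relationship of the lab: the hub keyring key for a spoke's address has to equal the key that spoke configures for the hub, every keyring entry needs a match identity line in the ISAKMP profile, and the IKE policy decides how strong phase 1 is. The following script is an added example for this page (not Cisco code) that audits exactly those three things over running-config text. The config excerpts inside it are constructed from the Site_HUB, Site_A and Site_B configs shown here; the DH group floor of 14 and the DES/3DES weak-cipher list are this audit's assumptions, chosen because the lab's group 5 and unspecified hash (SHA-1) are what a reviewer would flag today. Python is used because the page's own language is IOS CLI, which cannot express the check.

```python
"""Audit the hub-and-spoke IPsec VTI lab configs for weak IKE settings and PSK mismatches.
Added example for this page, not Cisco code. It understands only the commands used in
the lab (crypto keyring / pre-shared-key, crypto isakmp policy, crypto isakmp key,
crypto isakmp profile / match identity address), parsed from plain running-config text."""
import re

# Constructed excerpts of the Site_HUB, Site_A and Site_B configs on this page.
HUB_CONFIG = """\
crypto keyring NEWKEYRING
 pre-shared-key address 10.1.1.5 key cisco
 pre-shared-key address 10.1.1.9 key cisco2
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp profile MYISAKMPProfile
 keyring NEWKEYRING
 match identity address 10.1.1.5 255.255.255.255
 match identity address 10.1.1.9 255.255.255.255
 virtual-template 1
"""
SPOKE_CONFIGS = {   # keyed by the spoke's tunnel source address
    "10.1.1.5": "crypto isakmp policy 10\n encr aes\n authentication pre-share\n group 5\n"
                "crypto isakmp key cisco address 10.1.1.1\n",
    "10.1.1.9": "crypto isakmp policy 10\n encr aes\n authentication pre-share\n group 5\n"
                "crypto isakmp key cisco2 address 10.1.1.1\n",
}

# Thresholds are this audit's assumption: DH group 14 as the floor, DES/3DES as weak.
MIN_DH_GROUP = 14
WEAK_CIPHERS = {"des", "3des"}


def parse_policies(config):
    """Return {priority: {keyword: value}} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            keyword, _, value = line.strip().partition(" ")
            current[keyword] = value
        else:
            current = None      # any other top-level command ends the block
    return policies


def parse_keyring(config):
    """Return {peer_ip: key} from the 'pre-shared-key address X key K' lines."""
    return dict(re.findall(r"pre-shared-key address (\S+) key (\S+)", config))


def parse_matched_identities(config):
    """Return the peer IPs an ISAKMP profile matches with a /32 'match identity address'."""
    return set(re.findall(r"match identity address (\S+) 255\.255\.255\.255", config))


def audit_policies(config):
    """Return findings for weak IKE policy settings; IOS defaults are DES, SHA-1, DH group 1."""
    findings = []
    for prio, p in parse_policies(config).items():
        cipher = (p.get("encryption") or p.get("encr") or "des").split()[0]  # 'encr' is the IOS abbreviation
        if cipher in WEAK_CIPHERS:
            findings.append(f"policy {prio}: weak cipher {cipher}")
        group = int(p.get("group", "1"))
        if group < MIN_DH_GROUP:
            findings.append(f"policy {prio}: DH group {group} below {MIN_DH_GROUP}")
        if "hash" not in p:
            findings.append(f"policy {prio}: hash not set (defaults to SHA-1)")
    return findings


def audit_psks(hub_config, spoke_configs):
    """Check hub keyring, ISAKMP profile identities and spoke PSKs against each other."""
    findings = []
    keyring = parse_keyring(hub_config)
    matched = parse_matched_identities(hub_config)
    for ip in sorted(keyring.keys() - matched):
        findings.append(f"hub: keyring entry {ip} has no match identity line")
    for ip in sorted(matched - keyring.keys()):
        findings.append(f"hub: match identity {ip} has no keyring entry")
    for spoke_ip, cfg in spoke_configs.items():
        m = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg)
        if m is None:
            findings.append(f"spoke {spoke_ip}: no crypto isakmp key for the hub")
        elif spoke_ip not in keyring:
            findings.append(f"spoke {spoke_ip}: not in hub keyring")
        elif keyring[spoke_ip] != m.group(1):
            findings.append(f"spoke {spoke_ip}: PSK differs from hub keyring")
    return findings


def audit_lab(hub_config, spoke_configs):
    """Run every check over the hub and all spokes; an empty list means clean."""
    findings = audit_policies(hub_config)
    for spoke_ip, cfg in spoke_configs.items():
        findings += [f"spoke {spoke_ip} {f}" for f in audit_policies(cfg)]
    return findings + audit_psks(hub_config, spoke_configs)


if __name__ == "__main__":
    for finding in audit_lab(HUB_CONFIG, SPOKE_CONFIGS):
        print(finding)
```

Run against the lab as written, the PSK checks come back clean (cisco for 10.1.1.5 and cisco2 for 10.1.1.9 agree on both ends) and the only findings are the DH group 5 and the unset hash on each of the three policy 10 blocks. Change one spoke's key and the PSK mismatch is reported for that spoke only, which is the failure that otherwise shows up as a phase 1 SA stuck in MM_NO_STATE on the hub.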
Verification
Site_HUB#show crypto isakmp peers
Peer: 10.1.1.5 Port: 500 Local: 10.1.1.1
Phase1 id: 10.1.1.5
Peer: 10.1.1.9 Port: 500 Local: 10.1.1.1
Phase1 id: 10.1.1.9
Site_HUB#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Site_HUB#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.1.1.1 10.1.1.5 QM_IDLE 1003 0 ACTIVE
10.1.1.1 10.1.1.9 QM_IDLE 1004 0 ACTIVE
IPv6 Crypto ISAKMP SA
Site_HUB#show crypto isakmp profile
ISAKMP PROFILE MYISAKMPProfile
Ref Count = 3
Identities matched are:
ip-address 10.1.1.5 255.255.255.255
ip-address 10.1.1.9 255.255.255.255
Certificate maps matched are:
keyring(s): NEWKEYRING
trustpoint(s): <all>
virtual-template: 1
Site_HUB#
Site_HUB#show running-config interface Virtual-access 2
Building configuration...
Current configuration : 240 bytes
interface Virtual-Access2
ip unnumbered Serial1/1
ip ospf 200 area 2
tunnel source 10.1.1.1
tunnel destination 10.1.1.5
tunnel mode ipsec ipv4
tunnel protection ipsec profile MYIPsecPROFILE
no tunnel protection ipsec initiate
end
Site_HUB#show running-config interface Virtual-access 3
Building configuration...
Current configuration : 240 bytes
!
interface Virtual-Access3
ip unnumbered Serial1/1
ip ospf 200 area 2
tunnel source 10.1.1.1
tunnel destination 10.1.1.9
tunnel mode ipsec ipv4
tunnel protection ipsec profile MYIPsecPROFILE
no tunnel protection ipsec initiate
end
Site_HUB#show interfaces virtual-access
Site_HUB#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial1/0 unassigned YES NVRAM administratively down down
Serial1/1 10.1.1.1 YES NVRAM up up
Serial1/2 unassigned YES NVRAM administratively down down
Serial1/3 unassigned YES NVRAM administratively down down
Virtual-Access1 unassigned YES unset down down
Virtual-Template1 10.1.1.1 YES TFTP down down
Virtual-Access2 10.1.1.1 YES TFTP up up
Virtual-Access3 10.1.1.1 YES TFTP up up
Loopback0 192.168.1.1 YES manual up up
It takes more than 20 seconds until protocol loading finishes (below: shutdown followed by no shutdown on Serial1/1).
Site_HUB(config)#interface Serial1/1
Site_HUB(config-if)#shutdown
Site_HUB(config-if)#
*Mar 1 01:51:23.003: %OSPF-5-ADJCHG: Process 100, Nbr 10.1.1.10 on Serial1/1 from FULL to DOWN, Neighbor Down: Interface down or detached
Site_HUB(config-if)#no shutdown
Site_HUB(config-if)#
*Mar 1 01:51:24.827: %OSPF-5-ADJCHG: Process 100, Nbr 10.1.1.10 on Serial1/1 from LOADING to FULL, Loading Done
Site_HUB(config-if)#
*Mar 1 01:51:36.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Mar 1 01:51:36.655: %OSPF-5-ADJCHG: Process 200, Nbr 192.168.2.1 on Virtual-Access2 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 1 01:51:36.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Mar 1 01:51:36.919: %OSPF-5-ADJCHG: Process 200, Nbr 192.168.3.1 on Virtual-Access3 from FULL to DOWN, Neighbor Down: Interface down or detached
Site_HUB(config-if)#
*Mar 1 01:51:46.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Mar 1 01:51:46.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Mar 1 01:51:47.047: %OSPF-5-ADJCHG: Process 200, Nbr 192.168.2.1 on Virtual-Access2 from LOADING to FULL, Loading Done
*Mar 1 01:51:47.271: %OSPF-5-ADJCHG: Process 200, Nbr 192.168.3.1 on Virtual-Access3 from LOADING to FULL, Loading Done
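The verification transcript above is what a healthy hub looks like: one QM_IDLE/ACTIVE ISAKMP SA per spoke, one up/up Virtual-Access interface per spoke, and nothing else negotiating with the hub. Because the cloned Virtual-Access interfaces carry no tunnel protection ipsec initiate, the hub never dials out, so a spoke missing from show crypto isakmp sa means that spoke has not completed phase 1. The script below is an added example for this page (not Cisco code) that turns those two show outputs into a pass/fail check. The output text inside it is constructed from the transcript above; the parsing follows the column layout seen there and is a check for this lab, not a general IOS parser.

```python
"""Verify hub state from 'show crypto isakmp sa' and 'show ip interface brief' text.
Added example for this page, not Cisco code. The two outputs below are constructed
from the Verification transcript on this page; the parsing follows the column layout
seen there, so it is a check for this lab rather than a general IOS parser."""
import re

ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.1.1.1 10.1.1.5 QM_IDLE 1003 0 ACTIVE
10.1.1.1 10.1.1.9 QM_IDLE 1004 0 ACTIVE
IPv6 Crypto ISAKMP SA
"""
IP_INT_BRIEF_OUTPUT = """\
Interface IP-Address OK? Method Status Protocol
Serial1/1 10.1.1.1 YES NVRAM up up
Serial1/2 unassigned YES NVRAM administratively down down
Virtual-Access1 unassigned YES unset down down
Virtual-Template1 10.1.1.1 YES TFTP down down
Virtual-Access2 10.1.1.1 YES TFTP up up
Virtual-Access3 10.1.1.1 YES TFTP up up
Loopback0 192.168.1.1 YES manual up up
"""
EXPECTED_PEERS = {"10.1.1.5", "10.1.1.9"}   # the spokes listed in the hub keyring


def parse_isakmp_sa(output):
    """Return {peer_src: (state, status)} from the IPv4 ISAKMP SA table."""
    sas = {}
    for line in output.splitlines():
        m = re.match(r"(\S+) (\S+) (\S+) (\d+) (\d+) (\S+)$", line.strip())
        if m:                       # header and section titles do not match (conn-id is numeric)
            _dst, src, state, _conn_id, _slot, status = m.groups()
            sas[src] = (state, status)
    return sas


def parse_interfaces(output):
    """Return {name: (status, protocol)}; 'administratively down' is kept as one status."""
    ifaces = {}
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 6:
            ifaces[parts[0]] = (" ".join(parts[4:-1]), parts[-1])
    return ifaces


def check_hub(sa_output, brief_output, expected_peers):
    """Return a list of problems; empty means every expected spoke has an established
    IKE SA, no unexpected peer has one, and one Virtual-Access is up/up per spoke."""
    problems = []
    sas = parse_isakmp_sa(sa_output)
    for peer in sorted(expected_peers):
        if peer not in sas:
            problems.append(f"{peer}: no ISAKMP SA (hub does not initiate; spoke must dial in)")
        elif sas[peer] != ("QM_IDLE", "ACTIVE"):
            problems.append(f"{peer}: SA is {sas[peer][0]}/{sas[peer][1]}, not QM_IDLE/ACTIVE")
    for peer in sorted(sas.keys() - expected_peers):
        problems.append(f"{peer}: ISAKMP SA with a peer not in the expected list")
    up = [n for n, st in parse_interfaces(brief_output).items()
          if n.startswith("Virtual-Access") and st == ("up", "up")]
    if len(up) != len(expected_peers):
        problems.append(f"{len(up)} up/up Virtual-Access interface(s) for {len(expected_peers)} spokes")
    return problems


if __name__ == "__main__":
    print(check_hub(ISAKMP_SA_OUTPUT, IP_INT_BRIEF_OUTPUT, EXPECTED_PEERS) or "hub OK")
```

Virtual-Access1 shows down/down in the transcript and is not a spoke tunnel, so only up/up Virtual-Access interfaces are counted. The unexpected-peer check is the one worth keeping in production: an ISAKMP SA from an address that is not in the keyring means a phase 1 exchange the hub policy did not intend to allow.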