Tuesday, June 10, 2014

Static VTI VPN point-to-point

LAB



Task 1: (Optional) Configure an IKE Policy on Each Peer

Router# configure terminal

Router(config)# crypto isakmp policy 10

Router(config-isakmp)# authentication pre-share

Router(config-isakmp)# hash sha

Router(config-isakmp)# encryption aes 128

Router(config-isakmp)# group 14

Router(config-isakmp)# lifetime 3600

Router(config-isakmp)# exit



Task 2: Generate and Configure Authentication Credentials on Each Peer

The address is the peer's tunnel source address and the key must be identical on both peers.

Router# configure terminal

Router(config)# crypto isakmp key !%@$^#@&%RRETWERsdf address 172.17.2.4

Router(config)# end

Router# copy running-config startup-config

Task 3: Configure an IPsec Protection Profile

The transform set referenced by the profile (AES128-SHA) must already be defined; see the crypto ipsec transform-set line in the router configurations below.

Router(config)# crypto ipsec profile MYIPsecProfile

Router(ipsec-profile)# set transform-set AES128-SHA

Router(ipsec-profile)# end

Router# copy running-config startup-config

Task 4: Configure a Virtual Tunnel Interface (VTI)

Router(config)# interface Tunnel0

Router(config-if)# ip unnumbered GigabitEthernet0/0

Router(config-if)# tunnel source GigabitEthernet0/0

Router(config-if)# tunnel destination 172.17.2.4

Router(config-if)# end

Router# copy running-config startup-config

Task 5: Apply the Protection Profile to the Tunnel Interface

Router(config)# interface Tunnel0

Router(config-if)# tunnel mode ipsec ipv4

Router(config-if)# tunnel protection ipsec profile MYIPsecProfile

Router(config-if)# end

Router# copy running-config startup-config

Task 6: Configure Routing into the VTI Tunnel

Router(config)# ip route 10.1.2.0 255.255.255.0 Tunnel0

Router(config)# end

Only traffic routed into Tunnel0 is encrypted. The tunnel destination itself must stay reachable through the physical interface (in this lab via OSPF on the serial link), never through the tunnel, or the tunnel route recurses and the interface goes down.

Router# copy running-config startup-config



Task 7: Verify the configuration and functions

■ show interface tunnel <n> verifies the status of the virtual tunnel interface; for an IPsec VTI the line protocol comes up only once the IPsec SA is established.

■ show crypto isakmp sa shows whether the IKE (phase 1) SA with the peer has reached QM_IDLE.

■ debug crypto isakmp displays debugging messages about IKE events.

■ debug crypto ipsec displays debugging messages about IPsec SA establishment.

■ show crypto ipsec sa directly verifies the status of an IPsec SA; the encrypt/decrypt counters should increase while traffic is routed into the tunnel.

■ show ip route | include Tunnel displays all routes pointing to local tunnel interfaces.
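As an added example (not part of the original post), the following Python script does the peer-to-peer consistency check that the commands above leave to the eye: it scans two running-configs for the settings that must agree on both routers (ISAKMP policy attributes, pre-shared key and peer address, transform set, tunnel source and destination, tunnel mode) and warns about the weak choices visible in this lab (DH group 5 and the pre-shared key cisco). The sample configs are constructed from the Router A and R3 configurations further down, trimmed to the VTI-relevant lines; lab_config(), WEAK_PSKS and the line scanner are assumptions of this example, not IOS features.

```python
"""Peer-consistency check for a static VTI pair (added example, not from the post).

Scans two IOS running-configs for the settings that must agree before IKEv1 and the
IPsec SA come up over the VTI, and flags hygiene points a reviewer would raise. It
understands only the indented-block layout of 'show running-config'."""
WEAK_PSKS = {"cisco", "cisco123", "password", "secret"}   # assumed deny-list for the example
# Constructed from the Router A and R3 configurations in this lab (trimmed to the
# VTI-relevant lines); the hypothetical lab_config() just fills in each side's values.
def lab_config(local_if, local_ip, peer_ip):
    return f"""\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key cisco address {peer_ip}
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
crypto ipsec profile MYIPsecPROFILE
 set transform-set AES128-SHA
interface Tunnel10
 tunnel source {local_if}
 tunnel destination {peer_ip}
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYIPsecPROFILE
interface {local_if}
 ip address {local_ip} 255.255.255.252
"""
ROUTER_A = lab_config("Serial1/1", "10.1.1.1", "10.1.2.2")
ROUTER_R3 = lab_config("Serial1/3", "10.1.2.2", "10.1.1.1")

def parse(cfg):
    """Collect the IKE policy, PSKs, transform sets, profiles and interface settings."""
    p = {"policy": {"hash": "sha"}, "keys": {}, "tsets": {}, "profiles": {}, "ifaces": {}}
    kind = block = None                       # which indented block we are inside
    for line in cfg.splitlines():
        w = line.split()
        if not w or w[0] == "!": continue
        if not line.startswith(" "):          # top-level command
            kind = block = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                kind = "policy"
            elif w[:3] == ["crypto", "isakmp", "key"]:        # key <psk> address <ip>
                p["keys"][w[5]] = w[3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                p["tsets"][w[3]] = tuple(w[4:])
            elif w[:3] == ["crypto", "ipsec", "profile"]:
                kind, block = "profile", p["profiles"].setdefault(w[3], {})
            elif w[0] == "interface":
                kind, block = "iface", p["ifaces"].setdefault(w[1], {})
        elif kind == "policy":                # 'encr aes', 'group 5', 'hash sha256', ...
            p["policy"][w[0]] = " ".join(w[1:])
        elif kind == "profile" and w[:2] == ["set", "transform-set"]:
            block["tset"] = w[2]
        elif kind == "iface" and w[0] in ("ip", "tunnel"):   # 'ip address', 'tunnel source', ...
            block[w[1]] = " ".join(w[2:])
    return p

def vti(p):
    """First interface with 'tunnel protection', its profile name and source IP resolved."""
    for name, d in p["ifaces"].items():
        if "protection" in d:                 # value is 'ipsec profile <name>'
            src = p["ifaces"].get(d.get("source"), {}).get("address", "").split()[:1]
            return name, dict(d, profile=d["protection"].split()[-1], source_ip=src[0] if src else None)
    return None, {}

def check(cfg_a, cfg_b):
    """Return [(level, msg)]; any ERROR means IKE or the IPsec SA will not come up."""
    cfgs, seen, out = {"A": parse(cfg_a), "B": parse(cfg_b)}, {}, []
    err, warn = (lambda m: out.append(("ERROR", m))), (lambda m: out.append(("WARN", m)))
    for me, peer in (("A", "B"), ("B", "A")):
        p, (name, t), (_, u) = cfgs[me], vti(cfgs[me]), vti(cfgs[peer])
        if name is None:
            err(f"{me}: no interface carries 'tunnel protection ipsec profile'"); continue
        if t.get("mode") != "ipsec ipv4":
            err(f"{me}: {name} lacks 'tunnel mode ipsec ipv4'")
        if t.get("destination") != u.get("source_ip"):
            err(f"{me}: {name} destination {t.get('destination')} is not the peer's tunnel source {u.get('source_ip')}")
        psk = p["keys"].get(u.get("source_ip"))
        tset = p["tsets"].get(p["profiles"].get(t["profile"], {}).get("tset"))
        seen[me] = (psk, tset)
        if psk is None:
            err(f"{me}: no 'crypto isakmp key ... address {u.get('source_ip')}'")
        elif len(psk) < 16 or psk.lower() in WEAK_PSKS:
            warn(f"{me}: pre-shared key is short or a well-known default")
        if tset is None:
            err(f"{me}: profile {t['profile']} references no defined transform set")
        if int(p["policy"].get("group", "1")) < 14:
            warn(f"{me}: DH group {p['policy'].get('group', '1')} is below 14 (2048-bit MODP)")
    # Must agree on both sides. Lifetime is skipped: IOS negotiates the shorter of the two.
    a, b = cfgs["A"]["policy"], cfgs["B"]["policy"]
    for attr in ("encr", "hash", "authentication", "group"):
        if a.get(attr) != b.get(attr):
            err(f"ISAKMP policy '{attr}' differs: {a.get(attr)} vs {b.get(attr)}")
    if len(seen) == 2 and all(s[0] for s in seen.values()) and seen["A"][0] != seen["B"][0]:
        err("pre-shared keys differ between the peers")
    if len(seen) == 2 and all(s[1] for s in seen.values()) and seen["A"][1] != seen["B"][1]:
        err(f"transform sets differ: {seen['A'][1]} vs {seen['B'][1]}")
    return out

if __name__ == "__main__": print(*check(ROUTER_A, ROUTER_R3), sep="\n")
```

Run as-is it reports no ERROR and four WARN lines (DH group and pre-shared key, one pair per peer), which matches the lab: the tunnel comes up, but with group 5 and the key cisco rather than the group 14 and random key used in Task 1 and Task 2. The IKE lifetime is deliberately not compared, since IOS settles on the shorter of the two proposals. The script also does not warn about the hash: with hash omitted, as in the configurations below, IOS defaults to SHA-1, which is worth replacing with hash sha256 on releases that support it.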
==========================================
Router A configuration
Building configuration...
Current configuration : 1937 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname A
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 10.1.2.2
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile MYIPsecPROFILE
 set transform-set AES128-SHA
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel10
 ip address 192.168.100.1 255.255.255.252
 tunnel source Serial1/1
 tunnel destination 10.1.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYIPsecPROFILE
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.1.1.1 255.255.255.252
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 1
 network 192.168.1.0
 network 192.168.100.0
 no auto-summary
!
router ospf 100
 log-adjacency-changes
 network 10.1.1.0 0.0.0.7 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
Router ISP configuration
Building configuration...
Current configuration : 1358 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.1.1.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 ip address 10.1.2.1 255.255.255.252
 serial restart-delay 0
!
router ospf 100
 log-adjacency-changes
 network 10.1.1.0 0.0.0.7 area 0
 network 10.1.2.0 0.0.0.7 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
Router R3 configuration
Building configuration...
Current configuration : 1978 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 3600 (does not need to match the other peer; IKE uses the shorter of the two lifetimes)
crypto isakmp key cisco address 10.1.1.1
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile MYIPsecPROFILE
 set transform-set AES128-SHA
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Tunnel10
 ip address 192.168.100.2 255.255.255.252
 tunnel source Serial1/3
 tunnel destination 10.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYIPsecPROFILE
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 ip address 10.1.2.2 255.255.255.252
 serial restart-delay 0
!
router eigrp 1
 network 192.168.2.0
 network 192.168.100.0
 no auto-summary
!
router ospf 100
 log-adjacency-changes
 network 10.1.2.0 0.0.0.7 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

Result of a ping from 192.168.1.1 (Loopback0 of A) to 192.168.2.1 (Loopback0 of R3): the capture shows source 10.1.1.1 and destination 10.1.2.2 (the tunnel endpoints) with an ESP payload, so the inner packets cannot be read. The loopbacks are reachable only through the EIGRP routes learned over Tunnel10, which is why this traffic is encrypted.

A ping from 10.1.1.1 to 10.1.2.2 shows everything in clear text: the serial addresses are routed by OSPF over the physical link, not into the tunnel, and only traffic forwarded into the VTI is protected.
