Scenario:
Your network colleagues were very enthusiastic when you showed them that a GRE tunnel makes it possible to tunnel routing protocols across VPN connections, and after configuring the previous “GRE Tunnel Basic” lab (see our lab section) your colleagues now ask you to configure a basic IPSEC Site-to-Site VPN so they can configure encrypted GRE tunnels later.
Goal:
- All IP addresses have been preconfigured as specified in the topology picture.
- Router Godzilla and Nessie have a loopback interface:
  Godzilla: Loopback0: 1.1.1.1 /24
  Nessie: Loopback0: 3.3.3.3 /24
- Configure OSPF on all 3 routers and advertise the following networks:
  192.168.12.0 /24
  192.168.23.0 /24
  1.1.1.0 /24
  3.3.3.0 /24
- Ensure that Godzilla and Nessie can ping each other.
- Ensure you can ping 3.3.3.3 from Godzilla, sourced from its Loopback0 interface.
- We are going to configure an IPSEC connection between Router Godzilla and Nessie.
- Create an ISAKMP policy:
  Authentication: pre-shared-key
  Encryption: AES 256
  Hashing: SHA
  DH: Group 5
  Lifetime: 3600
- Configure the pre-shared-key “VAULT” which you will use for the IPSEC connection.
- Configure the IPSEC transform-set:
  Cipher: AES 256
  ESP (Encapsulating Security Payload)
  Hashing: SHA
- Change the IPSEC security association lifetime to 1800 seconds.
- You need to encrypt traffic from Router Godzilla’s Loopback0 interface destined to Nessie’s Loopback0 interface; create the correct access-list.
- Ensure you have a correct access-list on both Routers.
- Create the correct crypto-map to finish the IPSEC configuration.
- Verify the IPSEC configuration; you can use the following show/debug commands:
  show crypto ipsec transform-set
  show crypto map
  show crypto ipsec sa
  debug crypto isakmp
- Try a ping from Router Godzilla’s Loopback0 interface destined to Router Nessie’s Loopback0 interface. If your configuration is correct, the traffic should be encrypted.
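As an added check (not part of the lab or its solution files), the Python script below parses the IOS crypto configuration of both routers, compares the ISAKMP policy, IPsec SA lifetime and transform-set against the requirements listed above, and tests that the crypto ACLs on Godzilla and Nessie are mirror images and that each pre-shared key is bound to the configured peer. The router configs are constructed samples; Nessie's ACL is written in host form on purpose so the mirror check fails, which is the kind of access-list mistake the goals warn about.

```python
import re
# Constructed sample configs for both tunnel ends (assumed here, not the lab's files).
# Nessie's crypto ACL uses "host" form on purpose, so it is NOT Godzilla's mirror image.
GODZILLA = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key VAULT address 192.168.23.3
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set VPN
 match address 101
access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
"""
NESSIE = GODZILLA.replace("192.168.23.3", "192.168.12.1").replace(
    "ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255", "ip host 3.3.3.3 host 1.1.1.1")

# Lab requirements as (regex, description); any pattern that fails to match is a finding.
REQUIRED = [
    (r"^ encr aes 256$", "ISAKMP encryption AES 256"),
    (r"^ authentication pre-share$", "ISAKMP authentication pre-shared-key"),
    (r"^ group 5$", "ISAKMP DH group 5"),
    (r"^ lifetime 3600$", "ISAKMP lifetime 3600"),
    (r"^crypto ipsec security-association lifetime seconds 1800$", "IPsec SA lifetime 1800"),
    (r"^crypto ipsec transform-set \S+ esp-aes 256 esp-sha-hmac$", "transform-set ESP AES 256 / SHA"),
]

def missing_requirements(cfg):
    """Descriptions of the lab requirements this config does not meet."""
    return [desc for pat, desc in REQUIRED if not re.search(pat, cfg, re.M)]

def crypto_acl(cfg):
    """Sorted (src, dst) pairs from the ACL named by the crypto map's 'match address'."""
    acl = re.search(r"^ match address (\S+)$", cfg, re.M).group(1)
    pat = rf"^access-list {acl} permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$"
    return sorted(re.findall(pat, cfg, re.M))

def acls_mirror(cfg_a, cfg_b):
    """True when every (src, dst) flow on A appears as (dst, src) on B."""
    return crypto_acl(cfg_a) == sorted((d, s) for s, d in crypto_acl(cfg_b))

def key_bound_to_peer(cfg):
    """The pre-shared key must be bound to the same address the crypto map peers with."""
    peer = re.search(r"^ set peer (\S+)$", cfg, re.M).group(1)
    key_addr = re.search(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M).group(1)
    return peer == key_addr
```

Run `missing_requirements`, `acls_mirror` and `key_bound_to_peer` over the two `show running-config` outputs before touching `debug crypto isakmp`; an empty findings list plus a mirrored ACL pair rules out the most common reasons for an empty `show crypto isakmp sa`.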
IOS:
c3640-jk9s-mz.124-16.bin
Topology:
Video Solution:
Configuration Files
Written by René Molenaar - CCIE #41726
Hey, is it possible for you to send me the configs on all routers?
If I have the final configs I’ll post them here.
I finished configuring the routers but am still not able to see anything when I do a “show crypto isakmp sa”.
Send something through the tunnel which is supposed to be encrypted.
show crypto isakmp sa should only show you the “active” traffic.
I just finished this lab today. I’d like to say thanks to Rene. This is what I came up with.
I assume the configuration of OSPF shouldn’t be a problem, as that is not the main concern of this lab, so I won’t include it here. Partial config of Godzilla:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key VAULT address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map CMAP 1 ipsec-isakmp
set peer 192.168.23.3
set transform-set VPN
match address 101
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
crypto map CMAP
!
access-list 101 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
Nessie config is similar to Godzilla.
Also, check the access list using “sho ip access-list” to see how many matches there are.
I guess the desired state should be QM_IDLE on “sho cry isa sa”, and that is what I got, as follows:
Godzilla#sho cry isa sa
dst             src             state      conn-id slot status
192.168.12.1    192.168.23.3    QM_IDLE          1    0 ACTIVE
Make sure it is not MM_NO_STATE, or make sure it’s not empty (no entry).
Another good command to check the tunnel is “sho cry sess”, as follows:
Godzilla#sho cry sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.23.3 port 500
IKE SA: local 192.168.12.1/500 remote 192.168.23.3/500 Active
IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 3.3.3.0/255.255.255.0
Active SAs: 2, origin: crypto map
I also notice that “ping 3.3.3.3 sourc lo0” is required from Godzilla to initiate the tunnel to bring it to QM_IDLE state. I’m not sure if that is the intention of the author.
Cheers.
Current configuration : 1161 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Godzilla
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key VAULT address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set IPSEC ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map CMAP 1 ipsec-isakmp
set peer 192.168.23.3
set transform-set IPSEC
match address 111
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Loopback1
ip address 11.11.11.11 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
crypto map CMAP
!
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 192.168.12.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
!
!
!
access-list 111 permit ip host 1.1.1.1 host 3.3.3.3
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end
I’m wondering, Rene, in this lab wouldn’t the OSPF packets be visible (unencrypted) when traversing KingKong?
Well, it depends... we use an access-list to select the traffic we want to encrypt. Just keep in mind that we can’t send routing protocols through an IPSEC tunnel by default. We need to configure a GRE tunnel first and then configure IPSEC to encrypt the GRE tunnel.
Why is it necessary to add the loopbacks to OSPF? I’ve worked with ASA/PIX site to site VPNs and I never have to define how to get to the subnet that traffic should be encrypted for. The only route the ASA/PIX rely on is how to get to the peer IP address.
This also depends. In this example router Godzilla and Nessie need to know how to reach each other’s loopback interface so we need routing. Another option would be to create a site-to-site VPN between Godzilla/Nessie and use a default route pointing to the tunnel interface or something.
Result. Thanks
Thanks!
Having a bit of a problem with this config. Whenever it loads it runs into setup mode. The config register is 0x2142; I tried changing it to 0x2102 and reloading, but it still won’t work.
Any ideas?
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key VAULT address 192.168.12.1 255.255.255.0 no-xauth
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set TRANS_SET esp-aes 256 esp-sha-hmac
!
ip access-list extended INT-TRAFFIC
permit ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 192.168.12.1
set transform-set TRANS_SET
match address INT-TRAFFIC
!
interface FastEthernet0/0
crypto map CRYPTOMAP
It works after configuring the command half-duplex on all interfaces. Is this normal?
Hello,
I have a question in regards to the crypto map configuration. I noticed in your solution the pfs group5 command is used. Is this a best practice configuration or is it a required option? From what I have been able to read, this provides another hashing each time a new security association occurs. Doesn’t this happen when the lifetimes of the isakmp policies and crypto map expires?
I’m a little new to this, so forgive me if the question is trivial.
Tedd
Although I logged in to the web site, I still see "You need to register to be able to download the GNS3 Topology File. (Registration is Free!)"
Why is that?
I am 100 percent sure that I am logged in
Maybe I missed it but what was the point of the 192.168.13.0/24 address space?
This might sound weird. In my GNS3 I’m running
C3640-s-mz_120-7_t
Somehow I can’t run the crypto command. Is this because of the platform?
Your IOS doesn’t support crypto commands. Get c3640-jk9s-mz.124-16.bin.
Got it to work, but wrong access-lists messed me up for a while. Good lab!
Kindly fix this, I am unable to see the network diagram and the startup config
The final configuration files don’t have the full configuration. Can anyone provide me the final s2s configuration?
Hey Rene, hope all is well my friend. I am unable to see the network diagram or the startup configs. I know you are a busy man, but I was wondering if there was any chance you could update this for us. Thanks a lot for everything you do! I really appreciate it.
Hey Rene do you have the topology and configs to do this lab?