DMVPN Lab 2 Configure IPSEC


Download Lab: EVE-NG

Image needed: Cisco IOSv 


Description:
This lab extends the previous one: basic router configuration and DMVPN are already in place. Start the topology, verify the existing configurations, then configure IPsec over DMVPN to secure the traffic traversing between HQ and the branches. Lab details are included within the .unl file.

Topology:


Task 1: Enable IPSEC on the HQ

Step 1: Define the crypto policy in global configuration mode.
Step 2: Create a crypto key and transform-set.
Step 3: Apply the transform-set to the IPSEC profile.
Step 4: Under interface tunnel 0, enable IPSEC.
Step 5: Save configurations.

Command reference:
Configurations:
R1(config)# crypto isakmp policy 5
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# exit
!
R1(config)# crypto isakmp key cisco123 address 0.0.0.0
R1(config)# crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)# mode transport
R1(cfg-crypto-trans)# exit
!
R1(config)# crypto ipsec profile IPSECPROFILE
R1(ipsec-profile)# set transform-set MYSET
R1(ipsec-profile)# exit
!
R1(config)# interface tunnel 0
R1(config-if)# tunnel protection ipsec profile IPSECPROFILE
R1(config-if)# exit
R1(config)#

Verification:
R1# show crypto isakmp sa
R1# show crypto isakmp sa detail
R1# show crypto ipsec sa peer 50.0.0.1
R1# show dmvpn peer nbma 50.0.0.1 detail
R1# debug crypto isakmp


Task 2: Enable IPSEC on the Spoke

Step 1: Define the crypto policy in global configuration mode.
Step 2: Create a crypto key and transform-set.
Step 3: Apply the transform-set to the IPSEC profile.
Step 4: Under interface tunnel 0, enable IPSEC.
Step 5: Verify the IPSEC tunnels.
Step 6: Save configurations.
Step 7: Repeat steps 1 through 6 on all spoke routers.

Command reference:
Configurations:
R1(config)# crypto isakmp policy 5
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# exit
!
R1(config)# crypto isakmp key cisco123 address 0.0.0.0
R1(config)# crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)# mode transport
R1(cfg-crypto-trans)# exit
!
R1(config)# crypto ipsec profile IPSECPROFILE
R1(ipsec-profile)# set transform-set MYSET
R1(ipsec-profile)# exit
!
R1(config)# interface tunnel 0
R1(config-if)# tunnel protection ipsec profile IPSECPROFILE
R1(config-if)# exit
R1(config)#

Verification:
R1# show crypto isakmp sa
R1# show crypto isakmp sa detail
R1# show crypto ipsec sa peer 50.0.0.1
R1# show dmvpn peer nbma 50.0.0.1 detail
R1# debug crypto isakmp
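Added check, not part of the lab: a small Python audit that parses the kind of configuration entered in Task 1 and Task 2 (as `show running-config` prints it) and flags the settings worth reviewing before calling the lab done, such as a weak ISAKMP hash or DH group, weak ESP transforms, a tunnel interface with no `tunnel protection`, and the wildcard pre-shared key (`address 0.0.0.0`) that the lab uses. The sample config is constructed from the commands above; the function names are my own.

```python
# Constructed sample: this lab's HQ config as `show running-config` prints it.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key cisco123 address 0.0.0.0
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSECPROFILE
 set transform-set MYSET
interface Tunnel0
 tunnel protection ipsec profile IPSECPROFILE
"""

# Values under `crypto isakmp policy` that should be flagged.
WEAK_POLICY = {"hash": {"md5"}, "group": {"1", "2", "5"}, "encr": {"des", "3des"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}


def sections(config):
    """Split IOS config text into (header, [indented child lines]) blocks."""
    out = []
    for raw in config.splitlines():
        if raw[:1].isspace() and raw.strip() and out:  # child of previous header
            out[-1][1].append(raw.strip())
        elif raw.strip():
            out.append((raw.strip(), []))
    return out


def audit(config):
    """Return a list of findings against the settings this lab configures."""
    findings = []
    for header, body in sections(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            for item in body:
                w = item.split()
                if w[0] in WEAK_POLICY and w[1] in WEAK_POLICY[w[0]]:
                    findings.append(f"{header}: weak {w[0]} {w[1]}")
        elif header.startswith("crypto isakmp key") and "address 0.0.0.0" in header:
            findings.append("wildcard PSK (address 0.0.0.0): any peer that knows the key may negotiate")
        elif header.startswith("crypto ipsec transform-set"):
            weak = sorted(set(words[4:]) & WEAK_TRANSFORMS)
            if weak:
                findings.append(f"transform-set {words[3]}: weak transforms {weak}")
        elif header.lower().startswith("interface tunnel"):
            if not any(b.startswith("tunnel protection ipsec profile") for b in body):
                findings.append(f"{header}: no tunnel protection, GRE payload is sent in clear")
    return findings
```

Run `audit(SAMPLE_CONFIG)` on the lab config and the only finding is the wildcard PSK; paste a spoke's `show running-config` into the string to check each branch the same way.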

