Scenario Configuring Cisco Routers for IPSec


Figure 4-21 displays a simple two-router topology where traffic from network 131.108.100.0/24 is encrypted when it is sent to the remote network 131.108.200.0/24.

Figure 4-21 Scenario Topology

[Figure: R1 has Host A (131.108.100.5/24) on Ethernet 0/0 (131.108.100.1/24) and Host C (131.108.101.5/24) on Ethernet 0/1 (subnet 131.108.101.0/24). R1 and R2 are joined by a serial link in 131.108.255.0, over which the IPSec tunnel runs. R2 has Host B (131.108.200.5/24) on Ethernet 0/0 (131.108.200.1/24).]

Example 4-19 displays the working configuration of R1, with lines numbered from 1 to 31.

Example 4-19 R1's Full Configuration

1. version 12.2
2. hostname R1
3. enable password cisco
4. crypto isakmp policy 1
5.  hash md5
6.  authentication pre-share
7. crypto isakmp key CCIE address 131.108.255.2
8. crypto ipsec transform-set anyname esp-des esp-sha-hmac
9.  mode tunnel
10. crypto map anyname1 1 ipsec-isakmp
11.  set peer 131.108.255.2
12.  set security-association lifetime seconds 180
13.  set transform-set anyname
14.  match address 100
15. interface Ethernet0/0
16.  ip address 131.108.100.1 255.255.255.0
17. interface Serial0/0
18.  ip address 131.108.255.1 255.255.255.252
19.  encapsulation frame-relay
20.  ip split-horizon
21.  ip ospf network point-to-point
22.  frame-relay map ip 131.108.255.2 102 broadcast
23.  frame-relay interface-dlci 102
24.  frame-relay lmi-type ansi
25.  crypto map anyname1
26. interface Ethernet0/1
27.  ip address 131.108.101.1 255.255.255.0
28. router ospf 1
29.  network 131.108.0.0 0.0.255.255 area 0
30. access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255
31. end

Example 4-20 displays the working configuration of R2, with lines numbered from 1 through 29.

Example 4-20 R2's Full Configuration

1. version 12.2
2. hostname R2
3. enable password cisco
4. crypto isakmp policy 1
5.  hash md5
6.  authentication pre-share
7. crypto isakmp key CCIe address 131.108.255.1
8. crypto ipsec transform-set anyname esp-des esp-sha-hmac
9.  mode tunnel
10. crypto map anyname1 1 ipsec-isakmp
11.  set peer 131.108.255.1
12.  set security-association lifetime seconds 180
13.  set transform-set anyname
14.  match address 100
15. interface Ethernet0/0
16.  ip address 131.108.200.1 255.255.255.0
17. interface Serial0/0
18.  ip address 131.108.255.2 255.255.255.252
19.  encapsulation frame-relay
20.  ip split-horizon
21.  ip ospf network point-to-point
22.  frame-relay map ip 131.108.255.1 201 broadcast
23.  frame-relay interface-dlci 201
24.  frame-relay lmi-type ansi
25.  crypto map anyname1
26. router ospf 1
27.  network 131.108.0.0 0.0.255.255 area 0
28. access-list 100 permit ip 131.108.200.0 0.0.0.255 131.108.100.0 0.0.0.255
29. end
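Before any packet is encrypted, the two configurations above must agree on four things: each router's ISAKMP pre-shared key must be defined for the other router's peer address and match it exactly (the key is case-sensitive), both transform sets must propose the same transforms, the crypto map must be applied to the interface whose address the other side names as its peer, and the two crypto access lists must be mirror images of each other. The following Python script is an added example, not code from the book or from Cisco: it parses the crypto-relevant lines of both configurations (the embedded excerpts are constructed from Examples 4-19 and 4-20 with the line numbers stripped) and reports each of those checks that fails. The function and field names are the example's own.

```python
from dataclasses import dataclass, field

# Constructed excerpts: only the crypto-relevant lines of R1 (Example 4-19) and
# R2 (Example 4-20), with the book's line numbers stripped.
R1_CRYPTO = """\
crypto isakmp key CCIE address 131.108.255.2
crypto ipsec transform-set anyname esp-des esp-sha-hmac
crypto map anyname1 1 ipsec-isakmp
 set peer 131.108.255.2
 set transform-set anyname
 match address 100
interface Serial0/0
 ip address 131.108.255.1 255.255.255.252
 crypto map anyname1
access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255
"""
R2_CRYPTO = """\
crypto isakmp key CCIe address 131.108.255.1
crypto ipsec transform-set anyname esp-des esp-sha-hmac
crypto map anyname1 1 ipsec-isakmp
 set peer 131.108.255.1
 set transform-set anyname
 match address 100
interface Serial0/0
 ip address 131.108.255.2 255.255.255.252
 crypto map anyname1
access-list 100 permit ip 131.108.200.0 0.0.0.255 131.108.100.0 0.0.0.255
"""

@dataclass
class CryptoConfig:
    keys: dict = field(default_factory=dict)            # peer address -> pre-shared key
    transform_sets: dict = field(default_factory=dict)  # set name -> tuple of transforms
    maps: dict = field(default_factory=dict)            # (map name, seq) -> peer / transform set / acl
    acls: dict = field(default_factory=dict)            # acl number -> [(src, src_wc, dst, dst_wc)]
    interfaces: dict = field(default_factory=dict)      # interface -> {"ip", "crypto_map"}

def parse_ios_crypto(text):
    """Line-oriented parse of an IOS config; indented lines belong to the last top-level section."""
    cfg, section = CryptoConfig(), None
    for line in text.splitlines():
        w = line.split()
        if not w or line.startswith("!"):
            continue
        if not line.startswith(" "):                      # top-level command
            section = None
            if w[:3] == ["crypto", "isakmp", "key"]:      # crypto isakmp key <key> address <peer>
                cfg.keys[w[5]] = w[3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg.transform_sets[w[3]] = tuple(w[4:])
            elif w[:2] == ["crypto", "map"] and len(w) == 5:  # crypto map <name> <seq> ipsec-isakmp
                section = ("map", (w[2], int(w[3])))
                cfg.maps[section[1]] = {"peer": None, "ts": None, "acl": None}
            elif w[0] == "interface":
                section = ("intf", w[1])
                cfg.interfaces[w[1]] = {"ip": None, "crypto_map": None}
            elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
                cfg.acls.setdefault(w[1], []).append(tuple(w[4:8]))
        elif section and section[0] == "map":
            m = cfg.maps[section[1]]
            if w[:2] == ["set", "peer"]: m["peer"] = w[2]
            elif w[:2] == ["set", "transform-set"]: m["ts"] = w[2]
            elif w[:2] == ["match", "address"]: m["acl"] = w[2]
        elif section and section[0] == "intf":
            i = cfg.interfaces[section[1]]
            if w[:2] == ["ip", "address"]: i["ip"] = w[2]
            elif w[:2] == ["crypto", "map"]: i["crypto_map"] = w[2]
    return cfg

def check_pair(a, b):
    """Return the mismatches that stop a's crypto map entries negotiating with b (empty list = consistent)."""
    findings = []
    for (name, seq), m in a.maps.items():
        tag, peer = f"{name} {seq}", m["peer"]
        # the configured peer must be an interface on b that carries a crypto map
        remote = next((n for n, i in b.interfaces.items() if i["ip"] == peer), None)
        if remote is None or b.interfaces[remote]["crypto_map"] is None:
            findings.append(f"{tag}: peer {peer} is not a crypto-map interface on the other router")
            continue
        # b needs a map entry whose peer is one of a's interfaces carrying this map
        local_ips = {i["ip"] for i in a.interfaces.values() if i["crypto_map"] == name}
        back = next((mb for mb in b.maps.values() if mb["peer"] in local_ips), None)
        if back is None:
            findings.append(f"{tag}: other router has no crypto map entry pointing back at {sorted(local_ips)}")
            continue
        # pre-shared keys are looked up by peer address and compared case-sensitively
        ka, kb = a.keys.get(peer), b.keys.get(back["peer"])
        if ka != kb:
            findings.append(f"{tag}: pre-shared key mismatch ({ka!r} vs {kb!r})")
        if a.transform_sets.get(m["ts"]) != b.transform_sets.get(back["ts"]):
            findings.append(f"{tag}: transform-set mismatch")
        # the crypto ACLs must be mirror images of each other
        mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in b.acls.get(back["acl"], [])}
        if set(a.acls.get(m["acl"], [])) != mirrored:
            findings.append(f"{tag}: crypto ACL {m['acl']} is not the mirror of the peer's ACL {back['acl']}")
    return findings

if __name__ == "__main__":
    print(check_pair(parse_ios_crypto(R1_CRYPTO), parse_ios_crypto(R2_CRYPTO)) or "consistent")
```

Run it as-is to see which parameter the two routers disagree on. The same checks apply whenever a subnet is added to one side's crypto access list: the script keeps reporting the pair as inconsistent until the other router's access list is updated to mirror it.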

The following debug output is seen on R2 after the network administrator pings 131.108.100.1 (R1's Ethernet 0/0 address on the remote network) from Router R2's console port, using an extended ping sourced from 131.108.200.1 so that the traffic matches crypto access list 100.

1. Why will the IPSec tunnel not negotiate properly?

R2#debug crypto engine
Crypto Engine debugging is on
R2#ping
Protocol [ip]:
Target IP address: 131.108.100.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 131.108.200.1
Type of service [0]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.108.100.1, timeout is 2 seconds:
22:58:55: CryptoEngine0: generate alg parameter
22:58:55: CRYPTO_ENGINE: Dh phase 1 status: 0
22:58:55: CRYPTO_ENGINE: Dh phase 1 status: 0
22:58:55: CryptoEngine0: generate alg parameter
22:58:55: CryptoEngine0: create ISAKMP SKEYID for conn id 1
22:58:55: CryptoEngine0: generate hmac context for conn id 1.
22:58:55: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 131.108.255.1 failed its sanity check or is malformed
Success rate is 0 percent (0/5)
R2#

2. What subnets will be encrypted between Routers R1 and R2?

3. What IOS command produced the following display and from which router?

Crypto Map "anyname1" 1 ipsec-isakmp
        Peer = 131.108.255.2
        Extended IP access list 100
            access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255
        Current peer: 131.108.255.2
        Security association lifetime: 4608000 kilobytes/180 seconds
        PFS (Y/N): N
        Transform sets={ anyname, }
        Interfaces using crypto map anyname1:
                Serial0/0

4. Will Host A be able to communicate with Host B or Host C? The following displays are the IP routing tables on R1 and R2. (Assume the gateway configurations on the PCs are correct.)

R1's IP routing table:

R1>show ip route
     131.108.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       131.108.255.0/30 is directly connected, Serial0/0
O       131.108.200.0/24 [110/400] via 131.108.255.2, 00:52:00, Serial0/0
C       131.108.101.0/24 is directly connected, Ethernet0/1
C       131.108.100.0/24 is directly connected, Ethernet0/0

R2's IP routing table:

R2>show ip route
     131.108.0.0/16 is variably subnetted, 4 subnets, 2 masks
C       131.108.255.0/30 is directly connected, Serial0/0
C       131.108.200.0/24 is directly connected, Ethernet0/0
O       131.108.101.0/24 [110/58] via 131.108.255.1, 00:52:09, Serial0/0
O       131.108.100.0/24 [110/58] via 131.108.255.1, 00:52:09, Serial0/0

5. To allow the IP subnet 131.108.101.0/24 attached to the R1 Ethernet 0/1 interface to be encrypted over the IPSec tunnel and to communicate with the remote PC IP address 131.108.200.5, what configuration changes are required on which router?
