ISCW10LabGuide

8/14/2019 ISCW10LabGuide, page 1/178

ISCW
Implementing Secure Converged Wide Area Networks
Version 1.0

Lab Guide

Editorial, Production, and Graphic Services: 07.21.06


Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
168 Robinson Road
#28-01 Capital Tower
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina, Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Chile, China PRC, Colombia, Costa Rica, Croatia, Cyprus, Czech Republic, Denmark, Dubai UAE, Finland, France, Germany, Greece, Hong Kong SAR, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Korea, Luxembourg, Malaysia, Mexico, The Netherlands, New Zealand, Norway, Peru, Philippines, Poland, Portugal, Puerto Rico, Romania, Russia, Saudi Arabia, Scotland, Singapore, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Taiwan, Thailand, Turkey, Ukraine, United Kingdom, United States, Venezuela, Vietnam, Zimbabwe

2006 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.


ISCW Lab Guide

Overview

This guide presents the instructions and other information concerning the lab activities for this course. You can find the solutions in the lab activity Answer Key.

Outline

This guide includes these activities:

Lab 2-1: E-Lab: Configuring DSL
Lab 3-1: Configuring Frame Mode MPLS
Lab 4-1: Configuring Site-to-Site IPsec VPNs
Lab 4-2: Configuring GRE Tunnels over IPsec Using SDM
Lab 4-3: Configuring IPsec VPN to Back Up a WAN Connection
Lab 4-4: Configuring Cisco Easy VPN Server Using SDM
Lab 5-1: Securing Cisco Routers
Lab 5-2: Securing Cisco Router Management
Lab 5-3: Configuring AAA Login Authentication and Exec Authorization on Cisco Routers
Lab 6-1: Configuring a Cisco IOS Firewall
Lab 6-2: Configuring Cisco IOS IPS
Lab 6-3: Troubleshooting Security
Answer Key


Lab 2-1: E-Lab: Configuring DSL

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will configure the Cisco 837 router as the PPPoE client for end users connected behind its Ethernet 0 interface. After completing this activity, you will be able to meet these objectives:

Perform a simulated install procedure
Perform a simulated configuration of a Cisco 837 router for NAT with PPPoE

Visual Objective

The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 2-1: E-Lab: Configuring DSL (figure)

Scenario

This simulation provides practice configuring a Cisco ADSL router for connectivity to an ISP using PPPoE. The simulation also requires you to configure DHCP services for IP addressing of the local PCs at the teleworker's location, and to configure basic PAT. Use this information to complete the simulation:

Use the PVC number provided in the simulation.
A dynamic IP address is assigned by the ISP.

2 Implementing Secure Converged Wide Area Networks (ISCW) v1.0 2006 Cisco Systems, Inc.


    2006 Cisco Systems, Inc. Lab Guide

Use the network provided in the simulation for the private network. Use CHAP authentication with these credentials:

Hostname: provided in the simulation
Password: provided in the simulation

Import to the local PC devices all DHCP parameters provided by the ISP.

Required Resources

This is the resource that is required to complete this activity:

The DSL Standalone.zip archive containing all the files for the simulation

Command List

The table describes the commands that are used in this activity.

Cisco IOS Commands

configure terminal
    Enters global configuration mode.
ip dhcp pool name
    Configures a DHCP address pool on a DHCP server and enters DHCP pool configuration mode.
network network-number [mask | prefix-length]
    Configures the subnet number and mask for a DHCP address pool on a Cisco IOS DHCP server.
default-router address [address2...address8]
    Specifies the default router list for a DHCP client.
import all
    Imports DHCP option parameters (for example, the DNS servers the ISP hands the router over IPCP) into the DHCP server database, so that local clients receive them.
interface type number [name-tag]
    Configures an interface type and enters interface configuration mode.
ip address negotiated [previous]
    Specifies that the IP address for a particular interface is obtained via PPP/IPCP address negotiation.
encapsulation encapsulation-type
    Sets the encapsulation method used by the interface.
ppp chap hostname hostname
    Specifies the hostname the router presents when authenticating with CHAP, in place of its configured hostname (which also lets a pool of dialup routers appear to be the same host). In this lab it is the account name provided by the ISP.
ppp chap password secret
    Configures a common CHAP secret that the router uses in response to challenges from a peer for which no matching username entry exists. In this lab it is the password provided by the ISP.
mtu bytes
    Adjusts the maximum packet size or MTU size.
dialer pool number
    Specifies, for a dialer interface, which dialing pool to use to connect to a specific destination subnetwork.
pvc [name] vpi/vci
    Creates or assigns a name to an ATM permanent virtual circuit (PVC) and enters ATM VC configuration mode.
pppoe-client dial-pool-number number
    Configures a PPPoE client and specifies DDR functionality.


access-list access-list-number {deny | permit} source [source-wildcard] [log]
    Defines a standard IP ACL.
ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool name} [mapping-id map-id | overload | reversible | vrf name]
    Enables NAT of the inside source address.
ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route | mapping-id map-id | vrf name]
    Enables NAT of the outside source address.
ip tcp adjust-mss max-segment-size
    Adjusts the maximum segment size (MSS) value of TCP SYN packets going through a router.
ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name] [permanent | track number] [tag tag]
    Establishes static routes.

    Job Aids

    No job aids are needed to complete the lab activity.


Task 1: Configure PPPoE over DSL

Step 1 Configure the ATM interface.
Step 2 Configure a PVC using the assigned VPI/VCI under the ATM0 interface.
Step 3 Configure the PVC for PPPoE client operation.
Step 4 No shut the ATM0 interface.
Step 5 Configure the Dialer0 interface.
Step 6 Configure IP address negotiation.
Step 7 Configure PPP encapsulation.
Step 8 Configure the CHAP hostname.
Step 9 Configure the CHAP password.
Step 10 Configure the MTU.
Step 11 Assign the Dialer0 interface to the proper dialer pool.
Step 12 Configure the Cisco 837 as the DHCP server for the end users connected behind its Ethernet0 interface.
Step 13 Configure the DHCP pool with the proper network range.
Step 14 Configure the default router.
Step 15 Import all DHCP parameters.
Step 16 Configure PAT.
Step 17 Ethernet0 is the inside interface.
Step 18 Dialer0 is the outside interface.
Step 19 Configure the proper ip nat inside source statement.
Step 20 Configure an ACL that permits only traffic sourced from the Ethernet0 network.
Step 21 Adjust the TCP maximum segment size on the Ethernet0 interface to 1452.
Step 22 Configure a static default route pointing toward the Dialer0 interface.
Step 23 Use the show ip route command to examine the IP address assigned to the Dialer0 interface and the IP address of the aggregation router.
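As an added example that is not part of the original lab guide, this is the complete Cisco 837 configuration that Steps 1 to 23 produce. The PVC 8/35, the private network 192.168.1.0/24 and the CHAP credentials teleworker@isp.example / chap-secret are assumed placeholders; substitute the values the simulation provides.

```cisco
! Added example (not from the original lab guide): Cisco 837 as PPPoE client,
! DHCP server and PAT device. Assumed values: PVC 8/35, LAN 192.168.1.0/24,
! CHAP hostname teleworker@isp.example, CHAP password chap-secret.
!
! Steps 12-15: DHCP server for the hosts behind Ethernet0; "import all"
! passes the DNS servers learned from the ISP over IPCP on to the clients
ip dhcp excluded-address 192.168.1.1
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 import all
!
! Steps 17 and 21: inside interface. PPPoE leaves 1492 bytes for IP, so the
! MSS is clamped to 1492 - 20 (IP) - 20 (TCP) = 1452 to avoid fragmentation
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 no shutdown
!
! Steps 1-4: ATM interface, PVC, and PPPoE client bound to dialer pool 1
interface ATM0
 no ip address
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 no shutdown
!
! Steps 5-11 and 18: dialer interface carrying the PPP session to the ISP
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname teleworker@isp.example
 ppp chap password chap-secret
 mtu 1492
!
! Steps 16, 19, 20: PAT for the LAN only. The ACL must match nothing but the
! Ethernet0 network; "permit any" would translate anything the router forwards
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Step 22: default route out the PPP interface
ip route 0.0.0.0 0.0.0.0 Dialer0
```

After the session comes up, show ip route (Step 23) lists the negotiated address on Dialer0 and the host route IOS installs for the aggregation router's peer address; show ip nat translations and show ip dhcp binding confirm PAT and the leases. The CHAP secret stays in the running configuration: service password-encryption only obfuscates it with the reversible type 7 scheme, so configuration backups of this router must be handled as secrets.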


Lab 3-1: Configuring Frame Mode MPLS

Complete this lab activity to practice what you learned in the related module.

Visual Objective

This section contains information about your laboratory setup, details of the physical and logical connectivity in the laboratory, and information about the addressing scheme and IGP routing. Each pod will contain the router types defined in the table. Each pod is independent of other pods (that is, pods do not interact). Two learners are usually assigned to one pod. The addressing scheme of the pods differs, which is indicated with an x. The x should always be replaced by the pod number.

The names of all routers in your pod follow the naming convention detailed in this table.

Router Naming Convention

HQ
    Provider access router, which in a real network connects to customer routers. Router represents access to the provider network.
Branch
    Provider core router, which in a real network has no connection to customer routers.
ISP
    Provider router, which connects different sites. Learners have no access to this router.

The first serial interface of the branch router is connected back-to-back to the ISP router. The DCE side is on the ISP router. The second FastEthernet interface of the HQ router is connected to the second FastEthernet interface of the branch router.

Visual Objective for Lab 3-1: Configuring Frame Mode MPLS (figure)


The IP addressing of the routers has been performed using the allocation scheme detailed in the IP host address table.

IP Host Address (Where x Is the Pod Number)

HQ (Loopback0)      10.0.x.1/32
HQ (Fa0/0)          Public IP address (172.31.1.1 is used as an example in this document)
HQ (Fa0/1)          10.2.x.1/24
Branch (Loopback0)  10.0.x.2/32
Branch (Fa0/1)      10.2.x.2/24
Branch (S0/0/0)     10.5.x.2/24
ISP (Loopback)      10.10.10.10/24
ISP (Serial)        10.5.x.10/24
Workstation         Public IP address

Note This addressing scheme has been selected for ease of use in the labs; it does not optimize the use of the address space.

EIGRP is used as the routing protocol between routers. The EIGRP routing configuration on the HQ router is shown in this printout:

router eigrp 1
 redistribute connected
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

The EIGRP routing configuration on the branch router is shown in this printout:

router eigrp 1
 passive-interface FastEthernet0/0
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

Activity Objective

MPLS can be enabled in service provider core networks to prepare the network core for MPLS services such as MPLS VPNs and MPLS-TE. Enabling basic MPLS functionality within the service provider environment involves enabling CEF and LDP, TDP or, in certain cases, both protocols.

In this activity, your network has become an extension of an existing ISP's MPLS network. You will configure and verify Frame Mode MPLS on your IOS routers to link your network into the ISP's network. After completing this activity, you will be able to meet these objectives:

Enable IP CEF
Enable MPLS on a Frame Mode interface
Configure the MTU size

The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 3-1: Configuring Frame Mode MPLS (figure)

Required Resources

This is the resource required to complete this activity:

Cisco IOS documentation

Command List

The table describes the commands that are used in this activity.

MPLS Commands

ip cef
    Enables CEF switching on all interfaces with CEF capability.
mpls ip
    Enables MPLS forwarding of IPv4 packets along normally routed paths.
mpls mtu size
    Sets the per-interface MPLS MTU for labeled packets.
mpls label protocol {ldp | tdp | both}
    Specifies the label distribution protocol to be used on a given interface.
show mpls interfaces [interface] [detail]
    Displays information about one or more interfaces that have been configured for label switching.
show mpls ldp discovery
    Displays the status of the LDP discovery process. This command generates a list of interfaces over which the LDP discovery process is running.
show mpls ldp neighbor [address | interface] [detail]
    Displays the status of LDP sessions.

show mpls ldp bindings [network {mask | length} [longer-prefixes]] [local-label label [- label]] [remote-label label [- label]] [neighbor address] [local]
    Displays the contents of the LIB.

Job Aid

This job aid is available to help you complete the lab activity.

The instructor will allocate a pod that you will configure. Use this table to write down the pod assigned to you.

Pod Assigned

Parameter    Value (Provided by Instructor)
pod

Task 1: Enable LDP on the Provider Routers

In this task, you will configure basic label switching functionality in the provider core network.

Activity Procedure

Complete these steps:

Step 1 On the HQ router in your pod, perform these tasks:

Enable CEF.
Enable LDP on the interface that is connected to the branch router.

Note The mpls label protocol ldp command can be issued at the global configuration level.

Step 2 On the branch router, perform these tasks:

Enable CEF.
Enable LDP on the interface that is connected to the HQ router.
Enable LDP on the interface that is connected to the ISP router.

Activity Verification

You have completed this task when you attain these results:

On each of your routers, verify that the interfaces in question have been configured to use LDP.

Branch#show mpls interfaces
Interface              IP            Tunnel   Operational
FastEthernet0/1        Yes (ldp)     No       Yes
Serial0/0/0            Yes (ldp)     No       Yes

On each of your routers, verify that LDP Hello messages are transmitted and received over the appropriate interfaces and that LDP neighbor relationships are established over them. The "no host route" flag on the ISP discovery source means the branch router has no /32 route to the peer's LDP identifier 10.10.10.10; the session still forms because 10.10.10.0/24 is reachable.

Branch#show mpls ldp discovery
 Local LDP Identifier:
    10.0.1.2:0
    Discovery Sources:
    Interfaces:
        FastEthernet0/1 (ldp): xmit/recv
            LDP Id: 10.0.1.1:0
        Serial0/0/0 (ldp): xmit/recv
            LDP Id: 10.10.10.10:0; no host route

Branch#show mpls ldp neighbor
    Peer LDP Ident: 10.0.1.1:0; Local LDP Ident 10.0.1.2:0
        TCP connection: 10.0.1.1.646 - 10.0.1.2.31740
        State: Oper; Msgs sent/rcvd: 30/31; Downstream
        Up time: 00:15:11
        LDP discovery sources:
          FastEthernet0/1, Src IP addr: 10.2.1.1
        Addresses bound to peer LDP Ident:
          172.31.1.1      10.2.1.1        10.0.1.1
    Peer LDP Ident: 10.10.10.10:0; Local LDP Ident 10.0.1.2:0
        TCP connection: 10.10.10.10.15637 - 10.0.1.2.646
        State: Oper; Msgs sent/rcvd: 26/19; Downstream
        Up time: 00:14:20
        LDP discovery sources:
          Serial0/0/0, Src IP addr: 10.5.1.10
        Addresses bound to peer LDP Ident:
          10.10.10.10     10.5.1.10

On each of your routers, verify that LDP has allocated a label for each prefix in its IP routing table:

HQ#show mpls ldp bindings
  tib entry: 0.0.0.0 0.0.0.0, rev 16
        local binding:  tag: imp-null
  tib entry: 10.0.1.1 255.255.255.255, rev 12
        local binding:  tag: imp-null
        remote binding: tsr: 10.0.1.2:0, tag: 18
  tib entry: 10.0.1.2 255.255.255.255, rev 6
        local binding:  tag: 16
        remote binding: tsr: 10.0.1.2:0, tag: imp-null
  tib entry: 10.2.1.0 255.255.255.0, rev 4
        local binding:  tag: imp-null
        remote binding: tsr: 10.0.1.2:0, tag: imp-null
  tib entry: 10.5.1.0 255.255.255.0, rev 14
        local binding:  tag: 19
        remote binding: tsr: 10.0.1.2:0, tag: imp-null
  tib entry: 10.6.6.0 255.255.255.0, rev 10
        local binding:  tag: 18
        remote binding: tsr: 10.0.1.2:0, tag: imp-null
  tib entry: 10.10.10.0 255.255.255.0, rev 8
        local binding:  tag: 17
        remote binding: tsr: 10.0.1.2:0, tag: 17
  tib entry: 172.31.1.0 255.255.255.0, rev 2
        local binding:  tag: imp-null
        remote binding: tsr: 10.0.1.2:0, tag: 16

Perform a traceroute from the HQ router to the loopback address of the ISP router (10.10.10.10) and verify that the results display the associated labels:

HQ#traceroute 10.10.10.10
Type escape sequence to abort.
Tracing the route to ISP (10.10.10.10)
  1 10.2.1.2 [MPLS: Label 17 Exp 0] 0 msec 0 msec 0 msec
  2 10.5.1.10 8 msec * 4 msec

Task 2: Configure the MTU Size

Labeling a packet makes it larger because of the label stack. To prevent the fragmentation of labeled packets in the MPLS backbone, you will configure the MPLS MTU on the link between the HQ and branch routers.

Activity Procedure

The maximum frame size can be the maximum MTU size of the Ethernet interface, increased by a label stack of up to three labels (3 labels x 4 bytes = 12 bytes, so 1500 + 12 = 1512). Complete these steps:

Step 1 On the interface that is connected to the branch router, change the MPLS MTU on the HQ router.
Step 2 On the interface that is connected to the HQ router, change the MPLS MTU on the branch router.
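As an added example that is not part of the original lab guide, this is the configuration that Tasks 1 and 2 leave on both routers, written for pod x = 1 so that it matches the verification printouts. The LDP password lines at the end are hardening beyond what the lab asks for, and ldp-secret is an assumed value.

```cisco
! Added example (not from the original lab guide): Frame Mode MPLS on the
! HQ and Branch routers of pod 1.
!
! ---- HQ ----
ip cef
mpls label protocol ldp
!
interface FastEthernet0/1
 description *** Link to Branch ***
 ip address 10.2.1.1 255.255.255.0
 mpls ip
 mpls mtu 1512
!
! ---- Branch ----
ip cef
mpls label protocol ldp
!
interface FastEthernet0/1
 description *** Link to HQ ***
 ip address 10.2.1.2 255.255.255.0
 mpls ip
 mpls mtu 1512
!
interface Serial0/0/0
 description *** Link to ISP ***
 ip address 10.5.1.2 255.255.255.0
 mpls ip
!
! Beyond the lab: an LDP session is plain TCP on port 646 with no
! authentication, so any host that can reach the link can offer label
! bindings. On a real provider core, protect each session with TCP MD5
! (the peer must be configured with the same assumed password) and refuse
! sessions that do not use it:
! mpls ldp neighbor 10.0.1.2 password ldp-secret
! mpls ldp password required
```

The value 1512 is 1500 plus three 4-byte labels, as the procedure states. Later IOS releases refuse an MPLS MTU larger than the interface MTU unless the interface MTU is raised as well (or mpls mtu override is configured), so on newer code the same lab needs mtu 1512 on the interface too; the 12.4 routers used here accept the command as shown and report MTU = 1512 in show mpls interfaces detail.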

Activity Verification

You have completed this task when you attain these results:

Verify the MPLS MTU size on the interface of the HQ (access) router.

HQ#show mpls interfaces FastEthernet0/1 detail
Interface FastEthernet0/1:
        IP labeling enabled (ldp):
          Interface config
        LSP Tunnel labeling not enabled
        BGP tagging not enabled
        Tagging operational
        Fast Switching Vectors:
          IP to MPLS Fast Switching Vector
          MPLS Turbo Vector
        MTU = 1512

Task 3: Remove MPLS Configuration

In this task, you will remove the MPLS configuration from the HQ and branch routers.

Activity Procedure

Complete these steps:

Step 1 On the HQ router in your pod, perform these tasks:

Disable CEF.
Disable LDP on the interface that is connected to the branch router.
Remove the MPLS MTU configuration on the interface that is connected to the branch router.

Step 2 On the branch router, perform these tasks:

Disable CEF.
Disable LDP on the interface that is connected to the HQ router.
Disable LDP on the interface that is connected to the ISP router.
Remove the MPLS MTU configuration on the interface that is connected to the HQ router.

Activity Verification

You have completed this task when you attain these results:

Verify the interface configuration on the HQ router.

HQ#show running-config interface FastEthernet 0/1
Building configuration...

Current configuration : 129 bytes
!
interface FastEthernet0/1
 description *** Link to Branch ***
 ip address 10.2.1.1 255.255.255.0
 duplex auto
 speed auto
end

Verify the interface configuration on the branch router.

Branch#show running-config interface FastEthernet 0/1
Building configuration...

Current configuration : 125 bytes
!
interface FastEthernet0/1
 description *** Link to HQ ***
 ip address 10.2.1.2 255.255.255.0
 duplex auto
 speed auto
end

Branch#show running-config interface Serial 0/0/0
Building configuration...

Current configuration : 97 bytes
!
interface Serial0/0/0
 description *** Link to ISP ***
 ip address 10.5.1.2 255.255.255.0
end

Lab 4-1: Configuring Site-to-Site IPsec VPNs

Complete this lab activity to practice what you learned in the related module.

Visual Objective

This section contains information about your laboratory setup, details of the physical and logical connectivity in the laboratory, and information about the addressing scheme and IGP routing. Each pod is independent of other pods (that is, pods do not interact). Two learners are usually assigned to one pod. The addressing scheme of the pods differs, which is indicated with an x. The x should always be replaced by the pod number. Each pod will contain the router types defined in the table and one PC.

The names of all devices in your pod follow the naming convention detailed in this table.

Device Naming Convention

Workstation
    PC used for accessing the router via the SDM interface.
Server
    PC used as TFTP server for downloading files.
HQ, Branch
    Routers between which you will establish the IPsec tunnel.
ISP
    Router in the service provider network. Router is not accessible by learners.

The first serial interface of the branch router is connected back-to-back to the ISP. The DCE side is on the ISP router. The first FastEthernet interface of the branch router is connected to the server. The second FastEthernet interface of the branch is connected to the second FastEthernet interface of the HQ router. The first FastEthernet interface of the HQ router is connected to the Internet, where the workstation is connected.

Visual Objective for Lab 4-1: Configuring Site-to-Site IPsec VPNs (figure)

The IP addressing of the devices has been performed using the allocation scheme detailed in the IP host address table.

IP Host Address (Where x Is the Pod Number)

Workstation         Public IP address (see on the device)
Server              10.6.6.254/24
HQ (Loopback0)      10.0.x.1/32
HQ (Fa0/0)          Public IP address (provided by instructor)
HQ (Fa0/1)          10.2.x.1/24
HQ (S0/0/0)         Shutdown
Branch (Loopback0)  10.0.x.2/32
Branch (Fa0/0)      10.6.6.x/24
Branch (Fa0/1)      10.2.x.2/24
Branch (S0/0/0)     10.5.x.2/24
ISP (Loopback)      10.10.10.10/24
ISP (Serial)        10.5.x.10/24

Note This addressing scheme has been selected for ease of use in the labs; it does not optimize the use of the address space.

Routing in the Network

EIGRP is used as the routing protocol between routers. The EIGRP routing configuration on the routers is shown in these printouts:

HQ router:

router eigrp 1
 redistribute connected
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

Branch router:

router eigrp 1
 passive-interface FastEthernet0/0
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

Activity Objective

In this exercise, you will configure two routers to establish a secure path between two networks over an untrusted network (as shown in the Visual Objective figure). The path will be secured using IPsec protocols, assisted by the IKE key-exchange protocol, which will also enforce the required traffic protection policy.

In the activity, you will configure a site-to-site IPsec VPN with preshared-key authentication, using SDM and the CLI. After completing this activity, you will be able to meet these objectives:

Launch the Site-to-Site VPN Wizard and accept the default IKE policy, transform set, and IPsec rules
Use the VPN Connection Information window to identify the IP address or host name of the remote site that will terminate the VPN tunnel that you are configuring, to specify the router interface to use, and to enter the preshared key that both routers will use to authenticate each other
Use the VPN Connection Information window to examine and select the IKE policy, priority, and encryption type
Use the Transform Set window to examine and select the transform set for your VPN
Use the Traffic to Protect window to define the traffic that this VPN will protect per the given requirements
Use the Summary window to confirm that your VPN values match those provided in the exercise

Visual Objective

The figure illustrates what you will accomplish in this activity. You will configure an IPsec tunnel between the HQ and branch routers to secure traffic between the HQ Fa0/0 network and network 10.10.10.0/24. (IP address 10.10.10.10/24 is the loopback on the ISP router.)

Visual Objective for Lab 4-1: Configuring Site-to-Site IPsec VPNs (figure)

Required Resources

This resource is required to complete this activity:

Cisco IOS documentation

Command List

The table describes the commands that are used in this activity.

SDM Preparation Commands

copy
    Copies files between file systems.
ip http server
    Starts the HTTP server.
ip http secure-server
    Starts the HTTPS server.
ip http authentication
    Defines the authentication method of the local HTTP server.
username username password password
    Creates local users. Use the secret keyword in place of password to store an MD5 hash rather than the reversible type 7 form, as Task 1 requires.
show crypto key mypubkey rsa
    Displays the public RSA keys.
show flash
    Displays the contents of the flash.
show running-config
    Displays the running configuration.
show crypto isakmp policy
    Displays the IKE proposals.
show ip interface brief
    Displays brief interface status.

Job Aid

This job aid is available to help you complete the lab activity.

The instructor will allocate a pod that you will configure. Use this table to write down the pod assigned to you.

Pod Assigned

Parameter    Value (Provided by Instructor)
pod

Task 1: Prepare the Routers for SDM-Based Provisioning

In this task, you will configure the HQ router in your pod for SDM provisioning. Routers in the lab have preconfigured IP addresses and routing.

Activity Procedure

Complete these steps:

Step 1 Check whether the files sdm.tar, home.tar, 256MB.sdf, home.shtml, sdmconfig-28xx.cfg, and common.tar exist in the flash memory of the HQ router. If the files are already in the flash, proceed with Step 3.

Step 2 Copy the files from the server to the HQ router's flash memory:

Copy the file sdm.tar from the server to the HQ router's flash memory, using the copy tftp flash: command.
Use the same command to copy the other files needed: home.tar, 256MB.sdf, home.shtml, sdmconfig-28xx.cfg, and common.tar.

Step 3 Configure the HQ router to support SDM management:

Start the HTTP server.
Start the HTTPS server.
Configure a local authentication method for access to the HTTP server.
Create a local user with privilege level 15 and MD5-based password protection. Use the username sdm and the password sdmpassword.

Note In actual implementations, do not use simple, easy-to-guess usernames and passwords. Use long (at least 8 characters) random strings with a mixture of numeric and lowercase and uppercase alphabetical characters.
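As an added example that is not part of the original lab guide, this is the console session for Task 1 on the HQ router. The TFTP server address 10.6.6.254 is taken from the lab address table; the workstation address 192.0.2.10, access list 10 and the timeout values are assumed and go beyond what the lab asks for.

```cisco
! Added example (not from the original lab guide): preparing HQ for SDM.
! Assumed: TFTP server 10.6.6.254 (lab address table), management
! workstation 192.0.2.10, access-list 10.
!
! Steps 1-2: see whether the SDM files are already in flash, else fetch them
show flash:
copy tftp://10.6.6.254/sdm.tar flash:sdm.tar
copy tftp://10.6.6.254/home.tar flash:home.tar
copy tftp://10.6.6.254/256MB.sdf flash:256MB.sdf
copy tftp://10.6.6.254/home.shtml flash:home.shtml
copy tftp://10.6.6.254/sdmconfig-28xx.cfg flash:sdmconfig-28xx.cfg
copy tftp://10.6.6.254/common.tar flash:common.tar
!
! Step 3: HTTP and HTTPS management with a local privilege-15 user.
! "secret" stores a salted MD5 (type 5) hash; "password" would store the
! reversible type 7 form and does not meet the task's requirement.
configure terminal
 ip http server
 ip http secure-server
 ip http authentication local
 username sdm privilege 15 secret sdmpassword
 !
 ! Beyond the lab: only the workstation may reach the management server,
 ! and idle sessions are dropped after ten minutes
 access-list 10 permit host 192.0.2.10
 ip http access-class 10
 ip http timeout-policy idle 600 life 86400 requests 10000
end
!
! HTTPS needs an RSA key pair. IOS generates one, plus a self-signed
! certificate, when the secure server first starts; confirm it exists
show crypto key mypubkey rsa
```

TFTP carries no integrity protection, so after the copies check each file with verify /md5 flash:sdm.tar (and the others) against the digest published with the download. The lab's verification deliberately logs in over plain HTTP first and lets SDM switch to HTTPS, which sends the sdm credentials once in the clear; once the HTTPS login is confirmed, no ip http server removes the plaintext listener so that this cannot happen again.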

    Activity Verification

    You have completed this task when you start SDM from the workstation in your pod, following

    these steps:

    Step 1 On the workstation, open the Internet Explorer and access the HQ router via HTTP

    (http://).

    Step 2 Log in as user sdm with the password sdmpassword.

  • 8/14/2019 ISCW10LabGuide

    21/178

Click OK. A new window appears, asking you if you want to use HTTPS.

Click OK. A Security Alert window appears, asking you if you want to accept the certificate from the router.

Click Yes to accept the certificate. Now the session becomes HTTPS, so you need to enter the username and password again. Use the username sdm and the password sdmpassword.


Click OK. When SDM starts, you will first see a security warning.

Click More Details to view the self-signed certificate.


View the certificate. Click Close and then Yes to proceed at the security warning. If any additional warning appears, click Yes.

Click Yes to proceed at the security warning window that appears.

    SDM on the HQ router will start.


    Task 2: Access the Site-to-Site VPN Wizard

    In this task, you will launch the Site-to-Site VPN Wizard.

    Activity Procedure

    Complete these steps:

    Step 1 Configure the HQ router using SDM. Click the Configure tab.

    Step 2 Choose VPN from the category bar.

    Step 3 Choose the VPN Site-to-Site VPN option.

Step 4 Leave the default selection of Create a Site to Site VPN and click Launch the selected task.

    Step 5 At this point, you can choose one of two options. You may choose to use the Quick

    Setup mode or the Step by Step Wizard. In this lab exercise, you will use the Step by

    Step Wizard mode.


    Activity Verification

    Complete these steps to verify the activity:

    Step 1 From the SDM, you can see output similar to this:

Step 2 Click Next to proceed.

    Task 3: Define VPN Connection

    In this task, you will use the VPN Connection Information window to identify the IP address or

host name of the remote site that will terminate the VPN tunnel that you are configuring. You will specify the router interface to use and enter the preshared key that both routers will use to authenticate each other.

    Activity Procedure

    Complete these steps:

    Step 1 Configure the HQ router. Select FastEthernet0/1 as the interface for this VPN

    connection.

Step 2 Select static peer identity, and configure the peer address 10.2.x.2 (where x is the pod number).

    Step 3 Set the preshared key to secretkey.


    Activity Verification

    Complete these steps to verify the activity:

    Step 1 From the SDM, you can see output similar to this:

Step 2 Click Next to proceed.

    Task 4: Select an IKE Proposal

    In this task, you will configure IKE parameters (also known as the ISAKMP policy because

ISAKMP, the Internet Security Association and Key Management Protocol, is the foundation of IKE) on both IPsec/IKE peers, which will enable the two peers to securely handshake,

    authenticate each other, and be able to agree on IPsec parameters when the IPsec policy is

    configured later in this lab.

    In this task, you will use the VPN Connection Information window to examine and select the

    IKE policy, priority, and encryption type.


    Activity Procedure

    Complete these steps:

    Step 1 Configure the HQ router. From the next window, determine what the default IKE

    policy is.

    Step 2 Add a new IKE proposal by clicking Add.

    Step 3 Configure these parameters:

    Priority: 2

Encryption: 3DES

Hash: SHA-1

    Authentication: Preshared

    D-H Group: 2

    Lifetime: 1 hour

Step 4 Click OK.


    Activity Verification

    Complete these steps to verify the activity:

    Step 1 From the SDM, you can see output similar to this.

Step 2 Make sure the new IKE proposal appears in the window, and click Next to proceed.

    Your IKE parameters are now set, and the two peers should agree in their IKE parameters

    (ISAKMP policies) when they handshake at the beginning of the IKE session. Now, you will

    configure rules, specifying which traffic needs to be protected and the methods for its

    protection.

    Task 5: Select the Transform Set

    In this task, you will use the Transform Set window to examine and select the transform set for

    your VPN.

    Activity Procedure

    Complete these steps:

    Step 1 Configure the HQ router. From the next window, determine what the default

    transform set is.


Step 2 Click Add to add a new transform set with the name my_transform_set.

    Step 3 Create a transform set, which represents the set of protection algorithms used inside

    IPsec to protect traffic. The transform set should use the ESP encapsulation only,

    with 3DES as the traffic encryption algorithm, and SHA-1 as the traffic

authentication/integrity algorithm. Click Show Advanced to configure IPsec tunnel mode for this transform set, although this is the default setting.

Step 4 Click OK.


    Activity Verification

    Complete these steps to verify the activity:

    Step 1 From the SDM, you can see output similar to this.

Step 2 Choose the new transform set (my_transform_set) from the drop-down list, and click Next to proceed.


    Task 6: Select Traffic to Protect

    In this task, you will create and apply traffic protection rules to specify which traffic must be

    protected. In this task, you will use the Traffic to Protect window to define the traffic that this

    VPN will protect per the given requirements.

    Activity Procedure

    Complete this step:

    Step 1 Protect all traffic between these subnets: subnet of the FA0/0 HQ interface and

    10.10.10.0/24.

    Activity Verification

    Complete these steps to verify the activity:

    Step 1 From the SDM, you can see output similar to this:

Step 2 Click Next to proceed.


    Task 7: Complete the Setup

    In this task, you will use the Summary window to confirm that your VPN values match those

    provided in the previous tasks.

    Activity Procedure

    Complete these steps:

    Step 1 Configure the HQ router. From the next window, examine the summary of the

    configuration, which will be sent to the router.

Step 2 Click Finish to apply the configuration to the router.


Step 3 When the configuration is applied, click OK.

    Activity Verification

    Complete these steps to verify the activity:

    Step 1 From the VPN window, you can see the new connection (IPsec tunnel). Because one

    side of the tunnel is not configured, the current status of the connection is Down.


    Task 8: Generate Mirror Configuration

    In this task, you will generate a mirror configuration to paste it on the branch router.

    Activity Procedure

    Complete these steps:

    Step 1 From the SDM window on the HQ router, click the Generate Mirror button.


Step 2 Click Save to save the mirror configuration. Name the file Branch.txt.

Step 3 Click Save and then OK to close the Generate Mirror window.


    Activity Verification

    You have completed this task when you attain this result:

    From the workstation desktop, open the Branch.txt file and verify the configuration. See the

    crypto map name.

    crypto isakmp policy 2

    authentication pre-share

    encr 3des

hash sha

group 2

    lifetime 3600

    exit

    crypto isakmp policy 1

    authentication pre-share

    encr 3des

    hash sha

    group 2

    lifetime 86400

    exit

    crypto isakmp key secretkey address 10.2.1.1

    crypto ipsec transform-set my_transform_set esp-sha-hmac esp-3des

    mode tunnel

    exit

ip access-list extended SDM_1

remark SDM_ACL Category=4

    remark IPSec Rule

    permit ip 10.10.10.0 0.0.0.255 172.31.1.0 0.0.0.255

    exit

    crypto map SDM_CMAP_1 1 ipsec-isakmp

    description Apply the crypto map on the peer router's interface having IP

    address 10.2.1.2 that connects to this router.

    set transform-set my_transform_set

    set peer 10.2.1.1

    match address SDM_1

    set security-association lifetime seconds 3600

    set security-association lifetime kilobytes 4608000

    exit

    Printout: HQ Router Mirrored IPsec Configuration

    Task 9: Use Mirrored IPsec Configuration

    In this task, you will use a mirrored IPsec configuration to configure the branch router.

    Activity Procedure

    Complete these steps:

    Step 1 Connect to the branch router using the console. Copy the mirrored configuration

    generated in the Generating Mirror Configuration task and paste it to the branch

    router.

Step 2 The mirrored configuration alone is not enough to establish the IPsec tunnel, so add these lines:

    Apply crypto map to the FastEthernet0/1 interface on the branch router, using the crypto

    map name as generated by the Generate Mirror feature:

    interface FastEthernet 0/1

    crypto map SDM_CMAP_1

    Printout: Branch Router Additional IPsec Configuration


    Activity Verification

    Complete these steps to verify the activity:

    Step 1 From the VPN window, you can see the connection (IPsec tunnel). The status of the

    connection is still Down.

Step 2 Click Test Tunnel and then Start.

Step 3 Click Yes in the SDM Warning window.


    Step 4 In the next window, enter 10.10.10.10 in the Enter the IP address of a host in the

    destination network field.


Step 5 Click Continue. The test should be successful.

Note If the workstation is not on the same subnet as the FA0/0 interface of the HQ router, its packets will not go through the IPsec VPN tunnel.

Step 6 Click OK and then Close. The status of the tunnel should now be Up.


    Step 7 Examine the HQ router configuration, using the show running-config command to

    see the VPN setup.

    HQ#show running-config

    username sdm privilege 15 secret 5 $1$yGtx$5rU6rTEHAkTVAJMyIaJob1

    !

    crypto isakmp policy 1

    encr 3des

    authentication pre-share

    group 2

!

crypto isakmp policy 2

    encr 3des

    authentication pre-share

    group 2

    lifetime 3600

    crypto isakmp key secretkey address 10.2.1.2

    !

    crypto ipsec transform-set my_transform_set esp-3des esp-sha-hmac

    !

    crypto map SDM_CMAP_1 1 ipsec-isakmp

    description Tunnel to10.2.1.2

    set peer 10.2.1.2

    set transform-set my_transform_set

    match address 100

!

interface FastEthernet0/1

    description *** Link to Branch ***

    ip address 10.2.1.1 255.255.255.0

    crypto map SDM_CMAP_1

    !

    access-list 100 remark SDM_ACL Category=4

    access-list 100 remark IPSec Rule

    access-list 100 permit ip 172.31.1.0 0.0.0.255 10.10.10.0 0.0.0.255

    Printout: HQ Router Running Configuration
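Comparing the HQ running configuration with the mirrored branch configuration by eye is error-prone. The following Python script is an added example, not part of the lab guide or of SDM: it parses the ISAKMP policies, preshared key, transform set, crypto map and crypto ACL from both sides and reports anything that is not the mirror image of the other peer. The two configuration excerpts are constructed from the printouts in this lab (pod 1 addresses), and the IOS defaults it fills in for ISAKMP policy attributes that the running configuration does not print (encr des, hash sha, authentication rsa-sig, group 1, lifetime 86400) are the standard ones.

```python
import re

# Constructed excerpts modelled on the HQ running configuration and the mirrored
# branch configuration printed in this lab (pod 1 addresses); not captured from a router.
HQ_RUNNING = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key secretkey address 10.2.1.2
!
crypto ipsec transform-set my_transform_set esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 10.2.1.2
 set transform-set my_transform_set
 match address 100
!
access-list 100 permit ip 172.31.1.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
BRANCH_MIRROR = """\
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
exit
crypto isakmp key secretkey address 10.2.1.1
crypto ipsec transform-set my_transform_set esp-sha-hmac esp-3des
ip access-list extended SDM_1
 permit ip 10.10.10.0 0.0.0.255 172.31.1.0 0.0.0.255
exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set transform-set my_transform_set
 set peer 10.2.1.1
 match address SDM_1
exit
"""
# IOS defaults for ISAKMP policy attributes that the running config leaves out.
IKE_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}


def parse_crypto(config):
    """Collect ISAKMP policies, preshared keys, transform sets, crypto maps and crypto ACLs."""
    cfg = {"policies": {}, "keys": {}, "tsets": {}, "maps": {}, "acls": {}}
    section = None                       # (kind, name) of the sub-mode currently open
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line in ("!", "exit"):
            section = None
        elif m := re.match(r"crypto isakmp policy (\d+)$", line):
            section = ("policy", m.group(1))
            cfg["policies"][m.group(1)] = dict(IKE_DEFAULTS)
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"][m.group(2)] = m.group(1)
            section = None
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["tsets"][m.group(1)] = frozenset(m.group(2).split())
            section = None
        elif m := re.match(r"crypto map (\S+ \d+) ipsec-isakmp$", line):
            section = ("map", m.group(1))
            cfg["maps"][m.group(1)] = {}
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            section = ("acl", m.group(1))
            cfg["acls"].setdefault(m.group(1), [])
        elif m := re.match(r"access-list (\d+) (permit .+)$", line):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2))
        elif section:
            kind, name = section
            words = line.split()
            if kind == "policy" and words[0] in IKE_DEFAULTS:
                cfg["policies"][name][words[0]] = words[1]
            elif kind == "map" and words[0] in ("set", "match"):
                cfg["maps"][name][words[1]] = words[2]    # peer / transform-set / address
            elif kind == "acl" and words[0] == "permit":
                cfg["acls"][name].append(line)
    return cfg

def mirrored(entry):
    """Swap source and destination of a 'permit ip SRC WC DST WC' entry."""
    w = entry.split()
    return " ".join([w[0], w[1], w[4], w[5], w[2], w[3]]) if len(w) == 6 else entry

def check_mirror(hq_text, branch_text, hq_addr, branch_addr):
    """Return mismatches; an empty list means the branch config mirrors the HQ one."""
    hq, br = parse_crypto(hq_text), parse_crypto(branch_text)
    problems = []
    for prio, pol in hq["policies"].items():
        sig = {k: pol[k] for k in ("encr", "hash", "authentication", "group")}
        if not any(all(p[k] == v for k, v in sig.items()) for p in br["policies"].values()):
            problems.append(f"no branch ISAKMP policy matches HQ policy {prio}: {sig}")
    if not hq["keys"].get(branch_addr) or hq["keys"][branch_addr] != br["keys"].get(hq_addr):
        problems.append("preshared key is missing or differs between the peers")
    for name, entry in hq["maps"].items():
        peer = br["maps"].get(name, {})
        if entry.get("peer") != branch_addr or peer.get("peer") != hq_addr:
            problems.append(f"{name}: peers are not each other's address")
        if hq["tsets"].get(entry.get("transform-set")) != br["tsets"].get(peer.get("transform-set")):
            problems.append(f"{name}: transform sets differ")
        hq_acl = sorted(mirrored(e) for e in hq["acls"].get(entry.get("address"), []))
        if hq_acl != sorted(br["acls"].get(peer.get("address"), [])):
            problems.append(f"{name}: crypto ACL is not the mirror image")
    return problems
```

The ISAKMP lifetime is deliberately left out of the comparison: the peers negotiate the shorter of the two, so a mismatch there does not stop the tunnel, whereas a different encryption, hash, group or authentication method does. The crypto ACL check is the one most often missed by hand: the branch entry must list the branch LAN as source and the HQ LAN as destination, exactly reversed from the HQ entry.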

    Step 8 Open the console connection to the HQ router and examine the IPsec VPN statistics,

    using the show crypto ipsec sa command. Check the number of encrypted packets.

    HQ#show crypto ipsec sa

    interface: FastEthernet0/1

    Crypto map tag: SDM_CMAP_1, local addr 10.2.1.1

    protected vrf: (none)

    local ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)

    remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

    current_peer 10.2.1.2 port 500

    PERMIT, flags={origin_is_acl,}

    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29

    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29

    #pkts compressed: 0, #pkts decompressed: 0


    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

    Printout: HQ Router crypto ipsec sa Command

    Step 9 From the HQ router, ping IP address 10.10.10.10. Use the standard ping command.

    HQ#ping 10.10.10.10

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

    Printout: Ping from HQ to 10.10.10.10

Step 10 Examine the IPsec VPN statistics again, using the show crypto ipsec sa command, and check the number of encrypted packets. The count is unchanged because a standard ping is sourced from the address of the outgoing interface, which is not permitted by the crypto ACL, so those packets were sent outside the tunnel.

    HQ#show crypto ipsec sa

    interface: FastEthernet0/1

    Crypto map tag: SDM_CMAP_1, local addr 10.2.1.1

    protected vrf: (none)

    local ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)

    remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

    current_peer 10.2.1.2 port 500

    PERMIT, flags={origin_is_acl,}

    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29

    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

    Printout: HQ Router crypto ipsec sa Command

    Step 11 From the HQ router, ping IP address 10.10.10.10. Now, use the extended ping

    command with the source IP address from the HQ FA0/0 interface.

    HQ#ping

    Protocol [ip]:

    Target IP address: 10.10.10.10

    Repeat count [5]:

    Datagram size [100]:

    Timeout in seconds [2]:

    Extended commands [n]: y

    Source address or interface: FastEthernet0/0

    Type of service [0]:

    Set DF bit in IP header? [no]:

    Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

    Sweep range of sizes [n]:

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:

    Packet sent with a source address of 172.31.1.1

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms

    Printout: Ping from HQ FA0/0 Interface to 10.10.10.10
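Steps 8 to 11 make a point that is easy to miss when reading counters: only traffic that the crypto ACL permits is encrypted, and the ping from the router itself was not. The following Python script is an added example, not part of the lab guide: it implements IOS wildcard-mask matching for the HQ crypto ACL, reads the #pkts encrypt counter from two show crypto ipsec sa captures, and combines the two to classify a ping. The counter excerpts are constructed from the values printed above (29 before; 34 is what the five extended-ping echoes from FA0/0 would add) and the crypto ACL is access-list 100 from the HQ running configuration.

```python
import re

# Constructed 'show crypto ipsec sa' excerpts: the counters as printed in Steps 8 and 10,
# and what Step 11's five extended-ping echoes sourced from FA0/0 would add to them.
SA_BEFORE = """\
   #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
   #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
"""
SA_AFTER_EXTENDED_PING = """\
   #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
   #pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
"""

# The HQ crypto ACL from the running configuration (access-list 100), entries only.
CRYPTO_ACL = ["permit ip 172.31.1.0 0.0.0.255 10.10.10.0 0.0.0.255"]


def ip_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    mask = 0xFFFFFFFF ^ ip_int(wildcard)
    return ip_int(addr) & mask == ip_int(network) & mask


def acl_selects(acl, src, dst):
    """True if the crypto ACL permits src->dst, i.e. the packet belongs in the tunnel."""
    for entry in acl:
        w = entry.split()
        if (w[0] == "permit" and w[1] == "ip"
                and wildcard_match(src, w[2], w[3]) and wildcard_match(dst, w[4], w[5])):
            return True
    return False


def encrypt_count(sa_text):
    """Extract the '#pkts encrypt' counter from show crypto ipsec sa output."""
    m = re.search(r"#pkts encrypt: (\d+)", sa_text)
    return int(m.group(1)) if m else None


def explain_ping(src, dst, sa_before, sa_after, echoes=5):
    """Classify a ping against the crypto ACL and confirm the verdict with the SA counters."""
    selected = acl_selects(CRYPTO_ACL, src, dst)
    delta = encrypt_count(sa_after) - encrypt_count(sa_before)
    if not selected:
        verdict = "clear" if delta == 0 else "unexpected encryption"
    else:
        verdict = "encrypted" if delta >= echoes else "tunnel not used"
    return {"acl_match": selected, "encrypted_delta": delta, "verdict": verdict}


if __name__ == "__main__":
    # Step 9: standard ping, sourced from Fa0/1 (10.2.1.1), counters unchanged
    print(explain_ping("10.2.1.1", "10.10.10.10", SA_BEFORE, SA_BEFORE))
    # Step 11: extended ping sourced from Fa0/0 (172.31.1.1), five more encrypted packets
    print(explain_ping("172.31.1.1", "10.10.10.10", SA_BEFORE, SA_AFTER_EXTENDED_PING))
```

The "tunnel not used" verdict is the case to watch for in operation: the ACL says the traffic should be protected, but the counter did not move, which usually means the crypto map is not applied to the egress interface or the SA never came up.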


    Step 2 SDM will not delete all IPsec configuration lines, so use these commands to delete it

    entirely:

    no crypto isakmp policy 1

    no crypto isakmp policy 2

    no crypto isakmp key secretkey address 10.2.1.2

    no crypto ipsec transform-set my_transform_set

    no access-list 100

    Printout: Deleting IPsec Configuration on the HQ Router

Step 3 Delete the existing IPsec tunnel configuration on the branch router, using these commands:

    interface FastEthernet0/1

    no crypto map SDM_CMAP_1

    !

    no crypto map SDM_CMAP_1

    no crypto ipsec transform-set my_transform_set

    no crypto isakmp policy 1

    no crypto isakmp policy 2

    no crypto isakmp key secretkey address 10.2.1.1

    no ip access-list extended SDM_1

    Printout: Deleting IPsec Configuration on the Branch Router

    Activity Verification

    You have completed this task when you attain this result:

    Examine the HQ router configuration, using the show running-config command, to see

    that the crypto map is no longer on the FastEthernet0/1 interface.

    HQ#show running-config interface FastEthernet 0/1

    Building configuration...

    Current configuration : 133 bytes

    !

    interface FastEthernet0/1

    description *** Link to Branch ***

    ip address 10.2.1.1 255.255.255.0

    duplex auto

    speed auto

    end

    Printout: HQ Router Interface Configuration


Lab 4-2: Configuring GRE Tunnels over IPsec Using SDM

    Complete this lab activity to practice what you learned in the related module.

    Activity Objective

    In this exercise, you will configure two routers to establish a secure path between two networks

    over an untrusted network (as shown in the figure). The path will be secured using secure GRE

    protocol. You will create a secure GRE tunnel (GRE over IPsec) using SDM. After completing

    this activity, you will be able to meet this objective:

Launch SDM v2.2a from the learner's workstation and follow the steps on the Create Site to Site VPN tab of the SDM VPN Wizard

    Visual Objective

    The figure illustrates what you will accomplish in this activity.


Visual Objective for Lab 4-2: Configuring GRE Tunnels over IPsec Using SDM

    Required Resources

    This resource is required to complete this activity:

    Cisco IOS documentation

    Command List

    The table describes the command that is used in this activity.


Show Command

Command: show running-config

Description: Displays the running configuration

    Job Aid

    This job aid is available to help you complete the lab activity.

    The instructor will allocate a pod that you will configure. Use this table to write down the

    pod assigned to you.

    Pod Assigned

    Parameter Value (Provided by Instructor)

    pod


Task 1: Create a Secure GRE Tunnel (GRE over IPsec) Using SDM

    In this task, you will configure a secure GRE tunnel between the HQ and branch routers in your

    pod by using SDM. This tool enables you to create a GRE tunnel with IPsec encryption. When

    you create a GRE tunnel configuration, you also create an IPsec rule that describes the

    endpoints of the tunnel. Routers in the lab have preconfigured IP addresses and routing.

    Activity Procedure

    Complete these steps:

    Step 1 On the workstation, open the Internet Explorer and access the HQ router via HTTP

    (http://).

Step 2 Log in as user sdm with the password sdmpassword, and click OK.

Step 3 A new window appears, asking you if you want to use HTTPS. Click OK.


Step 4 The Security Alert window appears, asking you if you want to accept the certificate from the router. Click Yes to accept the certificate.

Step 5 Now the session becomes HTTPS, so you need to enter the username and password again. Use the username sdm and the password sdmpassword, and click OK.


Step 6 When SDM starts, you will first see a security warning. Click Yes to proceed at the security warning. If any additional warning appears, click Yes.

Step 7 If any other warning appears, click Yes.

Step 8 Click Yes to proceed at the security warning window.


Step 9 Wait a few seconds while SDM loads the current configuration from your router. Refresh SDM by clicking the Refresh button.

Step 10 In the SDM, click Configure.

    Step 11 Choose VPN from the category bar.

    Step 12 Choose the Site-to-Site VPN option.


    Step 13 Select the Create a secure GRE tunnel (GRE over IPsec) option and click

    Launch the selected task.

Step 14 From SDM, you can see the Secure GRE Wizard window. Click Next.


    Step 15 In the Tunnel Source area, select the interface FastEthernet0/1.

Tunnel Source: Select the interface name or the IP address of the interface that the tunnel will use. The IP address of the interface must be reachable from the other end of the tunnel; therefore it must be a public, routable IP address. An error will be generated if you enter an IP address that is not associated with any configured interface.

    Note SDM lists interfaces with static IP addresses and interfaces configured as unnumbered in

    the Interface list. Loopback interfaces are not included in the list.

    Details button: Click to obtain details about the interface that you selected. The

    details window shows any HQ rules, IPsec policies, NAT rules, or Inspection rules

    associated with the interface. If a NAT rule that has been applied to this interface

    causes the address to be unroutable, the tunnel will not operate properly. To examine

    any of these rules in more detail, go to Additional Tasks/ACL Editor.

Step 16 In the Tunnel Destination area, type the IP address 10.2.x.2 (where x is the pod number).

    Tunnel Destination: Enter the IP address of the interface on the remote router at the

    other end of the tunnel. This is the source interface from the point of view of the

    other end of the tunnel.

    Make sure that this address is reachable by using the ping command. The ping

    command is available from the Tools menu. If the destination address cannot be

    reached, the tunnel will not be created properly.

    Step 17 Configure the IP address of the GRE tunnel 10.1.x.1/24.

IP Address of the GRE tunnel: Enter the IP address of the tunnel. The IP addresses of both ends of the tunnel must be in the same subnet. The tunnel is given a separate IP address so that it can be a private address, if necessary.

    IP Address: Enter the IP address of the tunnel in dotted decimal format.

    Subnet Mask: Enter the subnet mask for the tunnel address in dotted decimal

    format.


Step 18 From SDM, you can see the GRE Tunnel Information window. Click Next.

Step 19 Do not select the Create a backup secure GRE tunnel for resilience option. Click Next.

Step 20 Set the preshared key to secretkey and click Next.


    Step 21 From the IKE Proposal window, determine what the default IKE policy is, and click

    Next.

    Step 22 From the Transform Set window, determine what the default transform set is. Click

    Next.


Step 23 Select Static Routing to support the GRE over IPsec VPN. Click Next.

Step 24 From the Static Routing Information window, select the Do split tunneling option. Enter the destination network 10.0.0.0 255.0.0.0 to route traffic through this GRE tunnel. Click Next.


    Step 25 From the Summary window examine the summary of the configuration, which will

    be sent to the router.

Step 26 Click Finish to apply the configuration to the router.

Step 27 When the configuration is applied, click OK.


    Activity Verification

    You have completed this task when you attain this result:

    From the VPN window, you can see the new connection (GRE tunnel). Because one side of

    the tunnel is not configured, the current status of the connection is Down.


    Task 2: Generate Mirror Configuration

    In this task, you will generate a mirror configuration to paste it on the branch router.

    Activity Procedure

    Complete these steps:

    Step 1 From the SDM window on the HQ router, click the Generate Mirror button.

Step 2 Click Save to save the mirror configuration. Name the file Branch_GRE.txt.


Step 3 Click Save and then OK to close the Generate Mirror window.

    Activity Verification

    You have completed this task when you attain this result:

    From the workstation desktop, open the Branch_GRE.txt file and verify the configuration.

    See the crypto map name.

    crypto isakmp policy 1

    authentication pre-share

    encr 3des

    hash sha

    group 2

    lifetime 86400

    exit

crypto isakmp key secretkey address 10.2.1.1

crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des

    mode tunnel

    exit

    ip access-list extended SDM_1

    remark SDM_ACL Category=4

    permit gre host 10.2.1.2 host 10.2.1.1

    exit

    crypto map SDM_CMAP_1 1 ipsec-isakmp

    description Apply the crypto map on the peer router's interface having IP

    address 10.2.1.2 that connects to this router.

    set transform-set ESP-3DES-SHA

    set peer 10.2.1.1

    match address SDM_1

    set security-association lifetime seconds 3600

set security-association lifetime kilobytes 4608000

exit

    Printout: HQ Router Mirrored IPsec and Partial GRE Configuration

    Task 3: Use Mirrored Configuration

    In this task, you will use mirrored IPsec configuration to configure the branch router.


    Activity Procedure

    Complete these steps:

    Step 1 Connect to the branch router, using the console. Copy the mirrored configuration

    generated in the previous task and paste it to the branch router.

Step 2 The mirrored configuration alone is not enough to establish the GRE over IPsec tunnel, so add these lines:

Apply the crypto map to the FastEthernet0/1 interface on the branch router, using the crypto map name as generated by the Generate Mirror feature:

    interface FastEthernet 0/1

    crypto map SDM_CMAP_1

    Printout: Branch Router Additional IPsec Configuration

Configure the tunnel interface, set the IP MTU to 1420, and use IP address 10.1.1.2/24. The tunnel source should be Fa0/1, and the tunnel destination should be 10.2.x.1 (where x is the pod number). Apply the crypto map to the tunnel interface on the branch router, and use the crypto map name as generated by the Generate Mirror feature. Enable the tunnel for dynamic path discovery. Use this example:

    interface Tunnel0

ip address 10.1.x.2 255.255.255.0

ip mtu 1420

    tunnel source FastEthernet0/1

    tunnel destination 10.2.x.1

    tunnel path-mtu-discovery

    crypto map SDM_CMAP_1

    Printout: Branch Router Tunnel Configuration

On the branch router, configure the static default route to the tunnel interface configured in the previous bullet, and configure the static route for host IP address 10.2.x.1 (where x is the pod number) to the Fa0/1 interface:

    ip route 0.0.0.0 0.0.0.0 Tunnel0

    ip route 10.2.x.1 255.255.255.255 FastEthernet0/1

    Printout: Branch Router Additional GRE over IPsec Configuration
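The tunnel configuration above sets ip mtu 1420 on Tunnel0. The following Python calculation is an added example, not part of the lab guide: it adds the GRE and ESP tunnel-mode overhead of the ESP-3DES-SHA transform set to an inner packet and checks the result against a 1500-byte Ethernet link, so you can see why 1420 fits and why the default 1500 would not. The header sizes are assumptions about the lab rather than values printed on the page: IPv4 without options, a basic GRE header with no key or sequence number, a 3DES-CBC IV, and the 96-bit HMAC-SHA1 ICV.

```python
# Assumed header sizes (bytes) for GRE over ESP tunnel mode with esp-3des esp-sha-hmac.
IP_HDR = 20        # IPv4 header without options (GRE delivery header and ESP outer header)
GRE_HDR = 4        # basic GRE header, no key, sequence number or checksum
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 8         # 3DES-CBC initialisation vector (one cipher block)
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value
BLOCK = 8          # 3DES block size; payload + trailer is padded to a multiple of this


def esp_tunnel_size(plaintext_len):
    """Bytes on the wire for an ESP tunnel-mode packet protecting plaintext_len bytes."""
    padded = -(-(plaintext_len + ESP_TRAILER) // BLOCK) * BLOCK   # round up to the block size
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def gre_over_ipsec_size(inner_len):
    """Wire size of an inner IP packet after GRE encapsulation and then ESP tunnel mode."""
    return esp_tunnel_size(IP_HDR + GRE_HDR + inner_len)


def fits(inner_len, link_mtu=1500):
    """True if a packet of inner_len bytes still fits the physical link after encapsulation."""
    return gre_over_ipsec_size(inner_len) <= link_mtu


def largest_inner_mtu(link_mtu=1500):
    """Largest tunnel 'ip mtu' whose encapsulated packets still fit the link MTU."""
    mtu = link_mtu
    while not fits(mtu, link_mtu):
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for size in (1420, largest_inner_mtu(), 1500):
        print(f"inner {size} bytes -> {gre_over_ipsec_size(size)} bytes on the wire, "
              f"fits a 1500-byte link: {fits(size)}")
```

Under these assumptions a 1420-byte inner packet leaves the router as 1496 bytes, and 1422 is the largest value that still fits; the lab's 1420 leaves a few bytes of headroom. Paths with an MTU below 1500 are what tunnel path-mtu-discovery on the same interface is there to handle.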


    Activity Verification

    Complete these steps to verify the activity:

    Step 1 From the VPN window, you can see the connection (GRE over IPsec tunnel). The

    status of the connection is still Down.


    !

    crypto map SDM_CMAP_1 1 ipsec-isakmp

    description Tunnel to10.2.1.2

    set peer 10.2.1.2

    set transform-set ESP-3DES-SHA

    match address 100

    !

    interface Tunnel0

    ip address 10.1.1.1 255.255.255.0

    ip mtu 1420

    tunnel source FastEthernet0/1

tunnel destination 10.2.1.2

tunnel path-mtu-discovery

    crypto map SDM_CMAP_1

    !

    interface FastEthernet0/0

    description *** Link to Workstation ***

    ip address 172.31.1.1 255.255.255.0

    duplex auto

    speed auto

    !

    interface FastEthernet0/1

    description *** Link to Branch ***

    ip address 10.2.1.1 255.255.255.0

    duplex auto

    speed auto

crypto map SDM_CMAP_1

!

    ip route 0.0.0.0 0.0.0.0 Tunnel0

    ip route 10.2.1.2 255.255.255.255 FastEthernet0/1

    !

    access-list 100 remark SDM_ACL Category=4

    access-list 100 permit gre host 10.2.1.1 host 10.2.1.2

    Printout: HQ Router Running Configuration


    Task 4: Remove GRE Tunnel Configuration

    In this task, you will remove GRE tunnel configuration from both routers.

    Activity Procedure

    Complete these steps:

    Step 1 Configure the HQ router. From the Edit Site to Site VPN window, delete the

    existing GRE tunnel by clicking Delete in the upper-right corner of the window.

Step 2 SDM will not delete all GRE over IPsec configuration lines, so use these commands to delete it entirely:

no crypto isakmp policy 1

    no crypto isakmp key secretkey address 10.2.1.2

    no crypto ipsec transform-set ESP-3DES-SHA

    no access-list 100

    no ip route 10.0.0.0 255.0.0.0 Tunnel0

    no ip route 10.2.1.2 255.255.255.255 FastEthernet0/1

    no interface Tunnel0

    Printout: Deleting IPsec Configuration on the HQ Router

    Step 3 Delete the existing GRE over IPsec tunnel configuration on the branch router, using

    these commands:

    interface FastEthernet0/1

no crypto map SDM_CMAP_1

exit

    !

    no crypto map SDM_CMAP_1

    no crypto ipsec transform-set ESP-3DES-SHA

    no crypto isakmp policy 1

    no crypto isakmp key secretkey address 10.2.1.1

    no ip access-list extended SDM_1

    no ip route 0.0.0.0 0.0.0.0 Tunnel0

    no ip route 10.2.1.2 255.255.255.255 FastEthernet0/1

    no interface Tunnel0


    Printout: Deleting GRE over IPsec Configuration on the Branch Router

Activity Verification

You have completed this task when you attain these results:

Examine the HQ router configuration, using the show running-config command, to verify that the crypto map is no longer on the FastEthernet0/1 interface.

    HQ#show running-config interface FastEthernet 0/1
    Building configuration...

    Current configuration : 129 bytes
    !
    interface FastEthernet0/1
     description *** Link to Branch ***
     ip address 10.2.1.1 255.255.255.0
     duplex auto
     speed auto
    end

Printout: HQ Router Interface Configuration

Examine the branch router configuration, using the show running-config command, to verify that the crypto map is no longer on the FastEthernet0/1 interface.

    Branch#show running-config interface FastEthernet 0/1
    Building configuration...

    Current configuration : 125 bytes
    !
    interface FastEthernet0/1
     description *** Link to HQ ***
     ip address 10.2.1.2 255.255.255.0
     duplex auto
     speed auto
    end

Printout: Branch Router Interface Configuration

Lab 4-3: Configuring IPsec VPN to Back Up a WAN Connection

Complete this lab activity to practice what you learned in the related module.

Visual Objective

This section contains information about your laboratory setup, details of the physical and logical connectivity in the laboratory, and information about the addressing scheme and IGP routing. Each pod is independent of other pods (that is, pods do not interact). Two learners are usually assigned to a pod. The addressing scheme of the pods differs, which is indicated with x. The x should always be replaced by the pod number. Each pod will contain the router types defined in the table and one PC.

The names of all devices in your pod follow the naming convention detailed in this table.

Device Naming Convention

    Device Name    Description
    Workstation    PC used for accessing the router via the SDM interface.
    Server         PC used as a TFTP server for downloading files.
    HQ, Branch     Routers between which you will establish the IPsec tunnel.
    ISP            Router in the service provider network. The router is not accessible by learners.

The first serial interface of the HQ and branch routers is connected back-to-back to the ISP. The DCE side is on the ISP router. The first FastEthernet interface of the branch router is connected to the server. The second FastEthernet interface of the branch router is connected to the second FastEthernet interface of the HQ router. The first FastEthernet interface of the HQ router is connected to the Internet, where the workstation is connected.

Figure: ISCW 1.0 Lab IP Addressing

The IP addressing of the devices has been performed using the allocation scheme detailed in the IP host address table.

IP Host Address (Where x Is the Pod Number)

    Device (Interface)        IP Address
    Workstation               Public IP address (see on the device)
    Server                    10.6.6.254/24
    HQ (Loopback0)            10.0.x.1/32
    HQ (Fa0/0)                Public IP address (provided by instructor)
    HQ (Fa0/1)                10.2.x.1/24
    HQ (S0/0/0)               10.4.x.1/24
    Branch (Loopback0)        10.0.x.2/32
    Branch (Fa0/0)            10.6.6.x/24
    Branch (Fa0/1)            10.2.x.2/24
    Branch (S0/0/0)           10.5.x.2/24
    ISP (Loopback)            10.10.10.10/24
    ISP (Serial to HQ)        10.4.x.10/24
    ISP (Serial to Branch)    10.5.x.10/24


Note: This addressing scheme has been selected for ease of use in the labs; it does not optimize the use of the address space.

Routing in the Network

EIGRP is used as the routing protocol between the routers. The EIGRP routing configuration on the routers is shown in these printouts:

HQ router:

    router eigrp 1
     redistribute connected
     passive-interface Loopback0
     network 10.0.0.0
     no auto-summary

Branch router:

    router eigrp 1
     passive-interface FastEthernet0/0
     passive-interface Loopback0
     network 10.0.0.0
     no auto-summary

Activity Objective

Two sites are connected over a dedicated link (an Ethernet interface in the exercise) to exchange business-critical data. At the same time, both sites are connected to the Internet (serial interfaces in the exercise). In case of a link failure between the sites, business-critical data can be exchanged only via the Internet connection (serial links). In this exercise, you will configure two Cisco routers to establish a secure backup path between two networks over an untrusted network (as shown in the figure). The path will be secured using IPsec protocols, assisted by the Internet Key Exchange (IKE) key exchange protocol, which will also enforce the required traffic protection policy. The backup IPsec VPN connection will be used only for exchanging data between the sites; other Internet traffic will be sent unencrypted.

In this activity, you will configure an IPsec VPN to back up a WAN connection. You will use a preshared key (a secret, a password) to authenticate the two IPsec/IKE peers to each other.

After completing this activity, you will be able to meet these objectives:

- Configure IKE parameters
- Create and apply traffic protection (IPsec) rules
- Establish the backup IPsec tunnel

Visual Objective

The figure illustrates what you will accomplish in this activity.

Figure: Visual Objective for Lab 4-3: Configuring IPsec VPN to Back Up a WAN Connection

Required Resources

This resource is required to complete this activity:

- Cisco IOS documentation

Command List

The table describes the commands that are used in this activity.

IPsec Configuration and Troubleshooting Commands

    authentication {rsa-sig | rsa-encr | pre-share}
        Specifies the authentication method within an IKE policy.

    crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
        Defines a transform set, an acceptable combination of security protocols and algorithms.

    crypto isakmp key keystring address peer-address [mask]
        Configures a preshared authentication key. You must configure this key whenever you specify preshared keys in an IKE policy.

    crypto isakmp policy priority
        Defines an IKE policy. IKE policies define a set of parameters to be used during the IKE negotiation.

    crypto map map-name seq-num ipsec-isakmp
        Creates or modifies a crypto map entry and enters the crypto map configuration mode.

    encryption {des | 3des}
        Specifies the encryption algorithm within an IKE policy.

    group {1 | 2}
        Specifies the Diffie-Hellman group identifier within an IKE policy.

    hash {sha | md5}
        Specifies the hash algorithm within an IKE policy.

    match address [access-list-id | name]
        Specifies an extended ACL for a crypto map entry.

    set peer {hostname | ip-address}
        Specifies an IPsec peer in a crypto map entry.

    set transform-set transform-set-name [transform-set-name2...transform-set-name6]
        Specifies which transform sets can be used with the crypto map entry.

    show crypto ipsec sa
        Shows the settings used by current security associations.

    show crypto isakmp policy
        Shows the parameters for each IKE policy.

    show crypto isakmp sa
        Shows all current IKE security associations (SAs).

    show crypto map
        Shows the crypto map configuration.

Job Aid

This job aid is available to help you complete the lab activity.

The instructor will allocate a pod that you will configure. Use this table to write down the pod assigned to you.

Pod Assigned

    Parameter    Value (Provided by Instructor)
    pod

Task 1: Configure IKE Parameters on Both Peers

In this task, you will configure IKE parameters (also known as the ISAKMP policy, because ISAKMP, the Internet Security Association and Key Management Protocol, is the foundation of IKE) on both IPsec/IKE peers. This will enable the two peers to securely handshake, authenticate each other, and agree on IPsec parameters when the IPsec policy is configured later in this lab.

Activity Procedure

Complete these steps:

Step 1 Configure the HQ router with these parameters (ISAKMP policy):

- A policy priority that is less than 65535 (use, for example, 100)
- Preshared keys as the peer authentication mechanism
- 3DES as the encryption algorithm for the IKE session (this protects the privacy of the management session only)
- SHA-1 as the hashing algorithm for the IKE session (this protects the integrity of the management session only)
- Group 2 as the strength of the Diffie-Hellman key exchange algorithm

Note: These settings for encryption, hashing, and Diffie-Hellman are the recommended settings for most real-life deployments. For even higher security, you might consider using Diffie-Hellman group 5.

Step 2 On the HQ router, configure the preshared key SeCrEtKeY and assign it to the IP address of the outside interface of the peer router (branch). Use the IP address of the Serial0/0/0 interface.

Step 3 Configure the branch router with exactly the same IKE parameters (ISAKMP policy) as you have on the HQ router.

Step 4 On the branch router, configure the preshared key SeCrEtKeY and assign it to the IP address of the outside interface of the peer router (HQ). Use the IP address of the Serial0/0/0 interface.

Activity Verification

You have completed this task when you attain these results:

Use the show crypto isakmp policy command to verify the current IKE parameters (ISAKMP policy) on both peers. The command output should resemble these printouts:

    HQ#show crypto isakmp policy

    Global IKE policy
    Protection suite of priority 100
            encryption algorithm:   Three key triple DES
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit

Printout: HQ Router IKE Parameters

    Branch#show crypto isakmp policy

    Global IKE policy
    Protection suite of priority 100
            encryption algorithm:   Three key triple DES
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit

Printout: Branch Router IKE Parameters

The ISAKMP policy with priority 65535 is the default policy, which is not secure enough for most applications.

Your IKE parameters are now set, and the two peers should agree on their IKE parameters (ISAKMP policies) when they handshake at the beginning of the IKE session. Next, you will configure rules specifying which traffic needs to be protected, and specify the methods for its protection.

Task 2: Create and Apply Traffic Protection (IPsec) Rules

In this task, you will create and apply traffic protection rules (crypto maps) that specify which traffic must be protected (using an ACL) and which protection methods (transform sets) to use.

Activity Procedure

Complete these steps:

Step 1 On the HQ router, create a transform set, which represents the set of protection algorithms used inside IPsec to protect traffic. The transform set should use ESP encapsulation only, with 3DES as the traffic encryption algorithm and SHA-1 as the traffic authentication/integrity algorithm. Use the keywords esp-3des and esp-sha-hmac. Configure IPsec tunnel mode for this transform set, although this is the default setting.

Step 2 On the HQ router, configure a crypto ACL, which should describe the traffic to be protected inside the IPsec tunnel. The ACL should permit all IP traffic from the workstation (the IP subnet on the FastEthernet0/0 interface of the HQ router) to the site behind the other IPsec peer (the host IP address of the server, 10.6.6.254). Permit inside the crypto ACL means protect, whereas deny means route normally.

Step 3 On the HQ router, configure a crypto map to tie all configured parameters together in a single rule. The crypto map should specify the traffic to be protected (the ACL, using the match address command), the protection bundle to use (the set transform-set command), and the peer to send traffic to (the set peer command).

Step 4 On the HQ router, apply the configured crypto map to the outside, dirty (untrusted) interface (Serial0/0/0).

Step 5 Repeat all steps in this task for the branch router. All IPsec parameters should match between peers, and the crypto ACLs should mirror each other (that is, on the branch router, the crypto ACL should permit traffic from the host 10.6.6.254 to the IP subnet used on the FastEthernet0/0 interface of the HQ router).
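Step 5 requires the two routers' parameters to match and their crypto ACLs to mirror each other, and Task 1 bound the preshared key to the peer's Serial0/0/0 address. The following Python example is added here and is not part of the lab guide: it parses constructed HQ and branch configurations (pod x = 1, with the MYSET, MYMAP and ACL 100 names taken from the verification printouts) and reports every mismatch, comparing the ACLs with the ipaddress module so that equivalent wildcard and host forms compare equal.

```python
from ipaddress import IPv4Network
# Constructed sample (not from the lab guide): the Task 2 pieces of both routers for pod
# x = 1, using the MYSET / MYMAP / ACL 100 names from the lab's verification printouts.
HQ_CONFIG = """
crypto isakmp key SeCrEtKeY address 10.5.1.2
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 10.5.1.2
 set transform-set MYSET
 match address 100
interface Serial0/0/0
 ip address 10.4.1.1 255.255.255.0
 crypto map MYMAP
access-list 100 permit ip 172.31.1.0 0.0.0.255 host 10.6.6.254
"""
BRANCH_CONFIG = """
crypto isakmp key SeCrEtKeY address 10.4.1.1
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 10.4.1.1
 set transform-set MYSET
 match address 100
interface Serial0/0/0
 ip address 10.5.1.2 255.255.255.0
 crypto map MYMAP
access-list 100 permit ip host 10.6.6.254 172.31.1.0 0.0.0.255
"""

def parse_endpoint(tokens, i):
    """Read one crypto-ACL address spec ("host A" or "A wildcard") starting at tokens[i]."""
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IPv4Network accepts a wildcard (host) mask; strict=False tolerates host bits as IOS does.
    return IPv4Network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2

def parse_crypto(config):
    """Collect transform set, peer, key address, crypto ACL and outside address of one router."""
    info = dict(key_addr=None, transform=None, peer=None, acl=None, aces=[], outside=None)
    iface = iface_ip = None
    for raw in filter(str.strip, config.splitlines()):
        t = raw.split()
        if not raw.startswith(" "):  # unindented line: a new top-level block starts
            iface = t[1] if t[0] == "interface" else None
        if t[:3] == ["crypto", "isakmp", "key"]:
            info["key_addr"] = t[t.index("address") + 1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            info["transform"] = frozenset(t[4:])  # compare algorithms, not the local name
        elif t[:2] == ["set", "peer"]:
            info["peer"] = t[2]
        elif t[:2] == ["match", "address"]:
            info["acl"] = t[2]
        elif t[:2] == ["ip", "address"] and iface:
            iface_ip = t[2]
        elif t[:2] == ["crypto", "map"] and iface:
            info["outside"] = iface_ip  # address of the interface the crypto map is applied to
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = parse_endpoint(t, 4)
            dst, _ = parse_endpoint(t, i)
            info["aces"].append((t[1], src, dst))
    return info

def check_peers(hq_config, branch_config):
    """Return the mismatches between the two peers; an empty list means Step 5 holds."""
    hq, br = parse_crypto(hq_config), parse_crypto(branch_config)
    problems = []
    if hq["transform"] != br["transform"]:
        problems.append("transform sets differ")
    for name, me, other in (("HQ", hq, br), ("Branch", br, hq)):
        if me["peer"] != other["outside"] or me["key_addr"] != other["outside"]:
            problems.append(f"{name}: set peer and isakmp key address must both be {other['outside']}")
    hq_aces = {(s, d) for n, s, d in hq["aces"] if n == hq["acl"]}
    br_mirrored = {(d, s) for n, s, d in br["aces"] if n == br["acl"]}  # swap src/dst
    if hq_aces != br_mirrored:
        problems.append("crypto ACLs do not mirror each other")
    return problems
```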

Activity Verification

You have completed this task when you attain these results:

On both peers, use the show crypto ipsec transform-set command to verify the current bundles of protection algorithms (transform sets). The command output should resemble these printouts:

    HQ#show crypto ipsec transform-set
    Transform set MYSET: { esp-3des esp-sha-hmac }
       will negotiate = { Tunnel, },

Printout: Transform Set on the HQ Router

    Branch#show crypto ipsec transform-set
    Transform set MYSET: { esp-3des esp-sha-hmac }
       will negotiate = { Tunnel, },

Printout: Transform Set on the Branch Router

On both peers, use the show crypto map command to verify the current traffic protection rules. The output should resemble these printouts:

    HQ#show crypto map
    Crypto Map "MYMAP" 10 ipsec-isakmp
            Peer = 10.5.1.2
            Extended IP access list 100
                access-list 100 permit ip 172.31.1.0 0.0.0.255 host 10.6.6.254
            Current peer: 10.5.1.2
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    MYSET,
            }
            Interfaces using crypto map MYMAP:
                    Serial0/0/0

Printout: HQ Traffic Protection Rules (Crypto Map)

    Branch#show crypto map
    Crypto Map "MYMAP" 10 ipsec-isakmp
            Peer = 10.4.1.1
            Extended IP access list 100
                access-list 100 permit ip host 10.6.6.254 172.31.1.0 0.0.0.255
            Current peer: 10.4.1.1
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    MYSET,
            }
            Interfaces using crypto map MYMAP:
                    Serial0/0/0

Printout: Branch Traffic Protection Rules (Crypto Map)

Task 3: Establish the Backup IPsec Tunnel

In this task, you will generate traffic to establish the backup IPsec tunnel and verify its operation.

Activity Procedure

Complete these steps:

Step 1 Enable the Serial0/0/0 interface link on the HQ router.

Step 2 On both routers, verify the routing table.

    HQ#show ip route
    Gateway of last resort is not set

         172.31.0.0 255.255.255.0 is subnetted, 1 subnets
    C       172.31.1.0 is directly connected, FastEthernet0/0
         10.0.0.0 255.0.0.0 is variably subnetted, 7 subnets, 2 masks
    C       10.2.1.0 255.255.255.0 is directly connected, FastEthernet0/1
    D       10.0.1.2 255.255.255.255
               [90/156160] via 10.2.1.2, 00:01:29, FastEthernet0/1
    D       10.10.10.0 255.255.255.0
               [90/2297856] via 10.4.1.10, 00:01:29, Serial0/0/0
    D       10.6.6.0 255.255.255.0
               [90/30720] via 10.2.1.2, 00:01:29, FastEthernet0/1
    C       10.0.1.1 255.255.255.255 is directly connected, Loopback0
    D       10.5.1.0 255.255.255.0
               [90/2172416] via 10.2.1.2, 00:01:30, FastEthernet0/1
    C       10.4.1.0 255.255.255.0 is directly connected, Serial0/0/0

Printout: HQ Router Routing Table

Step 3 Perform a traceroute from the HQ FastEthernet0/0 (172.31.x.1/24) interface to the server (10.6.6.254).

    HQ#traceroute
    Protocol [ip]:
    Target IP address: 10.6.6.254
    Source address: 172.31.1.1
    Numeric display [n]:
    Timeout in seconds [3]:
    Probe count [3]:
    Minimum Time to Live [1]:
    Maximum Time to Live [30]:
    Port Number [33434]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Type escape sequence to abort.
    Tracing the route to 10.6.6.254

      1 10.2.1.2 0 msec 4 msec 0 msec
      2 10.6.6.254 4 msec 0 msec 0 msec

Printout: Traceroute from HQ FastEthernet0/0 to the Server

Step 4 Disable the FastEthernet0/1 interface on the HQ router (the link to the branch router).

Step 5 Perform the traceroute again from the HQ FastEthernet0/0 interface to the server (10.6.6.254). Now, the traceroute should show the path through the Internet (Serial0/0/0). The backup secure IPsec VPN connection via the Internet should be established.

    HQ#traceroute
    Protocol [ip]:
    Target IP address: 10.6.6.254
    Source address: 172.31.1.1
    Numeric display [n]:
    Timeout in seconds [3]:
    Probe count [3]:
    Minimum Time to Live [1]:
    Maximum Time to Live [30]:
    Port Number [33434]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Type escape sequence to abort.
    Tracing the route to 10.6.6.254

      1  *
         10.5.1.2 20 msec 24 msec
      2 10.6.6.254 32 msec 28 msec 32 msec

Printout: Traceroute from HQ FastEthernet0/0 to the Server

Activity Verification

You have completed this task when you attain these results:

On the HQ router, use the show crypto isakmp sa command to display the current IKE sessions of this peer. The state of QM_IDLE indicates an idle IKE (ISAKMP) session after all negotiation has been completed. The output should resemble this printout:

    HQ#show crypto isakmp sa
    dst             src             state          conn-id slot status
    10.5.1.2        10.4.1.1        QM_IDLE              1    0 ACTIVE

Printout: ISAKMP Connections (IKE SAs) in the HQ

On the HQ router, use the show crypto ipsec sa command to display the current (created) IPsec SAs. IPsec can only protect traffic if SAs for that traffic specification are established. Examine the statistics (counters) indicating encrypted and authenticated packets. They should steadily increase as you send more traffic through the IPsec tunnel.

    HQ#show crypto ipsec sa

    interface: Serial0/0/0
        Crypto map tag: MYMAP, local addr 10.4.1.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.6.6.254/255.255.255.255/0/0)
       current_peer 10.5.1.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
        #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 1, #recv errors 0

Printout: IPsec SAs in the HQ

On the branch router, use the show crypto isakmp sa command to display the current IKE sessions of this peer. The state of QM_IDLE indicates an idle IKE (ISAKMP) session after all negotiation has been completed. The output should resemble this printout:

    Branch#show crypto isakmp sa
    dst             src             state          conn-id slot status
    10.5.1.2        10.4.1.1        QM_IDLE              1    0 ACTIVE

Printout: ISAKMP Connections (IKE SAs) in the Branch

On the branch router, use the show crypto ipsec sa command to display the current (created) IPsec SAs. IPsec can only protect traffic if SAs for that traffic specification are established. Examine the statistics (counters) indicating encrypted and authenticated packets. They should steadily increase as you send more traffic through the IPsec tunnel.

    Branch#show crypto ipsec sa

    interface: Serial0/0/0
        Crypto map tag: MYMAP, local addr 10.5.1.2

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.6.6.254/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
       current_peer 10.4.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
        #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

Printout: IPsec SAs in the Branch
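The two show crypto ipsec sa printouts can be cross-checked mechanically. This Python example is added here and is not part of the lab guide: it parses a constructed, trimmed copy of each peer's output (the counter values are those shown in the printouts above) and reports any inconsistency, such as peers that do not point at each other, proxy identities that are not mirrors, packets encapsulated without being authenticated, or packet counts that do not add up across the two peers.

```python
import re
from ipaddress import IPv4Network

# Constructed sample (not from the lab guide): the "show crypto ipsec sa" lines each peer
# prints that the check reads, with the counter values seen in the lab printouts above.
HQ_SA = """
interface: Serial0/0/0
    Crypto map tag: MYMAP, local addr 10.4.1.1
   local  ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.6.6.254/255.255.255.255/0/0)
   current_peer 10.5.1.2 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #send errors 1, #recv errors 0
"""
BRANCH_SA = """
interface: Serial0/0/0
    Crypto map tag: MYMAP, local addr 10.5.1.2
   local  ident (addr/mask/prot/port): (10.6.6.254/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
   current_peer 10.4.1.1 port 500
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #send errors 0, #recv errors 0
"""

def parse_ipsec_sa(text):
    """Extract local address, peer, proxy identities and packet counters from one printout."""
    def grab(pattern):
        return re.search(pattern, text).group(1)
    sa = {
        "local_addr": grab(r"local addr\s+([\d.]+)"),
        "peer": grab(r"current_peer\s+([\d.]+)"),
        "local_ident": IPv4Network(grab(r"local\s+ident.*?\(([\d.]+/[\d.]+)/")),
        "remote_ident": IPv4Network(grab(r"remote\s+ident.*?\(([\d.]+/[\d.]+)/")),
        "send_errors": int(grab(r"#send errors (\d+)")),
        "recv_errors": int(grab(r"#recv errors (\d+)")),
        # every "#pkts <name>: <n>" counter, e.g. pkts["encaps"] == 5 on the HQ router
        "pkts": {k: int(v) for k, v in re.findall(r"#pkts ([\w. ]+?): (\d+)", text)},
    }
    return sa

def compare_sas(hq_text, branch_text):
    """Cross-check both peers' SAs; returns a list of findings (empty means healthy)."""
    hq, br = parse_ipsec_sa(hq_text), parse_ipsec_sa(branch_text)
    findings = []
    if hq["peer"] != br["local_addr"] or br["peer"] != hq["local_addr"]:
        findings.append("peers do not point at each other's Serial0/0/0 address")
    if hq["local_ident"] != br["remote_ident"] or hq["remote_ident"] != br["local_ident"]:
        findings.append("proxy identities (crypto ACLs) are not mirrored")
    for name, sa in (("HQ", hq), ("Branch", br)):
        p = sa["pkts"]
        if p["encaps"] == 0 and p["decaps"] == 0:
            findings.append(f"{name}: SA carries no traffic; check routing and the crypto ACL")
        # ESP-3DES-SHA must both encrypt and authenticate every packet it encapsulates
        if not (p["encaps"] == p["encrypt"] == p["digest"] and p["decaps"] == p["decrypt"] == p["verify"]):
            findings.append(f"{name}: encrypt/digest counters disagree with encaps/decaps")
        if sa["recv_errors"]:
            findings.append(f"{name}: {sa['recv_errors']} inbound packets failed decapsulation")
    if hq["pkts"]["encaps"] != br["pkts"]["decaps"] or br["pkts"]["encaps"] != hq["pkts"]["decaps"]:
        findings.append("packets sent by one peer were not all received by the other")
    return findings
```

The HQ printout's #send errors 1 is deliberately not flagged: the packet that triggers the IKE negotiation is normally dropped while the SAs are being built, which is also why the first probe of the second traceroute in Task 3 shows an asterisk.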

Task 4: Remove Backup Configuration

In this task, you will remove the IPsec configuration from the HQ and branch routers.

Activity Procedure

Complete these steps:

Step 1 Enable the FastEthernet0/1 interface on the HQ router.

Step 2 Delete the crypto map configuration from the Serial0/0/0 interface on the HQ and branch routers.

    interface Serial0/0/0
     no crypto map MYMAP

Printout: Deleting IPsec Configuration on the HQ and Branch Routers

Step 3 Delete the crypto map, transform set, ISAKMP policy, preshared key, and ACL configuration on the HQ and branch routers.

    no crypto map MYMAP
    no crypto ipsec transform-set MYSET
    no crypto isakmp policy 100
    no crypto isakmp key SeCrEtKeY address 10.5.x.2
    ! x is pod number
    no access-list 100

Printout: Deleting IPsec Configuration on the HQ Router

    no crypto map MYMAP
    no crypto ipsec transform-set MYSET
    no crypto isakmp policy 100
    no crypto