Cisco CCNP Security 300-730 SVPN – Site-to-Site Virtual Private Networks on Routers and Firewalls Part 10

January 26, 2023

16. ASA 2 IOS IKEv2 (Site-to-Site IPsec VPN)

Hello guys. Welcome to another video. And in this video we are going to be configuring IPsec between a firewall and a router. So between this firewall over here and this router over here, we are going to be configuring site-to-site IPsec. Now, it's going to be a site-to-site VPN, because with IPsec you can either do a site-to-site or a remote access VPN, unlike SSL. SSL only lets you do a remote access VPN. So let's go ahead and configure this.

And we're actually going to be configuring IKE version 1. Then we're going to remove it, and then we're going to configure IKE version 2 as well. So we're going to test both of them, so you guys can see how to configure both of them. The first thing that I want to do, hopefully you can see the IP addresses: the website over here has 172.16.50.2. This ASA, on Gi0/1, has 51, and then on the outside it is 10.10.10.200. This router over here on the outside has 10.10.10.6 and on the inside 10.6.6.1. And this browser here, 10.6.6.2.

Hopefully you guys are able to see it from this video. So the first thing that I want to do is I want to see if I'm able to ping from this ASA; I want to see if I'm able to ping the router, and as you can see, I'm able to ping the router. So that's good. Something I want to do after that: I want to go ahead and create an object, and it's going to be a network object, and we are going to call it Inside Network. This is going to be the inside network of the ASA.

So this one over here, and I'm going to say this one is a subnet of 172.16.50.0. And it's not going to be a wildcard mask, but it's going to be a /24. Then we are going to create another object, and this object is going to be a network object, and it's going to be called the router one network. And I'm going to add the inside network of router one, which is 10.6.6.0.

We do a subnet, and it is 10.6.6.0/24. Then we're going to exit out of here. And after that I want to create an access list, and I'm going to call this, let's just call it CRY-ACL. In here, what I want to do is I want to permit IP from an object, and I want to permit the object of Inside Network, which is going to be the source, right? And from the source going to this other network over here, which is the destination, so the R1 network. So "inside network" does not exist. Oh, I just put "inside net".

Let's go ahead and edit that. There we go. So what I'm doing right here is I'm creating an access list, and I want to permit IP, or any IP traffic, coming from this object, which is the inside. This is the source, which is this network. So any traffic coming from this source going to the router one network, which is 10.6.6.0, this one right here. Okay. So I'm permitting that access, and that access list we are going to be using for the crypto map, and know that.

So after we do that, we also need to do a route outside, and we need to tell it where to go. Whenever they want to reach 10.6.6.0/24, I want you to send it to 10.10.10.6. There we go. And if we do a show route, you should see a static route. And what I'm saying is, if anybody from the inside, or if anybody, wants to go to 10.6.6.0, please send it to 10.10.10.6, which is router one, and it should be able to get to that. Okay, good. So now what we want to do is we want to create the crypto, not ISAKMP, IKEv1 policy. And in this policy, one, over here we want to specify the hash algorithm that we want to use. We want to use MD5. The authentication that we want to use is a pre-shared key. The group number that we want to use is two. Lifetime, we're going to set it to the default, which is 86400.

Then we want to do encryption, which is going to be 3DES. Good. So after that is done, let's just go ahead and exit out of here. And we want to do a crypto IKEv1 enable on the outside interface, which is this one right here. Okay, so after that is done, let's go ahead and create the IKEv2 policy, because like I said before, we are going to be configuring IKEv1 and also IKEv2. So we're going to configure IKEv1 first, test it, and then we're going to configure IKEv2 and test it. So let's go and create the IKEv2 policy.

So you do a crypto IKEv2 policy, number one. We're going to do an encryption, and it's going to have AES-192, and then AES. We also want to do integrity, and integrity for this is going to be SHA-256 and SHA. So as you can see, for IKEv2 you are able to select two. So either use this one; if the other side does not have that one, then use this one. For integrity also, for hashing, use SHA-256, and if it doesn't have SHA-256, then you choose regular SHA. And that is a benefit that IKEv2 has over IKEv1. With IKEv1, if you want to do the same, you will have to create another group policy for that. But for IKEv2 you can create just one group policy and add as many options as you want for integrity, encryption and all that. And also group: we are going to do either five or two. Lifetime we are going to leave at the default, 86400. Actually, we need to put seconds: 86400. And then we're going to exit. And we also need to do a crypto IKEv2 enable on the outside interface, which is this one right here. Okay. So that is done. Let's go ahead and do the IKEv1, the IKEv1 transform set. So let's go ahead and do crypto IKEv1.

Actually, crypto is going to be crypto IPsec IKEv1 transform-set, and this one's going to be called TSET. We are going to use ESP-AES, then ESP-SHA with HMAC. Done. And then, if we are going to be using it, let's go ahead and just set the transform set for IKEv2 as well. Actually, we're not going to do that now. Let's go ahead and just leave it like this. And let's go ahead and just do the IKEv2. So let's go ahead and do crypto IPsec IKEv2. And this one is going to be the IPsec proposal, and we're going to call this IPSEC-V2-AES. That's going to be the name of it.

And after that we want to do a protocol ESP encryption AES. And then the protocol integrity. Integrity? Why isn't it taking it? Let's go ahead and do, let's see, we are at the crypto IPsec IKEv2 IPsec proposal. Let's go ahead and do a question mark. Okay. It doesn't let me do integrity or group number for the IKEv2 proposal. It only lets me do the ESP IPsec. Okay.

So let's go ahead and leave it like that. Exit. Let's go ahead and do the group policy. We're going to call this group A, and it's going to be internal. Then we want to do a group policy; we're going to select the same group A that we just created, and we're going to add some attributes to it. And inside these attributes we just want to do a vpn-tunnel-protocol IKEv1 and also IKEv2, so we can use both. So what I'm saying is, for this group policy that we created, group A, I want to add some attributes, and the attributes are that we want to turn on the VPN protocol of IKEv1 and also IKEv2. Then we want to do a tunnel group, and we're going to say it's 10.10.10.6, which is the IP address of router one over here, tunnel group type IPsec L2L. Let's just do an exit. Tunnel group 10.10.10.6 type, and for this one it is ipsec-l2l. There we go. Okay.

So it needs to be an l2l. That's what I was missing. Okay, so from this tunnel group, you want to do an IKE... Let me see. Okay, we did the tunnel group. Then we want to do a tunnel group 10.10.10.6, and we're going to do general attributes. And we're going to say that the default group policy that we're going to use is going to be the group A that we just created. We're going to exit out of here. Then we're going to go again to tunnel group 10.10.10.6, and we want to do the IPsec attributes. And inside right here, we want to do the IKEv1; we want to add the pre-shared key, which is going to be cisco. So that's the pre-shared key that we're going to be using. And then for IKEv2, local authentication is going to be a pre-shared key, and it's also going to be cisco.

All right, so it looks like that. Then let's go ahead and do the remote, which is also going to be the same. Okay, so then we can exit out of here. And after that, let's just go ahead and do a crypto, and we're going to create this IKEv... Let's just go ahead, not IKEv1. Let's go ahead and call it crypto RMAP. We are going to match... crypto, I'm sorry. Crypto RMAP 1; we want it crypto map RMAP, and this one is to be 1. We want to match, and we want to match the address from CRY-ACL. Then we do a crypto RMAP 1, set the peer to be 10.10.10.6.

Then we're going to do crypto map RMAP set IKEv1 transform-set to TSET. Then we do RMAP again, and we need to do the IKEv2: set IKEv2. So it's a set... let me verify that. Set IKEv2 ipsec-proposal. And then on this proposal, we need to add that proposal that we created. I forgot the name of it. Let's go ahead and go into that proposal. The proposal we called IPSEC-V2-AES. Let's go ahead and paste it right here. There we go. And then we need to go ahead and set that crypto map, RMAP, interface outside. So now we are ready to form a VPN, either with IKEv1 or with IKEv2. So let's go ahead and create that from router one: config t, and from over here, the first thing that I need to do is a crypto ISAKMP policy; IKEv1 is only for the firewall. From router one you need to do the ISAKMP policy, which is the same as IKEv1. And for now we need to match everything we did. Hash was MD5. Authentication was pre-shared key. Encryption was 3DES. Lifetime was 86400. Group number was two. Okay, then after that let's go ahead and do a crypto... we do a crypto ISAKMP, actually let's go ahead and exit and do a crypto ISAKMP key; it's going to be cisco. The IP address of it is going to be 10.10.10.200, because we're going to point this from this router to the ASA, which is 10.10.10.200. Okay, then let's go ahead and do the crypto IPsec transform set. We are going to call it TSET, and after that let's go ahead and do ESP-AES. It needs to match the other side, which we set to SHA with HMAC. Then let's go ahead and create that IP access list.

It's going to be an extended access list. We are going to call it the same name; it doesn't really need to match. And we want to permit 10.6.6.0; it just wants a wildcard mask. And we want to permit to the destination of 172.16.50.0 0.0.0.255, permit IP. There we go, exit. And then we want to create a crypto map. Let's just call it IKEV1-MAP for this one, 1, ipsec-isakmp. Right here, we need to match the address of CRY-ACL. Then we need to set the peer to the IP address of the ASA, or the firewall. Then we want to set the transform set to TSET. After that is done, let's go ahead and go to the interface and do a crypto map IKEV1-MAP. There we go. ISAKMP is now on, so let's go ahead and end it. Show crypto ISAKMP SA. We don't have any SAs right now because we have not sent any traffic. But after we send traffic, we should be able to do that. So let's go ahead and do a ping to 172.16.50.2, and we are going to source this from 10.6.6.2, let's see, 10.6.6.1. There we go. And we don't have any traffic. That's because we need to do an IP route: 172.16.50.0, I want to send it to 10.10.10.200. And let's go ahead and ping again. Let's go ahead and ping again.

So you can see, there you go, we were able to ping. Now let's go ahead and do the show crypto IPsec SA, and you can see now that we have that crypto IPsec SA. You should be able to see the crypto SA; you can see it right there, or the packets that we have sent: nine. And if you want to do a source and then repeat it 100 times, you see now that it went up by 100, so it's working. Also, if you want to do a show crypto IPsec SA detail, you can see all the details; you see more details over here. Also, if you want to do a crypto, or show crypto session, you can see that right here. Also show crypto engine connections active: you see the active connections that we have right here and all the traffic that we have sent. So the counters are there. Okay, so that is good. That is working. So now, since that is working, what I want to do is let's go ahead and remove that one over here. So do a no crypto map IKEV1-MAP so we can remove it. And after we remove it, since we saw that IKEv1 was working, let's go ahead and configure IKEv2 and see if it works. So let's go ahead and do a crypto IKEv2 proposal.

We're going to be calling this IKEV2-PROPOSAL, and inside right here we need to do the encryption, which is AES-CBC-128. Then we do the integrity SHA1, group number, we want to do either five or two, and that's it; we exit. Then we want to go into crypto IKEv2 policy, into the default, and we want to set that proposal that we just created, the IKEv2 proposal; copy and paste it right here. After that is done, we need to go ahead and configure the crypto IKEv2 keyring. We are going to call this IKEV2-KEYRING. Inside of here we need to set the peer to be ASA1; the address of it is going to be 10.10.10.200. The identity address, the same. Then we do the pre-shared key local cisco, pre-shared key remote cisco, exit. Now let's go and create the crypto... go ahead and exit again, oops, exit, do the crypto IKEv2 profile. We're going to call this IKEV2-PROFILE, and inside this IKEv2 profile we need to do a match, match local 10.10.10.6, the local IP address of router one.

Then we do the match identity remote address 10.10.10.200 for the ASA. The authentication that we're going to be using for the local is going to be pre-shared key. The authentication for the remote is also going to be using pre-shared key. Then we need to go ahead and attach the keyring that we created, IKEV2-KEYRING. Now we're going to do the crypto IKEv2 transform set, the transform set. We are going to name this TSET. We are going to be using ESP-AES, ESP-SHA with HMAC, crypto IPsec. Let's go to exit. Then after that is done, we need to go ahead and do another access list. So let's go ahead and do ip access-list extended 202. We want to permit IP coming from 10.6.6.0 0.0.0.255 to the destination of 172.16.50.0 0.0.0.255. We can go ahead and exit out of here, and then let's create another crypto map. And this one we're going to call IKEV2-MAP, IKEv2 map, 1, ipsec-isakmp. And inside right here, we need to match the address of 192, or rather 102, which is the access list that we created that is going to permit the source going to the destination over here. Then we set the peer to 10.10.10.200, set transform set to TSET, set IKEv2 profile, which was set to IKEV2-PROFILE. Good. So that's done.

We are done. So let's go ahead and go into the interface, do the crypto map IKEV2-MAP. You can see ISAKMP is now on. Let's go ahead and show crypto IKEv2 SA. We don't have any right now, so let's go ahead and do a source ping and repeat it 100 times. There we go. So show crypto IKEv2 SA, and you can see right here it has formed that IKEv2 SA, local and remote, and it's using port 500 because we are using IPsec without NAT traversal. So we're not using NAT-T. If we were using NAT-T, we were going to be using port 4500 for both of them. Also, if you want to do a show crypto IPsec SA, you can see that IPsec SA. We sent 99 packets because the first one did not go through, either because of ARP or because it was establishing that IKEv2 tunnel and then that IPsec tunnel. All right. You can also do a show crypto IKEv2 SA detail. You can see more details over here.

You can also do a show crypto engine connections active. You can see right here. So what else you can do, you can do a show crypto session. You can see the session right here: one session via IKEv2 SA, using the local of 10.10.10.6 port 500 to the remote of 10.10.10.200, and it is active. And we are using that IPsec flow of permit: this IP address 10.6.6.0/24 going to 172.16.50.0, which is this website right here. So it is working great. Now let's see if we are able to go ahead and open this browser and see if we are able to go into this website over here. It should also be encrypted. So once we do that, 172.16.50.2, is it going to let me in? Yes, you can see right here, it's saying TurnKey Linux, just another WordPress website. And while that is going, you can do a show crypto IPsec SA; you can see that we have seen a lot more traffic because we are trying to get into this website over here. That is taking a little bit, but it is transferring data right now. There we go. Refresh. There we go. And if you do a show crypto IPsec SA, you can see you have a lot more traffic. If you refresh it, you get a lot more traffic, encrypted and decrypted, and we see no errors: no receive errors, no send errors. So it is working great. So, guys.
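For reference, here is the IKEv2 portion of the two configurations the video walks through, written out as one added, consolidated example (not the video's own terminal output) so that the parameters that must match on each side line up. The interface name on the router (GigabitEthernet0/0) and the object, policy, keyring and map names are assumptions; the addresses, algorithms, pre-shared key and access-list numbers follow what is typed above.

```cisco
! ASA (added example; object/policy/map names assumed). Outside 10.10.10.200, inside 172.16.50.0/24
object network INSIDE-NET
 subnet 172.16.50.0 255.255.255.0
object network R1-NET
 subnet 10.6.6.0 255.255.255.0
access-list CRY-ACL extended permit ip object INSIDE-NET object R1-NET
route outside 10.6.6.0 255.255.255.0 10.10.10.6
crypto ikev2 policy 1
 encryption aes-192 aes
 integrity sha256 sha
 group 5 2
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal IPSEC-V2-AES
 protocol esp encryption aes
 protocol esp integrity sha-1
group-policy GROUP-A internal
group-policy GROUP-A attributes
 vpn-tunnel-protocol ikev2
tunnel-group 10.10.10.6 type ipsec-l2l
tunnel-group 10.10.10.6 general-attributes
 default-group-policy GROUP-A
tunnel-group 10.10.10.6 ipsec-attributes
 ikev2 local-authentication pre-shared-key cisco
 ikev2 remote-authentication pre-shared-key cisco
crypto map RMAP 1 match address CRY-ACL
crypto map RMAP 1 set peer 10.10.10.6
crypto map RMAP 1 set ikev2 ipsec-proposal IPSEC-V2-AES
crypto map RMAP interface outside
! Router R1 (added example; interface name assumed). Outside 10.10.10.6, inside 10.6.6.0/24
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-128
 integrity sha1
 group 5 2
crypto ikev2 policy default
 proposal IKEV2-PROPOSAL
crypto ikev2 keyring IKEV2-KEYRING
 peer ASA1
  address 10.10.10.200
  pre-shared-key local cisco
  pre-shared-key remote cisco
crypto ikev2 profile IKEV2-PROFILE
 match address local 10.10.10.6
 match identity remote address 10.10.10.200 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEYRING
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
ip access-list extended 102
 permit ip 10.6.6.0 0.0.0.255 172.16.50.0 0.0.0.255
crypto map IKEV2-MAP 1 ipsec-isakmp
 match address 102
 set peer 10.10.10.200
 set transform-set TSET
 set ikev2-profile IKEV2-PROFILE
interface GigabitEthernet0/0
 crypto map IKEV2-MAP
ip route 172.16.50.0 255.255.255.0 10.10.10.200
```

The router's AES-CBC-128/SHA1 proposal is covered by the ASA policy's `aes` and `sha` options, and the ESP transform (AES with SHA-HMAC) is identical on both sides, which is why the IKEv2 SA comes up on UDP/500 as shown in the video.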
