Cisco CCNP Security 300-730 SVPN – Site-to-Site Virtual Private Networks on Routers and Firewalls Part 9

January 26, 2023

15. SVTI vs GRE

Hello guys. Welcome to another video on the CCNP Security certification. We are going to configure GRE with IPsec on it, and we're also going to configure an SVTI IPsec site-to-site VPN connection. So let's go ahead and start. The SVTI is going to be between R1 and R2. Let's go ahead and put SVTI right here, and the GRE tunnel with IPsec on top is going to be right here. So let's go ahead and put GRE right here. And let's go ahead and start with this configuration. The first one that we're going to configure is going to be the GRE with IPsec.

So let's go ahead and start that. And we have to configure the IP addresses, because I have not configured any of the IP addresses. Like I said, the hostname of R3 for this one, then interface gigabit 0, which is the one pointing to router two. The IP address for this one is 40.1.1.2, and no shutdown. We can go ahead and exit. Now let's go ahead. We actually need to go to R2. Let's go ahead and configure hostname R2, interface gigabit 0, which is the one pointing to router three, IP address of 41, no shutdown. Now we should be able to ping from R2.

We should be able to ping router three. So do ping 41 two. There we go. So we're able to reach that router. So now let's go ahead and start with this configuration. The first thing that we want to configure is phase one of IKE version one, aka ISAKMP. So let's go ahead and configure that. The first thing that you need to configure is the crypto ISAKMP policy. So let's go ahead and create a policy. We're going to start with R1.

So crypto isakmp policy, it's going to be policy one. And from here you need to do the encryption, the hash algorithm, the authentication, the group number and also the lifetime. So let's go ahead and start with that. The encryption is going to be 3DES. Authentication, you're going to be using a pre-shared key. The hash is going to be MD5. The group number is going to be group number two, and the lifetime is going to be the maximum one, which is 86,400. Okay. So we have now configured the policy, which is part of IKE version one, phase one. So after we do that, we need to go ahead and configure crypto isakmp key, and we need to give it a key.

And now we can give it a key string, which is going to be CCNP security, and then the address that we want to attach to it, and we want to attach it to R3's IP address, which is 42. There you go. So that is done. After we have done that, what we need to do is go ahead and configure phase two of this tunnel. And phase two is to configure the transform set. So let's go ahead and do that: crypto ipsec transform-set, and we're going to call it just TSET. Actually, let's just do GRE TSET, that looks better, and the encryption is going to be ESP 3DES with ESP MD5 HMAC. And the tunnel mode needs to be, the mode is going to be tunnel. And after we do that we need to go ahead and create the interface tunnel one, and that is going to be where we configure GRE.

So let's go to interface tunnel one. And from here we need to configure the tunnel source, the destination of the tunnel, the tunnel mode, which is going to be GRE IP, and the IP address of this tunnel. Okay, and then after that we need to attach, let's see. Actually I'm not done with phase two. Since I'm not configuring a crypto map, I'm going to be configuring a profile. I need to go ahead and create a profile and then attach that transform set to the profile. So let's go ahead and do that real quick. And the way that you do that, you do a crypto ipsec profile. Let me see. Crypto ipsec profile. Let's go ahead and get out of here first. Crypto ipsec profile. And the profile name is going to be GRE profile, that's what we're going to call it. And in here we need to set the transform set, which is going to be called the same name that we gave to that transform set over here. There we go. So that is done. And now we can go ahead and go into interface tunnel one. And let's go ahead and give it the tunnel source, which is coming out of gigabit 1/0, the tunnel destination, which is 41 two. Here we go. And then we need to give an IP address for this tunnel. We're going to create an IP address, 60.1.1.1. There we go. And then after we do that, we need to go ahead and configure the tunnel protection, which means that we're going to attach IPsec to it, because GRE by itself cannot provide encryption.

So we need to go ahead and do tunnel protection ipsec profile. And right here we need to attach that profile that we created, which is GRE profile. There we go. So now you can see the ISAKMP went from off to on. So ISAKMP is now on. So now we need to do the same on R3. You can see that the line protocol of the interface changed to down. So it should come up/up after I configure it on R3. So we need to go ahead and configure phase one over here. So we need to create a policy. So crypto isakmp policy. We're going to use policy one. Let's go ahead and configure authentication pre-share, encryption, which is 3DES, and this needs to match, R3 needs to match R2. So hashing MD5, the group number needs to match as well. The lifetime is 86,400. Okay, so we have authentication, encryption, hashing, group number and lifetime. Let me see if I'm missing anything. No, I am not. So after we do that, we need to go ahead and configure the crypto key.

So crypto isakmp key, CCNP security, it needs to match, and the address for this is going to be 41, which needs to match this address right here. Okay, so that has been configured, and now we have configured phase one. So now we need to configure IKE version one, phase two, which is to configure the transform set and then attach that transform set to the profile that we are going to create. So you do a crypto ipsec transform-set. We need to give it a name, GRE TSET sounds good. And we're going to use ESP with 3DES and ESP with MD5 HMAC. The mode needs to match too: tunnel. So now we're going to exit, and then we are going to create a crypto ipsec profile. Right, there we go. And now we give it a name, and it's going to be GRE profile. And here we need to set the transform set to the name of this, which is GRE TSET. Great.

So now we need to go ahead and configure the GRE tunnel. So interface tunnel. We're going to use tunnel two, the source, actually tunnel source, and then tunnel destination is going to be 41. We need to create an IP address, which is going to be 60.1.1.2. And after we do that, I believe that we need to go ahead and attach that profile that we have created, so we can use IPsec. So tunnel protection ipsec profile, and we attach that profile that we created, GRE profile, which has the transform set attached to it. There you go. So now it is on, and as you can see the protocol was down for the tunnel interface, and now it came up. So now if you want to do some show commands, you can go ahead and do a show crypto isakmp sa, and this is to verify phase one, that it is working. You can see that it is active, and if you want to see that phase two is working for IKE version one, you can do a show crypto ipsec sa.

I forgot the "show". Here we go. And as you can see right here, there are zero packets that have been encrypted, and we can change that real quick by pinging. You can go ahead and ping 41. There we go. And now if we do a show crypto ipsec sa, it is now being encrypted. Let me see, what am I on? Router two. Okay, I'm on router two. You want to ping router three, which is 41.1.1.2. And now we should have something encrypted. It was not encrypted. Interesting. So it looks like it's not working. Let's see. Show crypto ip... Show crypto isakmp sa, you can see that it's active. Let's try to ping 40.1.1.2 again. Okay, so it is working.

What if we ping the tunnel, which is 60.1.1.2? There we go. Now let's go ahead and show crypto isakmp... no, show crypto ipsec sa. Now you can see that it was encrypted. So whenever we ping, whenever you use the tunnel, you can see that it is going up. So that's how you configure GRE with IPsec. But if you want to configure SVTI, what SVTI does is that it removes the four-byte packet, which makes this transition, which makes the communication a little bit faster because it is lighter. So we are going to configure SVTI, so you can see the difference.

It's actually almost identical to it. It's only one command that changes. So let's go ahead and configure them. That's going to be between R2 and R1. So in R2, we need to configure interface gigabit 1 with an IP address of 31.1.1.1 255.255.255.0, and no shutdown. Now let's go to R1. Config t first. Give it a hostname, R1. Interface gigabit 0/1. IP address of 31.1.1.2 255.255.255.0, no shutdown. Now we should be able to ping 31. We do a "do ping". There we go. So we have a connection between R1 and R2. Before we keep going with this configuration, we want to make sure that this interface is active and we are able to ping each other.

So now from here, what we need to do is go ahead and configure first phase one for IKE version one, which is going to be the same. We just need to create it on a different policy. Since we used policy one for this one, we're going to use a different policy for router two. But for router one we can use crypto policy one. So let's go in crypto isakmp policy, we're going to use, let's just use like 50. And from here, authentication is going to be a pre-shared key that we're going to be using, encryption, we are going to use 3DES, hashing, it's going to be MD5. Group number two, lifetime is going to be the maximum, 86,400. So then after that we need to go ahead and create a crypto isakmp key. We're going to call it CCNP security as well. And it's going to go to the address of 31. Right, we're configuring router one. So we need to send it to router two right here, 31. Great.

So after that is created, we are done with phase one. That's phase one of IKE version one. So now we need to create a transform set and a profile and then a tunnel. So let's go ahead and create that transform set first. And to do that you need to do a crypto ipsec transform-set, and we are going to call this SVTI TSET for transform set, and we need to give it an ESP of 3DES, and then ESP for the hashing is going to be MD5 with HMAC. The mode is going to be tunnel mode. Great. So now we need to go ahead and create the interface tunnel, and we're going to use tunnel three. And from here we need to do the tunnel source, which is gigabit 0/1, tunnel destination, which is going to be 31 one. And then we need to create an IP address for this tunnel, which is going to be, let's go ahead and create just 51 one, or two actually. Great. So now after we do that, we need to go ahead and do a tunnel protection using ipsec profile. And the profile that we're going to be using is... I did not create that profile. So let's go ahead and create that profile.

First exit, let's do a crypto ipsec profile. The profile is going to be called SVTI profile, and we are going to add the transform set, which we called SVTI TSET. We can just copy it from here, paste it. And now let's go ahead into the tunnel three. And we need to do the tunnel protection using ipsec profile, and we're going to use this SVTI profile. There we go. So now the command that changes is going to be the tunnel mode. So tunnel mode, I did not do it for R2 and R1, R2 and R3, because the default is to use GRE. So when you want to use SVTI, you want to change that mode to be tunnel mode ipsec, and we're going to use ipv4 for that. Okay, so that is done, we are done configuring R1. Now we need to go ahead and configure R2, which is basically doing the same thing. So we're going to create a crypto isakmp policy. We're going to use policy 50. We're going to choose the authentication of a pre-shared key, encryption 3DES, hashing MD5.

And this needs to match, group number two. So router two needs to match router one, or otherwise it won't work. The lifetime needs to be 86,400. Now we're going to create a crypto isakmp key, CCNP security, the address, and it's 31 two, which matches. Let's go ahead and config t. So that is done. So now we are done with phase one. Now let's go ahead and configure phase two, which is crypto ipsec transform-set. We're going to call this SVTI TSET, and we need to add the encryption, which is 3DES, and the hashing, which is MD5 HMAC. The mode is going to be tunnel. Now we need to go ahead and create the profile, and the way you do that is crypto ipsec profile, and we're going to call this SVTI profile, and we're going to set the transform set over here, and it's going to be the SVTI transform set. Now let's go ahead and do an interface tunnel 50. The tunnel source is going to be gigabit 1. Tunnel destination has to be 31 two, the IP address of router one. After we do that, let's go ahead and do the tunnel mode, which is tunnel mode ipsec ipv4, and that's what tells this tunnel to use the SVTI configuration, and that drops the GRE four-byte packet. So after we do that, then we need to do a tunnel protection ipsec profile, and we need to attach that profile. Boom, that's done.

So now you can see that it was down, and now it came up, and you can see right here that it also came up on router one. Now from here, let's do some show commands: show crypto isakmp sa, you can see that it is active for 31 two. You can also do a show crypto ipsec sa for phase two. And what you have here is for tunnel one. This is the one going to 41.1.1.2, which is this one right here. But we want to see the other one, right? We want to see tunnel 50, which is going to 31 two. Let's see if we are able to filter the SA. There we go. So now we can see it like that, which is a lot better. And after we do that, I also want to do, because SVTI supports dynamic routing, let's go and create a couple of interfaces, and then we are going to enable EIGRP. So let's go and configure interface. We're going to create a loopback 1 with an IP address for this router, router two. So let's do 2. Exit, router eigrp 1, the network that we need to add. We need to add two networks, which is the loopback address, and we also need to add the tunnel. And let's see if we do a "do show interface tunnel 50", tunnel 50's IP address, see if we can find it. Interface brief. Let's just go ahead and do interface brief.

And this tunnel is 61. So let's do network 61. Done. Now let's do it on R1. Let's configure interface loopback 1 with an IP address of... let's go ahead and configure router eigrp. Remember that EIGRP needs to match the autonomous system number, the same as this router, router two, so we can form an adjacency. So let's go and add these networks, network and network, and do a "do show ip interface brief". And the tunnel on this one is 50.1.1.2. Show ip interface brief. Let me see if I have this right. Okay, so tunnel 50 does not have an IP address yet. So we need to change that and make it 51 for R1. So interface tunnel 50, ip address 51. And now let's go into router eigrp 1, and let's go ahead and remove this network, because we don't need it. And let's go ahead and add 51. Let's see. Wait, did I do this right? So on router two, "do show ip interface brief". Try it again. So 51.1.1.1 and 51.1.1.2. Okay, so that's good. So now on router two, we are going to add the other network, which is 51 two. There we go. And now you can see that we have a new adjacency. So that is great.

Show routes, show ip route, show ip eigrp neighbors. You can see that we have that right here. So that is working good. So now we can do, let's try to ping one. Let's try to ping 2... 2, which is a loopback address. It pinged. Now let's do a show crypto ipsec sa. And the peer is going to be 31. And you can see that there are a lot more packets here, because we have EIGRP in there, I think. I cannot remember from my routing and switching times, but I think it's like every 5 seconds it sends a new packet, and that's why we see how it's incrementing, how it is encapsulating and decapsulating a lot more. But we are able to ping and we are able to do all that good stuff. Let's see if we're able to do a show crypto... Let's see, show crypto... sessions... engine. No, we don't want to do that. Identity, maybe... ipsec profile. And you can see that on router one, we have two profiles, which is the default one, and we also have the SVTI one that we created. Let's see how many we have on router two. On router two we should have three, which is the default, the SVTI one and the GRE one. So show crypto ipsec profile.

And like I said before, we should have three. The GRE profile, the one that goes over here, the SVTI, the one that goes to router one, and the default one that comes with it. So this is the one that you cannot add or delete, and it comes with the router. Okay. So you can see both of them are working. So we have configured an SVTI IPsec VPN tunnel, and we also created a GRE tunnel. So that's how you are able to configure both of them. A lot of companies use SVTI more than GRE, because GRE adds a four-byte packet to the header, which makes the data go a little bit slower than SVTI. And SVTI makes it faster because it removes the four-byte GRE packet from the header, so that's it.
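The whole procedure from the video, pulled together as one consolidated configuration so the GRE-over-IPsec tunnel and the SVTI tunnel can be read side by side. This is an added example written for this page, not the presenter's own lab output: the hostnames, policy and profile names and the key string follow the video, while every IP address, interface and loopback mask is a constructed placeholder (the 10.23.0.0/24 link between R2 and R3, the 10.12.0.0/24 link between R1 and R2, 172.16.x.0/24 tunnel subnets). R3 is shown only for the GRE side, which mirrors R2's Tunnel1.

```cisco
! ===== R2: GRE over IPsec toward R3, SVTI toward R1 =====
hostname R2
!
! IKEv1 phase 1 (ISAKMP). One policy is enough for both peers because the
! parameters are identical; the video creates policy 1 and policy 50 separately.
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared key per peer (addresses are constructed placeholders)
crypto isakmp key CCNPsecurity address 10.23.0.3
crypto isakmp key CCNPsecurity address 10.12.0.1
!
! IKEv1 phase 2: transform sets, referenced by IPsec profiles (no crypto map)
crypto ipsec transform-set GRE-TSET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set SVTI-TSET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile GRE-PROFILE
 set transform-set GRE-TSET
crypto ipsec profile SVTI-PROFILE
 set transform-set SVTI-TSET
!
interface GigabitEthernet0/0
 ip address 10.23.0.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 ip address 10.12.0.2 255.255.255.0
 no shutdown
!
! GRE over IPsec: "tunnel mode gre ip" is the default, written out here for contrast
interface Tunnel1
 ip address 172.16.23.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.23.0.3
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROFILE
!
! SVTI: the single line that differs is "tunnel mode ipsec ipv4"
interface Tunnel50
 ip address 172.16.12.2 255.255.255.0
 tunnel source GigabitEthernet0/1
 tunnel destination 10.12.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SVTI-PROFILE
!
! Dynamic routing over the SVTI: loopback plus tunnel subnet in EIGRP AS 1
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
router eigrp 1
 network 172.16.12.0 0.0.0.255
 network 2.2.2.2 0.0.0.0
!
! ===== R1: SVTI side, must match R2's phase 1/phase 2 parameters =====
hostname R1
crypto isakmp policy 50
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key CCNPsecurity address 10.12.0.2
crypto ipsec transform-set SVTI-TSET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile SVTI-PROFILE
 set transform-set SVTI-TSET
interface GigabitEthernet0/1
 ip address 10.12.0.1 255.255.255.0
 no shutdown
interface Tunnel50
 ip address 172.16.12.1 255.255.255.0
 tunnel source GigabitEthernet0/1
 tunnel destination 10.12.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SVTI-PROFILE
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
router eigrp 1
 network 172.16.12.0 0.0.0.255
 network 1.1.1.1 0.0.0.0
!
! ===== R3: GRE side, mirror of R2's Tunnel1 (only the differences shown) =====
hostname R3
crypto isakmp key CCNPsecurity address 10.23.0.2
interface Tunnel2
 ip address 172.16.23.3 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.23.0.2
 tunnel protection ipsec profile GRE-PROFILE
!
! Verification, as used in the video:
!   show crypto isakmp sa                 (phase 1: state should be QM_IDLE / ACTIVE)
!   show crypto ipsec sa peer 10.12.0.1   (phase 2: encaps/decaps counters climb with traffic)
!   show crypto ipsec profile             (default profile plus the ones created here)
!   show ip eigrp neighbors               (adjacency forms over Tunnel50)
```

Two practical notes. First, the tunnel source, destination and IPsec profile are the same on both tunnel types; only `tunnel mode ipsec ipv4` turns the interface into an SVTI, which is why the video calls it a one-command difference. Second, 3DES, MD5 and DH group 2 are the legacy values this lab uses; outside a lab the same configuration is built with AES-256, SHA-256 and DH group 14 or higher, and the pre-shared key should be replaced by certificates or at least stored with `password encryption aes` so it does not sit in cleartext in the running config.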
