- "Do I Know This Already?" Quiz
- Authentication, Authorization, and Accounting
- Remote Authentication Dial-In User Service
- Terminal Access Controller Access Control System Plus
- Encryption Technology Overview
- Certificate Enrollment Protocol
- Extensible Authentication Protocol, Protected EAP, and Temporal Key Integrity Protocol
- Virtual Private Dial-Up Networks (VPDN)
- Foundation Summary
- Q & A
- Scenario: Configuring Cisco Routers for IPSec
- Scenario Answers
Scenario
Scenario: Configuring Cisco Routers for IPSec
Figure 4-21 displays a simple two-router topology where traffic from network 131.108.100.0/24 is encrypted when it is sent to the remote network 131.108.200.0/24.
Figure 4-21 Scenario Topology
Example 4-19 displays the working configuration of R1, with lines numbered from 1 to 31.
Example 4-19. R1's Full Configuration
1. version 12.2 2. hostname R1 3. enable password cisco 4. crypto isakmp policy 1 5. hash md5 6. authentication pre-share 7. crypto isakmp key CCIE address 131.108.255.2 8. crypto ipsec transform-set anyname esp-des esp-sha-hmac 9. mode tunnel 10. crypto map anyname1 1 ipsec-isakmp 11. set peer 131.108.255.2 12. set security-association lifetime seconds 180 13. set transform-set anyname 14. match address 100 15. interface Ethernet0/0 16. ip address 131.108.100.1 255.255.255.0 17. interface Serial0/0 18. ip address 131.108.255.1 255.255.255.252 19. encapsulation frame-relay 20. ip split-horizon 21. ip ospf network point-to-point 22. frame-relay map ip 131.108.255.2 102 broadcast 23. frame-relay interface-dlci 102 24. frame-relay lmi-type ansi 25. crypto map anyname1 26. interface Ethernet0/1 27. ip address 131.108.101.1 255.255.255.0 28. router ospf 1 29. network 131.108.0.0 0.0.255.255 area 0 30. access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255 31. end
Example 4-20 displays the working configuration of R2, with lines numbered from 1 through 29.
Example 4-20. R2's Full Configuration
1. Version 12.2 2. hostname R2 3. enable password cisco 4. crypto isakmp policy 1 5. hash md5 6. authentication pre-share 7. crypto isakmp key CCIe address 131.108.255.1 8. crypto ipsec transform-set anyname esp-des esp-sha-hmac 9. mode tunnel 10. crypto map anyname1 1 ipsec-isakmp 11. set peer 131.108.255.1 12. set security-association lifetime seconds 180 13. set transform-set anyname 14. match address 100 15. interface Ethernet0/0 16. ip address 131.108.200.1 255.255.255.0 17. interface Serial0/0 18. ip address 131.108.255.2 255.255.255.252 19. encapsulation frame-relay 20. ip split-horizon 21. ip ospf network point-to-point 22. frame-relay map ip 131.108.255.1 201 broadcast 23. frame-relay interface-dlci 201 24. frame-relay lmi-type ansi 25. crypto map anyname1 26. router ospf 1 27. network 131.108.0.0 0.0.255.255 area 0 28. access-list 100 permit ip 131.108.200.0 0.0.0.255 131.108.100.0 0.0.0.255 29. end
The following debug output is seen on R1 after the network administrator pings remote network 131.108.100.1 from Router R2's console port.
- Why will the IPSec tunnel not negotiate properly?
R2#debug crypto engine Crypto Engine debugging is on R2#ping Protocol [ip]: Target IP address: 131.108.100.1 Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 131.108.200.1 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 131.108.100.1, timeout is 2 seconds: 22:58:55: CryptoEngine0: generate alg parameter 22:58:55: CRYPTO_ENGINE: Dh phase 1 status: 0 22:58:55: CRYPTO_ENGINE: Dh phase 1 status: 0 22:58:55: CryptoEngine0: generate alg parameter 22:58:55: CryptoEngine0: create ISAKMP SKEYID for conn id 1 22:58:55: CryptoEngine0: generate hmac context for conn id 1. 22:58:55: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 131.108.255.1 failed it s sanity check or is malformed.... Success rate is 0 percent (0/5) R2#
- What subnets will be encrypted between Routers R1 and R2?
- What IOS command produced the following display and from which router?
Crypto Map "anyname1" 1 ipsec-isakmp Peer = 131.108.255.2 Extended IP access list 100 access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255 Current peer: 131.108.255.2 Security association lifetime: 4608000 kilobytes/180 seconds PFS (Y/N): N Transform sets={ anyname, } Interfaces using crypto map anyname1: Serial0/0
- Will Host A be able to communicate with Host B or Host C? The following displays are the IP routing tables on R1 and R2. (Assume the gateway configurations on the PCs are correct.)
R1's IP routing table:
R1>show ip route Codes: C - connected, , O - OSPF, 131.108.0.0/16 is variably subnetted, 4 subnets, 2 masks C 131.108.255.0/30 is directly connected, Serial0/0 O 131.108.200.0/24 [110/400] via 131.108.255.2, 00:52:00, Serial0/0 C 131.108.101.0/24 is directly connected, Ethernet0/1 C 131.108.100.0/24 is directly connected, Ethernet0/0
R2's IP routing table:
R2>show ip route Codes: C - connected, , O - OSPF 131.108.0.0/16 is variably subnetted, 4 subnets, 2 masks C 131.108.255.0/30 is directly connected, Serial0/0 C 131.108.200.0/24 is directly connected, Ethernet0/0 O 131.108.101.0/24 [110/58] via 131.108.255.1, 00:52:09, Serial0/0 131.108.100.0/24 [110/58] via 131.108.255.1, 00:52:09, Serial0/0
- To allow the IP subnet 131.108.101.0/24 attached to the R1 Ethernet 0/1 interface to be encrypted over the IPSec tunnel and to communicate with the remote PC IP address 131.108.200.5, what configuration changes are required on which router?