Cisco IOU IPsec Site to Site VPN with Pre-shared key, RSA Key, or CA Part 1 - NETSEC


Sunday, February 19, 2012


Cisco IOU IPsec Site to Site VPN with Pre-shared Key (Part 1)


R1#sh ver
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Experimental Version 12.4(20090407:185408) [yuiu-redbuild-V124_24_5_6_PIC1 177]
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 08-Apr-09 02:09 by yuiu

ROM: Bootstrap program is Linux

R1 uptime is 45 minutes
System returned to ROM by reload at 0
System image file is "unix:../i86bi_linux-adventerprisek9-ms"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
          
If you require further assistance please contact us by sending email to
export@cisco.com.

Linux Unix (Intel-x86) processor with 40401K bytes of memory.
Processor board ID 1
8 Ethernet interfaces
8 Serial interfaces
16K bytes of NVRAM.

Configuration register is 0x0



R1#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2.test.com      Eth 1/3            129           R       Linux Uni Eth 1/3

Physical Diagram (image not reproduced here; topology as configured below)

R1 Lo0 1.1.1.1/24 --- R1 Eth1/3 12.1.1.1/24 <---> 12.1.1.2/24 Eth1/3 R2 --- R2 Lo0 2.2.2.2/24


R1#sh run
Building configuration...

Current configuration : 2144 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
ip cef
ip domain name test.com
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 123456 address 12.1.1.2
!      
!
crypto ipsec transform-set P2-Transform esp-des esp-sha-hmac 
!
crypto map P2-Transform 10 ipsec-isakmp 
 set peer 12.1.1.2
 set transform-set P2-Transform 
 match address acl_vpn
!
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 ip address 12.1.1.1 255.255.255.0
 crypto map P2-Transform
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!      
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
!      
no ip http server
no ip http secure-server
ip route 2.2.2.0 255.255.255.0 12.1.1.2
!
ip access-list extended acl_vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!

exception data-corruption buffer truncate
end

--------------------------------------------------------------------------------------------------------

R2#sh run
Building configuration...

Current configuration : 2128 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
!
!      
!
ip cef
ip domain name test.com
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 123456 address 12.1.1.1
!      
!
crypto ipsec transform-set P2-Tran esp-des esp-sha-hmac 
!
crypto map P1-P2-Map 10 ipsec-isakmp 
 set peer 12.1.1.1
 set transform-set P2-Tran 
 match address acl_vpn
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Ethernet0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
!
interface Ethernet1/1
 no ip address
 shutdown
!
interface Ethernet1/2
 no ip address
 shutdown
!
interface Ethernet1/3
 ip address 12.1.1.2 255.255.255.0
 crypto map P1-P2-Map
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!      
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
!      
no ip http server
no ip http secure-server
ip route 1.1.1.0 255.255.255.0 12.1.1.1
!
ip access-list extended acl_vpn
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
exception data-corruption buffer truncate
end
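Both routers leave `crypto isakmp policy 10` at the IOS 12.4 defaults for everything except the authentication method, which means DES encryption, SHA-1, Diffie-Hellman group 1 and an 86400 s lifetime; the transform set is DES as well, the pre-shared key is the numeric string `123456` stored in clear text (`no service password-encryption`), and neither crypto map sets PFS. That is fine for an IOU lab and not acceptable for a tunnel exposed to a real network. The script below is an added example, not code from the original post or a Cisco tool: it parses the crypto sections of a `show run`, fills in the IOS defaults for anything the ISAKMP policy leaves unset, flags the weak choices, and then cross-checks the two peers (does `set peer` point at the far end's crypto-map interface, is a key bound to that address, are the crypto ACLs mirror images). `R1_WEAK` is R1's configuration as shown above; `mirror()` produces R2's side by swapping the addresses, which matches the page's R2 apart from the transform-set and crypto-map names. `R1_HARDENED` and the weak-algorithm thresholds are constructed for this example: the key is a placeholder, and `group 14` / `set pfs group14` assume an IOS release that supports DH group 14 (use group 5 on images that do not).

```python
"""Audit an IOS IKEv1/IPsec site-to-site pair: policy defaults, weak algorithms, peer consistency."""
import re
# IOS 12.4 defaults for a 'crypto isakmp policy' that only sets 'authentication'.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}   # groups below 2048 bits
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
# R1's crypto-relevant lines exactly as they appear on this page.
R1_WEAK = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 123456 address 12.1.1.2
crypto ipsec transform-set P2-Transform esp-des esp-sha-hmac
crypto map P2-Transform 10 ipsec-isakmp
 set peer 12.1.1.2
 set transform-set P2-Transform
 match address acl_vpn
interface Ethernet1/3
 ip address 12.1.1.1 255.255.255.0
 crypto map P2-Transform
ip access-list extended acl_vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
"""
# Hardened R1, constructed for this example (not from the page): placeholder key; 'group 14' assumed supported.
R1_HARDENED = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key 0 Kf4xQ9ZP2vwLr8mTn3bHs6YcA1eJd7Ug address 12.1.1.2
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
crypto map P1-P2-Map 10 ipsec-isakmp
 set peer 12.1.1.2
 set transform-set TS-AES
 set pfs group14
 match address acl_vpn
interface Ethernet1/3
 ip address 12.1.1.1 255.255.255.0
 crypto map P1-P2-Map
ip access-list extended acl_vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
"""

def mirror(cfg):   # far end: the same lines with R1's and R2's addresses swapped, as R2 is on this page
    swap = {"12.1.1.1": "12.1.1.2", "12.1.1.2": "12.1.1.1", "1.1.1.0": "2.2.2.0", "2.2.2.0": "1.1.1.0"}
    return re.sub(r"\b(12\.1\.1\.[12]|1\.1\.1\.0|2\.2\.2\.0)\b", lambda m: swap[m.group(1)], cfg)

def parse_blocks(cfg):   # -> [(top-level command, [indented sub-commands])]
    blocks = []
    for raw in (l for l in cfg.splitlines() if l.strip() and not l.startswith("!")):
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_peer(cfg):   # per-device findings, plus the facts needed to cross-check the far end
    findings, facts = [], {"peers": [], "key_addrs": [], "acl": {}, "map_acl": None, "vpn_ip": None}
    for head, body in parse_blocks(cfg):
        if head.startswith("crypto isakmp policy"):
            pol = dict(ISAKMP_DEFAULTS)                      # unset attributes keep the IOS default
            for line in body:
                k, *v = line.split()
                pol["encr" if k == "encryption" else k] = v[0] if v else ""
            for attr, bad in WEAK.items():
                if pol[attr] in bad:
                    findings.append(f"{head}: weak {attr} {pol[attr]} (IOS default: {ISAKMP_DEFAULTS[attr]})")
        elif head.startswith("crypto isakmp key"):
            typ, key, addr = re.match(r"crypto isakmp key (?:([06]) )?(\S+) address (\S+)", head).groups()
            facts["key_addrs"].append(addr)
            if typ != "6" and (len(key) < 16 or key.isdigit()):   # type 6 is AES-encrypted, not assessable
                findings.append(f"{head}: short or numeric cleartext pre-shared key")
        elif head.startswith("crypto ipsec transform-set"):
            algs = {a for a in head.split()[4:] if not a.isdigit()}   # drop the '256' of 'esp-aes 256'
            findings += [f"{head}: weak ESP transform {a}" for a in sorted(algs & WEAK_ESP)]
        elif head.startswith("crypto map") and "ipsec-isakmp" in head:
            facts["peers"] += [l.split()[2] for l in body if l.startswith("set peer ")]
            facts["map_acl"] = next((l.split()[2] for l in body if l.startswith("match address ")), None)
            if not any(l.startswith("set pfs") for l in body):
                findings.append(f"{head}: no 'set pfs' (no Perfect Forward Secrecy for Phase 2)")
        elif head.startswith("interface") and any(l.startswith("crypto map") for l in body):
            facts["vpn_ip"] = next((l.split()[2] for l in body if l.startswith("ip address ")), None)
        elif head.startswith("ip access-list extended"):
            facts["acl"][head.split()[3]] = [tuple(l.split()) for l in body if l.startswith("permit ip ")]
    return findings, facts

def audit_tunnel(cfg_a, cfg_b):   # all findings for the pair; an empty list means nothing to fix
    (fa, a), (fb, b) = audit_peer(cfg_a), audit_peer(cfg_b)
    out = [f"A: {f}" for f in fa] + [f"B: {f}" for f in fb]
    for tag, me, far in (("A->B", a, b), ("B->A", b, a)):
        if far["vpn_ip"] not in me["peers"]:
            out.append(f"{tag}: 'set peer' {me['peers']} does not match the remote crypto-map address {far['vpn_ip']}")
        if far["vpn_ip"] not in me["key_addrs"]:
            out.append(f"{tag}: no pre-shared key bound to the remote address {far['vpn_ip']}")
    # Crypto ACLs must be mirror images: 'permit ip S SM D DM' here must be 'permit ip D DM S SM' there.
    mine = {e[2:6] for e in a["acl"].get(a["map_acl"], [])}
    if mine != {(e[4], e[5], e[2], e[3]) for e in b["acl"].get(b["map_acl"], [])}:
        out.append("A<->B: crypto ACLs are not mirror images")
    return out
```

Calling `audit_tunnel(R1_WEAK, mirror(R1_WEAK))` reports five findings for each router (default DES, DH group 1, the numeric clear-text key, the `esp-des` transform, no PFS) and nothing on the cross-checks, which is why the tunnel on this page works despite being weak; `audit_tunnel(R1_HARDENED, mirror(R1_HARDENED))` returns an empty list. Whatever you change on one side must be changed identically on the other, or Phase 1 or Phase 2 negotiation will simply fail. On a real router the pre-shared key should additionally be stored as type 6 with `key config-key password-encrypt` followed by `password encryption aes`, so that `show run` no longer displays it in clear.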

--------------------------------------------------------------------------------------------

R2#ping 1.1.1.1 source 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/24 ms

R2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
12.1.1.1        12.1.1.2        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R2#

QM_IDLE with status ACTIVE confirms only that the ISAKMP (Phase 1) SA is up. To confirm that the ping actually went through the tunnel, run show crypto ipsec sa on either router and check that the #pkts encaps and #pkts decaps counters for the 1.1.1.0/24 and 2.2.2.0/24 identities increase with each ping. A 5/5 result on the very first attempt is not guaranteed: the first echo is often dropped while IKE is still negotiating, so a ".!!!!" on a fresh tunnel is normal.

