IPsec part 1
I have started learning about IPsec and related technologies.
But this is a very large subject that I will go going quite in-depth with so I will be doing this as a multi-part post over a couple of weeks.
Setup
To get started I followed a pretty good Cisco guide for a configuration example and set it up in GNS3.
A couple of notes about how I set it up.
Routers = Cisco 2691
IOS = c2691-adventerprisek9_sna-mz.124-13b
I used the VPCs for PC1 and PC2. This allowed me to test that tunnel.
R2 is there only to provide transit from RouterA to RouterB. I also used OSPF to distribute the routes.
I will be going through each configuration and explain what each part does and some recommendations for production deployments. Configurations
RouterA
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key vpnuser address 10.0.0.2
crypto isakmp keepalive 60 5
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set myset
match address 100
!
!
interface Loopback1
no ip address
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 1
!
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
no cdp log mismatch duplex
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Router B
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key vpnuser address 172.16.1.1
crypto isakmp keepalive 60 5
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set myset
match address 100
!
!
interface FastEthernet0/0
ip address 172.16.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.2 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 1
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255
no cdp log mismatch duplex
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R2
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 1
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end