***************************************************
Lab 1 - Configure a Point-To-Point VPN using GRE
***************************************************

----------------------------------------------------
1. Creating a Tunnel Interface
----------------------------------------------------

-----
R1
-----
Interface Tunnel1
 tunnel source 192.1.12.1
 tunnel destination 192.1.23.3
 ip address 192.168.1.1 255.255.255.0

-----
R3
-----
Interface Tunnel1
 tunnel source E0/0
 tunnel destination 192.1.12.1
 ip address 192.168.1.3 255.255.255.0

----------------------------------------------------------
2. Configure a Routing Protocol to establish connectivity
----------------------------------------------------------

-----
R1
-----
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

-----
R3
-----
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

+++++++++++++++++++++++++++
Characteristics:
+++++++++++++++++++++++++++

-> Protocol: GRE Point-to-Point
-> Logically connects the 2 Endpoints to each other
-> Runs a Routing Protocol to learn routes from the peer device
-> Uses the Routing Table to determine interesting traffic
-> This type of VPN is referred to as a "Routing Based VPN"
-> Although GRE Encapsulates the inner packet, it DOES Not encrypt the Packet

***************************************************
Lab 2 - Configure a LAN-To-LAN VPN using IPSec
***************************************************

------
R1
------
! 1. Configure Phase I Parameters (ISAKMP = UDP/500)
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key Cisco123 address 192.1.23.3

! 2. Configure Phase II Parameters (ESP = Protocol # 50)
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. Define the Interesting Traffic by configuring an ACL (Policy)
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255

! 4. Link the above parameters to each other by using a Crypto Map
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.23.3
 set transform-set ABC
 match address 101

! 5. Apply the Crypto map to the outgoing interface
Interface E0/0
 crypto map CMAP

------
R3
------
! 1. Configure Phase I Parameters (ISAKMP = UDP/500)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key Cisco123 address 192.1.12.1

! 2. Configure Phase II Parameters (ESP = Protocol # 50)
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. Define the Interesting Traffic by configuring an ACL (Policy)
access-list 101 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.3.3.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 permit ip 172.16.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255

! 4. Link the above parameters to each other by using a Crypto Map
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.12.1
 set transform-set ABC
 match address 101

! 5. Apply the Crypto map to the outgoing interface
Interface E0/0
 crypto map CMAP

+++++++++++++++++++++++++++
Characteristics:
+++++++++++++++++++++++++++

-> Protocol: IPSec Protocol Suite (ISAKMP & ESP)
-> Uses an ACL (Policy) to define the interesting traffic
-> This type of VPN is referred to as a "Policy-based VPN"
-> It encrypts the Data
-> As the interesting traffic is defined by an ACL, any changes require you to manually configure/re-configure the ACL

***************************************************
Lab 3 - Configure GRE Over IPSec
***************************************************

----------------------------------------------------
1. Creating a Tunnel Interface
----------------------------------------------------

-----
R1
-----
Interface Tunnel1
 tunnel source 192.1.12.1
 tunnel destination 192.1.23.3
 ip address 192.168.1.1 255.255.255.0

-----
R3
-----
Interface Tunnel1
 tunnel source E0/0
 tunnel destination 192.1.12.1
 ip address 192.168.1.3 255.255.255.0

----------------------------------------------------------
2. Configure a Routing Protocol to establish connectivity
----------------------------------------------------------

-----
R1
-----
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

-----
R3
-----
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

-------------------------------
EIGRP Hello Packet [98 Bytes]
-------------------------------

----------------------------------------------------------------------------
| GRE | 192.1.12.1 | 192.1.23.3 | EIGRP | 192.168.1.1 | 224.0.0.10 | Data |
----------------------------------------------------------------------------

----------------------------------------------------------
3. Configure IPSec to encrypt the Tunnel Interface
----------------------------------------------------------

------
R1
------
! 1. Configure Phase I Parameters (ISAKMP = UDP/500)
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key Cisco123 address 192.1.23.3

! 2. Configure Phase II Parameters (ESP = Protocol # 50)
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. Configure an IPSec profile and link it to the Transform-set
crypto ipsec profile IPROF
 set transform-set ABC

! 4. Apply the IPSec Profile to the Tunnel Interface
Interface Tunnel1
 tunnel protection ipsec profile IPROF

------
R3
------
! 1. Configure Phase I Parameters (ISAKMP = UDP/500)
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key Cisco123 address 192.1.12.1

! 2. Configure Phase II Parameters (ESP = Protocol # 50)
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. Configure an IPSec profile and link it to the Transform-set
crypto ipsec profile IPROF
 set transform-set ABC

! 4. Apply the IPSec Profile to the Tunnel Interface
Interface Tunnel1
 tunnel protection ipsec profile IPROF

-------------------------------
EIGRP Hello Packet [150 Bytes]
-------------------------------

Tunnel Mode:

------------------------------------------------------------------------------------------------------------
|ESP | 192.1.12.1 | 192.1.23.3 | GRE | 192.1.12.1 | 192.1.23.3 | EIGRP | 192.168.1.1 | 224.0.0.10 | Data |
------------------------------------------------------------------------------------------------------------

----------------------------------------------------------
4. Configure IPSec to use Transport Mode
----------------------------------------------------------

-------------------------------
EIGRP Hello Packet [134 Bytes]
-------------------------------

Transport Mode:

---------------------------------------------------------------------------------
|ESP | 192.1.12.1 | 192.1.23.3 | GRE | EIGRP | 192.168.1.1 | 224.0.0.10 | Data |
---------------------------------------------------------------------------------

------
R1
------
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport

------
R3
------
crypto ipsec transform-set ABC esp-3des esp-sha-hmac
 mode transport

**********************************************************
Lab 4 - Configure a Native IPSec Tunnel Interface / S-VTI
**********************************************************

---------------------------------------------------------------
1. Configure the Tunnel Interface to use IPSec as the protocol
---------------------------------------------------------------

-----
R1
-----
Interface tunnel 1
 tunnel mode ipsec ipv4

-----
R3
-----
Interface tunnel 1
 tunnel mode ipsec ipv4

Native IPSec Tunnel Mode:

-------------------------------
EIGRP Hello Packet [126 Bytes]
-------------------------------

---------------------------------------------------------------------------------
|ESP | 192.1.12.1 | 192.1.23.3 | EIGRP | 192.168.1.1 | 224.0.0.10 | Data |
---------------------------------------------------------------------------------

**********************************************************
Lab 5 - Configure S-VTI - From Scratch
**********************************************************

-----
R1
-----
! 1. Configure Phase I Parameters (ISAKMP = UDP/500)
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key Cisco123 address 192.1.23.3

! 2. Configure Phase II Parameters (ESP = Protocol # 50)
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. Configure an IPSec profile and link it to the Transform-set
crypto ipsec profile IPROF
 set transform-set ABC

! 4. Apply the IPSec Profile to the Tunnel Interface
Interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source E 0/0
 tunnel destination 192.1.23.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF

! 5. Routing Protocol
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

-----
R3
-----
! 1. Configure Phase I Parameters (ISAKMP = UDP/500)
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key Cisco123 address 192.1.12.1

! 2. Configure Phase II Parameters (ESP = Protocol # 50)
crypto ipsec transform-set ABC esp-3des esp-sha-hmac

! 3. Configure an IPSec profile and link it to the Transform-set
crypto ipsec profile IPROF
 set transform-set ABC

! 4. Apply the IPSec Profile to the Tunnel Interface
Interface Tunnel1
 ip address 192.168.1.3 255.255.255.0
 tunnel source E 0/0
 tunnel destination 192.1.12.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF

! 5. Routing Protocol
router eigrp 100
 network 192.168.1.0
 network 10.0.0.0
 network 172.16.0.0

**********************************************************
Lab 6 - Configure mGRE
**********************************************************

-----
R1
-----
Interface Tunnel 1
 ip address 192.168.1.1 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map 192.168.1.3 192.1.30.3
 ip nhrp map 192.168.1.4 192.1.40.4
 ip nhrp map 192.168.1.5 192.1.50.5

-----
R2
-----
Interface Tunnel 1
 ip address 192.168.1.2 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 2
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map 192.168.1.3 192.1.30.3
 ip nhrp map 192.168.1.4 192.1.40.4
 ip nhrp map 192.168.1.5 192.1.50.5

-----
R3
-----
Interface Tunnel 1
 ip address 192.168.1.3 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 3
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map 192.168.1.4 192.1.40.4
 ip nhrp map 192.168.1.5 192.1.50.5

-----
R4
-----
Interface Tunnel 1
 ip address 192.168.1.4 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map 192.168.1.3 192.1.30.3
 ip nhrp map 192.168.1.5 192.1.50.5

-----
R5
-----
Interface Tunnel 1
 ip address 192.168.1.5 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp map 192.168.1.1 192.1.10.1
 ip nhrp map 192.168.1.2 192.1.20.2
 ip nhrp map 192.168.1.3 192.1.30.3
 ip nhrp map 192.168.1.4 192.1.40.4

**********************************************************
Lab 7 - Configure DMVPN
**********************************************************

-----
R1
-----
no Interface Tunnel 1
Interface Tunnel 1
 ip address 192.168.1.1 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1

-----
R2
-----
no Interface Tunnel 1
Interface Tunnel 1
 ip address 192.168.1.2 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1

-----
R3
-----
no Interface Tunnel 1
Interface Tunnel 1
 ip address 192.168.1.3 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1

-----
R4
-----
no Interface Tunnel 1
Interface Tunnel 1
 ip address 192.168.1.4 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1

-----
R5
-----
no Interface Tunnel 1
Interface Tunnel 1
 ip address 192.168.1.5 255.255.255.0
 tunnel source E0/0
 tunnel mode gre multipoint
 ip nhrp network-id 1
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 192.1.10.1

==============================================
DMVPN
==============================================

DMVPN Phase - I, II & III
IPSec with DMVPN
Dual-Hub DMVPN
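
The EIGRP Hello sizes quoted in Labs 1, 3 and 4 (98, 150, 134 and 126 bytes) follow from the header layouts of each encapsulation, including ESP padding to the cipher block size. The Python below is an added example, not part of the original lab notes; it assumes the sizes are Ethernet frame lengths (14-byte header) and that the inner EIGRP Hello is a 60-byte IP packet, and it adds an AES-CBC/HMAC-SHA-256 transform that the labs do not use, for comparison.

```python
"""On-wire size of one packet under the four encapsulations used in these labs."""

ETH = 14             # Ethernet II header (assumption: the page does not say which layers it counts)
IP = 20              # IPv4 header without options
GRE = 4              # basic GRE header, no key/sequence/checksum
ESP_HDR = 8          # SPI (4) + sequence number (4)
EIGRP_HELLO_IP = 60  # assumption: 20-byte IP header + 40-byte EIGRP Hello

# (cipher block size, IV length, truncated ICV length) in bytes
ESP_3DES_SHA1 = (8, 8, 12)     # esp-3des esp-sha-hmac, the transform set on the page
ESP_AES_SHA256 = (16, 16, 16)  # AES-CBC + HMAC-SHA-256-128, added here for comparison


def esp_len(payload, transform):
    """Bytes of ESP header + IV + padded payload and trailer + ICV."""
    block, iv, icv = transform
    trailer = 2  # pad-length byte + next-header byte
    padded = -(-(payload + trailer) // block) * block  # round up to the block size
    return ESP_HDR + iv + padded + icv


def frame_len(mode, inner=EIGRP_HELLO_IP, transform=ESP_3DES_SHA1):
    """Ethernet frame length for an `inner`-byte passenger IP packet."""
    if mode == "gre":                    # Lab 1: outer IP + GRE, no encryption
        return ETH + IP + GRE + inner
    if mode == "gre-ipsec-tunnel":       # Lab 3 step 3: ESP protects outer IP + GRE + inner
        protected = IP + GRE + inner
    elif mode == "gre-ipsec-transport":  # Lab 3 step 4: ESP protects GRE + inner only
        protected = GRE + inner
    elif mode == "svti":                 # Labs 4 and 5: ESP protects the inner packet directly
        protected = inner
    else:
        raise ValueError(f"unknown mode: {mode}")
    return ETH + IP + esp_len(protected, transform)


def report(transform=ESP_3DES_SHA1):
    """Frame length per encapsulation for the assumed 60-byte EIGRP Hello."""
    modes = ("gre", "gre-ipsec-tunnel", "gre-ipsec-transport", "svti")
    return {m: frame_len(m, transform=transform) for m in modes}


if __name__ == "__main__":
    for name, t in (("3DES/SHA-1", ESP_3DES_SHA1), ("AES-CBC/SHA-256", ESP_AES_SHA256)):
        print(name, report(t))
```

The 3DES/SHA-1 row reproduces the four sizes given in the labs; the per-packet saving from transport mode and S-VTI comes from dropping the duplicated outer IP header and the GRE header respectively.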