Well, it's time for me to sit my Cisco security exams again. My CCSP was superseded by the CCNP-Security so I'm on the case to regain past glory(!?). Anyway, the script is that you need the CCNA Security too, which I'll come back to, but for now I'm into the SECURE or 642-637 exam preparation. Quite a lot has changed since I sat the equivalent in 2005; one thing of note is the new VPN method of using Tunnel interfaces instead of crypto-maps and, to be honest, it looks fantastic! Here's my test in the lab, and I also got a copy of 'Omnigraffle Pro' which makes nice Visio type drawings...
The plan is to ping from 1.1.1.1 to 1.1.1.2 across the VPN. I've set the interfaces up already and will show the test ping, in case there is any doubt:
```
R2#sh ip int bri
Interface       IP-Address   OK? Method Status   Protocol
Async1          unassigned   YES unset  down     down
FastEthernet0   10.0.0.2     YES manual up       up
clipped
Loopback0       1.1.1.2      YES manual up       up
Vlan1           unassigned   YES unset  up       down

R1#sh ip int bri
Interface       IP-Address   OK? Method Status   Protocol
Async1          unassigned   YES unset  down     down
FastEthernet0   10.0.0.1     YES manual up       up
clipped
Loopback0       1.1.1.1      YES manual up       up
Vlan1           unassigned   YES unset  up       down

R1#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```
Now it's time to configure some crypto stuff. I'll be working through the list below:
- Create a transform set for IKE phase 2
- Create an IPSec profile
- Create an IKE policy
- Create an IKE key
- Create the tunnel interface
- Create the static route
Step 1.
```
R1(config)#crypto ipsec transform-set TEST-SET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exit
```
Step 2.
```
R1(config)#crypto ipsec profile TEST-PROFILE
R1(ipsec-profile)#set transform-set TEST-SET
R1(ipsec-profile)#exit
```
Step 3.
```
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#group 14
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit
```
Step 4.
```
R1(config)#crypto isakmp key sup3rs3cr3t address 10.0.0.2
```
Step 5.
```
R1(config)#int tunnel0
R1(config-if)#ip unnumbered fa0
R1(config-if)#tunnel source fa0
R1(config-if)#tunnel destination 10.0.0.2
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile TEST-PROFILE
R1(config-if)#no shut
```
Step 6.
```
R1(config)#ip route 1.1.1.2 255.255.255.255 tunnel0
```
Ok, now I will create a mirror configuration on R2. The relevant bits are clipped from the running config. Note that default values are not included in the running config:
```
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key sup3rs3cr3t address 10.0.0.1
!
crypto ipsec transform-set TEST-SET esp-aes esp-sha-hmac
!
crypto ipsec profile TEST-PROFILE
 set transform-set TEST-SET
!
interface Tunnel0
 ip unnumbered FastEthernet0
 tunnel source FastEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel protection ipsec profile TEST-PROFILE
!
ip route 1.1.1.1 255.255.255.255 Tunnel0
```
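Because both ends of a VTI tunnel are the same template with the remote addresses swapped, here is an added example (not from the post or from Cisco) that renders both routers' configuration from one description of the lab and flags any remote field that still carries the local router's own address, the classic mistake when one end's config is cloned onto the other. R1, R2, the interface names and the key are the post's values; the script itself is an assumption of this example.

```python
"""Render the VTI (tunnel mode ipsec ipv4) config for both ends of a
point-to-point IPsec tunnel and check every remote field names the peer."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Router:
    name: str
    wan: str        # address on FastEthernet0, the tunnel source
    loopback: str   # /32 that must only be reachable through the tunnel

PSK = "sup3rs3cr3t"  # key from the post; use a long random key outside a lab

def vti_config(local: Router, peer: Router) -> str:
    """IOS configuration for `local`; every remote value comes from `peer`."""
    return "\n".join([
        "crypto isakmp policy 10",
        " encr aes",
        " authentication pre-share",
        " group 14",
        " hash sha",
        f"crypto isakmp key {PSK} address {peer.wan}",
        "!",
        "crypto ipsec transform-set TEST-SET esp-aes esp-sha-hmac",
        "!",
        "crypto ipsec profile TEST-PROFILE",
        " set transform-set TEST-SET",
        "!",
        "interface Tunnel0",
        " ip unnumbered FastEthernet0",
        " tunnel source FastEthernet0",
        " tunnel mode ipsec ipv4",
        f" tunnel destination {peer.wan}",
        " tunnel protection ipsec profile TEST-PROFILE",
        "!",
        f"ip route {peer.loopback} 255.255.255.255 Tunnel0",
    ])

def mirror_errors(local: Router, config: str) -> list:
    """Lines whose 'remote' address is really the local router's own address."""
    bad = []
    for line in config.splitlines():
        remote_field = line.startswith(("crypto isakmp key", " tunnel destination"))
        if remote_field and line.endswith(local.wan):
            bad.append(line)
        if line.startswith("ip route") and local.loopback in line:
            bad.append(line)
    return bad

R1 = Router("R1", "10.0.0.1", "1.1.1.1")
R2 = Router("R2", "10.0.0.2", "1.1.1.2")

if __name__ == "__main__":
    for local, peer in ((R1, R2), (R2, R1)):
        cfg = vti_config(local, peer)
        print(f"! ---- {local.name} ----\n{cfg}\n")
        assert not mirror_errors(local, cfg)
```

Running `mirror_errors(R2, vti_config(R1, R2))` shows the three lines that would be wrong if R1's config were pasted onto R2 unchanged.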
The SAs come up as soon as the tunnel interface is up, without waiting for interesting traffic to trigger them as a crypto map would, which is new. We can see the active tunnel with the old-fashioned command:
```
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        10.0.0.2        QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA
```
Status is ACTIVE and State is QM_IDLE, which is good. Here's the ping test...
```
R1# ping 1.1.1.2 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/24 ms
```
I used a lot of pings to check the encap/decap totals with the command:
```
R1#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0xB7D9DD26(3084508454)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2DF2C04A(770883658)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4593846/2996)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB7D9DD26(3084508454)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4593829/2996)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
```
You can see the ICMP packets are being 'encapsulated' with IPSec, so all-round success!