CCIE Routing & Switching version 5: IPsec- IKE phase 2

Captions
Now, once we have a successful phase one (in the case of IKE phase one they are going to negotiate the security parameters for having a secured channel), phase two is going to negotiate the IPsec transforms, or we can say in phase two it's going to actually apply the IPsec parameters which will help in a secure communication here. Now what exactly we do here is we need to apply some different transform sets. A transform set is a set of algorithms which are used to provide a secure communication process. Now we got some different protocols involved in that; actually we need to define, like I discussed, there are two different protocols which are used in the phase one, which is going to define what encryption method or authentication, and securing the information. Now there are two different protocols we can use: either we can use ESP or Authentication Header. The major difference between these two sets of protocols is that ESP is going to provide an encryption which Authentication Header is not going to provide. Now either you can go with ESP, or we can go with some combination of ESP plus Authentication Header; that is something we are going to define inside the transform set. Now ESP works on protocol number 50, whereas Authentication Header works on protocol number 51. When it comes to ESP, it adds some extra overhead on the routers, whereas Authentication Header adds less overhead; but when it comes to security, ESP is going to provide some encryption which Authentication Header is not going to provide. It provides almost all the options except the encryption method. So depending upon the options, we need to choose which transform set you want to go with for applying the IPsec policies in phase 2.

Now we got some options here. If you go with the configuration, there are three different steps we need to configure. The first step will be configuring the transform set, and in the transform set we are going to define, like I'm using IP_SET, something like that, we are going to define what encryption method we are going to use. So here I am going to use the ESP protocol with an encryption of AES, that's what I am using, and then again I am using the ESP method where I'm going to define the SHA algorithm with HMAC. Now all these options you can find in the command line. If you just go to the command line on the routers, if I go and define crypto ipsec transform-set, now we are going to create a transform set, and the transform set name can be anything, like I'm using IP_SET, and you can see if I give the question mark you will find the different options here. So if I'm using Authentication Header with MD5 HMAC, Authentication Header is going to provide the authentication with MD5 for data integrity, or you can use SHA, or you can use ESP. Now here you can see we need to select the different algorithms and we need to ensure that we are going with all the options, like we are going to support the encryption. To support encryption we need to use any one of these algorithms which is going to support encryption here. Now if you see, Authentication Header does not have any encryption options here. So the first thing, we need to have an encryption, so in that case I am going to go with 3DES or any one of these; let's go with AES, and you can see the bits here. After that I need to have data integrity, so to provide the data integrity either I need to go with ESP MD5 HMAC or I need to go with ESP SHA HMAC, so I'm going with ESP SHA HMAC. Okay, now you can see once we select it, you can see very few options here. If you want to combine this, instead of using ESP SHA HMAC you can also use Authentication Header SHA HMAC as well; it all depends upon what set of protocols you want to use for applying the IPsec parameters. So that's what we call a transform set. So let me go with this configuration here, and then I'll try to copy-paste the same configuration on router 2 as well, just to ensure that it matches on both the sides, so I can use the same name; that won't be a problem anyway. So this is the first step: we need to define a transform set. A transform set is a set of algorithms which we are going to use to apply the IPsec policies here.

Now once we configure the transform set, then we are going to create a crypto map. In the case of the crypto map, what we are going to do is we need to define the interesting traffic; that's what we are doing. If you remember, in the first step we created one ACL which is going to match the traffic from one network to another network, and it is defined in the ACL 100. So we are saying match address 100, any traffic coming from the 1 dot network to the 2 dot network, and the remote peer, if it is going for so-and-so peer, that is the VPN endpoint peer, we are going to apply this transform set here, and then finally we are going to apply this crypto map on the interface, the outgoing interface. Now these are our next steps here. Let us go to the command line and configure the same here. I'll go to router 1; on router 1 I am going to create a crypto map CR_MAP (some name you can use). So I forgot to use the map command: I need to say crypto map CR_MAP, and then it is asking you what exactly you want to create; I want to create IPsec, it has to be IPsec, so I forgot to give the number, oh, I need to say 10, some number, and then we just need to define ipsec-isakmp, and you can see the crypto map will remain disabled until you add a valid peer. So we are going to add the peer, but before that I am going to say match address ACL 100 which we created already, and then I'm going to say set peer 25.0.0.2, and then I'm going to apply the transform set which I created, and then finally I'm going to apply it on the 0/0 interface: crypto map CR_MAP. Let me do the same configuration on the other router as well, on router 2.

Now once we are done with the configurations, we need to verify all the configurations: we created a transform set, and then we have applied a crypto map, and then finally on the interface as well. Let's go to the command line for verifying some of the specific show commands which will be useful for troubleshooting kind of stuff. Let's go to the command line here. The first show command we'll be using here is show crypto; so most of the show commands start with show crypto, then either we use ipsec, if you want to verify IPsec parameters we use ipsec, or you can say isakmp, so it depends. So I'm going to say isakmp, and the first show command I am going to use is transform-set, or show crypto map. So first let's go with the show crypto map command. Now show crypto map is going to show you the access list we have created, access list 100, which will be our interesting traffic which is coming from the 1 dot network going to the 2 dot network on router 1, and the peer is 25.0.0.2, and the transform set we have applied, IP_SET. Now if you want to verify the transform set we need to say show crypto ipsec transform-set; there is something, an IPsec transform set. I can see this transform set is going to define that I'm going to use ESP; these are the protocols or the algorithms which I am going to use when applying the IPsec policies. Now the next command is show crypto; let's go with the next command, show crypto isakmp sa, security association. Now here you can see you don't see any output here. Let me try other commands, so show crypto ipsec sa, security association. Right now here you will see some of the packets sent or encapsulated, encrypted, decapsulated, these things; right now you don't see any traffic going here. Let's try to generate some interesting traffic from router 1, so try to ping 192.168.2.2 and the source will be 192.168.1.1. Now actually when I try to ping here it's not pinging, and the reason is actually I applied a wrong crypto map here. If you just go to the configuration, I just sorted out that because I did the copy-paste of the configurations, I forgot to change the peer address, because I thought it's the same configuration. So if you just verify the configurations here, the peer address on router 2 has to be router 1, but it is configured as router 2 itself, so that's one of the problems here. So let me change this configuration first; that's the reason you can see it's not working. So I'm going to remove this peer and I'm going to apply the peer as 15.0.0.1. So now if you verify show crypto map, I should see the peer has to be 15.0.0.1, and on router 1 the show crypto map peer has to be 25.0.0.2.

Now already I have default routes in my routing table which will ensure that any traffic coming, any packet, will go to router 5, and router 5 knows exactly the way to forward. So already I have, on router 5, configured some static routes here just for testing purposes; anyway we are not going to do anything on router 5, you will have reachability here. So I'm going to say, on router 1, if I try to ping 192.168.2.2, I'm going to ping from 192.168.1.1, I can see I'm able to communicate between them, and if I give the command show crypto ipsec sa, probably I should see the packets have to match; you can see the packets are matching here. Let me try to generate some traffic for any uninteresting traffic; for uninteresting traffic itself, try to ping 2.4.2.2, you can see I'm able to ping, or if I go with show crypto ipsec sa you can see the packet numbering has not increased, because that comes under the category of clear text and that doesn't match here. So whatever the traffic coming, whatever we define in the ACL, if that particular traffic comes then only you will see the packets will get encrypted here. Now if anything comes outside that ACL, probably that traffic will still communicate between them, but it will go in clear text.
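The copy-paste mistake the video runs into (the peer on router 2 left pointing at router 2 itself) is the kind of thing a small config check catches before you start pinging. As an added example that is not from the video, the Python below parses constructed IOS config excerpts for the two routers, using the lab addresses from the video (15.0.0.1, 25.0.0.2, 192.168.1.0/24, 192.168.2.0/24) and assumed names CR_MAP, IP_SET and FastEthernet0/0, and reports the phase 2 mismatches between the two sides.

```python
import re

# Constructed IOS config excerpts (not from the video). Addresses follow the lab
# described there; CR_MAP, IP_SET and FastEthernet0/0 are assumed names.
R1_CFG = """
interface FastEthernet0/0
 ip address 15.0.0.1 255.255.255.0
 crypto map CR_MAP
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set IP_SET esp-aes esp-sha-hmac
crypto map CR_MAP 10 ipsec-isakmp
 set peer 25.0.0.2
 set transform-set IP_SET
 match address 100
"""
# R2 as pasted from R1 with only its own address and ACL edited: "set peer"
# still says 25.0.0.2, which is R2 itself (the mistake made in the video).
R2_CFG_BROKEN = R1_CFG.replace("15.0.0.1", "25.0.0.2").replace(
    "192.168.1.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.1.0")
# R2 after the fix: the peer now points at R1's WAN address.
R2_CFG_FIXED = R2_CFG_BROKEN.replace("set peer 25.0.0.2", "set peer 15.0.0.1")


def parse_phase2(cfg):
    """Pull out the fields the IPsec (phase 2) negotiation depends on."""
    return {
        "addrs": set(re.findall(r"^\s*ip address (\S+) ", cfg, re.M)),
        "peers": set(re.findall(r"^\s*set peer (\S+)", cfg, re.M)),
        "transforms": {tuple(t.split()) for t in re.findall(
            r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)},
    }


def check_pair(cfg_a, cfg_b):
    """Return the problems that would stop the IPsec SA between A and B."""
    a, b = parse_phase2(cfg_a), parse_phase2(cfg_b)
    problems = []
    for name, side in (("A", a), ("B", b)):
        own = side["peers"] & side["addrs"]
        if own:  # the copy-paste error: peer left pointing at this router
            problems.append(f"{name}: set peer names its own address {sorted(own)}")
    if not a["peers"] & b["addrs"]:
        problems.append("A's peer is not an address configured on B")
    if not b["peers"] & a["addrs"]:
        problems.append("B's peer is not an address configured on A")
    if not a["transforms"] & b["transforms"]:
        problems.append("no transform set in common (ESP/AH algorithms differ)")
    return problems
```

Running `check_pair(R1_CFG, R2_CFG_BROKEN)` reports the self-peer on B and that B's peer is not an address on A, while `check_pair(R1_CFG, R2_CFG_FIXED)` returns an empty list.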
Info
Channel: Sikandar Shaik
Views: 36,705
Keywords: CCNA, Cisco, CCIE
Id: HTaVbXgB6Dg
Length: 11min 52sec (712 seconds)
Published: Sat Nov 28 2015