Create a Cisco IPsec protected tunnel interface!

Captions
Will it work? Will it not work? And if not, why not?

Hey, welcome back. In a previous video we took a look at the concept of tunneling IP traffic over a network, and I'll put a card for it, I think, right there, so if you haven't checked out that video, take a quick peek at that. In this video, here's what we're going to cover: I'd like to address how, if we have Cisco gear at two different sites, we can implement a site-to-site tunnel, and more importantly how we can protect that traffic so that if somebody steals it or is eavesdropping on that tunnel traffic, they won't be able to make sense of it, because it's encrypted.

So let's use this topology here with these two routers, R1 and R2, which are both connected to the publicly routable internet. If we want to build a tunnel, let's go ahead and draw the tunnel visually, so we're working on building this logical tunnel that they can use to communicate with each other over the internet. The way we would do that on a Cisco router is we'd go into configuration mode and then we'd specify interface tunnel and then the tunnel interface number that we want to create. If you don't have any tunnel interfaces, the numbering is like from 0 to 110 billion, it's a lot, so you can just say tunnel 0 to start off. That puts us into interface configuration mode for this tunnel, and then we would specify a few details, such as where does this tunnel start from R1's perspective. The answer is that the tunnel is going to start from 15.1.1.1; that's its interface connected to the internet. And where's this tunnel going to end? The ending point of this tunnel is going to be at 25.2.2.2; that's the IP address on R2 that's connected to the internet. So we do that respectively on both sides: R1 and R2 would both specify the starting point from their perspective and the ending point for that tunnel.

Now, the other part that we need to do to make this tunnel functional is to give each of these tunnel interfaces an IP address, and that's going to boil down to planning what we want to use for IP addressing. Now, these IP addresses don't have to be routable on the internet, because they are going to be inside the actual packets, which, as seen on the internet, look like they're coming from 15.1.1.1 going to 25.2.2.2. So the tunnel interface can be any IP address space that we want to use. If we wanted to, we could say we want this tunnel to be the 10.12.12 network; I'm just using that because it's going to go between R1 and R2. Then we give IP addresses in that subnet to each of the router interfaces: so for interface tunnel 0, maybe we give it .1 on the 10.12.12 network, and the tunnel interface on R2, maybe we give it .2. Once we've done so, and if these two routers have reachability to the other side of the tunnel, boom, our tunnel is built.

So let me show you what that would look like from R1's perspective. If we do a show run for interface tunnel 0, which I already have built and set up, here's its configuration. It says the tunnel source is its IP address, the tunnel destination is the IP address of R2, and the IP address that we're using on that interface is 10.12.12.1. I did the same thing over on R2, except I changed the source and destination based on R2's perspective. Let me show you that too. So here on R2, we do a show run for interface tunnel 0 and we can see the exact flip of that: it has an IP address on the 10.12.12 network (I gave it .2), the tunnel source is its own IP address, and the tunnel destination is the IP address of R1 on the other side. So if we did a show ip route, it's going to show the 10.12.12 network as a directly connected network, and if you try to ping 10.12.12.1 and press enter, all that traffic is going over the tunnel.

Now the question might come up, "Well, Keith, how do you verify that's really going over the tunnel and not just being routed normally over the internet?" The way we can verify that is with a packet capture. Let me show you. To capture the traffic as it crosses over the simulation here of the public internet, I'll go ahead and right-click it, click on capture, specify the interface, and away we go. I'll also make that a little bigger so it's easier to see. So here we have some CDP messages and so forth, but let's send some traffic. In fact, let's go ahead and on R2 we'll do a ping to 10.12.12.1. Let's also set the size to a thousand, 1,000 bytes, and also let's specify that we want to send a specific data pattern, so we'll say data 7777. What that's going to do is send a very specific pattern that we can recognize as we look at that data on the network. So there's five pings. If we go back to our packet capture and grab any one of these, here it is: all the sevens in hexadecimal, and the ASCII equivalent of those is a bunch of w's.

So what's happening here? When we do those pings, R2 is saying, "Oh, how do I reach that address?" and from its routing table it says use the tunnel, because it's a directly connected network. It takes that ping request, so we'll say right here the ping with the original source and destination IP address information, and then it adds a GRE header, the Generic Routing Encapsulation protocol, and then it places in the outside header, the one the internet sees, the actual IP addresses of the source and destination before it forwards that traffic. So all the internet sees is, "Hey, here's a packet from 25.2.2.2 to 15.1.1.1," and it sees the layer 4 protocol as GRE, and then inside that it has the original payload. And the good news is we can verify that, because I've got the packet capture still open. Let's go take a peek. So here in the packet capture, if we take a look at the actual payload, it's ICMP, it's an echo request, and then we have an IPv4 header, but that IPv4 header that we see right here, the original packet, has been encapsulated in the layer 4 protocol of GRE, which is protocol number 47. Then for the outside IP header, the one the internet sees, it has the source address of 25.2.2.2 and the destination address of 15.1.1.1.

But the big problem is we're not encrypting that data. If an eavesdropper, an ISP, anybody in the path on the internet takes that packet and looks at the payload, they can plainly see exactly what it is. There's absolutely no confidentiality regarding those IP packets, and that's where we bring to the table a little protocol called IPsec, which is really a family of protocols that can help encrypt and protect the data while it's in transit. Because we have a tunnel interface that's currently working, all we need to do is apply an IPsec profile to that tunnel interface, and it automatically says, "Great, I get it. Any time I send traffic through the tunnel, I will encrypt it," and then the other side of that tunnel can decrypt it. So we're protecting that data as it crosses over the internet.

For this demonstration I've got an IPsec profile already configured. I'm simply going to apply that IPsec profile to the tunnel interface, and boom, we're done. Let's do it. Here's the syntax: we went into interface configuration mode for the tunnel and we said tunnel protection ipsec profile and the name of a profile that I previously created, and boom, it's done. Now it's saying, "I'm not too happy about this," because the other side of the tunnel is not yet configured. Let's go over to R2 and we will apply the same config over there, because it also has an IPsec profile already created; I'm simply applying that profile to the interface. So now, on either one of the routers, if we wanted to look at the IKE phase 1 and the IKE phase 2 tunnel information, we do show crypto isakmp sa for the IKE phase 1 tunnel information, and if we want to see the IKE phase 2 tunnel, or the IPsec tunnel, we can do a show crypto ipsec sa, for security association. And there it is. This is showing us the number of packets encrypted and decrypted, as well as the interesting traffic. So even though we're not using a crypto map, which is an older way of doing it, because we applied the IPsec profile to a GRE tunnel interface, here it specifies that any traffic between these two peers, if it happens to be protocol 47, which is the protocol number for Generic Routing Encapsulation, go ahead and encrypt it.

And here's what that means in measurable terms. Now, if we send traffic over this tunnel between these two devices, anybody who's eavesdropping in the middle will not be able to make sense of the contents of the data, because they simply don't have the keys to unlock the data. That's one of the benefits of IPsec: we're protecting that data through encryption. So to verify that, here on R2 let's go ahead and do that same thing we did earlier: ping over to 10.12.12.1, 1,000 bytes, and we'll send a data pattern of 7777. The capture is still running, so let's go take a look at the capture. At layer 4 it's pointing to the layer 4 protocol of ESP, which is protocol 50. Now, this is the important part: all that data that previously was a bunch of www in ASCII, or 7777 in hex, all that information is now encrypted, and the only two devices that can make sense of this data, and have the ability to encrypt and decrypt it respectively, are R1 and R2, the two ends of this tunnel. So it was a GRE tunnel, we put the IPsec profile on it, and now it's an IPsec site-to-site tunnel.

So the goal of having an IPsec tunnel is taking traffic from one site, like the 10.10 network with PC1, and protecting that traffic with IPsec as it gets shipped over the tunnel over to site two, like PC2. So my question for you is this: is the tunnel going to be used to protect that traffic between PC1 and PC2, and PC2 and PC1, or not? If you would think about that for a moment, in the comments below I'd love your opinion: it will be protected, or it won't be protected, or maybe the traffic won't even work at all. I'd like to know your feedback, so put that in the comments below and we'll follow it up with another video that helps identify will it work, will it not work, and if not, why not. So we'll take a look at all that in the next video. Thanks for joining me for a few moments today in this video. I've enjoyed being with you, and I'll catch you in the next video.
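The GRE-versus-ESP contrast shown in the packet capture above, as an added Python example that is not from the video: it parses a constructed GRE-encapsulated echo request carrying the 0x77 data pattern and a constructed ESP packet, and reports what an on-path observer can recover from each. The addresses and protocol numbers come from the video; the packet bytes are constructed here, and the ESP payload is a fixed stand-in for ciphertext, not real encryption output.

```python
import struct

GRE_PROTO = 47   # IPv4 protocol number for GRE (seen in the capture before IPsec)
ESP_PROTO = 50   # IPv4 protocol number for ESP (seen after tunnel protection)


def ip_bytes(addr):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left 0; constructed sample only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]


def inspect_on_path(pkt):
    """What an eavesdropper on the Internet path can recover from one outer packet."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == GRE_PROTO:
        # Plain GRE: 4-byte base header (flags/version, protocol type), then inner IPv4
        isrc, idst, iproto, ipayload = parse_ipv4(payload[4:])
        return {"outer": (src, dst), "l4": "GRE", "inner": (isrc, idst),
                "inner_proto": iproto, "payload": ipayload}
    if proto == ESP_PROTO:
        # ESP exposes only the SPI and sequence number; everything after is ciphertext
        spi, seq = struct.unpack("!II", payload[:8])
        return {"outer": (src, dst), "l4": "ESP", "spi": spi, "seq": seq, "payload": None}
    return {"outer": (src, dst), "l4": proto, "payload": payload}


# Constructed sample 1: R2's ping (ICMP echo, 1000 bytes of 0x77) inside GRE, as in the video
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x77" * 1000
INNER = build_ipv4("10.12.12.2", "10.12.12.1", 1, ICMP_ECHO)
GRE_PACKET = build_ipv4("25.2.2.2", "15.1.1.1", GRE_PROTO, b"\x00\x00\x08\x00" + INNER)

# Constructed sample 2: the same flow after 'tunnel protection ipsec profile'; the bytes
# after SPI and sequence number are a fixed stand-in for ciphertext, not real encryption
CIPHERTEXT_STANDIN = bytes((i * 131 + 7) % 256 for i in range(1048))
ESP_PACKET = build_ipv4("25.2.2.2", "15.1.1.1", ESP_PROTO,
                        struct.pack("!II", 0xC0FFEE, 5) + CIPHERTEXT_STANDIN)

if __name__ == "__main__":
    for name, pkt in (("GRE", GRE_PACKET), ("ESP", ESP_PACKET)):
        view = inspect_on_path(pkt)
        visible = view["payload"] is not None and b"\x77" * 8 in view["payload"]
        print(name, view["outer"], view["l4"], "pattern visible" if visible else "payload opaque")
```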
Info
Channel: Keith Barker
Views: 6,108
Keywords: ccna, cisco, 200-301, Cisco CCNA, Cisco Certification, ogit, Keith Barker, ipsec vpn, ipsec tunnel, cisco ipsec vpn, cisco ipsec tunnel configuration, cisco ipsec vpn configuration, cisco ipsec site to site vpn configuration
Id: NBUa-HA-1TE
Length: 9min 42sec (582 seconds)
Published: Fri Oct 16 2020