Create an IPsec VPN tunnel using Packet Tracer - CCNA Security

Captions
In this video I'm going to configure an IPsec VPN tunnel using Packet Tracer. I'm using Packet Tracer 7.1.1, but you could do the same lab using Packet Tracer 6.3. You'll just need three 1941 routers, two 2960 series switches and two PCs, which you can just drag and drop and then connect together. Remember, for the 1941 routers, connect them with crossover cables in Packet Tracer, and then you're ready to go.

Now I've already configured the interface IP addresses on these routers, and I've also got a default route on R1 and R3 pointing towards the ISP router. I've put no static routes on the ISP router, so we're not able to ping across the network. The ISP router only knows about two networks: if I open it up and look at the routing table, you'll see that it only knows about its two connected networks, that is, it knows about this network here, 209.165.100.0, and 209.165.200.0, on each interface. So it cannot route to this one network and this three network, so pings across will not work, they will fail. I'll just delete these really quickly and we'll do it one more time here, so pings across are going to fail. Also a ping from, let's say, the PC to the ISP will also fail, because this router here doesn't know about this three network and this router up here doesn't know about this one network.

How we're going to make this work is we're going to create an IPsec VPN tunnel, and then these networks will be tunneled across, and the ISP router won't even realize it's carrying traffic from a one network to a three network, because those IP addresses will be the tunneled IP addresses, the second IP header in the packet headers.

Now, to make an IPsec VPN tunnel you need to have the technology or security license on the router. R3 already has that security license upgrade, but R1 doesn't. Let's see if we can upgrade it to the security license here. I've already checked, as you can see here, that it doesn't have the security license; I did a show version command to check that.

So now I'll go to global config mode and I'll say license boot module c1900 (for the 1900 series routers) technology-package securityk9, and then I'll hit Enter, and then I have to accept the license agreement, so I'll type yes, and that upgrades the license. Then I'll save the configuration and reload the router, and once the router reloads I can check again to make sure that I now have the security license. I have it in a trial evaluation period, but you'll need the security license if you want to do an IPsec VPN tunnel. So I'll do a show version command here and you can see, there it is: security, securityk9, evaluation. So now, with the security license enabled, I can go ahead and do an IPsec VPN tunnel.

Now the configurations that I put on R1, R2 and R3, they look like this. No, not like that, they look like this. So here are the configurations I put on R1, the ISP router and R3, and you can see it's just the interfaces that are configured. The ISP router just has the interfaces configured, no static routes, R3 has a default route pointing towards the ISP, and R1 has a default route pointing towards the ISP. I'll post these configurations in the description below the video so you can just copy and paste them into your Packet Tracer if you want to build this. I'll paste those configurations so that you can start out at this point. Also I'll put in the configuration for setting up the securityk9 license. So once you have that set up you're ready to go.

All you've got to do to set up the IPsec VPN tunnel is put in these pieces. One, you're going to need to set up an access list to permit the traffic, or the matching traffic, that will go across the tunnel. Two, you're going to set up your ISAKMP policy, this is phase one, and your ISAKMP key, this is phase one of the IPsec tunnel. Then you're going to set up your IPsec transform set, which is phase two of the IKE negotiation, the setup of the tunnel process; the IPsec is phase two. Then you're going to create a crypto map to tie it all together, and then apply the crypto map to the interface. So there are five basic components.

OK, let's get started. Now for R1 I'll go to global config mode here, and I'm going to start by pasting in my ACL. My ACL, I have it listed here in my notes, and here it is. I'll just copy that and I'll paste it in right here: access-list 100 permit ip from the one network, that's the LAN on the left side, to the three network, which is the LAN on the right side on R3. So there's my access list 100. Now I'll just go back into my notes here and switch these around, three and one, so from the three network to the one network, and then I'll just copy and paste that into the other router. So now on R3 I'll set up that same access list. When you set up an IPsec VPN tunnel, the configurations kind of have to match on either side. OK, so let's see here, I'll paste that and we'll double check that it's right: access list 100 permit the three network to reach the one network. OK, so now I have access list 100 on either side that permits traffic from this network to reach this network, and on this router from this network to reach this network. OK, so ACLs are done.

Now we're going to set up the ISAKMP policy. So for the ISAKMP policy I'll go back to my notes here and you can see here crypto isakmp policy 10. We're going to use encryption AES with a 256-bit key, for authentication we're going to use a pre-shared key, and Diffie-Hellman group 5 for key exchange. So I'll just grab this and I'll copy it and I'm going to paste that in on either router. Paste, and there's my crypto isakmp policy with encryption, authentication using pre-shared keys, and Diffie-Hellman group. That looks good, and I'll paste that same thing in on the other side. There we go.

Next, looking at my notes here, I've got to do the ISAKMP key. The password will be secret key, and then the address is the peer router. So if I'm R1, R3's outside interface is 209.165.200.1. In other words, when I do this on R1 I want to use the address of the router on the opposite side of the tunnel, the outside-facing interface right here. So that's what I'm going to do. So I'll just grab this and I'll copy it, and then on R1 I'll just paste that in. I'll exit and go back to global config mode and paste it in, and there it is. And now on the other router I'll go in there and exit, and I'll paste it in, and then I'm going to change the address; I'll change that address to 100.1, which is the IP address of R1's outside interface. So there are our keys. Now we need the same key, the same password, on either side: crypto isakmp key secret key and then the peer router's IP address. So if I'm R3, 209.165.100.1 is this router here, R1, this interface here. All right, so we've set up part 1 and part 2.

Now we've got to set up our IPsec transform set, which is phase 2. So let's take a look at that. The crypto ipsec transform-set, you give it a name; in this case I gave it the name R1-to-R3, and then we're going to use ESP AES encryption with a 256-bit key, and then ESP SHA HMAC for a keyed hash. So we'll do this: I'll just grab this and copy it and I'll paste that into R1. Paste, and that is R1-to-R3. Now I'll paste the same thing into R3, but then I'll change the name so it makes sense; this will be R3-to-R1. So for IPsec phase 2 we're going to use Encapsulating Security Payload, AES encryption 256-bit, and ESP SHA HMAC, which stands for keyed-hash message authentication code; this provides integrity and authentication. OK, so we have that done.

So now, going back to my notes, we've got the IPsec transform set, and now all we need to do is set up our crypto map. Now the crypto map, you have to give it a name, so I gave it the name IPSEC-MAP, then the number, I gave it the number 10, and then ipsec-isakmp, so this is what we're going to be using in the crypto map, we're going to be using IPsec and ISAKMP. You have to set your peer address of the other router, then perfect forward secrecy group 5, the security association lifetime, then you have to set your transform set, so I give it the name of the transform set that I'm using, which I set over here, and then the matching addresses that are going to activate the VPN tunnel, this match address, and this is access list 100. So this tells it that the access list will be 100, the transform set is R1-to-R3 over here, the security association lifetime, perfect forward secrecy, we're using Diffie-Hellman group 5, and then the peer router at the other end of the tunnel. So this works for R1, because 200.1 is at the other end of the tunnel and our transform set is named this, so this is set up to work for R1. So I'll just copy it and paste it into R1. Now I'll have to go over to R1, though, to set this up. So R1, and paste. All right, now that's done. Notice when it says crypto map IPSEC-MAP 10, it then says this new crypto map will remain disabled until a peer and a valid access list have been configured. So there's the peer and there's the access list that's been set up. So now I'll go back in here and go into my notes and I'm going to change this slightly: I'll change this to 100 for the opposite, and this will be R3-to-R1, and now it's set up to go the other way. So I'll copy that and paste it in here on R3. Paste, and there it is.

So now we've set up our access list, our ISAKMP policy, our ISAKMP key, and our IPsec transform set for phase 2 of the IKE negotiation process. Phase 1 basically sets up the key authentication and sets up the tunnel, and then phase 2 sets up the types of encryption that we're going to be using when we're transferring the data. So phase 1 sets up the authentication phase and sets up the tunnel, part 2 sets up the tunnel for sending the data. We set up the crypto map, which tied it all together, and now all we have to do is apply the crypto map to the interface. So the crypto map is named IPSEC-MAP, so all we have to do now is go into our interface, interface GigabitEthernet 0/0, which is the outside-facing interface, and say crypto map IPSEC-MAP, and that basically turns it on: the process starts, the ISAKMP is on.

All right, so then on the other side I'll go to the router and also go into interface GigabitEthernet 0/0, and it's the same command, crypto map IPSEC-MAP, which is the name I gave it, and that turns it on. So now it should be on and it should be working. Before, we couldn't ping across, but now we should be able to ping across. What I'll do is I'll just go in here to PC A and open up the command prompt and I'll set up a ping, and let's let that ping go for a second here. Now it's going to fail at first; I might have to give it a couple of tries to get it working here in Packet Tracer, it takes a second to get going. Over here on PC C I'll do the same thing, ping across to 192.168.1.2, and you can see I'm getting replies here, and over here you can see I also got a reply, and now I'm getting replies, there are the replies, and so it's working.

Now remember, the ISP has no idea about the one network or the three network, but yet I'm pinging across. Well, how is that? Well, it's easy. What you can do is go into the simulation mode here, and in simulation mode I'll click Show None, then Edit Filters, ICMP, and then I'll set up a packet from here to here and then Capture/Forward, and we see it hits the router and then it goes across. If we look inside the packet at the inbound PDU details, you can see, as far as the ISP is concerned, this is coming from the 209.165.100.1 address destined for 209.165.200.1, but what's inside is the ESP header and then the second IP address, which is basically encrypted in the tunnel, and there is the 1.10 to 3.10 communication, as you can see; that's actually what's happening. So the ISP doesn't see that tunneled information, and then that gets Capture/Forwarded and sent, and it reaches its destination. Woo-hoo, so pretty cool. So I'll go back to real-time mode here, and that's pretty much it.

Also what you can do is go into R1 here, Ctrl-C, and show crypto ipsec sa, for security associations, and you can see what's happening here: show crypto ipsec sa, and we can see here packets encapsulated, packets encrypted 11, packets decapsulated, packets decrypted 11. So you can see the packets are being encrypted and decrypted here. And you have more choices here under show crypto; put a question mark and you can look at ipsec, you can look at isakmp, and look at the crypto map, we can look at all the settings. But as you can see it's working, so pretty cool.
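The five pieces the video walks through (ACL, ISAKMP policy and key, transform set, crypto map, interface) have to line up on both routers, and a one-sided typo is the usual reason a lab tunnel stays down. The following Python is an added example, not the video's own configuration or a danscourses script: it renders the IOS commands for R1 and R3 from one shared parameter set, using the addresses from the video's topology, then parses both sides back and reports anything that does not match or mirror. The /24 wildcard masks, the PLACEHOLDER-PSK value and the 86400-second SA lifetime are assumptions (the video does not state a lifetime), and the class and function names are mine.

```python
"""Render and cross-check both ends of a site-to-site IPsec VPN (IKEv1/ISAKMP, crypto
map style) on Cisco IOS.  Added example; the video's lab values, not its own script."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Side:
    name: str         # hostname
    outside_ip: str   # address of the ISP-facing interface
    outside_if: str   # interface the crypto map is applied to
    lan: str          # protected LAN network
    wildcard: str     # IOS wildcard mask for that LAN (assumed /24)
    ts_name: str      # transform-set name used on this router

@dataclass(frozen=True)
class VpnParams:
    """Values that must be identical on both peers (defaults follow the video)."""
    acl_number: int = 100
    policy_number: int = 10
    encryption: str = "aes 256"
    authentication: str = "pre-share"
    dh_group: int = 5
    psk: str = "PLACEHOLDER-PSK"   # assumption: use a long random shared secret
    transform: str = "esp-aes 256 esp-sha-hmac"
    map_name: str = "IPSEC-MAP"
    map_seq: int = 10
    pfs_group: int = 5
    sa_lifetime: int = 86400       # assumption: the video does not state a value

def render_config(local: Side, peer: Side, p: VpnParams) -> list[str]:
    """IOS commands for `local`, with `peer` at the far end: the five steps in order."""
    return [
        # 1. interesting traffic: local LAN -> remote LAN
        f"access-list {p.acl_number} permit ip {local.lan} {local.wildcard} "
        f"{peer.lan} {peer.wildcard}",
        # 2. IKE phase 1: ISAKMP policy and the pre-shared key for this peer
        f"crypto isakmp policy {p.policy_number}",
        f" encryption {p.encryption}",
        f" authentication {p.authentication}",
        f" group {p.dh_group}",
        f"crypto isakmp key {p.psk} address {peer.outside_ip}",
        # 3. IKE phase 2: IPsec transform set
        f"crypto ipsec transform-set {local.ts_name} {p.transform}",
        # 4. crypto map tying peer, PFS, lifetime, transform set and ACL together
        f"crypto map {p.map_name} {p.map_seq} ipsec-isakmp",
        f" set peer {peer.outside_ip}",
        f" set pfs group{p.pfs_group}",
        f" set security-association lifetime seconds {p.sa_lifetime}",
        f" set transform-set {local.ts_name}",
        f" match address {p.acl_number}",
        # 5. apply the map to the outside interface
        f"interface {local.outside_if}",
        f" crypto map {p.map_name}",
    ]

def extract(lines: list[str]) -> dict:
    """Collect the settings that must agree (or mirror) between the two peers."""
    info: dict = {"acl": set(), "transforms": set()}
    for raw in lines:
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            info["acl"].add((t[1], *t[4:8]))          # (number, src, src-wc, dst, dst-wc)
        elif t[:3] == ["crypto", "isakmp", "key"]:
            info["psk"], info["key_peer"] = t[3], t[5]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            info["transforms"].add(tuple(t[4:]))      # algorithms only; names may differ
        elif t[0] in ("encryption", "authentication", "group"):
            info[t[0]] = " ".join(t[1:])              # ISAKMP policy sub-commands
        elif t[:2] in (["set", "peer"], ["set", "pfs"], ["match", "address"]):
            info[t[1]] = t[2]                         # crypto-map peer, pfs, ACL number
    return info

def find_mismatches(cfg_a, side_a, cfg_b, side_b) -> list[str]:
    """Problems that would keep the tunnel down; an empty list means the sides agree."""
    pa, pb = extract(cfg_a), extract(cfg_b)
    problems = []
    for key in ("encryption", "authentication", "group", "pfs", "transforms"):
        if pa.get(key) != pb.get(key):
            problems.append(f"{key} differs: {pa.get(key)} vs {pb.get(key)}")
    if pa.get("psk") != pb.get("psk"):
        problems.append("pre-shared keys differ")      # never echo the key itself
    for p, own, other in ((pa, side_a, side_b), (pb, side_b, side_a)):
        for k in ("key_peer", "peer"):                 # both must name the *other* router
            if p.get(k) != other.outside_ip:
                problems.append(f"{own.name}: {k} {p.get(k)} is not {other.name}'s outside address")
        if p.get("address") not in {n for n, *_ in p["acl"]}:
            problems.append(f"{own.name}: crypto map matches an undefined access list")
    mirrored_b = {(d, dw, s, sw) for _, s, sw, d, dw in pb["acl"]}
    if {e[1:] for e in pa["acl"]} != mirrored_b:       # src/dst swapped on the far side
        problems.append("crypto ACLs are not mirror images of each other")
    return problems

# Lab topology from the video: R1 and R3 each sit behind the ISP router.
R1 = Side("R1", "209.165.100.1", "GigabitEthernet0/0", "192.168.1.0", "0.0.0.255", "R1-to-R3")
R3 = Side("R3", "209.165.200.1", "GigabitEthernet0/0", "192.168.3.0", "0.0.0.255", "R3-to-R1")
PARAMS = VpnParams()
R1_CFG = render_config(R1, R3, PARAMS)
R3_CFG = render_config(R3, R1, PARAMS)

if __name__ == "__main__":  # print both configs, then the (empty) mismatch list
    print("\n".join(R1_CFG), "\n".join(R3_CFG), find_mismatches(R1_CFG, R1, R3_CFG, R3), sep="\n\n")
```

Running the file prints the two router configurations followed by an empty mismatch list; feeding it a deliberately broken side (a mistyped pre-shared key, or a crypto map whose peer is the router's own address) returns the problems as plain strings, which is the same information show crypto isakmp sa and show crypto ipsec sa give you only indirectly once the tunnel refuses to come up. Outside Packet Tracer, Cisco's own guidance treats Diffie-Hellman group 5 and SHA-1 HMAC as legacy; a production tunnel would use group 14 or higher (or an ECDH group) and an esp-sha256-hmac transform, which this script accommodates simply by changing the VpnParams defaults.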
Info
Channel: danscourses
Views: 190,189
Rating: 4.9406919 out of 5
Keywords: IPsec, VPN, tunnel, packet tracer, CCNA, Security, danscourses, create, how to, Cisco
Id: Z7LwU6H5IGE
Length: 18min 28sec (1108 seconds)
Published: Thu Feb 22 2018