Site to Site VPNs for CCNAs

Video Statistics and Information

Captions
Hey everyone, Anthony Sequeira here with StormWind.com, and today I'm going to do something a little dangerous. That's right, we are going to go ahead and look at a configuration that CCNA students are not responsible for. I repeat: you are not responsible for this configuration if you are a CCNA. A lot of my students in class were very interested in VPN technologies, and this was great, because as you know, as a CCNA student you are responsible for VPN technologies, but it's an overview of virtual private networking. My students were so interested when we were talking about this that I promised them a video that would demonstrate a basic site-to-site VPN configuration and verification. Now again, what you're about to see you are not responsible for in an exam environment, but I want to show you just how easy it is to set up, and just how fun it is, and just how simple it is to do some verifications to make sure that your site-to-site VPN is working.

So when we talk about a site-to-site VPN, we're going to talk about a couple of hosts here. These hosts, Host A and Host B, are behind routers R1 and R2. We can pretend that the Internet is in the middle, and of course we're going to create a VPN tunnel between these routers to secure certain information that is going between the hosts.

Now let me tell you a little bit about the setup so that you can emulate this yourself. Yeah, you can do this yourself. What I did was I used a router for Host A and a router for Host B, and then routers, surprise surprise, for R1 and R2. Let me show you my setup a little bit. There's nothing up my sleeves, folks, but I did pre-configure a little bit here so that I wouldn't bore you with the basics of this topology setup. If we look at Host A here, for example, and do a show ip interface brief, we can see that I used the 10.10.10.100 network for Host A to connect to router 1, and if you do a show ip route you can see that I put in a default static route pointing to R1. So R1 is Host A's default gateway to get to the rest of the world. Let's slide over and take a look at R1. R1 is configured with EIGRP so that it can learn of the remote Host B network, so between R1 and R2 we're running EIGRP. Let's go over finally and take a look at Host B. There's going to be no surprise there. If we do a show ip interface brief, we can see that I used the 10.20.20 network over on Host B to make connectivity to router 2, and if we do a show ip route over there, you can see a simple static default route pointing to the R2 device in order to give Host B connectivity to the rest of the world. All right, so just a simple configuration here. I'm using, once again, 10.10.10 over on the Host A network, 10.20.20 over in the Host B network, and I'm using 192.168.1 to simulate the Internet here in this cloud. All right, excellent.

Well, it's time to go in and configure a site-to-site VPN between R1 and R2 that'll be triggered by certain traffic flowing between Host A and Host B. Let's do it. So we're going to begin our configurations over on R1. Now, you remember about these site-to-site VPNs, you remember that we're going to use that IKE protocol, the Internet Key Exchange protocol, to set up a secure channel, or what I called in class the cone of silence, if you want to think about Get Smart. So we're going to set up that management channel, if you will, so that they can negotiate and discuss how they're going to secure the actual data that is transferred back and forth. You remember that IKE is part of that ISAKMP suite, so the first thing that we do is we set up an ISAKMP policy here on the device. How are we going to set up this cone of silence? Well, we're going to go ahead and use pre-shared key information, and for encryption we'll use Triple DES, we'll use Diffie-Hellman group 2, we'll use MD5 for hashing, and we'll set up a lifetime on this of 86,400 seconds. I'm not in a real secure environment here, so I'll set these lifetimes really high so that this can persist without needing to be renegotiated. So there you go, folks, there's setting up the IKE phase 1 information as we discussed in our class.

Now, I said that I'm going to do pre-shared key, so I'd better set up the pre-shared key information that ISAKMP will use. We'll put in a plaintext password of cisco here, which will be hashed in the configuration, by the way, and the address of our peer is going to be 192.168.1.2. Let me just check the addressing here, do show ip interface brief. Yep, that's the right addressing. Okay, great, so we have set up the pre-shared key for ISAKMP that we're going to use with our partner.

Now what we need to do is we need to indicate, for the data itself, for the data itself that they're going to exchange, how is IPsec going to protect the traffic? We create what's called an IPsec transform set that dictates how we're going to protect that traffic. Watch this: we say crypto ipsec transform-set, I'll call mine TRANS, and we're going to use ESP-3DES, and we're going to use ESP-SHA-HMAC for the integrity checking and all that good stuff. So notice, very similar to what we did with our ISAKMP policy, we are with our IPsec policy just dictating the particular protocols from our protection suite that we are going to use.

The next thing that we're going to do is we're going to create an extended access list that defines what traffic will be protected by the tunnel. Very important here: this is not an access list, as I'll prove to you, that dictates what can flow between these routers. No, no, this is what we call a crypto access list. This is going to define what traffic will be protected by the VPN. Anything that doesn't fall within this access list will be transferred, but it will not be protected by the VPN tunnel. Notice here we're going to, just in a very lazy manner, say all right, all ICMP traffic will go ahead and encrypt in the tunnel. We obviously will do a ping to test, and ping will fall within the definition of that extended access control list.

All right, it's time to tie all of these ingredients together in what we call a crypto map, and this crypto map is going to be assigned to an interface. So I'm creating one for IPsec and ISAKMP, and it says okay, this crypto map will not be enabled until you define at least who we're going to peer with. Well, we'll define that and more. We'll say look, if you match on the extended access list 100, please protect the traffic. You're going to be doing a VPN peering with 192.168.1.2. Let's go ahead and use Diffie-Hellman group 2, let's set a transform set of TRANS, we created that earlier, and let's set a security association lifetime in seconds. Ah, let's say security association lifetime, we'll do it in seconds, and that will be 86,400. There you go, we tie all these ingredients together in a crypto map, and now we go to the appropriate interface facing R2 and we tie that crypto map to the interface with the crypto map command. Wonderful. Now notice what happens: ISAKMP just transitioned to the on state, and ISAKMP is ready to make that cone of silence with R2 and negotiate how IPsec will protect the data that we've defined to be protected in our extended access control list.

Did I go too fast? Well, I apologize, but guess what, you get to see it again. Yeah, sure, we get to see the mirror-image configuration on the R2 device, so let's go over there and let's do it. Here we go. First, IKE phase 1: we do our ISAKMP policy, we set pre-shared key for the authentication, we set the encryption to Triple DES, we set the Diffie-Hellman group to 2, we set the hashing to, hmm, what did I set the hashing to over on the other device? Let's check. Remember, this stuff is going to need to match in order for them to form their association. I set it to MD5. All right, good, let me go back over to R2, set it to MD5 over here, let's set that lifetime to 86400, and let's set our pre-shared key information: crypto isakmp key, I'm going to put it in encrypted, that's why we put the zero there, and our peer address is 192.168.1.1. All right, excellent.

Let's create our transform set. We say crypto ipsec transform-set MYTRANS, and it'll be ESP-3DES, and I did ESP-SHA-HMAC. We are going to exit that. We're going to create our extended access list that defines what is going to be protected in the tunnel: ICMP traffic from anywhere to anywhere. And our crypto map, as you might guess. You get real good at these with practice. There's a lot of steps, but if you break it down, it's not bad: we do IKE phase 1, we do IKE phase 2, and then we tie it all together in a crypto map after we define our crypto ACL. Yeah, just break it down step by step. So here we go: crypto map MYMAP, and this is an ipsec-isakmp type situation we're configuring here. We'll match on the extended access list 100, we will go ahead and set our peer to 192.168.1.1, we will set the group, we will set the transform set we created, MYTRANS, and we will set the security association lifetime in seconds, and we will go to the appropriate interface and tie the crypto map in, MYMAP, and we will go ahead and note that ISAKMP has clicked on and we are ready to verify that all our site-to-site VPN work actually functions as we would want it to.

What's our verification command? Well, there's two of them. You can verify IKE phase 1 and you can verify IKE phase 2. Let's verify IKE phase 1. I'll do show crypto isakmp sa, and there is nothing going on with IKE phase 1. If I check IKE phase 2, show crypto ipsec sa, there is no packets being encrypted and there's no packets being decrypted. There is nothing going on with IKE phase 2. This is not a surprise, is it? Because in order to trigger the site-to-site VPN we're going to need some of that ICMP traffic that we've defined to be encrypted. All right, let's try it. So what we're going to do is we're going to go over to Host B, and on Host B we're going to do a ping all the way over to Host A at 10.10.10.100, that's Host A, and I'll do a big repeat count on this, like ten thousand packets, and uh oh, we have a reachability problem. Oh, there we go. Oh, and guess what the reachability problem was? The tunnel being established. Oh my goodness, look at this: while the tunnel was being established we were not able to reach that remote destination. Once the VPN tunnel got established, it looks like we're okay. Oh my goodness, this is amazing. Let's check R2 and let's do that show crypto isakmp sa, and look, it did indeed set up that cone of silence to negotiate how the data would be protected with IPsec. And let's check out the IPsec SA. Oh my goodness, look at this, we are now encrypting and decrypting packets. Wow. So the VPN tunnel did establish itself and it did start protecting the traffic as we would want it to.

Now let's prove something about that crypto access list and traffic being passed unencrypted. Let's test that. So what I'm going to do is I'm going to go over to the R, excuse me, the Host B device that's doing the ping, and I'm going to stop the ping. Okay, the ping is now stopped. We're going to go over to the R2 device and we're going to rerun the show crypto ipsec sa, and we're going to see we stopped at five hundred and fifty-three packets encrypted. If I run it again, we see we're still at 553. Because I'm paranoid, I'll run it one more time. Yep, we stopped at five hundred and fifty-three packets. Now what we're going to do is we're going to go to Host B and we are going to Telnet to Host A. We telnet into Host A, we go over to R2, we rerun the show crypto ipsec sa, and we are still at 553 packets encrypted. So you see what happened here: Telnet was allowed to go through these R1 and R2 devices no problem, and sure enough, it just wasn't protected by the tunnel. So we can see that crypto access list that was a key component of our configuration, it's just defining what gets protected by the tunnel. It is not restricting traffic to any particular traffic form.

Well, folks, I hope you enjoyed this presentation on creating the site-to-site VPN, and remember what I said: this was a little dangerous because I don't want CCNA students to be in a panic thinking that they have to have that configuration memorized like I have it for their certification exam environment. No, no, no, no, not at all. We obviously need to know about VPNs conceptually in the exam environment, but we are not responsible, at the CCNA Routing and Switching level, we're not responsible for the configurations. Well, thank you so much for joining me in this presentation where we took a look at the wonderful world of site-to-site VPNs and their configuration.
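The configuration the video walks through on R1 and R2, written out below as an added worked example; it is not a config file from the video or from StormWind. The addresses (192.168.1.1 on R1, 192.168.1.2 on R2), the algorithms (3DES, MD5, DH group 2, ESP-3DES/ESP-SHA-HMAC), the key `cisco`, the lifetimes and access-list 100 are the values spoken in the video. The ISAKMP policy priority 10, the names TRANS and MYMAP (used on both routers here for symmetry, where the video uses MYTRANS/MYMAP on R2), crypto-map sequence 10 and the interface name GigabitEthernet0/0 are assumptions, since the video never shows them.

```cisco
! ===== R1 (WAN 192.168.1.1, peer R2 at 192.168.1.2) =====
! IKE phase 1 (ISAKMP policy): how the management channel is protected.
! Priority 10 is an assumption; it is only the local ordering of policies.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! Pre-shared key for the peer. The leading 0 means the key that follows is
! typed in cleartext; IOS only obfuscates it (type 7) in the running-config.
crypto isakmp key 0 cisco address 192.168.1.2
!
! IKE phase 2 (IPsec): the transform set for the data itself.
crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
!
! Crypto ACL: defines what gets protected, NOT what is allowed through.
access-list 100 permit icmp any any
!
! Crypto map ties the ingredients together (name and sequence assumed).
crypto map MYMAP 10 ipsec-isakmp
 match address 100
 set peer 192.168.1.2
 set pfs group2
 set transform-set TRANS
 set security-association lifetime seconds 86400
!
! Apply the map to the interface facing R2 (interface name assumed).
interface GigabitEthernet0/0
 crypto map MYMAP
!
! ===== R2 (WAN 192.168.1.2, peer R1 at 192.168.1.1): the mirror image =====
! Everything that is negotiated must match R1: same encryption, hash,
! group and authentication in the policy, same transform set, and a
! crypto ACL that is the mirror of R1's.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp key 0 cisco address 192.168.1.1
crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
access-list 100 permit icmp any any
crypto map MYMAP 10 ipsec-isakmp
 match address 100
 set peer 192.168.1.1
 set pfs group2
 set transform-set TRANS
 set security-association lifetime seconds 86400
interface GigabitEthernet0/0
 crypto map MYMAP
!
! ===== Verification (run on either router) =====
! Phase 1: empty until interesting traffic (ICMP) triggers negotiation,
! then one entry for the peer. Phase 2: the #pkts encaps/encrypt and
! #pkts decaps/decrypt counters climb while the ping runs and stay flat
! while Telnet, which does not match ACL 100, crosses in the clear.
! show crypto isakmp sa
! show crypto ipsec sa
```

Two caveats a practitioner would add to what the video shows. First, 3DES, MD5 and DH group 2 are the legacy choices the video uses for a lab and are marked as weak by current IOS releases; a real deployment would use AES, SHA-2, a larger DH group and a pre-shared key that is not `cisco`. Second, `permit icmp any any` is the deliberately lazy crypto ACL from the video: it protects only ping, which is exactly why the Telnet test passes unencrypted. A production crypto ACL would match the two site prefixes (10.10.10.0 to 10.20.20.0 and its mirror on R2) so that all inter-site traffic is protected, and any actual filtering of what may pass belongs in a separate interface ACL, not in the crypto ACL.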
Info
Channel: StormWind Studios
Views: 187,764
Rating: 4.8903108 out of 5
Keywords: cisco, vpn, training, ccna, routing, switching, Cisco Systems (Organization)
Id: -hoKtNauHjI
Length: 19min 31sec (1171 seconds)
Published: Fri Oct 12 2012