sVTI-Based VPN Configuration

Captions
Hey everyone, Charles here. Welcome back to the channel. In this video I want to take a look at a topic from the SCOR blueprint, that being sVTI-based VPNs, sVTI meaning static virtual tunnel interface. This is actually a newer, more simple approach to VPN configuration that uses a tunnel interface, and that means we don't have to use crypto maps with access control lists. Let's jump in and take a look.

You can see the topology on screen with a couple of routers interconnected, very simple. I'm going to configure a site-to-site IPsec VPN, and much of this will look the same as what we've previously done in our site-to-site VPN video. Router 1, you can see, is at 10.10.10.1; Router 2 is at 10.10.10.2.

So here on Router 1 let's start with our IPsec phase 1 configuration. Under global configuration mode let's say crypto isakmp policy. I want to give that a policy number, which I'm just going to make 1. If we look at our contextual help options we see those same attributes once again. Remember our HAGLE mnemonic, which outlines all of the attributes we need to match on each side: the hash, authentication, group, lifetime and encryption. So let's say hash sha512, authentication pre-share, let's say group 14, lifetime I'll set that to 3600, let's say encryption aes 256. Let's configure our pre-shared keys now, so let's say crypto isakmp key. I'm going to make that very simply cisco. We want to identify our remote peer by saying address, and the address is of course 10.10.10.2 because we're working from Router 1 at the moment. Let's say do show crypto isakmp policy just to make sure everything's in place, and that looks good.

Let's go over to R2 now. We'll do something very similar: global configuration mode, crypto isakmp policy 1, we want to say hash sha512, authentication pre-share, we'll say group 14, lifetime 3600 and encryption aes 256. Let's configure our pre-shared key: crypto isakmp key, that was cisco, and for the address we want to point to Router 1 at 10.10.10.1. We'll say do show crypto isakmp policy and everything looks good there.

Now we can move to our phase 2 configuration. I'm going to jump back to Router 1 and we can say crypto; instead of isakmp we want to say ipsec. We want to configure the transform-set, and we need to give that a name; I'm going to make that REMOTE in all caps. We have to define one method for encryption and one method for authentication, and you can see all of those options in our contextual help. I'm going to say esp-aes 256 followed by esp-sha512-hmac. Now we can set our mode by saying mode; again you can see we can do transport or tunnel mode, and this time we want to choose tunnel. Now we want to create an IPsec profile, so let's say crypto ipsec profile followed by a name; I'm going to make that very simply IPSEC in all caps. We attach our transform set to this profile by saying set transform-set, and the name of that was REMOTE.

Let's go over to Router 2 and do the same thing: crypto ipsec transform-set, the name of that is REMOTE, esp-aes 256 esp-sha512-hmac. We want to set our mode to tunnel. Now we want to create our profile: crypto ipsec profile, the name is IPSEC. Now we want to attach our transform set by saying set transform-set, and the name of that is REMOTE.

And now what we do is we create a tunnel interface and add our IPsec profile to that. This is very similar to creating a normal GRE tunnel, where we would set a source and destination address. So let's go back to R1, and under global configuration mode let's say interface tunnel 0. That gets us under tunnel interface configuration mode; you can see the tunnel state changed to down because now we've created a virtual tunnel. Let's say tunnel source to set the source to our local interface IP address, 10.10.10.1. Let's say tunnel destination; we want to set that to, of course, 10.10.10.2. Now we need to say tunnel mode, and if we look at contextual help you'll see some familiar options under there. If we were creating a normal GRE tunnel, if you're familiar with that, this is where we would typically set that to gre mode. In this case we want to say ipsec, and contextual help indicates that we need to specify ipv4 or ipv6. Of course in our case we're using ipv4, and finally I'll hit enter. We can set our tunnel protection mode by saying tunnel protection. If we look at contextual help you'll see that we can use a pre-shared key or we can use ipsec. We obviously want to choose ipsec, and you can probably guess we of course need to specify our IPsec profile that we created by name, which was IPSEC in all caps. And I did forget the profile keyword, so I need to say profile first before I do that, followed by IPSEC. So now when we hit enter we see a message letting us know that ISAKMP is on and the tunnel interface is up, so that all looks good.

Let's go to R2 and let's do the same thing. Let's go under global configuration mode, interface tunnel 0. And one thing I just realized we forgot to do on R1: let's go back under our tunnel, we're still under there, we didn't give this tunnel an IP address. So let's say ip address; we can make that anything we want, I'm just going to make that 50.50.50.1 with a 24-bit subnet mask. So, almost forgot to do that. Back over on R2 we've created our tunnel; let's give it an IP address here likewise. We'll make that 50.50.50.2 in this case with a 24-bit subnet mask. Let's say tunnel source, that is 10.10.10.2; tunnel destination 10.10.10.1; tunnel mode, we want ipsec and we want to indicate ipv4. We want to set our tunnel protection to ipsec, we want to call out the profile, and the name of that profile is IPSEC. We'll hit enter and we're going to see a similar message letting us know ISAKMP is on and the tunnel is up.

If we break out of here and we say show ip interface brief we're going to see our tunnel interface. Let's say show interface tunnel 0, and this is going to tell us that our tunnel is up, the encapsulation is tunnel, we see our source and destination address, we see the address that we assigned it, 50.50.50.2 in this case because we're on Router 2, and we see that we are using IPsec. So all of that looks good. If we break out of here and we say show crypto session we see our peer listing over UDP port 500; our peer is Router 1 at 10.10.10.1. UDP port 500, by the way, is used by IPsec-based VPNs for establishing those secure tunnels. We also see that our session is in the UP-ACTIVE state, which is exactly what we would want to see.

That's all for now. If you'd like to support this channel please consider subscribing, leaving a comment or sharing this video with someone you think may enjoy it. That's the best way you can support what I'm doing. If you'd like to support the content I'm creating even more, please consider checking out the membership links found in the video description. I hope you found this content useful and I want to thank you sincerely for watching.
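The full sVTI configuration walked through in the video, collected here as an added example (this is not the channel's own config file; it is assembled from the commands spoken in the captions). The phase 1 and phase 2 settings, the transform set and profile names, the tunnel addresses and the WAN addresses are exactly those used in the video. Two things are assumptions not present in the video: the pre-shared key is shown as a placeholder rather than the lab value, and the LAN prefixes 192.168.1.0/24 behind R1 and 192.168.2.0/24 behind R2 are hypothetical, added only to show the one piece a crypto-map user tends to miss, which is that with a VTI the route into Tunnel0 is what selects the traffic to be encrypted (there is no interesting-traffic ACL).

```cisco
! ===== R1 (WAN 10.10.10.1) =====
! IKEv1 phase 1: the HAGLE attributes must match on both peers
crypto isakmp policy 1
 hash sha512
 authentication pre-share
 group 14
 lifetime 3600
 encryption aes 256
! Pre-shared key for peer R2. Placeholder: use a long random secret in production.
crypto isakmp key <PSK-PLACEHOLDER> address 10.10.10.2
!
! Phase 2: transform set and IPsec profile (no crypto map, no ACL)
crypto ipsec transform-set REMOTE esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec profile IPSEC
 set transform-set REMOTE
!
! Static VTI: the tunnel interface itself carries the IPsec protection
interface Tunnel0
 ip address 50.50.50.1 255.255.255.0
 tunnel source 10.10.10.1
 tunnel destination 10.10.10.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
!
! Assumed LAN behind R2 (hypothetical prefix, not in the video): routing the
! prefix into Tunnel0 is what causes that traffic to be encrypted.
ip route 192.168.2.0 255.255.255.0 Tunnel0

! ===== R2 (WAN 10.10.10.2) =====
crypto isakmp policy 1
 hash sha512
 authentication pre-share
 group 14
 lifetime 3600
 encryption aes 256
! Same placeholder key as R1, now pointing at R1's address
crypto isakmp key <PSK-PLACEHOLDER> address 10.10.10.1
!
crypto ipsec transform-set REMOTE esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec profile IPSEC
 set transform-set REMOTE
!
interface Tunnel0
 ip address 50.50.50.2 255.255.255.0
 tunnel source 10.10.10.2
 tunnel destination 10.10.10.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
!
! Assumed LAN behind R1 (hypothetical prefix, not in the video)
ip route 192.168.1.0 255.255.255.0 Tunnel0

! ===== Verification (run on either router) =====
show crypto isakmp policy
show ip interface brief
show interface Tunnel0
show crypto session
show crypto ipsec sa
```

When checking the result, the line/protocol state of Tunnel0 in show ip interface brief and the UP-ACTIVE session state in show crypto session are the two things to confirm first; show crypto ipsec sa then shows the encrypt and decrypt packet counters climbing once traffic is routed into the tunnel, which is the quickest way to tell a tunnel that is up from a tunnel that is up but carrying nothing because the routes are missing.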
Info
Channel: Charles Judd
Views: 297
Keywords: cisco, ccna, ccnp, ccie, enterprise infrastructure, 300-410, 350-401, 200-301, networking, IT, SCOR, 350-701, VPN, svti, static virtual tunnel interface, ipsec, 1.4 sVTI
Id: k58klOiUzhk
Length: 9min 37sec (577 seconds)
Published: Fri Sep 17 2021