
Quick Practice Lab: Configure IPsec Tunnel between two Cisco routers

April 5th, 2010

Try this quick and simple practice lab, in which a secure IPsec tunnel is configured between two routers. Use debug crypto isakmp and debug crypto ipsec to watch ISAKMP and IPsec negotiate the tunnel.

IPSEC Tunnel - Lab Practice

R1 Configuration:

! Phase 1 (ISAKMP/IKE) policy: AES-256, pre-shared key authentication, DH group 5, 1-hour SA lifetime
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
! Pre-shared key for the R3 peer (R3 must hold the same key for R1's address)
crypto isakmp key cisco address 192.168.23.3
!
! Phase 2 (IPsec) transform set: AH integrity plus ESP AES-256 with SHA-HMAC
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
! Crypto map: peer, PFS with DH group 5, 15-minute IPsec SA lifetime, traffic selected by ACL 101
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set 50
 match address 101
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
! Crypto map applied to the outside interface facing R3
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MYMAP
!
! Interesting traffic: Loopback0 subnet to R3's Loopback0 subnet (mirror image of R3's ACL)
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255

R3 Configuration:

! Phase 1 (ISAKMP/IKE) policy: must match R1's policy
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
! Pre-shared key for the R1 peer (same key R1 holds for R3)
crypto isakmp key cisco address 192.168.12.1
!
! Global default IPsec SA lifetime; the crypto map's 900-second setting below overrides it for MYMAP
crypto ipsec security-association lifetime seconds 1800
!
! Phase 2 (IPsec) transform set: identical to R1's
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
! Crypto map: peer, PFS and lifetime mirror R1's settings
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.12.1
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set 50
 match address 101
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
! Crypto map applied to the outside interface facing R1
interface Serial0/0/0
 ip address 192.168.23.3 255.255.255.0
 crypto map MYMAP
!
! Interesting traffic: mirror image of R1's access-list 101
access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
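The two ends of the tunnel must agree on the ISAKMP policy, pre-shared key, transform set, PFS group and IPsec SA lifetime, each side's peer and key addresses must be real addresses on the other router, and each crypto ACL must be the mirror image of the other's. As an added example (not part of the original lab), a small Python check that parses trimmed copies of the R1 and R3 configurations above (constructed here from one template, so the interface and ACL lines are abbreviated) and reports any setting that does not agree:

```python
import re
# Constructed, trimmed copies of the lab's R1 and R3 crypto configs, built from one template
TEMPLATE = """crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address {peer}
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer {peer}
 set pfs group5
 set security-association lifetime seconds 900
interface {intf}
 ip address {me} 255.255.255.0
access-list 101 permit ip {lan} 0.0.0.255 {rlan} 0.0.0.255"""
R1_CFG = TEMPLATE.format(me="192.168.12.1", peer="192.168.23.3", intf="FastEthernet0/0", lan="172.16.1.0", rlan="172.16.3.0")
R3_CFG = TEMPLATE.format(me="192.168.23.3", peer="192.168.12.1", intf="Serial0/0/0", lan="172.16.3.0", rlan="172.16.1.0")

def parse_crypto(cfg):
    # Pull out every setting that the two ends of the tunnel must agree on
    s = {"policy": set(), "addrs": set(), "acl": set()}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            s["psk"], s["psk_peer"] = m.groups()
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            s["transform"] = m.group(1)
        elif m := re.match(r"set (peer|pfs) (\S+)$", line):
            s[m.group(1)] = m.group(2)
        elif m := re.match(r"set security-association lifetime seconds (\d+)$", line):
            s["sa_lifetime"] = int(m.group(1))
        elif m := re.match(r"(encr|hash|authentication|group|lifetime) (.+)$", line):
            s["policy"].add(m.groups())  # ISAKMP policy attributes
        elif m := re.match(r"ip address (\S+) \S+$", line):
            s["addrs"].add(m.group(1))
        elif m := re.match(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)$", line):
            s["acl"].add(m.groups())  # (local network, remote network) pair
    return s

def check_peers(a, b):
    # Return the mismatches between two peers; an empty list means the configs agree
    problems = []
    for me, other in ((a, b), (b, a)):  # peer and key addresses must exist on the other router
        problems += [f"{k} {me.get(k)} is not an address on the other router" for k in ("peer", "psk_peer") if me.get(k) not in other["addrs"]]
    if a["policy"] != b["policy"]:
        problems.append(f"isakmp policy differs: {sorted(a['policy'] ^ b['policy'])}")
    problems += [f"{k} differs: {a.get(k)} vs {b.get(k)}" for k in ("psk", "transform", "pfs", "sa_lifetime") if a.get(k) != b.get(k)]
    if a["acl"] != {(rem, loc) for loc, rem in b["acl"]}:  # each crypto ACL must mirror the other's
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Running check_peers on the lab configs returns an empty list; change one side's PFS group, ISAKMP DH group, peer address or ACL and the mismatch is named.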

Success Criteria: the ISAKMP SA shows state QM_IDLE and status ACTIVE, and the IPsec SA counters show packets being encapsulated and decapsulated between the two loopback subnets.

R1#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.23.3    192.168.12.1    QM_IDLE           1077    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 192.168.12.1

protected vrf: (none)
local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote  ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
current_peer 192.168.23.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 192.168.12.1, remote crypto endpt.:192.168.23.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

R1#
