{"id":638,"date":"2010-04-05T08:40:24","date_gmt":"2010-04-05T07:40:24","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=638"},"modified":"2010-04-05T08:51:30","modified_gmt":"2010-04-05T07:51:30","slug":"quick-practice-lab-configure-ipsec-tunnel-between-two-cisco-routers","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=638","title":{"rendered":"Quick Practice Lab: Configure IPsec Tunnel between two Cisco routers"},"content":{"rendered":"

Try this quick and simple practice lab, where a secure IPsec tunnel is configured between two routers.\u00a0 Use debug to see ISAKMP and IPsec working.<\/p>\n

<\/p>\n

\"IPSEC<\/a>

IPSEC Tunnel - Lab Practice<\/p><\/div>\n

R1 Configuration:<\/p>\n

crypto isakmp policy 10
\nencr aes 256
\nauthentication pre-share
\ngroup 5
\nlifetime 3600
\n!
\ncrypto isakmp key cisco address 192.168.23.3
\n!
\ncrypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
\n!
\ncrypto map MYMAP 10 ipsec-isakmp
\nset peer 192.168.23.3
\nset pfs group5
\nset security-association lifetime seconds 900
\nset transform-set 50
\nmatch address 101
\n!
\ninterface Loopback0
\nip address 172.16.1.1 255.255.255.0
\n!
\ninterface FastEthernet0\/0
\nip address 192.168.12.1 255.255.255.0
\nduplex auto
\nspeed auto
\ncrypto map MYMAP
\n!
\naccess-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255<\/p><\/blockquote>\n

R3 Configuration:<\/p>\n

crypto isakmp policy 10
\nencr aes 256
\nauthentication pre-share
\ngroup 5
\nlifetime 3600
\n!
\ncrypto isakmp key cisco address 192.168.12.1
\n!
\ncrypto ipsec security-association lifetime seconds 1800
\n!
\ncrypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
\n!
\ncrypto map MYMAP 10 ipsec-isakmp
\nset peer 192.168.12.1
\nset pfs group5
\nset security-association lifetime seconds 900
\nset transform-set 50
\nmatch address 101
\n!
\ninterface Loopback0
\nip address 172.16.3.1 255.255.255.0
\n!
\ninterface Serial0\/0\/0
\nip address 192.168.23.3 255.255.255.0
\ncrypto map MYMAP
\n!
\naccess-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255<\/p><\/blockquote>\n

Success Criteria:<\/p>\n

R1#sh crypto isa sa
\nIPv4 Crypto ISAKMP SA
\ndst\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 src\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 state\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 conn-id slot status
\n192.168.23.3\u00a0\u00a0\u00a0 192.168.12.1\u00a0\u00a0\u00a0 QM_IDLE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1077\u00a0\u00a0\u00a0 0 ACTIVE<\/p>\n

IPv6 Crypto ISAKMP SA<\/p>\n

R1#sh crypto ipsec sa<\/p>\n

interface: FastEthernet0\/0
\nCrypto map tag: MYMAP, local addr 192.168.12.1<\/p>\n

protected vrf: (none)
\nlocal\u00a0 ident (addr\/mask\/prot\/port): (172.16.1.0\/255.255.255.0\/0\/0)
\nremote\u00a0 ident (addr\/mask\/prot\/port): (172.16.3.0\/255.255.255.0\/0\/0)
\ncurrent_peer 192.168.23.3 port 500
\nPERMIT, flags={origin_is_acl,}
\n#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
\n#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
\n#pkts compressed: 0, #pkts decompressed: 0
\n#pkts not compressed: 0, #pkts compr. failed: 0
\n#pkts not decompressed: 0, #pkts decompress failed: 0
\n#send errors 1, #recv errors 0<\/p>\n

local crypto endpt.: 192.168.12.1, remote crypto endpt.:192.168.23.3
\npath mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0\/0
\ncurrent outbound spi: 0x0(0)<\/p>\n

inbound esp sas:<\/p>\n

inbound ah sas:<\/p>\n

inbound pcp sas:<\/p>\n

outbound esp sas:<\/p>\n

outbound ah sas:<\/p>\n

outbound pcp sas:<\/p>\n

R1#<\/p><\/blockquote>\n

<\/blockquote>\n","protected":false},"excerpt":{"rendered":"

Try this quick and simple practice lab, where a secure IPsec tunnel is configured between two routers.\u00a0 Use debug to see ISAKMP and IPsec working.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[83,13],"tags":[36],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/638"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=638"}],"version-history":[{"count":4,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/638\/revisions"}],"predecessor-version":[{"id":643,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/638\/revisions\/643"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=638"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=638"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=638"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}