Scenario: Configuring Cisco Routers for IPSec

Figure 4-21 displays a simple two-router topology where traffic from network 131.108.100.0/24 is encrypted when it is sent to the remote network 131.108.200.0/24.


Figure 4-21 Scenario Topology

Example 4-19 displays the working configuration of R1, with lines numbered from 1 to 31.

Example 4-19. R1's Full Configuration

1.  version 12.2
2.  hostname R1
3.  enable password cisco
4.  crypto isakmp policy 1
5.   hash md5
6.   authentication pre-share
7.  crypto isakmp key CCIE address 131.108.255.2
8.  crypto ipsec transform-set anyname esp-des esp-sha-hmac
9.   mode tunnel
10. crypto map anyname1 1 ipsec-isakmp
11.  set peer 131.108.255.2
12.  set security-association lifetime seconds 180
13.  set transform-set anyname
14.  match address 100
15. interface Ethernet0/0
16.  ip address 131.108.100.1 255.255.255.0
17. interface Serial0/0
18.  ip address 131.108.255.1 255.255.255.252
19.  encapsulation frame-relay
20.  ip split-horizon
21.  ip ospf network point-to-point
22.  frame-relay map ip 131.108.255.2 102 broadcast
23.  frame-relay interface-dlci 102
24.  frame-relay lmi-type ansi
25.  crypto map anyname1
26. interface Ethernet0/1
27.  ip address 131.108.101.1 255.255.255.0
28. router ospf 1
29.  network 131.108.0.0 0.0.255.255 area 0
30. access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255
31. end

Example 4-20 displays the working configuration of R2, with lines numbered from 1 through 29.

Example 4-20. R2's Full Configuration

1.  version 12.2
2.  hostname R2
3.  enable password cisco
4.  crypto isakmp policy 1
5.   hash md5
6.   authentication pre-share
7.  crypto isakmp key CCIe address 131.108.255.1
8.  crypto ipsec transform-set anyname esp-des esp-sha-hmac
9.   mode tunnel
10. crypto map anyname1 1 ipsec-isakmp
11.  set peer 131.108.255.1
12.  set security-association lifetime seconds 180
13.  set transform-set anyname
14.  match address 100
15. interface Ethernet0/0
16.  ip address 131.108.200.1 255.255.255.0
17. interface Serial0/0
18.  ip address 131.108.255.2 255.255.255.252
19.  encapsulation frame-relay
20.  ip split-horizon
21.  ip ospf network point-to-point
22.  frame-relay map ip 131.108.255.1 201 broadcast
23.  frame-relay interface-dlci 201
24.  frame-relay lmi-type ansi
25.  crypto map anyname1
26. router ospf 1
27.  network 131.108.0.0 0.0.255.255 area 0
28. access-list 100 permit ip 131.108.200.0 0.0.0.255 131.108.100.0 0.0.0.255
29. end
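Before turning to the questions, here is an added checker (written for this page, not code from the book) that parses the two configurations above and reports the mismatches that most often stop a site-to-site tunnel from coming up: a peer address that does not exist on the other router, pre-shared keys that differ, transform sets that differ, and crypto ACLs that are not mirror images of each other. The constructed input reproduces only the crypto-relevant lines of Examples 4-19 and 4-20; the names parse_config, check_pair and CryptoConfig are chosen here, and the parser understands only the statement forms that appear in those examples.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the crypto-relevant lines of Examples 4-19 and 4-20,
# reproduced without the book's line numbers.
R1_CONFIG = """
hostname R1
crypto isakmp key CCIE address 131.108.255.2
crypto ipsec transform-set anyname esp-des esp-sha-hmac
crypto map anyname1 1 ipsec-isakmp
 set peer 131.108.255.2
 set transform-set anyname
 match address 100
interface Ethernet0/0
 ip address 131.108.100.1 255.255.255.0
interface Serial0/0
 ip address 131.108.255.1 255.255.255.252
interface Ethernet0/1
 ip address 131.108.101.1 255.255.255.0
access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255
"""

R2_CONFIG = """
hostname R2
crypto isakmp key CCIe address 131.108.255.1
crypto ipsec transform-set anyname esp-des esp-sha-hmac
crypto map anyname1 1 ipsec-isakmp
 set peer 131.108.255.1
 set transform-set anyname
 match address 100
interface Ethernet0/0
 ip address 131.108.200.1 255.255.255.0
interface Serial0/0
 ip address 131.108.255.2 255.255.255.252
access-list 100 permit ip 131.108.200.0 0.0.0.255 131.108.100.0 0.0.0.255
"""


@dataclass
class CryptoConfig:
    hostname: str = ""
    addresses: set = field(default_factory=set)         # every "ip address" on the router
    psk: dict = field(default_factory=dict)             # peer address -> pre-shared key
    transform_sets: dict = field(default_factory=dict)  # name -> frozenset of algorithms
    crypto_maps: list = field(default_factory=list)     # one dict per ipsec-isakmp map entry
    acls: dict = field(default_factory=dict)            # number -> [(src, smask, dst, dmask)]


def parse_config(text: str) -> CryptoConfig:
    """Pull the IKE/IPSec-relevant statements out of an IOS running-config."""
    cfg = CryptoConfig()
    entry = None  # crypto map entry whose sub-commands are being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            entry = None  # a new top-level command ends any crypto map block
        if m := re.fullmatch(r"hostname (\S+)", line):
            cfg.hostname = m[1]
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            cfg.addresses.add(m[1])
        elif m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg.psk[m[2]] = m[1]
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg.transform_sets[m[1]] = frozenset(m[2].split())
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            entry = {"name": m[1], "seq": int(m[2]), "peer": None, "transform": None, "acl": None}
            cfg.crypto_maps.append(entry)
        elif m := re.fullmatch(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg.acls.setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif entry is not None and line.startswith("set peer "):
            entry["peer"] = line.split()[2]
        elif entry is not None and line.startswith("set transform-set "):
            entry["transform"] = line.split()[2]
        elif entry is not None and line.startswith("match address "):
            entry["acl"] = line.split()[2]
    return cfg


def check_pair(a: CryptoConfig, b: CryptoConfig) -> list[str]:
    """Findings for every crypto map entry on router a that points at router b."""
    findings = []
    for ea in a.crypto_maps:
        if ea["peer"] not in b.addresses:
            findings.append(f"{a.hostname}: peer {ea['peer']} is not an address on {b.hostname}")
            continue
        eb = next((e for e in b.crypto_maps if e["peer"] in a.addresses), None)
        if eb is None:
            findings.append(f"{b.hostname}: no crypto map entry peers back to {a.hostname}")
            continue
        # Phase 1: each side must hold the same pre-shared key for the other's peer
        # address. IOS compares the key byte for byte, so case matters. The key
        # values are deliberately not echoed into the finding.
        ka, kb = a.psk.get(ea["peer"]), b.psk.get(eb["peer"])
        if ka is None or kb is None:
            findings.append(f"{a.hostname}<->{b.hostname}: pre-shared key missing on one side")
        elif ka != kb:
            findings.append(f"{a.hostname}<->{b.hostname}: pre-shared keys differ (comparison is case-sensitive)")
        # Phase 2: the transform sets referenced by the two map entries must agree.
        if a.transform_sets.get(ea["transform"]) != b.transform_sets.get(eb["transform"]):
            findings.append(f"{a.hostname}<->{b.hostname}: transform sets do not match")
        # Crypto ACLs must mirror each other; otherwise one side selects traffic for
        # encryption that the other side has no matching proxy identity for.
        for src, src_acl, dst, dst_acl in ((a, ea["acl"], b, eb["acl"]), (b, eb["acl"], a, ea["acl"])):
            for s, sm, d, dm in src.acls.get(src_acl, []):
                if (d, dm, s, sm) not in dst.acls.get(dst_acl, []):
                    findings.append(f"{dst.hostname}: access-list {dst_acl} lacks the mirror of "
                                    f"{src.hostname}'s permit ip {s} {sm} {d} {dm}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_config(R1_CONFIG), parse_config(R2_CONFIG)):
        print(finding)
```

The checker tests agreement, not strength: esp-des and hash md5 pass unchanged, and the ISAKMP policy attributes (encryption, hash, Diffie-Hellman group, lifetime) are not compared. If a permit entry for 131.108.101.0/24 is appended to R1's access-list 100 alone, the mirror check reports that R2's access-list 100 still lacks the matching entry, which is the usual way a one-sided crypto ACL change shows up in practice.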

The following debug output is seen on R2 after the network administrator, from R2's console, pings the remote address 131.108.100.1 (R1's Ethernet0/0 interface) with the ping sourced from 131.108.200.1.

  1. Why will the IPSec tunnel not negotiate properly?

    R2#debug crypto engine
    Crypto Engine debugging is on
    R2#ping
    Protocol [ip]:
    Target IP address: 131.108.100.1
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 131.108.200.1
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 131.108.100.1, timeout is 2 seconds:
    22:58:55: CryptoEngine0: generate alg parameter
    22:58:55: CRYPTO_ENGINE: Dh phase 1 status: 0
    22:58:55: CRYPTO_ENGINE: Dh phase 1 status: 0
    22:58:55: CryptoEngine0: generate alg parameter
    22:58:55: CryptoEngine0: create ISAKMP SKEYID for conn id 1
    22:58:55: CryptoEngine0: generate hmac context for conn id 1.
    22:58:55: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 131.108.255.1 failed its sanity check or is malformed....
    Success rate is 0 percent (0/5)
    R2#
  2. What subnets will be encrypted between Routers R1 and R2?
  3. What IOS command produced the following display and from which router?
    Crypto Map "anyname1" 1 ipsec-isakmp
            Peer = 131.108.255.2
            Extended IP access list 100
       access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255
            Current peer: 131.108.255.2
            Security association lifetime: 4608000 kilobytes/180 seconds
            PFS (Y/N): N
            Transform sets={ anyname, }
            Interfaces using crypto map anyname1:
                    Serial0/0
  4. Will Host A be able to communicate with Host B or Host C? The following displays are the IP routing tables on R1 and R2. (Assume the gateway configurations on the PCs are correct.)

    R1's IP routing table:

    R1>show ip route
    Codes: C - connected, O - OSPF
         131.108.0.0/16 is variably subnetted, 4 subnets, 2 masks
    C       131.108.255.0/30 is directly connected, Serial0/0
    O       131.108.200.0/24 [110/400] via 131.108.255.2, 00:52:00, Serial0/0
    C       131.108.101.0/24 is directly connected, Ethernet0/1
    C       131.108.100.0/24 is directly connected, Ethernet0/0

    R2's IP routing table:

    R2>show ip route
    Codes: C - connected, O - OSPF
         131.108.0.0/16 is variably subnetted, 4 subnets, 2 masks
    C       131.108.255.0/30 is directly connected, Serial0/0
    C       131.108.200.0/24 is directly connected, Ethernet0/0
    O       131.108.101.0/24 [110/58] via 131.108.255.1, 00:52:09, Serial0/0
    O       131.108.100.0/24 [110/58] via 131.108.255.1, 00:52:09, Serial0/0
    
  5. To allow the IP subnet 131.108.101.0/24 attached to the R1 Ethernet 0/1 interface to be encrypted over the IPSec tunnel and to communicate with the remote PC IP address 131.108.200.5, what configuration changes are required on which router?