Articles

VPN IPSec / ESP : Lab GNS3

Category: Content

Published Date

Written by ESSALIFI

VPN IPSEC ESP : Lab GNS3

Prerequisites:

If you’ve completed the previous lab; Lab:Redistributing Routing Protocols, then you should have a basic understanding of mutual route redistribution.

Review of the architecture

IPsec ESP Architecture

Explication

Objectif : To send L2 traffic over Internet, to have VLAN-to-VLAN connection between multi-sites with:

Encapsulation
Authentication
Encryption

ISP Network components :

BackBone Network (Two routers - Casa & Rabat - with Frame-Relay & OSPF area0 Technologies).

Inter-City Network (One router by city - Tanger & Marrakech in our case, with Frame-Relay & OSPF area2224 & area3739 technologies).

Intar-City Network (One router by zone - TangerMed & CenterMrk in our case, with Ethernet & EIGRP technologies).

Test / Challenge

IPSecESPpingNATOK

NB: We can't ping from PC1 to PC2 ==> Configuration of IPSec VPN

VPN L2TP Configuration

4.1. AgenceVoyage Router

4.1.1. Transform-set

AgenceVoyage(Config)#crypto ipsec transform-set TstMrk esp-3des esp-md5-hmac

4.1.2. Policy

AgenceVoyage(Config)#crypto isakmp policy 1
AgenceVoyage(Config-isakmp)#encr 3des
AgenceVoyage(Config-isakmp)#hash md5
AgenceVoyage(Config-isakmp)#authentication pre-share
AgenceVoyage(Config-isakmp)#group 2
AgenceVoyage(Config-isakmp)#exit 
AgenceVoyage(Config)#crypto isakmp key pass!2013 address 209.65.39.2

4.1.3. ACL for Filtring

AgenceVoyage(Config)#ip access-list extended ACL_VPN
AgenceVoyage(config-ext-nacl)#remark [Comment: Pour VPN SITE TO SITE]
AgenceVoyage(config-ext-nacl)#permit ip 192.168.24.0 0.0.0.255 192.168.39.0 0.0.0.255
AgenceVoyage(config-ext-nacl)#exit

4.1.4. Creation of Crypto Map

AgenceVoyage(Config)#crypto map TSTMRKCMAP 1 ipsec-isakmp
AgenceVoyage(config-crypto-map)#set peer 209.65.39.2
AgenceVoyage(config-crypto-map)#set transform-set TstMrk
AgenceVoyage(config-crypto-map)#match address ACL_VPN
AgenceVoyage(config-crypto-map)#exit

4.1.5. Configuration of Serial0/0 Interface

AgenceVoyage(Config)#interface Serial0/0
AgenceVoyage(config-if)#crypto map TSTMRKCMAP
AgenceVoyage(config-if)#exit

4.1.6. Exception from NAT

AgenceVoyage(Config)#no access-list 101 permit ip 192.168.24.0 0.0.0.255 any
AgenceVoyage(config)#access-list 101 deny ip 192.168.24.0 0.0.0.255 192.168.39.0 0.0.0.255
AgenceVoyage(config)#access-list 101 permit ip 192.168.24.0 0.0.0.255 any
AgenceVoyage(config)#exit

4.2. AgenceMed Router

4.2.1. Transform-set

AgenceMed(Config)#crypto ipsec transform-set TstMed esp-3des esp-md5-hmac

4.2.2. Policy

AgenceMed(Config)#crypto isakmp policy 1
AgenceMed(Config-isakmp)#encr 3des
AgenceMed(Config-isakmp)#hash md5
AgenceMed(Config-isakmp)#authentication pre-share
AgenceMed(Config-isakmp)#group 2
AgenceMed(Config-isakmp)#exit 
AgenceMed(Config)#crypto isakmp key pass!2013 address 209.65.24.2

4.2.3. ACL for Filtring

AgenceMed(Config)#ip access-list extended ACL_VPN
AgenceMed(config-ext-nacl)#remark [Comment: Pour VPN SITE TO SITE]
AgenceMed(config-ext-nacl)#permit ip 192.168.39.0 0.0.0.255 192.168.24.0 0.0.0.255
AgenceMed(config-ext-nacl)#exit

4.2.4. Creation of Crypto Map

AgenceMed(Config)#crypto map TSTMEDCMAP 1 ipsec-isakmp
AgenceMed(config-crypto-map)#set peer 209.65.24.2
AgenceMed(config-crypto-map)#set transform-set TstMed
AgenceMed(config-crypto-map)#match address ACL_VPN
AgenceMed(config-crypto-map)#exit

4.2.5. Configuration of Serial0/0 Interface

AgenceMed(Config)#interface Serial0/0
AgenceMed(config-if)#crypto map TSTMEDCMAP
AgenceMed(config-if)#exit

4.2.6. Exception from NAT

AgenceMed(Config)#no access-list 101 permit ip 192.168.39.0 0.0.0.255 any
AgenceMed(config)#access-list 101 deny ip 192.168.39.0 0.0.0.255 192.168.24.0 0.0.0.255
AgenceMed(config)#access-list 101 permit ip 192.168.39.0 0.0.0.255 any
AgenceMed(config)#exit

Test du VPN

IPsec ESP Test

Vérification avec une capture du trafic (WireShark)

IPSec ESP Traffic

IPsec ESP Test

Articles

VPN IPSec / ESP : Lab GNS3

FOOTER NAVIGATION

GET SOCIAL WITH US

GET IN TOUCH