Wednesday, February 26, 2020

VPN IPSec / ESP : Lab GNS3

Prerequisites:

If you have completed the previous lab, Lab: Redistributing Routing Protocols, you should already have a basic understanding of mutual route redistribution.

1. Review of the architecture

Figure: IPsec ESP Architecture

2. Explanation



Objective: to send L2 traffic over the Internet, giving VLAN-to-VLAN connectivity between multiple sites with:

  • Encapsulation
  • Authentication
  • Encryption

ISP network components:

  • Backbone network (two routers, Casa and Rabat, using Frame Relay and OSPF area 0).
  • Inter-city network (one router per city, Tanger and Marrakech in our case, using Frame Relay and OSPF areas 2224 and 3739).
  • Intra-city network (one router per zone, TangerMed and CenterMrk in our case, using Ethernet and EIGRP).

3. Test / Challenge



Figure: IPSec ESP ping (NAT OK)

NB: We cannot yet ping from PC1 to PC2, so the next step is to configure the IPsec VPN.

4. VPN L2TP Configuration



4.1. AgenceVoyage Router

4.1.1. Transform-set
AgenceVoyage(config)#crypto ipsec transform-set TstMrk esp-3des esp-md5-hmac

4.1.2. Policy
AgenceVoyage(config)#crypto isakmp policy 1
AgenceVoyage(config-isakmp)#encr 3des
AgenceVoyage(config-isakmp)#hash md5
AgenceVoyage(config-isakmp)#authentication pre-share
AgenceVoyage(config-isakmp)#group 2
AgenceVoyage(config-isakmp)#exit
AgenceVoyage(config)#crypto isakmp key pass!2013 address 209.65.39.2

4.1.3. ACL for Filtering
AgenceVoyage(config)#ip access-list extended ACL_VPN
AgenceVoyage(config-ext-nacl)#remark [Comment: Pour VPN SITE TO SITE]
AgenceVoyage(config-ext-nacl)#permit ip 192.168.24.0 0.0.0.255 192.168.39.0 0.0.0.255
AgenceVoyage(config-ext-nacl)#exit

4.1.4. Creation of Crypto Map
AgenceVoyage(config)#crypto map TSTMRKCMAP 1 ipsec-isakmp
AgenceVoyage(config-crypto-map)#set peer 209.65.39.2
AgenceVoyage(config-crypto-map)#set transform-set TstMrk
AgenceVoyage(config-crypto-map)#match address ACL_VPN
AgenceVoyage(config-crypto-map)#exit

4.1.5. Configuration of Serial0/0 Interface
AgenceVoyage(config)#interface Serial0/0
AgenceVoyage(config-if)#crypto map TSTMRKCMAP
AgenceVoyage(config-if)#exit

4.1.6. Exception from NAT
AgenceVoyage(config)#no access-list 101 permit ip 192.168.24.0 0.0.0.255 any
AgenceVoyage(config)#access-list 101 deny ip 192.168.24.0 0.0.0.255 192.168.39.0 0.0.0.255
AgenceVoyage(config)#access-list 101 permit ip 192.168.24.0 0.0.0.255 any
AgenceVoyage(config)#exit
4.2. AgenceMed Router

4.2.1. Transform-set
AgenceMed(config)#crypto ipsec transform-set TstMed esp-3des esp-md5-hmac

4.2.2. Policy
AgenceMed(config)#crypto isakmp policy 1
AgenceMed(config-isakmp)#encr 3des
AgenceMed(config-isakmp)#hash md5
AgenceMed(config-isakmp)#authentication pre-share
AgenceMed(config-isakmp)#group 2
AgenceMed(config-isakmp)#exit
AgenceMed(config)#crypto isakmp key pass!2013 address 209.65.24.2

4.2.3. ACL for Filtering
AgenceMed(config)#ip access-list extended ACL_VPN
AgenceMed(config-ext-nacl)#remark [Comment: Pour VPN SITE TO SITE]
AgenceMed(config-ext-nacl)#permit ip 192.168.39.0 0.0.0.255 192.168.24.0 0.0.0.255
AgenceMed(config-ext-nacl)#exit

4.2.4. Creation of Crypto Map
AgenceMed(config)#crypto map TSTMEDCMAP 1 ipsec-isakmp
AgenceMed(config-crypto-map)#set peer 209.65.24.2
AgenceMed(config-crypto-map)#set transform-set TstMed
AgenceMed(config-crypto-map)#match address ACL_VPN
AgenceMed(config-crypto-map)#exit

4.2.5. Configuration of Serial0/0 Interface
AgenceMed(config)#interface Serial0/0
AgenceMed(config-if)#crypto map TSTMEDCMAP
AgenceMed(config-if)#exit

4.2.6. Exception from NAT
AgenceMed(config)#no access-list 101 permit ip 192.168.39.0 0.0.0.255 any
AgenceMed(config)#access-list 101 deny ip 192.168.39.0 0.0.0.255 192.168.24.0 0.0.0.255
AgenceMed(config)#access-list 101 permit ip 192.168.39.0 0.0.0.255 any
AgenceMed(config)#exit
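As an added check that is not part of the original lab, the Python script below audits the two router configurations from sections 4.1 and 4.2: it flags the 3DES / MD5 / DH group 2 choices, confirms that the crypto ACLs on the two peers mirror each other, and confirms that the NAT exemption of 4.1.6 / 4.2.6 is ordered so the deny precedes the permit-any. The configuration text is a constructed excerpt of the lab as "show running-config" would print it, and the function names and the WEAK table are mine, not the page's.

```python
import re

# Constructed sample: the crypto- and NAT-relevant lines of AgenceVoyage from this
# lab, as "show running-config" prints them (prompts stripped, unused lines omitted).
AGENCE_VOYAGE = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set TstMrk esp-3des esp-md5-hmac
ip access-list extended ACL_VPN
 permit ip 192.168.24.0 0.0.0.255 192.168.39.0 0.0.0.255
access-list 101 deny ip 192.168.24.0 0.0.0.255 192.168.39.0 0.0.0.255
access-list 101 permit ip 192.168.24.0 0.0.0.255 any
"""
# AgenceMed is the mirror image: same algorithms, networks swapped, its own names.
AGENCE_MED = (AGENCE_VOYAGE.replace("TstMrk", "TstMed")
              .replace("192.168.24.0 0.0.0.255 192.168.39.0", "192.168.39.0 0.0.0.255 192.168.24.0")
              .replace("192.168.24.0 0.0.0.255 any", "192.168.39.0 0.0.0.255 any"))
# Lab algorithms that current guidance treats as weak, and what a defender would
# configure instead (my assessment, not the page's).
WEAK = {
    "3des": "3DES (64-bit block): use AES, e.g. 'encr aes 256' / 'esp-aes 256'",
    "md5": "MD5 integrity: use SHA-2, e.g. 'hash sha256' / 'esp-sha256-hmac'",
    "group 2": "DH group 2 (1024-bit MODP): use group 14 or stronger",
}

def weak_settings(config):
    """Return the WEAK findings whose token appears as a whole word in config."""
    return [msg for tok, msg in WEAK.items()
            if re.search(r"\b%s\b" % re.escape(tok), config.lower())]

def crypto_acl(config, name="ACL_VPN"):
    """(src, dst) wildcard pairs the named crypto ACL permits: the traffic to encrypt."""
    block = re.search(r"^ip access-list extended %s\n((?: .*\n)*)" % re.escape(name), config, re.M)
    return set(re.findall(r"^ permit ip (\S+ \S+) (\S+ \S+)", block.group(1), re.M))

def acls_mirrored(cfg_a, cfg_b):
    """Each (src, dst) on A must be (dst, src) on B, or one direction is never 'interesting'."""
    return {(d, s) for s, d in crypto_acl(cfg_a)} == crypto_acl(cfg_b)

def nat_exempt_ordered(config):
    """True when access-list 101 denies every crypto-ACL pair before its first permit,
    so the crypto map sees un-NATed addresses (the point of section 4.1.6)."""
    nat = [l.split() for l in config.splitlines() if l.startswith("access-list 101")]
    denied = {(" ".join(p[4:6]), " ".join(p[6:8])) for p in nat if p[2] == "deny"}
    first_permit = next((i for i, p in enumerate(nat) if p[2] == "permit"), len(nat))
    last_deny = max((i for i, p in enumerate(nat) if p[2] == "deny"), default=-1)
    return crypto_acl(config) <= denied and last_deny < first_permit
```

Running the three checks against a running-config dump before bringing up the tunnel catches the two classic causes of a one-way or silently NATed VPN, and lists the algorithm changes to make before deploying the lab design anywhere real.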
5. VPN Test



Figure: IPsec ESP Test

6. Verification with a traffic capture (Wireshark)



Figure: IPSec ESP Traffic


ESSALIFI MOHAMED FAICAL
Rabat - Maroc/Morocco