Articles

VPN IPSec / ESP : Lab GNS3

Category: Content

Published Date

Written by ESSALIFI

Hits: 1621

VPN IPSEC ESP : Lab GNS3

Prerequisites:

If you’ve completed the previous lab; Lab:Redistributing Routing Protocols, then you should have a basic understanding of mutual route redistribution.

Objectif : To send L2 traffic over Internet, to have VLAN-to-VLAN connection between multi-sites with:

• Encapsulation
• Authentication
• Encryption

ISP Network components :

• BackBone Network (Two routers - Casa & Rabat - with Frame-Relay & OSPF area0 Technologies).

• Inter-City Network (One router by city - Tanger & Marrakech in our case, with Frame-Relay & OSPF area2224 & area3739 technologies).

• Intar-City Network (One router by zone - TangerMed & CenterMrk in our case, with Ethernet & EIGRP technologies).

NB: We can't ping from PC1 to PC2 ==> Configuration of IPSec VPN 

AgenceVoyage(Config)#crypto ipsec transform-set TstMrk esp-3des esp-md5-hmac

AgenceVoyage(Config)#crypto isakmp policy 1
AgenceVoyage(Config-isakmp)#encr 3des
AgenceVoyage(Config-isakmp)#hash md5
AgenceVoyage(Config-isakmp)#authentication pre-share
AgenceVoyage(Config-isakmp)#group 2
AgenceVoyage(Config-isakmp)#exit 
AgenceVoyage(Config)#crypto isakmp key pass!2013 address 209.65.39.2

AgenceVoyage(Config)#ip access-list extended ACL_VPN
AgenceVoyage(config-ext-nacl)#remark [Comment: Pour VPN SITE TO SITE]
AgenceVoyage(config-ext-nacl)#permit ip 192.168.24.0 0.0.0.255 192.168.39.0 0.0.0.255
AgenceVoyage(config-ext-nacl)#exit 

AgenceVoyage(Config)#crypto map TSTMRKCMAP 1 ipsec-isakmp
AgenceVoyage(config-crypto-map)#set peer 209.65.39.2
AgenceVoyage(config-crypto-map)#set transform-set TstMrk
AgenceVoyage(config-crypto-map)#match address ACL_VPN
AgenceVoyage(config-crypto-map)#exit 

AgenceVoyage(Config)#interface Serial0/0
AgenceVoyage(config-if)#crypto map TSTMRKCMAP
AgenceVoyage(config-if)#exit 

AgenceVoyage(Config)#no access-list 101 permit ip 192.168.24.0 0.0.0.255 any
AgenceVoyage(config)#access-list 101 deny ip 192.168.24.0 0.0.0.255 192.168.39.0 0.0.0.255
AgenceVoyage(config)#access-list 101 permit ip 192.168.24.0 0.0.0.255 any
AgenceVoyage(config)#exit 

AgenceMed(Config)#crypto ipsec transform-set TstMed esp-3des esp-md5-hmac

AgenceMed(Config)#crypto isakmp policy 1
AgenceMed(Config-isakmp)#encr 3des
AgenceMed(Config-isakmp)#hash md5
AgenceMed(Config-isakmp)#authentication pre-share
AgenceMed(Config-isakmp)#group 2
AgenceMed(Config-isakmp)#exit 
AgenceMed(Config)#crypto isakmp key pass!2013 address 209.65.24.2

AgenceMed(Config)#ip access-list extended ACL_VPN
AgenceMed(config-ext-nacl)#remark [Comment: Pour VPN SITE TO SITE]
AgenceMed(config-ext-nacl)#permit ip 192.168.39.0 0.0.0.255 192.168.24.0 0.0.0.255
AgenceMed(config-ext-nacl)#exit 

AgenceMed(Config)#crypto map TSTMEDCMAP 1 ipsec-isakmp
AgenceMed(config-crypto-map)#set peer 209.65.24.2
AgenceMed(config-crypto-map)#set transform-set TstMed
AgenceMed(config-crypto-map)#match address ACL_VPN
AgenceMed(config-crypto-map)#exit 

AgenceMed(Config)#interface Serial0/0
AgenceMed(config-if)#crypto map TSTMEDCMAP
AgenceMed(config-if)#exit 

AgenceMed(Config)#no access-list 101 permit ip 192.168.39.0 0.0.0.255 any
AgenceMed(config)#access-list 101 deny ip 192.168.39.0 0.0.0.255 192.168.24.0 0.0.0.255
AgenceMed(config)#access-list 101 permit ip 192.168.39.0 0.0.0.255 any
AgenceMed(config)#exit 

IPSec ESP Traffic