LAB 2 BASIC SITE-TO-SITE IPSEC VPN & NAT-T
- Dean McKenzie
- Feb 20, 2022
- 2 min read

Welcome back to part two of the lab on integrating a network without a static IP address (IPsec NAT-T). Because this lab uses the same topology as lab 1 (the previous lab), it is easiest to clone that lab in EVE-NG. Then make the necessary changes, such as renaming it or erasing any configuration already present on the routers in lab 2. Ultimately, reachability needs to be achieved between R1 and R2, with R4 acting as the ISP gateway for both.
If you have not had an opportunity to read Lab 1, please go back and take a look. This article omits much of the detail covered in lab one and builds on that knowledge.

Task 1
Configure loopback interfaces on R1 and R2. Reachability to the loopback interfaces should use static routes based on the following policy:
- R1 and R2 should be configured with default static routes pointing to the ISP router, R4.
- R4 should be configured with two static routes: one for network 10.1.1.1/24 (R1's loopback) and one for 10.2.2.2/24 (R2's loopback).
Task 2
Configure static Network Address Translation (NAT) on R4 so that R1's outbound interface address (192.1.10.1) is seen by R2 as 192.1.20.1.
See below for configuration:
R4 ISP
Commands Used:
!
interface gig0/0
ip nat inside
!
interface gig0/1
ip nat outside
exit
!
ip nat inside source static 192.1.10.1 192.1.20.1
!
Verify NAT
show ip nat translations
Task 3
Configure a basic site-to-site IPSEC VPN between R1 and R2. The only traffic that is permitted over the tunnel is the loopback networks, respectively R1’s 10.1.1.1/24 and R2’s 10.2.2.2/24.

Site-to-Site Policy Guidelines:
| ISAKMP Policy | IPsec Policy |
|---|---|
| Authentication: Pre-Shared | Encryption: ESP-3DES |
| Hash: MD5 | Hash: ESP-MD5-HMAC |
| DH Group 2: 1024-bit | Proxy-ID/Crypto ACL 10.1.1.1 <-> 10.2.2.2 |
| Encryption: 3DES | |
| Pre Shared Key: cisco | |
From lab 1 the reader should have a general idea of the step-by-step process for configuring IPsec on a router.
Next, we configure the ISAKMP policy shown in the table above.
Commands Used:
R1
1. ISAKMP Policy 10
| Network Device | Commands |
|---|---|
| R1 | en |
| R1 | config t |
| R1 | crypto isakmp policy 10 |
| R1 | encryption 3des |
| R1 | hash md5 |
| R1 | authentication pre-share |
| R1 | group 2 |
2. Configure ISAKMP Key
crypto isakmp key cisco111 address 192.1.20.2
3. Configure IPsec transform set
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 mode tunnel
4. Define interesting traffic
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 log-input
5. Configure Crypto map
| Network Device | Commands |
|---|---|
| R1 | crypto map CMAP 10 ipsec-isakmp |
| R1 | set peer 192.1.20.2 (R1-R2) |
| R1 | set transform-set TSET |
| R1 | match address 101 |
6. Apply crypto map to interface
interface GigabitEthernet0/0
 crypto map CMAP
Next, we will configure R2.
R2
1. ISAKMP Policy 10
| Network Device | Commands |
|---|---|
| R2 | en |
| R2 | config t |
| R2 | crypto isakmp policy 10 |
| R2 | encryption 3des |
| R2 | hash md5 |
| R2 | authentication pre-share |
| R2 | group 2 |
2. Configure ISAKMP Key
Note: R2 has to use the translated IP address to peer with R1. From the perspective of R2 it is establishing a tunnel with the 192.1.20.1 address, and this needs to be reflected in our configuration.
3. Configure IPsec transform set
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 mode tunnel
4. Define interesting traffic
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 log-input
5. Configure crypto map
| Network Device | Commands |
|---|---|
| R2 | crypto map CMAP 10 ipsec-isakmp |
| R2 | set peer 192.1.20.1 (R1-R2) |
| R2 | set transform-set TSET |
| R2 | match address 101 |
6. Apply crypto map to interface
interface GigabitEthernet0/1
 crypto map CMAP
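As an added sanity check (not part of the lab or its routers' configuration), the following Python script parses minimal R1, R2 and R4 snippets and verifies the two things that most often break a site-to-site tunnel behind static NAT: that each side peers with the other's address as seen after R4's translation, and that the crypto ACLs mirror each other. The embedded configs are constructed from the lab values; R2's outbound address 192.1.20.2 (taken from R1's set peer) and the function names are assumptions.

```python
import re
# Constructed minimal configs for this lab (assumption: same names and addresses as the
# write-up; R2's outbound address 192.1.20.2 is taken from R1's 'set peer').
R4_CFG = "ip nat inside source static 192.1.10.1 192.1.20.1\n"
R1_CFG = """crypto isakmp key cisco111 address 192.1.20.2
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 log-input
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.20.2
 match address 101
"""
R2_OK = """crypto isakmp key cisco111 address 192.1.20.1
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 log-input
crypto map CMAP 10 ipsec-isakmp
 set peer 192.1.20.1
 match address 101
"""
# The same R2 peering with R1's untranslated address: the NAT pitfall the note above describes.
R2_BAD = R2_OK.replace("192.1.20.1", "192.1.10.1")
def static_nat(cfg):
    """Map inside-local -> inside-global from 'ip nat inside source static' lines."""
    return dict(re.findall(r"ip nat inside source static (\S+) (\S+)", cfg))

def peers(cfg):
    """Addresses a router negotiates with: 'set peer' plus ISAKMP key addresses."""
    return set(re.findall(r"set peer (\S+)", cfg)) | \
        set(re.findall(r"crypto isakmp key \S+ address (\S+)", cfg))

def crypto_acl(cfg, acl):
    """(src, src_wc, dst, dst_wc) tuples of the 'access-list <acl> permit ip' entries."""
    return re.findall(rf"access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)", cfg)

def check_site_to_site(local, remote, nat_cfg, local_addr, remote_addr, acl="101"):
    """Return a list of findings; an empty list means both ends agree."""
    nat = static_nat(nat_cfg)
    # Each side must peer with the other's address as it appears *after* static NAT.
    want_local, want_remote = nat.get(local_addr, local_addr), nat.get(remote_addr, remote_addr)
    findings = []
    if peers(remote) != {want_local}:
        findings.append(f"remote peers with {sorted(peers(remote))}, expected {want_local}")
    if peers(local) != {want_remote}:
        findings.append(f"local peers with {sorted(peers(local))}, expected {want_remote}")
    # Crypto ACLs must be mirror images, otherwise the Phase 2 proxy IDs will not match.
    mirror = [(d, dw, s, sw) for s, sw, d, dw in crypto_acl(local, acl)]
    if crypto_acl(remote, acl) != mirror:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
if __name__ == "__main__":
    for name, r2 in (("R2 correct", R2_OK), ("R2 untranslated peer", R2_BAD)):
        print(name, check_site_to_site(R1_CFG, r2, R4_CFG, "192.1.10.1", "192.1.20.2") or "OK")
```

Running it reports the mismatched peer for the untranslated R2 variant and "OK" for the corrected one; the same parser can be pointed at the output of show running-config from the real routers.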
Proof is in the pudding!
Testing & Verifying