Practical Exercise 14-2: Three Full-Mesh IPSec Routers | Practical Exercise 14-3: IPSec Router-to-Router Hub and Spoke

Practical Exercise 14-2 Solution

The following is a step-by-step discussion of the Practical Exercise solution.

Task 1 Solution

IKE uses UDP port 500. The IPSec ESP and AH protocols use IP protocol numbers 50 and 51. You must ensure that any access lists already applied to an interface used by IPSec do not block IP protocols 50 and 51 or UDP port 500 between the peers. In some cases you might need to reconfigure an existing access list to explicitly permit this traffic.

Task 2 Solution

Step 1. At the R1 console, provide all the configuration required to set the following IKE settings:

Define an ISAKMP policy:



R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share

Define the ISAKMP peer and key:



R1(config)#crypto isakmp key cisco123 address 100.133.123.2
R1(config)#crypto isakmp key cisco123 address 100.133.123.3

Step 2. At the R2 console, provide all the configuration required to set the following IKE settings:

Define an ISAKMP policy:



R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share

Define the ISAKMP peer and key:



R2(config)#crypto isakmp key cisco123 address 100.133.123.1
R2(config)#crypto isakmp key cisco123 address 100.133.123.3

Step 3. At the R3 console, provide all the configuration required to set the following IKE settings:

Define an ISAKMP policy:



R3(config)#crypto isakmp policy 1
R3(config-isakmp)#authentication pre-share

Define the ISAKMP peer and key:



R3(config)#crypto isakmp key cisco123 address 100.133.123.1
R3(config)#crypto isakmp key cisco123 address 100.133.123.2

Task 3 Solution

Step 1. At the R1 console, provide all the configuration required to set the following IPSec settings:

Define a route to the peer network:



R1(config)#ip route 170.170.170.0 255.255.255.0 100.133.123.2
R1(config)#ip route 180.180.180.0 255.255.255.0 100.133.123.3

Define a crypto access list:



R1(config)#access-list 170 permit ip 160.160.160.0 0.0.0.255 170.170.170.0 0.0.0.255
R1(config)#access-list 180 permit ip 160.160.160.0 0.0.0.255 180.180.180.0 0.0.0.255

Define an IPSec transform set:



R1(config)#crypto ipsec transform-set 170cisco esp-des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec transform-set 180cisco esp-des esp-md5-hmac

Define the IPSec crypto map:



R1(config)#crypto map mymap 17 ipsec-isakmp
R1(config-crypto-m)#set peer 100.133.123.2
R1(config-crypto-m)#set transform-set 170cisco
R1(config-crypto-m)#match address 170
R1(config-crypto-m)#exit
R1(config)#crypto map mymap 18 ipsec-isakmp
R1(config-crypto-m)#set peer 100.133.123.3
R1(config-crypto-m)#set transform-set 180cisco
R1(config-crypto-m)#match address 180

Associate the crypto map to the Ethernet 0 interface:



R1(config)#interface ethernet 0
R1(config-if)#crypto map mymap

Step 2. At the R2 console, provide all the configuration required to set the following IPSec settings:

Define a route to the peer network:



R2(config)#ip route 160.160.160.0 255.255.255.0 100.133.123.1
R2(config)#ip route 180.180.180.0 255.255.255.0 100.133.123.3

Define a crypto access list:



R2(config)#access-list 160 permit ip 170.170.170.0 0.0.0.255 160.160.160.0 0.0.0.255
R2(config)#access-list 180 permit ip 170.170.170.0 0.0.0.255 180.180.180.0 0.0.0.255

Define an IPSec transform set:



R2(config)#crypto ipsec transform-set 160cisco esp-des esp-md5-hmac
R2(cfg-crypto-trans)#exit
R2(config)#crypto ipsec transform-set 180cisco esp-des esp-md5-hmac

Define the IPSec crypto map:



R2(config)#crypto map mymap 16 ipsec-isakmp
R2(config-crypto-m)#set peer 100.133.123.1
R2(config-crypto-m)#set transform-set 160cisco
R2(config-crypto-m)#match address 160
R2(config-crypto-m)#exit
R2(config)#crypto map mymap 18 ipsec-isakmp
R2(config-crypto-m)#set peer 100.133.123.3
R2(config-crypto-m)#set transform-set 180cisco
R2(config-crypto-m)#match address 180

Associate the crypto map to the Ethernet 0 interface:



R2(config)#interface ethernet 0
R2(config-if)#crypto map mymap

Step 3. At the R3 console, provide all the configuration required to set the following IPSec settings:

Define a route to the peer network:



R3(config)#ip route 160.160.160.0 255.255.255.0 100.133.123.1
R3(config)#ip route 170.170.170.0 255.255.255.0 100.133.123.2

Define a crypto access list:



R3(config)#access-list 160 permit ip 180.180.180.0 0.0.0.255 160.160.160.0 0.0.0.255
R3(config)#access-list 170 permit ip 180.180.180.0 0.0.0.255 170.170.170.0 0.0.0.255

Define an IPSec transform set:



R3(config)#crypto ipsec transform-set 160cisco esp-des esp-md5-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec transform-set 170cisco esp-des esp-md5-hmac

Define the IPSec crypto map:



R3(config)#crypto map mymap 16 ipsec-isakmp
R3(config-crypto-m)#set peer 100.133.123.1
R3(config-crypto-m)#set transform-set 160cisco
R3(config-crypto-m)#match address 160
R3(config-crypto-m)#exit
R3(config)#crypto map mymap 17 ipsec-isakmp
R3(config-crypto-m)#set peer 100.133.123.2
R3(config-crypto-m)#set transform-set 170cisco
R3(config-crypto-m)#match address 170

Associate the crypto map to the Ethernet 0 interface:



R3(config)#interface ethernet 0
R3(config-if)#crypto map mymap
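The three router configurations above follow one pattern: each router carries one pre-shared key, one static route, one crypto access list, one transform set and one crypto map entry per peer, and the crypto access lists on any two peers must be mirror images of each other (the source of one is the destination of the other), otherwise the Phase 2 proxy identities do not match and the SA is never built. The following Python is an added example, not from the book: it generates that configuration for the exercise's three routers (and for any larger full mesh whose LAN first octets differ) and checks the mirror property; the topology dictionary and the naming rule for ACL numbers and map sequence numbers are taken from the solution above.

```python
# Constructed topology copied from the exercise: name -> (public address, protected /24)
ROUTERS = {
    "R1": ("100.133.123.1", "160.160.160.0"),
    "R2": ("100.133.123.2", "170.170.170.0"),
    "R3": ("100.133.123.3", "180.180.180.0"),
}
PSK = "cisco123"  # the exercise's pre-shared key

def tag(lan):
    """The solution names ACLs, transform sets and map entries after the peer LAN's first octet."""
    return lan.split(".")[0]

def router_config(name):
    """Return the IOS lines for one router, in the order the solution applies them."""
    _, lan = ROUTERS[name]
    peers = [(pip, plan) for n, (pip, plan) in ROUTERS.items() if n != name]
    cfg = ["crypto isakmp policy 1", " authentication pre-share"]
    cfg += [f"crypto isakmp key {PSK} address {pip}" for pip, _ in peers]
    cfg += [f"ip route {plan} 255.255.255.0 {pip}" for pip, plan in peers]
    for _, plan in peers:  # one crypto ACL and one transform set per peer LAN
        t = tag(plan)
        cfg.append(f"access-list {t} permit ip {lan} 0.0.0.255 {plan} 0.0.0.255")
        cfg.append(f"crypto ipsec transform-set {t}cisco esp-des esp-md5-hmac")
    for pip, plan in peers:  # one map entry per peer; sequence = first two digits of the tag
        t = tag(plan)
        cfg += [f"crypto map mymap {t[:2]} ipsec-isakmp", f" set peer {pip}",
                f" set transform-set {t}cisco", f" match address {t}"]
    return cfg + ["interface ethernet 0", " crypto map mymap"]

def crypto_acls(cfg):
    """Map ACL number -> (source LAN, destination LAN) for each permit entry."""
    acls = {}
    for line in cfg:
        f = line.split()
        if f[:1] == ["access-list"] and len(f) >= 7 and f[2] == "permit":
            acls[f[1]] = (f[4], f[6])
    return acls

def mirror_mismatches(configs):
    """Flows a router protects that the peer owning the destination LAN does not
    protect in reverse; Phase 2 proxy identities must be mirror images."""
    lan_owner = {lan: n for n, (_, lan) in ROUTERS.items()}
    bad = []
    for a, cfg in configs.items():
        for src, dst in crypto_acls(cfg).values():
            b = lan_owner.get(dst)
            if b is None or (dst, src) not in crypto_acls(configs[b]).values():
                bad.append((a, b, src, dst))
    return bad
```

Running `mirror_mismatches` against the configs pulled from real routers (one `show running-config` each, fed through `crypto_acls`) is a quick way to find the asymmetric ACL before debugging IKE.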
