Practical Exercise 14-3: IPSec Router-to-Router Hub and Spoke

Practical Exercise 14-3 Solution

The following is a step-by-step discussion of the Practical Exercise solution.

Task 1 Solution

IKE uses UDP port 500. The IPSec ESP and AH protocols use IP protocol numbers 50 and 51, respectively. You must ensure that any existing access lists you have already configured do not block protocol 50, protocol 51, or UDP port 500 traffic on any interface used by IPSec. In some cases you might need to reconfigure an existing access list to explicitly permit this traffic.

Task 2 Solution

Step 1. At the R1 console, provide all the configuration required to set the following IKE settings:

Define an ISAKMP policy:



R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share

Define the ISAKMP peer and key:



R1(config)#crypto isakmp key cisco170 address 100.133.123.2
R1(config)#crypto isakmp key cisco180 address 100.133.123.3
R1(config)#crypto isakmp key cisco190 address 100.133.123.4

Step 2. At the R2 console, provide all the configuration required to set the following IKE settings:

Define an ISAKMP policy:



R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share

Define the ISAKMP peer and key:



R2(config)#crypto isakmp key cisco170 address 100.133.123.1

Step 3. At the R3 console, provide all the configuration required to set the following IKE settings:

Define an ISAKMP policy:



R3(config)#crypto isakmp policy 1
R3(config-isakmp)#authentication pre-share

Define the ISAKMP peer and key:



R3(config)#crypto isakmp key cisco180 address 100.133.123.1

Step 4. At the R4 console, provide all the configuration required to set the following IKE settings:

Define an ISAKMP policy:



R4(config)#crypto isakmp policy 1
R4(config-isakmp)#authentication pre-share

Define the ISAKMP peer and key:



R4(config)#crypto isakmp key cisco190 address 100.133.123.1

Task 3 Solution

Step 1. At the R1 console, provide all the configuration required to set the following IPSec settings:

Define a route to the peer network:



R1(config)#ip route 170.170.170.0 255.255.255.0 100.133.123.2
R1(config)#ip route 180.180.180.0 255.255.255.0 100.133.123.3
R1(config)#ip route 190.190.190.0 255.255.255.0 100.133.123.4

Define a crypto access list:



R1(config)#access-list 170 permit ip 160.160.160.0 0.0.0.255 170.170.170.0 0.0.0.255
R1(config)#access-list 180 permit ip 160.160.160.0 0.0.0.255 180.180.180.0 0.0.0.255
R1(config)#access-list 190 permit ip 160.160.160.0 0.0.0.255 190.190.190.0 0.0.0.255

Define an IPSec transform set:



R1(config)#crypto ipsec transform-set 170cisco esp-des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec transform-set 180cisco esp-des esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec transform-set 190cisco esp-des esp-md5-hmac

Define the IPSec crypto map:



R1(config)#crypto map mymap 17 ipsec-isakmp
R1(config-crypto-m)#set peer 100.133.123.2
R1(config-crypto-m)#set transform-set 170cisco
R1(config-crypto-m)#match address 170
R1(config-crypto-m)#exit
R1(config)#crypto map mymap 18 ipsec-isakmp
R1(config-crypto-m)#set peer 100.133.123.3
R1(config-crypto-m)#set transform-set 180cisco
R1(config-crypto-m)#match address 180
R1(config)#crypto map mymap 19 ipsec-isakmp
R1(config-crypto-m)#set peer 100.133.123.4
R1(config-crypto-m)#set transform-set 190cisco
R1(config-crypto-m)#match address 190

Apply the crypto map to the Ethernet 0 interface:



R1(config)#interface ethernet 0
R1(config-if)#crypto map mymap

Step 2. At the R2 console, provide all the configuration required to set the following IPSec settings:

Define a route to the peer network:



R2(config)#ip route 160.160.160.0 255.255.255.0 100.133.123.1

Define a crypto access list:



R2(config)#access-list 170 permit ip 170.170.170.0 0.0.0.255 160.160.160.0 0.0.0.255

Define an IPSec transform set:



R2(config)#crypto ipsec transform-set 170cisco esp-des esp-md5-hmac

Define the IPSec crypto map:



R2(config)#crypto map mymap 17 ipsec-isakmp
R2(config-crypto-m)#set peer 100.133.123.1
R2(config-crypto-m)#set transform-set 170cisco
R2(config-crypto-m)#match address 170

Apply the crypto map to the Ethernet 0 interface:



R2(config)#interface ethernet 0
R2(config-if)#crypto map mymap

Step 3. At the R3 console, provide all the configuration required to set the following IPSec settings:

Define a route to the peer network:



R3(config)#ip route 160.160.160.0 255.255.255.0 100.133.123.1

Define a crypto access list:



R3(config)#access-list 180 permit ip 180.180.180.0 0.0.0.255 160.160.160.0 0.0.0.255

Define an IPSec transform set:



R3(config)#crypto ipsec transform-set 180cisco esp-des esp-md5-hmac

Define the IPSec crypto map:



R3(config)#crypto map mymap 18 ipsec-isakmp
R3(config-crypto-m)#set peer 100.133.123.1
R3(config-crypto-m)#set transform-set 180cisco
R3(config-crypto-m)#match address 180

Apply the crypto map to the Ethernet 0 interface:



R3(config)#interface ethernet 0
R3(config-if)#crypto map mymap

Step 4. At the R4 console, provide all the configuration required to set the following IPSec settings:

Define a route to the peer network:



R4(config)#ip route 160.160.160.0 255.255.255.0 100.133.123.1

Define a crypto access list:



R4(config)#access-list 190 permit ip 190.190.190.0 0.0.0.255 160.160.160.0 0.0.0.255

Define an IPSec transform set:



R4(config)#crypto ipsec transform-set 190cisco esp-des esp-md5-hmac

Define the IPSec crypto map:



R4(config)#crypto map mymap 19 ipsec-isakmp
R4(config-crypto-m)#set peer 100.133.123.1
R4(config-crypto-m)#set transform-set 190cisco
R4(config-crypto-m)#match address 190

Apply the crypto map to the Ethernet 0 interface:



R4(config)#interface ethernet 0
R4(config-if)#crypto map mymap
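In a hub-and-spoke design the spoke configurations must mirror the hub's entries exactly: the pre-shared key for each peer pair must match, every crypto map entry must reference an access list that actually exists, and the spoke's crypto access list must be the mirror image of the hub's. The following Python script is an added example, not part of the book's solution; it parses constructed config fragments in the IOS syntax used above (wildcard-mask access lists only) and reports those mismatches, including a hub entry whose match address points at an ACL number that was never defined.

```python
import re

def parse_ios(cfg):
    """Pull the IKE pre-shared keys, crypto ACLs and crypto-map entries out of IOS config text."""
    keys, acls, maps, cur = {}, {}, [], None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            keys[m[2]] = m[1]                      # peer address -> key
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))  # src, wc, dst, wc
        elif m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line):
            cur = {"seq": m[1], "peer": None, "acl": None}
            maps.append(cur)
        elif cur and (m := re.match(r"set peer (\S+)", line)):
            cur["peer"] = m[1]
        elif cur and (m := re.match(r"match address (\d+)", line)):
            cur["acl"] = m[1]
    return keys, acls, maps

def check_pair(hub_cfg, hub_ip, spoke_cfg, spoke_ip):
    """Return the list of problems between the hub's entry for one spoke and that spoke."""
    hk, ha, hm = parse_ios(hub_cfg)
    sk, sa, sm = parse_ios(spoke_cfg)
    problems = []
    if hk.get(spoke_ip) != sk.get(hub_ip):
        problems.append("pre-shared key mismatch")
    hub_entries = [e for e in hm if e["peer"] == spoke_ip]
    spoke_entries = [e for e in sm if e["peer"] == hub_ip]
    if not hub_entries or not spoke_entries:
        return problems + ["missing crypto map entry for peer"]
    for h in hub_entries:
        # The spoke's ACL must be the hub's ACL with source and destination swapped.
        mirrored = {(d, dw, s, sw) for s, sw, d, dw in ha.get(h["acl"], [])}
        if h["acl"] not in ha:
            problems.append(f"hub map {h['seq']} references undefined ACL {h['acl']}")
        elif not any(set(sa.get(e["acl"], [])) == mirrored for e in spoke_entries):
            problems.append(f"no spoke ACL mirrors hub ACL {h['acl']}")
    return problems

# Constructed sample fragments modelled on R1 (hub) and R4 (spoke) above; the hub's
# third access list is deliberately numbered 180 so that map entry 19 has no ACL 190.
HUB_R1 = """crypto isakmp key cisco190 address 100.133.123.4
access-list 180 permit ip 160.160.160.0 0.0.0.255 190.190.190.0 0.0.0.255
crypto map mymap 19 ipsec-isakmp
 set peer 100.133.123.4
 match address 190"""
SPOKE_R4 = """crypto isakmp key cisco190 address 100.133.123.1
access-list 190 permit ip 190.190.190.0 0.0.0.255 160.160.160.0 0.0.0.255
crypto map mymap 19 ipsec-isakmp
 set peer 100.133.123.1
 match address 190"""
```

Running `check_pair(HUB_R1, "100.133.123.1", SPOKE_R4, "100.133.123.4")` flags the undefined ACL; renumbering the hub's access list to 190 clears it.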
