Sunday, 13 December 2009

Howto: Create a VPN site-to-site with GNS3

I have definitely abandoned Verdana font since each time it changes after publishing posts :) )

In this article I will show how to create a VPN site-to-site in GNS3.

First of all we have to create the topology, so create a new project and drag elements to reproduce this:




Let's look at what we have, starting from the bottom left and going clockwise:

  • CE1 is our Branch Office router that will connect to the Main Office
  • PE1 is our Provider Edge router that connects the Branch Office to the Internet
  • PE2 is our Provider Edge router that connects the Main Office to the Internet
  • CE2 is our Main Office router that connects the headquarters to the Internet
  • C1 is a cloud connected to a Loopback interface configured with IP address 192.168.233.101 (this element is optional, you can substitute it with an Ethernet Switch)

Now let's give all of the routers a basic configuration and assign IP addresses as follows:

#CE1

hostname CE1
line con 0
 logging synchronous
 exec-timeout 0
!
interface FastEthernet0/0
 ip address 192.168.233.254 255.255.255.0
 no shutdown
!
interface Serial1/0
 ip address 192.168.30.1 255.255.255.252
 no shutdown

#PE1

hostname PE1
line con 0
 logging synchronous
 exec-timeout 0
!
interface Serial1/0
 ip address 192.168.30.5 255.255.255.252
 no shutdown
!
interface Serial1/1
 ip address 192.168.30.2 255.255.255.252
 no shutdown

#PE2

hostname PE2
line con 0
 logging synchronous
 exec-timeout 0
!
interface Serial1/0
 ip address 192.168.30.6 255.255.255.252
 no shutdown
!
interface Serial1/1
 ip address 192.168.30.10 255.255.255.252
 no shutdown

#CE2

hostname CE2
line con 0
 logging synchronous
 exec-timeout 0
!
interface FastEthernet0/0
 ip address 192.168.210.254 255.255.255.0
 no shutdown
!
interface Serial1/0
 ip address 192.168.30.9 255.255.255.252
 no shutdown


To ensure that the "public network" has full reachability, we will configure EIGRP for network 192.168.30.0 and disable auto-summarization, since our network is subnetted:

# CE1, CE2, PE1, PE2

router eigrp 1
 network 192.168.30.0
 no auto-summary


After this step you should be able to ping 192.168.30.9 from CE1.

Now we are going to configure an IPSec VPN site-to-site, so we will need:

  1. crypto isakmp policy

    numbered policies that specify the parameters for the IKE Phase 1 connection; at least one policy on the initiator must match one of the isakmp policies configured on the responder

    multiple policies can be configured and they are tried starting from the lowest number, so it is strongly recommended to give the lowest numbers to the strongest policies
  2. crypto ipsec transform-set

    the transform sets define the IPSec parameters for the SAs established in IKE Phase 2. A single transform set can carry up to three protocol/algorithm specifications
  3. interesting traffic ACL

    an ACL specifying the "interesting traffic", i.e. the traffic that will be carried over the IPSec connection
  4. crypto map

    an object that ties together the ACL, the transform set and the peer IP address
  5. create a static route

    a static route is needed to forward the traffic for the remote network to the peer
  6. apply the crypto map to the outgoing interface

    the crypto map must be applied to the interface from which the traffic to the remote network will go out

1. crypto isakmp policy

Our IPSec peers will be CE1 and CE2, so on both ends we will create isakmp policies. Remember that at least one of them must match on the other peer, otherwise the connection will not come up.

Just to make it easy, we will configure the same policies on both. Our policy with priority 10 will use 3DES encryption, MD5 hashing and pre-shared key authentication, while a weaker isakmp policy with priority 20 will only set SHA-1 hashing (every parameter not set in a policy takes the IOS default, so policy 20 is really DES with SHA-1 and RSA-signature authentication). These are the algorithms that were common in labs of the time; on a current IOS you would pick AES and SHA-2 instead:

#CE1 and CE2

crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 hash sha
!


Then we must assign a pre-shared key to the peer. Please note that the pre-shared key is not assigned to a specific policy, but on a per-peer basis. That means that when IKE Phase 1 is initialized, if an isakmp policy matches and it contains "authentication pre-share", the remote peer will have to supply the key that matches its IP address.

We configure CE1 and CE2 so that each must supply the password "mypassword" to prove its identity. Since the key is bound to the peer's address, CE1 keys it to CE2's WAN address 192.168.30.9 and CE2 keys it to CE1's WAN address 192.168.30.1:

#CE1

crypto isakmp key mypassword address 192.168.30.9

#CE2

crypto isakmp key mypassword address 192.168.30.1

2. crypto ipsec transform-set

The second step is to configure our transform sets. Since each command allows up to three protocol/algorithm combinations, we will create a set that uses ESP with 3DES encryption and AH with SHA-1 HMAC, and ask for transport mode. Keep in mind that IOS can only use transport mode when the protected traffic has the peers' own addresses as source and destination; for LAN-to-LAN traffic like ours it negotiates tunnel mode instead, which is exactly what the "in use settings ={Tunnel, }" lines in the show crypto ipsec sa output at the end of this article confirm.

#CE1 and CE2

crypto ipsec transform-set set-10 ah-sha-hmac esp-3des
 mode transport
!
crypto ipsec security-association lifetime seconds 120

With the last command we have also set the lifetime of each single IPSec SA to 120 seconds.

3. interesting traffic ACL

Now we must specify the traffic that we are going to encapsulate through the IPSec secure channel.

On CE1 we will protect all the traffic going out from the 192.168.233.0 network and directed to the 192.168.210.0 network through the ISP's network, while CE2 will have the mirrored ACL:

#CE1

access-list 110 permit ip 192.168.233.0 0.0.0.255 192.168.210.0 0.0.0.255

#CE2

access-list 110 permit ip 192.168.210.0 0.0.0.255 192.168.233.0 0.0.0.255


4. crypto map

In the previous steps we have defined the general parameters for IKE Phase 1 and IKE Phase 2 and the traffic that we want to protect. Now we must configure a mapping between those parameters, the traffic and the peer host. Basically all of the configuration done so far, except for the ACL, is shared by any VPN connection the router will initiate or respond to.

On CE1 we are going to create a crypto map named remote-to-main, give it priority 10 and specify that it uses isakmp (IKE) to negotiate the SAs. In the crypto map context we then specify the remote peer IP address, the transform set that will be used for IKE Phase 2 and the ACL that identifies the interesting traffic:

#CE1

crypto map remote-to-main 10 ipsec-isakmp
 set peer 192.168.30.9
 set transform-set set-10
 match address 110


On CE2 we will create a crypto map named main-to-remote with the same parameters, changing only the IP address of the remote peer:

#CE2

crypto map main-to-remote 10 ipsec-isakmp
 set peer 192.168.30.1
 set transform-set set-10
 match address 110


5. create a static route

Since the private networks are not announced by EIGRP, CE1 and CE2 cannot reach each other's LAN. To allow this we need to create a static route on each side pointing at the peer:

#CE1

ip route 192.168.210.0 255.255.255.0 192.168.30.9

#CE2

ip route 192.168.233.0 255.255.255.0 192.168.30.1
6. apply the crypto map to the outgoing interface

In this last step we still need to apply the crypto map to the outgoing interface for the destination network. A simple rule is to apply the crypto map to the interface facing the link used to reach the remote network, i.e. the interface the static route of the previous step sends the traffic out of.

For CE1 the outgoing interface for network 192.168.210.0 is s1/0 and for CE2 the outgoing interface for network 192.168.233.0 is s1/0:

#CE1

interface s1/0
 crypto map remote-to-main

#CE2

interface s1/0
 crypto map main-to-remote

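As an added cross-check (not part of the original post), the following Python snippet encodes the per-site values from steps 1 to 6 and verifies the things that must agree between the two peers: each "set peer" is the other router's WAN address, each router has a pre-shared key bound to that peer address, the static route covers the peer's LAN and points at the peer, and the crypto map sits on the interface the traffic leaves from. The Site record and check_pair function are constructed for this example; CE2_PASTED_KEY is a constructed variant with CE1's key line copied to CE2 unchanged, to show the kind of mistake the check catches.

```python
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    wan_ip: str         # address of the interface facing the provider
    wan_iface: str      # name of that interface
    lan: str            # local protected network (CIDR)
    peer: str           # 'set peer' in the crypto map
    keys: dict          # 'crypto isakmp key <key> address <addr>' entries
    route_net: str      # 'ip route' destination network (CIDR)
    route_nexthop: str  # 'ip route' next hop
    map_iface: str      # interface the crypto map was applied to

def check_pair(a: Site, b: Site) -> list:
    """Return the list of mismatches; an empty list means both sides agree."""
    problems = []
    for local, remote in ((a, b), (b, a)):
        if local.peer != remote.wan_ip:
            problems.append(f"{local.name}: 'set peer {local.peer}' is not {remote.name}'s WAN address {remote.wan_ip}")
        if local.peer not in local.keys:
            problems.append(f"{local.name}: no 'crypto isakmp key ... address {local.peer}' for its peer")
        if local.route_net != remote.lan:
            problems.append(f"{local.name}: static route covers {local.route_net}, not {remote.name}'s LAN {remote.lan}")
        if local.route_nexthop != local.peer:
            problems.append(f"{local.name}: static route next hop {local.route_nexthop} differs from peer {local.peer}")
        if local.map_iface != local.wan_iface:
            problems.append(f"{local.name}: crypto map is on {local.map_iface} but traffic leaves via {local.wan_iface}")
    # Compare the keys only when both sides actually have one for their peer.
    ka, kb = a.keys.get(a.peer), b.keys.get(b.peer)
    if ka is not None and kb is not None and ka != kb:
        problems.append("pre-shared keys differ between the two sites")
    return problems

# Values taken from the configuration of CE1 and CE2 in this article.
CE1 = Site("CE1", "192.168.30.1", "Serial1/0", "192.168.233.0/24", "192.168.30.9",
           {"192.168.30.9": "mypassword"}, "192.168.210.0/24", "192.168.30.9", "Serial1/0")
CE2 = Site("CE2", "192.168.30.9", "Serial1/0", "192.168.210.0/24", "192.168.30.1",
           {"192.168.30.1": "mypassword"}, "192.168.233.0/24", "192.168.30.1", "Serial1/0")
# Constructed mistake: CE1's key line pasted onto CE2 unchanged, so CE2 has no key for its peer.
CE2_PASTED_KEY = Site("CE2", "192.168.30.9", "Serial1/0", "192.168.210.0/24", "192.168.30.1",
                      {"192.168.30.9": "mypassword"}, "192.168.233.0/24", "192.168.30.1", "Serial1/0")

if __name__ == "__main__":
    print(check_pair(CE1, CE2))             # []
    print(check_pair(CE1, CE2_PASTED_KEY))  # one problem: CE2 lacks a key for 192.168.30.1
```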

Testing the configuration

Now that the config part has finished, we must test if everything is working as expected.

First we can ping from CE1 the remote network:

#ping 192.168.210.254

This WILL NOT WORK! Guess why? Because the ACL we specified identifies the traffic to be protected. By default, a ping to the 192.168.210.0 network is sourced from the address of the outgoing interface, that is 192.168.30.1. That traffic does not match the ACL, so no IPSec channel is established.

Now, try with

#ping 192.168.210.254 source fa0/0

and if you followed all of the previous steps you will finally get an answer.
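To see precisely which packets the crypto ACL of step 3 classifies as interesting, and therefore why the plain ping above fails while the one sourced from fa0/0 works, here is an added Python example (not code from the original post) that implements Cisco wildcard-mask matching for the two ACEs on the page and also checks that CE2's ACL is the mirror of CE1's. The parse_ace, matches, is_mirror and ce1_protects helpers are constructed for this example; the addresses are the ones used throughout the article.

```python
import ipaddress
from typing import NamedTuple

class Ace(NamedTuple):
    src: int
    src_wild: int
    dst: int
    dst_wild: int

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line: str) -> Ace:
    """Parse the ACE form used on the page:
    access-list <n> permit ip <src> <src-wildcard> <dst> <dst-wildcard>"""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[2:4] != ["permit", "ip"]:
        raise ValueError("unsupported ACE: " + line)
    return Ace(ip_int(f[4]), ip_int(f[5]), ip_int(f[6]), ip_int(f[7]))

def matches(ace: Ace, src: str, dst: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the packet address must equal the ACE address in that bit."""
    src_ok = ((ip_int(src) ^ ace.src) & ~ace.src_wild & 0xFFFFFFFF) == 0
    dst_ok = ((ip_int(dst) ^ ace.dst) & ~ace.dst_wild & 0xFFFFFFFF) == 0
    return src_ok and dst_ok

def is_mirror(a: Ace, b: Ace) -> bool:
    """Peer ACLs must be exact mirrors (source and destination swapped); otherwise
    the two routers classify one direction of the traffic differently."""
    return (a.src, a.src_wild, a.dst, a.dst_wild) == (b.dst, b.dst_wild, b.src, b.src_wild)

# The two ACEs from step 3 of the article.
CE1_ACL = parse_ace("access-list 110 permit ip 192.168.233.0 0.0.0.255 192.168.210.0 0.0.0.255")
CE2_ACL = parse_ace("access-list 110 permit ip 192.168.210.0 0.0.0.255 192.168.233.0 0.0.0.255")

def ce1_protects(src: str, dst: str) -> bool:
    """Would CE1 send a packet src -> dst through the IPSec SA?"""
    return matches(CE1_ACL, src, dst)

if __name__ == "__main__":
    # 'ping 192.168.210.254' is sourced from Serial1/0 (192.168.30.1): not interesting
    print(ce1_protects("192.168.30.1", "192.168.210.254"))     # False
    # 'ping 192.168.210.254 source fa0/0' is sourced from 192.168.233.254: interesting
    print(ce1_protects("192.168.233.254", "192.168.210.254"))  # True
    print(is_mirror(CE1_ACL, CE2_ACL))                         # True
```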

If you want, you can even use your PC through the loopback adapter, but remember that you will have to create a static route on the PC for network 192.168.210.0/24 using 192.168.233.254 as the gateway.

Now from CE1 issue the command

show crypto ipsec sa

you should get output like this (the interesting lines, highlighted in red in the original, are the local and remote idents, the current peer, the encaps/decaps counters and the Status of each SA):

interface: Serial1/0
    Crypto map tag: remote-to-main, local addr 192.168.30.1

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.233.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.210.0/255.255.255.0/0/0)
   current_peer 192.168.30.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 17, #recv errors 0

     local crypto endpt.: 192.168.30.1, remote crypto endpt.: 192.168.30.9
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x71ADC14D(1907212621)

     inbound esp sas:
      spi: 0x813BA0FB(2168168699)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: remote-to-main
        sa timing: remaining key lifetime (k/sec): (4453225/44)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0xECD85DFD(3973602813)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: remote-to-main
        sa timing: remaining key lifetime (k/sec): (4453225/34)
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x71ADC14D(1907212621)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: remote-to-main
        sa timing: remaining key lifetime (k/sec): (4453225/34)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0x90972444(2425824324)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: remote-to-main
        sa timing: remaining key lifetime (k/sec): (4453225/34)
        replay detection support: Y
