wnoguchi/network-config-generator: Network Configuration Generator
```
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\wnogu\Documents\github\network-config-generator> python ip-skel.py | clip
```
Project name: ccna-vpn-ipsec-0001-ipsec
```
enable
configure terminal
!
hostname R1
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 10.100.0.1 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 ip address 100.0.0.1 255.255.0.0
 no shutdown
 exit
!
end
write
```
```
enable
configure terminal
!
hostname R2
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 10.200.0.2 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 ip address 200.0.0.2 255.255.0.0
 no shutdown
 exit
!
end
write
```
```
enable
configure terminal
!
hostname R3
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 34.0.0.3 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 ip address 100.0.0.3 255.255.0.0
 no shutdown
 exit
!
end
write
```
```
enable
configure terminal
!
hostname R4
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 34.0.0.4 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 ip address 200.0.0.4 255.255.0.0
 no shutdown
 exit
!
end
write
```
```
ip 10.100.0.100 255.255.255.0 10.100.0.1
save
```
```
ip 10.200.0.200 255.255.255.0 10.200.0.2
save
```
```
configure terminal
!
ip route 0.0.0.0 0.0.0.0 100.0.0.3
!
end
```
```
configure terminal
!
ip route 0.0.0.0 0.0.0.0 200.0.0.4
!
end
```
```
configure terminal
!
router bgp 3
 neighbor 34.0.0.4 remote-as 4
 network 100.0.0.0 mask 255.255.0.0
 exit
!
end
```
```
configure terminal
!
! R4 is in AS 4: R3 peers with it as "remote-as 4", so the local AS here
! must be 4 and R3 (34.0.0.3) is the remote AS 3 neighbor.
router bgp 4
 neighbor 34.0.0.3 remote-as 3
 network 200.0.0.0 mask 255.255.0.0
 exit
!
end
```
```
R1#ping 200.0.0.2 source 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 100.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/10 ms
```
```
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash sha
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime
 lifetime 43200
 exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 200.0.0.2
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
end
```
```
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash sha
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime
 lifetime 43200
 exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
end
```
HMAC (Keyed-Hashing Message Authentication Code)
```
configure terminal
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode tunnel
 exit
!
! Configure IPsec SA lifetime
crypto ipsec security-association lifetime seconds 3600
!
! Define IPsec encryption target traffic
access-list 101 permit ip 10.100.0.0 0.0.0.255 10.200.0.0 0.0.0.255
!
! Only IKE and ESP from the peer are allowed in on the outside interface
access-list 102 permit esp host 200.0.0.2 host 100.0.0.1
access-list 102 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 match address 101
 set transform-set IPSEC
 set peer 200.0.0.2
 exit
!
interface GigabitEthernet 0/1
 crypto map M-ipsec
 ip access-group 102 in
 exit
!
end
```
```
configure terminal
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode tunnel
 exit
!
! Configure IPsec SA lifetime
crypto ipsec security-association lifetime seconds 3600
!
! Define IPsec encryption target traffic
access-list 101 permit ip 10.200.0.0 0.0.0.255 10.100.0.0 0.0.0.255
!
! Only IKE and ESP from the peer are allowed in on the outside interface
access-list 102 permit esp host 100.0.0.1 host 200.0.0.2
access-list 102 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 match address 101
 set transform-set IPSEC
 set peer 100.0.0.1
 exit
!
interface GigabitEthernet 0/1
 crypto map M-ipsec
 ip access-group 102 in
 exit
!
end
```
```
PC-1> ping 10.200.0.200
10.200.0.200 icmp_seq=1 timeout
10.200.0.200 icmp_seq=2 timeout
10.200.0.200 icmp_seq=3 timeout
10.200.0.200 icmp_seq=4 timeout
10.200.0.200 icmp_seq=5 timeout
```
```
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

R1#
*Mar 28 06:10:49.740: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 200.0.0.2
```
```
PC-1> ping 10.200.0.200
10.200.0.200 icmp_seq=1 timeout
10.200.0.200 icmp_seq=2 timeout
10.200.0.200 icmp_seq=3 timeout
10.200.0.200 icmp_seq=4 timeout
10.200.0.200 icmp_seq=5 timeout
```
```
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.0.0.2       100.0.0.1       MM_NO_STATE          0 ACTIVE

IPv6 Crypto ISAKMP SA

R1#
*Mar 28 06:07:07.415: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 200.0.0.2
```
```
R1#sh run | s crypto
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key pg1xpsk address 200.0.0.2
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode tunnel
crypto map M-ipsec 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address 101
 crypto map M-ipsec
```
```
R2#sh run | s crypto
crypto isakmp policy 1
 encr 3des
 group 2
 lifetime 43200
crypto isakmp key pg1xpsk address 100.0.0.1
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode tunnel
crypto map M-ipsec 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address 101
 crypto map M-ipsec
```
IKE phase 1 (ISAKMP SA): `authentication pre-share` is missing from the policy on R2 …
```
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#cryp
R2(config)#crypto isa
R2(config)#crypto isakmp po
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#auth
R2(config-isakmp)#authentication pre
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#^Z
R2#
*Mar 28 06:14:39.112: %SYS-5-CONFIG_I: Configured from console by console
```
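The mismatch above was found by reading the two `sh run | s crypto` outputs side by side. The script below is an added example (not part of this repository) that automates that check: it parses the ISAKMP policy blocks of both peers, fills in the IOS defaults that the running config omits (which is why the missing `authentication pre-share` line is easy to overlook), and reports which phase 1 attribute differs. The R1/R2 samples are the outputs above, re-typed with the one-space indentation IOS prints.

```python
"""Diff the IKEv1 phase 1 (ISAKMP) policies of two peers from their
`show run | section crypto` output and explain why phase 1 cannot complete."""
import re

# Constructed samples: the R1 and R2 `sh run | s crypto` output from this lab.
R1_CRYPTO = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key pg1xpsk address 200.0.0.2
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode tunnel
"""

R2_CRYPTO = """\
crypto isakmp policy 1
 encr 3des
 group 2
 lifetime 43200
crypto isakmp key pg1xpsk address 100.0.0.1
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode tunnel
"""

# IOS drops attributes that sit at their default from the running config,
# so a policy with no "authentication" line really means rsa-sig.
ISAKMP_DEFAULTS = {
    "encr": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}
ALIASES = {"encryption": "encr"}  # accepts config-mode spelling too

# These must be identical on both peers; lifetime is negotiated down instead.
NEGOTIATED = ("encr", "hash", "authentication", "group")


def parse_isakmp_policies(text):
    """Return {priority: {attr: value}} for every `crypto isakmp policy` block."""
    policies = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(ISAKMP_DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        if current is not None and line.startswith(" "):
            attr, _, value = line.strip().partition(" ")
            attr = ALIASES.get(attr, attr)
            if attr in ISAKMP_DEFAULTS:
                current[attr] = value
            continue
        current = None  # any other top-level line ends the policy block
    return policies


def find_phase1_match(local, remote):
    """Walk local policies by priority against every remote policy, as the
    responder does; return (local_prio, remote_prio, agreed) or None."""
    for lp in sorted(local):
        for rp in sorted(remote):
            if all(local[lp][a] == remote[rp][a] for a in NEGOTIATED):
                agreed = {a: local[lp][a] for a in NEGOTIATED}
                agreed["lifetime"] = str(min(int(local[lp]["lifetime"]),
                                             int(remote[rp]["lifetime"])))
                return lp, rp, agreed
    return None


def explain_mismatch(local, remote):
    """List every attribute that differs per policy pair, with defaults made
    explicit, so the operator knows which line to add on which peer."""
    diffs = []
    for lp in sorted(local):
        for rp in sorted(remote):
            for a in NEGOTIATED:
                if local[lp][a] != remote[rp][a]:
                    diffs.append(f"policy {lp} vs {rp}: {a} "
                                 f"{local[lp][a]} != {remote[rp][a]}")
    return diffs


if __name__ == "__main__":
    r1, r2 = parse_isakmp_policies(R1_CRYPTO), parse_isakmp_policies(R2_CRYPTO)
    print("phase 1 match:", find_phase1_match(r1, r2))
    for d in explain_mismatch(r1, r2):
        print("mismatch:", d)
```

On the lab output this reports `policy 1 vs 1: authentication pre-share != rsa-sig`, the same conclusion reached by hand above.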
```
PC-1> ping 10.200.0.200
10.200.0.200 icmp_seq=1 timeout
10.200.0.200 icmp_seq=2 timeout
10.200.0.200 icmp_seq=3 timeout
84 bytes from 10.200.0.200 icmp_seq=4 ttl=62 time=12.124 ms
84 bytes from 10.200.0.200 icmp_seq=5 ttl=62 time=10.759 ms
```
```
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.0.0.2       100.0.0.1       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
```
```
PC-1> ping 10.200.0.200
84 bytes from 10.200.0.200 icmp_seq=1 ttl=62 time=11.085 ms
84 bytes from 10.200.0.200 icmp_seq=2 ttl=62 time=10.075 ms
84 bytes from 10.200.0.200 icmp_seq=3 ttl=62 time=13.185 ms
84 bytes from 10.200.0.200 icmp_seq=4 ttl=62 time=11.984 ms
84 bytes from 10.200.0.200 icmp_seq=5 ttl=62 time=10.882 ms
```
```
R1#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 100.0.0.3 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 100.0.0.3
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.100.0.0/24 is directly connected, GigabitEthernet0/0
L        10.100.0.1/32 is directly connected, GigabitEthernet0/0
      100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        100.0.0.0/16 is directly connected, GigabitEthernet0/1
L        100.0.0.1/32 is directly connected, GigabitEthernet0/1
```
PPPoE
PPPoE + IPsec (ESP, tunnel mode)
ESP padding must be a multiple of 8 bytes (the 3DES block size)
?
Project name: ccna-vpn-ipsec-0002-ipsec-pppoe
```
enable
configure terminal
!
hostname R1
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 10.100.0.1 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 ip address 100.0.0.1 255.255.0.0
 no shutdown
 exit
!
end
write
```
```
enable
configure terminal
!
hostname R2
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 10.200.0.2 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 ip address 200.0.0.2 255.255.0.0
 no shutdown
 exit
!
end
write
```
```
enable
configure terminal
!
hostname R3
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 34.0.0.3 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 no shutdown
 exit
!
end
write
```
```
enable
configure terminal
!
hostname R4
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 34.0.0.4 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 no shutdown
 exit
!
end
write
```
```
ip 10.100.0.100 255.255.255.0 10.100.0.1
save
```
```
ip 10.200.0.200 255.255.255.0 10.200.0.2
save
```
```
configure terminal
!
router bgp 3
 neighbor 34.0.0.4 remote-as 4
 network 100.0.0.1 mask 255.255.255.255
 exit
!
end
```
```
configure terminal
!
! R4 is in AS 4: R3 peers with it as "remote-as 4", so the local AS here
! must be 4 and R3 (34.0.0.3) is the remote AS 3 neighbor.
router bgp 4
 neighbor 34.0.0.3 remote-as 3
 network 200.0.0.2 mask 255.255.255.255
 exit
!
end
```
```
configure terminal
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 10
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 exit
!
interface Loopback 1
 ip address 100.0.0.1 255.255.255.0
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end
```
```
configure terminal
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 10
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 exit
!
interface Loopback 1
 ip address 200.0.0.2 255.255.255.0
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end
```
```
configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 100.0.0.1
!
interface Loopback1
 ip address 100.1.3.3 255.255.255.0
 exit
!
interface Virtual-Template1
 mtu 1454
 ip unnumbered Loopback1
 peer default ip address pool POOL1
 ppp authentication chap
 exit
!
bba-group pppoe PPPOE-GROUP1
 virtual-template 1
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group PPPOE-GROUP1
 no shut
 exit
!
end
```
```
configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 200.0.0.2
!
interface Loopback1
 ip address 200.2.4.4 255.255.255.0
 exit
!
interface Virtual-Template1
 mtu 1454
 ip unnumbered Loopback1
 peer default ip address pool POOL1
 ppp authentication chap
 exit
!
bba-group pppoe PPPOE-GROUP1
 virtual-template 1
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group PPPOE-GROUP1
 no shut
 exit
!
end
```
```
R1#ping 200.0.0.2 source 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 100.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/10 ms
```
```
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime(Default)
 !lifetime 86400
 exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 200.0.0.2
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 !(Default)
 !mode tunnel
 exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address A-ipsec
 exit
!
interface Loopback 1
 ip address 100.0.0.1 255.255.255.255
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 10
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit ip 10.100.0.0 0.0.0.255 10.200.0.0 0.0.0.255
 exit
!
ip access-list extended A-security
 permit esp host 200.0.0.2 host 100.0.0.1
 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 !permit icmp any any
 exit
!
dialer-list 20 protocol ip permit
!
end
```
```
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime(Default)
 !lifetime 86400
 exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 !(Default)
 !mode tunnel
 exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address A-ipsec
 exit
!
interface Loopback 1
 ip address 200.0.0.2 255.255.255.255
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 10
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit ip 10.200.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 exit
!
ip access-list extended A-security
 permit esp host 100.0.0.1 host 200.0.0.2
 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
 !permit icmp any any
 exit
!
dialer-list 20 protocol ip permit
!
end
```
```
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.0.0.2       100.0.0.1       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
```
```
R1(config)#no crypto isakmp keepalive 30 per
R2(config)#no crypto isakmp keepalive 30 periodic
R1#clear crypto isakmp
```
```
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.0.0.1       200.0.0.2       QM_IDLE           1002 ACTIVE
200.0.0.2       100.0.0.1       QM_IDLE           1003 ACTIVE
200.0.0.2       100.0.0.1       MM_NO_STATE       1001 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
```
```
PC-1> ping 10.200.0.200 -c 100
10.200.0.200 icmp_seq=1 timeout
10.200.0.200 icmp_seq=2 timeout
84 bytes from 10.200.0.200 icmp_seq=3 ttl=62 time=12.339 ms
84 bytes from 10.200.0.200 icmp_seq=4 ttl=62 time=11.275 ms
^C
PC-1>
```
```
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.0.0.1       200.0.0.2       QM_IDLE           1002 ACTIVE
200.0.0.2       100.0.0.1       QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA
```
```
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.0.0.1       200.0.0.2       MM_NO_STATE       1002 ACTIVE (deleted)
200.0.0.2       100.0.0.1       MM_NO_STATE       1003 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
```
After a while:
```
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
100.0.0.1       200.0.0.2       QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA
```
```
R1#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: M-ipsec, local addr 100.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.100.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
   current_peer 200.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72
    #pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
     plaintext mtu 1398, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
     current outbound spi: 0x45A01B3D(1168120637)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBC213362(3156292450)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4261867/1574)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x45A01B3D(1168120637)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4261867/1574)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
```
```
R1#show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   3DES+MD5                  0       72       72 100.0.0.1
    2  IPsec   3DES+MD5                 72        0        0 100.0.0.1
 1004  IKE     MD5+3DES                  0        0        0 100.0.0.1
```
```
R2#sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: M-ipsec, local addr 200.0.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.100.0.0/255.255.255.0/0/0)
   current_peer 100.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 95, #pkts encrypt: 95, #pkts digest: 95
    #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.0.0.2, remote crypto endpt.: 100.0.0.1
     plaintext mtu 1398, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
     current outbound spi: 0xBC213362(3156292450)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x45A01B3D(1168120637)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4147942/1303)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBC213362(3156292450)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4147942/1303)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

R2#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
    1  IPsec   3DES+MD5                  0      145      145 200.0.0.2
    2  IPsec   3DES+MD5                146        0        0 200.0.0.2
 1004  IKE     MD5+3DES                  0        0        0 200.0.0.2
```
```
R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set IPSEC: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },
```
```
R1#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Dialer1
Uptime: 00:44:59
Session status: UP-ACTIVE
Peer: 200.0.0.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 200.0.0.2
      Desc: (none)
  Session ID: 0
  IKEv1 SA: local 100.0.0.1/500 remote 200.0.0.2/500 Active
          Capabilities:(none) connid:1004 lifetime:23:45:06
  IPSEC FLOW: permit ip 10.100.0.0/255.255.255.0 10.200.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 156 drop 0 life (KB/Sec) 4261856/900
        Outbound: #pkts enc'ed 156 drop 0 life (KB/Sec) 4261856/900
```
keyword
reference
configuration
```
configure terminal
!
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC icmp
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime(Default)
 !lifetime 86400
 exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 200.0.0.2
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 !(Default)
 !mode tunnel
 exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address A-ipsec
 exit
!
interface Loopback 1
 ip address 100.0.0.1 255.255.255.255
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 ip nat inside
 ip inspect CBAC in
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 10
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 ip nat outside
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
ip nat inside source list A-nat interface Loopback 1 overload
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit ip 10.100.0.0 0.0.0.255 10.200.0.0 0.0.0.255
 exit
!
ip access-list extended A-security
 permit esp host 200.0.0.2 host 100.0.0.1
 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 permit icmp any any
 exit
!
! VPN traffic is excluded from NAT so the crypto ACL still matches it
ip access-list extended A-nat
 deny ip 10.100.0.0 0.0.0.255 10.200.0.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 any
 exit
!
dialer-list 20 protocol ip permit
!
end
```
```
configure terminal
!
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC icmp
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime(Default)
 !lifetime 86400
 exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 periodic
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 !(Default)
 !mode tunnel
 exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address A-ipsec
 exit
!
interface Loopback 1
 ip address 200.0.0.2 255.255.255.255
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 ip nat inside
 ip inspect CBAC in
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 10
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 ip nat outside
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
ip nat inside source list A-nat interface Loopback 1 overload
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit ip 10.200.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 exit
!
ip access-list extended A-security
 permit esp host 100.0.0.1 host 200.0.0.2
 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
 permit icmp any any
 exit
!
! VPN traffic is excluded from NAT so the crypto ACL still matches it
ip access-list extended A-nat
 deny ip 10.200.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 permit ip 10.200.0.0 0.0.0.255 any
 exit
!
dialer-list 20 protocol ip permit
!
end
```
```
configure terminal
!
username admin1 password cisco1
!
line vty 0 15
 exec-timeout 0 0
 password ciscotel
 login local
 logging synchronous
 ! Required on IOSv, whose default vty transport does not allow remote access
 transport input telnet ssh
 exit
!
ip domain-name pg1x.net
!
end
```
Ping to the outside world
```
PC-1> ping 200.0.0.2
84 bytes from 200.0.0.2 icmp_seq=1 ttl=252 time=12.863 ms
84 bytes from 200.0.0.2 icmp_seq=2 ttl=252 time=12.085 ms
^C
```
Ping over the VPN
```
PC-1> ping 10.200.0.200
10.200.0.200 icmp_seq=1 timeout
84 bytes from 10.200.0.200 icmp_seq=2 ttl=62 time=30.486 ms
84 bytes from 10.200.0.200 icmp_seq=3 ttl=62 time=19.197 ms
84 bytes from 10.200.0.200 icmp_seq=4 ttl=62 time=20.302 ms
84 bytes from 10.200.0.200 icmp_seq=5 ttl=62 time=20.438 ms
PC-1>
```
```
ifconfig eth0 10.100.0.103 netmask 255.255.255.0 broadcast 10.100.0.255
route add default gw 10.100.0.1 eth0
```
Telnet to R4
```
root@PC-3:~# ping 34.0.0.4
PING 34.0.0.4 (34.0.0.4) 56(84) bytes of data.
64 bytes from 34.0.0.4: icmp_seq=1 ttl=253 time=9.55 ms
64 bytes from 34.0.0.4: icmp_seq=2 ttl=253 time=5.95 ms
64 bytes from 34.0.0.4: icmp_seq=3 ttl=253 time=5.65 ms
64 bytes from 34.0.0.4: icmp_seq=4 ttl=253 time=5.40 ms
64 bytes from 34.0.0.4: icmp_seq=5 ttl=253 time=6.47 ms
64 bytes from 34.0.0.4: icmp_seq=6 ttl=253 time=6.35 ms
64 bytes from 34.0.0.4: icmp_seq=7 ttl=253 time=5.58 ms
64 bytes from 34.0.0.4: icmp_seq=8 ttl=253 time=4.80 ms
64 bytes from 34.0.0.4: icmp_seq=9 ttl=253 time=5.75 ms
64 bytes from 34.0.0.4: icmp_seq=10 ttl=253 time=5.30 ms
64 bytes from 34.0.0.4: icmp_seq=11 ttl=253 time=5.97 ms
64 bytes from 34.0.0.4: icmp_seq=12 ttl=253 time=4.80 ms
64 bytes from 34.0.0.4: icmp_seq=13 ttl=253 time=5.46 ms
64 bytes from 34.0.0.4: icmp_seq=14 ttl=253 time=4.98 ms
64 bytes from 34.0.0.4: icmp_seq=15 ttl=253 time=4.74 ms
64 bytes from 34.0.0.4: icmp_seq=16 ttl=253 time=6.07 ms
64 bytes from 34.0.0.4: icmp_seq=17 ttl=253 time=4.44 ms
64 bytes from 34.0.0.4: icmp_seq=18 ttl=253 time=4.66 ms
^C
--- 34.0.0.4 ping statistics ---
18 packets transmitted, 18 received, 0% packet loss, time 17021ms
rtt min/avg/max/mdev = 4.446/5.666/9.555/1.112 ms
root@PC-3:~# ping 34.0.0.4
PING 34.0.0.4 (34.0.0.4) 56(84) bytes of data.
64 bytes from 34.0.0.4: icmp_seq=1 ttl=253 time=12.7 ms
64 bytes from 34.0.0.4: icmp_seq=2 ttl=253 time=4.56 ms
^C
--- 34.0.0.4 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 4.563/8.656/12.750/4.094 ms
root@PC-3:~# telnet 34.0.0.4
Trying 34.0.0.4...
Connected to 34.0.0.4.
Escape character is '^]'.

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: admin1
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
```
```
R1#ping 34.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/11 ms
R1#sh
R1#show ip ins
R1#show ip inspect se
R1#show ip inspect sessions
Established Sessions
 Session FD64AA8 (10.100.0.103:48140)=>(34.0.0.4:23) tcp SIS_OPEN
R1#show ip inspect al
R1#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
Interface Configuration
 Interface GigabitEthernet0/0
  Inbound inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
Established Sessions
 Session FD64AA8 (10.100.0.103:48140)=>(34.0.0.4:23) tcp SIS_OPEN
R1#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
Interface Configuration
 Interface GigabitEthernet0/0
  Inbound inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
R1#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
Interface Configuration
 Interface GigabitEthernet0/0
  Inbound inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
Established Sessions
 Session FD64AA8 (10.100.0.103:8)=>(34.0.0.4:0) icmp SIS_OPEN
R1#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
Interface Configuration
 Interface GigabitEthernet0/0
  Inbound inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
Established Sessions
 Session FD64AA8 (10.100.0.103:8)=>(34.0.0.4:0) icmp SIS_OPEN
R1#telnet 34.0.0.4
Trying 34.0.0.4 ...
% Connection timed out; remote host not responding
R1#telnet 34.0.0.4
Trying 34.0.0.4 ...
% Connection timed out; remote host not responding
R1#telnet 34.0.0.4
Trying 34.0.0.4 ...
% Connection timed out; remote host not responding
R1#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
Interface Configuration
 Interface GigabitEthernet0/0
  Inbound inspection rule is CBAC
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    ftp alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
Established Sessions
 Session FD64888 (10.100.0.103:48142)=>(34.0.0.4:23) tcp SIS_OPEN
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip tel
R1(config)#ip telnet sour
R1(config)#ip telnet source-interface Gig
R1(config)#ip telnet source-interface GigabitEthernet 0/0
R1(config)#^Z
R1#show ip inspect all
*Apr  3 23:11:27.820: %SYS-5-CONFIG_I: Configured from console by console
R1#telnet 34.0.0.4
Trying 34.0.0.4 ...
% Connection timed out; remote host not responding
R1#telnet 34.0.0.4
Trying 34.0.0.4 ...
% Connection timed out; remote host not responding
```