
Sunday, January 31, 2016

GET VPN


Group Encrypted Transport VPN
! KS (key server) on R5
conf t

crypto isakmp policy 10
hash sha256
authentication pre-share
group 14
lifetime 180
encryption aes 256
exit

do show crypto isakmp policy

! wildcard PSK (matches any peer address): any host that knows cisco123 can start IKE with the KS; lab only
crypto isakmp key cisco123 address 0.0.0.0

! this key signs the rekey messages; 1024-bit RSA is a lab value, use modulus 2048 or larger,
! and mark it exportable only if it has to be copied to a cooperative KS
crypto key generate rsa general-keys label GETVPN modulus 1024 exportable

crypto ipsec transform-set Our-TSET esp-aes 192 esp-sha-hmac
exit

crypto ipsec profile GDOI-Profile
set transform-set Our-TSET
set security-association lifetime seconds 300
exit

crypto gdoi group Our-GETVPN
identity number 6783
server local
address ipv4 5.5.5.5
rekey transport unicast
rekey lifetime seconds 600
rekey retransmit 10 number 2
rekey authentication mypubkey rsa GETVPN

sa ipsec 1
profile GDOI-Profile
match address ipv4 101
! time-based anti-replay, window in seconds (GMs compare against the KS-distributed pseudotime)
replay time window-size 5
exit
exit
exit

ip access-list extended 101
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
exit

router ospf 1
net 0.0.0.0 255.255.255.255 area 0
end

! GM (group member) on R1-R4
conf t
crypto isakmp policy 10
hash sha256
authentication pre-share
group 14
lifetime 180
encryption aes 256
exit

crypto isakmp key cisco123 address 0.0.0.0

! No point-to-point tunnels are built between the group members (R1-R4): each GM registers
! with the KS over GDOI and installs the same group SA, so any GM can decrypt any other GM's traffic.

crypto gdoi group Our-GETVPN
identity number 6783
server address ipv4 5.5.5.5
exit

crypto map GETVPN-MAP 10 gdoi
set group Our-GETVPN
exit

interface e0/0
crypto map GETVPN-MAP
! clamp TCP MSS so the ESP overhead does not push packets over the path MTU
ip tcp adjust-mss 1360
exit

router ospf 1
net 0.0.0.0 255.255.255.255 area 0
end

! R5

crypto gdoi ks rekey replace-now

show crypto gdoi

show crypto gdoi ks policy

show crypto gdoi ks acl

show crypto gdoi ks rekey

show crypto gdoi ks member


! R1

show crypto isakmp sa

show crypto isakmp sa detail

show crypto session

show crypto isakmp sa

show crypto gdoi

show crypto gdoi gm rekey

To see encrypt/decrypt counters for the active SA:
show crypto engine connections active

show crypto ipsec sa

ping 10.2.2.2 source 10.1.1.1 repeat 123

show crypto engine connections active

show crypto gdoi group Our-GETVPN
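The KS and GM procedure above is a lab build: the IKE pre-shared key is a wildcard, the rekey-signing RSA key is 1024-bit and exportable, and the running configs further down the page carry revocation-check none, no service password-encryption and transport input all. The script below is an added example, not part of the original notes and not a Cisco tool: it runs a small set of reviewer rules over IOS config lines and returns the findings. The sample config is copied from this page with the abbreviated commands expanded; the rules themselves and the 2048-bit RSA minimum are the editor's assumptions, and re is the only dependency.

```python
"""Added example: a reviewer's hardening pass over IOS configuration lines.
The rules are assumptions about what to flag, not derived from IOS itself."""
import re

# Constructed sample: lines copied from the KS procedure and the running configs
# on this page, with the abbreviated commands expanded to what IOS stores.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 180
crypto isakmp key cisco123 address 0.0.0.0
crypto key generate rsa general-keys label GETVPN modulus 1024 exportable
crypto ipsec transform-set Our-TSET esp-aes 192 esp-sha-hmac
crypto pki trustpoint Trusted-CA
 revocation-check none
no service password-encryption
line vty 0 4
 transport input all
"""

MIN_RSA_BITS = 2048   # editor's assumption of the minimum worth accepting today

# (regex, message); capture groups are substituted into the message with str.format.
RULES = [
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0", "wildcard pre-shared key: any peer that knows it can complete IKE phase 1"),
    (r"^\s*hash md5$", "ISAKMP policy hashes with MD5"),
    (r"^\s*encryption (des|3des)$", "ISAKMP policy encrypts with {0}"),
    (r"^\s*group ([125])$", "ISAKMP policy uses DH group {0}, too small"),
    (r"^crypto key generate rsa .*\bexportable\b", "RSA private key marked exportable"),
    (r"^\s*revocation-check none$", "certificate revocation checking disabled"),
    (r"^no service password-encryption$", "line passwords stored in clear text"),
    (r"^\s*transport input (all|telnet)$", "vty accepts telnet; restrict to ssh"),
]


def audit_config(text):
    """Return [(line_number, line, message)] for every rule hit, in config order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, message in RULES:
            m = re.search(pattern, line)
            if m:
                findings.append((lineno, line.strip(), message.format(*m.groups())))
        # numeric rule: flag any RSA modulus below the minimum, whatever keyword form was typed
        m = re.search(r"^crypto key generate rsa .*\bmod(?:ulus)? (\d+)", line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append((lineno, line.strip(), f"RSA modulus {m.group(1)} is below {MIN_RSA_BITS} bits"))
    return findings


def messages(text):
    """Just the messages, for a quick pass/fail view."""
    return [msg for _, _, msg in audit_config(text)]


if __name__ == "__main__":
    for lineno, line, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}\n    {line}")
```

Feed it the output of show running-config saved from a box; lines that pass every rule (the aes 256 / sha256 / group 14 ISAKMP policy above, for instance) produce nothing, which is the behaviour you want from a check that runs in a pipeline.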
Saturday, January 30, 2016

IKEv2 Pushing Policy


Adding AAA Authorization and pushing configuration

! FlexVPN Server R1

show crypto engine connections active
show crypto ikev2 sa
show ip route ospf

conf t
ip local pool FlexPool 172.16.0.100 172.16.0.200
aaa new-model
aaa authorization network Author-List local

do show crypto ikev2 authorization policy
crypto ikev2 authorization policy default
pool FlexPool
exit

crypto ikev2 profile IKEv2-Profile
aaa authorization group cert list Author-List default
end

! Spokes R2-R4

conf t
interface Tunnel0
ip address negotiated
end

clear crypto session

show ip int brief

show ip route ospf

Working after the config-mode push: each spoke's Tunnel0 now carries an address from FlexPool and OSPF comes up over it.
Full configs R1 - R4:

R1#show run
Building configuration...

Current configuration : 5646 bytes
!
! Last configuration change at 16:02:14 PST Tue Jul 1 2014
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authorization network Author-List local
!
!
!
!       
!
aaa session-id common
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated
!       
!
!
!
!
!
!
crypto pki trustpoint Trusted-CA
 enrollment url http://5.5.5.5:80
 serial-number none
 fqdn r1.cbtnuggets.com
 ip-address 15.0.0.1
 subject-name CN=r1,O=cbtnuggets.com
 revocation-check none
 rsakeypair r1.cbtnuggets.com
!
!
!
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 04
  3082024A 308201B3 A0030201 02020104 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31323030 3831365A 170D3135 30373031
  32303038 31365A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723131 37301506 092A8648 86F70D01 09081308
  31352E30 2E302E31 301E0609 2A864886 F70D0109 02161172 312E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00C19869 47EB6BE5 1F76EE98 FE005644 2E7356F0 4A6A083D 8DA45C68
  860D9905 B0FF882D B6B96641 69B9A601 F6ED9E19 24BFB905 890D0FD7 BEE3C60A
  0385919D 8C733D16 E830B860 23C43C07 DCCB01BD 34BF6FFC F27F8BA9 28E5ACC7
  7D82F9EC 5F9A3BF7 811FC0B1 301DEFE2 3E06ADCA 0144136E B905D904 91243809
  FAC2F8FE BD020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 E8EAF4BA 661E67B3 16A425E2 43FA702E C5798AB4 301D0603
  551D0E04 1604148A C8C4EA5A 6D91FE86 ED951D39 FC63AB62 E90D1F30 0D06092A
  864886F7 0D010105 05000381 8100711E B9B3EE1B 6020702B 80E80704 1B42BC99
  03C70C01 430EB95A E5A406F0 2B101B19 86158E53 ABAB8C81 5936A62C 34C66AA0
  FBA41EDD C08DBECF 3E3E2138 8B5963FE C45816E6 381958BF 67B8A012 EC1AE394
  84D0617E 4D2DE05B 669A1291 1DA08FF0 1257E42B 1BA73788 EF7B24CB 7798D54A
  E703F45B 3C03ED4C 2BD75F85 D28C
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31313833 3732345A 170D3137 30363330
  31383337 32345A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 A198DCFC FA4458DA FED402A2 735A6A47 678FDD5F
  946E78BC C5C23824 1C4CC015 CD2B1909 13C5AD37 A65CE556 D4F6A079 15858690
  2E2AE2DF 3DC0F8C7 9010E5C4 8988FF0B 90CD0455 EEC940B1 6A701018 37571EDB
  F84846A3 3C2DD003 99F6EFA2 796D8974 042AC364 D728AEC8 DA6EEB34 E98DD2E7
  8F2B4DE0 ED945888 1C905DE5 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014E8 EAF4BA66 1E67B316 A425E243 FA702EC5 798AB430 1D060355 1D0E0416
  0414E8EA F4BA661E 67B316A4 25E243FA 702EC579 8AB4300D 06092A86 4886F70D
  01010405 00038181 0060D501 BDF814CE 00DB7902 CE3BEF28 068A065B CD6715E0
  BB34AB1A DD38416A FCC4BA5C CE9DBAEC 31CA42D5 90255556 50EDD297 4264A28D
  C86C8789 CC87DA31 642752D5 1D4BE83D D91631E8 3D35D265 A4A074F2 7A889FD2
  37305219 2C962F4E 817A7CE2 FAE485A2 BED6E3F8 435C9451 CF2A665B D5DA4FFA
  61EF9AEF 14A45E6A 4B
        quit
!
redundancy
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
crypto ikev2 authorization policy default
 pool FlexPool
 route set interface
!
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14
!
!
!
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
 aaa authorization group cert list Author-List default
 virtual-template 1
!
crypto isakmp diagnose error
!
!
crypto ipsec transform-set default esp-gcm 256
!
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Ethernet0/0
 ip address 15.0.0.1 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
router ospf 1
!
ip local pool FlexPool 172.16.0.100 172.16.0.200
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 15.0.0.5
!
no cdp advertise-v2
!
!
!
!
!
control-plane
!
!
!
!
!
!
alias exec c config t
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 transport input all
!
ntp server 5.5.5.5
!
end


R2# show run
Building configuration...

Current configuration : 5374 bytes
!
! Last configuration change at 16:03:16 PST Tue Jul 1 2014
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!       
!
!


!
!
!
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint Trusted-CA
 enrollment url http://5.5.5.5:80
 serial-number none
 fqdn r2.cbtnuggets.com
 ip-address 25.0.0.2
 subject-name CN=r2,O=cbtnuggets.com
 revocation-check none
 rsakeypair r2.cbtnuggets.com
!
!
!
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 05
  3082024A 308201B3 A0030201 02020105 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31323031 3033395A 170D3135 30373031
  32303130 33395A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723231 37301506 092A8648 86F70D01 09081308
  32352E30 2E302E32 301E0609 2A864886 F70D0109 02161172 322E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00958128 72E94635 39249318 793E25AC E6062475 665090ED B3E40332
  23103752 AA80E558 88FE1B90 6D0A55CB 15529219 17CF9A3B 56C24BF6 C16F3221
  CB70634A 566D821A ACEAE2C4 F2E8F67D 78D59990 109DE621 D4A143EA C8325A8A
  73619F29 EA777FE5 E9A058B7 87E35769 F6856F02 D0F4E8D9 6CF3D35D 331DA62E
  4219C27B 55020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 E8EAF4BA 661E67B3 16A425E2 43FA702E C5798AB4 301D0603
  551D0E04 16041416 501C1D6B B2D383A3 3DE6EDAF 37A9DE90 B3026530 0D06092A
  864886F7 0D010105 05000381 81003DCA 088EE816 DADEB245 A352C090 8395401C
  1BA6F26B 935C9DC7 86DE1FA7 61D5B31F CF424EC7 8779550F 3F32E3DF E5CFA6BC
  CBC441F3 BC0571DC F2749731 0B9848E9 62201362 07B62352 49607F3C 35F2E699
  6A16D7EC ACECB68F 47D08011 E41D892D 1300D866 71D46CA8 7B88B15B 13608858
  0300EDBE BBCC1843 22B6A956 1F72
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31313833 3732345A 170D3137 30363330
  31383337 32345A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 A198DCFC FA4458DA FED402A2 735A6A47 678FDD5F
  946E78BC C5C23824 1C4CC015 CD2B1909 13C5AD37 A65CE556 D4F6A079 15858690
  2E2AE2DF 3DC0F8C7 9010E5C4 8988FF0B 90CD0455 EEC940B1 6A701018 37571EDB
  F84846A3 3C2DD003 99F6EFA2 796D8974 042AC364 D728AEC8 DA6EEB34 E98DD2E7
  8F2B4DE0 ED945888 1C905DE5 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014E8 EAF4BA66 1E67B316 A425E243 FA702EC5 798AB430 1D060355 1D0E0416
  0414E8EA F4BA661E 67B316A4 25E243FA 702EC579 8AB4300D 06092A86 4886F70D
  01010405 00038181 0060D501 BDF814CE 00DB7902 CE3BEF28 068A065B CD6715E0
  BB34AB1A DD38416A FCC4BA5C CE9DBAEC 31CA42D5 90255556 50EDD297 4264A28D
  C86C8789 CC87DA31 642752D5 1D4BE83D D91631E8 3D35D265 A4A074F2 7A889FD2
  37305219 2C962F4E 817A7CE2 FAE485A2 BED6E3F8 435C9451 CF2A665B D5DA4FFA
  61EF9AEF 14A45E6A 4B
        quit
!
redundancy
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14
!
!
!
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
!
crypto isakmp diagnose error
!
!
crypto ipsec transform-set default esp-gcm 256
!
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile
!
!
!
!       
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip address 10.2.2.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Tunnel0
 ip address negotiated
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile default
!
interface Ethernet0/0
 ip address 25.0.0.2 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 25.0.0.5
!
no cdp advertise-v2
!
!
!
control-plane
!
!       
!
!
!
!
alias exec c config t
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input all
!
ntp server 5.5.5.5
!
end


R3#show run
Building configuration...

Current configuration : 5374 bytes
!
! Last configuration change at 16:03:36 PST Tue Jul 1 2014
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!       
!
!


!
!
!
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint Trusted-CA
 enrollment url http://5.5.5.5:80
 serial-number none
 fqdn r3.cbtnuggets.com
 ip-address 35.0.0.3
 subject-name CN=r3,O=cbtnuggets.com
 revocation-check none
 rsakeypair r3.cbtnuggets.com
!
!
!
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 06
  3082024A 308201B3 A0030201 02020106 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31323031 3131305A 170D3135 30373031
  32303131 31305A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723331 37301506 092A8648 86F70D01 09081308
  33352E30 2E302E33 301E0609 2A864886 F70D0109 02161172 332E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00B1EA0F 0329DF33 D5CE118E BE3215D7 DDA70509 7312ACF5 346EC84A
  C3DE07BE 8EB840BD 427BF130 3F8B02E3 1604ECCD B865AC49 A59602B4 167AFA7F
  0BE75EF4 AC22F6EC 266E2E1C 6947D829 6F045782 8E65AC4E C0BE8010 5BF0149C
  A37902CF FBAD642C BE68AD1B 1BC9F7F3 DCB5BCBF BE9960BE 96753AD8 4014C0D2
  65334830 49020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 E8EAF4BA 661E67B3 16A425E2 43FA702E C5798AB4 301D0603
  551D0E04 16041460 127B3E86 EFE1CDB9 D25E62A1 77E480BE C8DE6F30 0D06092A
  864886F7 0D010105 05000381 81004663 8ACBCFB3 CD3C5D83 98386A62 F3F1931B
  1E5229D3 896F2A22 C933F881 AC762260 B5419243 9168CB3B D9D21ECD 7DAA594B
  8A02E3E4 05F0675E 7E727C48 1407E5C9 9067E9B7 C06AFBAD B85D20C9 344D3EE0
  51312B0C 1619F875 43A0B76E 6FFBF2BF D04B533C 01655FF9 EEA0941E A5008CD2
  5E3F9148 40E14638 43016CD4 254C
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31313833 3732345A 170D3137 30363330
  31383337 32345A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 A198DCFC FA4458DA FED402A2 735A6A47 678FDD5F
  946E78BC C5C23824 1C4CC015 CD2B1909 13C5AD37 A65CE556 D4F6A079 15858690
  2E2AE2DF 3DC0F8C7 9010E5C4 8988FF0B 90CD0455 EEC940B1 6A701018 37571EDB
  F84846A3 3C2DD003 99F6EFA2 796D8974 042AC364 D728AEC8 DA6EEB34 E98DD2E7
  8F2B4DE0 ED945888 1C905DE5 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014E8 EAF4BA66 1E67B316 A425E243 FA702EC5 798AB430 1D060355 1D0E0416
  0414E8EA F4BA661E 67B316A4 25E243FA 702EC579 8AB4300D 06092A86 4886F70D
  01010405 00038181 0060D501 BDF814CE 00DB7902 CE3BEF28 068A065B CD6715E0
  BB34AB1A DD38416A FCC4BA5C CE9DBAEC 31CA42D5 90255556 50EDD297 4264A28D
  C86C8789 CC87DA31 642752D5 1D4BE83D D91631E8 3D35D265 A4A074F2 7A889FD2
  37305219 2C962F4E 817A7CE2 FAE485A2 BED6E3F8 435C9451 CF2A665B D5DA4FFA
  61EF9AEF 14A45E6A 4B
        quit
!
redundancy
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14
!
!
!
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
!
crypto isakmp diagnose error
!
!
crypto ipsec transform-set default esp-gcm 256
!
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile
!
!
!
!       
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Loopback1
 ip address 10.3.3.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Tunnel0
 ip address negotiated
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile default
!
interface Ethernet0/0
 ip address 35.0.0.3 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 35.0.0.5
!
no cdp advertise-v2
!
!
!
control-plane
!
!       
!
!
!
!
alias exec c config t
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input all
!
ntp server 5.5.5.5
!
end


R4#show run
Building configuration...

Current configuration : 5374 bytes
!
! Last configuration change at 16:03:51 PST Tue Jul 1 2014
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!       
!
!


!
!
!
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint Trusted-CA
 enrollment url http://5.5.5.5:80
 serial-number none
 fqdn r4.cbtnuggets.com
 ip-address 45.0.0.4
 subject-name CN=r4,O=cbtnuggets.com
 revocation-check none
 rsakeypair r4.cbtnuggets.com
!
!
!
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 07
  3082024A 308201B3 A0030201 02020107 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31323031 3133395A 170D3135 30373031
  32303131 33395A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723431 37301506 092A8648 86F70D01 09081308
  34352E30 2E302E34 301E0609 2A864886 F70D0109 02161172 342E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00B343F4 E93CD649 7BC99C33 3EDF887E 977BE584 29002562 224C3F55
  AAE65EF1 4966E5B6 714C6BD6 0DBE4A99 5B08C38E 2B263F01 F90802A1 3AEFC4D5
  F6C4843D 2AC5D695 06EA39F7 6F3A4CD4 9253FCCF 8E5FA17D 265CC49B A27BD3D7
  0BABC34C B4DD79EE A560246A 48150AE4 4798327D C4BE1326 5E10F1BF 083DE022
  1F8B81AB F9020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 E8EAF4BA 661E67B3 16A425E2 43FA702E C5798AB4 301D0603
  551D0E04 160414FE A8B17992 5E253531 80017713 C15B5D02 917A5030 0D06092A
  864886F7 0D010105 05000381 81004D17 8AC3681E 3EDEAEF5 797E352A 6DE87B62
  C9A22B7F DFEA1B52 6742EE86 4A7C4719 905B6557 999D02A7 F582E32D 3A21856C
  4D6C15BD 91A3023F B50E90DB C9FF0B37 8FE78CEE 0C46F320 DDBA7771 0B48F05A
  03A7966D 9493CF66 FF945098 E42C7F52 7122DC78 96232F68 E67B5A53 BD4AD682
  A585969C 24E97994 0931E32D F3A1
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303730 31313833 3732345A 170D3137 30363330
  31383337 32345A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 A198DCFC FA4458DA FED402A2 735A6A47 678FDD5F
  946E78BC C5C23824 1C4CC015 CD2B1909 13C5AD37 A65CE556 D4F6A079 15858690
  2E2AE2DF 3DC0F8C7 9010E5C4 8988FF0B 90CD0455 EEC940B1 6A701018 37571EDB
  F84846A3 3C2DD003 99F6EFA2 796D8974 042AC364 D728AEC8 DA6EEB34 E98DD2E7
  8F2B4DE0 ED945888 1C905DE5 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014E8 EAF4BA66 1E67B316 A425E243 FA702EC5 798AB430 1D060355 1D0E0416
  0414E8EA F4BA661E 67B316A4 25E243FA 702EC579 8AB4300D 06092A86 4886F70D
  01010405 00038181 0060D501 BDF814CE 00DB7902 CE3BEF28 068A065B CD6715E0
  BB34AB1A DD38416A FCC4BA5C CE9DBAEC 31CA42D5 90255556 50EDD297 4264A28D
  C86C8789 CC87DA31 642752D5 1D4BE83D D91631E8 3D35D265 A4A074F2 7A889FD2
  37305219 2C962F4E 817A7CE2 FAE485A2 BED6E3F8 435C9451 CF2A665B D5DA4FFA
  61EF9AEF 14A45E6A 4B
        quit
!
redundancy
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14
!
!
!
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
!
crypto isakmp diagnose error
!
!
crypto ipsec transform-set default esp-gcm 256
!
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile
!
!
!
!       
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback1
 ip address 10.4.4.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Tunnel0
 ip address negotiated
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile default
!
interface Ethernet0/0
 ip address 45.0.0.4 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 45.0.0.5
!
no cdp advertise-v2
!
!
!
control-plane
!
!       
!
!
!
!
alias exec c config t
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input all
!
ntp server 5.5.5.5
!
end

R4#


Thursday, January 28, 2016

DVTI IKEv2 Hub and Spoke RSA-Sig


! R1
conf t
! "co" means contains: the map matches any certificate whose issuer name contains "cbtnuggets",
! so the real gate is chain validation against Trusted-CA (and the trustpoints here use revocation-check none)
crypto pki certificate map CMAP 1
issuer-name co cbtnuggets
exit

default crypto ikev2 proposal

crypto ikev2 proposal default
encryption aes-cbc-256
integrity sha256
group 14
exit

do show crypto ikev2 proposal default

default crypto ikev2 policy
do show crypto ikev2 policy default

crypto ikev2 profile IKEv2-Profile
identity local dn
match certificate CMAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint Trusted-CA
virtual-template 1
exit

default crypto ipsec transform-set
crypto ipsec transform-set default esp-gcm 256
exit

do show crypto ipsec transform-set default

default crypto ipsec profile
do show crypto ipsec profile

crypto ipsec profile default
set ikev2-profile IKEv2-Profile


interface virtual-template 1 type tunnel
ip unnumbered Loopback0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
ip ospf 1 area 0
end

!R2-R4
conf t
crypto pki certificate map CMAP 1
issuer-name co cbtnuggets
exit

default crypto ikev2 proposal

crypto ikev2 proposal default
encryption aes-cbc-256
integrity sha256
group 14
exit

do show crypto ikev2 proposal default

default crypto ikev2 policy
do show crypto ikev2 policy default

crypto ikev2 profile IKEv2-Profile
identity local dn
match certificate CMAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint Trusted-CA
exit

default crypto ipsec transform-set
crypto ipsec transform-set default esp-gcm 256
exit

do show crypto ipsec transform-set default

default crypto ipsec profile
do show crypto ipsec profile

crypto ipsec profile default
set ikev2-profile IKEv2-Profile

interface Tunnel0
ip unnumbered Loopback0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 15.0.0.1
tunnel protection ipsec profile default
ip ospf 1 area 0
end

show crypto ikev2 sa

show crypto engine connections active

show ip route ospf

ping 10.1.1.1 source 10.2.2.2

! R3

show crypto ikev2 sa

show crypto engine connections active

show ip route ospf

ping 10.1.1.1 source 10.3.3.3

ping 10.2.2.2 source 10.3.3.3

ping 10.4.4.4 source 10.3.3.3

traceroute 10.4.4.4 source 10.3.3.3
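The spokes authenticate with rsa-sig against Trusted-CA, the cert map only does a substring match on the issuer name, and every trustpoint on this page has revocation-check none, so the enrolled CA certificate is the whole trust anchor. The script below is an added example, not part of the lab notes and not Cisco code: using only the standard library it decodes the certificate ca 01 hex blob exactly as R1's running config prints it under "IKEv2 Pushing Policy" above and reports serial, signature algorithm, issuer/subject, validity and RSA key size (the same fields show crypto pki certificates prints on the box, but usable offline on an exported config). The emulation of the cert map's "co" operator as a plain substring test is an assumption, stated in the code.

```python
"""Added example (not from the lab notes): decode the X.509 certificate IOS stores as
hex under `crypto pki certificate chain` and report what the trust decision rests on."""
import re

# `certificate ca 01` verbatim from R1's running config on this page (page data, not constructed).
CA_CERT_HEX = """
30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
55040313 02434130 1E170D31 34303730 31313833 3732345A 170D3137 30363330
31383337 32345A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
0003818D 00308189 02818100 A198DCFC FA4458DA FED402A2 735A6A47 678FDD5F
946E78BC C5C23824 1C4CC015 CD2B1909 13C5AD37 A65CE556 D4F6A079 15858690
2E2AE2DF 3DC0F8C7 9010E5C4 8988FF0B 90CD0455 EEC940B1 6A701018 37571EDB
F84846A3 3C2DD003 99F6EFA2 796D8974 042AC364 D728AEC8 DA6EEB34 E98DD2E7
8F2B4DE0 ED945888 1C905DE5 02030100 01A36330 61300F06 03551D13 0101FF04
05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
168014E8 EAF4BA66 1E67B316 A425E243 FA702EC5 798AB430 1D060355 1D0E0416
0414E8EA F4BA661E 67B316A4 25E243FA 702EC579 8AB4300D 06092A86 4886F70D
01010405 00038181 0060D501 BDF814CE 00DB7902 CE3BEF28 068A065B CD6715E0
BB34AB1A DD38416A FCC4BA5C CE9DBAEC 31CA42D5 90255556 50EDD297 4264A28D
C86C8789 CC87DA31 642752D5 1D4BE83D D91631E8 3D35D265 A4A074F2 7A889FD2
37305219 2C962F4E 817A7CE2 FAE485A2 BED6E3F8 435C9451 CF2A665B D5DA4FFA
61EF9AEF 14A45E6A 4B
"""

SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):
    arcs, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                      # base-128 arcs, high bit set = more octets follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def name_to_str(name):
    """Render a DER Name (SET OF RDN) as 'O=...,CN=...' in encoded order."""
    parts = []
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))
            label = ATTR_NAMES.get(decode_oid(oid), decode_oid(oid))
            parts.append(f"{label}={val.decode('ascii')}")
    return ",".join(parts)

def parse_certificate(ios_hex):
    """Parse the IOS hex dump into the fields an operator actually decides on."""
    der = bytes.fromhex(re.sub(r"\s+", "", ios_hex))
    _, cert, _ = read_tlv(der, 0)                         # Certificate ::= SEQUENCE
    (_, tbs), (_, sig_alg), _ = list(children(cert))      # tbs, signatureAlgorithm, signatureValue
    f = list(children(tbs))
    i = 1 if f[0][0] == 0xA0 else 0                       # skip the optional [0] EXPLICIT version
    _, spk_bits = list(children(f[i + 5][1]))[1]          # SubjectPublicKeyInfo.subjectPublicKey
    _, rsa_key, _ = read_tlv(spk_bits, 1)                 # skip the BIT STRING unused-bits octet
    modulus = next(children(rsa_key))[1]                  # RSAPublicKey.modulus
    return {
        "serial": int.from_bytes(f[i][1], "big", signed=True),
        "sig_alg": SIG_ALGS.get(decode_oid(next(children(sig_alg))[1]), "unknown"),
        "issuer": name_to_str(f[i + 2][1]),
        "validity": tuple(v.decode("ascii") for _, v in children(f[i + 3][1])),
        "subject": name_to_str(f[i + 4][1]),
        "modulus_bits": int.from_bytes(modulus, "big").bit_length(),
    }

def matches_cert_map(info, needle="cbtnuggets"):
    """Emulate `issuer-name co <needle>`: a case-insensitive substring test on the issuer
    (assumption: 'co' is the 'contains' operator and nothing stricter)."""
    return needle.lower() in info["issuer"].lower()

def audit(info):
    """Flag what neither `revocation-check none` nor the cert map will ever catch."""
    findings = []
    if info["sig_alg"] in ("md5WithRSAEncryption", "sha1WithRSAEncryption"):
        findings.append(f"signed with {info['sig_alg']}")
    if info["modulus_bits"] < 2048:
        findings.append(f"RSA modulus is only {info['modulus_bits']} bits")
    if info["subject"] == info["issuer"]:
        findings.append("self-signed root: trust rests entirely on the enrolled copy")
    return findings
```

Call parse_certificate(CA_CERT_HEX) and audit() on the result: this CA is serial 1, O=cbtnuggets.com,CN=CA, valid 2014-07-01 to 2017-06-30, a 1024-bit RSA key, and it is signed with md5WithRSAEncryption, which the cert map cannot see because its only test is whether the issuer string contains "cbtnuggets". The identity certificates in the same configs can be fed to the same function (they are sha1WithRSAEncryption over 1024-bit keys); the parser walks the TBS by position, so it does not depend on the extensions present.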

Full configs after FlexVPN Hub and Spoke RSA-Sigs

R1#show run
Building configuration...

Current configuration : 5310 bytes
!
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated
!
crypto pki trustpoint Trusted-CA
 enrollment url http://5.5.5.5:80
 fqdn r1.cbtnuggets.com
 ip-address 15.0.0.1
 subject-name CN=r1,O=cbtnuggets.com
 revocation-check none
 rsakeypair r1.cbtnuggets.com
!
!
!
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 02
  3082024A 308201B3 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303633 30323034 3131355A 170D3135 30363330
  32303431 31355A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723131 37301506 092A8648 86F70D01 09081308
  31352E30 2E302E31 301E0609 2A864886 F70D0109 02161172 312E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00B653B6 ABDC5758 2339C4F1 7B0AD0F9 9E817998 568D6650 C6686D91
  807CAC24 78CB9986 32A0DA40 C33FF34E A249B631 E8D0D530 2D2288BF 79EEA549
  9E4B83B8 722766EB F9F26EF8 78F51485 2C263A89 FB535F96 4620B661 3EF83E39
  78FFDE79 8BC8485A 67A21841 6BC3E611 CAA1E8C9 51CE6E8C 4E1AD63A E3F837C0
  908D448E C3020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 DA6D6286 7C1E7F0E 00CCD5E5 CB67AC9B 131A5A49 301D0603
  551D0E04 160414A7 B4F5492A 70171837 E375E803 59BD0EFF 69B45530 0D06092A
  864886F7 0D010105 05000381 81000737 5EE3D7EA 52F95BF0 016C16C5 0E8D9CF9
  B573C05F D2267B72 D97F91D3 64869B82 ACDECDC6 F5459A26 1255C610 DA0BF921
  4763FE3D 2FB195E0 3F952249 1529B0D0 DFAD4287 301F927D 25D75B40 4A474C0A
  6E1E0898 B27FA7EE 127D0AA7 A2440648 62854251 77EE351A 230FBD78 EC3C6BF5
  AA2229B4 0499BF9C 235E1CE3 FEC1
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303633 30323033 3233395A 170D3137 30363239
  32303332 33395A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 E6A45D41 6A03505B 25AC43E4 DF75D423 4FC17F38
  B71CCB69 689C91A3 72805451 3F08E5A5 8270328E B8A90A3E AA4F5F10 E111BAA3
  0AE8A8FD E71E026E 9114E31E B7882821 492DE980 865B0E74 4720CF6B FE3E7DA9
  AD2A532D 0C8AC331 74516469 C417A751 8B681B49 B39FCA0D B2CF4801 9C231964
  D07D137C 80D00C53 AB343A59 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014DA 6D62867C 1E7F0E00 CCD5E5CB 67AC9B13 1A5A4930 1D060355 1D0E0416
  0414DA6D 62867C1E 7F0E00CC D5E5CB67 AC9B131A 5A49300D 06092A86 4886F70D
  01010405 00038181 0029D86B E3CCC3A7 1E364195 96CE9968 3C0A4D3A 32075312
  30E3AB3C D6D9EBEE 002BF78F 5E89AA91 6B5786D8 8E2895D9 D5338A3A B5F02391
  20F9A9C8 E257585E 6A5BA551 E6FE7191 71259408 5EB037CA 503E0206 E6B73C81
  66C88387 1052844A 17C462AF 6A845350 068E3459 A104B967 93B5EFBC AEEEFB26
  4AA7B748 CF9C0F38 1C
        quit
!
redundancy
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14
!
!
!
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
 virtual-template 1
!
crypto isakmp diagnose error
!
!
crypto ipsec transform-set default esp-gcm 256
!
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile
!
!
!
!
!        
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Ethernet0/0
 ip address 15.0.0.1 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 15.0.0.5
!
no cdp advertise-v2
!
!
!
control-plane
!
!
!
!        
!
!
alias exec c config t
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input all
!
ntp server 5.5.5.5
!
end

R2#show run
Building configuration...

Current configuration : 5297 bytes
!
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!        
!


!
!
!
!
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint Trusted-CA
 enrollment url http://5.5.5.5:80
 fqdn r2.cbtnuggets.com
 ip-address 25.0.0.2
 subject-name CN=r2,O=cbtnuggets.com
 revocation-check none
 rsakeypair r2.cbtnuggets.com
!
!
!
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 03
  3082024A 308201B3 A0030201 02020103 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303633 30323034 3231345A 170D3135 30363330
  32303432 31345A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723231 37301506 092A8648 86F70D01 09081308
  32352E30 2E302E32 301E0609 2A864886 F70D0109 02161172 322E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00D05645 14D61302 091164C1 959EB527 ED87FE2E 797258EA 67464B66
  14AE2E62 4A6C472A 6CD01B51 65848B64 28B697ED 04D344F3 35A0D7F0 72425D64
  949D1BB7 77562536 F56327D8 95469071 239A7DE3 45F5ECFE 13F6181D F8AD2178
  0398294A 34DA4B10 DCC7FE72 651266F5 78A6493C 6B85EEE4 163A0DD3 273204C1
  4CAF2E68 7F020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 DA6D6286 7C1E7F0E 00CCD5E5 CB67AC9B 131A5A49 301D0603
  551D0E04 16041453 0CF1AEB9 56EFA10D 13C0008F 4142CB1E DEF21930 0D06092A
  864886F7 0D010105 05000381 810083C2 18142500 53E6E3F7 F9207B1B 53D9FC31
  A6FB145C 75CAAD58 C63B7F9E AB04A017 C1593332 A50C5C29 04A1E4AC 8075B724
  F7B2BE57 E43192B3 5C9BBC6B F72F1C09 45E26852 23C13393 A0D8CDCB C816EDE5
  E9028950 9FCC85D1 4653245E D925F977 3FF0D167 5349EC86 14CBF14E 201EF3E5
  8C535775 C66CEBA2 A42EAE67 EB49
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303633 30323033 3233395A 170D3137 30363239
  32303332 33395A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 E6A45D41 6A03505B 25AC43E4 DF75D423 4FC17F38
  B71CCB69 689C91A3 72805451 3F08E5A5 8270328E B8A90A3E AA4F5F10 E111BAA3
  0AE8A8FD E71E026E 9114E31E B7882821 492DE980 865B0E74 4720CF6B FE3E7DA9
  AD2A532D 0C8AC331 74516469 C417A751 8B681B49 B39FCA0D B2CF4801 9C231964
  D07D137C 80D00C53 AB343A59 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014DA 6D62867C 1E7F0E00 CCD5E5CB 67AC9B13 1A5A4930 1D060355 1D0E0416
  0414DA6D 62867C1E 7F0E00CC D5E5CB67 AC9B131A 5A49300D 06092A86 4886F70D
  01010405 00038181 0029D86B E3CCC3A7 1E364195 96CE9968 3C0A4D3A 32075312
  30E3AB3C D6D9EBEE 002BF78F 5E89AA91 6B5786D8 8E2895D9 D5338A3A B5F02391
  20F9A9C8 E257585E 6A5BA551 E6FE7191 71259408 5EB037CA 503E0206 E6B73C81
  66C88387 1052844A 17C462AF 6A845350 068E3459 A104B967 93B5EFBC AEEEFB26
  4AA7B748 CF9C0F38 1C
        quit
!
redundancy
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14
!
!
!
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
!
crypto isakmp diagnose error
!
!
crypto ipsec transform-set default esp-gcm 256
!
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile
!
!
!
!
!
!        
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip address 10.2.2.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Tunnel0
 ip unnumbered Loopback0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile default
!
interface Ethernet0/0
 ip address 25.0.0.2 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!        
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!        
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 25.0.0.5
!
no cdp advertise-v2
!
!
!
control-plane
!
!
!
!        
!
!
alias exec c config t
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input all
!
ntp server 5.5.5.5
!
end

R3#show run
Building configuration...

Current configuration : 5362 bytes
!
! No configuration change since last restart
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!        
!
!


!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint Trusted-CA
 enrollment url http://5.5.5.5:80
 fqdn r3.cbtnuggets.com
 ip-address 35.0.0.3
 subject-name CN=r3,O=cbtnuggets.com
 revocation-check none
 rsakeypair r3.cbtnuggets.com
!
!
!
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 05
  3082024A 308201B3 A0030201 02020105 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303633 30323034 3434385A 170D3135 30363330
  32303434 34385A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723331 37301506 092A8648 86F70D01 09081308
  33352E30 2E302E33 301E0609 2A864886 F70D0109 02161172 332E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00BA9808 06198447 65F544EC A4F09FCA E64247A3 4A4EA352 681CD308
  B91A4347 9498A3C2 119452F6 50267CFF 29B1DF2D 208904D8 810DF8CC 5B12E861
  BB39FE11 77555806 3FD86998 769857AE 8DE366D1 FF2C71D3 B2BEEC27 56AC794E
  21579444 32C94D6F 412F5FDF BA85F630 8C0C8D2B DF8B33E6 AA170541 41F464A5
  CCDF6E4F B3020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 DA6D6286 7C1E7F0E 00CCD5E5 CB67AC9B 131A5A49 301D0603
  551D0E04 16041488 16086A9F D82A29BC EC299C99 EA4D6A6A 4ACA1B30 0D06092A
  864886F7 0D010105 05000381 81003B7A FD0455AC 07A73A7B B36B9591 4077E90C
  40A2FA85 22632AF3 12328BDB BFE9F16E B57BE785 FF2B5FDE A805121E 7955D4F7
  BCCA5E5A 094E889D 21D65FFC D18F36A2 6CB3786E 9BF39708 18D5D905 B543D727
  D8A2223D 522EE178 128F55A5 4D45BEAA 01D486C6 407A5348 1EF3E0A3 7779E6B3
  C502586A B9F79A88 53F85D41 7DD7
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303633 30323033 3233395A 170D3137 30363239
  32303332 33395A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 E6A45D41 6A03505B 25AC43E4 DF75D423 4FC17F38
  B71CCB69 689C91A3 72805451 3F08E5A5 8270328E B8A90A3E AA4F5F10 E111BAA3
  0AE8A8FD E71E026E 9114E31E B7882821 492DE980 865B0E74 4720CF6B FE3E7DA9
  AD2A532D 0C8AC331 74516469 C417A751 8B681B49 B39FCA0D B2CF4801 9C231964
  D07D137C 80D00C53 AB343A59 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014DA 6D62867C 1E7F0E00 CCD5E5CB 67AC9B13 1A5A4930 1D060355 1D0E0416
  0414DA6D 62867C1E 7F0E00CC D5E5CB67 AC9B131A 5A49300D 06092A86 4886F70D
  01010405 00038181 0029D86B E3CCC3A7 1E364195 96CE9968 3C0A4D3A 32075312
  30E3AB3C D6D9EBEE 002BF78F 5E89AA91 6B5786D8 8E2895D9 D5338A3A B5F02391
  20F9A9C8 E257585E 6A5BA551 E6FE7191 71259408 5EB037CA 503E0206 E6B73C81
  66C88387 1052844A 17C462AF 6A845350 068E3459 A104B967 93B5EFBC AEEEFB26
  4AA7B748 CF9C0F38 1C
        quit
!
redundancy
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14
!
!
!
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
!
crypto isakmp diagnose error
!
!
crypto ipsec transform-set default esp-gcm 256
!
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile
!
!
!
!        
!
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Loopback1
 ip address 10.3.3.3 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Tunnel0
 ip unnumbered Loopback0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile default
!
interface Ethernet0/0
 ip address 35.0.0.3 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 35.0.0.5
!
no cdp advertise-v2
!
!
!
control-plane
!
!        
!
!
!
!
alias exec c config t
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input all
!
ntp server 5.5.5.5
!
end


R4#show run
Building configuration...

Current configuration : 5362 bytes
!
! No configuration change since last restart
version 15.3
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone PST -8 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!        
!
!


!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint Trusted-CA
 enrollment url http://5.5.5.5:80
 fqdn r4.cbtnuggets.com
 ip-address 45.0.0.5
 subject-name CN=r4,O=cbtnuggets.com
 revocation-check none
 rsakeypair r4.cbtnuggets.com
!
!
!
crypto pki certificate map CMAP 1
 issuer-name co cbtnuggets
!
crypto pki certificate chain Trusted-CA
 certificate 06
  3082024A 308201B3 A0030201 02020106 300D0609 2A864886 F70D0101 05050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303633 30323034 3535375A 170D3135 30363330
  32303435 35375A30 5F311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02723431 37301506 092A8648 86F70D01 09081308
  34352E30 2E302E35 301E0609 2A864886 F70D0109 02161172 342E6362 746E7567
  67657473 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
  89028181 00E889F5 E2664DBA 00E488E4 127F00E9 33067393 0E33086B 426EABF6
  2A1ECA04 7AC8F3FB C1EAC99B 111B6D81 3CAB9F07 6C8028C5 18A5B24E F37D1352
  7EC3D9BA D2EF3F50 D0ED797A 0E3985B6 BD04B526 12D8EF6F 573C7F1F 9A5C0F0E
  88F4B4B4 DF62DDED 563AEAB3 26B3F7AF 4ED072CB C8561614 34F70E09 37A512F9
  61C2C969 B7020301 0001A34F 304D300B 0603551D 0F040403 0205A030 1F060355
  1D230418 30168014 DA6D6286 7C1E7F0E 00CCD5E5 CB67AC9B 131A5A49 301D0603
  551D0E04 160414AF 5F14869D A54E1338 262F03F8 52F15188 F481D630 0D06092A
  864886F7 0D010105 05000381 8100529C DB22B2EC 116E90E7 297410F3 69761163
  2D380858 788C6A3A 4D232C4C E80DE083 5106D1D2 AF124A5E 2A0DAD96 1B9EE611
  D6116C80 0BC7CA74 483C71BA 7F6BFA7D 52DD5324 BF4331CC AC46E375 36EEFD6B
  3A3007D4 76AA2EB8 4D8E2380 77D71A69 3D9EA83A 394BC0AA 3C232706 31C362E7
  C3F4A7C9 0BB2C5DA 89F858F6 FAFE
        quit
 certificate ca 01
  30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
  55040313 02434130 1E170D31 34303633 30323033 3233395A 170D3137 30363239
  32303332 33395A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
  6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
  0003818D 00308189 02818100 E6A45D41 6A03505B 25AC43E4 DF75D423 4FC17F38
  B71CCB69 689C91A3 72805451 3F08E5A5 8270328E B8A90A3E AA4F5F10 E111BAA3
  0AE8A8FD E71E026E 9114E31E B7882821 492DE980 865B0E74 4720CF6B FE3E7DA9
  AD2A532D 0C8AC331 74516469 C417A751 8B681B49 B39FCA0D B2CF4801 9C231964
  D07D137C 80D00C53 AB343A59 02030100 01A36330 61300F06 03551D13 0101FF04
  05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
  168014DA 6D62867C 1E7F0E00 CCD5E5CB 67AC9B13 1A5A4930 1D060355 1D0E0416
  0414DA6D 62867C1E 7F0E00CC D5E5CB67 AC9B131A 5A49300D 06092A86 4886F70D
  01010405 00038181 0029D86B E3CCC3A7 1E364195 96CE9968 3C0A4D3A 32075312
  30E3AB3C D6D9EBEE 002BF78F 5E89AA91 6B5786D8 8E2895D9 D5338A3A B5F02391
  20F9A9C8 E257585E 6A5BA551 E6FE7191 71259408 5EB037CA 503E0206 E6B73C81
  66C88387 1052844A 17C462AF 6A845350 068E3459 A104B967 93B5EFBC AEEEFB26
  4AA7B748 CF9C0F38 1C
        quit
!
redundancy
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14
!
!
!
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
!
crypto isakmp diagnose error
!
!
crypto ipsec transform-set default esp-gcm 256
!
crypto ipsec profile default
 set ikev2-profile IKEv2-Profile
!
!
!
!        
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Loopback1
 ip address 10.4.4.4 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface Tunnel0
 ip unnumbered Loopback0
 ip ospf 1 area 0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile default
!
interface Ethernet0/0
 ip address 45.0.0.4 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 45.0.0.5
!
no cdp advertise-v2
!
!
!
control-plane
!
!        
!
!
!
!
alias exec c config t
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input all
!
ntp server 5.5.5.5
!
end

RSA-Sig authentication of IKEv2


FlexVPN site to site with RSA-Sig authentication of IKEv2
An IKEv2 keyring is only needed when the peers authenticate with pre-shared keys; with RSA-Sig the certificate from the trustpoint is used instead.

! R1
conf t

no crypto pki trustpoint Trusted-CA
yes

crypto key zeroize rsa
yes

crypto key generate rsa modulus 1024 label r1.cbtnuggets.com

crypto pki trustpoint Trusted-CA
enrollment url http://5.5.5.5
rsakeypair r1.cbtnuggets.com
fqdn r1.cbtnuggets.com
subject-name CN=r1,O=cbtnuggets.com
revocation-check none
exit

crypto pki authenticate Trusted-CA

crypto pki enroll Trusted-CA

crypto pki certificate map CMAP 10
issuer-name co cbtnuggets
exit

crypto ikev2 proposal IKEv2-Proposal
encryption aes-cbc-128
integrity sha1
group 5
exit

crypto ikev2 policy IKEv2-Policy
proposal IKEv2-Proposal
exit

crypto ikev2 profile IKEv2-Profile
identity local dn
match certificate CMAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint Trusted-CA
exit

crypto ipsec transform-set Our-TSET esp-aes esp-sha-hmac
mode transport

crypto ipsec profile IPsec-Profile
set transform-set Our-TSET
set ikev2-profile IKEv2-Profile
exit

interface Tunnel0
ip unnumbered loop 0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 25.0.0.2
tunnel protection ipsec profile IPsec-Profile
ip ospf 1 area 0
end

! R2
conf t

no crypto pki trustpoint Trusted-CA
yes

crypto key zeroize rsa
yes

crypto key generate rsa modulus 1024 label r2.cbtnuggets.com

crypto pki trustpoint Trusted-CA
enrollment url http://5.5.5.5
rsakeypair r2.cbtnuggets.com
fqdn r2.cbtnuggets.com
subject-name CN=r2,O=cbtnuggets.com
revocation-check none
exit

crypto pki authenticate Trusted-CA

crypto pki enroll Trusted-CA

crypto pki certificate map CMAP 10
issuer-name co cbtnuggets
exit

crypto ikev2 proposal IKEv2-Proposal
encryption aes-cbc-128
integrity sha1
group 5
exit

crypto ikev2 policy IKEv2-Policy
proposal IKEv2-Proposal
exit

crypto ikev2 profile IKEv2-Profile
identity local dn
match certificate CMAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint Trusted-CA
exit

crypto ipsec transform-set Our-TSET esp-aes esp-sha-hmac
mode transport
exit

crypto ipsec profile IPsec-Profile
set transform-set Our-TSET
set ikev2-profile IKEv2-Profile
exit

interface Tunnel0
ip unnumbered loop 0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 15.0.0.1
tunnel protection ipsec profile IPsec-Profile
ip ospf 1 area 0
end

show crypto ikev2 sa

show crypto ikev2 sa detail

show crypto engine connections active

show ip route ospf

ping 10.1.1.1 source 10.2.2.2



Certificate Install


Setting up Digital Certificates

! R5
conf t

ntp master 5
int loop 0
ip add 5.5.5.5 255.255.255.255

exit
ip http server

crypto pki server CA
issuer-name CN=CA,O=cbtnuggets.com
hash sha512
grant auto
no shutdown

end

show crypto pki server

! R1 as CA client

ping 5.5.5.5

conf t

ntp server 5.5.5.5

do show ntp associations

do show ntp status

crypto key generate rsa modulus 2048 label r1.cbtnuggets.com

do show crypto key mypubkey rsa r1.cbtnuggets.com

crypto pki trustpoint Trusted-CA
enrollment url http://5.5.5.5
rsakeypair r1.cbtnuggets.com
fqdn r1.cbtnuggets.com
subject-name CN=r1,O=cbtnuggets.com
revocation-check none
exit

crypto pki authenticate Trusted-CA

do show crypto pki trustpoints

do show crypto pki certificates

crypto pki enroll Trusted-CA

do show crypto pki certificates verbose Trusted-CA

end

! R2 as CA client

conf t
ntp server 5.5.5.5

crypto key generate rsa modulus 2048 label r2.cbtnuggets.com

crypto pki trustpoint Trusted-CA
enrollment url http://5.5.5.5
rsakeypair r2.cbtnuggets.com
fqdn r2.cbtnuggets.com
subject-name CN=r2,O=cbtnuggets.com
revocation-check none
exit

crypto pki authenticate Trusted-CA

crypto pki enroll Trusted-CA

end

show crypto pki certificates


! R3 as CA client

conf t
ntp server 5.5.5.5

crypto key generate rsa modulus 2048 label r3.cbtnuggets.com

crypto pki trustpoint Trusted-CA
enrollment url http://5.5.5.5
rsakeypair r3.cbtnuggets.com
fqdn r3.cbtnuggets.com
subject-name CN=r3,O=cbtnuggets.com
revocation-check none
exit

crypto pki authenticate Trusted-CA

crypto pki enroll Trusted-CA

end

show crypto pki certificates

! R4 as CA client

conf t
ntp server 5.5.5.5

crypto key generate rsa modulus 2048 label r4.cbtnuggets.com

crypto pki trustpoint Trusted-CA
enrollment url http://5.5.5.5
rsakeypair r4.cbtnuggets.com
fqdn r4.cbtnuggets.com
subject-name CN=r4,O=cbtnuggets.com
revocation-check none
exit

crypto pki authenticate Trusted-CA

crypto pki enroll Trusted-CA

end

show crypto pki certificates
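Added example, written for this page rather than taken from IOS or Cisco tooling: a standard-library Python decoder for the CA certificate that 'show run' prints under 'crypto pki certificate chain Trusted-CA' above (the hex is copied from the 'certificate ca 01' block, which is identical on R1-R4). It pulls out the fields to look at before answering 'yes' to 'crypto pki authenticate', checks the clock against the validity window (which is what the 'ntp server 5.5.5.5' step is for), and certificate_map_matches mirrors the 'issuer-name co cbtnuggets' rule used by the RSA-Sig section's certificate map. Decoding this particular certificate shows a signature OID of 1.2.840.113549.1.1.4 (md5WithRSAEncryption) and a 1024-bit RSA key, both of which review() flags. Only the CN and O attribute types are mapped to names, only basicConstraints is interpreted among the extensions, and the case-insensitive treatment of 'co' is an assumption of this script.

```python
import datetime, hashlib, re

# Copied from the 'certificate ca 01' block in the 'show run' output above (same on R1-R4).
CA_CERT_HEX = """
30820225 3082018E A0030201 02020101 300D0609 2A864886 F70D0101 04050030
26311730 15060355 040A130E 6362746E 75676765 74732E63 6F6D310B 30090603
55040313 02434130 1E170D31 34303633 30323033 3233395A 170D3137 30363239
32303332 33395A30 26311730 15060355 040A130E 6362746E 75676765 74732E63
6F6D310B 30090603 55040313 02434130 819F300D 06092A86 4886F70D 01010105
0003818D 00308189 02818100 E6A45D41 6A03505B 25AC43E4 DF75D423 4FC17F38
B71CCB69 689C91A3 72805451 3F08E5A5 8270328E B8A90A3E AA4F5F10 E111BAA3
0AE8A8FD E71E026E 9114E31E B7882821 492DE980 865B0E74 4720CF6B FE3E7DA9
AD2A532D 0C8AC331 74516469 C417A751 8B681B49 B39FCA0D B2CF4801 9C231964
D07D137C 80D00C53 AB343A59 02030100 01A36330 61300F06 03551D13 0101FF04
05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830
168014DA 6D62867C 1E7F0E00 CCD5E5CB 67AC9B13 1A5A4930 1D060355 1D0E0416
0414DA6D 62867C1E 7F0E00CC D5E5CB67 AC9B131A 5A49300D 06092A86 4886F70D
01010405 00038181 0029D86B E3CCC3A7 1E364195 96CE9968 3C0A4D3A 32075312
30E3AB3C D6D9EBEE 002BF78F 5E89AA91 6B5786D8 8E2895D9 D5338A3A B5F02391
20F9A9C8 E257585E 6A5BA551 E6FE7191 71259408 5EB037CA 503E0206 E6B73C81
66C88387 1052844A 17C462AF 6A845350 068E3459 A104B967 93B5EFBC AEEEFB26
4AA7B748 CF9C0F38 1C
"""
SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_name(value):
    """X.501 Name -> 'CN=CA,O=cbtnuggets.com', the form IOS uses for subject-name."""
    parts = {}
    for _, rdn in children(value):           # SEQUENCE OF RelativeDistinguishedName (a SET)
        for _, atv in children(rdn):         # AttributeTypeAndValue SEQUENCE { OID, value }
            (_, oid), (_, val) = list(children(atv))
            parts[ATTR_NAMES.get(decode_oid(oid), decode_oid(oid))] = val.decode()
    return ",".join(f"{k}={v}" for k, v in sorted(parts.items()))

def parse_certificate(hex_blob):
    der = bytes.fromhex(re.sub(r"\s+", "", hex_blob))
    _, cert, _ = read_tlv(der)
    (_, tbs), (_, sig_alg), _ = list(children(cert))
    f = list(children(tbs))  # [0]version, serial, sigAlg, issuer, validity, subject, spki, [3]exts
    not_before, not_after = (datetime.datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
                             for _, v in children(f[4][1]))
    # SubjectPublicKeyInfo -> BIT STRING (skip the unused-bits octet) -> RSAPublicKey { n, e }
    bit_string = list(children(f[6][1]))[1][1][1:]
    modulus, _ = (int.from_bytes(v, "big") for _, v in children(next(children(bit_string))[1]))
    is_ca = False
    for _, ext in children(next(children(f[7][1]))[1]):  # Extension { OID, [critical], OCTET STRING }
        items = list(children(ext))
        if decode_oid(items[0][1]) == "2.5.29.19":       # basicConstraints { [cA BOOLEAN] }
            bc = list(children(next(children(items[-1][1]))[1]))
            is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] == b"\xff"
    oid = decode_oid(next(children(sig_alg))[1])
    return {"serial": int.from_bytes(f[1][1], "big"), "signature_algorithm": SIG_ALGS.get(oid, oid),
            "issuer": decode_name(f[3][1]), "subject": decode_name(f[5][1]),
            "not_before": not_before, "not_after": not_after, "is_ca": is_ca,
            "key_bits": modulus.bit_length(),
            # IOS prints this fingerprint during 'crypto pki authenticate'; confirm it out of band.
            "fingerprint_sha1": hashlib.sha1(der).hexdigest()}

def review(cert, now):
    """Findings to raise before trusting this CA for IKEv2 rsa-sig authentication."""
    findings = []
    if cert["signature_algorithm"] in ("md5WithRSAEncryption", "sha1WithRSAEncryption"):
        findings.append("weak signature algorithm " + cert["signature_algorithm"])
    if cert["key_bits"] < 2048:
        findings.append(f"RSA key is only {cert['key_bits']} bits")
    if not cert["is_ca"]:
        findings.append("basicConstraints does not mark this certificate as a CA")
    if now < cert["not_before"]:
        findings.append("certificate not yet valid: check the router clock / NTP")
    elif now > cert["not_after"]:
        findings.append("certificate expired")
    return findings

def certificate_map_matches(cert, issuer_contains):
    """The page's certificate map rule 'issuer-name co cbtnuggets': 'co' = issuer DN contains the string."""
    return issuer_contains.lower() in cert["issuer"].lower()
```

Run parse_certificate(CA_CERT_HEX) and review(info, datetime.datetime.now()) to see the decoded fields and findings; a router whose clock has not been set by NTP will report the certificate as not yet valid, which is the usual cause of a failed 'crypto pki authenticate' or enrollment in this lab.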




FlexVPN Smart Defaults


! R1

ping 25.0.0.2 source 15.0.0.1

show crypto ikev2 proposal default

show crypto ikev2 policy default

show crypto ipsec transform-set default

show crypto ipsec profile default

conf t

crypto ikev2 proposal default
encryption aes-cbc-256
integrity sha256
group 2
exit

do show crypto ikev2 proposal default

! reset the defaults

default crypto ikev2 proposal

do show crypto ikev2 proposal default

! customize the one R1 will use

crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192
integrity sha512 sha384 sha256
group 20 16 15 14
exit

do show crypto ikev2 proposal default

crypto ikev2 keyring Our-Keys
peer R2
address 25.0.0.2
identity address 25.0.0.2
pre-shared-key local cisco123
pre-shared-key remote cisco123
exit
exit

crypto ikev2 profile default
match identity remote address 25.0.0.2
identity local address 15.0.0.1
authentication local pre-share
authentication remote pre-share
keyring local Our-Keys
lifetime 7200
exit

do show crypto ipsec transform-set

crypto ipsec transform-set default esp-gcm 256
exit

do show crypto ipsec transform-set

! ipsec profile

do show crypto ipsec profile default

crypto ipsec profile default
set pfs group20
exit

do show crypto ipsec profile default

int tun 5
tunnel mode ipsec ipv4
ip unnumbered loop 0
tunnel source e0/0
tunnel destination 25.0.0.2
ip ospf 1 area 0
tunnel protection ipsec profile default
end

! R2

conf t
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192
integrity sha512 sha384 sha256
group 20 16 15 14
exit

do show crypto ikev2 proposal default

do show crypto ikev2 policy default

crypto ikev2 keyring Our-Keys
peer R1
address 15.0.0.1
identity address 15.0.0.1
pre-shared-key local cisco123
pre-shared-key remote cisco123
exit
exit

crypto ikev2 profile default
match identity remote address 15.0.0.1
identity local address 25.0.0.2
authentication local pre-share
authentication remote pre-share
keyring local Our-Keys
lifetime 7200
! the IKEv2 SA lifetime need not be identical on both peers
exit

crypto ipsec transform-set default esp-gcm 256
exit

crypto ipsec profile default
set pfs group20
exit

int tun 5
tunnel mode ipsec ipv4
ip unnumbered loop 0
tunnel source e0/0
tunnel destination 15.0.0.1
ip ospf 1 area 0
tunnel protection ipsec profile default
end

show crypto ikev2 sa

show crypto ikev2 sa detail

conf t
crypto ikev2 dpd 60 2 on-demand
end

show crypto engine connections active

clear crypto ikev2 sa

show crypto ikev2 sa detail

show ip ospf neighbor

show ip route ospf

ping 10.1.1.1 source 10.2.2.2 repeat 1000

show crypto engine connections active



Wednesday, January 27, 2016

Call Admission Control


Call Admission Control (CAC) helps protect the router against:
- TCP SYN flood attacks
- DDoS attacks

For IKE phase 1, CAC enforces two limits:
- In-negotiation limit
- SA limit

These cap how many sessions a device can have at any given point in time.

In our topology R5 represents the internet.
on R2:
ping 10.1.1.1 source g2/0
ping 10.3.3.3 source g2/0
ping 10.4.4.4 source g2/0
show history

show crypto isakmp sa
On R5 we have 5 active IKE phase 1 SAs (tunnels).

show crypto call admission statistics
By default the maximum number of SAs in negotiation is 1000.

conf t
crypto call admission limit ike sa 2
crypto call admission limit ike in-negotiation-sa 10

show crypto call admission statistics

show crypto isakmp sa

R1: create additional SAs
int s1/0
shutdown
clear crypto isakmp

Do the same on each router, then bring the interfaces back up on all routers.

R2 :
show crypto isakmp sa

show ip route eigrp

ping 10.1.1.1 source 10.2.2.2

ping 10.4.4.4 source 10.2.2.2

show crypto isakmp sa
show crypto call admission statistics
! 1 IKE request will be rejected


Flex VPN DVTI


!R5

show crypto ikev2 sa

show crypto engine connections active

ping 10.6.0.6 source 10.5.0.5

show run | section crypto

show ip int brief | exclude unassigned

show ip protocols

show ip route ospf


conf t
no int tun 3

interface virtual-template 1 type tunnel
ip unnumbered loop 0
tunnel source gig 0/0
tunnel mode ipsec ipv4
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf 1 area 0
tunnel protection ipsec profile default
exit

crypto ikev2 profile OUR-PROFILE
virtual-template 1
end

show crypto ikev2 sa

show ip route ospf

ping 10.6.0.6 source 10.5.0.5

FlexVPN IKEv2 Site to Site Tunnels


FlexVPN: a single IKEv2-based framework that combines all the VPN techniques we have seen so far.

GCM (Galois/Counter Mode) is an authenticated-encryption mode of operation for symmetric block ciphers; because it provides integrity as well as confidentiality, an esp-gcm transform set needs no separate esp-sha-hmac transform.

R5:
Verify the connectivity
ping 46.0.0.6 source 45.0.0.5

show crypto ikev2 proposal default

show crypto ikev2 policy default

! Use default IKEv2 proposal
! demo custom one
conf t
crypto ikev2 proposal OUR-Proposal
! demo: use ? to list the encryption, integrity and group options
exit

no crypto ikev2 proposal OUR-Proposal
do show crypto ikev2 proposal

crypto ikev2 keyring OUR-KEY-RING
peer R6-Branch-Router
description This describes R6
address 46.0.0.6
identity fqdn r6.cbtnuggets.com
pre-shared-key local cisco-ABC
pre-shared-key remote cisco-XYZ
exit
exit

crypto ikev2 profile OUR-PROFILE
identity local fqdn R5.cbtnuggets.com
match identity remote fqdn R6.cbtnuggets.com
authentication local pre-share
authentication remote pre-share
keyring OUR-KEY-RING
exit

do show crypto ipsec transform-set

crypto ipsec profile default
set ikev2-profile OUR-PROFILE
exit

interface tunnel 3
ip unnumbered loop 0
tunnel source gig 0/0
tunnel destination 46.0.0.6
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
ip mtu 1400
ip tcp adjust-mss 1360
exit

Use static route:
ip route 10.6.0.0 255.255.255.0 tunnel 3 200
end

R6:
conf t
crypto ikev2 keyring OUR-KEY-RING
peer R5-HQ-Router
address 45.0.0.5
identity fqdn r5.cbtnuggets.com

pre-shared-key local cisco-XYZ

pre-shared-key remote cisco-ABC
exit

exit

crypto ikev2 profile OUR-PROFILE
identity local fqdn R6.cbtnuggets.com
match identity remote fqdn R5.cbtnuggets.com
authentication local pre-share
authentication remote pre-share
keyring OUR-KEY-RING
exit

crypto ipsec profile default
set ikev2-profile OUR-PROFILE
exit

interface tunnel 3
ip unnumbered loop 0
tunnel source gig 0/1
tunnel mode ipsec ipv4
tunnel destination 45.0.0.5
tunnel protection ipsec profile default
ip mtu 1400
ip tcp adjust-mss 1360
exit

ip route 10.5.0.0 255.255.255.0 tunnel 3 200
end

show ip route

ping 10.5.0.5 source 10.6.0.6

show crypto ikev2 sa

show crypto ipsec sa

show crypto engine connections active

ping 10.5.0.5 source 10.6.0.6 repeat 1000

show crypto engine connections active

! Still on R6
conf t
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
exit

interface tunnel 3
ip ospf 1 area 0
exit

end

show ip ospf int brief

! R5
conf t
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
exit

interface tunnel 3
ip ospf 1 area 0
end

show ip ospf int brief

show ip ospf neighbor

show ip route ospf

ping 10.6.0.6 source 10.5.0.5




Tuesday, January 26, 2016

Dynamic VTI Hub


DVTI

ping 25.0.0.2

ping 35.0.0.3

ping 45.0.0.4

show run | section crypto

conf t

crypto isakmp policy 1
encr aes 192
authentication pre-share
group 5
exit

crypto keyring OUR-PSKs
pre-shared-key address 0.0.0.0 key cisco123
exit

crypto ipsec transform-set OUR-SET esp-aes 128 esp-md5-hmac
exit

crypto ipsec profile OUR-IPsec-PROFILE
set transform-set OUR-SET
exit

interface virtual-template 1 type tunnel
ip unnumbered loop 0
tunnel mode ipsec ipv4
tunnel protection ipsec profile OUR-IPsec-PROFILE
exit

crypto isakmp profile OUR-IKE-PROFILE
match identity address 25.0.0.2 255.255.255.255
match identity address 0.0.0.0
virtual-template 1
keyring OUR-PSKs
exit

router eigrp 777
no auto-summary
network 1.0.0.0
network 10.0.0.0
end

! R2-R4
conf t
crypto isakmp policy 1
encr aes 192
authentication pre-share
group 5
exit

crypto isakmp key cisco123 address 0.0.0.0

crypto ipsec transform-set OUR-SET esp-aes 128 esp-md5-hmac
exit

crypto ipsec profile OUR-IPsec-PROFILE
set transform-set OUR-SET
exit

interface tunnel 2
tunnel mode ipsec ipv4

ip unnumbered loopback 0
tunnel source serial 1/0
tunnel destination 15.0.0.1

tunnel protection ipsec profile OUR-IPsec-PROFILE
exit

router eigrp 777
no auto-summary
! Note: only need to include networks local to the router you are working on
network 2.0.0.0
network 3.0.0.0
network 4.0.0.0
network 10.0.0.0
end

! R1
show crypto isakmp sa

show ip int brief | exclude unassigned

show crypto engine connections active

!  R2

show ip route eigrp

ping 10.3.3.3 source 10.2.2.2

traceroute 10.3.3.3



VTI site to site static VPNs


To apply different policies to different traffic, we can use a Virtual Tunnel Interface (VTI) on an IOS router.

VTI site-to-site static

! R1
conf t

! Old tunnel for DMVPN
int tun 0
shutdown
exit

crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
mode tunnel
exit

crypto ipsec profile P2P-PROFILE
set transform-set P2P-SET
exit

do show run | section crypto

interface tunnel 1
ip unnumbered loopback 0
! borrows the IP address of Loopback0 for the tunnel interface
tunnel source serial 1/0
tunnel destination 35.0.0.3

tunnel mode ipsec ipv4
tunnel protection ipsec profile P2P-PROFILE
exit

router eigrp 777
network 1.1.1.1 0.0.0.0
end

! R3
conf t

! Old tunnel for DMVPN
int tun 0
shutdown
exit

crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
mode tunnel
exit

crypto ipsec profile P2P-PROFILE
set transform-set P2P-SET
exit

do show run | section crypto

interface tunnel 1
ip unnumbered loopback 0
tunnel source serial 1/0
tunnel destination 15.0.0.1

tunnel mode ipsec ipv4
tunnel protection ipsec profile P2P-PROFILE
exit

router eigrp 777
network 3.3.3.3 0.0.0.0
end

show crypto isakmp sa

show crypto engine connection active

show ip eigrp neighbors

show ip route eigrp

ping 10.1.1.1 source 10.3.3.3

show ip int brief | exclude unassigned

Let's apply different policies to the traffic going through the tunnel interface and to the traffic flowing in clear text, i.e. through the physical interface.

! R3 Policies
conf t
class-map match-all VTI-CLASS
match any
exit

class-map match-all Serial-CLASS
match any
exit

do show class-map

policy-map VTI-MAP
class VTI-CLASS
set precedence 2
exit
exit

policy-map Serial-MAP
class Serial-CLASS
set precedence 4
exit
exit

do show policy-map

int tunnel 1
service-policy output VTI-MAP
exit

int serial 1/0
service-policy output Serial-MAP
end

show policy-map interface tunnel 1

show policy-map interface serial 1/0

ping 15.0.0.1 repeat 3

show policy-map interface serial 1/0


Troubleshooting DMVPN



1. Check basic connectivity
ping, traceroute

2. Make sure the following protocols are allowed through to the DMVPN routers
UDP port 500: IKE phase 1 uses this port for negotiation by default
UDP port 4500: used in case of NAT traversal (NAT-T)
IP protocol 50: ESP, which carries the IPsec traffic, i.e. IKE phase 2

3. Do we have compatible IKE phase 1 policies?
Do we have compatible transform sets?
Do we have the correct authentication setup?

! Prep to break R2
conf t
interface gig 1/0
shutdown

interface Tunnel0
tunnel key 7683
exit

crypto isakmp policy 5
encr aes 128
exit

no crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
no crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp key cisco address 0.0.0.0 0.0.0.0

crypto ipsec transform-set OURSET esp-aes 256 esp-md5-hmac
mode transport
exit

logging console 7
end
clear crypto sa
undebug all
clear log

! Fix R2
interface gig 1/0
no shutdown

interface Tunnel0
tunnel key 6783
exit

crypto isakmp policy 5
encr aes 256
exit

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac
mode transport
exit

Troubleshooting Steps:
!  R2:
ping 15.0.0.1

show ip int brief | exclude unassigned

conf t
int gig 1/0
no shutdown
exit

do ping 15.0.0.1

! R1
show ip nhrp

show run interface tunnel 0

! R2
do show run interface tunnel 0

interface Tunnel0
tunnel key 6783
exit

do ping 10.1.1.1 repeat 1

do show ip route

do show ip protocols

do show ip eigrp neighbor

!  Remove ipsec profiles for testing

do show run interface tunnel 0

interface tunnel 0
no tunnel protection ipsec profile OUR_IPSec_PROFILE

! R1
conf t
do show run int tunnel 0

interface tunnel 0
no tunnel protection ipsec profile OUR_IPSec_PROFILE

! R2
do show ip route eigrp

do ping 10.1.1.1 repeat 1

! R1
tunnel protection ipsec profile OUR_IPSec_PROFILE
end

! R2
tunnel protection ipsec profile OUR_IPSec_PROFILE
exit

interface gig 1/0
shutdown
exit

logging buffered 7
no logging console
do clear log

! R1
conf t
logging buffered 7
logging console 7
do debug crypto isakmp

! R2
interface gig 1/0
no shutdown
exit

! R1
no logging console
end
undebug all

show crypto isakmp policy

! R2
do show crypto isakmp policy

crypto isakmp policy 5
encr aes 256
exit

do show crypto isakmp policy
do show crypto isakmp sa

! R1
conf t
logging console 7
do clear log

do debug crypto isakmp

! R2
interface gig 1/0
shutdown
do show crypto isakmp sa
do clear crypto isakmp
do show crypto isakmp sa
no shutdown
exit

! R1
no logging console
do undebug all

do show crypto isakmp key

! R2
do show crypto isakmp key

! R2
do show run | section crypto
no crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0

do show crypto isakmp sa

do show crypto engine connections active

do show crypto ipsec sa

! IKE Phase 2

! R1
do clear log

do show debug

do debug crypto isakmp
do debug crypto ipsec
logging console 7

! R2
interface gig 1/0
shutdown

no shutdown
exit

! R1
no logging console
do undebug all

do show crypto ipsec transform-set
do show run | section crypto

! R2
do show crypto ipsec transform-set

do show run | section transform

crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac
mode transport
end

show crypto isakmp sa

show crypto ipsec sa

show crypto engine connections active

ping 10.3.3.3 source 10.2.2.2 repeat 1

show dmvpn detail : shows the mapping between the tunnel (GRE) addresses and the actual Internet (NBMA) IP addresses.


Protected DMVPN

! R2

show ip nhrp : displays the NHRP mappings (tunnel address to NBMA address)

show dmvpn

show ip route eigrp

ping 10.4.4.4 source 10.2.2.2 repeat 2

! R1
show crypto isakmp policy

conf t
crypto isakmp policy 5 : the lower the number, the higher the priority
hash sha
authentication pre-share
group 14
lifetime 86400
encr aes 256
exit

crypto isakmp key cisco123 address 0.0.0.0 : any peer that has this key will be able to peer with R1

crypto ipsec transform-set OURSET esp-aes 256 esp-sha-hmac : for IKE phase 2 (the IPsec SA)
mode transport : the default mode is tunnel
exit

crypto ipsec profile OUR_IPSec_PROFILE
set transform-set OURSET
exit

interface tunnel 0
tunnel protection ipsec profile OUR_IPSec_PROFILE
exit

int gig 1/0
shutdown

no shutdown
end

! Repeat above on R2 - R4

! R2
show ip route

show ip route eigrp

show ip nhrp

ping 10.4.4.4 source 10.2.2.2 repeat 1

ping 10.3.3.3 source 10.2.2.2 repeat 1

show dmvpn

ping 10.3.3.3 repeat 1

show dmvpn

show dmvpn detail

show dmvpn peer nbma 45.0.0.4 detail

show crypto isakmp sa

show crypto isakmp sa detail

show crypto ipsec sa peer 15.0.0.1

show crypto ipsec sa peer 45.0.0.4

show dmvpn detail


Monday, January 25, 2016

Naked DMVPN


Goal: full connectivity between the headquarters router and the remote routers.

! R1 HUB no IPsec yet
show ip int brief

conf t
int tunnel 0
tunnel source gig 1/0
tunnel mode gre multipoint : multipoint GRE (mGRE); instead of a fixed tunnel destination, the peers are resolved dynamically (dynamic multipoint VPN)
tunnel key 6783 : must match on every DMVPN router; incoming GRE packets with a different key are dropped

NHRP config:
ip nhrp network-id 1 : the network-id must match on all routers in the DMVPN cloud
ip nhrp authentication cisco123
ip nhrp map multicast dynamic : replicate multicast (routing-protocol hellos) to spokes whose NBMA addresses were learned dynamically
ip nhrp shortcut
ip nhrp redirect
The shortcut and redirect commands are DMVPN phase 3 features

ip address 172.16.0.1 255.255.255.0 : GRE (tunnel overlay) address

tunnel path-mtu-discovery
no tunnel path-mtu-discovery

ip mtu 1400
ip tcp adjust-mss 1360
end

! Spoke R2:
conf t
interface tunnel 0
tunnel mode gre multipoint
tunnel source gig 1/0
tunnel key 6783

ip nhrp network-id 1
ip nhrp authentication cisco123
ip nhrp shortcut
ip nhrp nhs 172.16.0.1
ip nhrp map 172.16.0.1 15.0.0.1
ip nhrp map multicast 15.0.0.1

ip address 172.16.0.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
end

! R3
conf t
interface tunnel 0
tunnel mode gre multipoint
tunnel source gig 1/0
tunnel key 6783

ip nhrp network-id 1
ip nhrp authentication cisco123
ip nhrp nhs 172.16.0.1
ip nhrp map 172.16.0.1 15.0.0.1
ip nhrp map multicast 15.0.0.1
ip nhrp shortcut

ip address 172.16.0.3 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
end

! R4
conf t
interface tunnel 0
tunnel mode gre multipoint
tunnel source gig 1/0
tunnel key 6783

ip nhrp network-id 1
ip nhrp authentication cisco123
ip nhrp nhs 172.16.0.1
ip nhrp map 172.16.0.1 15.0.0.1
ip nhrp map multicast 15.0.0.1
ip nhrp shortcut

ip address 172.16.0.4 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
end

! R1 hub routing
show ip nhrp

To advertise networks:
R1#conf t
router eigrp 777
no auto-summary
network 10.0.0.0
network 172.16.0.0
exit


To disable split-horizon on EIGRP (so the hub re-advertises spoke routes to the other spokes):
interface tunnel 0
no ip next-hop-self eigrp 777 : disable next-hop-self, so the hub keeps the originating spoke as the next hop
no ip split-horizon eigrp 777
end

show ip protocols

!On R2-R3-R4
conf t
router eigrp 777
no auto-summary
network 10.0.0.0
network 172.16.0.0
end

!  R1
show ip eigrp neighbors
show ip route eigrp

! R2
show ip route eigrp

show ip route 10.4.4.4

show ip nhrp summary

show ip nhrp

debug nhrp

ping 10.4.4.4 repeat 1 source g 2/0

undebug all

show ip nhrp brief