This is a network lab I used to configure a site-to-site VPN in GNS3. My LAN (10.143.88.0/24) stands in for the Internet, and the two LANs I want to connect over the VPN are 192.168.100.0/24 and 192.168.200.0/24.
After connecting to router R1 with CCP, go to Security/VPN/Site-to-Site VPN.
Then press “Launch the selected task”…
… and choose “Step by step wizard”.
Then choose the interface for the VPN connection, enter the IP address of the peer and select “Pre-shared Keys” (the pre-shared key value must be the same on the peer side too).
Now you have to configure the Phase 1…
…and the Phase 2.
After that press “Generate Mirror” and use that configuration to configure the remote side, but you should make some adjustments and change your NAT translation on both sides.
To do so, change or create a new access list for NAT. The deny entry must come before the permit, because IOS applies NAT before the crypto map: once the source is translated, the crypto ACL no longer matches.
ip access-list extended NAT_ADDRESSES
deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 any
! The first line stops LAN-to-remote-LAN traffic from being translated by NAT; that traffic is instead matched by the SDM_ access list that CCP generated.
ip access-list extended SDM_1
remark CCP_ACL Category=4
remark IPSec Rule
permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
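To make the ordering point concrete, here is a small model of what R1 does with an inside-to-outside packet: NAT first, then the crypto map on the post-NAT packet. It is an added example, not part of the original write-up and not Cisco code; the ACL entries are the ones from the lab, the outside address 10.143.88.150 is R1's FastEthernet0/0 from the output below, and the "misordered" NAT list is constructed to show the failure mode.

```python
"""Model of the IOS order of operations for inside->outside traffic:
NAT runs before the crypto map, so VPN traffic must be exempted from NAT
or its source gets rewritten and the crypto ACL no longer matches."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# R1's outside address from the lab (used as the NAT overload address here)
OUTSIDE_ADDR = "10.143.88.150"

# The NAT list as written in the lab: deny the VPN traffic before permitting the rest
NAT_ACL_OK = """
deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 any
"""

# Constructed: the same two entries in the wrong order, a common mistake
NAT_ACL_BAD = """
permit ip 192.168.100.0 0.0.0.255 any
deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
"""

# The crypto ACL generated by CCP (remark lines are skipped by the parser)
CRYPTO_ACL = """
remark CCP_ACL Category=4
remark IPSec Rule
permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
"""

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any" or "network wildcard"
    dst: str

def _take(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec: 'any' is one token, 'net wildcard' is two."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny ip SRC DST' lines of an IOS extended ACL."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "remark":
            continue
        action, proto = parts[0], parts[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _take(parts[2:])
        dst, _ = _take(rest)
        aces.append(Ace(action, src, dst))
    return aces

def matches(addr: str, spec: str) -> bool:
    """IOS wildcard match: bits set in the wildcard are 'don't care' bits."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    for ace in acl:
        if matches(src, ace.src) and matches(dst, ace.dst):
            return ace.action
    return "deny"

def forward(src: str, dst: str, nat_acl_text: str) -> str:
    """How R1 handles an inside->outside packet: 'ipsec' (through the tunnel),
    'nat' (translated and routed in the clear) or 'plain' (routed untouched)."""
    nat_acl = parse_acl(nat_acl_text)
    crypto_acl = parse_acl(CRYPTO_ACL)
    # Step 1: NAT inside->outside. A 'permit' in the NAT list means translate.
    translated = evaluate(nat_acl, src, dst) == "permit"
    if translated:
        src = OUTSIDE_ADDR
    # Step 2: the crypto map is consulted on the post-NAT packet.
    if evaluate(crypto_acl, src, dst) == "permit":
        return "ipsec"
    return "nat" if translated else "plain"

if __name__ == "__main__":
    for name, acl in (("correct", NAT_ACL_OK), ("misordered", NAT_ACL_BAD)):
        print(name, "to remote LAN:", forward("192.168.100.1", "192.168.200.1", acl))
        print(name, "to Internet:  ", forward("192.168.100.1", "10.143.88.1", acl))
```

With the correct list, LAN-to-LAN traffic reports `ipsec` and Internet traffic reports `nat`; with the misordered list the LAN-to-LAN packet is translated first, never matches the crypto ACL, and leaves in the clear as `nat`, which is exactly what the `deny` entry prevents.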
After that we can check the ISAKMP security associations.
But first you have to generate some VPN traffic; the best way to do that is an extended ping.
Ping the remote site (192.168.200.1) with source IP address 192.168.100.1, interface FastEthernet 0/1 (LAN).
R1#show crypto isakmp sa
dst             src             state          conn-id slot status
10.143.88.160   10.143.88.150   QM_IDLE              1    0 ACTIVE
After the ping you will see encapsulated and decapsulated packet counters.
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: SDM_CMAP_1, local addr 10.143.88.150
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer 10.143.88.160 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.143.88.150, remote crypto endpt.: 10.143.88.160
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x448CF935(1150089525)
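Reading these counters by hand is the usual check: encaps and decaps both non-zero means the tunnel carries traffic in both directions, encaps without decaps means the peer is not sending anything back (typically a mismatched crypto ACL or a missing NAT exemption on the far side). The following parser, an added example that is not part of the original post, pulls the proxy identities, peer and counters out of the `show crypto ipsec sa` text above; the first sample is abridged from that output, the second is constructed to show the one-way case.

```python
"""Parse 'show crypto ipsec sa' output and classify the state of the SA."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Abridged from the lab output above (only the lines the parser needs)
SA_OK = """
interface: FastEthernet0/0
Crypto map tag: SDM_CMAP_1, local addr 10.143.88.150
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer 10.143.88.160 port 500
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors 1, #recv errors 0
"""

# Constructed: same SA, but nothing ever comes back from the peer
SA_ONE_WAY = """
interface: FastEthernet0/0
Crypto map tag: SDM_CMAP_1, local addr 10.143.88.150
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer 10.143.88.160 port 500
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
"""

@dataclass
class IpsecSa:
    local_net: str        # local proxy identity, "network/mask"
    remote_net: str       # remote proxy identity, "network/mask"
    peer: str             # current_peer address
    counters: Dict[str, int]

# Matches "#pkts encaps: 4" as well as "#send errors 1"
COUNTER_RE = re.compile(r"#(?:pkts )?([a-z]+(?: errors)?):? (\d+)")
IDENT_RE = r" ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"

def parse_ipsec_sa(text: str) -> IpsecSa:
    """Extract identities, peer and packet counters from one SA block."""
    local = re.search("local" + IDENT_RE, text)
    remote = re.search("remote" + IDENT_RE, text)
    peer = re.search(r"current_peer ([\d.]+) port (\d+)", text)
    if not (local and remote and peer):
        raise ValueError("not a 'show crypto ipsec sa' block")
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    return IpsecSa(f"{local.group(1)}/{local.group(2)}",
                   f"{remote.group(1)}/{remote.group(2)}",
                   peer.group(1), counters)

def identities_ok(sa: IpsecSa, local_net: str, remote_net: str) -> bool:
    """Check the SA protects the subnets the crypto ACL was meant to cover."""
    return sa.local_net == local_net and sa.remote_net == remote_net

def assess(sa: IpsecSa) -> str:
    """Classify the SA the way you would read the counters by hand."""
    enc = sa.counters.get("encaps", 0)
    dec = sa.counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle: no interesting traffic yet, generate some (extended ping)"
    if enc > 0 and dec == 0:
        return "one-way: we encrypt but nothing comes back, check the peer's crypto ACL and NAT exemption"
    if enc == 0 and dec > 0:
        return "one-way: we receive but never send, check local routing and NAT exemption"
    return "bidirectional: tunnel is passing traffic"

def warnings(sa: IpsecSa) -> List[str]:
    """Error counters worth a second look; a single send error after the
    first ping is normal (that packet is dropped while IKE negotiates)."""
    out = []
    send_err = sa.counters.get("send errors", 0)
    if send_err > 1:
        out.append(f"{send_err} send errors: more than the usual first-packet drop")
    if sa.counters.get("recv errors", 0) > 0:
        out.append("recv errors: incoming packets failed authentication or decryption")
    return out

if __name__ == "__main__":
    for sample in (SA_OK, SA_ONE_WAY):
        sa = parse_ipsec_sa(sample)
        print(sa.local_net, "<->", sa.remote_net, "via", sa.peer)
        print(" ", assess(sa), warnings(sa))
```

Run against the captured output it reports the SA as bidirectional with no warnings, since the single send error is the first ping packet lost during IKE negotiation; the constructed sample reports the one-way condition.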