Configuring the ISR as a Site-to-Site IPsec VPN Endpoint Using the CLI
## ISR (R3) ##  
##Verify connectivity from the R3 LAN to the ASA
## Baseline reachability check only: 209.165.200.226 is the ASA outside address,
## so this ping is NOT interesting traffic for the VPN-ACL defined below and will
## not bring the tunnel up. Once both peers are configured, ping a host in
## 192.168.1.0/24 from PC-C to trigger IKE and then verify the SAs.
PC-C:\> ping 209.165.200.226 

## Enable IKE policies on R3
## IKEv1 (ISAKMP) only: nothing in this R3 configuration touches IKEv2, so the
## "ikev2" entries in the ASA configuration below are never exercised by this peer.
R3(config)# crypto isakmp enable
R3(config)# crypto isakmp policy 10

##Configure ISAKMP policy parameters on R3
## Phase 1 proposal: PSK authentication, 3DES, SHA-1, DH group 2 (1024-bit MODP).
## These are the CCNA Security lab values, not a hardened baseline -- on an image
## that supports it prefer "encryption aes 256", "hash sha256" and "group 14" or higher.
## The ASA must carry a matching IKEv1 policy (its ASDM-generated "crypto ikev1 policy"
## lines are not shown on this page). No lifetime is set here, so the IOS default
## (86400 s) applies to the IKE SA.
R3(config)# crypto isakmp policy 10 
R3(config-isakmp)# authentication pre-share 
R3(config-isakmp)# encryption 3des 
R3(config-isakmp)# hash sha 
R3(config-isakmp)# group 2 

## Confirm the policy took effect before moving on.
R3# show crypto isakmp policy

##Configure pre-shared keys
## Must equal the "ikev1 pre-shared-key" under "tunnel-group 10.2.2.1" on the ASA.
## SECRET-KEY is a lab placeholder: use a long random key in practice, and note that
## without "password encryption aes" plus "key config-key password-encrypt", IOS keeps
## this key in clear text in the running and startup configuration.
## No mask is given, so the key is bound to the single ASA outside address (/32).
R3(config)# crypto isakmp key SECRET-KEY address 209.165.200.226

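##Configure the IPsec transform set and lifetime
## Phase 2 proposal: ESP with 3DES encryption and SHA-1 HMAC (tunnel mode is the default).
## Must match one of the ikev1 transform-sets the ASA offers (ESP-3DES-SHA in its crypto map).
R3(config)# crypto ipsec transform-set ESP-TUNNEL esp-3des esp-sha-hmac 
## The section header promises a lifetime but the original transcript never set one, so
## the IOS default (3600 s / 4608000 KB) applied. Set it explicitly so it is visible in
## the config; 1800 s is an example value -- the two peers settle on the lower of their
## configured lifetimes.
R3(config)# crypto ipsec security-association lifetime seconds 1800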

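## Define interesting traffic
## Crypto ACL: only traffic matching it enters the tunnel. It must be the exact mirror
## of the ASA's OUT_cryptomap ACL (192.168.1.0/24 -> 172.16.3.0/24), which it is.
## The original transcript had the remark text wrapped onto the following prompt line;
## restored here as two separate commands.
R3(config)# ip access-list extended VPN-ACL 
R3(config-ext-nacl)# remark Link to the CCNAS-ASA
R3(config-ext-nacl)# permit ip 172.16.3.0 0.0.0.255 192.168.1.0 0.0.0.255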

## Create and apply a crypto map. 
## "ipsec-isakmp" = SAs negotiated by IKEv1. No PFS is configured; if the ASA side
## was generated with PFS enabled, add a matching "set pfs" here or the tunnel will not
## come up -- check the ASA crypto map with "show run crypto map".
R3(config)# crypto map S2S-MAP 10 ipsec-isakmp
R3(config-crypto-map)# match address VPN-ACL
## Peer = the ASA outside address, the same address the pre-shared key above is bound to.
R3(config-crypto-map)# set peer 209.165.200.226 
R3(config-crypto-map)# set transform-set ESP-TUNNEL 
## (an "exit" back to global configuration mode is implied before the next line)
## Apply the map to the WAN interface facing the ASA. Its address is presumably 10.2.2.1,
## the value the ASA uses for "set peer" -- confirm with "show ip interface brief".
R3(config)# interface Serial0/0/1 
R3(config-if)# crypto map S2S-MAP 
## Bring the tunnel up with interesting traffic (e.g. ping from PC-C to a 192.168.1.x host),
## then verify with "show crypto isakmp sa" and "show crypto ipsec sa".



## ASA ##
##ASA side: configuration as generated by the ASDM Site-to-Site VPN wizard (running-config excerpt)

## Remote (R3) LAN as seen from the ASA; referenced only by the NAT exemption rule below.
object network NETWORK_OBJ_172.16.3.0_24
  subnet 172.16.3.0 255.255.255.0

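## Local (ASA inside) LAN, used as the source of the NAT exemption rule below.
## The original page listed "subnet 172.22.56.144 255.255.255.240" here, which matches
## neither the object name nor the crypto ACL (192.168.1.0/24) nor R3's VPN-ACL; with that
## value the exemption never matches VPN traffic, so inside hosts would be translated before
## reaching the crypto map and the tunnel would not carry their traffic. Corrected to the
## LAN both crypto ACLs actually reference. If 172.22.56.144/28 was intentional, the
## crypto ACLs on both peers would have to change instead.
object network NETWORK_OBJ_192.168.1.0_0
  subnet 192.168.1.0 255.255.255.0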

## Crypto ACL -- mirror image of R3's VPN-ACL (172.16.3.0/24 -> 192.168.1.0/24).
access-list OUT_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 172.16.3.0 255.255.255.0 
## ASDM-generated group policy for this peer. Both IKE versions are allowed, but the R3
## configuration on this page is IKEv1-only, so only ikev1 is ever negotiated with it.
group-policy GroupPolicy_10.2.2.1 internal
group-policy GroupPolicy_10.2.2.1 attributes
  vpn-tunnel-protocol ikev2 ikev1

## LAN-to-LAN tunnel group keyed by R3's outside address (10.2.2.1).
tunnel-group 10.2.2.1 type ipsec-l2l
tunnel-group 10.2.2.1 general-attributes
  default-group-policy GroupPolicy_10.2.2.1

tunnel-group 10.2.2.1 ipsec-attributes
  ## Must equal the "crypto isakmp key" configured on R3. The ASA masks PSKs in
  ## "show running-config"; "more system:running-config" shows the actual value.
  ikev1 pre-shared-key **********
  ## Not used by the R3 configuration on this page (IKEv1 only); harmless, but they
  ## can be removed if IKEv2 is never going to be enabled on the router.
  ikev2 local-authentication pre-shared-key **********
  ikev2 remote-authentication pre-shared-key **********
  ## Dead Peer Detection: send a keepalive after 10 s of silence, retry every 2 s.
  isakmp keepalive threshold 10 retry 2

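## Crypto map entry for the R3 peer, bound to the OUT (outside) interface.
crypto map OUT_map 1 match address OUT_cryptomap
crypto map OUT_map 1 set peer 10.2.2.1
## The ASDM wizard offered every built-in transform set, including DES and MD5 variants;
## a wide list lets the peer negotiate down to the weakest combination. Trimmed to the
## AES/SHA sets plus ESP-3DES-SHA, which must stay until R3's ESP-TUNNEL transform set
## (esp-3des esp-sha-hmac) is moved to AES -- it is the only set R3 proposes.
crypto map OUT_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-192-SHA ESP-AES-128-SHA ESP-3DES-SHA
## IKEv2 is not configured on R3, so these proposals are unused by this peer; the 3DES and
## DES proposals are dropped for the same reason as above.
crypto map OUT_map 1 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map OUT_map interface OUT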
## NAT exemption (identity NAT) so VPN traffic bypasses any dynamic PAT towards OUT and
## reaches the crypto map with its real addresses. It must cover exactly the crypto ACL
## pair. Check that NETWORK_OBJ_192.168.1.0_0 really resolves to 192.168.1.0/24: the ASDM
## export on this page showed it as 172.22.56.144/28, which would make this rule a no-op
## for the VPN traffic. "no-proxy-arp route-lookup" are the standard ASDM flags for this rule.
nat (IN,OUT) 1 source static NETWORK_OBJ_192.168.1.0_0 NETWORK_OBJ_192.168.1.0_0 destination static NETWORK_OBJ_172.16.3.0_24 NETWORK_OBJ_172.16.3.0_24 no-proxy-arp route-lookup