Cisco CCNP Security 300-730 SVPN – Site-to-Site Virtual Private Networks on Routers and Firewalls Part 4

January 26, 2023

9. DMVPN Phase 3 IKEv1

Hello guys. Welcome to a new video. And in this video we are going to be configuring DMVPN plus IKE version one. And yes, as you can see guys, I am not using GNS3 today. I’m using EVE-NG, which is kind of cool. It’s a pain in the butt to add new images and I still haven’t figured out how to add the ASA, but it is only a matter of time until I’m able to add that ASA.

So that’s why I’m not doing anything that has to do with an ASA, because I haven’t figured out how to add it yet. So if you know how to add it, just leave a comment below with instructions. Just tell me how to do it because I’m losing my mind. But I’m liking EVE-NG. Okay, let’s go ahead and start with this video. Like I said, we’re going to do DMVPN plus IKE version one. I have configured all the IP addresses, they are able to reach each other and all that is good. So let’s go ahead and start with that, guys. I’m going to start from the hub like I always do. We’re going to enable. Let’s make this a little bit smaller.

Am I able to do that? Yep. Am I able to do that over here? No, I should be able to do that. Here we go. There we go. That looks better. Before we do that, let’s see if we are able to ping that. Ten, nine, one, which is site one. Let’s go ahead and try to ping site two and site three. Okay, so we are able to ping everybody. We’re able to ping everything. So that’s good. That’s a good sign. So now let’s go ahead and do a config t. So we are going to be using IKE version one.

Let’s go ahead and start with the IKE version one configuration: crypto isakmp. ISAKMP is IKE version one. Okay, then we’re not going to do profile, we’re going to do policy one. The encryption that we’re going to be using is going to be 3DES. The hashing algorithm, let’s use MD5. Group, the Diffie-Hellman group, is group number two. And then the authentication method is going to be pre-shared key. Lifetime you can just leave as default. Since we are using a pre-shared key, now we need to go ahead and configure the pre-shared key, which is going to be crypto isakmp key, which is called cisco, address any IP address. So what I’m saying right here is, where is my… there we go. So what I’m saying right here, I just configured IKE version one phase one. So the first thing that I did was I created a policy.

And inside the policy you need to tell how we are going to connect. That’s phase one. And I’m saying that we’re going to use 3DES for encryption, MD5 for hashing or data integrity, and this for data confidentiality. Right here, how we are going to do the asymmetric key is going to be using Diffie-Hellman group two. And how are we going to authenticate? Is it going to be with a certificate or a pre-shared key? I’m saying it’s pre-shared key. The lifetime is, what is the lifetime of that tunnel, and the lifetime is going to be 86,400 seconds. And since I’m doing a pre-shared key, I need to configure that key over here, isakmp key cisco, and then the address is going to be the IP address that I want. Who do I want to authenticate with this password, with this pre-shared key? And I’m saying that I want anybody to use it. So two and three are going to be able to use it. Okay, so that’s done with IKE version one phase one. Now we are going to configure IKE version one phase two, and now what we need to do is a crypto ipsec transform-set. Now the transform set is how we are going to do this for phase two. So we configure IKE version one phase one, we just create a phase one tunnel, and the tunnel is so we are able to set the parameters for the transform set, which is how we are going to send the data. So IKE version one phase one is just to authenticate and create a secure tunnel.

So then we are able to send the IKE version one phase two so it is sent securely. Okay, so we are going to do ESP, and you can do either ESP or authentication header if you do a question mark. There we go. You can do a bunch, you can either do authentication header or ESP, which is Encapsulating Security Payload. And when you’re using AH, authentication header, the original IP address is known. But when you’re using ESP we are going to grab the original IP and we’re going to add another IP. So the original IP is going to be unknown for ESP, and for AH they are going to be able to know the original IP address. So we are going to use ESP so we can hide that. They’re going to use AES for data confidentiality, 256, and ESP SHA for data integrity, and we are going to use HMAC. Then we need to configure the crypto ipsec profile, and this profile is what we are going to attach to the tunnel that we are going to be creating. So we are just going to call it IPSEC-PROFILE. And over here we need to set the transform set that we just created, which was called TSET right here. Okay? And after that is done, we have configured IKE version one. It’s done. So now what we need to do is we need to go ahead and create the tunnel: interface tunnel. Let’s just call it tunnel zero.

The first thing that I want to do is an IP address of 192.168.1.8 255.255.255.0, and it’s going to be the IP address for the tunnel. As you can see right here, 192.168.1.8 is going to be for the hub, .1 for site one, .2 for site two and .3 for site three. Okay. After that we’re only going to do no ip redirects. Then we’re going to do no ip next-hop-self eigrp 10. Then no ip split-horizon. Then we’re going to do ip nhrp map, and I want it to be multicast and I want it to be dynamic. Then we’re going to do ip nhrp, I want it to do the network ID, which is going to be ten.

And then this needs to match in site one, site two and site three. Then we’re going to specify the tunnel source, which is GigabitEthernet. Then we are going to do ip nhrp shortcut, ip nhrp redirect. Good. Then we do tunnel mode gre multipoint, then tunnel protection, and here’s where we add the IPsec profile, and we name that IPSEC-PROFILE. And ISAKMP is going to turn on. So ISAKMP is on. That means that IKE version one is now on. So now what I’m going to be doing, we’re going to do a show run | section crypto and I’m going to copy everything that I configured for IKE version one. So we’re going to copy phase one and phase two because it’s going to be the same. So we are just going to copy and paste it into site one, site two and site three. So let’s go ahead and hide it. And let’s go ahead and go to site one, which is right here. As usual, enable, config t. You’re going to paste that in here. Let’s go and bring out site three, enable, config t.

You’re going to paste that in here. Let’s go ahead and hide it. Let’s go ahead and go to site two, enable, config t. And let’s go ahead and paste that over here. So what’s going to change is going to be the tunnel. So let’s go ahead and create the tunnel. Actually, I forgot to do something on the hub, and that is that we need to do a config t, network… or actually router eigrp, router eigrp 10, no auto-summary, and we need to add, let’s do a show ip interface brief. So we need to advertise the loopback address and the tunnel address. So network 8.8.8.8 and then network 192.168.1.0 0.0.0.255. Good. So that’s done. Let’s go ahead and hide the hub. And let’s go ahead and go into site one. So we need to specify the tunnel IP address. It’s going to be .1. Then we do ip nhrp, ip nhrp network-id 10, ip nhrp shortcut. And then after that we need to specify the next hop server address.

So ip nhrp nhs, and the next hop server, which is the hub, we’re going to need that .8, 192.168.1.8. And then we’re going to do nbma, which is the IP address of that physical interface, which is 10.10.8.1, which is the IP address of GigabitEthernet0. And we do multicast at the end. After that is done, we need to specify the source, which is GigabitEthernet1 for site one over here. Good. Then we need to do the tunnel mode, gre multipoint, and then we do the tunnel protection ipsec profile, and we need to add the IPsec profile that was created when we copied and pasted it. So that’s done. Then we do a router eigrp 10. Let’s do a show ip interface brief so you can see the networks that we’re going to advertise, the loopback and the tunnel. So network… let’s just do the no auto-summary first. Let’s do network 1.1.1.1. Then let’s do network 192.168.1.0, and that should form a neighbor relationship. There we go. So if you bring up the hub, you can see that we have… we can do a show ip eigrp neighbors. You can see that we have the neighbor, .1. And if we go hide it and we do, too, show ip eigrp neighbors, you should see that neighbor, which is the hub. Also you can do a show ip nhrp.

You can see that we have a static via this interface, which is the tunnel interface, and you can reach it at 10.10.8.1. You can also do the show ip route. You can see that you are able to reach 8.8.8.8 via Tunnel0, which is going to be encrypted. And we can also, let me see. And that’s it. You can also do a show crypto isakmp sa. So you can see ISAKMP phase one, the destination 8.1, the source 10.1, and it is active. And if you want to do the IKE version one phase two, you can do a show crypto ipsec sa. And here it is, local identity 10.1, remote identity 8.1. You can see the packets that have been sent and no errors. Good, good. Now let’s go ahead and configure site two. So on site two, ip address 192.168.1.2, ip nhrp network-id 10, ip nhrp shortcut, ip nhrp multicast, and then tunnel source GigabitEthernet2 for site two. Then we do network ID. Yeah, let’s do tunnel mode gre multipoint. Then we do the tunnel protection ipsec profile IPSEC-PROFILE. And there we go. ISAKMP is on. Exit, router eigrp 10, no auto-summary. Let’s do a show ip interface brief. We’re going to add the two network and the tunnel. So network 2.2.2.2, network 192.168.1.0 0.0.0.255. And it looks like it didn’t come up for some reason. So why is it not up here? Show ip eigrp neighbors.

We don’t have any neighbors. Let’s go ahead and go to the hub. We did receive the .1. Show ip nhrp. So it says negative, it will not add. Then let me see where I missed my configuration. Okay, so this is the one. So we need to delete that. Let’s go ahead and config t, interface tunnel 0, and we’re going to say no… and we’re going to… looks like I got disconnected. Okay, there we go. No, we need to remove this right here. It needs to be ip nhrp nhs 192.168.1.8 nbma 10.10.8.1 multicast, and there we go. EIGRP, and show ip nhrp, you can see it now. Show ip eigrp neighbors, and there it is, a neighbor. And if you go to the hub, show ip nhrp, now you can see that it is there. Show ip route, we can see the route to the one network and to the two network. If you do show crypto isakmp sa, now we have… this one was deleted because it was configured first, but it was not configured correctly, because the next hop server IP address was configured incorrectly.

And then we fixed that. And then we have the other SA right here. Good. So that’s good. Now let’s go ahead and hide this. And let’s go ahead and configure site three. We are going to do interface tunnel 0, ip address 192.168.1.3 255.255.255.0, ip nhrp network-id 10, ip nhrp shortcut, ip nhrp nhs 192.168.1.8 nbma 10.10.8.1 multicast. Then we do the tunnel source, GigabitEthernet3, I believe it is. And let me make it smaller so you guys can see it. Here it is, GigabitEthernet3, and then tunnel mode gre multipoint, tunnel protection ipsec profile IPSEC-PROFILE. And I believe that’s done. Yup. ISAKMP is now on. So now let’s go ahead and configure router eigrp 10, no auto-summary. Let’s do a show ip interface brief. So we need to add network 3.3.3.3 and we are also going to add network 192.168.1.0 0.0.0.255. That should bring up a neighbor relationship. So show ip route, we should see routes to the one, the two and the three networks, and those networks we should also see from the hub. Let’s do a show ip eigrp neighbors.

We have three networks. Show crypto isakmp sa. And now we have three: the three, the two and the one. Good. So it is working. Now let’s go ahead and see… let’s go ahead and do a traceroute to one. Now to the 1.1.1.1, which is site one, let’s see what happens. So it’s going to send it to the hub, and what is going to happen then? We send it to router one. Okay. So ip nhrp. Okay, let’s go ahead and press it again. There you go. So it looks like it is working. I’m able to get, from site three, I’m able to get to site one and also to site two. So this is it for this video, guys. I hope you guys enjoyed this video.
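The configuration walked through above, collected into one hub and one spoke as an added reference example (this is not the video’s own capture; it is reconstructed from the commands spoken in the transcript). Values taken from the transcript: tunnel addresses 192.168.1.8 (hub) and .1/.2/.3 (spokes), hub NBMA address 10.10.8.1, NHRP network-id 10, EIGRP AS 10, transform-set TSET, profile name IPSEC-PROFILE, hub loopback 8.8.8.8 and tunnel network 192.168.1.0/24. Assumptions, because the transcript does not spell them out: the interface names GigabitEthernet0 (hub) and GigabitEthernet1 (site one), the spoke loopback 1.1.1.1, and the mask 255.255.255.0 on the tunnel interfaces.

```cisco
! ---- HUB (tunnel 192.168.1.8, physical/NBMA 10.10.8.1) ----
! IKEv1 phase 1 policy as used in the video (3DES / MD5 / DH group 2 are
! legacy choices; see the note after this block)
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
! lifetime left at the default of 86400 seconds
! wildcard pre-shared key: any peer address may authenticate with "cisco"
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
! IKEv1 phase 2: ESP, AES-256 for confidentiality, SHA-HMAC for integrity
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
!
interface Tunnel0
 ip address 192.168.1.8 255.255.255.0
 no ip redirects
 no ip next-hop-self eigrp 10
 no ip split-horizon eigrp 10
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp shortcut
 ip nhrp redirect
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC-PROFILE
!
router eigrp 10
 no auto-summary
 network 8.8.8.8 0.0.0.0
 network 192.168.1.0 0.0.0.255
!
! ---- SPOKE, site one (tunnel 192.168.1.1). Sites two and three differ only
! in the tunnel address (.2 / .3), tunnel source and advertised loopback ----
! The crypto block above (policy, key, transform-set, profile) is pasted here
! unchanged from the hub's "show run | section crypto" and is not repeated.
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip nhrp network-id 10
 ip nhrp shortcut
 ! nhs = hub tunnel address, nbma = hub physical address. In the video site
 ! two first got this line wrong: the hub's "show ip nhrp" showed the
 ! registration as negative and no EIGRP neighbor formed until it was fixed.
 ip nhrp nhs 192.168.1.8 nbma 10.10.8.1 multicast
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC-PROFILE
!
router eigrp 10
 no auto-summary
 network 1.1.1.1 0.0.0.0
 network 192.168.1.0 0.0.0.255
!
! ---- verification, on hub or spoke ----
! show ip nhrp               NHRP registrations / cache entries
! show ip eigrp neighbors    adjacency over the mGRE tunnel
! show crypto isakmp sa      phase 1 SA: state QM_IDLE, status ACTIVE
! show crypto ipsec sa       phase 2 SAs, encaps/decaps counters, no errors
! traceroute 1.1.1.1         run twice from site three: first path via the
!                            hub, then spoke-to-spoke once NHRP redirect and
!                            shortcut have installed the direct entry
```

Two points a practitioner would check before reusing this in anything other than a lab: the wildcard key (`address 0.0.0.0 0.0.0.0`) lets any source that knows the shared secret complete phase one, so per-peer keys, an ISAKMP keyring, or certificate authentication narrow that; and 3DES, MD5 and DH group 2 are all deprecated in Cisco’s Next Generation Encryption guidance, so production policies should use AES, SHA-2 and DH group 14 or higher.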
