Home
Search results “Crypto isakmp policy 10 authentication pre-shared-key”
Create an IPsec VPN tunnel using Packet Tracer - CCNA Security
 
18:28
http://danscourses.com - Learn how to create an IPsec VPN tunnel on Cisco routers using the Cisco IOS CLI. CCNA security topic. 1. Starting configurations for R1, ISP, and R3. Paste to global config mode : hostname R1 interface g0/1 ip address 192.168.1.1 255.255.255.0 no shut interface g0/0 ip address 209.165.100.1 255.255.255.0 no shut exit ip route 0.0.0.0 0.0.0.0 209.165.100.2 hostname ISP interface g0/1 ip address 209.165.200.2 255.255.255.0 no shut interface g0/0 ip address 209.165.100.2 255.255.255.0 no shut exit hostname R3 interface g0/1 ip address 192.168.3.1 255.255.255.0 no shut interface g0/0 ip address 209.165.200.1 255.255.255.0 no shut exit ip route 0.0.0.0 0.0.0.0 209.165.200.2 2. Make sure routers have the security license enabled: license boot module c1900 technology-package securityk9 3. Configure IPsec on the routers at each end of the tunnel (R1 and R3) !R1 crypto isakmp policy 10 encryption aes 256 authentication pre-share group 5 ! crypto isakmp key secretkey address 209.165.200.1 ! crypto ipsec transform-set R1-R3 esp-aes 256 esp-sha-hmac ! crypto map IPSEC-MAP 10 ipsec-isakmp set peer 209.165.200.1 set pfs group5 set security-association lifetime seconds 86400 set transform-set R1-R3 match address 100 ! interface GigabitEthernet0/0 crypto map IPSEC-MAP ! access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 !R3 crypto isakmp policy 10 encryption aes 256 authentication pre-share group 5 ! crypto isakmp key secretkey address 209.165.100.1 ! crypto ipsec transform-set R3-R1 esp-aes 256 esp-sha-hmac ! crypto map IPSEC-MAP 10 ipsec-isakmp set peer 209.165.100.1 set pfs group5 set security-association lifetime seconds 86400 set transform-set R3-R1 match address 100 ! interface GigabitEthernet0/0 crypto map IPSEC-MAP ! access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
Views: 42189 danscourses
Create an IPsec VPN tunnel - CCNA Security | Hindi
 
19:18
Create an IPsec VPN tunnel - CCNA Security | Hindi #create_ipsec_vpn_tunnel #ccna_security #tech_guru_manjit access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 crypto isakmp policy 10 encryption aes 256 authentication pre-share group 5 crypto isakmp key secretkey address 209.165.200.1 crypto ipsec transform-set R1-R3 esp-aes 256 esp-sha-hmac crypto map IPSEC-MAP 10 ipsec-isakmp set peer 209.165.200.1 set pfs group5 set security-association lifetime seconds 86400 set transform-set R1-R3 match address 100 int g0/0 crypto map IPSEC-MAP Merchandise: https://goo.gl/W6BLhi ************* My Other Channel: https://www.youtube.com/channel/UC3SL1AJkIQvibobPsoJA4GQ Official Website ***************** https://nirankariinfotech.com Merchandise ************** https://teeshopper.in/store/techgurumanjit Some important Scripts ************************* Ganesh Chaturthi : https://imojo.in/7syjts Navratri : https://imojo.in/fnrhld Gadgets i Use ************************************ Green Screen : http://amzn.to/2mxnzld White Umbrella: http://amzn.to/2B2rFXL Tripod : http://amzn.to/2mG10eK Mini Lapel Microphone: http://amzn.to/2D4xeqs In Tech Guru Manjit we are uploading videos on various topics like technical, motivational, Blogging, SEO, travel guide etc. Request all our Subscriber & non Subscriber to see like and share our videos & if you have any idea or you need any other informational video us to make please drop us a mail at [email protected] Regards Tech Guru Manjit
Views: 444 Tech Guru Manjit
IPsec VPN Tunnel
 
26:46
Pre-setup: Usually this is the perimeter router so allow the firewall. Optional access-list acl permit udp source wildcard destination wildcard eq isakmp access-list acl permit esp source wildcard destination wildcard access-list acl permit ahp source wildcard destination wildcard You need to enable to securityk9 technology-package Router(config)#license boot module c2900 technology-package securityk9 Router(config)#reload Task 1: Configure the ISAKMP policy for IKE Phase 1 There are seven default isakmp policies. The most secure is the default. We will configure our own. You can remember this by HAGLE. Hash, Authentication, Group (DH), Lifetime, Encryption. Router(config)#crypto isakmp policy 1 Router(config-isakmp)#hash sha Router(config-isakmp)#authentication pre-share Router(config-isakmp)#group 5 Router(config-isakmp)#lifetime 3600 Router(config-isakmp)#encryption aes 256 We used a pre-shared key for authentication so we need to specify the password for the first phase. Router(config)#crypto isakmp key derpyisbestpony address 208.77.5.1 show crypto isakmp policy Task 2: Configure the IPsec Policy for IKE Phase 2 Configure the encryption and hashing algorithms that you will use for the data sent thought the IPsec tunnel. Hence the transform. Router(config)#crypto ipsec transform-set transform_name esp-aes esp-sha-hmac Task 3: Configure ACL to define interesting traffic Even though the tunnel is setup it doesn’t exist yet. Interesting traffic must be detected before IKE Phase 1 negotiations can begin. Allow the local lan to the remote lan. Router(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 show crypto isakmp sa Task 4: Configure a Crypto Map for the IPsec Policy Now that interesting traffic is defined and an IPsec transform set is configured, you need to bind them together with a crypto map. Rotuer(config)# crypto map map_name seq_num ipsec-isakmp What traffic will be interesting? The access-list we made before. Router(config-crypto-map)#match address 101 The transform-set we created earlier for the IPsec tunnel. Router(config-crypto-map)# set transform-set transform_name The peer router you’re connecting to. Router(config-crypto-map)#set peer 172.30.2.2 You need to set the type of DH you want to use. Router(config-crypto-map)#set pfs group5 How long these setting will last before it’s renegotiated Router(config-crypto-map)#set security-association lifetime seconds 900 Task 5: Apply the IPsec Policy Apply the crypto map to the interface. Router(config)#interface serial0/0/0 Router(config-if)#crypto map map_name show crypto map derpy: http://th03.deviantart.net/fs71/PRE/f/2012/302/6/1/derpy_hooves_by_freak0uo-d5jedxp.png twilight: http://fc03.deviantart.net/fs70/i/2012/226/e/5/twilight_sparkle_vector_by_ikillyou121-d56s0vc.png
Views: 13650 Derpy Networking
IPsec Site to SIte VPN on IOS Router
 
16:38
crypto isakmp policy 10 encr aes authentication pre-share group 2 crypto isakmp key cisco address 23.0.0.2 - remote peer public IP crypto ipsec transform-set L2L esp-aes esp-sha-hmac mode tunnel crypto map L2L 10 ipsec-isakmp set peer 23.0.0.2 - remote peer public IP set transform-set L2L match address L2L ip access-list extended L2L 10 permit ip 10.1.45.0 0.0.0.255 10.1.12.0 0.0.0.255 - mirror this on remote side
What is PRE-SHARED KEY? What does PRE-SHARED KEY mean? PRE-SHARED KEY meaning & explanation
 
03:01
What is PRE-SHARED KEY? What does PRE-SHARED KEY mean? PRE-SHARED KEY meaning - PRE-SHARED KEY definition - PRE-SHARED KEY explanation. Source: Wikipedia.org article, adapted under https://creativecommons.org/licenses/by-sa/3.0/ license. SUBSCRIBE to our Google Earth flights channel - https://www.youtube.com/channel/UC6UuCPh7GrXznZi0Hz2YQnQ In cryptography, a pre-shared key (PSK) is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. To build a key from shared secret, the key derivation function is typically used. Such systems almost always use symmetric key cryptographic algorithms. The term PSK is used in Wi-Fi encryption such as Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), where the method is called WPA-PSK or WPA2-PSK, and also in the Extensible Authentication Protocol (EAP), where it is known as EAP-PSK. In all these cases, both the wireless access points (AP) and all clients share the same key. The characteristics of this secret or key are determined by the system which uses it; some system designs require that such keys be in a particular format. It can be a password, a passphrase, or a hexadecimal string. The secret is used by all systems involved in the cryptographic processes used to secure the traffic between the systems. Crypto systems rely on one or more keys for confidentiality. One particular attack is always possible against keys, the brute force key space search attack. A sufficiently long, randomly chosen, key can resist any practical brute force attack, though not in principle if an attacker has sufficient computational power (see password strength and password cracking for more discussion). Unavoidably, however, pre-shared keys are held by both parties to the communication, and so can be compromised at one end, without the knowledge of anyone at the other. There are several tools available to help one choose strong passwords, though doing so over any network connection is inherently unsafe as one cannot in general know who, if anyone, may be eavesdropping on the interaction. Choosing keys used by cryptographic algorithms is somewhat different in that any pattern whatsoever should be avoided, as any such pattern may provide an attacker with a lower effort attack than brute force search. This implies random key choice to force attackers to spend as much effort as possible; this is very difficult in principle and in practice as well. As a general rule, any software except a Cryptographically secure pseudorandom number generator should be avoided.
Views: 4408 The Audiopedia
Site to Site Ikev2 asymmetric  Pre Shared key explainnation with wireshark
 
16:49
Hi Friends, Please checkout my new video on Site to Site ikev2 VPN between routers with asymmetric Pre Share key . If you like this video give it a thumps up and subscribe my channel for more video. Have any question put it on comment section. Site to Site VPN with Certificate - Wireshark Capture https://youtu.be/BthdhJQzq9c Public Key Infrastructure - Explained https://youtu.be/kZETEaAJgYY Site to Site VPN on Router- Understanding and Explanation https://www.youtube.com/watch?v=_A6tm22lYsk Site to Site VPN Main mode negotiation with Wireshark Explanation https://www.youtube.com/watch?v=aaINqti3Hgc What is NAT-T ? What is use in Site to Site VPN with NAT -T wireshark capture and LAB explanation https://youtu.be/9yZSgJHdzCI Site Site Troubleshooting With Debug Messages https://youtu.be/EJ1dHw-KXXM Cisco ASA Site-to-Site VPN Configuration with certificate - Debug https://youtu.be/r9ooYhklbew Steps to configure Site to Site Ikev2 crypto ikev2 proposal VPN_PRO encryption 3des integrity sha256 group 2 crypto ikev2 policy 10 proposal VPN_PRO crypto ikev2 keyring KEY peer peer1 address 200.1.1.10 pre-shared-key local cisco pre-shared-key remote cisco1 crypto ikev2 profile PROFILE match identity remote address 200.1.1.10 255.255.255.0 authentication remote pre-share authentication local pre-share keyring local KEY crypto ipsec transform-set TSET esp-3des esp-md5-hmac mode tunnel crypto map CMAP 10 ipsec-isakmp set peer 19.19.4.10 set transform-set TRANS set ikev2-profile ccie match address IV2 int g0/0 crypto map CMAP E-mail ID : [email protected] #VPN #Ikev2 #bikashtech
Views: 64 Bikash's Tech
GNS3 Labs: IPsec VPN with NAT across BGP Internet routers: Wireshark captures. Answers Part 2
 
03:25
GNS3 Topology: https://goo.gl/p7p8pq Get the VPN Config Generator and all my videos as part of a subscription here: https://goo.gl/mJMZGW Cisco documentation: https://goo.gl/hjmdFR For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more. VPN Configuration: ====================================================== ! CONFIG FOR: C1 ! ! ====================================================== access-list 100 remark ****** Link to C2 ****** access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 ! access-list 101 remark ****** NAT ACL ****** access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 access-list 101 permit ip 10.1.1.0 0.0.0.255 any ! ip nat inside source route-map nonat interface G0/1 overload ! route-map nonat permit 10 match ip address 101 ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 8.8.11.2 ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode tunnel ! crypto map mymap 1 ipsec-isakmp description ****** Link to C2 ****** set peer 8.8.11.2 set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface G0/1 crypto map mymap ip nat outside ! interface G0/0 ip nat inside !===================================================== ! CONFIG FOR: C2 ! ! ====================================================== access-list 100 remark ****** Link to C1 ****** access-list 100 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 ! access-list 101 remark ****** NAT ACL ****** access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access-list 101 permit ip 10.1.2.0 0.0.0.255 any ! ip nat inside source route-map nonat interface G0/1 overload ! route-map nonat permit 10 match ip address 101 ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 8.8.10.2 ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode tunnel ! crypto map mymap 2 ipsec-isakmp description ****** Link to C1 ****** set peer 8.8.10.2 set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface G0/1 crypto map mymap ip nat outside ! interface G0/0 ip nat inside !========================================= Go here for more: https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html
Views: 1809 David Bombal
Learn about Cisco ASAv route based VPN (Demo connecting AWS and Azure)
 
13:27
Learn about Cisco ASAv route based VPN (Demo connecting AWS and Azure) ASAv (AWS) crypto ikev1 enable management ! crypto ikev1 policy 10  authentication pre-share  encryption aes  hash sha  group 2  lifetime 28800 ! crypto ipsec ikev1 transform-set AWS esp-aes esp-sha-hmac  ! crypto ipsec profile AWS  set ikev1 transform-set AWS  set pfs group2  set security-association lifetime seconds 3600 ! tunnel-group 104.43.128.159 type ipsec-l2l     ! tunnel-group 104.43.128.159 ipsec-attributes    ikev1 pre-shared-key cisco  isakmp keepalive threshold 10 retry 10 ! interface Tunnel1  nameif AWS  ip address 1.1.1.2 255.255.255.0   tunnel source interface management  tunnel destination 104.43.128.159  tunnel mode ipsec ipv4  tunnel protection ipsec profile AWS  no shut ! router bgp 64502  bgp log-neighbor-changes  address-family ipv4 unicast   neighbor 1.1.1.1 remote-as 64501   neighbor 1.1.1.1 activate   neighbor 1.1.1.1 default-originate   redistribute connected   redistribute static   no auto-summary   no synchronization  exit-address-family ! ASAv (Azure) crypto ikev1 enable management ! crypto ikev1 policy 10  authentication pre-share  encryption aes  hash sha  group 2  lifetime 28800 ! crypto ipsec ikev1 transform-set Azure esp-aes esp-sha-hmac  ! crypto ipsec profile Azure  set ikev1 transform-set Azure  set pfs group2  set security-association lifetime seconds 3600 ! tunnel-group 54.213.122.209 type ipsec-l2l     ! tunnel-group 54.213.122.209 ipsec-attributes    ikev1 pre-shared-key cisco  isakmp keepalive threshold 10 retry 10 ! interface Tunnel1  nameif Azure  ip address 1.1.1.1 255.255.255.0   tunnel source interface management  tunnel destination 54.213.122.209  tunnel mode ipsec ipv4  tunnel protection ipsec profile Azure  no shut ! router bgp 64502  bgp log-neighbor-changes  address-family ipv4 unicast   neighbor 1.1.1.1 remote-as 64501   neighbor 1.1.1.1 activate   neighbor 1.1.1.1 default-originate   redistribute connected   redistribute static   no auto-summary   no synchronization  exit-address-family !
Views: 1340 Anubhav Swami
Cisco ASA Site-to-Site VPN Configuration with certificate - Debug
 
08:44
Hi Friends, Please checkout my new video on Site to Site VPN between ASA to ASA with Certificate . If you like this video give it a thumps up and subscribe my channel for more video. Have any question put it on comment section. Site to Site VPN with Certificate - Wireshark Capture https://youtu.be/BthdhJQzq9c Public Key Infrastructure - Explained https://youtu.be/kZETEaAJgYY Site to Site VPN on Router- Understanding and Explanation https://www.youtube.com/watch?v=_A6tm22lYsk Site to Site VPN Main mode negotiation with Wireshark Explanation https://www.youtube.com/watch?v=aaINqti3Hgc What is NAT-T ? What is use in Site to Site VPN with NAT -T wireshark capture and LAB explanation https://youtu.be/9yZSgJHdzCI Site Site Troubleshooting With Debug Messages https://youtu.be/EJ1dHw-KXXM Steps to configure ASA with Certificate 1. Configure Interfaces interface GigabitEthernet0/0 ip address 10.10.4.200 255.255.255.0 nameif outside no shutdown interface GigabitEthernet0/1 ip address 192.168.0.20 255.255.255.0 nameif inside no shutdown 2. Configure ISAKMP policy crypto ikev1 policy 10 authentication pre-share encryption aes hash sha 3. Configure transform-set crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac 4. Configure ACL access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0 5. Configure Tunnel group tunnel-group 10.20.20.1 type ipsec-l2l tunnel-group 10.20.20.1 ipsec-attributes ikev1 trust-point VPN 6. Configure crypto map and attach to interface crypto map mymap 10 match address L2LAccessList crypto map mymap 10 set peer 10.10.4.108 crypto map mymap 10 set transform-set myset crypto map mymap 10 set reverse-route crypto map mymap interface outside 7. Enable isakmp on interface crypto isakmp enable outside E-mail ID : [email protected] #VPN #DigitalCertificate #bikashtech
Views: 200 Bikash's Tech
How to Configure IPSEC - SITE to SITE IPSEC VPN Policy Based VPN - LAB
 
14:36
In this Video, I am going to show you about, How to Configure IPSEC - SITE to SITE IPSEC VPN Policy Based VPN - LAB You can also look into my Blog: https://pgrspot.blogspot.in Tasks to be completed. 1. Configure IP Address as per the Topology 2. Make sure you have Reachability to the Peer End. 3. Configure IKE Phase 1 : Encryption : AES Authentication : pre-share preshare-key : pgrspot Hash : md5 group : 5 4. Configure IKE Phase 2 : Create a Crypto-map name IPSEC-MAP Create a Transform-set named IPSEC-TRANS Encryption : AES Hash : md5 5. Create an ACL named IPSEC-ACL Permit only packets from SERVER and PC to go through IPSEC Encryption. 6. Make sure only the packets from concerned source to destination is encrypted via IPSEC.
Views: 299 PGR Spot
IPSEC site to site vpn via asa 5520
 
11:39
ISKAMP phase 1 crypto ikev1 policy 10 authentication pre-share encryption aes hash sha group 2 lifetime 86400 ! crypto ikev1 enable outside tunnel-group 172.1.1.2 type ipsec-l2l tunnel-group 172.1.1.2 ipsec-attributes ikev1 pre-shared-key cisco ! IPsec Phase 2 access-list 100 permit ip 2.2.2.2 255.255.255.255 10.0.0.0 255.255.255.0 crypto ipsec ikev1 transform-set t-set esp-aes esp-sha-hmac crypto map VPN-MAP 10 match address 100 crypto map VPN-MAP 10 set peer 172.1.1.2 crypto map VPN-MAP 10 set ikev1 transform-set ESP-AES128-SHA crypto map VPN-MAP interface outside
Views: 1232 Zahid Latif
VPN en Cisco Packet Tracer
 
07:35
Simulación de una VPN en Cisco Packet Tracer. Archivo pkt: https://mega.nz/#!u4ZVXahT!AC82eMt_JkYNltPowhdRJcFdZ8klOHEfIzUJYzsty2E Los comandos utilizados para configurar los routers son: (Router 1) crypto isakmp policy 10 authentication pre-share hash sha encryption aes 256 group 2 lifetime 86400 exit crypto isakmp key toor address 10.0.0.2 (router 2) crypto ipsec transform-set TSET esp-aes esp-sha-hmac access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20sho.0 0.0.0.255 (Direccion red 1 y red 2) crypto map CMAP 10 ipsec-isakmp set peer 10.0.0.2 (Router 2) match address 101 set transform-set TSET exit interface fa0/1 (Interface a Router 2) crypto map CMAP do wr (Router 2) crypto isakmp policy 10 authentication pre-share hash sha encryption aes 256 group 2 lifetime 86400 exit crypto isakmp key toor address 10.0.0.1 (router 1) crypto ipsec transform-set TSET esp-aes esp-sha-hmac access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (Direccion red 2 y red 1) crypto map CMAP 10 ipsec-isakmp set peer 10.0.0.1 (Router 1) match address 101 set transform-set TSET exit interface fa0/1 (Interface a Router 1) crypto map CMAP do wr Los comandos para ver los paquetes enviados y recibidos y comprobar que fueron encriptados/desencriptados son: show crypto isakmp sa show crypto ipsec sa
Views: 52208 José Martín
Vyatta to Cisco - Tunneling from ASA to Vyatta Using VMware and GNS
 
10:13
Please note that I am not the creator of this video therefore I do not take any credit for their creation. I am just endorsing them and spreading them so that other's can learn from them just as I did. All credit must go to the owner of this blog http://roggyblog.blogspot.com/ Connecting a Vyatta router to a Cisco ASA/PIX and creating a Lan to Lan Tunnel with some one to one src/dst NAT thrown in for good measure. Vyatta config: interfaces { ethernet eth0 { address 10.0.19.1/24 address 10.0.19.10/24 duplex auto hw-id 00:0c:29:5d:91:c6 smp_affinity auto speed auto } ethernet eth1 { address 192.168.10.1/24 duplex auto hw-id 00:0c:29:5d:91:d0 smp_affinity auto speed auto } ethernet eth2 { duplex auto hw-id 00:0c:29:5d:91:da smp_affinity auto speed auto } loopback lo { } } protocols { static { route 0.0.0.0/0 { next-hop 10.0.19.9 { } } } } service { nat { rule 5 { destination { address 10.20.0.0/24 } exclude outbound-interface eth0 source { address 192.168.10.0/24 } type masquerade } rule 100 { outbound-interface eth0 outside-address { address 10.0.19.10 } source { address 192.168.10.10 } type source } rule 110 { destination { address 10.0.19.10 } inbound-interface eth0 inside-address { address 192.168.10.10 } protocol tcp type destination } rule 900 { outbound-interface eth0 source { address 192.168.10.0/24 } type masquerade } } ssh { allow-root port 22 protocol-version v2 } } system { host-name R1 login { user vyatta { authentication { encrypted-password $1$Oxg1L7oM$v4Vi.4pW3Ai/fPFIzpDzC0 } level admin } } ntp-server 0.vyatta.pool.ntp.org package { auto-sync 1 repository community { components main distribution stable password "" url http://packages.vyatta.com/vyatta username "" } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone GMT } vpn { ipsec { esp-group ESP-1W { compression disable lifetime 3600 mode tunnel pfs disable proposal 1 { encryption 3des hash sha1 } } ike-group IKE-1W { lifetime 86400 proposal 1 { dh-group 2 encryption 3des hash sha1 } } ipsec-interfaces { interface eth0 } nat-traversal enable site-to-site { peer 10.0.29.2 { authentication { mode pre-shared-secret pre-shared-secret letmein } ike-group IKE-1W local-ip 10.0.19.1 tunnel 1 { allow-nat-networks disable allow-public-networks disable esp-group ESP-1W local-subnet 192.168.10.0/24 remote-subnet 10.20.0.0/24
Views: 3760 Jason Morris
Ikev2 VPN configuration with debug and wireshark explaination
 
11:03
Hi Friends, Please checkout my new video on Site to Site ikev2 VPN with certificate between routers . If you like this video give it a thumps up and subscribe my channel for more video. Have any question put it on comment section. Please watch below video before watching this Site to Site Ikev2 asymmetric Pre Shared key explainnation with wireshark https://youtu.be/lheMAmlmoP4 Site to Site VPN with Certificate - Wireshark Capture https://youtu.be/BthdhJQzq9c Steps to Configure Ikev2 Site to Site VPN Define proposal crypto ikev2 proposal VPN_PRO encryption 3des integrity sha256 group 2 Put that proposal into policy crypto ikev2 policy 10 proposal VPN_PRO ! Define profile for authentication method crypto ikev2 profile PROFILE match identity remote address 200.1.2.10 255.255.255.0 authentication remote rsa-sign authentication local rsa-sig pki truspoint (truspoint name) access-list 101 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x Define transform set crypto ipsec transform-set TSET esp-3des esp-md5-hmac mode tunnel Define crypto map crypto map CMAP 10 ipsec-isakmp set peer 200.1.2.10 set ikev2-profile PROFILE match address 101 reverse-route static Apply this map to interface int g0/0 crypto map CMAP #Ikev2 #VPN #bikashtech
Views: 51 Bikash's Tech
7. Palo Alto Networks Firewall - Site-to-site VPN Configuration
 
07:14
In this video you will see how to configure site to site VPN with pre-shared keys. You can use this scenario for connection to any vendor. Palo Alto supports only route based VPN, but you can configure VPN to let's say Cisco ASA which suports policy based VPN only. For that you need to configure proxy-id explicitly, and that is all. Thank you for viewing and let me know if you have any questions - I will use it as an idea for new video. https://www.paloaltonetworks.com/ http://education.paloaltonetworks.com/learningcenter If you like the video and have questions about Palo Alto Networks Firewall - I would be happy for your comments and ideas for the further videos.
Views: 38012 Rafis Garipov
How to obtain certificates for IPSec VPN from a Windows CA
 
03:51
Using digital certificates for authentication instead of preshared keys in VPNs is considered more secure. In Dell SonicWALL UTM devices, digital certificates are one way of authenticating two peer devices to establish an IPsec VPN tunnel. The other is IKE using preshared key. The KB article describes the method to configure WAN GroupVPN and Global VPN Clients (GVC) to use digital certificates for authentication before establishing an IPsec VPN tunnel.
Views: 1374 Corporate Armor
How to Create a Site to Site VPN in Main Mode using Preshared Secret
 
08:02
How to create a site to site VPN between two SonicWALL UTM appliances in Main Mode using Preshared Secret
Views: 29595 Dell EMC Support
IPSec (parte 7) - Configurar routers com IPSec com chaves pré-partilhadas (PSK)
 
15:22
Neste vídeo mostro como fazer a configuração IPSec, com chaves pré-partilhadas, em routers cisco, de acordo com o enunciado apresentado no vídeo anterior. Em baixo seguem TODOS os comandos efetuados nos routers R1 e R2. Se acharam este vídeo útil não se esqueçam de carregar no botão "gosto". --- R1 (início)--------------------------------- hostname R1 ! crypto isakmp policy 110 encr 3des authentication pre-share group 2 lifetime 10800 crypto isakmp key cisco address 172.168.10.2 ! crypto ipsec transform-set TSET esp-aes esp-md5-hmac ! crypto map MAP 11 ipsec-isakmp set peer 172.168.10.2 set transform-set TSET match address 102 ! interface FastEthernet0/0 ip address 172.168.10.1 255.255.255.0 duplex auto speed auto crypto map MAP ! interface FastEthernet0/1 ip address 10.10.10.1 255.255.255.0 duplex auto speed auto ! router eigrp 100 network 10.10.10.0 0.0.0.255 network 172.168.10.0 0.0.0.255 auto-summary ! access-list 102 permit tcp 10.10.10.0 0.0.0.255 host 172.168.10.2 eq www ! end --- R1 (fim)------------------------------------ --- R2 (início)--------------------------------- hostname R2 ! username admin privilege 15 password 0 cisco ! crypto isakmp policy 105 encr 3des authentication pre-share group 2 lifetime 10800 crypto isakmp key cisco address 172.168.10.1 ! crypto ipsec transform-set TSET esp-aes esp-md5-hmac ! crypto map MAP 12 ipsec-isakmp set peer 172.168.10.1 set transform-set TSET match address 105 ! interface FastEthernet0/0 ip address 172.168.10.2 255.255.255.0 duplex auto speed auto crypto map MAP ! router eigrp 100 network 172.168.10.0 0.0.0.255 auto-summary ! ip http server ip http authentication local ! access-list 105 permit tcp host 172.168.10.2 eq www 10.10.10.0 0.0.0.255 ! end --- R2 (fim)------------------------------------
Views: 1340 Miguel Frade
GNS3 Labs: IPsec VPN with NAT across BGP Internet routers: Answers Part 1
 
14:54
GNS3 Topology: https://goo.gl/p7p8pq Get the VPN Config Generator and all my videos as part of a subscription here: https://goo.gl/mJMZGW Cisco documentation: https://goo.gl/hjmdFR For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more. VPN Configuration: ====================================================== ! CONFIG FOR: C1 ! ! ====================================================== access-list 100 remark ****** Link to C2 ****** access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 ! access-list 101 remark ****** NAT ACL ****** access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 access-list 101 permit ip 10.1.1.0 0.0.0.255 any ! ip nat inside source route-map nonat interface G0/1 overload ! route-map nonat permit 10 match ip address 101 ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 8.8.11.2 ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode tunnel ! crypto map mymap 1 ipsec-isakmp description ****** Link to C2 ****** set peer 8.8.11.2 set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface G0/1 crypto map mymap ip nat outside ! interface G0/0 ip nat inside !===================================================== ! CONFIG FOR: C2 ! ! ====================================================== access-list 100 remark ****** Link to C1 ****** access-list 100 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 ! access-list 101 remark ****** NAT ACL ****** access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access-list 101 permit ip 10.1.2.0 0.0.0.255 any ! ip nat inside source route-map nonat interface G0/1 overload ! route-map nonat permit 10 match ip address 101 ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 8.8.10.2 ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode tunnel ! crypto map mymap 2 ipsec-isakmp description ****** Link to C1 ****** set peer 8.8.10.2 set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface G0/1 crypto map mymap ip nat outside ! interface G0/0 ip nat inside !========================================= Go here for more: https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html
Views: 2632 David Bombal
FTD Site to Site VPN with ASA
 
09:58
Creating Site to Site IPSec VPN between FTD and ASA, FTD being managed by FMC. :::::::::::::::::::::::::::::::: access-list VPN_ACL extended permit ip 172.16.11.0 255.255.255.0 172.16.10.0 255.255.255.0 crypto ipsec ikev2 ipsec-proposal Ipsc-proposal-1 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm protocol esp integrity null crypto ipsec security-association pmtu-aging infinite crypto map CSM_Outside_map 1 match address VPN_ACL crypto map CSM_Outside_map 1 set peer 192.168.10.1 crypto map CSM_Outside_map 1 set ikev2 ipsec-proposal Ipsc-proposal-1 crypto map CSM_Outside_map 1 set reverse-route crypto map CSM_Outside_map interface outside crypto ikev2 policy 10 encryption aes-gcm-256 aes-gcm-192 aes-gcm integrity null group 21 20 19 14 5 prf sha512 sha384 sha256 sha lifetime seconds 86400 crypto ikev2 enable outside tunnel-group 192.168.10.1 type ipsec-l2l tunnel-group 192.168.10.1 general-attributes default-group-policy .DefaultS2SGroupPolicy tunnel-group 192.168.10.1 ipsec-attributes ikev2 remote-authentication pre-shared-key cisco123 ikev2 local-authentication pre-shared-key cisco123 Linkedin: https://www.linkedin.com/in/nandakumar80/
Configuring site to site vpn with FTD using FDM
 
07:52
Configuring Site to site VPN on FTD using FDM Firepower Device Manager. ::::::::::::::::::::::::::::::::::::::::::::::::: access-list VPN_ACL extended permit ip 172.16.11.0 255.255.255.0 172.16.10.0 255.255.255.0 crypto ipsec ikev2 ipsec-proposal Ipsc-proposal-1 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm protocol esp integrity null crypto ipsec security-association pmtu-aging infinite crypto map CSM_Outside_map 1 match address VPN_ACL crypto map CSM_Outside_map 1 set peer 192.168.10.15 crypto map CSM_Outside_map 1 set ikev2 ipsec-proposal Ipsc-proposal-1 crypto map CSM_Outside_map 1 set reverse-route crypto map CSM_Outside_map interface outside crypto ikev2 policy 10 encryption aes-gcm-256 aes-gcm-192 aes-gcm integrity null group 21 20 19 14 5 prf sha512 sha384 sha256 sha lifetime seconds 86400 crypto ikev2 enable outside tunnel-group 192.168.10.15 type ipsec-l2l tunnel-group 192.168.10.15 general-attributes default-group-policy .DefaultS2SGroupPolicy tunnel-group 192.168.10.15 ipsec-attributes ikev2 remote-authentication pre-shared-key cisco123 ikev2 local-authentication pre-shared-key cisco123 Linkedin: https://www.linkedin.com/in/nandakumar80/
Configuring Site to Site IPSec VPN Tunnel on Cisco Router
 
17:39
crypto isakmp policy 2 encr aes hash md5 authentication pre-share group 2 lifetime 600 crypto isakmp key kamran address 99.99.150.2 ! ! crypto ipsec transform-set MY-VPN esp-aes 256 esp-sha-hmac ! crypto map MAP 1 ipsec-isakmp set peer 99.99.150.2 set transform-set MY-VPN match address VPN_ACL ! interface FastEthernet0/0 ip address 188.72.150.2 255.255.255.252 duplex auto speed auto crypto map MAP ! interface FastEthernet0/1 ip address 192.168.1.1 255.255.255.0 duplex auto speed auto ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 188.72.150.1 no ip http server no ip http secure-server ! ! ! ip access-list extended VPN_ACL permit ip 192.168.1.0 0.0.0.255 172.16.50.0 0.0.0.255
Views: 18232 Kamran Shalbuzov
Cisco ASA IPSec with NAT Overlap in URDU by Khurram Nawaz
 
19:46
== Configuration Pasted Below == In this Video, I will show you his the steps used to translate the VPN traffic that travels over a LAN-to-LAN (L2L) IPsec tunnel between two Cisco ASA Firewall in overlapping scenarios. If you found this video helpful and would like to see more like & subscribe. If you have any questions pease drop a comment, thanks! ==== ASA-SITE-A ==== object network INSIDE_10.0.0.0 subnet 10.0.0.0 255.255.255.0 object network INSIDE_MAP_192.168.10.0 subnet 192.168.10.0 255.255.255.0 object network REMOTE_LAN_192.168.20.0 subnet 192.168.20.0 255.255.255.0 nat (inside,Outside) source static INSIDE_10.0.0.0 INSIDE_MAP_192.168.10.0 destination static REMOTE_LAN_192.168.20.0 REMOTE_LAN_192.168.20.0 access-list IPSEC-ACL extended permit ip object INSIDE_MAP_192.168.10.0 object REMOTE_LAN_192.168.20.0 access-list IPSEC-ACL extended permit icmp object INSIDE_MAP_192.168.10.0 object REMOTE_LAN_192.168.20.0 crypto ikev1 policy 10 authentication pre-share encryption aes hash sha group 2 lifetime 3600 crypto ikev1 enable Outside tunnel-group 3.3.3.2 type ipsec-l2l tunnel-group 3.3.3.2 ipsec-attributes ikev1 pre-shared-key cisco123 crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac crypto map IPSEC_VPN_MAP 1 match address IPSEC-ACL crypto map IPSEC_VPN_MAP 1 set pfs crypto map IPSEC_VPN_MAP 1 set peer 3.3.3.2 crypto map IPSEC_VPN_MAP 1 set ikev1 transform-set ESP-AES-SHA crypto map IPSEC_VPN_MAP interface Outside policy-map global_policy class inspection_default inspect icmp ping 192.168.20.10 INSIDE ROUTER ON SITE B TO VERIFY ===== ASA-SITE-B ==== ASA-SITE-B object network INSIDE_10.0.0.0 subnet 10.0.0.0 255.255.255.0 object network INSIDE_MAP_192.168.20.0 subnet 192.168.20.0 255.255.255.0 object network REMOTE_LAN_192.168.10.0 subnet 192.168.10.0 255.255.255.0 nat (inside,Outside) source static INSIDE_10.0.0.0 INSIDE_MAP_192.168.20.0 destination static REMOTE_LAN_192.168.10.0 REMOTE_LAN_192.168.10.0 access-list IPSEC-ACL extended permit ip object INSIDE_MAP_192.168.20.0 object REMOTE_LAN_192.168.10.0 access-list IPSEC-ACL extended permit icmp object INSIDE_MAP_192.168.20.0 object REMOTE_LAN_192.168.10.0 crypto ikev1 policy 10 authentication pre-share encryption aes hash sha group 2 lifetime 3600 crypto ikev1 enable Outside tunnel-group 2.2.2.2 type ipsec-l2l tunnel-group 2.2.2.2 ipsec-attributes ikev1 pre-shared-key cisco123 crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac crypto map IPSEC_VPN_MAP 1 match address IPSEC-ACL crypto map IPSEC_VPN_MAP 1 set pfs crypto map IPSEC_VPN_MAP 1 set peer 2.2.2.2 crypto map IPSEC_VPN_MAP 1 set ikev1 transform-set ESP-AES-SHA crypto map IPSEC_VPN_MAP interface Outside policy-map global_policy class inspection_default inspect icmp ping 192.168.10.10 INSIDE ROUTER ON SITE B TO VERIFY
how to configure Remote VPN on Router and Explainning with Debug
 
20:14
Hi Friends, Please checkout my new video on Configuring Ikev1 Remote vpn on router with debug explanation. If you like this video give it a thumps up and subscribe my channel for more video. Have any question put it on comment section. Steps to configure Remote vpn on router aaa new-model aaa authentication login remotevpn local aaa authorization network remotevpn local username cisco password 0 cisco IP local pool VPNPOOL 192.168.1.10 192.168.1.20 access-list permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 crypto isakmp policy 10 encr 3des hash md5 authentication pre-share group 2 crypto isakmp client configuration group Remotevpn key cisco dns 10.1.1.50 pool VPNPOOL acl 101 === Only required for Split tunnel crypto ipsec transform-set TSET esp-3des esp-md5-hmac mode tunnel crypto dynamic-map DMAP 10 set transform-set TSET crypto map REMOTEVPN client authentication list remotevpn crypto map REMOTEVPN isakmp authorization list remotevpn crypto map REMOTEVPN client configuration address respond crypto map REMOTEVPN 10 ipsec-isakmp dynamic DMAP interface g0/0 crypto map REMOTEVPN Please checkout my video on Site to site vpn and other concepts as well Site to Site VPN on Router- Understanding and Explanation https://www.youtube.com/watch?v=_A6tm22lYsk Site to Site VPN Main mode negotiation with Wireshark Explanation https://www.youtube.com/watch?v=aaINqti3Hgc What is NAT-T ? What is use in Site to Site VPN with NAT -T wireshark capture and LAB explanation https://youtu.be/9yZSgJHdzCI #Remotevpn #VPN #bikashtech e-mail id : [email protected]
Views: 13 Bikash's Tech
Site to Site between FTD and VPN headend with Dynamic peer IP
 
07:22
Configuration Site to Site VPN between FTD with VPN headend with Dynamic peer IP. ::::::::::::::::::::::::::::::::::::::::::::::::::::::: access-list VPN_ACL extended permit ip 172.16.11.0 255.255.255.0 172.16.10.0 255.255.255.0 crypto ipsec ikev2 ipsec-proposal Ipsc-proposal-1 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm protocol esp integrity null crypto ipsec security-association pmtu-aging infinite crypto map CSM_Outside_map 1 match address VPN_ACL crypto map CSM_Outside_map 1 set peer 192.168.10.1 crypto map CSM_Outside_map 1 set ikev2 ipsec-proposal Ipsc-proposal-1 crypto map CSM_Outside_map 1 set reverse-route crypto map CSM_Outside_map interface outside crypto ikev2 policy 10 encryption aes-gcm-256 aes-gcm-192 aes-gcm integrity null group 21 20 19 14 5 prf sha512 sha384 sha256 sha lifetime seconds 86400 crypto ikev2 enable outside tunnel-group 192.168.10.1 type ipsec-l2l tunnel-group 192.168.10.1 general-attributes default-group-policy .DefaultS2SGroupPolicy tunnel-group 192.168.10.1 ipsec-attributes ikev2 remote-authentication pre-shared-key cisco123 ikev2 local-authentication pre-shared-key cisco123 Linkedin: https://www.linkedin.com/in/nandakumar80/
Configurando VPN - Packet Tracer
 
15:47
Trabalho acadêmico de alunos do curso de Redes de computadores - UNIFACS Códigos: (Router 1) crypto isakmp policy 10 authentication pre-share hash sha encryption aes 256 group 2 lifetime 86400 exit crypto isakmp key toor address 10.0.0.2 (router 2) crypto ipsec transform-set TSET esp-aes esp-sha-hmac access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 crypto map CMAP 10 ipsec-isakmp set peer 10.0.0.2 (Router 2) match address 101 set transform-set TSET exit interface fa0/0 crypto map CMAP do wr (Router 2) crypto isakmp policy 10 authentication pre-share hash sha encryption aes 256 group 2 lifetime 86400 exit crypto isakmp key toor address 10.0.0.1 (router 1) crypto ipsec transform-set TSET esp-aes esp-sha-hmac access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 crypto map CMAP 10 ipsec-isakmp set peer 10.0.0.1 (Router 1) match address 101 set transform-set TSET exit interface fa0/0 crypto map CMAP do wr Para visualizar os pkts: show crypto isakmp sa show crypto ipsec sa
Views: 1650 Gustavo Calmon
DrayTek to Cisco Router IPSEC VPN
 
11:44
This video file include from DrayTek to Cisco Router IPSEC VPN Tunnel configiration / Bu video dosyası DrayTek den Cisco Router cihazına nasıl IPSEC VPN kurulumunu içermektedir. #-------------------Internet Router version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname INTERNET ! boot-start-marker boot-end-marker ! enable secret 5 $1$N5dU$xoGtoJCSMfgTfVYVfjCAc/ ! no aaa new-model ! resource policy ! memory-size iomem 5 ! ! ip cef no ip domain lookup ip domain name lab.local ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! interface FastEthernet0/0 ip address 200.200.200.1 255.255.255.0 no shut duplex auto speed auto ! interface FastEthernet0/1 ip address 200.200.201.1 255.255.255.0 no shut duplex auto speed auto ! no ip http server no ip http secure-server ! ! ! ! ! ! ! control-plane ! ! ! ! ! ! ! ! ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous line vty 0 4 login ! ! end #----------------------------- VPN GW ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname VPNRouter ! boot-start-marker boot-end-marker ! enable secret 5 $1$.Cuf$Ri9YUNmHcdDDt9c2ewCEu/ ! no aaa new-model ! resource policy ! memory-size iomem 5 ! ! ip cef no ip domain lookup ip domain name lab.local ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! crypto isakmp policy 10 encr aes 256 authentication pre-share lifetime 28800 crypto isakmp key 987654321 address 200.200.201.2 ! ! crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ! crypto map CMAP 10 ipsec-isakmp set peer 200.200.201.2 set security-association lifetime seconds 900 set transform-set 50 set pfs group1 match address 101 ! ! ! ! ! interface FastEthernet0/0 ip address 200.200.200.2 255.255.255.0 duplex auto speed auto crypto map CMAP ! interface FastEthernet0/1 ip address 192.168.1.1 255.255.255.0 duplex auto speed auto ! no ip http server no ip http secure-server ip route 0.0.0.0 0.0.0.0 200.200.200.1 ! ! ! access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ! ! ! ! control-plane ! ! ! ! ! ! ! ! ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous line vty 0 4 login ! ! end
Views: 6373 Ertan Erbek
Configuring IPsec VPN tunnel P.T v.7.2
 
15:05
download Packet tracer's lab: https://drive.google.com/file/d/1U4Gu7CfaJntjNt7DWb8lpbwcpBCIkx1b/view?usp=sharing https://www.youtube.com/user/MrSaleh970/videos?view_as=subscriber [CCNA Security, Configuring IPsec VPN tunnel using P.T. v.7.2 Configuring IPSec VPN Tunnel First you need to check the security license on the router installed , it is a trial evaluation license but you need it to configure IPSec. run this command: # show version If the license isn’t installed run this command: # license boot module c1900 technology-package securityk9 Then accept the license agreement Then save the configuration, after that reload the router. • On the ISP router, configure static route. # ip route 172.16.20.0 255.255.255.0 10.2.2.2 # ip route 172.16.10.0 255.255.255.0 10.1.1.1 On Router1 • Configure default route on Router1 # ip route 0.0.0.0 0.0.0.0 10.1.1.2 • The ACL to permit the traffic from one side of the network to the other side across the tunnel. # access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255 Phase1 ( ISAKMP Policy) - Crypto isakmp policy 10 - Encryption aes 256 - Authentication pre-share - DH group 5 - Lifetime 70000 • ISAKMP key # crypto isakmp key cisco address 10.2.2.2 • Phase 2 (IPsec Transform-set) # crypto ipsec transform-set VPN-SET esp-ases esp-sha-hmac • Creating the crypto map # crypto map VPN-MAP 10 ipsec-isakmp # set peer 10.2.2.2 # set pfs group5 # set security-association lifetime seconds 70000 # set transform-set VPN-SET # match address 101 • Apply the crypto map to the interface. # int s0/1/0 # crypto map VPN-MAP. On Router2 • The ACL to permit the traffic from one side of the network to the other side across the tunnel. # access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255 Phase1 ( ISAKMP Policy) - Crypto isakmp policy 10 - Encryption aes 256 - Authentication pre-share - DH group 5 - Lifetime 70000 • ISAKMP key # crypto isakmp key cisco address 10.1.1.1 • Phase 2 (IPsec Transform-set) # crypto ipsec transform-set VPN-SET esp-ases esp-sha-hmac • Creating the crypto map # crypto map VPN-MAP 10 ipsec-isakmp # set peer 10.1.1.1 # set pfs group5 # set security-association lifetime seconds 70000 # set transform-set VPN-SET # match address 101 • Apply the crypto map to the interface. # int s0/1/1 # crypto map VPN-MAP.
Views: 77 Saleh Al-Moghrabi
SITE TO SITE VPN ROUTER PART 2
 
15:51
SITE TO SITE IPSEC VPN TUNNEL BETWEEN CISCO ROUTERS These steps are: (1) Configure ISAKMP (ISAKMP Phase 1) (2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP) CONFIGURE ISAKMP (IKE) - (ISAKMP PHASE 1):- R1(config)# crypto isakmp policy 1 R1(config-isakmp)# encr 3des R1(config-isakmp)# hash md5 R1(config-isakmp)# authentication pre-share R1(config-isakmp)# group 2 R1(config-isakmp)# lifetime 86400 R1(config)# crypto isakmp key firewallcx address X.X.X.X(ROUTER-2 IP ADDRESS) CONFIGURE IPSEC:- R1(config)# ip access-list extended XXX(Name for access list) R1(config-ext-nacl)# permit ip x.x.x.x(R1-LOCAL internal Network) 0.0.0.255 x.x.x.x(R2LOCAL internal Network) 0.0.0.255 crypto ipsec transform-set TS esp-3des esp-md5-hmac R1(config)# crypto map CMAP 10 ipsec-isakmp R1(config-crypto-map)# set peer X.X.X.X(ROUTER-2 IP ADDRESS) R1(config-crypto-map)# set transform-set TS R1(config-crypto-map)# match address XXX(Name for access list) R1(config)# interface FastEthernet0/1 R1(config- if)# crypto map CMAP ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- SITE -2 PART-2 These steps are: (1) Configure ISAKMP (ISAKMP Phase 1) (2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP) CONFIGURE ISAKMP (IKE) - (ISAKMP PHASE 1):- R2(config)# crypto isakmp policy 1 R2(config-isakmp)# encr 3des R2(config-isakmp)# hash md5 R2(config-isakmp)# authentication pre-share R2(config-isakmp)# group 2 R2(config-isakmp)# lifetime 86400 R2(config)# crypto isakmp key antony address 1.1.1.1 CONFIGURE IPSEC:- R2(config)# ip access-list extended SITE-1-VPN R2(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 crypto ipsec transform-set TS-ANT esp-3des esp-md5-hmac R2(config)# crypto map CMAP 10 ipsec-isakmp R2(config-crypto-map)# set peer 1.1.1.1 R2(config-crypto-map)# set transform-set TS-ANT R2(config-crypto-map)# match addresS SITE-1-VPN R2(config)# interface SERIAL 0 R2(config- if)# crypto map CMAP WAIT 5 MIN.... TO SHARE THE KEY.... --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- R2 CONFIGURATION:- Router(config-if)#DO SHOW RUN Building configuration... Current configuration : 1862 bytes ! version 15.2 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname Router ! ! ! ! ip dhcp excluded-address 10.10.10.1 ! ip dhcp pool ccp-pool network 10.10.10.0 255.255.255.248 default-router 10.10.10.1 ! ! ! ip cef no ipv6 cef ! ! ! ! license udi pid C819HGW-PT-K9 sn FTX1806BFM3 ! ! ! crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2 ! crypto isakmp key antony address 1.1.1.1 ! ! ! crypto ipsec transform-set TS-ANT esp-3des esp-md5-hmac ! crypto map CMAP 10 ipsec-isakmp set peer 1.1.1.1 set transform-set TS-ANT match address SITE-1-VPN ! ! ! ! ! ! spanning-tree mode pvst ! ! ! ! ! ! interface GigabitEthernet0 ip address 192.168.0.1 255.255.255.0 ip nat inside duplex auto speed auto ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface Serial0 ip address 1.1.1.2 255.255.255.0 ip nat outside crypto map CMAP ! interface Wlan-GigabitEthernet0 description Internal switch interface connecting to the embedded AP ! interface wlan-ap0 description Service module interface to manage the embedded AP ip unnumbered Vlan1 ! interface Cellular0 no ip address shutdown ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$ ip address 10.10.10.1 255.255.255.248 ! ip nat inside source list 101 interface Serial0 overload ip classless ip route 0.0.0.0 0.0.0.0 Serial0 ! ip flow-export version 9 ! ! access-list 23 permit 10.10.10.0 0.0.0.7 ip access-list extended SITE-1-VPN permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 access-list 101 remark nat access-list 101 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 access-list 101 permit ip 192.168.0.0 0.0.0.255 any access-list 101 remark nat1 ! ! ! ! ! line con 0 ! line aux 0 ! line vty 0 4 login ! ! ! end Router(config-if)# ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- BRINGING UP AND VERIFYING THE VPN TUNNEL ping 20.20.20.1 source SERIAL 0 show crypto session
Views: 30 IT DEVELOPMENT
SITE TO SITE VPN ROUTER PART 1
 
06:32
SITE TO SITE IPSEC VPN TUNNEL BETWEEN CISCO ROUTERS These steps are: (1) Configure ISAKMP (ISAKMP Phase 1) (2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP) CONFIGURE ISAKMP (IKE) - (ISAKMP PHASE 1):- R1(config)# crypto isakmp policy 1 R1(config-isakmp)# encr 3des R1(config-isakmp)# hash md5 R1(config-isakmp)# authentication pre-share R1(config-isakmp)# group 2 R1(config-isakmp)# lifetime 86400 R1(config)# crypto isakmp key firewallcx address X.X.X.X(ROUTER-2 IP ADDRESS) CONFIGURE IPSEC:- R1(config)# ip access-list extended XXX(Name for access list) R1(config-ext-nacl)# permit ip x.x.x.x(R1-LOCAL internal Network) 0.0.0.255 x.x.x.x(R2LOCAL internal Network) 0.0.0.255 crypto ipsec transform-set TS esp-3des esp-md5-hmac R1(config)# crypto map CMAP 10 ipsec-isakmp R1(config-crypto-map)# set peer X.X.X.X(ROUTER-2 IP ADDRESS) R1(config-crypto-map)# set transform-set TS R1(config-crypto-map)# match address XXX(Name for access list) R1(config)# interface FastEthernet0/1 R1(config- if)# crypto map CMAP ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- SITE -1 These steps are: (1) Configure ISAKMP (ISAKMP Phase 1) (2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP) CONFIGURE ISAKMP (IKE) - (ISAKMP PHASE 1):- R1(config)# crypto isakmp policy 1 R1(config-isakmp)# encr 3des R1(config-isakmp)# hash md5 R1(config-isakmp)# authentication pre-share R1(config-isakmp)# group 2 R1(config-isakmp)# lifetime 86400 R1(config)# crypto isakmp key antony address 1.1.1.2 CONFIGURE IPSEC:- R1(config)# ip access-list extended SITE-2-VPN R1(config-ext-nacl)# permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255 crypto ipsec transform-set TS-ANT esp-3des esp-md5-hmac R1(config)# crypto map CMAP-ANT 10 ipsec-isakmp R1(config-crypto-map)# set peer 1.1.1.2 R1(config-crypto-map)# set transform-set TS-ANT R1(config-crypto-map)# match address SITE-2-VPN R1(config)# interface FastEthernet0/1 R1(config- if)# crypto map CMAP-ANT -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- R1 CONFIGURATION: Router#SHOW RUN Building configuration... Current configuration : 1707 bytes ! version 15.2 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname Router ! ! ! ! ip dhcp excluded-address 10.10.10.1 ! ip dhcp pool ccp-pool network 10.10.10.0 255.255.255.248 default-router 10.10.10.1 ! ! ! no ip cef no ipv6 cef ! ! ! ! license udi pid C819HGW-PT-K9 sn FTX18066A3L ! ! ! crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2 ! crypto isakmp key antony address 1.1.1.2 ! ! ! crypto ipsec transform-set TS-ANT esp-3des esp-md5-hmac ! crypto map CMAP-ANT 10 ipsec-isakmp set peer 1.1.1.2 set transform-set TS-ANT match address SITE-2-VPN ! ! ! ! ! ! spanning-tree mode pvst ! ! ! ! ! ! interface GigabitEthernet0 ip address 10.0.0.1 255.255.255.0 ip nat inside duplex auto speed auto ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface Serial0 ip address 1.1.1.1 255.255.255.0 ip nat outside clock rate 2000000 crypto map CMAP-ANT ! interface Wlan-GigabitEthernet0 description Internal switch interface connecting to the embedded AP ! interface wlan-ap0 description Service module interface to manage the embedded AP ip unnumbered Vlan1 ! interface Cellular0 no ip address shutdown ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$ ip address 10.10.10.1 255.255.255.248 ! ip nat inside source static 10.0.0.2 1.1.1.1 ip classless ip route 0.0.0.0 0.0.0.0 Serial0 ! ip flow-export version 9 ! ! access-list 23 permit 10.10.10.0 0.0.0.7 ip access-list extended SITE-2-VPN permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255 ! ! ! ! ! line con 0 ! line aux 0 ! line vty 0 4 login ! ! ! end Router# SO WATCH MY SECOND VIDEO FOR SITE 2 VPN CONNECTION. ---------------------------------------------------------------------------------------------------------------------------- PART-2 VIDEO LINK https://youtu.be/EAOdHo-W0ww
Views: 41 IT DEVELOPMENT
Cấu hình vpn (từ phút 2:50)
 
09:38
cấu hình vpn: crypto isakmp policy ___ hash ___ authentication pre-share crypto isakmp key ___ address ___ lifetime seconds ___ access-list ___ permit ip ___ ___ ___ ___ crypto ipsec transform-set ___ esp-sha esp-sha-hmac crypto map ___ 10 ipsec-isakmp set peer ___ set transform-set ___ match address 100 inter ___ crypto map ___
Views: 13 Abubu
cisco router VTI and fortigate vpn
 
10:58
crypto isakmp key cisco123 address 192.168.20.1 crypto isakmp policy 1 encr aes 256 hash sha256 authentication pre-share group 2 lifetime 86400 exit crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac mode transport exit crypto ipsec profile myprof set security-association lifetime seconds 28800 set transform-set myset set pfs group2 exit interface Tunnel1 ip unnumbered FastEthernet0/0 tunnel source FastEthernet0/0 tunnel mode ipsec ipv4 tunnel destination 192.168.20.1 tunnel protection ipsec profile myprof exit ip route 3.3.3.3 255.255.255.255 tunnel1
Views: 38 Adnan Khalid
Cisco Site to Site IPSecVPN 簡易演示
 
41:56
簡單的IPSec VPN實作 基本的設定如圖,相關設定已經設定完畢,並且設定 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 三大區塊均無法通過WAN的 e0/0 與 e0/1 IPSec VPN 摘要步驟 1. 定義『封包加密組合』(Transform-set) crypto ipsec transform-set [自訂義A] esp-aes 256 esp-sha-hmac ^^^^^^^^^^^^^^^^^^^^^^^^^^加密的支援(建議看Router的效能而定) 2. 定義『封包加密腳本』(Crypto Map IPSEC) 2.1 access-list [自訂義extend-A] permit ip [來源網段] [目的網段] 2.2 crypto map [自訂義B] [序號] ipsec-isakmp description 註解(建議予以註解,以免在於更多台之VPN環境時會予以混淆) set peer [對方介面VPN所使用之IP] set pfs group5 (定義群組) set security-association lifetime seconds 120 set transform-set [自訂義A] (自訂義A = 步驟一之名稱) match address [自訂義extend-A] (套用access-list,就是定義該來源網段到目的網段所該走的腳本,在後面步驟將會套用於介面上) 3. 定義『VPN Gateway 溝通協議』之加密機制(Crypto ISAKMP Policy) crypto isakmp policy [序號] encryption aes (前面都用aes,後面也就跟著用吧!定義加密模式) authentication pre-share group 5 lifetime 60 4. 定義『身分認證專用金鑰』(Crypto Key) crypto isakmp key [自訂key] address [對方介面VPN所使用之IP] 5. 套用『封包加密腳本』於VPN構聯之介面上(Crypto map on interface) interface xxxxx (套用) crypto map [自訂義B] 建立完畢後 1. 先至 Client 1 or 2 進行 ping 對方之動作 (觸發VPN) 2. 至 IPSECA or B 之 console 進行 2.1 show crypto session 查看 status 是否為 UP-Active 還是為Down 2.2 debug crypto routing 與 ipsec 當中可以清楚看到 IPSec之相關構連過程 undebug all 可取消所有debug即時性的運作! 以上,演示完畢!
Views: 2288 Chung Xie
KSG2 U3 EA ROBL
 
07:10
Simular una red en Cisco Packet Tracer y configurar una VPN (Router 1) crypto isakmp policy 10 authentication pre-share hash sha encryption aes 256 group 2 lifetime 86400 exit crypto isakmp key toor address 178.234.30.2 crypto ipsec transform-set TSET esp-aes esp-sha-hmac access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 crypto map CMAP 10 ipsec-isakmp set peer 178.234.30.2 match address 101 set transform-set TSET exit interface fa0/1 crypto map CMAP do wr (Router 2) crypto isakmp policy 10 authentication pre-share hash sha encryption aes 256 group 2 lifetime 86400 exit crypto isakmp key toor address 178.234.30.1 crypto ipsec transform-set TSET esp-aes esp-sha-hmac access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 crypto map CMAP 10 ipsec-isakmp set peer 178.234.30.1 match address 101 set transform-set TSET exit interface fa0/1 crypto map CMAP do wr
Views: 52 RODRIGO BELTRAN
GNS3 Labs: Dynamic IPsec VPNs and NAT across BGP Internet routers: Answers Part 3
 
05:45
Can you complete this Dynamic, IPsec, NAT& BGP lab? GNS3 Topology: https://goo.gl/tPAcjd Get the VPN Config Generator and all my videos as part of a subscription here: https://goo.gl/mJMZGW Cisco documentation: https://goo.gl/hjmdFR For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more.Can you complete this Dynamic, IPsec, NAT& BGP lab? GNS3 Topology: https://goo.gl/tPAcjd Get the VPN Config Generator and all my videos as part of a subscription here: https://goo.gl/mJMZGW Cisco documentation: https://goo.gl/hjmdFR For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more. ! ======================================================== ! Code created by Network Experts Limited ! ! Find us at www.ConfigureTerminal.com ! ! ======================================================== ! CONFIG FOR: c1.davidbombal.com ! ! ======================================================== access-list 100 remark ****** Link to c2.davidbombal.com ****** access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 ! access-list 101 remark ****** NAT ACL ****** access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 access-list 101 permit ip 10.1.1.0 0.0.0.255 any ! ip nat inside source route-map nonat interface G0/1 overload ! route-map nonat permit 10 match ip address 101 ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 crypto isakmp key cisco123 hostname c2.davidbombal.com ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode tunnel ! crypto dynamic-map dynmap 120 description ****** Dynamic Map to c2.davidbombal.com ****** set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! crypto map mymap 130 ipsec-isakmp dynamic dynmap ! crypto map mymap 110 ipsec-isakmp description ****** Static VPN MAP to c2.davidbombal.com ****** set peer c2.davidbombal.com dynamic set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface G0/1 crypto map mymap ip nat outside ! interface G0/0 ip nat inside ! ======================================================== ! Code created by Network Experts Limited ! ! Find us at www.ConfigureTerminal.com ! ! ======================================================== ! CONFIG FOR: c2.davidbombal.com ! ! ======================================================== access-list 100 remark ****** Link to c1.davidbombal.com ****** access-list 100 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 ! access-list 101 remark ****** NAT ACL ****** access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access-list 101 permit ip 10.1.2.0 0.0.0.255 any ! ip nat inside source route-map nonat interface G0/1 overload ! route-map nonat permit 10 match ip address 101 ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 crypto isakmp key cisco123 hostname c1.davidbombal.com ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode tunnel ! crypto dynamic-map dynmap 120 description ****** Dynamic Map to c2.davidbombal.com ****** set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! crypto map mymap 130 ipsec-isakmp dynamic dynmap ! crypto map mymap 110 ipsec-isakmp description ****** Static VPN MAP to c2.davidbombal.com ****** set peer c1.davidbombal.com dynamic set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface G0/1 crypto map mymap ip nat outside ! interface G0/0 ip nat inside
Views: 2183 David Bombal
GNS3 Labs: DMVPN, IPsec and NAT across BGP Internet routers: Answers Part 7
 
07:58
Can you complete this DMVPN, IPsec, NAT& BGP lab? GNS3 Topology: https://goo.gl/udfNPL Get the VPN Config Generator and all my videos as part of a subscription here: https://goo.gl/mJMZGW Cisco documentation: https://goo.gl/hjmdFR For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more. ! ====================================================== ! Code created by David Bombal ! ! Find us at www.davidbombal.com ! ! ====================================================== ! CONFIG FOR: C1 ! ! ====================================================== ! HUB SITE ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode transport ! crypto ipsec profile cisco set transform-set myset set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface Tunnel 111 description ****** DMVPN GRE Tunnel ****** ip address 192.168.1.1 255.255.255.0 bandwidth 1000 delay 1000 ip nhrp holdtime 360 ip nhrp network-id 100000 ip nhrp authentication cisco ip mtu 1400 ip tcp adjust-mss 1360 ip nhrp map multicast dynamic tunnel source G0/1 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile cisco no ip split-horizon eigrp 100 no ip next-hop-self eigrp 100 ! router eigrp 100 network 192.168.1.1 0.0.0.0 network 10.0.0.0 0.255.255.255 no auto-summary !====================================================== ! Code created by David Bombal ! ! Find us at www.davidbombal.com ! ! ====================================================== ! CONFIG FOR: C2 ! ! ====================================================== ! SPOKE SITE ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode transport ! crypto ipsec profile cisco set transform-set myset set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface Tunnel 111 description ****** DMVPN GRE Tunnel ****** ip address 192.168.1.2 255.255.255.0 bandwidth 1000 delay 1000 ip nhrp holdtime 360 ip nhrp network-id 100000 ip nhrp authentication cisco ip mtu 1400 ip tcp adjust-mss 1360 ip nhrp nhs 192.168.1.1 ip nhrp map multicast 8.8.3.2 ip nhrp map 192.168.1.1 8.8.3.2 tunnel source G0/1 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile cisco ! router eigrp 100 network 192.168.1.2 0.0.0.0 network 10.0.0.0 0.255.255.255 no auto-summary
Views: 687 David Bombal
GNS3 Labs: DMVPN, IPsec and NAT across BGP Internet routers: Answers Part 8
 
07:18
Can you complete this DMVPN, IPsec, NAT& BGP lab? GNS3 Topology: https://goo.gl/udfNPL Get the VPN Config Generator and all my videos as part of a subscription here: https://goo.gl/mJMZGW Cisco documentation: https://goo.gl/hjmdFR For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more. ! ====================================================== ! Code created by David Bombal ! ! Find us at www.davidbombal.com ! ! ====================================================== ! CONFIG FOR: C1 ! ! ====================================================== ! HUB SITE ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode transport ! crypto ipsec profile cisco set transform-set myset set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface Tunnel 111 description ****** DMVPN GRE Tunnel ****** ip address 192.168.1.1 255.255.255.0 bandwidth 1000 delay 1000 ip nhrp holdtime 360 ip nhrp network-id 100000 ip nhrp authentication cisco ip mtu 1400 ip tcp adjust-mss 1360 ip nhrp map multicast dynamic tunnel source G0/1 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile cisco no ip split-horizon eigrp 100 no ip next-hop-self eigrp 100 ! router eigrp 100 network 192.168.1.1 0.0.0.0 network 10.0.0.0 0.255.255.255 no auto-summary !====================================================== ! Code created by David Bombal ! ! Find us at www.davidbombal.com ! ! ====================================================== ! CONFIG FOR: C2 ! ! ====================================================== ! SPOKE SITE ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode transport ! crypto ipsec profile cisco set transform-set myset set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface Tunnel 111 description ****** DMVPN GRE Tunnel ****** ip address 192.168.1.2 255.255.255.0 bandwidth 1000 delay 1000 ip nhrp holdtime 360 ip nhrp network-id 100000 ip nhrp authentication cisco ip mtu 1400 ip tcp adjust-mss 1360 ip nhrp nhs 192.168.1.1 ip nhrp map multicast 8.8.3.2 ip nhrp map 192.168.1.1 8.8.3.2 tunnel source G0/1 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile cisco ! router eigrp 100 network 192.168.1.2 0.0.0.0 network 10.0.0.0 0.255.255.255 no auto-summary
Views: 597 David Bombal
Configuring GRE over IPSEC VPN (Tested with Ethereal)
 
09:47
Lab 3.7 Configuring a Secure GRE Tunnel with the IOS CLI R1# show run ! hostname R1 ! interface Tunnel0 ip address 172.16.13.1 255.255.255.0 tunnel source FastEthernet0/0 tunnel destination 192.168.23.3 ! interface Loopback0 ip address 172.16.1.1 255.255.255.0 ! interface FastEthernet0/0 ip address 192.168.12.1 255.255.255.0 duplex full speed 100 crypto map mymap no shutdown ! router eigrp 1 network 192.168.12.0 no auto-summary !int router eigrp 2 network 172.16.0.0 no auto-summary ! end R2# show run hostname R2 ! interface FastEthernet0/0 ip address 192.168.12.2 255.255.255.0 duplex full speed 100 no shutdown ! interface Serial1/0 ip address 192.168.23.2 255.255.255.0 clock rate 64000 no shutdown ! router eigrp 1 network 192.168.12.0 network 192.168.23.0 no auto-summary ! R3# show run hostname R3 ! interface Loopback0 ip address 172.16.3.1 255.255.255.0 ! interface Tunnel0 ip address 172.16.13.3 255.255.255.0 tunnel source Serial1/0 tunnel destination 192.168.12.1 ! interface Serial1/0 ip address 192.168.23.3 255.255.255.0 crypto map mymap no shutdown ! router eigrp 1 network 192.168.23.0 no auto-summary ! router eigrp 2 network 172.16.0.0 no auto-summary ! line vty 0 4 password cisco login end ----------------------- ISAKMP Policies ----------------------- Step1: crypto isakmp policy 100 encr 3des hash md5 authentication pre-share group 5 lifetime 1600 ! Step2: crypto isakmp key CCNP-K3Y address 192.168.23.3 crypto ipsec transform-set VPN-LINK ah-md5-hmac esp-aes 256 ! Step3: crypto map DEMO 10 ipsec-isakmp set peer 192.168.23.3 set transform-set VPN-LINK match address 100 ! access-list 100 permit gre host 192.168.12.1 host 192.168.23.3 ------------ SWitch(Remote SPAN Configuration) ------------ hostname Switch ! monitor session 1 source interface fa1/5 monitor session 1 destination interface fa1/8 ! int range fa1/5 - 8 no shutdown switchport mode access speed 100 duplex half ! end
Views: 9985 ucatalg
Criando VPN com ACL - BATTLEFIELD SECURITY
 
14:01
Prezados, Esse video tem como finalidade mostrar a criação passo a passo de uma com VPN com ACL e o seu funcionado em tempo real. Links: - Download da VPN: https://goo.gl/QqyXW1 - Comandos utilizados para criação da VPN: (Router 1) crypto isakmp policy 10 authentication pre-share hash sha encryption aes 256 group 2 lifetime 86400 exit crypto isakmp key toor address 10.0.0.2 (router 2) crypto ipsec transform-set TSET esp-aes esp-sha-hmac access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 crypto map CMAP 10 ipsec-isakmp set peer 10.0.0.2 (Router 2) match address 101 set transform-set TSET exit interface fa0/0 crypto map CMAP do wr (Router 2) crypto isakmp policy 10 authentication pre-share hash sha encryption aes 256 group 2 lifetime 86400 exit crypto isakmp key toor address 10.0.0.1 (router 1) crypto ipsec transform-set TSET esp-aes esp-sha-hmac access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 crypto map CMAP 10 ipsec-isakmp set peer 10.0.0.1 (Router 1) match address 101 set transform-set TSET exit interface fa0/0 crypto map CMAP do wr
Views: 41 Alexandre Vinicius
GNS3 Labs: Dynamic IPsec VPNs and NAT across BGP Internet routers: Answers Part 2
 
11:04
Can you complete this Dynamic, IPsec, NAT& BGP lab? GNS3 Topology: https://goo.gl/tPAcjd Get the VPN Config Generator and all my videos as part of a subscription here: https://goo.gl/mJMZGW Cisco documentation: https://goo.gl/hjmdFR For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more.Can you complete this Dynamic, IPsec, NAT& BGP lab? GNS3 Topology: https://goo.gl/tPAcjd Get the VPN Config Generator and all my videos as part of a subscription here: https://goo.gl/mJMZGW Cisco documentation: https://goo.gl/hjmdFR For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more. ! ======================================================== ! Code created by Network Experts Limited ! ! Find us at www.ConfigureTerminal.com ! ! ======================================================== ! CONFIG FOR: c1.davidbombal.com ! ! ======================================================== access-list 100 remark ****** Link to c2.davidbombal.com ****** access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 ! access-list 101 remark ****** NAT ACL ****** access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 access-list 101 permit ip 10.1.1.0 0.0.0.255 any ! ip nat inside source route-map nonat interface G0/1 overload ! route-map nonat permit 10 match ip address 101 ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 crypto isakmp key cisco123 hostname c2.davidbombal.com ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode tunnel ! crypto dynamic-map dynmap 120 description ****** Dynamic Map to c2.davidbombal.com ****** set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! crypto map mymap 130 ipsec-isakmp dynamic dynmap ! crypto map mymap 110 ipsec-isakmp description ****** Static VPN MAP to c2.davidbombal.com ****** set peer c2.davidbombal.com dynamic set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface G0/1 crypto map mymap ip nat outside ! interface G0/0 ip nat inside ! ======================================================== ! Code created by Network Experts Limited ! ! Find us at www.ConfigureTerminal.com ! ! ======================================================== ! CONFIG FOR: c2.davidbombal.com ! ! ======================================================== access-list 100 remark ****** Link to c1.davidbombal.com ****** access-list 100 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 ! access-list 101 remark ****** NAT ACL ****** access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access-list 101 permit ip 10.1.2.0 0.0.0.255 any ! ip nat inside source route-map nonat interface G0/1 overload ! route-map nonat permit 10 match ip address 101 ! crypto isakmp policy 10 hash md5 authentication pre-share encryption 3des group 2 lifetime 86400 ! crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 crypto isakmp key cisco123 hostname c1.davidbombal.com ! crypto ipsec transform-set myset esp-3des esp-md5-hmac mode tunnel ! crypto dynamic-map dynmap 120 description ****** Dynamic Map to c2.davidbombal.com ****** set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! crypto map mymap 130 ipsec-isakmp dynamic dynmap ! crypto map mymap 110 ipsec-isakmp description ****** Static VPN MAP to c2.davidbombal.com ****** set peer c1.davidbombal.com dynamic set transform-set myset set pfs group2 match address 100 set security-association lifetime seconds 86400 set security-association lifetime kilobytes 4608000 ! interface G0/1 crypto map mymap ip nat outside ! interface G0/0 ip nat inside
Views: 818 David Bombal
VPN
 
15:42
VPN
(Roteador 1) crypto isakmp policy 10 authentication pre-share hash sha encryption aes 256 group 2 lifetime 86400 exit crypto isakmp key toor address 10.0.0.2 (IP do roteador 2) crypto ipsec transform-set TSET esp-aes esp-sha-hmac access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 crypto map CMAP 10 ipsec-isakmp set peer 10.10.10.2 (IP do roteador 2) match address 101 set transform-set TSET exit interface fa0/0 (interface entre os roteadores) crypto map CMAP do wr roteador 2 é a mesma coisa entretanto onde está ip do roteador 2 é 1, e na acces é o ip da primeira rede primeira.
Views: 38 Breno Augusto
VPN remote akses pada packet tracer
 
03:14
Fondasi utamanya laptop (client remote access vpn) harus bisa ping ke router vpn server(router yang melayani koneksi vpn). Hal ini mengisyaratkan bahwa nat di router branch sudah ready/ok dalam menterjemahkan alamat IP private si laptop ke alamat IP publik interface outside si router branch. Dengan settingan yang sama kita bisa membuat remote vpn di real router misalnya cisco 880. Router corporate: aaa new-model aaa authentication login rtr-remote local aaa authorization network rtr-remote local username Cisco password 0 Cisco crypto isakmp policy 1 encr aes 256 hash md5 authentication pre-share group 2 lifetime 21600 crypto isakmp client configuration group rtr-remote key cisco123 pool dynpool crypto ipsec security-association lifetime seconds 86400 crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac crypto dynamic-map dynmap 1 set transform-set vpn1 reverse-route crypto map dynmap client authentication list rtr-remote crypto map dynmap isakmp authorization list rtr-remote crypto map dynmap client configuration address respond crypto map dynmap 10 ipsec-isakmp dynamic dynmap ip local pool dynpool 30.30.30.20 30.30.30.30 interface FastEthernet0/0 crypto map dynmap
Views: 840 Totz Freelance
Cisco ASA - Remote Access VPN (IPSec)
 
08:49
How to quickly set up remote access for external hosts, and then restrict the host's access to network resources.
Views: 146824 Blog'n'Vlog
GNS3   VPN Site to Sites   parte 3
 
21:01
R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 R1(config)# crypto isakmp policy 10 R1(config-isakmp)# encryption aes 256 R1(config-isakmp)# authentication pre-share R1(config-isakmp)# group 5 R1(config-isakmp)# exit R1(config)# crypto isakmp key vpnpa55 address 10.2.2.2 R1(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac R1(config)# exit R1(config)# crypto map VPN-MAP 10 ipsec-isakmp R1(config-crypto-map)# description VPN connection to R3 R1(config-crypto-map)# set peer 10.2.2.2 R1(config-crypto-map)# set transform-set VPN-SET R1(config-crypto-map)# match address 110 R1(config-crypto-map)# exit R1(config)# interface s0/0/0 (veja qual é a sua serial) R1(config-if)# crypto map VPN-MAP ====================== R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 R3(config)# crypto isakmp policy 10 R3(config-isakmp)# encryption aes 256 R3(config-isakmp)# authentication pre-share R3(config-isakmp)# group 5 R3(config-isakmp)# exit R3(config)# crypto isakmp key vpnpa55 address 10.1.1.2 R3(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac R3(config)# exit R3(config)# crypto map VPN-MAP 10 ipsec-isakmp R3(config-crypto-map)# description VPN connection to R1 R3(config-crypto-map)# set peer 10.1.1.2 R3(config-crypto-map)# set transform-set VPN-SET R3(config-crypto-map)# match address 110 R3(config-crypto-map)# exit R3(config)# interface s0/0/1 (veja qual é a sua serial) R3(config-if)# crypto map VPN-MAP ======================== Parte 3: Verifique se o VPN IPsec // teste R1# show crypto ipsec sa comando em R1. Note-se que o número de pacotes encapsulados, cifrada, descapsulados, e desencriptados são todos definidos como 0. // teste Ping PC-B do PC-A. Note-se que o número de pacotes não mudou, que verifica que o tráfego não é criptografado desinteressante.
Views: 23 Alexandre Ferreira
GNS3 Labs: IPSec VPN with NAT across BGP Internet routers: Can you complete the lab?
 
07:05
Can you complete this IPSec VPN & NAT lab? GNS3 Topology: https://goo.gl/p7p8pq Get the VPN Config Generator and all my videos as part of a subscription here: https://goo.gl/mJMZGW Cisco documentation: https://goo.gl/hjmdFR For lots more content, visit http://www.davidbombal.com - learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more. IPsec Overview: A secure network starts with a strong security policy that defines the freedom of access to information and dictates the deployment of security in the network. Cisco Systems offers many technology solutions for building a custom security solution for Internet, extranet, intranet, and remote access networks. These scalable solutions seamlessly interoperate to deploy enterprise-wide network security. Cisco System's IPsec delivers a key technology component for providing a total security solution. Cisco's IPsec offering provides privacy, integrity, and authenticity for transmitting sensitive information over the Internet. IPsec provides secure tunnels between two peers, such as two routers. You define which packets are considered sensitive and should be sent through these secure tunnels, and you define the parameters which should be used to protect these sensitive packets, by specifying characteristics of these tunnels. Then, when the IPsec peer sees such a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer. More accurately, these tunnels are sets of security associations (SAs) that are established between two IPsec peers. The security associations define which protocols and algorithms should be applied to sensitive packets, and also specify the keying material to be used by the two peers. Security associations are unidirectional and are established per security protocol (AH or ESP). With IPsec you define what traffic should be protected between two IPsec peers by configuring access lists and applying these access lists to interfaces by way of crypto map sets. Therefore, traffic can be selected based on source and destination address, and optionally Layer 4 protocol, and port. The access lists used for IPsec only determine which traffic should be protected by IPsec, not which traffic should be blocked or permitted through the interface. Separate access lists define blocking and permitting at the interface. A crypto map set can contain multiple entries, each with a different access list. The crypto map entries are searched in order—the router attempts to match the packet to the access list specified in that entry. It is good practice to place the most important crypto map entries at the top of the list. When a packet matches a permit entry in a particular access list, and the corresponding crypto map entry is tagged as cisco, then CET is triggered, and connections are established if necessary. If the crypto map entry is tagged as ipsec-isakmp, IPsec is triggered. If no security association exists that IPsec can use to protect this traffic to the peer, IPsec uses the Internet Key Exchange protocol (IKE) to negotiate with the remote peer to set up the necessary IPsec security associations on behalf of the data flow. The negotiation uses information specified in the crypto map entry as well as the data flow information from the specific access list entry. If the crypto map entry is tagged as ipsec-manual, IPsec is triggered. If no security association exists that IPsec can use to protect this traffic to the peer, the traffic is dropped. In this case, the security associations are installed via the configuration, without the intervention of IKE. If the security associations did not exist, IPsec did not have all of the necessary pieces configured. Once established, the set of security associations (outbound, to the peer) is then applied to the triggering packet as well as to subsequent applicable packets as those packets exit the router. Applicable packets are packets that match the same access list criteria that the original packet matched. For example, all applicable packets could be encrypted before being forwarded to the remote peer. The corresponding inbound security associations are used when processing the incoming traffic from that peer. If IKE is used to establish the security associations, the security associations will have lifetimes set so that they periodically expire and require renegotiation, thus providing an additional level of security. Multiple IPsec tunnels can exist between two peers to secure different data streams, with each tunnel using a separate set of security associations. For example, some data streams might be just authenticated while other data streams must both be encrypted and authenticated. Go here for more: https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html
Views: 3098 David Bombal
Bài 8: cấu hình VPN
 
08:29
- crypto isakmp policy 10 authentication pre-share // Xác thực = pre-share key hash sha // hàm băm mật mã sha ecryption aes 256 // phương thức giải mã aes group 2 lifetime 86400 exit crypto isakmp key toor address 10.0.0.2 crypto ipsec transform-set TSET esp-aes esp-sha-hmac // mã hóa + giải mã access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 crypto map CMAP 10 ipsec-isakmp set peer 10.0.0.2 match address 102 set transform-set TSET exit int f0/1 (interf ra ngoai router) crypto map CMAP do wr - kiểm tra end show crypto ipsec sa
Views: 2470 Hải Hoàng
How to Configure an ASA VPN Split-Tunnel: Cisco ASA Training 101
 
10:37
http:--www.soundtraining.net-cisco-asa-training-101 Learn how to configure a split-tunnel for use with a Cisco ASA VPN to allow your remote users direct access to the Internet when using a VPN. IT author-speaker Don R. Crawley demonstrates how to configure a split-tunnel using the Cisco ASA Security Appliance Command-Line Interface.
Views: 39710 soundtraining.net