Question
Configure hostname as student ID also, like R1(SUKD1900337)
- Packet Tracer file (.pkt) I need, MUST.
LAB: Configure and Verify a Site-to-Site IPsec VPN using CLI through Cisco Packet Tracer Simulation Software.

Learning Objectives

Upon completion of this activity, you will be able to:
Part 1: All Configuration, Interfaces & Test Connectivity of the Topology.
Part 2: Configure IPsec Parameters on R1
Part 2: Configure IPsec Parameters on R2
Part 3: Verify the IPsec VPN
[Verify connectivity throughout the network and Configure R1 to support a site-to-site IPsec VPN with R2.]

TOPOLOGY

[Figure: Diagram 1: IPSEC Topology. Routers R1, R2 and R3 (1941); switches S1, S2 and S3 (2960-24TT); PC1 192.168.1.3 on 192.168.1.0/24, PC2 192.168.2.3 on 192.168.2.0/24, PC3 192.168.3.3 on 192.168.3.0/24; link labelled VPN.]

Addressing Table

| Device | Interface | IP Address | Subnet Mask | Default Gateway | Switch Port |
|---|---|---|---|---|---|
| R1 | G0/0 | 192.168.1.1 | 255.255.255.0 | N/A | S1 F0/1 |
| R1 | S0/0/0 | 10.1.1.1 | 255.255.255.252 | N/A | N/A |
| R3 | G0/0 | 192.168.3.1 | 255.255.255.0 | N/A | S3 F0/2 |
| R3 | S0/0/0 | 10.1.1.2 | 255.255.255.252 | N/A | N/A |
| R3 | S0/0/1 | 10.2.2.1 | 255.255.255.252 | N/A | N/A |
| R2 | G0/0 | 192.168.2.1 | 255.255.255.0 | N/A | S2 F0/5 |
| R2 | S0/0/1 | 10.2.2.2 | 255.255.255.252 | N/A | N/A |
| PC-1 | NIC | 192.168.1.3 | 255.255.255.0 | 192.168.1.1 | S1 F0/2 |
| PC-2 | NIC | 192.168.2.3 | 255.255.255.0 | 192.168.2.1 | S2 F0/1 |
| PC-3 | NIC | 192.168.3.3 | 255.255.255.0 | 192.168.3.1 | S3 F0/18 |

Objectives

Verify connectivity throughout the network.
Configure R1 to support a site-to-site IPsec VPN with R3.

Background / Scenario

The network topology shows three routers. Your task is to configure R1 and R2 to support a site-to-site IPsec VPN when traffic flows between their respective LANs. The IPsec VPN tunnel is from R1 to R2 via R3. R3 acts as a pass-through and has no knowledge of the VPN. IPsec provides secure transmission of sensitive information over unprotected networks, such as the Internet. IPsec operates at the network layer and protects and authenticates IP packets between participating IPsec devices (peers), such as Cisco routers.

ISAKMP Phase 1 Policy Parameters

| Parameters | Options | R1 | R3 |
|---|---|---|---|
| Key Distribution Method | Manual or ISAKMP | ISAKMP | ISAKMP |
| Encryption Algorithm | DES, 3DES, or AES | AES 256 | AES 256 |
| Hash Algorithm | MD5 or SHA-1 | SHA-1 | SHA-1 |
| Authentication Method | Pre-shared keys or RSA | pre-share | pre-share |
| Key Exchange | DH Group 1, 2, or 5 | DH 5 | DH 5 |
| IKE SA Lifetime | 86400 seconds or less | 86400 | 86400 |
| ISAKMP Key | | vpnpa55 | vpnpa55 |

Note: Bolded parameters are defaults. Only unbolded parameters have to be explicitly configured.

IPsec Phase 2 Policy Parameters

| Parameters | R1 | R2 |
|---|---|---|
| Transform Set Name | VPN-SET | VPN-SET |
| ESP Transform Encryption | esp-aes | esp-aes |
| ESP Transform Authentication | esp-sha-hmac | esp-sha-hmac |
| Peer IP Address | 10.2.2.2 | 10.1.1.1 |
| Traffic to be Encrypted | Access-list 110 (source 192.168.1.0 dest 192.168.2.0) | Access-list 110 (source 192.168.2.0 dest 192.168.1.0) |
| Crypto Map Name | VPN-MAP | VPN-MAP |
| SA Establishment | ipsec-isakmp | ipsec-isakmp |

The routers have been pre-configured with the following:
Password for console line: ciscoconpa55
Password for vty lines: ciscovtypa55

Part 1: All Configurations, Interfaces & Test connectivity of the topology.

Screenshot of your topology based on Diagram 1. All devices should be labelled with your Student ID. Example: SUKD12345_R1

Part 2: Configure IPsec Parameters on R1

Step 1: Test connectivity.
Ping from PC-1 to PC-2.

Step 2: Enable the Security Technology package.
a. On R1, issue the show version command to view the Security Technology package license information.
b. If the Security Technology package has not been enabled, use the following command to enable the package.
c. Accept the end-user license agreement.
d. Save the running-config and reload the router to enable the security license.
e. Verify that the Security Technology package has been enabled by using the show version command.

Step 3: Identify interesting traffic on R1.
Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R2 as interesting. This interesting traffic will trigger the IPsec VPN to be implemented when there is traffic between the R1 to R2 LANs. All other traffic sourced from the LANs will not be encrypted. Because of the implicit deny all, there is no need to configure a deny ip any any statement.

Step 4: Configure the IKE Phase 1 ISAKMP policy on R1.
Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key vpnpa55. Refer to the ISAKMP Phase 1 table for the specific parameters to configure. Default values do not have to be configured. Therefore, only the encryption method, key exchange method, and DH method must be configured.
Note: The highest DH group currently supported by Packet Tracer is group 5. In a production network, you would configure at least DH 14.
REMARKS: Please check your peer IP address

Step 5: Configure the IKE Phase 2 IPsec policy on R1.
a. Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac.
b. Create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.
REMARKS: Please check your peer address

Step 6: Configure the crypto map on the outgoing interface.
Bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface.

Part 3: Configure IPsec Parameters on R2

Step 1: Enable the Security Technology package.
a. On R2, issue the show version command to verify that the Security Technology package license information has been enabled.
b. If the Security Technology package has not been enabled, enable the package and reload R2.

Step 2: Configure router R2 to support a site-to-site VPN with R1.
Configure reciprocating parameters on R2. Configure ACL 110 identifying the traffic from the LAN on R2 to the LAN on R1 as interesting.
REMARKS: Please check your IP address

Step 3: Configure the IKE Phase 1 ISAKMP properties on R2.
Configure the crypto ISAKMP policy 10 properties on R2 along with the shared crypto key vpnpa55.
REMARKS: Please check your peer address

Step 4: Configure the IKE Phase 2 IPsec policy on R2.
a. Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac.
b. Create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.
REMARKS: Please check your peer address

Step 5: Configure the crypto map on the outgoing interface.
Bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface.
Note: This is not graded.

Part 4: Verify the IPsec VPN

Step 1: Verify the tunnel prior to interesting traffic.
Issue the show crypto ipsec sa command on R1. Notice that the number of packets encapsulated, encrypted, decapsulated and decrypted are all set to 0.

Step 2: Create interesting traffic.
Ping PC-2 from PC-1.

Step 3: Verify the tunnel after interesting traffic.
On R1, re-issue the show crypto ipsec sa command. Notice that the number of packets is more than 0, which indicates that the IPsec VPN tunnel is working.

Step 4: Create uninteresting traffic.
Ping PC-3 from PC-1.
Note: Issuing a ping from router R1 to PC-3 or R3 to PC-1 is not interesting traffic.

Step 5: Verify the tunnel.
On R1, re-issue the show crypto ipsec sa command. Notice that the number of packets has not changed, which verifies that uninteresting traffic is not encrypted.
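The lab's repeated "check your peer address" remarks and its instruction to configure reciprocating parameters on R2 come down to a consistency check between the two routers, shown here as an added example that is not part of the original question or lab. The IOS lines are built from the Phase 1 and Phase 2 tables and the addressing table above; the helper names `render`, `parse` and `mismatches` are hypothetical.

```python
import re

def render(local_lan, remote_lan, peer, iface, key="vpnpa55"):
    # IOS commands for one side, using the lab's Phase 1 / Phase 2 table values.
    return f"""\
access-list 110 permit ip {local_lan} 0.0.0.255 {remote_lan} 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key {key} address {peer}
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer {peer}
 set transform-set VPN-SET
 match address 110
interface {iface}
 crypto map VPN-MAP
"""

def parse(cfg):
    # Extract the values that must match or mirror between the two peers.
    def one(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.groups() if m else ()
    return {
        "acl": one(r"^access-list 110 permit ip (\S+) \S+ (\S+) \S+"),
        "policy": tuple(re.findall(r"^ ((?:encryption|authentication|group) .+)$", cfg, re.M)),
        "psk": one(r"^crypto isakmp key (\S+) "),
        "key_peer": one(r"^crypto isakmp key \S+ address (\S+)"),
        "transform": one(r"^crypto ipsec transform-set \S+ (.+)$"),
        "peer": one(r"^ set peer (\S+)"),
    }

def mismatches(cfg_a, wan_a, cfg_b, wan_b):
    # Reasons the A<->B tunnel would not establish; empty list means consistent.
    a, b, out = parse(cfg_a), parse(cfg_b), []
    if a["acl"] != b["acl"][::-1]:
        out.append("crypto ACLs are not mirror images")
    for field in ("policy", "psk", "transform"):
        if a[field] != b[field]:
            out.append(f"{field} differs")
    if {a["peer"], a["key_peer"]} != {(wan_b,)} or {b["peer"], b["key_peer"]} != {(wan_a,)}:
        out.append("peer address does not point at the other router")
    return out

# Constructed from the lab's addressing table: R1 S0/0/0 10.1.1.1, R2 S0/0/1 10.2.2.2.
R1 = render("192.168.1.0", "192.168.2.0", "10.2.2.2", "Serial0/0/0")
R2 = render("192.168.2.0", "192.168.1.0", "10.1.1.1", "Serial0/0/1")
```

`mismatches(R1, "10.1.1.1", R2, "10.2.2.2")` returns an empty list for the lab's values; pointing either side at R3's 10.1.1.2 instead of the far-end router is reported as a peer address error.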