Just another Cisco blog
Posts tagged IPSEC
Great MPLS and BGP Lab
Oct 12th
I got this over at Networking-Forum.com, a member named Fred created it, he was even kind enough to provide the Visio diagram, IP scheme spreadsheet and, most importantly, the .net file for Dynagen/GNS3. I spent a lot of my Saturday working on this beast. I thought I should share it here as it is great practice for MPLS VPNs and BGP along with some OSPF, NAT, IPSEC and GRE exposure.
(click image for fullsize)
Internet
* The two Internet routers should serve as transit AS’s. No other routers should permit transit traffic.
* Internet sites (modeled by loopbacks) should be accessible by all lan IP’s.
PeerIX Project
Sep 16th
What is PeerIX:
PeerIX is a project a bunch of other nerds and I are working on. Most of us know each other from HardForum and/or Networking-Forum. The idea is to develop a functional “mini-internet” to learn and gain experience with enterprise and service provider technologies.
What are the requirements?
A network device that supports IPsec, GRE and BGP. Other routing protocols may be considered but will be “corner case” as the core will be eBGP.
What devices work?
Cisco routers
Vyatta
Currently most Cisco routers will work permitted that you are running an IOS that supports the core technologies above.
You can use the IOS feature navigator to verify if your IOS/device supports the required features.
What technologies are you talking about?
The sky is the limit here, but the main core technologies are IPSec, GRE and BGP. Right now we have limited things going on within this network but eventually the hope is to grow it much larger with more services.
GRE/IPSEC Tutorial
Aug 26th
In this article we will configure GRE/IPSEC tunnels. These are used in cases where there is a desire to run routing protocols across a VPN connection. This article is useful for CCNP (ISCW) and CCSP studies.
First we will create our ISAKMP Policy, then we will create a key and associate it with a peer, next we build our Transform Set, then the ACL with traffic to be encrypted, followed by the Crypto Map and finally to the Tunnel interface configuration.
Here’s our ISAKMP Policy:
crypto isakmp policy 10 encr aes 256 authentication pre-share group 5 |
We set the encryption to an AES 256 bit key, use pre-shared authentication (keys) and Diffie-Hellman Group 5.
Next we create a key and associate it with a peer:
crypto isakmp key Sup3rS3cr3tK3y address 5.5.5.5 |
Now we build the Transform Set:
crypto ipsec transform-set secure_transform esp-aes esp-sha-hmac |
Next we make our ACL:
ip access-list extended GRE_IPSEC_TRAFFIC permit gre host 4.4.4.4 host 5.5.5.5 |
This is catching GRE traffic from 4.4.4.4 (us, the source) to 5.5.5.5 (our peer, the destination).
Recent Comments