Posts tagged IPSEC
I got this over at Networking-Forum.com. A member named Fred created it, and he was even kind enough to provide the Visio diagram, the IP scheme spreadsheet and, most importantly, the .net file for Dynagen/GNS3. I spent a lot of my Saturday working on this beast. I thought I should share it here, as it is great practice for MPLS VPNs and BGP, along with some OSPF, NAT, IPSEC and GRE exposure.
* The two Internet routers should serve as transit ASes. No other routers should permit transit traffic.
* Internet sites (modeled by loopbacks) should be reachable from all LAN IPs.
What is PeerIX:
PeerIX is a project a bunch of other nerds and I are working on. Most of us know each other from HardForum and/or Networking-Forum. The idea is to develop a functional “mini-internet” to learn and gain experience with enterprise and service provider technologies.
What are the requirements?
A network device that supports IPsec, GRE and BGP. Other routing protocols may be considered but will be “corner case” as the core will be eBGP.
What devices work?
Currently, most Cisco routers will work, provided that you are running an IOS that supports the core technologies above.
You can use the IOS feature navigator to verify if your IOS/device supports the required features.
What technologies are you talking about?
The sky is the limit here, but the main core technologies are IPSec, GRE and BGP. Right now we have limited things going on within this network but eventually the hope is to grow it much larger with more services.
In this article we will configure GRE/IPSEC tunnels. These are used in cases where there is a desire to run routing protocols across a VPN connection. This article is useful for CCNP (ISCW) and CCSP studies.
First we will create our ISAKMP Policy, then we will create a key and associate it with a peer, next we build our Transform Set, then the ACL with traffic to be encrypted, followed by the Crypto Map and finally to the Tunnel interface configuration.
Here’s our ISAKMP Policy:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
We set the encryption to AES with a 256-bit key, use pre-shared key authentication and Diffie-Hellman group 5.
Next we create a key and associate it with a peer:
crypto isakmp key Sup3rS3cr3tK3y address 18.104.22.168
Now we build the Transform Set:
crypto ipsec transform-set secure_transform esp-aes esp-sha-hmac
Next we make our ACL:
ip access-list extended GRE_IPSEC_TRAFFIC
 permit gre host 22.214.171.124 host 126.96.36.199
This is catching GRE traffic from 188.8.131.52 (us, the source) to 184.108.40.206 (our peer, the destination).
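Below is a complete one-router configuration that walks through all six steps named at the start of the article (ISAKMP policy, key, transform set, ACL, crypto map, tunnel interface). It is an added example, not configuration from the article or from PeerIX: the crypto map and tunnel interface sections are written from standard IOS syntax rather than copied from the page, the addresses are RFC 5737 documentation ranges chosen for the example (WAN 198.51.100.1 and 203.0.113.2, tunnel 10.0.0.0/30, LAN 192.168.1.0/24), and the interface names, the crypto map name GRE_IPSEC_MAP and the pre-shared key placeholder are all assumptions.

```cisco
! Router A. All addresses are RFC 5737 documentation ranges chosen for this example.
! WAN: 198.51.100.1   peer WAN: 203.0.113.2   LAN: 192.168.1.0/24   tunnel: 10.0.0.0/30
!
! Step 1: ISAKMP (IKEv1 phase 1) policy, same parameters as in the article
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
! Step 2: pre-shared key bound to the peer's WAN address (placeholder, replace before use)
crypto isakmp key REPLACE_WITH_LONG_RANDOM_PSK address 203.0.113.2
!
! Step 3: transform set (phase 2). Transport mode is enough here because the GRE
! header already carries an outer IP header; drop the mode line to keep tunnel mode.
crypto ipsec transform-set secure_transform esp-aes esp-sha-hmac
 mode transport
!
! Step 4: interesting traffic, only the GRE packets between the two tunnel endpoints
ip access-list extended GRE_IPSEC_TRAFFIC
 permit gre host 198.51.100.1 host 203.0.113.2
!
! Step 5: the crypto map ties peer, transform set and ACL together
crypto map GRE_IPSEC_MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set secure_transform
 match address GRE_IPSEC_TRAFFIC
!
! Step 6: the GRE tunnel carries the routing protocol; its source and destination
! must be exactly the hosts named in the ACL above
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
!
! The crypto map is applied to the physical WAN interface, not to the tunnel
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map GRE_IPSEC_MAP
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
! Running a routing protocol across the tunnel is the reason for GRE over IPsec
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Router B mirrors this with the addresses swapped:
!   crypto isakmp key ... address 198.51.100.1
!   permit gre host 203.0.113.2 host 198.51.100.1
!   set peer 198.51.100.1
!   tunnel source 203.0.113.2 / tunnel destination 198.51.100.1
!   Tunnel0 ip address 10.0.0.2 255.255.255.252
```

After both sides are configured, `show crypto isakmp sa` should show the peer in the QM_IDLE state and `show crypto ipsec sa` should show the encaps/decaps counters climbing as OSPF hellos cross the tunnel. The check that matters most is that the tunnel source and destination match the crypto ACL exactly: if they do not, the crypto map never triggers and the GRE traffic leaves the WAN interface unencrypted with no error message. Two parameters from the article are worth revisiting on newer images: Cisco's Next Generation Encryption guidance classes Diffie-Hellman group 5 as legacy (group 14 or the ECDH groups 19/20 are preferred), and `esp-sha256-hmac` replaces the SHA-1 based `esp-sha-hmac` where the IOS image supports it.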