Monday, February 1, 2010

Basic LAN to LAN IPsec tunnel between two routers

Here's a simple lab to set up a LAN-to-LAN IPsec tunnel. The "LANs" we'll be connecting are two loopback interfaces, 1.1.1.1/24 on R1 and 3.3.3.3/24 on R3. Here's our topology:
Here's a breakdown of the tasks we have to do in order to accomplish this:
1-Define the ISAKMP policy and pre-shared key.
2-Define the IPsec transform set.
3-Create an ACL for our "interesting" traffic.
4-Create a crypto map.
5-Apply the crypto map to an interface.
6-Test!

When configuring IPsec it's a good idea to write the configuration in Notepad first, so you can then copy and paste it into the devices as required. The configuration steps below are for R1; for R3 they are exactly the same except for the peer address, and the ACL will be an exact mirror of the one on R1. The commands are entered in config mode.

1-ISAKMP policy
crypto isakmp key 0 key address 23.23.23.3

crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 3600


2-IPsec transform set
crypto ipsec transform-set TS esp-seal esp-sha-hmac
mode tunnel


3-ACL
access-list 103 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

4-Crypto map
crypto map CMAP 10 ipsec-isakmp
set transform-set TS
set peer 23.23.23.3
match address 103


5-Apply crypto map
R1(config)#int FastEthernet 1/0
R1(config-if)#crypto map CMAP
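Since the R3 side is the R1 side with the peer address swapped and the ACL reversed, the easiest way to avoid a typo in one of the two copies is to generate both from one set of parameters and check that they mirror each other before pasting. The script below is an added example, not part of the original post: it renders the five configuration steps above for each router and then verifies the two things IKE and IPsec actually require to agree (each side's peer address and pre-shared key point at the other, and the crypto ACLs are exact reverses). R1's WAN address (12.12.12.1) and R3's WAN interface (FastEthernet 0/0) are not given on the page and are assumed here; everything else comes from the lab. The algorithm choices live in one dictionary, so the same generator can emit aes/sha256/group 14 instead of the des/sha/group 2 used in the lab.

```python
"""Generate both sides of the LAN-to-LAN IPsec lab configuration and check
that they mirror each other. Added example; not the post's own config.
Assumed (not on the page): R1's WAN address and R3's WAN interface."""

from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Site:
    hostname: str
    wan_ip: str        # address the other side peers with; crypto map goes on wan_if
    wan_if: str        # interface facing the peer
    lan_net: str       # protected LAN, network part (IOS ACL notation)
    lan_wildcard: str  # protected LAN, wildcard mask


# Lab values. R1's WAN address and R3's WAN interface are assumptions.
R1 = Site("R1", "12.12.12.1", "FastEthernet 1/0", "1.1.1.0", "0.0.0.255")
R3 = Site("R3", "23.23.23.3", "FastEthernet 0/0", "3.3.3.0", "0.0.0.255")

# One parameter set feeds both routers so the Phase 1 policy and the
# transform set cannot drift apart. These are the lab's values; swap in
# e.g. "aes 256" / "sha256" / group 14 to try a stronger proposal.
PARAMS = {
    "psk": "key",
    "policy": 10,
    "encryption": "des",
    "hash": "sha",
    "group": 2,
    "lifetime": 3600,
    "ts_name": "TS",
    "transform": "esp-seal esp-sha-hmac",
    "acl": 103,
    "map_name": "CMAP",
    "map_seq": 10,
}


def render_config(local: Site, remote: Site, p: dict = PARAMS) -> str:
    """Render one router's side of the tunnel (steps 1 to 5 of the post).
    Only the peer address, the interface and the ACL direction differ."""
    lines = [
        f"! {local.hostname}",
        f"crypto isakmp key 0 {p['psk']} address {remote.wan_ip}",
        f"crypto isakmp policy {p['policy']}",
        " authentication pre-share",
        f" encryption {p['encryption']}",
        f" hash {p['hash']}",
        f" group {p['group']}",
        f" lifetime {p['lifetime']}",
        f"crypto ipsec transform-set {p['ts_name']} {p['transform']}",
        " mode tunnel",
        f"access-list {p['acl']} permit ip {local.lan_net} {local.lan_wildcard} "
        f"{remote.lan_net} {remote.lan_wildcard}",
        f"crypto map {p['map_name']} {p['map_seq']} ipsec-isakmp",
        f" set transform-set {p['ts_name']}",
        f" set peer {remote.wan_ip}",
        f" match address {p['acl']}",
        f"interface {local.wan_if}",
        f" crypto map {p['map_name']}",
    ]
    return "\n".join(lines) + "\n"


ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
PEER_RE = re.compile(r"^ set peer (\S+)$", re.M)
KEY_RE = re.compile(r"^crypto isakmp key 0 (\S+) address (\S+)$", re.M)


def acls_mirror(cfg_a: str, cfg_b: str) -> bool:
    """Each crypto ACL entry on one side must appear with source and
    destination swapped on the other; otherwise Phase 2 fails because the
    proxy identities do not match."""
    a = ACL_RE.findall(cfg_a)
    b = ACL_RE.findall(cfg_b)
    if len(a) != len(b):
        return False
    reversed_b = {(num, dn, dw, sn, sw) for (num, sn, sw, dn, dw) in b}
    return set(a) == reversed_b


def peers_consistent(cfg_a: str, a: Site, cfg_b: str, b: Site) -> bool:
    """'set peer' and the pre-shared key's address must each name the other
    side's WAN address, and both sides must carry the same PSK."""
    key_a, key_b = KEY_RE.search(cfg_a), KEY_RE.search(cfg_b)
    if key_a is None or key_b is None:
        return False
    return (PEER_RE.findall(cfg_a) == [b.wan_ip]
            and PEER_RE.findall(cfg_b) == [a.wan_ip]
            and key_a.group(2) == b.wan_ip and key_b.group(2) == a.wan_ip
            and key_a.group(1) == key_b.group(1))


if __name__ == "__main__":
    r1_cfg, r3_cfg = render_config(R1, R3), render_config(R3, R1)
    print(r1_cfg)
    print(r3_cfg)
    print("ACLs mirror:", acls_mirror(r1_cfg, r3_cfg))
    print("Peers/PSK consistent:", peers_consistent(r1_cfg, R1, r3_cfg, R3))
```

Run it and paste the two printed blocks into R1 and R3 respectively; the checks at the end catch the classic mistakes of copying the ACL unchanged or leaving the peer pointed at the wrong address. Once the traffic in step 6 has brought the tunnel up, `show crypto isakmp sa` and `show crypto ipsec sa` on either router confirm that the Phase 1 and Phase 2 SAs exist.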

6-Test the configuration!
To establish the IPsec tunnel there must be interesting traffic; in this case we'll ping from 1.1.1.1 to 3.3.3.3. I'll have R3 running ISAKMP and IPsec debugging. The result should look like this on R1:

R1#ping 3.3.3.3 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 92/100/108 ms

The first echo is lost while the SAs are being negotiated, which is why 4 of 5 succeed. On R3 you should see the negotiation and the SAs being created in the debug output.