VPN site-to-site Packet Tracer 5.3 lab
Created by Yasser Ramzy Auda, CCIE R&S #45694, CCSI #34215, CCNP Security, on 19-Dec-2010 12:22. Last modified by Yasser Ramzy Auda, CCIE R&S #45694, CCSI #34215, CCNP Security, on 19-Dec-2010 12:42.
First of all, you need to study the concepts of IPsec, VPN types and cryptology well before you read this document.
It just shows you how to type the right commands on both routers using Packet Tracer 5.3.
We will have the following topology:
Note that you will set a static route between the two routers, while in real life both would be connected through ISPs.
For Router 1 we will type the following commands:
Router(config)#crypto isakmp enable <=== enable ISAKMP (IKE) for IPsec
Router(config)#crypto isakmp policy 1 <=== create a new ISAKMP policy with number (priority) 1
Router(config-isakmp)#authentication pre-share <=== use the pre-shared key authentication method (if you use certificates, use rsa-sig instead of pre-share)
Router(config-isakmp)#encryption aes <=== use the symmetric encryption algorithm AES
Router(config-isakmp)#hash sha <=== use the hash algorithm SHA for data integrity
Router(config-isakmp)#group 2 <=== use Diffie-Hellman group 2
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 0 address 11.0.0.1 0.0.0.0 <=== 0 is the key that will be used with the next site, whose IP address is 11.0.0.1; note that on Packet Tracer you use 0.0.0.0 instead of the subnet mask
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac <=== create a transform set called yasser; ESP is the protocol that will be used (you can use AH on an internal VPN)
Router(config)#crypto ipsec security-association lifetime seconds 86400 <=== the keys expire after 86400 seconds
Router(config)#ip access-list extended ramzy <=== an ACL called ramzy to tell which traffic will use the VPN tunnel
Router(config-ext-nacl)#permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp <=== create a crypto map called auda with sequence number 100
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy <=== link the above ACL to this crypto map
Router(config-crypto-map)#set peer 11.0.0.1 <=== link the next site's IP address to this crypto map
Router(config-crypto-map)#set pfs group2 <=== link DH group 2 (PFS) to this crypto map
Router(config-crypto-map)#set transform-set yasser <=== link the above transform set to this crypto map
Router(config-crypto-map)#ex
Router(config)#int fa 0/1 <=== apply crypto map auda to the interface facing the next site link
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#do wr
Building configuration...
[OK]
Router(config-if)#^Z
Router#
For Router 0 we will type the following commands:
Router(config)#crypto isakmp enable
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption aes
Router(config-isakmp)#group 2
Router(config-isakmp)#hash sha
Router(config-isakmp)#exit
https://learningnetwork.cisco.com/docs/DOC10756
1/5
04/10/2015
VPN site to site packet tracer 5.3 lab The Cisco Learning Network
Router(config)#crypto isakmp key 0 address 11.0.0.2 0.0.0.0
Router(config)#crypto ipsec transform-set yasser esp-aes esp-sha-hmac
Router(config)#crypto ipsec security-association lifetime seconds 86400
Router(config)#ip access-list extended ramzy
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 12.0.0.0 0.255.255.255
Router(config-ext-nacl)#exit
Router(config)#crypto map auda 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)#match address ramzy
Router(config-crypto-map)#set peer 11.0.0.2
Router(config-crypto-map)#set pfs group2
Router(config-crypto-map)#set transform-set yasser
Router(config-crypto-map)#exit
Router(config)#interface fastEthernet 0/1
Router(config-if)#crypto map auda
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#exit
Router(config)#do wr
Building configuration...
[OK]
Router(config)#
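As an added check (not part of the original lab), the following Python script parses the two routers' configurations, written as IOS prints them, and reports anything that would stop phase 1 or phase 2 from negotiating: the ISAKMP policy, transform set and PFS group must match, each router's pre-shared key must be bound to the address it peers with, and the two proxy ACLs must be mirror images. The configs below are constructed from the lab; KEY_PLACEHOLDER stands in for a real key and is not the lab's value.

```python
import re

# Constructed sample configs for the lab's two routers, written the way IOS prints
# them (the PDF dropped the hyphens). KEY_PLACEHOLDER stands in for the real key.
R1 = """crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key KEY_PLACEHOLDER address 11.0.0.1
crypto ipsec transform-set yasser esp-aes esp-sha-hmac
ip access-list extended ramzy
 permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
crypto map auda 100 ipsec-isakmp
 set peer 11.0.0.1
 set pfs group2
"""
# Router 0 is the mirror image: it peers with the other WAN address, ACL reversed.
R0 = R1.replace("11.0.0.1", "11.0.0.2").replace(
    "12.0.0.0 0.255.255.255 10.0.0.0", "10.0.0.0 0.255.255.255 12.0.0.0")

# Settings both peers must agree on: IKE phase 1 policy, phase 2 proposal, PFS group.
MUST_MATCH = {"encr": r"^ encr(?:yption)? (\S+)", "hash": r"^ hash (\S+)",
              "auth": r"^ authentication (\S+)", "group": r"^ group (\S+)",
              "transform": r"^crypto ipsec transform-set \S+ (.+)$", "pfs": r"^ set pfs (\S+)"}

def field(cfg, pattern):
    """Group 1 of the first config line matching pattern, or None if absent."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    """Extract the tunnel-defining fields from one router's IOS config text."""
    d = {k: field(cfg, p) for k, p in MUST_MATCH.items()}
    d["key_peer"] = field(cfg, r"^crypto isakmp key \S+ address (\S+)")
    d["peer"] = field(cfg, r"^ set peer (\S+)")
    acl = re.search(r"^ permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M)
    d["src"], d["dst"] = (acl.group(1), acl.group(2)) if acl else (None, None)
    return d

def mismatches(cfg_a, cfg_b):
    """List the inconsistencies that would keep phase 1 or phase 2 from negotiating."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = [f"{k} differs: {a[k]} vs {b[k]}" for k in MUST_MATCH if a[k] != b[k]]
    for name, p in (("A", a), ("B", b)):
        if p["key_peer"] != p["peer"]:  # the key must be bound to the address we peer with
            problems.append(f"{name}: key address {p['key_peer']} != peer {p['peer']}")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):  # proxy ACLs must mirror each other
        problems.append("proxy ACLs are not mirror images")
    return problems
```

Running `mismatches(R1, R0)` on the lab pair returns an empty list; feeding it the same config twice reports that the proxy ACLs are not mirror images.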
Now let's go to Router 0 and do some show commands:
Router#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Router#
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
11.0.0.1        11.0.0.2        QM_IDLE           1062    0 ACTIVE

IPv6 Crypto ISAKMP SA
Router#
Router#show crypto map
Crypto Map auda 100 ipsec-isakmp
        Peer = 11.0.0.1
        Extended IP access list ramzy
            access-list ramzy permit ip 12.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
        Current peer: 11.0.0.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): Y
        Transform sets={
                yasser,
        }
        Interfaces using crypto map auda:
                FastEthernet0/1
Router#
Router#sh crypto ipsec transform-set
Transform set yasser: { esp-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },
Router#
Now let's make PC0 ping PC1, so that interesting traffic brings the tunnel up, and then look at the IPsec SAs:
Router#show crypto ipsec sa
interface: FastEthernet0/1
    Crypto map tag: auda, local addr 11.0.0.2
   local crypto endpt.: 11.0.0.2, remote crypto endpt.: 11.0.0.1
   path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
   current outbound spi: 0x12D96D50(316239184)
     inbound esp sas:
      spi: 0x590D14F4(1494029556)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:1, crypto map: auda
        sa timing: remaining key lifetime (k/sec): (4525504/86170)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x12D96D50(316239184)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: FPGA:1, crypto map: auda
        sa timing: remaining key lifetime (k/sec): (4525504/86170)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE
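As an added example (not from the lab), this Python script reads the two show outputs above, as IOS prints them, and flags what a defender checks after bringing a tunnel up: a phase 1 SA that is missing or marked (deleted), as in one of the comments below, an ESP SA that is not ACTIVE, and the "replay detection support: N" that Packet Tracer reports. The samples are constructed from the page's output, trimmed to the fields the checks use.

```python
import re

# Constructed from the lab's show output (with the hyphens and layout IOS actually prints).
ISAKMP_SA = """dst             src             state          conn-id slot status
11.0.0.1        11.0.0.2        QM_IDLE           1062    0 ACTIVE
"""
IPSEC_SA = """interface: FastEthernet0/1
     inbound esp sas:
      spi: 0x590D14F4(1494029556)
        replay detection support: N
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x12D96D50(316239184)
        replay detection support: N
        Status: ACTIVE
"""

def grab(pattern, block):
    """Group 1 of the first match in block, or None."""
    m = re.search(pattern, block)
    return m.group(1) if m else None

def isakmp_peers(text):
    """Map each peer (dst column of show crypto isakmp sa) to its (state, status)."""
    row = r"^(\d+(?:\.\d+){3})\s+\d+(?:\.\d+){3}\s+(\S+)\s+\d+\s+\d+\s+(.+?)\s*$"
    return {dst: (state, status) for dst, state, status in re.findall(row, text, re.M)}

def esp_sas(text):
    """Per direction: SPI, Status and replay-detection flag of the ESP SA."""
    section = r"(inbound|outbound) esp sas:(.*?)(?=\n\s*(?:inbound|outbound) |\Z)"
    return {d: {"spi": grab(r"spi: (0x[0-9A-Fa-f]+)", b), "status": grab(r"Status: (\S+)", b),
                "replay": grab(r"replay detection support: (\S)", b)}
            for d, b in re.findall(section, text, re.S)}

def tunnel_problems(isakmp_text, ipsec_text, peer):
    """Checklist: phase 1 ACTIVE and not (deleted), both ESP SAs ACTIVE, anti-replay on."""
    state, status = isakmp_peers(isakmp_text).get(peer, (None, "no SA"))
    problems = []
    if (state, status) != ("QM_IDLE", "ACTIVE"):
        problems.append(f"phase 1 to {peer}: {state} {status}")
    sas = esp_sas(ipsec_text)
    for d in ("inbound", "outbound"):
        sa = sas.get(d)
        if not sa or sa["status"] != "ACTIVE":
            problems.append(f"{d} ESP SA not active")
        elif sa["replay"] != "Y":  # Packet Tracer shows N; real IOS defaults to Y
            problems.append(f"{d} ESP SA ({sa['spi']}) has anti-replay disabled")
    return problems
```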
8 Comments
sami 24-Nov-2012 22:12
Thank you Mr. Yasser .. ^__^ ..
ChristianQuiroga 01-Mar-2013 08:58
Thanks
hpardo1987 07-Apr-2013 05:05
I tried using these same settings (different IPs) with a 2811 in the middle acting as the internet, made sure I could ping all the way through using NAT overload to all the public-facing IPs, but not to where I could ping the private IPs of the other network. I tried to build the tunnel but my phase 1 ISAKMP tunnel won't build its SA peer..... I followed your configs exactly with adjustments for my IPs... will this not work on Packet Tracer with another router acting as a cloud? If anyone wants to try and help me out I can email them the saved file from Packet Tracer.
Rahul 03-Jun-2014 09:53
Hi,
I am entering the IPsec command "Router(config)#crypto ipsec transform-set OES esp-aes esp-sha-hmac"
but it takes me into a subcategory "Router(cfg-crypto-trans)#".
This is happening on a Cisco 2911,
but when I use this command on Packet Tracer I don't get it.
Am I doing something wrong?
NetwrkRyan 03-Nov-2014 09:40
Good work!
danisimanjuntak 30-Mar-2015 21:19
Good job!
ganesh 19-Apr-2015 08:05
Sir, when I give the command show crypto isakmp sa
Router#sh cr is sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
11.0.0.2        11.0.0.1        QM_IDLE           1044    0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
and I am not able to ping the other PC.
CARLOS 27-May-2015 16:47
Great Work!!!