
R1
! R1: LAN on Fa0/0 (192.168.101.0/24), WAN link to the ISP on S0/0 (101.1.1.0/24).
interface fastEthernet 0/0
no shutdown
ip add 192.168.101.1 255.255.255.0
no shutdown
int s0/0
no shutdown
ip add 101.1.1.100 255.255.255.0
no shutdown
! Default route toward the ISP's S0/0 address (101.1.1.1); the peer's public address,
! the 192.168.105.0/24 network and the SCEP enrollment URL are all reached this way.
! No inbound filtering is shown on S0/0 — only traffic routed into Tunnel0 (configured
! later in this transcript) is protected by IPsec.
ip route 0.0.0.0 0.0.0.0 101.1.1.1
! ISP (the label and its first command share this line in the transcript): hub router with
! S0/0 to R1 (101.1.1.0/24), S0/1 to R2 (102.1.1.0/24) and Fa0/0 on 192.168.105.0/24,
! the network where the CA/SCEP server (192.168.105.100, see the enrollment URL below) sits.
ISP interface s0/0
no shutdown
ip add 101.1.1.1 255.255.255.0
no shutdown
int s0/1
no shutdown
ip add 102.1.1.1 255.255.255.0
no shutdown
int f0/0
no shutdown
ip add 192.168.105.1 255.255.255.0
no shutdown
R2
! R2: LAN on Fa0/0 (192.168.102.0/24), WAN link to the ISP on S0/1 side (102.1.1.0/24).
interface fastEthernet 0/0
no shutdown
ip add 192.168.102.1 255.255.255.0
no shutdown
int s0/0
no shutdown
ip add 102.1.1.100 255.255.255.0
no shutdown
! Default route toward the ISP's S0/1 address (102.1.1.1), mirroring R1's configuration.
ip route 0.0.0.0 0.0.0.0 102.1.1.1
R1
R1# ping 192.168.101.1
#Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.101.1,
#timeout is 2 seconds: !!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1#ping 192.168.105.100
#Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.105.100, timeout is 2 seconds:
#.!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 8/14/24 ms
R1# ping 102.1.1.100
#Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 102.1.1.100, timeout is 2 seconds:
#!!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 4/18/44 ms
R2
R2# ping 192.168.102.1
#Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.102.1,
#timeout is 2 seconds: !!!!!
#Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2#ping 192.168.105.100
#Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.105.100, timeout is 2 seconds:
#!!!!! Success rate is 100 percent (5/5),
#round-trip min/avg/max = 8/12/20 ms
R2#ping 101.1.1.100
#Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 101.1.1.100,
#timeout is 2 seconds: !!!!!
#Success rate is 100 percent (5/5),
#round-trip min/avg/max = 1/14/44 ms
ISP
ISP#clock set 15:43:45 18 jan 2016
ISP(config)#ntp master
R1(config)# ntp server 101.1.1.1
R2(config)# ntp server 101.1.1.1
R1#sh clock
15:44:39.428 UTC Mon Jan 18 2016
R2#sh clock
15:44:43.644 UTC Mon Jan 18 2016
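R1
crypto ca trustpoint ttt
! SCEP enrollment URL on the CA host 192.168.105.100 (the /certsrv/mscep/mscep.dll path is
! Microsoft's SCEP service).
enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
! revocation-check none: peer certificates are accepted without any CRL/OCSP lookup, so a
! revoked certificate would still authenticate IKE. Acceptable for this lab; in production
! use revocation-check crl (or ocsp) and make sure the CDP shown in the certificates below
! (http://ca/CertEnroll/CA.crl) is resolvable and reachable from the routers.
revocation-check none
exit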
R1(config)# crypto ca authenticate ttt
#Certificate has the following attributes:
#Fingerprint MD5: C0952B98 E5B8A10A A233B5A6 48DEE923
#Fingerprint SHA1: D6238A4D CFC01F9F C2B23404 5E30B345 A7668E19
#% Do you accept this certificate? [yes/no]: yes
#Trustpoint CA certificate accepted.
R1(config)# crypto ca enroll ttt
#%
#% Start certificate enrollment ..
#% Create a challenge password.
#You will need to verbally provide this password
#to the CA Administrator in order to revoke your certificate.
#For security reasons your password will not be saved in the configuration.
#Please make a note of it. Password: 05287B6712D04F84
#Jan 18 15:45:48.729: RSA key size needs to be atleast 768 bits for ssh version 2
#Jan 18 15:45:48.741: %SSH-5-ENABLED: SSH 1.5 has been enabled
#Jan 18 15:45:48.745: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
#Re-enter password: 05287B6712D04F84
#% The subject name in the certificate will include: R1.lab.local
#% Include the router serial number in the subject name? [yes/no]: n
#% Include an IP address in the subject name? [no]: n
#Request certificate from CA? [yes/no]: yes
#% Certificate request sent to Certificate Authority
#% The 'show crypto ca certificate ttt verbose' commandwill show the fingerprint.
#R1(config)#
#Jan 18 15:46:45.774: CRYPTO_PKI: Certificate Request Fingerprint MD5: 9183CBF5 AAF82FA0 3988E942 A484CBFF
#Jan 18 15:46:45.782: CRYPTO_PKI: Certificate Request Fingerprint SHA1: F5C0FD62 DF75A859 E311818A AD8E1690 B54D6D6C
#R1(config)#
#Jan 18 15:46:48.098: %PKI-6-CERTRET: Certificate received from Certificate Authority
#Obtain OTP from

R1#sh crypto ca certificates Certificate Status:
#Available Certificate Serial Number: 0x6108AC93000000000004
#Certificate Usage: General Purpose Issuer: #cn=CA
#Subject: Name: R1.lab.local hostname=R1.lab.local CRL
#Distribution Points: http://ca/CertEnroll/CA.crl
#Validity Date: start date: 10:06:45 UTC Jan 18 2016
#end date: 10:16:45 UTC Jan 18 2017
#Associated Trustpoints: ttt
#CA Certificate Status: Available Certificate
#Serial Number: 0x7DF36B80B94A57814E744D2283267CA4
#Certificate Usage: Signature Issuer: cn=CA
#Subject: cn=CA CRL
#Distribution Points: http://ca/CertEnroll/CA.crl
#Validity Date: start date: 09:45:09 UTC Jan 18 2016
#end date: 09:54:59 UTC Jan 18 2021
#Associated Trustpoints: ttt
R2
crypto ca trustpoint ttt
enrollment url http://192.168.105.100/certsrv/mscep/mscep.dll
revocation-check none
exit
R2(config)#crypto ca authenticate ttt
#Certificate has the following attributes:
#Fingerprint MD5: C0952B98 E5B8A10A A233B5A6 48DEE923
#Fingerprint SHA1: D6238A4D CFC01F9F C2B23404 5E30B345 A7668E19
#% Do you accept this certificate? [yes/no]: yes
#Trustpoint CA certificate accepted.
R2(config)#crypto ca enroll ttt
#%
#% Start certificate enrollment ..
#% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.
#For security reasons your password will not be saved in the configuration.
#Please make a note of it. Password:
#Jan 18 15:54:14.652: RSA key size needs to be atleast 768 bits for ssh version 2
#Jan 18 15:54:14.660: %SSH-5-ENABLED: SSH 1.5 has been enabled
#Jan 18 15:54:14.664: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
#Re-enter password:
#% The subject name in the certificate will include: R2.lab.local
#% Include the router serial number in the subject name? [yes/no]: n
#% Include an IP address in the subject name? [no]: n
#Request certificate from CA? [yes/no]: yes
#% Certificate request sent to Certificate Authority
#% The 'show crypto ca certificate ttt verbose' commandwill show the fingerprint.
#R2(config)#
#Jan 18 15:54:36.721: CRYPTO_PKI: Certificate Request Fingerprint MD5: 9059692A 18DB2D9A 8E6BA1D0 E7C91B2D
#Jan 18 15:54:36.729: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 532D69C7 3220722D B82FA9A0 1BC02403 8B78A018
#R2(config)#
#Jan 18 15:54:39.025: %PKI-6-CERTRET: Certificate received from Certificate Authority
#R2#sh crypto ca certificates
#Certificate Status: Available
#Certificate Serial Number: 0x610FDC04000000000005
#Certificate Usage: General Purpose
#Issuer cn=CA
#Subject: Name: R2.lab.local hostname=R2.lab.local CRL
#Distribution Points: http://ca/CertEnroll/CA.crl
#Validity Date: start date: 10:14:36 UTC Jan 18 2016
#end date: 10:24:36 UTC Jan 18 2017
#Associated Trustpoints: ttt
#CA Certificate
#Status: Available
#Certificate Serial Number: 0x7DF36B80B94A57814E744D2283267CA4
#Certificate Usage: Signature
#Issuer: cn=CA Subject: cn=CA CRL
#Distribution Points: http://ca/CertEnroll/CA.crl
#Validity Date: start date: 09:45:09 UTC Jan 18 2016
#end date: 09:54:59 UTC Jan 18 2021
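#Associated Trustpoints: ttt
R1
! IKEv1 phase 1 policy: certificate (rsa-sig) authentication through trustpoint ttt,
! AES encryption, SHA-1 integrity, DH group 5, 1800-second SA lifetime. R2 must match.
! NOTE(review): rsa-sig is only as strong as the enrolled keys and the trustpoint's
! validation. The enrollment logs above show %CRYPTO-6-AUTOGEN producing a 512-bit RSA
! key pair, and trustpoint ttt was configured with revocation-check none. Beyond a lab,
! generate a 2048-bit or larger key with crypto key generate rsa before enrolling, and
! enable revocation checking. DH group 5 and SHA-1 are dated choices as well; prefer a
! larger group and SHA-2 on both peers where the platform supports it.
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
exit
! IPsec transform set: ESP with AES encryption and SHA-1 HMAC, tunnel mode.
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
exit
! The profile ties the transform set to the VTI below.
crypto ipsec profile shiva
set transform-set t-set
! Tunnel0 is a route-based IPsec VTI (tunnel mode ipsec ipv4): whatever is routed into it
! is encrypted — the SA output below shows 0.0.0.0/0 proxy identities on both sides.
! Tunnel endpoints are the serial WAN addresses (101.1.1.100 <-> 102.1.1.100).
int t0
ip add 192.168.1.1 255.255.255.0
tunnel source serial 0/0
tunnel destination 102.1.1.100
tunnel mode ipsec ipv4
tunnel protection ipsec profile shiva
R2
! Mirror of R1's phase 1 / phase 2 settings.
crypto isakmp policy 1
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 1800
exit
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
mode tunnel
exit
crypto ipsec profile shiva
set transform-set t-set
int t0
ip add 192.168.1.2 255.255.255.0
tunnel source s0/0
tunnel destination 101.1.1.100
tunnel mode ipsec ipv4
tunnel protection ipsec profile shiva
! OSPF 100 area 0 on the tunnel and on the LAN interface of each router, so each LAN is
! learned through Tunnel0 (sh ip ospf neighbor below shows the adjacency in FULL state).
R1
int t0
ip ospf 100 area 0
int f0/0
ip ospf 100 area 0
R2
int t0
ip ospf 100 area 0
int f0/0
ip ospf 100 area 0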
#R1#sh ip ospf neighbor
#Neighbor ID Pri State Dead Time Address Interface 192.168.102.1 0 FULL/ - 00:00:39 192.168.1.2 Tunnel0
#R1#sh ip route ospf
#O 192.168.102.0/24 [110/11121] via 192.168.1.2, 00:00:08, Tunnel0
#R2#sh ip route ospf
#O 192.168.101.0/24 [110/11121] via 192.168.1.1, 00:00:52, Tunnel0
#R2#sh ip ospf neighbor
#Neighbor ID Pri State Dead Time Address Interface
#192.168.101.1 0 FULL/ - 00:00:38 192.168.1.1 Tunnel0
#R1
#R1#ping 192.168.102.1 source fastEthernet 0/0 repeat 100
#Type escape sequence to abort. Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.101.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100),
#round-trip min/avg/max = 40/54/72 ms
#R1#sh crypto ipsec sa
#interface: Tunnel0
#Crypto map tag: Tunnel0-head-0, local addr 101.1.1.100
#protected vrf: (none)
#local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#current_peer 102.1.1.100 port 500
#PERMIT, flags={origin_is_acl,}
#pkts encaps: 119, #pkts encrypt: 119, #pkts digest: 119
#pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
#local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
#path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
#current outbound spi: 0x3D1AA06C(1025155180)
#inbound esp sas:
#spi: 0xC5C37F5(207370229)
#transform: esp-aes esp-sha-hmac ,
#in use settings ={Tunnel, }
#conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
#sa timing: remaining key lifetime (k/sec): (4479465/3459)
#IV size: 16 bytes
#replay detection support: Y
#Status: ACTIVE
#inbound ah sas:
#inbound pcp sas:
#outbound esp sas:
#spi: 0x3D1AA06C(1025155180)
#transform: esp-aes esp-sha-hmac ,
#in use settings ={Tunnel, }
#conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
#sa timing: remaining key lifetime (k/sec): (4479464/3458)
#IV size: 16 bytes
#replay detection support: Y
#Status: ACTIVE
#outbound ah sas:
#outbound pcp sas:
#R1#sh crypto isakmp sa
#IPv4 Crypto ISAKMP SA
#dst src state conn-id slot status
#101.1.1.100 102.1.1.100 QM_IDLE 1001 0 ACTIVE
#IPv6 Crypto ISAKMP SA
#R2
#R2#ping 192.168.101.1 source fastEthernet 0/0 repeat 100
#Type escape sequence to abort. Sending 100, 100-byte ICMP Echos to 192.168.101.1,
#timeout is 2 seconds: Packet sent with a source address of 192.168.102.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100),
#round-trip min/avg/max = 44/54/72 ms
#R2#sh crypto isakmp sa
#IPv4 Crypto ISAKMP SA
#dst src state conn-id slot status
#101.1.1.100 102.1.1.100 QM_IDLE 1001 0 ACTIVE
#IPv6 Crypto ISAKMP SA
#R2#sh crypto ipsec sa
#interface: Tunnel0
#Crypto map tag: Tunnel0-head-0, local addr 102.1.1.100
#protected vrf: (none)
#local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#current_peer 101.1.1.100 port 500
#PERMIT, flags={origin_is_acl,}
#pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221
#pkts decaps: 223, #pkts decrypt: 223, #pkts verify: 223
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
#local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100
#path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
#current outbound spi: 0xC5C37F5(207370229)
#inbound esp sas:
#spi: 0x3D1AA06C(1025155180)
#transform: esp-aes esp-sha-hmac