How to Configure IOS Site-to-Site VPN With Self Signature

Jul 20, 2016 | VPN Free Study Material

IOS Site-to-Site VPN Configuration With Self Signature

This lab builds a GRE-over-IPsec tunnel between two IOS routers, R1 and R2, across an ISP router. IKE (ISAKMP) authenticates the peers with RSA key pairs that each router generates itself and that are copied to the other router by hand, so no certificate authority is involved. EIGRP then runs inside the protected tunnel to exchange the LAN routes. Addressing used throughout: R1 LAN 192.168.101.0/24 and WAN 101.1.1.100, R2 LAN 192.168.102.0/24 and WAN 102.1.1.100, tunnel subnet 192.168.1.0/24.

R1

interface fastEthernet 0/0
 ip address 192.168.101.1 255.255.255.0
 no shutdown
interface serial 0/0
 ip address 101.1.1.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 101.1.1.1

ISP

interface serial 0/0
 ip address 101.1.1.1 255.255.255.0
 no shutdown
interface serial 0/1
 ip address 102.1.1.1 255.255.255.0
 no shutdown


R2

interface fastEthernet 0/0
 ip address 192.168.102.1 255.255.255.0
 no shutdown
interface serial 0/0
 ip address 102.1.1.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 102.1.1.1

Before any crypto is configured, confirm that each router reaches its own LAN interface and the peer's WAN address through the ISP. IKE cannot negotiate across a path that does not forward plain IP between the two WAN addresses.

R1

R1#ping 192.168.101.1 
#Type escape sequence to abort. 
#Sending 5, 100-byte ICMP Echos to 192.168.101.1, 
#timeout is 2 seconds: !!!!! 
#Success rate is 100 percent (5/5), 
#round-trip min/avg/max = 4/4/8 ms
 
R1#ping 102.1.1.100 
#Type escape sequence to abort. 
#Sending 5, 100-byte ICMP Echos to 102.1.1.100, 
#timeout is 2 seconds: !!!!! 
#Success rate is 100 percent (5/5), 
#round-trip min/avg/max = 1/26/80 ms 

R2

R2#ping 192.168.102.1 
#Type escape sequence to abort. 
#Sending 5, 100-byte ICMP Echos to 192.168.102.1, 
#timeout is 2 seconds: !!!!! 
#Success rate is 100 percent (5/5), 
#round-trip min/avg/max = 4/4/4 ms
 
R2#ping 101.1.1.100 
#Type escape sequence to abort. 
#Sending 5, 100-byte ICMP Echos to 101.1.1.100, 
#timeout is 2 seconds: !!!!! 
#Success rate is 100 percent (5/5), 
#round-trip min/avg/max = 1/22/80 ms

Generate an RSA key pair on each router. IOS names the key after the hostname and domain name, so the domain name has to be set first. The lab accepts 1024 bits; outside a lab use 2048, the largest modulus this image offers and the smallest that current guidance considers acceptable for RSA (`crypto key generate rsa modulus 2048` sets it without the prompt). The `%SSH-5-ENABLED` message is a side effect: the same key pair enables the SSH server.

R1

R1(config)#ip domain-name trainonic.com 
R1(config)#crypto key generate rsa 
#The name for the keys will be: R1.trainonic.com 
#Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. 
#Choosing a key modulus greater than 512 may take a few minutes. 
#How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys, 
#keys will be non-exportable...[OK]
#R1(config)# *Mar 1 00:04:23.927: %SSH-5-ENABLED: SSH 1.99 has been enabled 

R2

R2(config)# ip domain-name trainonic.com 
R2(config)# crypto key generate rsa 
#The name for the keys will be: R2.trainonic.com 
#Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. 
#Choosing a key modulus greater than 512 may take a few minutes. 
#How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys, 
#keys will be non-exportable...[OK] 
#R2(config)# *Mar 1 00:05:14.555: %SSH-5-ENABLED: SSH 1.99 has been enabled 
Display the public key on each router and paste it into the other router's public-key chain, keyed by the peer's WAN address (the identity IKE will see). Only the general-purpose key is needed; the temporary `.server` key is the SSH server key and plays no part in IKE. The `$` at the start of the pasted lines is IOS scrolling a line that is wider than the terminal, not part of the key: the complete hex string has to be entered exactly as printed. Because this step is the whole trust decision for the tunnel, compare the key data (or a hash of it) over a channel you trust before relying on it; a wrong key pasted here means the tunnel authenticates whoever holds the matching private key.

R1

R1#sh crypto key mypubkey rsa
#% Key pair was generated at: 00:04:23 UTC Mar 1 2002
#Key name: R1.trainonic.com
#Storage Device: not specified
#Usage: General Purpose Key
#Key is not exportable.
#Key Data:
# 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DF7DAA
# 212F6F44 543AAB40 E03A913F 49000631 48940173 D75A76A1 D74B38A7 8AFEE09C
# C28650C7 A1BBE380 0DA3675D 5FD6A018 489170FD 5ADEB2E9 FB607244 9F02B3AA
# EF2A8C22 E5E047B8 DF368E50 D2A01315 DFFDA9CF 7B5A1E6B 1CAB073B 8842DCDC
# 150D30A7 AD6BBD00 5BF86918 EE825B87 DDE773EF 094741E0 F6F15E7E D9020301
# 0001
#% Key pair was generated at: 00:04:24 UTC Mar 1 2002
#Key name: R1.trainonic.com.server
#Temporary key
#Usage: Encryption Key
#Key is not exportable.
#Key Data:
# 307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B764CF B05FB0D6
# 6713AF6A 1B7A38AA A0A4E2C9 A1D154D2 4ADFA48F 7C892823 2A037ECA 0D2230FF
# 949AC6BE 9AEBBA52 741A7B7D 5C8910A4 1FA89950 C25A7D44 4895E5AD A161AEEF
# 2DC0D538 40ACDABA 9002CAEC DC3D2599 C5AA7862 742FA320 D1020301 0001

Copy the R1 public key and paste it on R2:

R2(config)#crypto key pubkey-chain rsa
R2(config-pubkey-chain)#addressed-key 101.1.1.100
R2(config-pubkey-key)#key-string
#Enter a public key as a hexidecimal number ....
R2(config-pubkey)#$64886F7 0D010101 05000381 8D003081 89028181 00DF7DAA
R2(config-pubkey)#$03A913F 49000631 48940173 D75A76A1 D74B38A7 8AFEE09C
R2(config-pubkey)#$DA3675D 5FD6A018 489170FD 5ADEB2E9 FB607244 9F02B3AA
R2(config-pubkey)#$F368E50 D2A01315 DFFDA9CF 7B5A1E6B 1CAB073B 8842DCDC
R2(config-pubkey)#$BF86918 EE825B87 DDE773EF 094741E0 F6F15E7E D9020301 0001
R2(config-pubkey)#quit
R2(config-pubkey-key)#end

R2

R2#sh crypto key mypubkey rsa
#% Key pair was generated at: 00:05:14 UTC Mar 1 2002
#Key name: R2.trainonic.com
#Storage Device: not specified
#Usage: General Purpose Key
#Key is not exportable.
#Key Data:
# 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C7A31E
# 9F401FA9 5CB3BE3A 27BB3A3B F895FAD5 CC0909E9 AFA11D7C FDB7B061 72EE198D
# E7212DA4 D820EA4C 659096DD 556709F9 E0C4B66A 67B2A09A BC76D6CE D0CAEF34
# 82509609 67A89017 095271DC 524EAACE 778A2A2F 531F1642 2949E51A 4FFAACDC
# BF544E0D 9F46F50F 699694AA 2E021938 669C62D9 A84A9218 71C8983E FB020301
# 0001
#% Key pair was generated at: 00:05:15 UTC Mar 1 2002
#Key name: R2.trainonic.com.server
#Temporary key
#Usage: Encryption Key
#Key is not exportable.
#Key Data:
# 307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DD569D 24CD32CD
# 79D32736 6882422A C6C3A3D5 48C01CE5 24C0D57C 6D0AFDD0 6104EFE4 3E550332
# 16D52BA9 1A705AAC 189C946E 45D76CD4 F849E2EB C9AD9712 15356DE4 B355D4B0
# 67BA1C92 CA95F625 1E76D4B2 F4BD5724 8619BCF7 243A36FF 57020301 0001

Copy the R2 public key and paste it on R1:

R1(config)#crypto key pubkey-chain rsa
R1(config-pubkey-chain)#addressed-key 102.1.1.100
R1(config-pubkey-key)#key-string
#Enter a public key as a hexidecimal number ....
R1(config-pubkey)#$64886F7 0D010101 05000381 8D003081 89028181 00C7A31E
R1(config-pubkey)#$7BB3A3B F895FAD5 CC0909E9 AFA11D7C FDB7B061 72EE198D
R1(config-pubkey)#$59096DD 556709F9 E0C4B66A 67B2A09A BC76D6CE D0CAEF34
R1(config-pubkey)#$95271DC 524EAACE 778A2A2F 531F1642 2949E51A 4FFAACDC
R1(config-pubkey)#$99694AA 2E021938 669C62D9 A84A9218 71C8983E FB020301 0001
R1(config-pubkey)#quit
R1(config-pubkey-key)#end
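Before trusting a key pasted under `addressed-key`, it helps to decode what IOS actually printed. The Python script below is an added example, not part of the original tutorial and not Cisco code: it decodes the hex Key Data (a DER-encoded SubjectPublicKeyInfo) with a minimal DER reader, reports modulus size, public exponent and a SHA-256 fingerprint, and compares two pastes byte for byte. The two sample keys are the R1 and R2 general-purpose keys shown above; the 2048-bit minimum in `meets_policy` is an assumed policy value, not something the page states.

```python
"""Decode the 'Key Data' hex from 'show crypto key mypubkey rsa' before trusting it on a peer.

Added example for this tutorial (not code from the original page or from Cisco).
IOS prints the public key as a DER-encoded SubjectPublicKeyInfo; a small DER
reader is enough to recover the modulus and exponent and to fingerprint the key.
The two sample keys are the R1 and R2 general-purpose keys shown on this page.
"""
import hashlib
import re

# Key Data exactly as printed by R1 and R2 above; whitespace is ignored when parsing.
R1_KEY_DATA = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DF7DAA
212F6F44 543AAB40 E03A913F 49000631 48940173 D75A76A1 D74B38A7 8AFEE09C
C28650C7 A1BBE380 0DA3675D 5FD6A018 489170FD 5ADEB2E9 FB607244 9F02B3AA
EF2A8C22 E5E047B8 DF368E50 D2A01315 DFFDA9CF 7B5A1E6B 1CAB073B 8842DCDC
150D30A7 AD6BBD00 5BF86918 EE825B87 DDE773EF 094741E0 F6F15E7E D9020301
0001
"""
R2_KEY_DATA = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C7A31E
9F401FA9 5CB3BE3A 27BB3A3B F895FAD5 CC0909E9 AFA11D7C FDB7B061 72EE198D
E7212DA4 D820EA4C 659096DD 556709F9 E0C4B66A 67B2A09A BC76D6CE D0CAEF34
82509609 67A89017 095271DC 524EAACE 778A2A2F 531F1642 2949E51A 4FFAACDC
BF544E0D 9F46F50F 699694AA 2E021938 669C62D9 A84A9218 71C8983E FB020301
0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the key data")
    return tag, buf[pos:pos + length], pos + length


def parse_ios_rsa_key(key_data):
    """Decode IOS Key Data hex into modulus, exponent, bit size and a SHA-256 fingerprint."""
    hexstr = "".join(key_data.split())
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexstr) or len(hexstr) % 2:
        raise ValueError("key data is not a whole number of hex bytes")
    der = bytes.fromhex(hexstr)

    tag, spki, end = _read_tlv(der, 0)            # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("key data is not exactly one SubjectPublicKeyInfo")
    tag, alg, pos = _read_tlv(spki, 0)            # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption public key")
    tag, bitstr, _ = _read_tlv(spki, pos)         # subjectPublicKey ::= BIT STRING
    if tag != 0x03 or bitstr[0] != 0x00:
        raise ValueError("unexpected BIT STRING (non-zero unused-bits byte)")
    tag, rsapub, _ = _read_tlv(bitstr, 1)         # RSAPublicKey ::= SEQUENCE { n, e }
    n_tag, n_bytes, pos = _read_tlv(rsapub, 0)
    e_tag, e_bytes, _ = _read_tlv(rsapub, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("unexpected RSAPublicKey structure")

    modulus = int.from_bytes(n_bytes, "big")
    return {
        "modulus": modulus,
        "exponent": int.from_bytes(e_bytes, "big"),
        "bits": modulus.bit_length(),
        # Hash of the DER bytes: the value to read out over a trusted channel before pasting.
        "fingerprint": hashlib.sha256(der).hexdigest(),
    }


def pasted_key_matches(local_key_data, pasted_key_data):
    """True when the hex pasted under 'addressed-key' is byte-for-byte the peer's own key."""
    return (parse_ios_rsa_key(local_key_data)["fingerprint"]
            == parse_ios_rsa_key(pasted_key_data)["fingerprint"])


def meets_policy(info, min_bits=2048, allowed_exponents=(65537,)):
    """Policy gate (assumed values): refuse short moduli and unusual exponents."""
    return info["bits"] >= min_bits and info["exponent"] in allowed_exponents


if __name__ == "__main__":
    for name, data in (("R1", R1_KEY_DATA), ("R2", R2_KEY_DATA)):
        info = parse_ios_rsa_key(data)
        print(f"{name}: RSA-{info['bits']} e={info['exponent']} "
              f"sha256={info['fingerprint']} policy_ok={meets_policy(info)}")
    print("R1's key pasted on R2 matches R1:", pasted_key_matches(R1_KEY_DATA, R1_KEY_DATA))
    print("R2's key mistaken for R1's:", pasted_key_matches(R1_KEY_DATA, R2_KEY_DATA))
```

Run against the page's own keys, both decode as RSA-1024 with exponent 65537, which is why `meets_policy` fails them at the assumed 2048-bit floor. The fingerprint is over the whole DER blob, so a single wrong hex digit in the paste shows up as a different value.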
 

Enable EIGRP on both routers. The wildcard 192.168.0.0 0.0.255.255 covers the LAN interface and, once it exists, the tunnel interface, so the two routers become neighbors over Tunnel0 and learn each other's LAN prefix through it. The adjacency will not form until the tunnel configured in the next step is up.

R1

R1(config)#router eigrp 100
R1(config-router)#no auto-summary
R1(config-router)#network 192.168.0.0 0.0.255.255

R2

R2(config)#router eigrp 100
R2(config-router)#no auto-summary
R2(config-router)#network 192.168.0.0 0.0.255.255

Now the crypto itself: the ISAKMP policy (Phase 1), a transform set wrapped in an IPsec profile (Phase 2), and the GRE tunnel that the profile protects. With `tunnel protection` IOS derives the crypto ACL itself: every GRE packet (IP protocol 47) from the tunnel source to the tunnel destination is encrypted, which includes the EIGRP hellos and updates, so no crypto map or access list is needed.

R1

crypto isakmp policy 1
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
exit
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
 mode tunnel
exit
crypto ipsec profile shiva
 set transform-set t-set
exit
interface tunnel 0
 ip address 192.168.1.1 255.255.255.0
 tunnel source serial 0/0
 tunnel destination 102.1.1.100
 tunnel mode gre ip
 tunnel protection ipsec profile shiva

R2

crypto isakmp policy 1
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
exit
crypto ipsec transform-set t-set esp-aes esp-sha-hmac
 mode tunnel
exit
crypto ipsec profile shiva
 set transform-set t-set
exit
interface tunnel 0
 ip address 192.168.1.2 255.255.255.0
 tunnel source serial 0/0
 tunnel destination 101.1.1.100
 tunnel mode gre ip
 tunnel protection ipsec profile shiva

Two things to check before using this outside a lab. First, the keys entered with `crypto key pubkey-chain rsa` are what the `rsa-encr` (RSA-encrypted nonces) authentication method consumes; `rsa-sig` normally expects a certificate from a PKI trustpoint. If Phase 1 refuses to come up with `authentication rsa-sig` and the pasted keys, change it to `authentication rsa-encr` on both peers and keep everything else the same. Second, `hash sha` is SHA-1, `encryption aes` is AES-128 and `group 5` is 1536-bit Diffie-Hellman; on an image that supports them, `hash sha256`, `encryption aes 256` and `group 14` or higher, with `esp-aes 256 esp-sha256-hmac` in the transform set, are the values to prefer. Whatever is chosen, the policy, the transform set and the authentication method must match on both peers or Phase 1 or Phase 2 will fail.

Once both tunnel interfaces are up, EIGRP forms its adjacency across Tunnel0 and each router learns the remote LAN through the tunnel.

R1

R1#sh ip eigrp neighbors
#IP-EIGRP neighbors for process 100
#H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
#                                            (sec)         (ms)       Cnt Num
#0   192.168.1.2             Tu0               14 00:00:28   81  5000  0  3

R1#sh ip route eigrp
#D    192.168.102.0/24 [90/297270016] via 192.168.1.2, 00:00:31, Tunnel0

R2

R2#sh ip eigrp neighbors
#IP-EIGRP neighbors for process 100
#H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
#                                            (sec)         (ms)       Cnt Num
#0   192.168.1.1             Tu0               11 00:01:09   82  5000  0  3

R2#sh ip route eigrp
#D    192.168.101.0/24 [90/297270016] via 192.168.1.1, 00:01:11, Tunnel0

Finally, send traffic between the two LANs and inspect the ISAKMP (Phase 1) and IPsec (Phase 2) security associations. The ping is sourced from the LAN interface so that EIGRP routes it into Tunnel0 rather than out the serial interface in the clear.

R1

R1#ping 192.168.102.1 source fastEthernet 0/0 repeat 100
#Type escape sequence to abort.
#Sending 100, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.101.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100), round-trip min/avg/max = 44/60/80 ms

R1#sh crypto isakmp sa
#IPv4 Crypto ISAKMP SA
#dst             src             state          conn-id slot status
#101.1.1.100     102.1.1.100     QM_IDLE           1001    0 ACTIVE
#
#IPv6 Crypto ISAKMP SA

R1#sh crypto ipsec sa
#interface: Tunnel0
#    Crypto map tag: Tunnel0-head-0, local addr 101.1.1.100
#
#   protected vrf: (none)
#   local  ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
#   remote ident (addr/mask/prot/port): (102.1.1.100/255.255.255.255/47/0)
#   current_peer 102.1.1.100 port 500
#     PERMIT, flags={origin_is_acl,}
#    #pkts encaps: 130, #pkts encrypt: 130, #pkts digest: 130
#    #pkts decaps: 130, #pkts decrypt: 130, #pkts verify: 130
#    #pkts compressed: 0, #pkts decompressed: 0
#    #pkts not compressed: 0, #pkts compr. failed: 0
#    #pkts not decompressed: 0, #pkts decompress failed: 0
#    #send errors 18, #recv errors 0
#
#     local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100
#     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
#     current outbound spi: 0xBAB745A9(3132573097)
#
#     inbound esp sas:
#      spi: 0x663E75E0(1715369440)
#        transform: esp-aes esp-sha-hmac ,
#        in use settings ={Tunnel, }
#        conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
#        sa timing: remaining key lifetime (k/sec): (4566455/3477)
#        IV size: 16 bytes
#        replay detection support: Y
#        Status: ACTIVE
#
#     inbound ah sas:
#
#     inbound pcp sas:
#
#     outbound esp sas:
#      spi: 0xBAB745A9(3132573097)
#        transform: esp-aes esp-sha-hmac ,
#        in use settings ={Tunnel, }
#        conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
#        sa timing: remaining key lifetime (k/sec): (4566455/3477)
#        IV size: 16 bytes
#        replay detection support: Y
#        Status: ACTIVE
#
#     outbound ah sas:
#
#     outbound pcp sas:

R2

R2#ping 192.168.101.1 source fastEthernet 0/0 repeat 100
#Type escape sequence to abort.
#Sending 100, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
#Packet sent with a source address of 192.168.102.1
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Success rate is 100 percent (100/100), round-trip min/avg/max = 44/59/84 ms

R2#sh crypto isakmp sa
#IPv4 Crypto ISAKMP SA
#dst             src             state          conn-id slot status
#101.1.1.100     102.1.1.100     QM_IDLE           1001    0 ACTIVE
#
#IPv6 Crypto ISAKMP SA

R2#sh crypto ipsec sa
#interface: Tunnel0
#    Crypto map tag: Tunnel0-head-0, local addr 102.1.1.100
#
#   protected vrf: (none)
#   local  ident (addr/mask/prot/port): (102.1.1.100/255.255.255.255/47/0)
#   remote ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
#   current_peer 101.1.1.100 port 500
#     PERMIT, flags={origin_is_acl,}
#    #pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
#    #pkts decaps: 262, #pkts decrypt: 262, #pkts verify: 262
#    #pkts compressed: 0, #pkts decompressed: 0
#    #pkts not compressed: 0, #pkts compr. failed: 0
#    #pkts not decompressed: 0, #pkts decompress failed: 0
#    #send errors 0, #recv errors 0
#
#     local crypto endpt.: 102.1.1.100, remote crypto endpt.: 101.1.1.100
#     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
#     current outbound spi: 0x663E75E0(1715369440)
#
#     inbound esp sas:
#      spi: 0xBAB745A9(3132573097)
#        transform: esp-aes esp-sha-hmac ,
#        in use settings ={Tunnel, }
#        conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
#        sa timing: remaining key lifetime (k/sec): (4572455/3329)
#        IV size: 16 bytes
#        replay detection support: Y
#        Status: ACTIVE
#
#     inbound ah sas:
#
#     inbound pcp sas:
#
#     outbound esp sas:
#      spi: 0x663E75E0(1715369440)
#        transform: esp-aes esp-sha-hmac ,
#        in use settings ={Tunnel, }
#        conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
#        sa timing: remaining key lifetime (k/sec): (4572455/3329)
#        IV size: 16 bytes
#        replay detection support: Y
#        Status: ACTIVE
#
#     outbound ah sas:
#
#     outbound pcp sas:

What to read from this output: the proxy identities are host-to-host with protocol 47, so every GRE packet between the two WAN addresses, routing-protocol traffic included, travels inside ESP; R1's inbound SPI (0x663E75E0) is R2's outbound SPI and vice versa, which is what a correctly paired SA looks like; encaps/encrypt and decaps/verify counters agree on each side, so nothing is failing the integrity check; and the 18 send errors on R1 are typically the packets dropped while IKE was still negotiating, a figure that should stop growing once the tunnel is up. Counters that climb on one side only, or a send-error count that keeps rising, point at a policy or key mismatch that `debug crypto isakmp` and `debug crypto ipsec` will expose.
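To turn that reading of the output into a repeatable check, the following Python script (an added example, not part of the original tutorial and not Cisco code) parses `show crypto ipsec sa` from both peers and cross-checks the fields that matter: mirrored proxy identities, SPIs that pair up across the two routers, matching counters, SA status and anti-replay. The two sample outputs are condensed from the R1 and R2 output above with the same values; the regular expressions assume the layout shown on this page and may need adjusting for other IOS releases.

```python
"""Cross-check 'show crypto ipsec sa' from both ends of a tunnel-protected GRE link.

Added example for this tutorial (not code from the original page or from Cisco).
The two sample outputs are condensed from the R1 and R2 output above (same
values, unrelated lines dropped); the regular expressions assume that layout.
"""
import re

R1_SA = """
   local  ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (102.1.1.100/255.255.255.255/47/0)
    #pkts encaps: 130, #pkts encrypt: 130, #pkts digest: 130
    #pkts decaps: 130, #pkts decrypt: 130, #pkts verify: 130
    #send errors 18, #recv errors 0
     inbound esp sas:
      spi: 0x663E75E0(1715369440)
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0xBAB745A9(3132573097)
        replay detection support: Y
        Status: ACTIVE
"""
R2_SA = """
   local  ident (addr/mask/prot/port): (102.1.1.100/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (101.1.1.100/255.255.255.255/47/0)
    #pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
    #pkts decaps: 262, #pkts decrypt: 262, #pkts verify: 262
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xBAB745A9(3132573097)
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0x663E75E0(1715369440)
        replay detection support: Y
        Status: ACTIVE
"""

# Field name -> regex with one capture group; re.S lets '.*?' span lines.
FIELDS = {
    "local_ident": r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)",
    "encaps": r"#pkts encaps: (\d+)",
    "encrypt": r"#pkts encrypt: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "verify": r"#pkts verify: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
    "inbound_spi": r"inbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)",
    "outbound_spi": r"outbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)",
    "inbound_status": r"inbound esp sas:.*?Status: (\w+)",
    "outbound_status": r"outbound esp sas:.*?Status: (\w+)",
    "replay": r"replay detection support: (\w)",
}
INT_FIELDS = {"encaps", "encrypt", "decaps", "verify", "send_errors", "recv_errors"}


def parse_ipsec_sa(text):
    """Extract the fields worth checking from one router's 'show crypto ipsec sa' output."""
    sa = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.S)
        if not m:
            raise ValueError(f"field {name!r} not found; no SA or the output layout differs")
        value = m.group(1).strip()
        sa[name] = int(value) if name in INT_FIELDS else value
    return sa


def check_pair(a, b, names=("R1", "R2")):
    """Return findings for the two peers' SAs; an empty list means they look consistent."""
    findings = []
    for name, sa in zip(names, (a, b)):
        if sa["inbound_status"] != "ACTIVE" or sa["outbound_status"] != "ACTIVE":
            findings.append(f"{name}: ESP SA is not ACTIVE in both directions")
        if sa["encaps"] != sa["encrypt"] or sa["decaps"] != sa["verify"]:
            findings.append(f"{name}: encrypt/verify counters lag encaps/decaps")
        if sa["recv_errors"]:
            findings.append(f"{name}: {sa['recv_errors']} receive errors (unknown SPI or failed integrity check?)")
        if sa["send_errors"]:
            findings.append(f"{name}: {sa['send_errors']} send errors (packets dropped before the SA was established?)")
        if sa["replay"] != "Y":
            findings.append(f"{name}: anti-replay is disabled")
        if not sa["local_ident"].endswith("/255.255.255.255/47/0"):
            findings.append(f"{name}: proxy identity is not host-to-host GRE (protocol 47)")
    # The SA each side receives on must be the one the other side sends on.
    if a["inbound_spi"] != b["outbound_spi"] or a["outbound_spi"] != b["inbound_spi"]:
        findings.append("SPIs do not pair up across peers: each side holds an SA the other does not")
    if a["local_ident"] != b["remote_ident"] or a["remote_ident"] != b["local_ident"]:
        findings.append("proxy identities are not mirrored across peers")
    return findings


if __name__ == "__main__":
    r1, r2 = parse_ipsec_sa(R1_SA), parse_ipsec_sa(R2_SA)
    for finding in check_pair(r1, r2) or ["no findings: SA pair looks healthy"]:
        print(finding)
```

On the page's own output the only finding is R1's 18 send errors; the SPIs pair up and the identities mirror. Feed it two captures taken a minute apart and a growing send-error count, or SPIs that no longer match, is the signal to go to the debugs.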

I-Medita

I-Medita is an ISO 9001:2015 certified Professional Training Company. I-Medita is India's Most Trusted Networking Training Company. We help in providing industry oriented skill training to networking enthusiasts and professionals to kick-start their career in Networking domains. Our efforts are to keep momentum with the Industry technological demands and diversifying universe of knowledge.