4.4 Virtual Private networks

Activity Overview: In this graded activity, students will learn how to create an IPSec VPN tunnel on a Cisco network (via Packet Tracer). Students will configure end-to-end connectivity between two private networks, ISAKMP and IKE policies, and verify connectivity across the IPSec tunnel.

Activity Outcomes: After completing this activity students will be able to:

  • Demonstrate configuration of IPSec S2S VPN tunnels
  • Identify components of a functional S2S VPN
  • Demonstrate verification of connectivity across S2S VPN

Deliverable: Upload all requested screenshots below, as a .pdf export from the editor of your choosing.

Naming convention: “lastnamefirstinitial_Activity#.pdf” e.g: “smithp_A1.1d.pdf”

Be sure to include your name, student number, and course (CNW-2511) at the top of your document.

Virtual Private Networks

In a modern organization, workers need to have access from anywhere in the world. In addition, many organizations are geographically dispersed. Much of the information workers need to access is heavily controlled by internal and external policies and regulatory guidance.

The best method for ensuring both global access and data security is the use of Virtual Private Networks (VPN). These logical “tunnels” create an encrypted path across the untrusted public network that sits between the two sites. VPN also provides authentication and integrity services, to ensure the data is from a trusted source and has not been tampered with. There are many methods for establishing a VPN, and in the course of this lab you will be provisioning one type, a Site-to-Site IPSec tunnel, using Cisco Packet Tracer.

As you progress through this activity, your instructor will request that you capture a screenshot periodically (on Mac OS: “command+shift+3” to capture the whole screen, or “command+shift+4” then drag the cursor over the area you would like to capture). These screenshots are part of your required deliverable and will be graded.

Install and run Cisco Packet Tracer

Go to the website and create an account. You need to create an account in order to download the latest version of Packet Tracer. Networking Academy will very likely put a short (24-48hr) hold on your account while they validate the information, so get this account created ASAP. Failure to create your account prior to the final weekend is not an excuse for missing this deliverable. See below for the backup plan. Please watch the Week 4 Part 1 lecture for further guidance, if needed.

Once logged in, navigate to the “Getting Started with Packet Tracer” course via the search bar at the top of the screen. Sign up for the course, then once you’ve accessed it, scroll down the main area of the course until you see the link to download Packet Tracer. Then, select the version of Packet Tracer which is compatible with your current Operating System, and install.

If you have issues creating an account or downloading the latest version from either site, here is a direct Gdrive link to download the software:

These versions have “guest login” capability. They do not require any account to function – each file is limited to 3 saves, however.


VPN Activity Walkthrough

Topology of the network you will be creating during this activity

Provision Resources in Packet Tracer

1. Once Packet Tracer is installed and running, create and connect these devices:

Three (3) 1941 Routers
Two (2) 2960 Switches
Two (2) PC Clients

Connect the clients (eth0) to the switches (fa0/1) with straight-through cables

Connect the switches (gi0/1) to the routers (gi0/1) with straight-through cables

Connect R1 (gi0/0) to R2 (gi0/0) with a cross-over cable

Connect R2 (gi0/1) to R3 (gi0/0) with a cross-over cable


2. Configure port access-modes on both switches:

Input the following commands on both S1 and S2:

“enable > conf t > interface fa0/1 > switchport mode access” (enables access-mode for the client connection)

“interface gi0/1 > switchport mode trunk” (enables trunk mode for the router connection)

“do write” (saves the running-configuration to the startup-configuration; “do” lets an EXEC command such as “write” be entered from within configuration mode)

3. Configure the Default Gateway and IP Address on both clients:

C1: IP Address 192.168.0.100, Default Gateway 192.168.0.1
C2: IP Address 192.168.1.100, Default Gateway 192.168.1.1

Example of Client 1 gateway settings

Example of Client 1 NIC settings

Configure Routers (Remember to save your CLI configurations OFTEN – “wr” or “do wr”)

1. Configuration inputs for the three routers:


Router 1:

hostname LNFI-R1 (names the device, global config)

interface g0/0 (“enable > conf t > interface g0/0”, interface config)
ip address 10.0.0.1 255.255.255.0 (gives this interface an IP address)
no shut (turns the interface on)

interface g0/1
ip address 192.168.0.1 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 10.0.0.2 (establishes a default static route, any destination network, via R2 – the “public” router; Global Config)


Router 2 (this router only needs to know its own IP addresses):

hostname LNFI-R2

interface g0/0
ip address 10.0.0.2 255.255.255.0
no shut

interface g0/1
ip address 10.0.1.2 255.255.255.0
no shut


Router 3:

hostname LNFI-R3

interface g0/0
ip address 10.0.1.1 255.255.255.0
no shut

interface g0/1
ip address 192.168.1.1 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 10.0.1.2

Before moving forward, verify your connectivity from both clients to their respective gateway via “ping”, by clicking on the client, then entering the desktop tab and clicking on “command prompt”.

Try to ping the distant client from each side (C1->C2, C2->C1), and notice that the pings will not be able to reach their destination. This is because there are no routes established for the two private 192.168.x.x networks.

We’re going to fix that with our VPN configurations.

2. Install the Security License Module on all three (3) routers:

license boot module c1900 technology-package securityk9 (enable>conf t, global config)

Type “y” when prompted

Remember to write your running-config to the startup-config (“wr”), then type:

“reload” or “do reload” (depending on what configuration mode you are in) to reload all three routers.


3. Configure IPsec on the routers at each end of the VPN tunnel (R1 and R3)

Router 1 (Global Config):

crypto isakmp policy 10 (establishes the policy to be configured)
encryption aes 256 (the type of encryption to be used in this policy)
authentication pre-share (establishes that this policy will use a pre-shared password)
group 5 (establishes the Diffie-Hellman group to be used for this policy)

crypto isakmp key Fullsail1! address 10.0.1.1 (establishes the pre-shared key and the peer address it applies to)

crypto ipsec transform-set R3 esp-aes 256 esp-sha-hmac (establishes the combination of encryption and hashing to be used for this specific R1-R3 IPSec tunnel)

crypto map IPSEC 10 ipsec-isakmp (establishes the settings for the overall VPN tunnel)
set peer 10.0.1.1 (identifies what device will be allowed to peer with this map)
set pfs group5 (establishes the Diffie-Hellman group for perfect forward secrecy)
set security-association lifetime seconds 86400 (lifetime of the IPsec security association before it must be renegotiated, regardless of idle time-outs)
set transform-set R3 (links the previously created transform set to this map)
match address 100 (links the access-list 100 to this map to permit communication)

interface GigabitEthernet0/0
crypto map IPSEC (attaches the previously created crypto map to this interface)

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 (creates the ACL that defines the traffic between the private networks on either side of the VPN tunnel, Global Config)


Router 3:

crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5

crypto isakmp key Fullsail1! address 10.0.0.1

crypto ipsec transform-set R1 esp-aes 256 esp-sha-hmac

crypto map IPSEC 10 ipsec-isakmp
set peer 10.0.0.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set R1
match address 100

interface GigabitEthernet0/0
crypto map IPSEC

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
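A tunnel that never comes up in this lab is usually traceable to the two ends not mirroring each other: a different pre-shared key, a different DH group, a “set peer” pointing at the wrong address, or a crypto ACL that was not reversed on the second router. The following Python script is an added example, not part of the lab handout and not a Cisco tool: it reads the crypto-relevant lines of R1's and R3's configurations (reconstructed here from the inputs above, with the interface stanza kept so the script knows each router's own tunnel address) and reports every mismatch. The function names parse_crypto, check_peers and _sections are this example's own.

```python
"""Added consistency check for the two ends of the lab's site-to-site IPsec
configuration (example code, not part of the handout or of Cisco IOS)."""
import re

# Constructed from the lab's Router 1 and Router 3 inputs; the interface stanza is
# kept so the checker can learn each router's own tunnel endpoint address.
R1_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map IPSEC
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key Fullsail1! address 10.0.1.1
crypto ipsec transform-set R3 esp-aes 256 esp-sha-hmac
crypto map IPSEC 10 ipsec-isakmp
 set peer 10.0.1.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set R3
 match address 100
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
R3_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 crypto map IPSEC
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key Fullsail1! address 10.0.0.1
crypto ipsec transform-set R1 esp-aes 256 esp-sha-hmac
crypto map IPSEC 10 ipsec-isakmp
 set peer 10.0.0.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set R1
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

def _sections(config):
    # Yield (global command, [indented sub-commands]) pairs, IOS-style.
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" "):
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body

def parse_crypto(config):
    """Pull out the pieces of one router's config that must agree with its peer."""
    cfg = {"tunnel_ip": None, "policy": {}, "keys": {}, "transform_sets": {}, "map": {}, "acl": {}}
    for header, body in _sections(config):
        if header.startswith("interface ") and any(l.startswith("crypto map ") for l in body):
            cfg["tunnel_ip"] = next(l.split()[2] for l in body if l.startswith("ip address "))
        elif header.startswith("crypto isakmp policy "):
            cfg["policy"] = {l.split()[0]: " ".join(l.split()[1:]) for l in body}
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", header):
            cfg["keys"][m.group(2)] = m.group(1)          # key indexed by peer address
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", header):
            cfg["transform_sets"][m.group(1)] = m.group(2)
        elif header.startswith("crypto map ") and header.endswith(" ipsec-isakmp"):
            cfg["map"] = {l.split()[1]: " ".join(l.split()[2:]) for l in body if l.startswith("set ")}
            cfg["map"]["acl"] = next(l.split()[2] for l in body if l.startswith("match address "))
        elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", header):
            cfg["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return cfg

def check_peers(a, b):
    """Return a list of mismatches between the two ends; an empty list means consistent."""
    problems = []
    for label, va, vb in (
        ("ISAKMP policy", a["policy"], b["policy"]),
        ("PFS group", a["map"].get("pfs"), b["map"].get("pfs")),
        ("transform-set", a["transform_sets"].get(a["map"].get("transform-set")),
                          b["transform_sets"].get(b["map"].get("transform-set"))),
        # each side's key must be stored under the OTHER side's tunnel address
        ("pre-shared key", a["keys"].get(b["tunnel_ip"]), b["keys"].get(a["tunnel_ip"])),
    ):
        if va is None or vb is None or va != vb:
            problems.append(f"{label} missing or differs between the peers")
    for side, other in ((a, b), (b, a)):
        if side["map"].get("peer") != other["tunnel_ip"]:
            problems.append(f"set peer {side['map'].get('peer')} is not the peer's tunnel address {other['tunnel_ip']}")
        if side["map"].get("acl") not in side["acl"]:
            problems.append("crypto map references an undefined access-list")
    # Interesting-traffic ACLs must be mirror images (source and destination swapped).
    acl_a = set(a["acl"].get(a["map"].get("acl"), []))
    acl_b = {(dst, src) for src, dst in b["acl"].get(b["map"].get("acl"), [])}
    if acl_a != acl_b:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```

Running check_peers(parse_crypto(R1_CONFIG), parse_crypto(R3_CONFIG)) on the lab values returns an empty list; paste your own “show run” text into the two strings and any non-empty result tells you which side to fix before you start pinging. The script deliberately never prints the key text itself, only whether the two keys agree.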

Verify Connectivity and Tunnel Functionality

Once all configurations have been input and saved for each device, you can verify that the IPSec tunnel is up and functional in two ways:

  1. Open the command prompt on each of your clients, then ping the distant client’s IP (Keep in mind you will likely have to ping multiple times before the IPSec tunnel establishes a connection):
    1. C1 -> C2 “ping 192.168.1.100” (SCREENSHOT)
    2. C2 -> C1 “ping 192.168.0.100” (SCREENSHOT)
  2. Access the CLI for R1 and verify that the pings above have properly traversed the IPSec tunnel:
    1. In “enable” mode, type: “show crypto ipsec sa”
    2. There should be a number of packets listed by “#pkts encaps” and “#pkts encrypt”, which demonstrates that the ping traversal was successful. (SCREENSHOT)
  3. Repeat Step 2 on R3 (SCREENSHOT)

Example of “show crypto ipsec sa” output from Router 1 after successful transmission across the VPN tunnel
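The counters in that output say more than “the tunnel works”: encaps and decaps both rising means protected traffic is flowing in both directions, while encaps rising with decaps stuck at zero means this router is encrypting but nothing protected is coming back, which points you at the far side's map, ACL or key. The following Python example, added here and not part of the handout or of IOS, parses the relevant lines of “show crypto ipsec sa” and classifies each crypto-map entry. The SAMPLE_OUTPUT it contains is constructed to follow the IOS output layout using the lab's addresses; it is not a capture from the lab, and the function names parse_ipsec_sa, tunnel_status and report are this example's own.

```python
"""Added triage of 'show crypto ipsec sa' counters (example code, not part of the
lab handout and not a Cisco tool)."""
import re

# Constructed sample in the IOS output layout, using the lab's addresses.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet0/0
    Crypto map tag: IPSEC, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.0.1.1 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
   #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0
"""

COUNTER_RE = re.compile(r"#pkts ([a-z .]+?): (\d+)")   # "#pkts encaps: 7"
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")     # "#send errors 0"

def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry: local/remote idents, peer, counters, errors."""
    entries, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"local\s+ident .*: \((\S+)\)", s):
            cur = {"local": m.group(1), "remote": None, "peer": None, "counters": {}, "errors": {}}
            entries.append(cur)
        elif cur is None:
            continue                      # header lines before the first entry
        elif m := re.match(r"remote ident .*: \((\S+)\)", s):
            cur["remote"] = m.group(1)
        elif m := re.match(r"current_peer (\S+)", s):
            cur["peer"] = m.group(1)
        else:
            for name, value in COUNTER_RE.findall(s):
                cur["counters"][name.strip()] = int(value)
            for direction, value in ERROR_RE.findall(s):
                cur["errors"][direction] = int(value)
    return entries

def tunnel_status(entry):
    """Classify one entry from its encaps/decaps counters and error counts."""
    c, e = entry["counters"], entry["errors"]
    enc, dec = c.get("encaps", 0), c.get("decaps", 0)
    if e.get("send", 0) or e.get("recv", 0):
        return "errors"            # look at the error lines before trusting the counters
    if enc and dec:
        return "bidirectional"     # traffic protected in both directions
    if enc and not dec:
        return "outbound-only"     # we encrypt, nothing protected comes back: check the far side
    if dec and not enc:
        return "inbound-only"      # peer sends, we never match interesting traffic: check our ACL
    return "idle"                  # SA exists but no pings have crossed it yet

def report(text):
    """(local ident, remote ident, peer, status) for every entry in the output."""
    return [(e["local"], e["remote"], e["peer"], tunnel_status(e)) for e in parse_ipsec_sa(text)]
```

On the lab's R1 the single entry should come back as bidirectional with the 192.168.0.0 and 192.168.1.0 idents and peer 10.0.1.1; if you paste output in which only the encaps side moved, the result is outbound-only, which is the cue to re-check R3 rather than R1.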

Required Screenshots and Configuration Text

Take your screenshots/copy running-config text after all configurations and lab steps have been completed.

  1. Running-configurations: On each of the below devices (in “enable” mode) type: “show run”. Press spacebar until all of the information is listed and you are returned to the CLI prompt. Select all of the text output and copy this text into your deliverable document.
    1. Switch 1
    2. Switch 2
    3. Router 1
    4. Router 3
  2. Take a screenshot of your successful PING outputs from:
    1. Client 1 to Client 2
    2. Client 2 to Client 1
  3. Take a screenshot of the output from “show crypto ipsec sa” from:
    1. Router 1
    2. Router 3
  4. Take a screenshot of your topology AFTER all connections have been verified functional (links should all be GREEN)
