I want to take a look at a topic from the security core blueprint: SVTI-based VPNs. SVTI means Static Virtual Tunnel Interface. This is a newer, simpler approach to VPN configuration that uses a tunnel interface, which means we don't have to use crypto maps with access control lists.

Let's jump in and take a look. You can see the topology on screen: a couple of routers interconnected, very simple. I'm going to configure a site-to-site IPsec VPN, and much of this will look the same as what we've previously done in our site-to-site VPN article. Router 1, as you can see, is at 10.10.10.1 and Router 2 is at 10.10.10.2. So here on Router 1, let's start with our IPsec phase 1 configuration. Under global configuration mode, let's say crypto isakmp policy.

I want to give that a policy number, which I'm just going to make 1, and if we look at our contextual help options, we see those same attributes once again. Remember our HAGLE mnemonic, which outlines all of the attributes we need to match on each side: hash, authentication, group, lifetime and encryption. So let's say hash sha512, authentication pre-share, group 14, and lifetime, which I'll set to 3600.

Let's say encryption aes 256. Now let's configure our pre-shared key, so let's say crypto isakmp key. I'm going to make that very simply cisco. We want to identify our remote peer by saying address, and the address is of course 10.10.10.2, because we're working from Router 1 at the moment. Let's say do show crypto isakmp policy just to make sure everything's in place, and that looks good. Let's go over to R2.

Now we'll do something very similar. Under global configuration mode: crypto isakmp policy 1. We want to say hash sha512, authentication pre-share, we'll say group 14, lifetime 3600 and encryption aes 256. Let's configure our pre-shared key: crypto isakmp key, that was cisco, and for the address we want to point to Router 1 at 10.10.10.1. We'll say do show crypto isakmp policy, and everything looks good there. Now we can move to our phase 2 configuration. I'm going to jump back to Router 1, and we can say crypto, but instead of isakmp we want to say ipsec. We want to configure the transform set.

We need to give that a name; I'm going to make that REMOTE in all caps. We have to define one method for encryption and one method for authentication, and you can see all of those options in our contextual help. I'm going to say esp-aes 256, followed by esp-sha512-hmac. Now we can set our mode by saying mode. Again, you can see we can do transport or tunnel mode; this time we want to choose tunnel. Now we want to create an IPsec profile, so let's say crypto ipsec profile followed by a name. I'm going to make that very simply IPSEC, in all caps.

We attach our transform set to this profile by saying set transform-set followed by its name, which was REMOTE. Let's go over to Router 2 and do the same thing: crypto ipsec transform-set, and the name of that is REMOTE.

Then crypto ipsec profile, and the name is IPSEC. Now we want to attach our transform set by saying set transform-set, and the name of that is REMOTE. Now what we do is create a tunnel interface and add our IPsec profile to it. This is very similar to creating a normal GRE tunnel, where we would set a source and destination address.

So let's go back to R1, and under global configuration mode let's say interface tunnel 0. That gets us under tunnel interface configuration mode. You can see the tunnel state changed to down, because now we've created a virtual tunnel. Let's say tunnel source to set the source to our local interface IP address, 10.10.10.1. For the tunnel destination, we want to set that to, of course, 10.10.10.2. Now we need to say tunnel mode, and if we look at contextual help you'll see some familiar options under there. If we were creating a normal GRE tunnel, if you're familiar with that, this is where we would typically set that to GRE mode. In this case we want to say ipsec, and contextual help indicates that we need to specify ipv4 or ipv6.

Of course, in our case we're using ipv4, and I'll hit enter. Finally, we can set our tunnel protection by saying tunnel protection. If we look at contextual help, you'll see that we can use a pre-shared key or we can use ipsec. We obviously want to choose ipsec, and as you can probably guess, we need to specify the IPsec profile that we created, by name, which was IPSEC in all caps. I did forget the profile keyword, so I need to say profile first, followed by IPSEC.

So now when we hit enter, we see a message letting us know that ISAKMP is on and the tunnel interface is up, so that all looks good. Let's go to R2 and do the same thing: let's go under global configuration mode, interface tunnel 0. And one thing I just realized we forgot to do on R1: let's go back under our tunnel (we're still under there). We didn't give this tunnel an IP address.

So let's say ip address; we can make that anything we want. I'm just going to make that 50.50.50.1 with a 24-bit subnet mask. So I almost forgot to do that. Back over on R2 we've created our tunnel; let's give it an IP address here.

Likewise, we'll make that 50.50.50.2 in this case, with a 24-bit subnet mask. Let's say tunnel source, that is 10.10.10.2, and tunnel destination 10.10.10.1. For tunnel mode we want ipsec, and we want to indicate ipv4. We want to set our tunnel protection to ipsec, and we want to call out the profile. The name of that profile is IPSEC.

We'll hit enter, and we're going to see a similar message letting us know ISAKMP is on and the tunnel is up. If we break out of here and say show ip interface brief, we're going to see our tunnel interface. Let's say show interface tunnel 0, and this is going to tell us that our tunnel is up, the encapsulation is TUNNEL, we see our source and destination address, we see the address that we assigned it (50.50.50.2 in this case, because we're on Router 2), and we see that we are using IPsec. So all of that looks good. If we break out of here and say show crypto session, we see our peer listed over UDP port 500.

Our peer is Router 1 at 10.10.10.1. UDP port 500, by the way, is used by IPsec-based VPNs for establishing those secure tunnels. We also see that our session is in the UP-ACTIVE state, which is exactly what we would want to see. So that's a look at an SVTI-based VPN configuration.
