# CCNA 200-301 - Video 39: VPN Configuration (Review and Advanced)

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- VPN configuration review (IPsec site-to-site)
- Advanced VPN concepts (DMVPN, FlexVPN)
- VPN troubleshooting techniques
- VPN design considerations
- VPN monitoring and verification
- SSL VPN concepts

---

## Core Concepts

### 1. IPsec Site-to-Site VPN Review

**Basic IPsec Configuration Review:**

```cisco
! ========== PHASE 1: IKE/ISAKMP ==========
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key VPNKEY address 203.0.113.2

! ========== PHASE 2: IPsec ==========
! IOS takes the AES key size as a separate argument: "esp-aes 256"
crypto ipsec transform-set VPN-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel

! ========== CRYPTO MAP ==========
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TRANSFORM
 set pfs group14
 match address 110

! ========== INTERESTING TRAFFIC ==========
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

! ========== APPLY TO INTERFACE ==========
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

---

### 2. IPsec VPN Verification Commands

| Command | Purpose |
|---------|---------|
| `show crypto isakmp sa` | Display IKE Phase 1 SAs |
| `show crypto ipsec sa` | Display IPsec Phase 2 SAs |
| `show crypto map` | Display crypto map configuration |
| `show crypto session` | Display active crypto sessions |
| `show crypto ipsec transform-set` | Display transform sets |
| `show crypto ipsec profile` | Display IPsec profiles |
| `debug crypto isakmp` | Debug IKE Phase 1 |
| `debug crypto ipsec` | Debug IPsec Phase 2 |

**Example Outputs:**

```cisco
Router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE

Router# show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: VPN-MAP, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12345, #pkts encrypt: 12345, #pkts digest: 12345
    #pkts decaps: 12345, #pkts decrypt: 12345, #pkts verify: 12345
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 203.0.113.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x12345678(305419896)

     inbound esp sas:
      spi: 0x87654321(2271560481)
        transform: esp-aes-256 esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: 1, crypto map: VPN-MAP
        sa timing: remaining key lifetime (k/sec): (4608000/3585)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
```

---

### 3. IPsec VPN Troubleshooting

**IPsec Troubleshooting Flow:**

START: Tunnel not working

1. Check Phase 1 (IKE) with `show crypto isakmp sa`
   - No SA → check reachability, that the ISAKMP policies match, and the pre-shared key
   - MM_NO_STATE → ISAKMP policy mismatch
   - MM_KEY_EXCH → DH group mismatch
   - MM_SA_SETUP → authentication failure
2. Check Phase 2 (IPsec) with `show crypto ipsec sa`
   - No SA → check transform sets and ACL matches
   - Packet counts increasing? → traffic is flowing
   - Errors → MTU issues, routing problems
3. Check interesting traffic
   - Verify the ACL matches the traffic flow
   - Check that traffic is being encrypted (`show crypto ipsec sa`)

**Common Issues and Solutions:**

| Issue | Symptom | Solution |
|-------|---------|----------|
| **IKE Phase 1 Fails** | `show crypto isakmp sa` shows nothing | Check peer reachability, ISAKMP policy match, pre-shared key |
| **IKE Phase 2 Fails** | Phase 1 up, Phase 2 down | Check transform sets, ACLs, interesting traffic |
| **Traffic Not Encrypted** | Packets sent, no encryption | Verify ACL matches traffic, crypto map on correct interface |
| **MTU Issues** | Large packets fail | Adjust MTU on tunnel interface, configure TCP MSS |
| **NAT Traversal Issues** | VPN behind NAT | Enable NAT-T with `crypto isakmp nat-traversal` |
| **Routing Issues** | Can't ping remote network | Check routing to remote networks via VPN |

---

### 4. Advanced VPN: GRE over IPsec Review

```cisco
! ========== IPsec Profile ==========
crypto ipsec transform-set GRE-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROFILE
 set transform-set GRE-TRANSFORM

! ========== GRE Tunnel with IPsec ==========
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROFILE

! ========== Routing over Tunnel ==========
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

---

### 5. DMVPN (Dynamic Multipoint VPN)

**Definition:** DMVPN is a Cisco solution that combines mGRE, NHRP, and IPsec to create a scalable, dynamic VPN network with spoke-to-spoke tunnels.

```
DMVPN ARCHITECTURE

                    +-----------------+
                    |   Hub Router    |
                    |  (NHRP Server)  |
                    +--------+--------+
                             |
          +------------------+------------------+
          |                  |                  |
          v                  v                  v
   +-------------+    +-------------+    +-------------+
   |   Spoke 1   |    |   Spoke 2   |    |   Spoke 3   |
   |(NHRP Client)|    |(NHRP Client)|    |(NHRP Client)|
   +-------------+    +-------------+    +-------------+
```

**DMVPN Features:**

- Dynamic spoke-to-spoke tunnels (no pre-configuration)
- NHRP resolves spoke public IPs
- Single GRE tunnel interface for all spokes
- IPsec encryption for all traffic
- Scalable (add spokes without hub reconfiguration)
- Supports routing protocols (EIGRP, OSPF, BGP)

**DMVPN Hub Configuration:**

```cisco
! ========== IPsec Profile ==========
crypto ipsec transform-set DMVPN-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TRANSFORM
 set security-association lifetime seconds 3600

! ========== mGRE Tunnel ==========
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! Added: the hub must re-advertise spoke routes to the other spokes and keep
 ! the originating spoke as next hop, otherwise spoke-to-spoke tunnels never form
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE

! ========== Routing (EIGRP) ==========
router eigrp 100
 network 10.0.0.0 0.0.0.255
 no auto-summary
```

**DMVPN Spoke Configuration:**

```cisco
! ========== IPsec Profile ==========
crypto ipsec transform-set DMVPN-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TRANSFORM

! ========== mGRE Tunnel ==========
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE

! ========== Routing (EIGRP) ==========
router eigrp 100
 network 10.0.0.0 0.0.0.255
 no auto-summary
```

---
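The configurations in sections 1, 4 and 5 can be checked mechanically against the design thresholds this module lists later (AES-256, SHA-256, DH group 14 or higher, PFS on crypto maps, tunnel `ip mtu 1400` with TCP MSS 1360). The following Python audit is an added example, not part of the course notes: it groups IOS running-config text by indentation and flags each block that misses a threshold; the sample configuration it audits is constructed for the example.

```python
"""Audit IOS IPsec/DMVPN config against the section 9 checklist: AES-256, SHA-256,
DH group 14+, PFS on crypto maps, ip mtu 1400 and TCP MSS 1360 on tunnels."""
import re

# Constructed sample: policy 10, VPN-TRANSFORM, VPN-MAP 10 and Tunnel1 comply.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
crypto isakmp policy 20
 encryption 3des
 hash md5
 group 2
crypto ipsec transform-set VPN-TRANSFORM esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set OLD-TRANSFORM esp-des esp-md5-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set transform-set VPN-TRANSFORM
 set pfs group14
crypto map VPN-MAP 20 ipsec-isakmp
 set transform-set OLD-TRANSFORM
interface Tunnel0
 tunnel mode gre multipoint
interface Tunnel1
 ip mtu 1400
 ip tcp adjust-mss 1360
"""

WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
STRONG_HASHES = {"sha256", "sha384", "sha512"}

def parse_blocks(config):
    """Group IOS config into (header, [indented child lines]) sections."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def value_of(body, key):
    """Argument of the first child line beginning with key ('' if absent)."""
    for line in body:
        if line == key or line.startswith(key + " "):
            return line[len(key):].strip()
    return ""

def audit_config(config):
    """Return (section, finding) pairs; an empty list means the config passes."""
    findings = []
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            enc = value_of(body, "encryption") or "des (default)"
            if enc != "aes 256":
                findings.append((header, f"encryption '{enc}' is not aes 256"))
            hsh = value_of(body, "hash") or "sha (default, SHA-1)"
            if hsh not in STRONG_HASHES:
                findings.append((header, f"hash '{hsh}' is weaker than sha256"))
            grp = int(value_of(body, "group") or 1)  # IOS default is group 1
            if grp < 14:
                findings.append((header, f"DH group {grp} is below 14"))
        elif header.startswith("crypto ipsec transform-set"):
            for t in words[4:]:  # tokens after the set name are the transforms
                if t in WEAK_TRANSFORMS:
                    findings.append((header, f"weak transform '{t}'"))
            if "esp-aes" in words and "256" not in words:
                findings.append((header, "esp-aes without 256 means AES-128"))
        elif header.startswith("crypto map") and header.endswith("ipsec-isakmp"):
            pfs = value_of(body, "set pfs")  # e.g. "group14"
            if not pfs or int(re.sub(r"\D", "", pfs)) < 14:
                findings.append((header, "PFS missing or DH group below 14"))
        elif header.startswith("interface Tunnel"):
            if value_of(body, "ip mtu") != "1400":
                findings.append((header, "ip mtu 1400 not set"))
            if value_of(body, "ip tcp adjust-mss") != "1360":
                findings.append((header, "ip tcp adjust-mss 1360 not set"))
    return findings
```

Feed it `show running-config` text saved from a router; every line of the report names the block to fix and which section 9 threshold it misses.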
### 6. DMVPN Verification Commands

| Command | Purpose |
|---------|---------|
| `show dmvpn` | Display DMVPN status |
| `show ip nhrp` | Display NHRP cache |
| `show ip nhrp summary` | Display NHRP summary |
| `show ip nhrp traffic` | Display NHRP statistics |
| `show crypto session` | Display crypto sessions (spoke-to-spoke) |
| `show interface tunnel [num]` | Display tunnel status |

**Example Outputs:**

```cisco
Router# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel

Interface Tunnel0: Type:Hub NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 203.0.113.2            10.0.0.2    UP 00:01:23     D
     1 203.0.113.3            10.0.0.3    UP 00:00:45     D
     1 203.0.113.4            10.0.0.4    UP 00:00:12     D

Router# show ip nhrp
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 00:01:23, expire 00:01:37
   Type: dynamic, Flags: unique registered used
   NBMA address: 203.0.113.2
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 00:00:45, expire 00:01:15
   Type: dynamic, Flags: unique registered used
   NBMA address: 203.0.113.3
```

---

### 7. FlexVPN

**Definition:** FlexVPN is Cisco's next-generation VPN solution that unifies site-to-site, remote access, and DMVPN into a single framework using IKEv2.

**FlexVPN Benefits:**

- Single framework for all VPN types
- IKEv2 (more secure than IKEv1)
- Supports certificate and pre-shared key authentication
- Virtual Tunnel Interface (VTI) for site-to-site
- Dynamic VTI for DMVPN and remote access
- Enhanced routing support

**FlexVPN Site-to-Site Configuration:**

```cisco
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14

crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

crypto ikev2 keyring KEYRING
 peer 203.0.113.2
  address 203.0.113.2
  pre-shared-key VPNKEY

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING

! Added: the transform set the IPsec profile references was not defined in the
! original notes
crypto ipsec transform-set ESP-AES-256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto ipsec profile IPSEC-PROFILE
 set transform-set ESP-AES-256-SHA256
 set ikev2-profile IKEV2-PROFILE

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ! Added: makes this a static VTI; without it the tunnel is GRE over IPsec
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
```

---
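The section 3 flow can be applied to captured output of the section 2 and section 6 show commands rather than read by eye. The following Python script is an added example, not course material: its parsers accept the text formats shown in those sections, and the captures it works on are constructed, with 203.0.113.3 failing Phase 1 and 203.0.113.4 stuck before NHRP registration completes.

```python
"""Apply the section 3 troubleshooting flow to captured 'show crypto isakmp sa',
'show crypto ipsec sa' and 'show dmvpn' output (sections 2 and 6)."""
import re

# Section 3: IKE Phase 1 states and their likely causes.
PHASE1_CAUSE = {"MM_NO_STATE": "ISAKMP policy mismatch", "MM_KEY_EXCH": "DH group mismatch",
                "MM_SA_SETUP": "authentication failure"}
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Constructed captures: 203.0.113.2 is healthy, .3 fails Phase 1, .4 is stuck in NHRP.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
203.0.113.3     203.0.113.1     MM_NO_STATE       1002 ACTIVE (deleted)
203.0.113.4     203.0.113.1     QM_IDLE           1003 ACTIVE
"""
IPSEC_SA = """\
   current_peer 203.0.113.2 port 500
    #pkts encaps: 12345, #pkts encrypt: 12345, #pkts digest: 12345
    #pkts decaps: 12345, #pkts decrypt: 12345, #pkts verify: 12345
    #send errors 0, #recv errors 0
   current_peer 203.0.113.4 port 500
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
    #send errors 0, #recv errors 0
"""
DMVPN = """\
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 203.0.113.2            10.0.0.2    UP 00:01:23     D
     1 203.0.113.4            10.0.0.4  NHRP 00:00:05     D
"""

def parse_isakmp_sa(text):
    """Return {dst peer: state} from the 'show crypto isakmp sa' table."""
    rows = [line.split() for line in text.splitlines()]
    return {r[0]: r[2] for r in rows if len(r) >= 5 and IPV4.fullmatch(r[0])}

def parse_ipsec_sa(text):
    """Return {peer: {counter: value}} for encaps, decaps and send/recv errors."""
    peers, cur = {}, None
    for line in text.splitlines():
        m = re.search(r"current_peer (\S+)", line)
        if m:
            cur = peers.setdefault(m.group(1), {})
        elif cur is not None:
            for key, val in re.findall(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)", line):
                cur[key] = int(val)
    return peers

def parse_dmvpn(text):
    """Return {NBMA address: state} from the 'show dmvpn' peer table."""
    rows = [line.split() for line in text.splitlines()]
    return {r[1]: r[3] for r in rows if len(r) >= 4 and r[0].isdigit()}

def diagnose(isakmp, ipsec, dmvpn):
    """Per peer: Phase 1 state first, then Phase 2 counters, then NHRP registration."""
    report = {}
    for peer in sorted(set(isakmp) | set(ipsec) | set(dmvpn)):
        state, c = isakmp.get(peer), ipsec.get(peer, {})
        if state != "QM_IDLE":
            cause = PHASE1_CAUSE.get(state, "no SA; check reachability, policy match, pre-shared key")
            report[peer] = f"Phase 1 ({state}): {cause}"
        elif c.get("pkts encaps", 0) == 0:
            report[peer] = "Phase 2: nothing encrypted; check interesting-traffic ACL and crypto map interface"
        elif c.get("pkts decaps", 0) == 0:
            report[peer] = "Phase 2: one-way; packets sent but none returned, check remote ACL and routing"
        elif c.get("send errors", 0) or c.get("recv errors", 0):
            report[peer] = "Phase 2: errors counted; check MTU/MSS and routing"
        elif dmvpn.get(peer, "UP") != "UP":
            report[peer] = f"NHRP: DMVPN peer state {dmvpn[peer]}, registration incomplete"
        else:
            report[peer] = "OK"
    return report
```

For a plain site-to-site router pass an empty dict as the DMVPN argument; the counter checks only say something once a second capture shows the counters have stopped increasing.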
### 8. SSL VPN (Remote Access)

**Definition:** SSL VPN provides secure remote access over SSL/TLS. In clientless (portal) mode users connect from a web browser without installing client software; full-tunnel access uses the AnyConnect client.

**SSL VPN Types:**

**Clientless (Portal) VPN:**

- Browser-based access
- No client software required
- Limited application support (web apps)
- Best for: guest access, limited application access

**Full Tunnel (AnyConnect) VPN:**

- Requires Cisco AnyConnect client
- Full network access
- Supports all applications
- Best for: full remote access for employees

---

### 9. VPN Design Considerations

**1. Performance**

- Encryption overhead (CPU usage)
- Throughput requirements
- Latency considerations
- Hardware vs. software crypto

**2. Scalability**

- Number of sites
- Hub-and-spoke vs. full mesh
- DMVPN for large deployments
- Hub capacity planning

**3. Security**

- Strong encryption (AES-256)
- Strong hashing (SHA-256)
- Diffie-Hellman groups (14 or higher)
- Certificate-based authentication (preferred)
- Perfect Forward Secrecy (PFS)

**4. Redundancy**

- Multiple VPN peers (crypto map with multiple peers)
- Backup WAN links
- Dual hubs for DMVPN
- Floating static routes

**5. MTU Considerations**

- IPsec adds 50-60 bytes of overhead
- GRE over IPsec adds more
- Configure MTU on tunnel interfaces (1400)
- TCP MSS adjustment (1360)

---

### 10. VPN Monitoring and Troubleshooting

**Monitoring Commands:**

```cisco
! Check IKE Phase 1 status
Router# show crypto isakmp sa
Router# show crypto isakmp peers

! Check IPsec Phase 2 status
Router# show crypto ipsec sa
Router# show crypto ipsec sa peer 203.0.113.2

! Check DMVPN/NHRP
Router# show dmvpn
Router# show ip nhrp

! Check traffic statistics
Router# show crypto ipsec sa | include pkts
Router# show crypto session

! Check interface statistics
Router# show interfaces tunnel 0
Router# show interfaces gigabitEthernet 0/0
```

**Troubleshooting Commands:**

```cisco
! Debug IKE Phase 1
Router# debug crypto isakmp
Router# debug crypto ikev1

! Debug IKEv2 (FlexVPN)
Router# debug crypto ikev2

! Debug IPsec Phase 2
Router# debug crypto ipsec

! Debug DMVPN/NHRP
Router# debug nhrp
Router# debug nhrp packet

! Debug routing over VPN
Router# debug ip routing
Router# debug ip ospf events

! Clear VPN sessions (reset)
Router# clear crypto isakmp
Router# clear crypto sa
Router# clear crypto session
```

---

## Complete Configuration Examples

### Lab 1: IPsec Site-to-Site VPN with PFS

**Router A Configuration:**

```cisco
hostname RouterA
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key VPNKEY address 203.0.113.2
!
crypto ipsec transform-set VPN-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TRANSFORM
 set pfs group14
 match address 110
!
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
ip route 192.168.2.0 255.255.255.0 203.0.113.2
!
end
```

**Router B Configuration:**

```cisco
hostname RouterB
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key VPNKEY address 203.0.113.1
!
crypto ipsec transform-set VPN-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set VPN-TRANSFORM
 set pfs group14
 match address 110
!
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 203.0.113.1
!
end
```

---

### Lab 2: GRE over IPsec with OSPF

**Router A Configuration:**

```cisco
hostname RouterA
!
! IPsec Profile
crypto ipsec transform-set GRE-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROFILE
 set transform-set GRE-TRANSFORM
!
! GRE Tunnel
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROFILE
!
! Physical interfaces
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
! OSPF over tunnel
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
end
```

**Router B Configuration:**

```cisco
hostname RouterB
!
crypto ipsec transform-set GRE-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROFILE
 set transform-set GRE-TRANSFORM
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROFILE
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
end
```

---

### Lab 3: DMVPN Hub-and-Spoke

**Hub Router Configuration:**

```cisco
hostname Hub
!
! IPsec
crypto ipsec transform-set DMVPN-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TRANSFORM
!
! mGRE Tunnel
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! Added: lets the hub re-advertise spoke routes to other spokes with the
 ! originating spoke as next hop, which spoke-to-spoke tunnels depend on
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
!
! EIGRP
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 no auto-summary
!
end
```

**Spoke Router Configuration:**

```cisco
hostname Spoke1
!
! IPsec
crypto ipsec transform-set DMVPN-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TRANSFORM
!
! mGRE Tunnel
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
!
! EIGRP
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 no auto-summary
!
end
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **IPsec Components** | IKE Phase 1 (ISAKMP), IKE Phase 2 (IPsec) |
| **Transform Sets** | Encryption + hash + mode |
| **Interesting Traffic** | ACL defining traffic to encrypt |
| **DMVPN** | mGRE + NHRP + IPsec |
| **NHRP** | Dynamic peer discovery (Next Hop Resolution Protocol) |
| **IKEv2** | FlexVPN uses IKEv2 (more secure) |
| **SSL VPN** | Remote access via browser or AnyConnect |

### Common Exam Scenarios:

**Scenario 1:** "A VPN tunnel is established but traffic is not passing. What should be checked first?"

- **Answer:** `show crypto ipsec sa` to verify packets are being encrypted/decrypted

**Scenario 2:** "Which technology allows dynamic spoke-to-spoke tunnels without pre-configuration?"

- **Answer:** DMVPN (using mGRE and NHRP)

**Scenario 3:** "What is the purpose of Perfect Forward Secrecy (PFS) in IPsec?"

- **Answer:** Ensures that compromise of one key does not compromise other keys

---

## Summary (1-Minute Revision)

```
VPN CONFIGURATION - REVIEW & ADVANCED:

IPSEC SITE-TO-SITE:
├── Phase 1: IKE/ISAKMP (encryption, hash, auth, DH group)
├── Phase 2: IPsec (transform set, mode)
├── Crypto map (peer, transform, ACL)
└── Interesting traffic (ACL)

VERIFICATION:
├── show crypto isakmp sa
├── show crypto ipsec sa
├── show crypto map
└── show crypto session

DMVPN:
├── mGRE (multipoint GRE)
├── NHRP (dynamic peer discovery)
├── IPsec (encryption)
├── Hub: ip nhrp map multicast dynamic
├── Spoke: ip nhrp nhs [hub-tunnel-ip]
└── show dmvpn, show ip nhrp

GRE OVER IPSEC:
├── IPsec profile (transport mode)
├── tunnel protection ipsec profile [name]
└── Routing protocols over tunnel

TROUBLESHOOTING:
├── debug crypto isakmp (Phase 1)
├── debug crypto ipsec (Phase 2)
├── debug nhrp (DMVPN)
└── clear crypto isakmp / clear crypto sa
```

---

## Practice Questions

**1. Which command displays active IKE Phase 1 security associations?**

- A) `show crypto ipsec sa`
- B) `show crypto isakmp sa`
- C) `show crypto map`
- D) `show crypto session`

<details>
<summary>Answer</summary>
<b>B) `show crypto isakmp sa`</b> - Displays IKE Phase 1 SAs.
</details>

**2. What does NHRP do in DMVPN?**

- A) Encrypts traffic
- B) Provides dynamic peer address resolution
- C) Establishes GRE tunnels
- D) Authenticates users

<details>
<summary>Answer</summary>
<b>B) Provides dynamic peer address resolution</b> - NHRP resolves spoke IP addresses for direct tunnels.
</details>

**3. Which command displays DMVPN status?**

- A) `show dmvpn`
- B) `show vpn`
- C) `show crypto dmvpn`
- D) `show ip dmvpn`

<details>
<summary>Answer</summary>
<b>A) `show dmvpn`</b> - Displays DMVPN tunnel status and peers.
</details>

**4. What is the purpose of PFS (Perfect Forward Secrecy) in IPsec?**

- A) Faster key exchange
- B) Keys are not derived from previous keys
- C) Lower CPU usage
- D) Smaller packet size

<details>
<summary>Answer</summary>
<b>B) Keys are not derived from previous keys</b> - PFS ensures compromise of one key doesn't compromise others.
</details>

**5. Which DMVPN component enables dynamic spoke-to-spoke tunnels?**

- A) mGRE
- B) IPsec
- C) NHRP
- D) Both A and C

<details>
<summary>Answer</summary>
<b>D) Both A and C</b> - mGRE allows multipoint tunnels, NHRP resolves spoke addresses.
</details>

**6. What is the default IKE Phase 1 lifetime?**

- A) 3600 seconds
- B) 86400 seconds
- C) 14400 seconds
- D) 7200 seconds

<details>
<summary>Answer</summary>
<b>B) 86400 seconds</b> - Default IKE Phase 1 lifetime is 24 hours.
</details>

**7. Which command clears all IPsec security associations?**

- A) `clear crypto isakmp`
- B) `clear crypto sa`
- C) `clear crypto ipsec`
- D) `clear crypto session`

<details>
<summary>Answer</summary>
<b>B) `clear crypto sa`</b> - Clears IPsec Phase 2 security associations.
</details>

**8. What is the purpose of the `ip nhrp map multicast dynamic` command on the DMVPN hub?**

- A) Enable multicast over DMVPN
- B) Allow spokes to register for multicast
- C) Disable multicast
- D) Configure IPsec

<details>
<summary>Answer</summary>
<b>B) Allow spokes to register for multicast</b> - Allows dynamic registration of spoke multicast addresses.
</details>

**9. Which command displays the NHRP cache?**

- A) `show nhrp`
- B) `show ip nhrp`
- C) `show dmvpn nhrp`
- D) `show crypto nhrp`

<details>
<summary>Answer</summary>
<b>B) `show ip nhrp`</b> - Displays the NHRP cache with peer mappings.
</details>

**10. What is the purpose of TCP MSS adjustment on VPN tunnels?**

- A) Increase throughput
- B) Prevent fragmentation issues
- C) Reduce latency
- D) Improve security

<details>
<summary>Answer</summary>
<b>B) Prevent fragmentation issues</b> - MSS adjustment prevents fragmentation of TCP packets.
</details>

**11. Which IPsec mode is used for GRE over IPsec?**

- A) Tunnel mode
- B) Transport mode
- C) GRE mode
- D) ESP mode

<details>
<summary>Answer</summary>
<b>B) Transport mode</b> - Transport mode preserves the original IP header for GRE.
</details>

**12. What does `crypto isakmp key VPNKEY address 203.0.113.2` configure?**

- A) Encryption key
- B) Pre-shared key for peer
- C) Transform set
- D) Crypto map

<details>
<summary>Answer</summary>
<b>B) Pre-shared key for peer</b> - Configures the pre-shared key for authentication.
</details>

---

## Next Steps

After completing Video 39, you should be ready for:

- **Video 40:** Firewall Technologies
- **Video 41:** QoS (Quality of Service) Overview

**Lab Practice:**

1. Configure IPsec site-to-site VPN with PFS
2. Verify with `show crypto isakmp sa` and `show crypto ipsec sa`
3. Configure GRE over IPsec with OSPF
4. Configure DMVPN hub and one spoke
5. Verify DMVPN with `show dmvpn` and `show ip nhrp`
6. Test spoke-to-spoke tunnel
7. Troubleshoot with debug commands