IPSec

Encrypt traffic between Host1 and Host2


[Host1]-----------------[R1]---{R2_Cloud}---[R3]-----------------[Host2]

192.168.1.100 - 192.168.1.1 [] === encrypted === [] 192.168.2.1 - 192.168.2.100

     192.168.1.0/24      10.0.0.0/30 [] 10.0.0.4/30      192.168.2.0/24



hostname Host1
interface FastEthernet0/0
 ip address 192.168.1.100 255.255.255.0
 no shut
line con 0
 exec-timeout 0 0
ip route 0.0.0.0 0.0.0.0 192.168.1.1


hostname Host2
interface FastEthernet0/0
 ip address 192.168.2.100 255.255.255.0
 no shut
line con 0
 exec-timeout 0 0
ip route 0.0.0.0 0.0.0.0 192.168.2.1


hostname R1
policy-map shaper
 class class-default
  shape average 2000000
interface FastEthernet0/0
 no shut
 description LAN
 ip address 192.168.1.1 255.255.255.0
 load-interval 30
 duplex auto
 speed auto
interface FastEthernet0/1
 no shut
 description WAN
 ip address 10.0.0.2 255.255.255.252
 load-interval 30
 duplex auto
 speed auto
 service-policy output shaper
line con 0
 exec-timeout 0 0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10.0.0.1


hostname R2
policy-map shaper
 class class-default
  shape average 2000000
interface FastEthernet0/0
 no shut
 description WAN_1
 ip address 10.0.0.1 255.255.255.252
 load-interval 30
 duplex auto
 speed auto
interface FastEthernet0/1
 no shut
 description WAN_2
 ip address 10.0.0.5 255.255.255.252
 load-interval 30
 duplex auto
 speed auto
 service-policy output shaper
line con 0
 exec-timeout 0 0
ip route 192.168.1.0 255.255.255.0 FastEthernet0/0 10.0.0.2
! next hop 10.0.0.6 (R3) is on WAN_2, so the exit interface is FastEthernet0/1
ip route 192.168.2.0 255.255.255.0 FastEthernet0/1 10.0.0.6


hostname R3
policy-map shaper
 class class-default
  shape average 2000000
interface FastEthernet0/0
 no shut
 description LAN
 ip address 192.168.2.1 255.255.255.0
 load-interval 30
 duplex auto
 speed auto
interface FastEthernet0/1
 no shut
 description WAN
 ip address 10.0.0.6 255.255.255.252
 load-interval 30
 duplex auto
 speed auto
 service-policy output shaper
line con 0
 exec-timeout 0 0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10.0.0.5



Crypto config:

!R1
! IKE phase 1 policy: pre-shared key, 3DES, DH group 2
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 group 2
!
! pre-shared key for the peer R3 (WAN address 10.0.0.6)
crypto isakmp key 0 CISCO address 10.0.0.6
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 10 periodic
!
! transport mode only applies to traffic between the peer addresses themselves;
! the LAN-to-LAN traffic matched by access-list 101 is sent in tunnel mode
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
! MyProfile is defined but not referenced anywhere in this config
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
! traffic to protect: LAN behind R1 -> LAN behind R3
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map MyMap 10 ipsec-isakmp
 set peer 10.0.0.6
 set transform-set MyTransSet
 match address 101
!
interface FastEthernet0/1
 crypto map MyMap


!R3
! IKE phase 1 policy: must match R1
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 group 2
!
! pre-shared key for the peer R1 (WAN address 10.0.0.2)
crypto isakmp key 0 CISCO address 10.0.0.2
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 10 periodic
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile MyProfile
 set transform-set MyTransSet
!
! traffic to protect: mirror image of access-list 101 on R1
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map MyMap 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set MyTransSet
 match address 101
!
interface FastEthernet0/1
 crypto map MyMap
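
Added example (not part of the original paste): a Python check that the R1 and R3 crypto sections agree with each other (IKE policy, transform set, peer addresses, mirrored crypto ACLs) and that lists the legacy settings they use. The config text is the paste's crypto lines trimmed to what the check reads; the function names and the WEAK list are assumptions of this example.

```python
import re

# Crypto sections of R1 and R3 from the paste (one template, two peers).
TEMPLATE = """crypto isakmp policy 1
 authentication pre-share
 encr 3des
 group 2
crypto isakmp key 0 CISCO address {peer}
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
access-list 101 permit ip {src} 0.0.0.255 {dst} 0.0.0.255
crypto map MyMap 10 ipsec-isakmp
 set peer {peer}
 match address 101
"""
R1 = TEMPLATE.format(peer="10.0.0.6", src="192.168.1.0", dst="192.168.2.0")
R3 = TEMPLATE.format(peer="10.0.0.2", src="192.168.2.0", dst="192.168.1.0")
WEAK = {"3des", "des", "esp-3des", "esp-des", "esp-md5-hmac"}  # assumption: local policy list

def parse(cfg):
    """Pull out the fields the two IPsec peers have to agree on."""
    def one(pattern):
        return re.search(pattern, cfg, re.M).groups()
    acl_id = one(r"^\s*match address (\d+)")[0]
    return {
        "ike": one(r"^\s*authentication (\S+)") + one(r"^\s*encr (\S+)") + one(r"^\s*group (\d+)"),
        "key": one(r"^crypto isakmp key (\d) (\S+) address (\S+)"),
        "xform": tuple(one(r"^crypto ipsec transform-set \S+ (.+)$")[0].split()),
        "peer": one(r"^\s*set peer (\S+)")[0],
        "acl": one(rf"^access-list {acl_id} permit ip (\S+ \S+) (\S+ \S+)$"),
    }

def audit(cfg_a, wan_a, cfg_b, wan_b):
    """Return (mismatches, weaknesses) for two peers and their WAN addresses."""
    a, b = parse(cfg_a), parse(cfg_b)
    mismatches = []
    if a["ike"] != b["ike"]:
        mismatches.append("IKE policy differs")
    if a["xform"] != b["xform"]:
        mismatches.append("transform-set differs")
    if (a["peer"], b["peer"]) != (wan_b, wan_a):
        mismatches.append("set peer does not point at the other router")
    if a["key"][1] != b["key"][1] or (a["key"][2], b["key"][2]) != (wan_b, wan_a):
        mismatches.append("pre-shared key or its peer address differs")
    if a["acl"] != b["acl"][::-1]:
        mismatches.append("crypto ACLs are not mirror images")
    weak = sorted(({a["ike"][1]} | set(a["xform"])) & WEAK)
    if a["ike"][2] in {"1", "2", "5"}:
        weak.append("DH group " + a["ike"][2])
    if a["key"][0] == "0":
        weak.append("pre-shared key stored unencrypted (type 0)")
    return mismatches, weak
```

Call it as audit(R1, "10.0.0.2", R3, "10.0.0.6"); the weakness list is computed from the first config, since matching peers share the same settings.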