<<

. 6
( 9)



>>

configure a separate subnet for the management and user VLANs. Enable trunking with subinterfaces on R1
to route between the management and user VLAN subnets.


Part 4. Configure SPAN and Monitor Traffic
Note: There are two tasks in this part of the lab, Task 1: Option 1 is to be performed using hands-on
equipment. Task 2: Option 2 is modified to be compatible with the NETLAB+ system but can also be
performed using hands-on equipment.

Cisco IOS provides a feature that can be used to monitor network attacks called Switched Port Analyzer
(SPAN). Cisco IOS supports local SPAN and remote SPAN (RSPAN). With local SPAN, the source VLANs,
source switch ports, and the destination switch ports are on the same physical switch.

In this part of the lab, you configure a local SPAN to copy traffic from one port where a host is connected to
another port where a monitoring station is connected. The monitoring station will run the Wireshark packet
sniffer application to analyze traffic.

Note: SPAN allows you to select and copy traffic from one or more source switch ports or source VLANs onto
one or more destination ports.


Task 1. Option 1: Configure a SPAN Session Using Hands-on Equipment.

Note: Option 1 assumes you have physical access to the devices shown in the topology for this
lab. NETLAB+ users accessing lab equipment remotely should proceed to Task 2: Option 2.

Step 1: Configure a SPAN session on S1 with a source and destination

a. Set the SPAN source interface using the monitor session command in global configuration mode.
The following configures a SPAN source port on FastEthernet 0/5 for ingress and egress traffic.
Traffic copied on the source port can be ingress only, egress only or both. Switch S1 port Fa0/5 is
connected to router R1, so traffic to (ingress) and from (egress) switch port Fa0/5 to R1 will be
monitored.
S1(config)#monitor session 1 source interface fa0/5 both
Note: You can specify to monitor tx (transmit) or rx (receive) traffic. The keyword both includes tx
and rx. The source can be a single interface, a range of interfaces, a single VLAN, or a range of
VLANs.

b. Set the SPAN destination interface.
S1(config)#monitor session 1 destination interface fa0/6


157
All traffic from S1 Fa0/5, where R1 is connected, will be copied to the SPAN destination port Fa0/6, where
PC-A with Wireshark is connected.

Note: The destination can be an interface or a range of interfaces.

Step 2: Verify the setup of the SPAN session on S1.

Confirm the SPAN session setup.

S1#show monitor session 1
Session 1
Type : Local Session
Source Ports :
Both : Fa0/5
Destination Ports : Fa0/6
Encapsulation : Native
Ingress : Disabled


Step 3: (Optional) Download and install Wireshark on PC-A.

a. Wireshark is a network protocol analyzer (also called a packet sniffer) that runs with Windows XP and
Vista. If Wireshark is not currently available on PC-A, you can download the latest version from
http://www.wireshark.org/download.html. This lab uses Wireshark version 1.0.5. The initial Wireshark
installation screen is shown here.




b. Click I Agree to the License agreement and accept the defaults by clicking Next when prompted.

Note: On the Install WinPcap screen, select the install WinPcap options and select Start WinPcap
service option if you want to have other users besides those with administrative privileges run Wireshark.

158
Step 4: Monitor switch S1 port Fa0/5 ping activity using Wireshark on PC-A.

a. If Wireshark is available, start the application.

b. From the main menu, select Capture > Interfaces.




c. Click the Start button for the local area network interface adapter with IP address 192.168.1.10.




d. Generate some traffic from PC-B (192.168.1.11) to R1 interface Fa0/1 (192.168.1.1) using ping. This
traffic will go from S2 port Fa0/18 to S2 port Fa0/1 across the trunk link to S1 port Fa0/1 and then exit
interface Fa0/5 on S1 to reach R1.
PC-B:\>ping 192.168.1.1
e. Observe the results in Wireshark on PC-A. Notice the initial ARP request broadcast from PC-B (Intel
NIC) to determine the MAC address of the R1 Fa0/1 interface with IP address 192.168.1.1 and the ARP
reply from the R1 Cisco Ethernet interface. After the ARP request, the pings (echo request and replies)
can be seen going from PC-B to R1 and from R1 to PC-B through the switch.

Note: Your screen should look similar to the one below. Some additional packets might be captured
in addition to the pings, such as the R1 Fa0/1 LOOP reply.




159
Step 5: Monitor switch S1 port Fa0/5 SuperScan activity using Wireshark on PC-A.

a. If SuperScan is not on PC-B, download the SuperScan 4.0 tool from the Scanning Tools group at
http://www.foundstone.com. Unzip the file into a folder. The SuperScan4.exe file is executable and
installation is not required.

b. Start the SuperScan program on PC-B. Click the Host and Service Discovery tab. Check the
Timestamp Request check box, and uncheck the Echo Request check box. Scroll through the UDP and
TCP port selection lists and notice the range of ports that will be scanned.

c. In the SuperScan program, click the Scan tab and enter the IP address R1 FA0/1 (192.168.1.1) in the
Hostname/IP field.

d. Click the right arrow to populate the Start IP and End IP fields.




160
e. Clear the previous capture in Wireshark and start a new capture by clicking Capture > Start. When
prompted, click the Continue without saving button.

f. In the SuperScan program, click the blue arrow button in the lower left to start the scan.

g. Observe the results in the Wireshark window on PC-A. Notice the number and types of ports tried by
the simulated SuperScan attack from PC-B (192.168.1.11) to R1 Fa0/1 (192.168.1.1). Your screen should
look similar to the following:




161
Task 2. Option 2: Configure a SPAN Session Using NETLAB+ Remote Equipment.

Note: This portion of the lab has been rewritten to enhance compatibility with the NETLAB+
system.

On switch S1, you will configure a local SPAN to reflect the traffic exiting Port Fa0/5, in this case, the traffic
from PC-A to R1™s Fa0/1. This traffic should be received by switch S2, and forwarded to PC-B, where
Wireshark is capturing the packets. Refer to the following diagram which illustrates the SPAN traffic flow.

Note: To perform this Task, Wireshark should be installed on PC-B.




162
Note: Switch S2 is acting as a regular switch, forwarding frames based on destination MAC addresses and
switch ports. The traffic entering S2 through Port Fa0/1 utilizes the R1™s MAC address as destination for the
Ethernet frame, therefore in order to forward those packets to PC-B, the R1™s MAC address must be the same
as PC-B. To accomplish this, R1™s Fa0/1 MAC address is modified using the IOS CLI to simulate PC-B™s MAC
address. This requirement is specific to the NETLAB+ environment.


Step 1: Configure a SPAN session on S1 with Source and Destination:

a. Return the Fa0/1 on S1 and S2 to its default configuration. This link S1 Fa0/1 to S2 Fa0/1 is going to
be used to carry the traffic being monitored.
S1(config)#default interface fastethernet 0/1
S2(config)#default interface fastethernet 0/1
b. Write down the MAC address for PC-B

PC-B™s MAC Address: ___________________________

PC-B™s MAC Address in this example is 000c-299a-e61a

c. Configure the PC-B™s MAC address on R1™s Fa0/1.
R1(config)#interface fa0/1
R1(config-if)#mac-address 000c.299a.e61a

d. Set the SPAN Source Interface using the monitor session command in global configuration mode. The
following configures a SPAN source port on fastethernet0/5 for egress traffic. Traffic copied on the source
port can be ingress only, egress only or both. In this case, the egress traffic is the only one analyzed. On
Switch S1 port Fa0/5 is connected to router R1 so traffic to the switch port Fa0/5 to R1 will be monitored.
S1(config)#monitor session 1 source interface fa0/5 tx

Note: The source can be a single interface, a range of interfaces, a single VLAN, or range of VLANs.


163
e. Set the SPAN destination interface.
S1(config)#monitor session 1 destination interface fa0/1

All egress traffic from S1 Fa0/5, where R1 is connected, will be copied to the SPAN destination port
Fa0/1, where PC-B with WireShark is connected.

Note: The destination can be an interface or a range of interfaces.

Step 2: Verify the setup of the SPAN session on S1.

Confirm the SPAN session setup using the show monitor session 1 command.

S1#show monitor session 1
Session 1
Type : Local Session
Source Ports :
TX Only : Fa0/5
Destination Ports : Fa0/1
Encapsulation : Native
Ingress : Disabled




Step 3: (Optional) Download and install Wireshark on PC-B

WireShark is a network protocol analyzer (also called a packet sniffer) that runs with Windows XP and
Vista. If WireShark is not currently available on PC-B, you may download the latest version from
http://www.wireshark.org/download.html and install it as described in Part 4, Task 1, Step 3.


Step 4: Monitor Switch S1 port Fa0/5 ping activity using Wireshark on PC-B

a. If WireShark is available, start the application.

b. From the main menu, select Capture > Interfaces.

c. Click the Start button for the Local area network interface adapter.

d. Generate some traffic from PC-A (192.168.1.10) to R1 interface Fa0/1 (192.168.1.1) using ping. This
traffic will go from S1 port Fa0/6 to S1 port Fa0/5. In addition, the traffic going from PC-A to R1 interface
Fa0/1 is forwarded across the link between S1 and S2, and then S2 will forward this traffic to PC-B,
where Wireshark is capturing the packets. Before pinging, delete the ARP table on PC-A, so an ARP
request would be generated. Note that the SPAN session is configured only on S1, and S2 is operating
as a normal switch.
C:\>arp “d *
C:\>ping 192.168.1.1
e. Observe the results in WireShark on PC-B. Notice the initial ARP request broadcast from PC-A to
determine the MAC address of the R1 Fa0/1 interface with IP address 192.168.1.1 and the ARP reply
from the R1 Cisco Ethernet interface. After the ARP request the pings (echo requests) can be seen going
from PC-A to R1 through the switch.

Note: Your screen should look similar to the one below. There may be some addition packets captured,
in addition to the pings, such as the R1 Fa0/1 LOOP Reply and Spanning Tree Packets.

164
Step 5: Monitor Switch S1 port Fa0/5 SuperScan activity using Wireshark on PC-B

a. If SuperScan is not on PC-A, download the SuperScan 4.0 tool from the Scanning Tools group at
http://www.foundstone.com. Unzip the file into a folder. The SuperScan4.exe file is executable and
installation is not required.

b. Start the SuperScan program on PC-A. Click the Host and Service Discovery tab. Check the
Timestamp Request check box and uncheck the Echo Request check box. Scroll the UDP and TCP
port selection lists and notice the range of ports that will be scanned.

c. In the SuperScan program click the Scan tab and enter the IP address of R1 FA0/1 (192.168.1.1) in
the Hostname/IP field.

d. Click the right facing arrow to populate the Start and End IP fields.




165
e. Clear the previous capture in WireShark and start a new capture by clicking Capture > Start and when
prompted click the Continue without saving button.

f. In the SuperScan program click the button which is in the lower left of the screen, with the blue arrow on
it, to start the scan.

g. Observe the results on the WireShark window on PC-B. Notice the number and types of ports tried by
the simulated SuperScan attack from PC-A (192.168.1.11) to R1 Fa0/1 (192.168.1.1). Your screen should
look similar the following:




166
Step 6: Reflection.
a. Why should port security be enabled on switch access ports?
____________________________________________________________________________________
____________________________________________________________________________

b. Why should port security be enabled on switch trunk ports?
____________________________________________________________________________________
____________________________________________________________________________

c. Why should unused ports on a switch be disabled?
____________________________________________________________________________________
____________________________________________________________________________


Router Interface Summary Table

Router Interface Summary
Router Model Ethernet Interface Ethernet Interface Serial Interface Serial Interface
#1 #2 #1 #2
1700 Fast Ethernet 0 Fast Ethernet 1 Serial 0 (S0) Serial 1 (S1)
(FA0) (FA1)

167
Router Interface Summary
1800 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 Serial 0/0/1
(FA0/0) (FA0/1) (S0/0/0) (S0/0/1)
2600 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0 (S0/0) Serial 0/1 (S0/1)
(FA0/0) (FA0/1)
2800 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 Serial 0/0/1
(FA0/0) (FA0/1) (S0/0/0) (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router
and how many interfaces the router has. There is no way to effectively list all the combinations of
configurations for each router class. This table includes identifiers for the possible combinations of
Ethernet and Serial interfaces in the device. The table does not include any other type of interface,
even though a specific router may contain one. An example of this might be an ISDN BRI interface.
The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to
represent the interface.




168
Chapter 7: Lab A: Exploring Encryption Methods

Topology




Objectives
Part 1: (Optional) Build the Network and Configure the PCs

Connect the PCs and configure IP addresses.


Part 2: Decipher a Pre-encrypted Message Using the Vigenere Cipher

Given an encrypted message, a cipher key, and the Vigenere cipher square, decipher the message.


Part 3: Create a Vigenere Cipher Encrypted Message and Decrypt It

Work with a lab partner and agree on a secret password.

Create a secret message using the Vigenere cipher and the key.

Exchange messages and decipher them using the pre-shared key.

Use an interactive Vigenere decoding tool to verify decryption.


Part 4: Use Steganography to Embed a Secret Message in a Graphic7

Create a secret message and save it as a .txt file.

Use S-Tools to embed the secret text message into a .bmp graphic.

Send the graphic to a lab partner to reveal the embedded message.


Background

The Cisco IOS password encryption service uses a Cisco-proprietary algorithm that is based on the Vigenere
cipher. Vigenere is an example of a common type of cipher mechanism called polyalphabetic substitution.
Although not a strong encryption technique, Vigenere serves to illustrate a commonly used encryption and
decryption process.

Note: Students can work in teams of two for this lab.

169
Required Resources
2 switches (Cisco 2960 or comparable)


PC-A (Windows XP or Vista)


PC-B (Windows XP or Vista)


Ethernet cables as necessary



Part 1. (Optional) Build the Network and Configure the PCs
In Part 1 of this lab, you connect the PCs and configure IP addresses. This is not required to perform the lab,
unless you want to copy files between PCs.


Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram, and cable as necessary.

Note: The switches in the topology can be omitted and the PCs connected directly together using a crossover
cable, if desired. This is only necessary if the files used in the lab are to be exchanged by copying them from
one PC to the other, If files are to be exchanged using removable media, such as a flash drive or floppy disk,
no cabling is required.


Step 2: Configure PC host IP settings.

Configure a static IP address and subnet mask for PC-A and PC-B as shown below. A default gateway is not
required because the PCs are on the same local network.

PC-A IP address: 192.168.1.1, Subnet mask 255.255.255.0

PC-B IP address: 192.168.1.2, Subnet mask 255.255.255.0


Step 3: Verify connectivity between PC-A and PC-B.

Ping from PC-A to PC-B.

Are the ping results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.


Part 2. Decipher a Pre-encrypted Message Using the Vigenere Cipher
In Part 2 of this lab, you analyze an encrypted message and decrypt it using a cipher key and the Vigenere
cipher square.


Step 1: Review the encrypted message.

The following message has been encrypted using the Vigenere cipher.

VECIHXEJZXMA

Can you tell what the message says? _________________________

170
Step 2: Review the cipher keyword.

The cipher keyword TCPIP was used to encrypt the message. The same keyword will be used to decrypt or
decipher the message.


Step 3: Review the structure of the Vigenere square.

A standard Vigenere square or table is used with the keyword to decipher the message.




Step 4: Decrypt the message using the keyword and Vigenere square.

a. Use the table below to help you decrypt the message. Start by entering the letters of the encrypted
message in the second row of cells, from left to right.

b. Enter the keyword TCPIP in the top row, repeating the letters until there is a keyword letter for each
letter of the encrypted message, even if the keyword letters at the end do not represent the complete
keyword.




171
c. Refer to the Vigenere square or table shown in Step 3 and find the horizontal row that starts with the
first letter of the keyword (the letter T). Scan across that row and locate the first letter of the encrypted
message in the row (the letter V). The letter at the top of the column where the encrypted message
letter appears is the first letter of the decrypted message (the letter C).

d. Continue this process until you have decrypted the entire message and enter it in the following table.



Cipher
Keyword

Encrypted
Message

Decrypted
Message


Part 3. Create a Vigenere Cipher Encrypted Message and Decrypt It
In Part 3 of this lab, you work with a lab partner and agree on a secret password, referred to as the pre-
shared key. Each lab partner creates a secret message using the Vigenere cipher and the key. Partners
exchange messages and decipher them using their pre-shared key.

Note: If you do not have a partner, you can perform the steps by yourself.


Step 1: Determine the cipher keyword.

With your partner, establish a cipher keyword and enter it here. ___________________________________


Step 2: Create a plain text message and encrypt it (both partners).

Create a plain text (decrypted) message to be encrypted by your partner. _____________________

You can use the following table to help you encrypt the message. You can enter the unencrypted
message and cipher keyword here, but do not let your partner see it.

In the Vigenere table, locate the row that starts with the first letter of the cipher keyword. Next locate the
first letter to be encrypted at the top of the column in the table. The point (cell) at which the table row
(key letter) and column (message letter) intersect is the first letter of the encrypted message.
Continue this process until you have encrypted the entire message.

Note: This table is limited to messages of 12 characters. You can create longer messages if desired.
Message encryption and decryption is not case sensitive.

Cipher
Keyword

Encrypted
Message

Decrypted
Message


172
Step 3: Decrypt the message from your partner.

You can use the following table to help you decrypt your partner™s encrypted message. Enter the
encrypted message from your partner and the cipher keyword.

Use the same procedure described in Part 2, Step 4.

Note: This table is limited to messages of 12 characters. You can create longer messages if desired.

Cipher
Keyword

Encrypted
Message

Decrypted
Message




Step 4: Use an interactive decryption tool to confirm decryption.

A search for “vigenere decode” on the Internet shows that various cipher encryption and decryption tools
are available. Many of these are interactive.

One interactive tool is located at http://sharkysoft.com/misc/vigenere/. Go to this URL. Enter the
encrypted message from your partner in the top part of the screen and the cipher key in the middle.
Click the Decode button to see the clear text version of the message. You can also use this tool to
encrypt messages.

The following example shows using Sharky™s Vigenere Cipher tool for decoding the encrypted message
from Part 1 of the lab.




173
Part 4. Use Steganography to Embed a Secret Message in a Graphic
In Part 4 of this lab, you create a secret message for your partner, embed it into a graphic file, and then give it
to your partner to retrieve it. You embed the message in a graphic file using S-Tools. S-Tools is a
steganography tool that hides files in BMP, GIF, and WAV files. You start by opening S-Tools and then drag
graphics and sounds into the blank window. To hide files, you drag them into open graphics or sound
windows. Data is compressed before being encrypted and then hidden.

Note: The following steps should be performed by both partners, one at PC-A and the other at PC-B. If you
do not have a partner, you can perform the steps by yourself.


Step 1: (Optional) Download and install S-Tools.

If the S-Tools application is not installed on the PC, download it from
http://www.spychecker.com/program/stools.html or another site and unzip the files to a folder.


Step 2: Create a secret message text file (both partners).

On PC-A or PC-B, open the Windows Notepad application and create a message.

a. Save the message in a folder on the desktop and name it secret.txt.

b. Close the Notepad application.


Step 3: Create a simple .bmp graphics file.

Open the Windows Paint application and create a simple graphic. For example, you can write your first
name using the pencil tool or text tool and apply some color using the spray can or fill tool.

a. Save the graphic as a .bmp file in a folder on the desktop and name it graphic.bmp.

b. Close the Paint application.


Step 4: Create a secret password using the Vigenere cipher.

Choose a passphrase to be encrypted using the Vigenere cipher and record it here. ______________ Do
not share the passphrase with your partner. This passphrase will be used later to protect the text file
when it is embedded in the graphics file.

Choose a cipher keyword to be used when encrypting and decrypting the passphrase and record it here.
_________________________

Encrypt the passphrase using the cipher keyword and the procedure described in Part 3, Step 2. Record
the encrypted passphrase here. ________________________________________________


Step 5: Embed the message into a graphic image file.

Open the S-Tools.exe application.

a. Locate the file named graphic.bmp, which you saved previously. Determine its size by right-clicking
the file and selecting Properties. Record the file size, for example 2,359,350 bytes. ______________


174
b. Drag the graphic.bmp file into the S-Tools window.

c. Drag the file secret.txt, which you created in Step 2, and place it inside the graphic.bmp window. The
image should still be displayed. A dialog box is displayed showing the number of bytes being hidden. You
can enter a passphrase and select the encryption algorithm to be used. The default algorithm is IDEA.




Step 6: Use the unencrypted passphrase to protect the embedded text file.

a. Enter the unencrypted passphrase from Step 4 in the Passphrase and Verify passphrase fields.

b. Choose Triple DES from the Encryption Algorithm field and click OK. This creates a second image
with the name “hidden data”.

c. Right-click the hidden data graphic image and choose Save As from the menu. Name the file graphic2
and save it as a bmp file.

d. Close the S-Tools application.


175
Step 7: Provide the graphic2.bmp file to your partner.

Provide a copy of your graphic2.bmp file to your partner. You can do this by sharing folders (if PCs were
cabled together and IP addresses were assigned in Part 1 of the lab). You can also copy the file onto
a removable drive (flash drive or floppy disk), or send it as an email attachment if you are performing
the lab remotely.

Provide your partner with the Vigenere-encrypted passphrase from Step 4 and the cipher keyword that
you used to create it.


Step 8: Decrypt the Vigenere password from your partner.

Decrypt your partner™s passphrase using the procedure described in Part 1, Step 4. This is done so that
you can use it with S-Tools to reveal the hidden message embedded in your partner™s graphic.


Step 9: Reveal the embedded message from your partner.

Open the S-Tools application.

a. Locate the graphic2.bmp file from your partner, and determine how large it is using the same method
as in Step 5. Record the file size here. _______________________________________

b. Has the file size changed? _____

c. Drag the file into the S-Tools window. The image should be displayed. Can you tell that there is a
secret message embedded in the graphic image? _____

d. Right-click the image and choose Reveal from the menu.

e. Enter the Vigenere passphrase decrypted in Step 8 into the Passphrase field.

f. Choose Triple DES from the Encryption Algorithm field and click OK. This displays a revealed
archive.

g. Right-click the hidden message file and choose Save As from the menu. Name the file secret2.txt.

h. Close the S-Tools application.

i. Open the secret2.txt file from your partner to reveal the hidden message and write it here.
_______________________________________________________________________________


Step 10: Reflection

Could the Vigenere cipher be used to decode messages in the field without a computer?
_______________________________________________________________________________

Do an Internet search for Vigenere cipher cracking tools. Is the Vigenere cipher considered a strong
encryption system that is difficult to crack? _____________________________________________




176
Chapter 8: Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and
SDM

Topology




IP Addressing Table

Device Interface IP Address Subnet Mask Default Gateway Switch Port
R1 FA0/1 192.168.1.1 255.255.255.0 N/A S1 FA0/5
S0/0/0 (DCE) 10.1.1.1 255.255.255.252 N/A N/A
R2 S0/0/0 10.1.1.2 255.255.255.252 N/A N/A
S0/0/1 (DCE) 10.2.2.2 255.255.255.252 N/A N/A
R3 FA0/1 192.168.3.1 255.255.255.0 N/A S3 FA0/5
S0/0/1 10.2.2.1 255.255.255.252 N/A N/A
PC-A NIC 192.168.1.3 255.255.255.0 192.168.1.1 S1 FA0/6
PC-C NIC 192.168.3.3 255.255.255.0 192.168.3.1 S3 FA0/18




177
Objectives
Part 1: Basic Router Configuration

Configure host names, interface IP addresses, and access passwords.

Configure the EIGRP dynamic routing protocol.


Part 2: Configure a Site-to-Site VPN Using Cisco IOS

Configure IPsec VPN settings on R1 and R3

Verify site-to-site IPsec VPN configuration

Test IPsec VPN operation


Part 3: Configure a Site-to-Site VPN Using SDM

Configure IPsec VPN settings on R1

Create a mirror configuration for R3

Apply the mirror configuration to R3

Verify the configuration

Test the VPN configuration using SDM


Background

VPNs can provide a secure method of transmitting data over a public network, such as the Internet. VPN
connections can help reduce the costs associated with leased lines. Site-to-Site VPNs typically provide a
secure (IPsec or other) tunnel between a branch office and a central office. Another common implementation
that uses VPN technology is remote access to a corporate office from a telecommuter location such as a
small office or home office.

In this lab, you build a multi-router network and configure the routers and hosts. You use Cisco IOS and SDM
to configure a site-to-site IPsec VPN and test it. The IPsec VPN tunnel is from router R1 to router R3 via R2.
R2 acts as a pass-through and has no knowledge of the VPN. IPsec provides secure transmission of
sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer,
protecting and authenticating IP packets between participating IPsec devices (peers), such as Cisco routers.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T
(Advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary
table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab.
Depending on the router model and Cisco IOS version, the commands available and output produced might
vary from what is shown in this lab.

Note: Make sure that the routers and the switches have been erased and have no startup configurations.


Required Resources

3 routers with SDM 2.5 installed (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)


2 switches (Cisco 2960 or comparable)


PC-A (Windows XP or Vista)


PC-C (Windows XP or Vista)



178
Serial and Ethernet cables as shown in the topology


Rollover cables to configure the routers via the console



Part 1. Basic Router Configuration
In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP
addresses, dynamic routing, device access, and passwords.

Note: All tasks should be performed on routers R1, R2, and R3. The procedure for R1 is shown here as an
example.


Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram, and cable as necessary.


Step 2: Configure basic settings for each router.

a. Configure host names as shown in the topology.

b. Configure the interface IP addresses as shown in the IP addressing table.

c. Configure a clock rate for the serial router interfaces with a DCE serial cable attached.
R1(config)#interface S0/0/0
R1(config-if)#clock rate 64000

Step 3: Disable DNS lookup.

To prevent the router from attempting to translate incorrectly entered commands, disable DNS lookup.
R1(config)#no ip domain-lookup

Step 4: Configure the EIGRP routing protocol on R1, R2, and R3.

a. On R1, use the following commands.
R1(config)#router eigrp 101
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#network 10.1.1.0 0.0.0.3
R1(config-router)#no auto-summary
b. On R2, use the following commands.
R2(config)#router eigrp 101
R2(config-router)#network 10.1.1.0 0.0.0.3
R2(config-router)#network 10.2.2.0 0.0.0.3
R2(config-router)#no auto-summary
c. On R3, use the following commands.
R3(config)#router eigrp 101
R3(config-router)#network 192.168.3.0 0.0.0.255
R3(config-router)#network 10.2.2.0 0.0.0.3
R3(config-router)#no auto-summary




179
Step 5: Configure PC host IP settings.

a. Configure a static IP address, subnet mask, and default gateway for PC-A, as shown in the IP
addressing table.

b. Configure a static IP address, subnet mask, and default gateway for PC-C, as shown in the IP
addressing table.


Step 6: Verify basic network connectivity.

a. Ping from R1 to the R3 Fa0/1 interface at IP address 192.168.3.1.

Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.

b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.

Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from PC-A to PC-C, you have demonstrated that the EIGRP routing protocol is
configured and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses
are correct, use the show run and show ip route commands to help identify routing protocol-related
problems.


Step 7: Configure a minimum password length.
Note: Passwords in this lab are set to a minimum of 10 characters but are relatively simple for the benefit
of performing the lab. More complex passwords are recommended in a production network.
Use the security passwords command to set a minimum password length of 10 characters.
R1(config)#security passwords min-length 10

Step 8: Configure the basic console and vty lines.

a. Configure a console password and enable login for router R1. For additional security, the exec-
timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous
command prevents console messages from interrupting command entry.

Note: To avoid repetitive logins during this lab, the exec-timeout can be set to 0 0, which prevents
it from expiring. However, this is not considered a good security practice.
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
b. Configure the password on the vty lines for router R1.
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login


180
c. Repeat these configurations on both R2 and R3.


Step 9: Encrypt clear text passwords.

a. Use the service password-encryption command to encrypt the console, aux, and vty passwords.

R1(config)#service password-encryption

b. Issue the show run command. Can you read the console, aux, and vty passwords? Why or why not?
________________________________________________________________________

c. Repeat this configuration on both R2 and R3.


Step 10: Save the basic running configuration for all three routers.

Save the running configuration to the startup configuration from the privileged EXEC prompt.
R1#copy running-config startup-config

Step 11: Save the configuration on R1 and R3 for later restoration.

Use HyperTerminal or another means such as copy and paste to save the R1 and R3 running
configurations from Part 1 of this lab and edit them so that they can be used to restore the routers in Part
3 of the lab to configure the VPN with SDM.

Note: When editing the captured running config text, remove all occurrences of “- - More - -.” Remove
any commands that are not related to the items you configured in Part 1 of the lab, such as the Cisco IOS
version number, no service pad, and so on. Many commands are entered automatically by the Cisco IOS
software. Also replace the encrypted passwords with the correct ones specified previously and be sure to
use the no shutdown command for interfaces that need to be enabled.


Part 2. Configure a Site-to-Site VPN with Cisco IOS
In Part 2 of this lab, you configure an IPsec VPN tunnel between R1 and R3 that passes through R2. You will
configure R1 and R3 using the Cisco IOS CLI. You then review and test the resulting configuration.


Task 1. Configure Ipsec VPN Settings on R1 and R3

Step 1: Verify connectivity from the R1 LAN to the R3 LAN.

In this task, you verify that with no tunnel in place, the PC-A on the R1 LAN can ping the PC-C on R3 LAN.

a. From PC-A, ping the PC-C IP address of 192.168.3.3.
PC-A:\>ping 192.168.3.3
b. Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.


Step 2: Enable IKE policies on R1 and R3.

IPsec is an open framework that allows the exchange of security protocols as new technologies, such as
encryption algorithms, are developed.

181
There are two central configuration elements to the implementation of an Ipsec VPN:

Implement Internet Key Exchange (IKE) parameters


Implement Ipsec parameters


a. Verify that IKE is supported and enabled.

IKE Phase 1 defines the key exchange method used to pass and validate IKE policies between
peers. In IKE Phase 2, the peers exchange and match IPsec policies for the authentication and
encryption of data traffic.

IKE must be enabled for Ipsec to function. IKE is enabled by default on IOS images with
cryptographic feature sets. If it is disabled for some reason, you can enable it with the command
crypto isakmp enable. Use this command to verify that the router IOS supports IKE and that it is
enabled.
R1(config)#crypto isakmp enable

R3(config)#crypto isakmp enable


Note: If you cannot execute this command on the router, you need to upgrade the IOS image to one
with a feature set that includes the Cisco cryptographic services.

b. Establish an Internet Security Association and Key Management Protocol (ISAKMP) policy and view
the available options.

To allow IKE Phase 1 negotiation, you must create an ISAKMP policy and configure a peer
association involving that ISAKMP policy. An ISAKMP policy defines the authentication and
encryption algorithms and hash function used to send control traffic between the two VPN endpoints.
When an ISAKMP security association has been accepted by the IKE peers, IKE Phase 1 has been
completed. IKE Phase 2 parameters will be configured later.

Issue the crypto isakmp policy number configuration command on R1 for policy 10.
R1(config)#crypto isakmp policy 10
c. View the various IKE parameters available using Cisco IOS help by typing a question mark (?).
R1(config-isakmp)# ?
ISAKMP commands:
authentication Set authentication method for protection suite
default Set a command to its defaults
encryption Set encryption algorithm for protection suite
exit Exit from ISAKMP protection suite configuration mode
group Set the Diffie-Hellman group
hash Set hash algorithm for protection suite
lifetime Set lifetime for ISAKMP security association
no Negate a command or set its defaults

Step 3: Configure ISAKMP policy parameters on R1 and R3.

Your choice of an encryption algorithm determines how confidential the control channel between the
endpoints is. The hash algorithm controls data integrity, ensuring that the data received from a peer has
not been tampered with in transit. The authentication type ensures that the packet was indeed sent and
signed by the remote peer. The Diffie-Hellman group is used to create a secret key shared by the peers
that has not been sent across the network.


182
a. Configure an authentication type of pre-shared keys. Use AES 256 encryption, SHA as your hash
algorithm, and Diffie-Hellman group 5 key exchange for this IKE policy.

b. Give the policy a life time of 3600 seconds (one hour). Configure the same policy on R3. Older
versions of Cisco IOS do not support AES 256 encryption and SHA as a hash algorithm. Substitute
whatever encryption and hashing algorithm your router supports. Be sure the same changes are made on
the other VPN endpoint so that they are in sync.

Note: You should be at the R1(config-isakmp)# at this point. The crypto isakmp policy 10
command is repeated below for clarity.
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#end

R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 5
R3(config-isakmp)#lifetime 3600
R3(config-isakmp)#end

c. Verify the IKE policy with the show crypto isakmp policy command.
R1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES “ Advanced Encryption Standard (256 bit
keys).
Hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 3600 seconds, no volume limit

Step 4: Configure pre-shared keys.

Because pre-shared keys are used as the authentication method in the IKE policy, configure a key on
each router that points to the other VPN endpoint. These keys must match for authentication to be
successful. The global configuration command crypto isakmp key key-string address
address is used to enter a pre-shared key. Use the IP address of the remote peer, the remote
interface that the peer would use to route traffic to the local router.

Which IP addresses should you use to configure the IKE peers, given the topology diagram and IP
addressing table?
________________________________________________________________________________
________________________________________________________________________________

a. Each IP address that is used to configure the IKE peers is also referred to as the IP address of the
remote VPN endpoint. Configure the pre-shared key of cisco123 on router R1 using the following
command. Production networks should use a complex key. This command points to the remote peer R3
S0/0/1 IP address.
R1(config)#crypto isakmp key cisco123 address 10.2.2.1

183
b. The command for R3 points to the R1 S0/0/0 IP address. Configure the pre-shared key on router R1
using the following command.
R3(config)#crypto isakmp key cisco123 address 10.1.1.1

Step 5: Configure the IPsec transform set and life times.
a. The IPsec transform set is another crypto configuration parameter that routers negotiate to form a
security association. To create an Ipsec transform set, use the crypto ipsec transform-set tag
parameters. Use ? to see which parameters are available.
R1(config)#crypto ipsec transform-set 50 ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
b. On R1 and R3, create a transform set with tag 50 and use an Encapsulating Security Protocol (ESP)
transform with an AES 256 cipher with ESP and the SHA hash function. The transform sets must match.
R1(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
R1(cfg-crypto-trans)#exit

R3(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
R3(cfg-crypto-trans)#exit
c. What is the function of the IPsec transform set?
____________________________________________________________________________________
____________________________________________________________________________

d. You can also change the IPsec security association life times from the default of 3600 seconds or
4,608,000 kilobytes, whichever comes first. On R1 and R3, set the Ipsec security association life time to
30 minutes, or 1800 seconds.
R1(config)#crypto ipsec security-association lifetime seconds 1800

R3(config)#crypto ipsec security-association lifetime seconds 1800

Step 6: Define interesting traffic.

To make use of the Ipsec encryption with the VPN, it is necessary to define extended access lists to tell
the router which traffic to encrypt. A packet that is permitted by an access list used for defining Ipsec
traffic is encrypted if the Ipsec session is configured correctly. A packet that is denied by one of these
access lists is not dropped, but sent unencrypted. Also, like any other access list, there is an implicit
deny at the end, which, in this case, means the default action is to not encrypt traffic. If there is no
Ipsec security association correctly configured, no traffic is encrypted, and traffic is forwarded as
unencrypted.

a. In this scenario, the traffic you want to encrypt is traffic going from R1™s Ethernet LAN to R3™s Ethernet
LAN, or vice versa. These access lists are used outbound on the VPN endpoint interfaces and must
mirror each other.

b. Configure the IPsec VPN interesting traffic ACL on R1.


184
R1(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0
0.0.0.255
c. Configure the IPsec VPN interesting traffic ACL on R3.
R3(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0
0.0.0.255
d. Does IPsec evaluate whether the access lists are mirrored as a requirement to negotiate its security
association?
____________________________________________________________________________________
____________________________________________________________________________


Step 7: Create and apply a crypto map.
A crypto map associates traffic that matches an access list to a peer and various IKE and Ipsec settings.
After the crypto map is created, it can be applied to one or more interfaces. The interfaces that it is
applied to should be the ones facing the Ipsec peer.

To create a crypto map, use the global configuration command crypto map name sequence-num
type to enter the crypto map configuration mode for that sequence number. Multiple crypto map
statements can belong to the same crypto map and are evaluated in ascending numerical order.
Enter the crypto map configuration mode on R1. Use a type of ipsec-isakmp, which means IKE is
used to establish Ipsec security associations.

a. Create the crypto map on R1, name it CMAP, and use 10 as the sequence number. A message will
display after the command is issued.
R1(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
b. Use the match address access-list command to specify which access list defines which traffic
to encrypt.
R1(config-crypto-map)#match address 101
c. To view the list of possible set commands that you can do in a crypto map, use the help function.
R1(config-crypto-map)#set ?
Identity Identity restriction.
Ip Interface Internet Protocol config commands
isakmp-profile Specify isakmp Profile
nat Set NAT translation
peer Allowed Encryption/Decryption peer.
Pfs Specify pfs settings
security-association Security association parameters
transform-set Specify list of transform sets in priority order
d. Setting a peer IP or host name is required, so set it to R3™s remote VPN endpoint interface using the
following command.
R1(config-crypto-map)#set peer 10.2.2.1
e. Hard code the transform set to be used with this peer, using the set transform-set tag
command. Set the perfect forwarding secrecy type using the set pfs type command, and also modify
the default IPsec security association life time with the set security-association lifetime
seconds seconds command.
R1(config-crypto-map)#set pfs group5
R1(config-crypto-map)#set transform-set 50


185
R1(config-crypto-map)#set security-association lifetime seconds 900
R1(config-crypto-map)#exit
f. Create a mirrored matching crypto map on R3.
R3(config)#crypto map CMAP 10 ipsec-isakmp
R3(config-crypto-map)#match address 101
R3(config-crypto-map)#set peer 10.1.1.1
R3(config-crypto-map)#set pfs group5
R3(config-crypto-map)#set transform-set 50
R3(config-crypto-map)#set security-association lifetime seconds 900
R3(config-crypto-map)#exit
g. The last step is applying the maps to interfaces. Note that the security associations (SAs) will not be
established until the crypto map has been activated by interesting traffic. The router will generate a
notification that crypto is now on.

h. Apply the crypto maps to the appropriate interfaces on R1 and R3.
R1(config)#interface S0/0/0
R1(config-if)#crypto map CMAP
*Jan 28 04:09:09.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#end

R3(config)#interface S0/0/1
R3(config-if)#crypto map CMAP
*Jan 28 04:10:54.138: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config)#end

Task 2. Verify Site-to-Site IPsec VPN Configuration

Step 1: Verify the Ipsec configuration on R1 and R3.

Previously, you used the show crypto isakmp policy command to show the configured ISAKMP
policies on the router. Similarly, the show crypto ipsec transform-set command displays the
configured Ipsec policies in the form of the transform sets.
R1#show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },


R3#show crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac }
will negotiate = { Tunnel, },

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },




186
Use the show crypto map command to display the crypto maps that will be applied to the router.
R1#show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
Peer = 10.2.2.1
Extended IP access list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Current peer: 10.2.2.1
Security association lifetime: 4608000 kilobytes/900 seconds
PFS (Y/N): Y
DH group: group5
Transform sets={
50: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map MYMAP: Serial0/0/0

R3#show crypto map
Crypto Map "CMAP" 10 ipsec-isakmp
Peer = 10.1.1.1
Extended IP access list 101
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Current peer: 10.1.1.1
Security association lifetime: 4608000 kilobytes/900 seconds
PFS (Y/N): Y
DH group: group5
Transform sets={
50: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map MYMAP: Serial0/0/1
Note: The output of these show commands does not change if interesting traffic goes across the
connection. You test various types of traffic in the next task.


Task 3. Verify IPsec VPN Operation

Step 1: Display isakmp security associations.

The show crypto isakmp sa command reveals that no IKE Sas exist yet. When interesting traffic is
sent, this command output will change.
R1#show crypto isakmp sa

dst src state conn-id slot status

Step 2: Display Ipsec security associations.

The show crypto ipsec sa command shows the unused SA between R1 and R3. Note the number
of packets sent across and the lack of any security associations listed toward the bottom of the
output. The output for R1 is shown here.
R1#show crypto ipsec sa

interface: Serial0/0/0
Crypto map tag: CMAP, local addr 10.1.1.1

protected vrf: (none)

187
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. Failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)

inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
a. Why have no security associations (SAs) been negotiated?
____________________________________________________________________________________
____________________________________________________________________________


Step 3: Generate some uninteresting test traffic and observe the results.

Ping from R1 to the R3 S0/0/1 interface IP address 10.2.2.1. Were the pings successful? _____

Issue the show crypto isakmp sa command. Was an SA created between R1 and R3? _____

Ping from R1 to the R3 Fa01 interface IP address 192.168.3.1. Were the pings successful? _____

a. Issue the show crypto isakmp sa command again. Was an SA created for these pings? Why or
why not?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________

b. Issue the command debug eigrp packets. You should see EIGRP hello packets passing between
R1 and R3.
R1#debug eigrp packets
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB,
SIAQUERY, SIAREPLY)
R1#
*Jan 29 16:05:41.243: EIGRP: Received HELLO on Serial0/0/0 nbr 10.1.1.2
*Jan 29 16:05:41.243: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ
un/rely 0/0 pe
erQ un/rely 0/0
*Jan 29 16:05:41.887: EIGRP: Sending HELLO on Serial0/0/0
*Jan 29 16:05:41.887: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ
un/rely 0/0
R1#


188
*Jan 29 16:05:43.143: EIGRP: Sending HELLO on FastEthernet0/1
*Jan 29 16:05:43.143: AS 101, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ
un/rely 0/0
R1#
Turn off debugging with the no debug eigrp packets or undebug all command.

Issue the show crypto isakmp sa command again. Was an SA created between R1 and R3? Why or
why not?
________________________________________________________________________________
________________________________________________________________________________


Step 4: Generate some interesting test traffic and observe the results.

a. Use an extended ping from R1 to the R3 Fa01 interface IP address 192.168.3.1. Extended ping allows
you to control the source address of the packets. Respond as shown in the following example. Press
enter to accept the defaults, except where a specific response is indicated.
R1#ping
Protocol [ip]:
Target IP address: 192.168.3.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/92/92 ms
b. Issue the show crypto isakmp sa command again.
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.2.2.1 10.1.1.1 QM_IDLE 1001 0 ACTIVE
c. Why was an SA created between R1 and R3 this time?
____________________________________________________________________________________
____________________________________________________________________________

d. What are the endpoints of the IPsec VPN tunnel? ________________________________________

e. Ping from PC-A to PC-C. Were the pings successful? _____

f. Issue the show crypto ipsec sa command. How many packets have been transformed between
R1 and R3?
_____________________________________________________________________R1#show crypto

<<

. 6
( 9)



>>