Hi,
Here are the show run outputs needed to configure a Site-to-Site VPN.
When you configure a Site-to-Site VPN you have to take care of five fundamental points: the ISAKMP (IKE phase 1) policy together with the pre-shared key for the peer, the IPsec transform set (phase 2), the crypto ACL that defines the interesting traffic, the crypto map that ties the three together, and the outside interface the crypto map is applied to. The first four have to line up with the other router (the crypto ACL as a mirror image), otherwise the negotiation fails.
The policy ISAKMP will use (phase 1)
crypto isakmp key cisco address 1.1.1.2 << Sets the peer's IP address and the PSK. "cisco" is a lab value; in production use a long random secret and configure the same one on both peers
crypto isakmp keepalive 10 periodic << Interval (seconds) at which the router checks that the peer is still alive (Dead Peer Detection)
crypto isakmp policy 10 << Phase 1 policy the VPN will use; it must match on the peer. No hash is set, so IOS defaults to SHA-1; SHA-1 and DH group 5 are fine for a lab but are legacy today (prefer SHA-2 and group 14 or higher when both ends support it)
encr aes 256
authentication pre-share
group 5
lifetime 3600
The encryption the VPN will use (phase 2), the interesting traffic and the crypto map
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 << Interesting traffic: local LAN to remote LAN; the peer's ACL must be the exact mirror
crypto map ESW1_To_ESW2 10 ipsec-isakmp << Ties peer, transform set and ACL together; it has to be applied to the interface facing the outside
set peer 1.1.1.2
set transform-set TS1
match address 101 << Number of the access list that defines the interesting traffic
interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map ESW1_To_ESW2 << Enables the VPN on the interface
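Because every one of the five points has to match (or mirror) the other router, a quick way to catch a typo before opening a debug session is to diff the two configs programmatically. The script below is an added example, not code from the original post: it parses the crypto-relevant lines of each router's show run and cross-checks the phase 1 policy, the pre-shared key and peer address, the transform set, the crypto ACL mirror and the interface the crypto map sits on. The two configs are reconstructed from the ESW1 and ESW2 snippets on this page; the parser only understands the commands those snippets use.

```python
"""Cross-check two Cisco IOS site-to-site VPN configs for mirror consistency.

Added example, not part of the original post. The configs below are
reconstructed from the ESW1/ESW2 show run output on this page.
"""

ESW1_CFG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 1.1.1.2
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
crypto map ESW1_To_ESW2 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set TS1
 match address 101
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 crypto map ESW1_To_ESW2
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
"""
ESW2_CFG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 1.1.1.1
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
crypto map ESW2_To_ESW1 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS1
 match address 101
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 crypto map ESW2_To_ESW1
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
"""


def parse_cfg(text):
    """Extract policy, PSK, transform set, crypto map, interface and ACL data."""
    cfg = {"policy": {}, "psk": {}, "ts": {}, "cmap": {}, "intf": {}, "acl": {}}
    block = None                      # (section kind, name) of the open indented block
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):  # top-level command: opens or closes a block
            block = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                block = ("policy", w[3]); cfg["policy"][w[3]] = {}
            elif w[:3] == ["crypto", "isakmp", "key"]:
                cfg["psk"][w[5]] = w[3]            # key <secret> address <peer>
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["ts"][w[3]] = " ".join(w[4:])
            elif w[:2] == ["crypto", "map"] and len(w) > 4:
                block = ("cmap", w[2]); cfg["cmap"][w[2]] = {}
            elif w[0] == "interface":
                block = ("intf", w[1]); cfg["intf"][w[1]] = {}
            elif w[0] == "access-list" and w[2] == "permit":
                cfg["acl"].setdefault(w[1], []).append(tuple(w[4:8]))
        elif block:                   # indented line belongs to the open block
            kind, name = block
            if kind == "policy":
                cfg["policy"][name][w[0]] = " ".join(w[1:])
            elif kind == "cmap" and w[0] in ("set", "match"):
                cfg["cmap"][name][w[1]] = w[2]    # peer / transform-set / address
            elif kind == "intf" and w[:2] in (["ip", "address"], ["crypto", "map"]):
                cfg["intf"][name][w[1]] = w[2]    # address -> IP, map -> crypto map name
    return cfg


def outside(cfg):
    """(IP, crypto map name) of the interface the crypto map is applied to."""
    for i in cfg["intf"].values():
        if "map" in i and "address" in i:
            return i["address"], i["map"]
    return None, None


def check_pair(a, b):
    """Problems in a's view of peer b; run it in both directions."""
    problems = []
    for seq, pol in a["policy"].items():        # 1. phase 1 policy must match
        if pol != b["policy"].get(seq):
            problems.append(f"isakmp policy {seq} differs: {pol} vs {b['policy'].get(seq)}")
    a_ip, a_map = outside(a)
    b_ip, b_map = outside(b)
    if not a_map or not b_map:
        return problems + ["crypto map not applied on an interface with an IP address"]
    cm, pm = a["cmap"].get(a_map, {}), b["cmap"].get(b_map, {})
    if cm.get("peer") != b_ip:                   # 4. crypto map points at the peer
        problems.append(f"{a_map}: set peer {cm.get('peer')} but peer's outside is {b_ip}")
    if not a["psk"].get(b_ip) or a["psk"][b_ip] != b["psk"].get(a_ip):   # PSK
        problems.append(f"PSK for {b_ip} missing or differs from peer's PSK for {a_ip}")
    ts = a["ts"].get(cm.get("transform-set"))   # 2. a transform set the peer also has
    if ts is None or ts not in b["ts"].values():
        problems.append(f"transform set {cm.get('transform-set')} ({ts}) has no match on peer")
    mine = set(a["acl"].get(cm.get("address"), []))             # 3. crypto ACL mirror
    theirs = {(d, dw, s, sw) for s, sw, d, dw in b["acl"].get(pm.get("address"), [])}
    if not mine or mine != theirs:
        problems.append(f"ACL {cm.get('address')} is not the mirror of peer ACL {pm.get('address')}")
    return problems


if __name__ == "__main__":
    esw1, esw2 = parse_cfg(ESW1_CFG), parse_cfg(ESW2_CFG)
    print("ESW1 -> ESW2:", check_pair(esw1, esw2) or "OK")
    print("ESW2 -> ESW1:", check_pair(esw2, esw1) or "OK")
```

Run it in both directions: a peer address or key that is right on one side but wrong on the other only shows up from that side's point of view. Changing "group 5" to "group 14" on one router, or the destination network in one ACL, is reported before you touch the CLI.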
These are the results of the "show" commands once the VPN negotiation has finished. What to look for: an ISAKMP SA in state ACTIVE (phase 1 is up) and an inbound and an outbound ESP SA, both ACTIVE, whose encaps/decaps counters grow in both directions (phase 2 is up and passing traffic).
ESW1#sh crypto isa sa de
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime
1001 1.1.1.1 1.1.1.2 ACTIVE aes sha psk 5 00:56:46
Engine-id:Conn-id = SW:1
IPv6 Crypto ISAKMP SA
ESW1#sh crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: ESW1_To_ESW2, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xA1B8D655(2713245269)
inbound esp sas:
spi: 0xC80C0CAA(3356232874)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: ESW1_To_ESW2
sa timing: remaining key lifetime (k/sec): (4492924/3382)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA1B8D655(2713245269)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: ESW1_To_ESW2
sa timing: remaining key lifetime (k/sec): (4492924/3380)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Router 1 configuration (ESW1)
ESW1#sh run
<--OMITIDO-->
hostname ESW1
<--OMITIDO>
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco address 1.1.1.2
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
!
crypto map ESW1_To_ESW2 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set TS1
match address 101
!
<--OMITIDO-->
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map ESW1_To_ESW2
!
<--OMITIDO-->
!
ip route 10.10.20.0 255.255.255.0 1.1.1.2
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
no cdp log mismatch duplex
!
<--OMITIDO-->
end
Router 2 configuration (ESW2)
ESW2#sh run
Building configuration...
<--OMITIDO-->
!
hostname ESW2
!
<--OMITIDO-->
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key cisco address 1.1.1.1
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
!
crypto map ESW2_To_ESW1 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set TS1
match address 101
!
<--OMITIDO-->
!
!
interface FastEthernet0/0
ip address 10.10.20.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 1.1.1.2 255.255.255.0
duplex auto
speed auto
crypto map ESW2_To_ESW1
!
<--OMITIDO-->
!
ip route 10.10.10.0 255.255.255.0 1.1.1.1
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
no cdp log mismatch duplex
!
<--OMITIDO-->
!
end
These are the results of the "show" commands on Router 2 once the VPN negotiation has finished
ESW2#sh crypto isa sa de
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 1.1.1.2 1.1.1.1 ACTIVE aes sha psk 5 00:55:27 D
Engine-id:Conn-id = SW:1
IPv6 Crypto ISAKMP SA
ESW2#sh crypto ipse sa
interface: FastEthernet0/1
Crypto map tag: ESW2_To_ESW1, local addr 1.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xC80C0CAA(3356232874)
inbound esp sas:
spi: 0xA1B8D655(2713245269)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: ESW2_To_ESW1
sa timing: remaining key lifetime (k/sec): (4468820/3320)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC80C0CAA(3356232874)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: ESW2_To_ESW1
sa timing: remaining key lifetime (k/sec): (4468820/3319)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
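The two show crypto ipsec sa captures above are what a healthy tunnel looks like, and they can be checked against each other: ESW1's outbound SPI (0xA1B8D655) is ESW2's inbound SPI and vice versa, both transforms read esp-256-aes esp-sha-hmac, the local/remote identities are mirrored, and packets are being encapsulated and decapsulated on both ends. The script below is an added example, not code from the original post: it parses those fields from each end's output and reports anything that does not line up. The two captures are trimmed copies of the ESW1 and ESW2 output on this page (including the single send error on ESW2).

```python
"""Health-check a site-to-site tunnel from both ends' `show crypto ipsec sa`.

Added example, not part of the original post. The captures are trimmed
copies of the ESW1/ESW2 output shown on this page.
"""
import re

ESW1_IPSEC = """\
interface: FastEthernet0/1
    Crypto map tag: ESW1_To_ESW2, local addr 1.1.1.1
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
   current_peer 1.1.1.2 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0
     current outbound spi: 0xA1B8D655(2713245269)
     inbound esp sas:
      spi: 0xC80C0CAA(3356232874)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xA1B8D655(2713245269)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
"""
ESW2_IPSEC = """\
interface: FastEthernet0/1
    Crypto map tag: ESW2_To_ESW1, local addr 1.1.1.2
   local  ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0
     current outbound spi: 0xC80C0CAA(3356232874)
     inbound esp sas:
      spi: 0xA1B8D655(2713245269)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xC80C0CAA(3356232874)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
"""


def parse_ipsec_sa(text):
    """Pull proxy identities, counters and per-direction ESP SA details."""
    sa = {"esp": {}}
    side = None                              # "inbound"/"outbound" while inside an ESP SA list
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"(inbound|outbound) (\w+) sas:", line):
            side = m[1] if m[2] == "esp" else None   # ignore the (empty) ah/pcp lists
            if side:
                sa["esp"][side] = {}
        elif m := re.match(r"(local|remote)\s+ident .*?: \((\S+?)/(\S+?)/", line):
            sa[m[1]] = (m[2], m[3])          # (network, mask) taken from the crypto ACL
        elif m := re.match(r"current_peer (\S+) port (\d+)", line):
            sa["peer"], sa["port"] = m[1], int(m[2])
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            sa[m[1]] = int(m[2])
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            sa["send_err"], sa["recv_err"] = int(m[1]), int(m[2])
        elif side and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            sa["esp"][side]["spi"] = m[1]
        elif side and (m := re.match(r"transform: (.+)", line)):
            sa["esp"][side]["transform"] = m[1].strip(" ,")
        elif side and (m := re.match(r"Status: (\w+)", line)):
            sa["esp"][side]["status"] = m[1]
    return sa


def check_tunnel(a, b):
    """Findings for tunnel end a, cross-checked against its peer b."""
    findings = []
    for side, other in (("inbound", "outbound"), ("outbound", "inbound")):
        mine, theirs = a["esp"].get(side, {}), b["esp"].get(other, {})
        if mine.get("spi") != theirs.get("spi"):     # our inbound SPI is the peer's outbound
            findings.append(f"{side} SPI {mine.get('spi')} != peer {other} SPI {theirs.get('spi')}")
        if mine.get("transform") != theirs.get("transform"):
            findings.append(f"{side} transform {mine.get('transform')} != peer {theirs.get('transform')}")
        if mine.get("status") != "ACTIVE":
            findings.append(f"{side} ESP SA status is {mine.get('status')}")
    if a.get("local") != b.get("remote") or a.get("remote") != b.get("local"):
        findings.append("proxy identities are not mirrored (check the crypto ACLs)")
    if not a.get("encaps") or not a.get("decaps"):
        findings.append("traffic is not flowing in both directions")
    if a.get("send_err") or a.get("recv_err"):
        findings.append(f"send errors {a['send_err']}, recv errors {a['recv_err']}")
    return findings


if __name__ == "__main__":
    esw1, esw2 = parse_ipsec_sa(ESW1_IPSEC), parse_ipsec_sa(ESW2_IPSEC)
    print("ESW1:", check_tunnel(esw1, esw2) or "OK")
    print("ESW2:", check_tunnel(esw2, esw1) or "OK")
```

On the captures above ESW1 comes back clean and ESW2 reports only its send error counter. A single send error right after bring-up is what you normally see when the first packet of the interesting traffic (the ping that triggered IKE) is dropped while the SAs are still being negotiated; a counter that keeps growing, or encaps without matching decaps on the other end, is the real warning sign and usually means the return traffic is not being routed into the tunnel or is being filtered upstream.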