
Basic Cisco VPN Commands

A Cisco Certification Exam Review

By Chris Bryant, CCIE #12933

ISAKMP is enabled by default - but just in case, here's how to enable it.

R1(config)#crypto isakmp enable

To view the default policy (note how weak the defaults are: 56-bit DES and 768-bit Diffie-Hellman group 1, so in practice you always configure a policy of your own):

R1#show crypto isakmp policy

Global IKE policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

 

Creating an additional policy, with all options shown:

R1(config)#crypto isakmp policy 100
R1(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature

R1(config-isakmp)#authentication pre-share

R1(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).

R1(config-isakmp)#encryption 3des

R1(config-isakmp)#group ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5

R1(config-isakmp)#group 5

R1(config-isakmp)#hash ?
md5 Message Digest 5
sha Secure Hash Standard

R1(config-isakmp)#hash md5

R1(config-isakmp)#lifetime ?
<60-86400> lifetime in seconds

R1(config-isakmp)#lifetime 43200

 

Viewing all policies:

R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 100
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 43200 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

 

Creating a policy, options not shown:

R2(config)#crypto isakmp policy 100
R2(config-isakmp)#hash md5
R2(config-isakmp)#lifetime 40000
R2(config-isakmp)#group 5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#encryption 3des

Creating an IKE pre-shared key, options shown. Type 0 means the key that follows is entered in cleartext; the same key must be configured on the peer for its address:

R1(config)#crypto isakmp key ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow

R1(config)#crypto isakmp key 0 ?
WORD The UNENCRYPTED (cleartext) user password

R1(config)#crypto isakmp key 0 CCNP ?
address define shared key with IP address
hostname define shared key with hostname

R1(config)#crypto isakmp key 0 CCNP address ?
A.B.C.D Peer IP address

R1(config)#crypto isakmp key 0 CCNP address 172.12.123.2

Creating a transform set, options shown on R1, not shown on R2. Keep in mind that ah-md5-hmac is an AH transform: it gives you integrity and origin authentication only, with no encryption of the payload. For confidentiality you need an ESP transform, for example esp-aes with esp-sha-hmac.

R1(config)#crypto ipsec transform-set R1_TRANSFORM_SET ah-md5-hmac
R1(cfg-crypto-trans)#?
Crypto transform configuration commands:
default Set a command to its defaults
exit Exit from crypto transform configuration mode
mode encapsulation mode (transport/tunnel)
no Negate a command or set its defaults

R1(cfg-crypto-trans)#mode tunnel

R2(config)#crypto ipsec transform-set R2_TRANSFORM_SET ah-md5-hmac
R2(cfg-crypto-trans)#mode tunnel

Defining IPSec SA lifetime:

R1(config)#crypto ipsec security-association lifetime seconds 1800

Writing and applying a crypto access list and map. The crypto ACL defines the traffic to be protected, and the peer's crypto ACL must be the mirror image of this one:

access-list 123 permit ip 172.10.1.0 0.0.0.255 172.10.5.0 0.0.0.255

access-list 123 permit ip 172.10.5.0 0.0.0.255 172.10.1.0 0.0.0.255

R1(config)#crypto map CCNP 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#match address 123
R1(config-crypto-map)#set peer 172.12.123.2
R1(config-crypto-map)#set transform-set R1_TRANSFORM_SET

R1(config-crypto-map)#interface serial 0/1
R1(config-if)#crypto map CCNP
R1(config-if)#
*Apr 1 17:27:04.807: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
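The commands above are easy to get wrong in ways the router will happily accept: a weak ISAKMP policy, an AH-only transform set that never encrypts, a crypto ACL that is not mirrored on the peer. The following script is an added example, not part of the original article or any Cisco tool: it runs over a constructed IOS-style running-config assembled from the R1 commands on this page (IOS stores "encryption" as "encr") and flags the settings a practitioner would question today. The thresholds it applies (MD5, DES/3DES, Diffie-Hellman groups under 2048 bits, AH-only transform sets, type 0 pre-shared keys) and the function names are this script's own assumptions.

```python
"""Lint the IKE/IPsec settings shown on this page (added example, not the
page's own code). Weakness thresholds are this script's assumptions."""
import re
from typing import Dict, List

# Defaults the page's "show crypto isakmp policy" reports for the default suite.
ISAKMP_DEFAULTS = {
    "encryption": "des", "hash": "sha", "authentication": "rsa-sig",
    "group": "1", "lifetime": "86400",
}

# Modulus sizes of the DH groups listed under "group ?" on the page, plus 14.
DH_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048}

# Constructed running-config built from the R1 commands on the page; not
# captured from a real router.
SAMPLE_CONFIG = """\
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 43200
crypto isakmp key 0 CCNP address 172.12.123.2
crypto ipsec transform-set R1_TRANSFORM_SET ah-md5-hmac
 mode tunnel
crypto map CCNP 100 ipsec-isakmp
 set peer 172.12.123.2
 set transform-set R1_TRANSFORM_SET
 match address 123
access-list 123 permit ip 172.10.1.0 0.0.0.255 172.10.5.0 0.0.0.255
"""

POLICY_RE = re.compile(r"crypto isakmp policy (\d+)$")
ATTR_RE = re.compile(r"(encr|encryption|hash|authentication|group|lifetime) (\S+)$")
TSET_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)$")
ACL_RE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Map policy priority -> attributes, filling unset ones with IOS defaults."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        m = POLICY_RE.match(raw)
        if m:
            current = int(m.group(1))
            policies[current] = dict(ISAKMP_DEFAULTS)
            continue
        if current is None or not raw.startswith(" "):
            current = None  # a non-indented line ends the policy sub-mode
            continue
        m = ATTR_RE.match(raw.strip())
        if m:
            key = "encryption" if m.group(1) == "encr" else m.group(1)
            policies[current][key] = m.group(2)
    return policies


def parse_transform_sets(config: str) -> Dict[str, List[str]]:
    """Map transform-set name -> list of transforms, e.g. ['ah-md5-hmac']."""
    sets: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = TSET_RE.match(line.strip())
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def mirror_acl(config: str, number: int) -> List[str]:
    """Return the mirror-image entries the peer needs for crypto ACL <number>."""
    mirrored = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and int(m.group(1)) == number:
            _, src, src_wc, dst, dst_wc = m.groups()
            mirrored.append(f"access-list {number} permit ip {dst} {dst_wc} {src} {src_wc}")
    return mirrored


def audit(config: str) -> List[str]:
    """Return human-readable findings for weak IKE/IPsec settings."""
    findings = []
    for prio, p in parse_isakmp_policies(config).items():
        tag = f"isakmp policy {prio}"
        if p["encryption"] == "des":
            findings.append(f"{tag}: DES (56-bit) is broken; use aes")
        elif p["encryption"] == "3des":
            findings.append(f"{tag}: 3DES is legacy; prefer aes")
        if p["hash"] == "md5":
            findings.append(f"{tag}: MD5 is weak; use sha")
        bits = DH_BITS.get(p["group"], 0)
        if bits < 2048:
            findings.append(f"{tag}: DH group {p['group']} is {bits}-bit, below 2048-bit")
    for name, transforms in parse_transform_sets(config).items():
        # ESP transforms that are not HMACs are the ciphers; AH never encrypts.
        ciphers = [t for t in transforms if t.startswith("esp-") and not t.endswith("-hmac")]
        if not ciphers or "esp-null" in ciphers:
            findings.append(f"transform-set {name}: integrity only, no encryption (use esp-aes)")
        if "esp-des" in ciphers or "esp-3des" in ciphers:
            findings.append(f"transform-set {name}: legacy DES/3DES cipher")
        if any(t.endswith("md5-hmac") for t in transforms):
            findings.append(f"transform-set {name}: MD5 HMAC is weak; use sha")
    if re.search(r"^crypto isakmp key 0 ", config, re.M):
        findings.append("pre-shared key entered as type 0 (stored in cleartext)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN", finding)
    print("peer-side crypto ACL:", *mirror_acl(SAMPLE_CONFIG, 123), sep="\n  ")
```

Run against the page's own R1 configuration the script reports six findings, all of which the router accepted silently; run against a policy using aes, sha and group 14 with an esp-aes/esp-sha-hmac transform set it reports none. The mirror_acl output is what belongs in R2's access-list 123.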

Finally, here are three valuable VPN show commands. In the first output, QM_IDLE means the IKE Phase 1 SA has been established and authenticated and the peers are ready for Quick Mode (Phase 2) negotiation.

R2#show crypto isakmp sa
dst src state conn-id slot status
172.12.123.1 172.12.123.2 QM_IDLE 1 0 ACTIVE

R2#show crypto map
Crypto Map "CCNP" 100 ipsec-isakmp
Peer = 172.12.123.1
Extended IP access list 123
access-list 123 permit ip host 172.12.123.2 host 172.12.123.1
Current peer: 172.12.123.1
Security association lifetime: 4608000 kilobytes/1800 seconds
PFS (Y/N): N
Transform sets={
R2_TRANSFORM_SET,
}
Interfaces using crypto map CCNP:
Serial0/1

R2#show crypto ipsec transform-set
Transform set R3_TRANSFORM_SET: { ah-md5-hmac }
will negotiate = { Tunnel, },

Transform set R2_TRANSFORM_SET: { ah-md5-hmac }
will negotiate = { Tunnel, },

To your success,

Chris Bryant

CCIE #12933

chris@thebryantadvantage.com
