FREE CCNA Security Lab: Configuring a Site-to-Site IPsec VPN for the CCNA exam

FREE CCNA Lab: CCNA Security – Configuring a Site-to-Site IPsec VPN for the CCNA Security exam.

Guided step-by-step Lab Guide and Assessment PDF: http://bit.ly/2WwwZhF
Lab Guide and Assessment PDF only: http://bit.ly/2H9A7L6
Assessment File: Assessment – CCNA Security IPsec VPN.zip: http://bit.ly/2VPDQFL
Answer File: Answer – CCNA Security IPsec VPN.zip: http://bit.ly/2LyWP3l
Playlist: http://bit.ly/2DjEhxm

Connect with Brian:
Twitter: https://twitter.com/65Briangallagh
LinkedIn: https://www.linkedin.com/in/bgallagh/

Connect with David:
Twitter: https://twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal/
LinkedIn: https://www.linkedin.com/in/davidbombal/

ACME Corporation has been really satisfied with your work to date. However, during a recent failover scenario in which the backup GRE tunnel was in use, some data was found to have been intercepted as it travelled across the unencrypted tunnel. Fortunately, the data was not sensitive. However, the CIO of ACME Corp has asked that the GRE tunnel be replaced with an IPsec VPN connection between the Branch and HQ routers.
The GRE tunnel should be removed from the device configuration. The IPsec VPN should be established between the internet-facing interfaces of the Branch and HQ routers.
The following parameters, taken from the brief given by the CIO, must be adhered to:

The Phase 1 ISAKMP policy should follow the below setup.

Policy Number : 10
H – Hash algorithm : sha
A – Authentication (Pre-Share or RSA) : Pre-Shared key
G – Group (Diffie Hellman Group exchange) : Group 5 (max supported in PT)
L – Lifetime (SA or Security Association lifetime) : 86400
E – Encryption (DES, 3DES or AES) : AES256

ISAKMP Key : VPNkey123!

The Phase 2 IPsec policy should follow the below setup.

The name of the cypher text transformation set should be VPN-TSET
The cypher text transformation should use esp-aes and esp-sha-hmac

The attached Site-to-Site IPsec VPN should follow the below setup.

Name : VPN-MAP
Type : IPSEC-ISAKMP
Description : IPsec VPN connection to HQ
Peer IP Address : Outside Interface IP on both Routers
IPsec transformation: VPN-TSET
Interesting Traffic : Access-list 150 on both Routers
Branch 10.1.0.0 /16 to HQ 172.16.0.0 /16
HQ 172.16.0.0 /16 to Branch 10.1.0.0 /16
The ACL used should have a single statement on each router to reflect the above criteria.
Clients on the Branch office LAN network must still be able to reach all internet resources by name and IP addressing. Traffic from LAN Clients should not be translated. Traffic from the Branch LAN to the HQ Server farm and Data Centre Networks should travel across the IPsec VPN. Any interesting traffic identifier used on the Branch router for the existing NAT mode must use number 100 and have only two entries as follows:

Interesting Traffic for NAT : Access-list 100 on Branch Router ONLY
NAT Exemption Rule : 10.1.0.0 /16 to HQ 172.16.0.0 /16
NAT Traffic : 10.1.0.0 /16 to anywhere else
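
As an added example (not taken from the lab's answer file), the Branch-side Cisco IOS configuration implied by the brief above might look like this. `<HQ_OUTSIDE_IP>`, `<OUTSIDE_INTERFACE>` and `<TUNNEL_NUMBER>` are placeholders for values the brief does not state, and the crypto map sequence number 10 is an assumption.

```cisco
! Added example: Branch router. Replace the <PLACEHOLDERS> with the lab's values.
! Remove the unencrypted GRE backup tunnel.
no interface Tunnel<TUNNEL_NUMBER>
!
! Phase 1 (ISAKMP) policy 10: the HAGLE parameters from the brief.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Pre-shared key, bound to the peer's outside address.
crypto isakmp key VPNkey123! address <HQ_OUTSIDE_IP>
!
! Phase 2 transform set: ESP with AES encryption and SHA-HMAC integrity.
crypto ipsec transform-set VPN-TSET esp-aes esp-sha-hmac
!
! Interesting traffic for the VPN: a single statement, Branch LAN to HQ.
! A /16 prefix is the wildcard mask 0.0.255.255.
! The HQ router uses the mirror image (172.16.0.0 to 10.1.0.0).
access-list 150 permit ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
! Crypto map tying peer, transform set and ACL together.
! Sequence number 10 is an assumption; the brief does not specify one.
crypto map VPN-MAP 10 ipsec-isakmp
 description IPsec VPN connection to HQ
 set peer <HQ_OUTSIDE_IP>
 set transform-set VPN-TSET
 match address 150
!
! Apply the crypto map to the internet-facing interface.
interface <OUTSIDE_INTERFACE>
 crypto map VPN-MAP
!
! NAT ACL 100, two entries, order matters: the deny must come first so
! that traffic to HQ is exempt from NAT and still matches ACL 150 with
! its original 10.1.x.x source. Everything else is translated.
no access-list 100
access-list 100 deny ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
```

After generating traffic from a Branch PC to an HQ address, `show crypto isakmp sa` and `show crypto ipsec sa` show whether the tunnel came up and whether the encapsulated and decapsulated packet counters are increasing.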

Ensure that both PC1 and PC2 can ping the following addresses:

HQ server farm IP Addresses
172.16.1.100
172.16.2.100
172.16.3.100
172.16.4.100

Data Centre networks
172.16.51.100
172.16.51.101
172.16.51.102
172.16.51.103

You will be able to Check Results for your score and use this as possible hints and tips as to what to check to get the 100% score. There are connectivity tests built into this Packet Tracer scenario to test the successful pings in the last verification step. You must ensure these tests are completed to ensure that you receive the 100% from the assessment.