subscribe

GNS3 Labs: IPsec VPN with NAT across BGP Internet routers: Wireshark captures. Answers Part 2

GNS3 Topology: https://goo.gl/p7p8pq
Get the VPN Config Generator and all my videos as part of a subscription here: https://goo.gl/mJMZGW
Cisco documentation: https://goo.gl/hjmdFR

For lots more content, visit http://www.davidbombal.com – learn about GNS3, CCNA, Packet Tracer, Python, Ansible and much, much more.

VPN Configuration:

======================================================
! CONFIG FOR: C1 !
! ======================================================

access-list 100 remark ****** Link to C2 ******
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat inside source route-map nonat interface G0/1 overload
!
route-map nonat permit 10
match ip address 101
!
crypto isakmp policy 10
hash md5
authentication pre-share
encryption 3des
group 2
lifetime 86400
!
crypto isakmp key cisco123 address 8.8.11.2
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
!
crypto map mymap 1 ipsec-isakmp
description ****** Link to C2 ******
set peer 8.8.11.2
set transform-set myset
set pfs group2
match address 100
set security-association lifetime seconds 86400
set security-association lifetime kilobytes 4608000
!
interface G0/1
crypto map mymap
ip nat outside
!
interface G0/0
ip nat inside

!=====================================================
! CONFIG FOR: C2 !
! ======================================================

access-list 100 remark ****** Link to C1 ******
access-list 100 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
!
ip nat inside source route-map nonat interface G0/1 overload
!
route-map nonat permit 10
match ip address 101
!
crypto isakmp policy 10
hash md5
authentication pre-share
encryption 3des
group 2
lifetime 86400
!
crypto isakmp key cisco123 address 8.8.10.2
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
!
crypto map mymap 2 ipsec-isakmp
description ****** Link to C1 ******
set peer 8.8.10.2
set transform-set myset
set pfs group2
match address 100
set security-association lifetime seconds 86400
set security-association lifetime kilobytes 4608000
!
interface G0/1
crypto map mymap
ip nat outside
!
interface G0/0
ip nat inside

!=========================================

Go here for more: https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/IPsecPG1.html