CCNA Security – Default router config + IOS VPN config

As some of you may know, I have been studying for the CCNA Security exam. I have been reading, watching videos, labbing, and procrastinating every day for the last month-or-so. Inspired by a post in the Network Chuck Facebook group, I have decided to put up a configuration here and work through what each command (or block of commands) does. I am using GNS3 with the VIRL IOSv images. Let’s just jump right into it. Below is the topology I am using.

The g0/1 interface on the left is in the 10.10.10.0/24 network, the routers are connected using the g0/0 interfaces in the 200.100.10.0/30 network, and the right g0/1 interface is in the 192.168.1.0/24 network. Each router is a DHCP server for its respective g0/1 network. I am running OSPF as well and all interfaces are in area 0. Now, here is the configuration for the router on the left:

Router#configure terminal
Router(config)#hostname Sun
Sun(config)#ip domain-name lab.net
Sun(config)#no ip domain-lookup
Sun(config)#service password-encryption
Sun(config)#username Admin privilege 15 algorithm-type scrypt secret Cisco123
Sun(config)#enable algorithm-type scrypt secret Enter
Sun(config)#crypto key generate rsa modulus 2048
Sun(config)#ip ssh version 2
Sun(config)#aaa new-model
Sun(config)#aaa authentication login default local-case enable
Sun(config)#no ip http server
Sun(config)#no ip http secure-server
Sun(config)#line console 0
Sun(config-line)#exec-timeout 0 0
Sun(config-line)#history size 25
Sun(config-line)#logging synchronous
Sun(config-line)#line vty 0 4
Sun(config-line)#logging synchronous
Sun(config-line)#exec-timeout 5 0
Sun(config-line)#history size 10
Sun(config-line)#login authentication default
Sun(config-line)#transport input ssh
Sun(config-line)#line aux 0
Sun(config-line)#transport input none
Sun(config-line)#logging synchronous
Sun(config-line)#exec-timeout 1 0
Sun(config-line)#history size 1
Sun(config-line)#exit
Sun(config)#interface gigabitethernet0/1
Sun(config-if)#ip address 10.10.10.1 255.255.255.0
Sun(config-if)#description LAN
Sun(config-if)#no shutdown
Sun(config-if)#interface gigabitethernet0/0
Sun(config-if)#ip address 200.100.10.1 255.255.255.252
Sun(config-if)#description WAN
Sun(config-if)#no shutdown
Sun(config-if)#exit
Sun(config)#ip dhcp pool LAN
Sun(dhcp-config)#network 10.10.10.0 255.255.255.0
Sun(dhcp-config)#default-router 10.10.10.1
Sun(dhcp-config)#exit
Sun(config)#ip dhcp excluded-address 10.10.10.0 10.10.10.99
Sun(config)#router ospf 1
Sun(config-router)#network 200.100.10.0 0.0.0.3 area 0
Sun(config-router)#network 10.10.10.0 0.0.0.255 area 0
Sun(config-router)#passive-interface default
Sun(config-router)#no passive-interface gigabitethernet0/0
Sun(config-router)#router-id 1.1.1.1
Sun(config-router)#exit
Sun(config)#crypto isakmp policy 10
Sun(config-isakmp)#authentication pre
Sun(config-isakmp)#encryption aes
Sun(config-isakmp)#group 5
Sun(config-isakmp)#hash sha512
Sun(config-isakmp)#lifetime 3600
Sun(config-isakmp)#exit
Sun(config)#crypto isakmp key VPNsecretKEY address 200.100.10.2
Sun(config)#crypto ipsec transform-set SUN esp-aes esp-sha512-hmac
Sun(config)#access-list 110 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
Sun(config)#crypto map SUNEARTH 10 ipsec-isakmp
Sun(config-crypto-map)#match address 110
Sun(config-crypto-map)#set security-association lifetime seconds 3600
Sun(config-crypto-map)#set transform-set SUN
Sun(config-crypto-map)#set peer 200.100.10.2
Sun(config-crypto-map)#interface gigabitethernet0/0
Sun(config-if)#crypto map SUNEARTH
Sun(config-if)#end
Sun#

Let's walk through what I have done here. First, I did some housekeeping tasks. I set the hostname (using a planetary theme with the SUN at the “center”) and domain name. I disabled domain lookup so that I didn’t have to wait for the router to try to translate my typos to a domain name. Password encryption was enabled to cover any legacy passwords that may exist on the router, for better security (this is for a security certification after all). A local username (Admin) was created with a privilege level of 15 (they are an admin after all) and a secret that is stored using the scrypt algorithm type, as it is the strongest option offered on this device. The enable secret was also stored using scrypt. RSA keys were generated with a 2048-bit modulus and the SSH server was set to SSH version 2.

Next, AAA was enabled and two authentication profiles were created (well, one was created and the other was modified). The default profile was set to use the local user account with a case-sensitive username first and if no account exists it will fall back to use just the enable password for access. A new group called NOACCESS was created using no authentication, meaning that authentication will be denied. The HTTP and HTTPS servers were disabled. The console port was configured with a timeout of 0 0, meaning none, a history size of 25 (the number of previous commands the router will remember), and log messages will be displayed synchronously. The VTY lines were configured with synchronous logging, a timeout of 5 minutes, a command history of 10, they will use the default authentication profile, and will accept only SSH connections. The AUX port was configured with a timeout of 1 minute, a command history of 1, and to accept no incoming connections.

Now I configured the interfaces and IP addresses. G0/1 faces the internal LAN on the SUN router, so I gave it a description to match that. It is using IP address 10.10.10.1 with a 24-bit subnet mask. The interface was enabled as well. The g0/0 interface is the WAN interface and is using the IP address of 200.100.10.1 with a 30-bit subnet mask. These are just the IP addresses that I chose and can really be anything you want in a lab environment. Then the DHCP server was enabled using the pool name LAN. It will assign IP addresses in the 10.10.10.0/24 network and the default gateway of 10.10.10.1. I also excluded the first 100 addresses (.0 to .99) from DHCP assignment. OSPF was then enabled using a process ID of 1. Network 10.10.10.0 was added to area 0 as well as the 200.100.10.0 network. All interfaces on the router were placed into passive mode, meaning that no OSPF messages will flow through the ports but the networks will still be advertised into OSPF. Interface g0/0 was then taken out of passive mode so that it could form a neighbor relationship with the other router. The router ID was also hard coded to 1.1.1.1 to make any troubleshooting easier. That is the basic configuration that I have been using for my labbing on my way to the CCNA Security. I feel that this is a good basic configuration that is easily built upon and changed depending on what my needs are. This would be mirrored on the connected router (EARTH in my lab). Now comes the fun stuff! Configuring the VPN!

Let's start by configuring IKE Phase 1. I used IKEv1 for this configuration. The ISAKMP policy was set to 10 (the lower the policy number the higher the priority). In ISAKMP configuration mode we set the parameters of the Phase 1 connection. I used pre-shared key authentication, AES encryption, Diffie-Hellman group 5, SHA512 for the hashing algorithm, and a lifetime of 3600 seconds (1 hour). The pre-shared key was then defined and associated with address 200.100.10.2, the neighboring peer. Next I configured IKE Phase 2. This phase will use AES for encryption and SHA512-HMAC for hashing. It is also using ESP to enable encryption. The traffic needs to be identified so that it can be matched to be used with the VPN. That is done with access list 110 in this case. Remember, the addresses in the access list are ordered source to destination, so we start with the local address and end with the remote address. Now to tie it all together with the crypto map. It is set to match addresses in access list 110, sets the lifetime to 3600 seconds (1 hour), sets Phase 2 to our configured values, and identifies the peer address. The crypto map is then applied to the g0/0 interface and the configuration is complete! A mirror configuration would then need to be configured on the other router (called EARTH in my topology).

The configuration can be verified using a debug and ping. Issue debug crypto isakmp to start gathering log messages for IKE Phase 1 and generate traffic that should be used with the VPN using ping and sourcing it from the LAN interface (ping 192.168.1.1 source 10.10.10.1). If everything was entered correctly the debug will start scrolling messages and will end in a successful ping. The first packet or two might get lost as IKE negotiates Phase 1 and Phase 2 but a subsequent ping should go through just fine. Note that the debug will only scroll messages upon the first negotiation of Phase 1. If there is already an established Phase 1 then no new messages will scroll.
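The mirrored VPN section for EARTH, followed by the verification steps described above, as an added example that is not part of the original lab listing. It assumes EARTH's g0/0 is 200.100.10.2 and its g0/1 is 192.168.1.1 (taken from the topology and the ping above); the hostname Earth, the transform-set name EARTH and the crypto map name EARTHSUN are assumed names and are only locally significant.

```cisco
! Phase 1: every parameter must match the SUN policy or negotiation fails
Earth(config)#crypto isakmp policy 10
Earth(config-isakmp)#authentication pre-share
Earth(config-isakmp)#encryption aes
Earth(config-isakmp)#group 5
Earth(config-isakmp)#hash sha512
Earth(config-isakmp)#lifetime 3600
Earth(config-isakmp)#exit
! Same key string as on SUN, but bound to SUN's WAN address
Earth(config)#crypto isakmp key VPNsecretKEY address 200.100.10.1
! Phase 2: same transforms as SUN; the set name itself can differ
Earth(config)#crypto ipsec transform-set EARTH esp-aes esp-sha512-hmac
Earth(cfg-crypto-trans)#exit
! Crypto ACL is the mirror image of SUN's ACL 110: local LAN first, remote LAN second
Earth(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
Earth(config)#crypto map EARTHSUN 10 ipsec-isakmp
Earth(config-crypto-map)#match address 110
Earth(config-crypto-map)#set security-association lifetime seconds 3600
Earth(config-crypto-map)#set transform-set EARTH
Earth(config-crypto-map)#set peer 200.100.10.1
Earth(config-crypto-map)#interface gigabitethernet0/0
Earth(config-if)#crypto map EARTHSUN
Earth(config-if)#end
! Verification: start the debug, then generate traffic that matches ACL 110
Earth#debug crypto isakmp
Earth#ping 10.10.10.1 source 192.168.1.1
! Phase 1 is up when the SA toward 200.100.10.1 shows state QM_IDLE
Earth#show crypto isakmp sa
! Phase 2 is carrying traffic when the pkts encaps / pkts decaps counters increase
Earth#show crypto ipsec sa
Earth#undebug all
```

If the ping keeps failing while Phase 1 reaches QM_IDLE, compare the two crypto ACLs and transform sets first, since a Phase 2 mismatch leaves the ISAKMP SA up with no IPsec SAs behind it.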

I hope this was informative or helped you in some way. Please, if there are any errors with my configuration or explanations do not hesitate to let me know and I will fix them. I am still learning this myself so I am bound to make mistakes here and there.

Until next time…
