VPN Using Cisco IOS Lab Assessment

VPN_Lab_Assessment_AdvDip_NetSec(Student).docx (Date Updated: 1 August 2016) 1
Site-to-Site VPN Using Cisco IOS Lab Assessment
Topology (TTF Network)
IP Addressing Table

Device    Interface             IP Address      Subnet Mask       Default Gateway  Switch Port
ADELAIDE  F0/1                  192.168.1.1     255.255.255.0     N/A              S1 F0/1
          S0/0/0 (DCE)          10.10.10.1      255.255.255.252   N/A              N/A
HQ        S0/0/0                10.10.10.2      255.255.255.252   N/A              N/A
          S0/0/1 (DCE)          10.20.20.2      255.255.255.252   N/A              N/A
SYDNEY    F0/1                  192.168.2.1     255.255.255.0     N/A              S2 F0/1
          S0/0/1                10.20.20.1      255.255.255.252   N/A              N/A
SERVER    NIC                   192.168.1.100   255.255.255.0     192.168.1.1      S1 F0/24
PC        NIC                   192.168.2.10    255.255.255.0     192.168.2.1      S2 F0/24
S1        Management Interface  192.168.1.200   255.255.255.0     192.168.1.1      N/A
S2        Management Interface  192.168.2.200   255.255.255.0     192.168.2.1      N/A

Background / Scenario
Site-to-Site VPNs typically provide a secure (IPsec or other) tunnel between a branch office and a central
office. Another common implementation of VPN technology is remote access to a corporate office from a
telecommuter location, such as a small office or home office. VPNs help create that tunnel securely without
the need for leased lines. It provides a safer environment for transmitting data over the Internet, which is now
the preferred connection choice because of its reduced cost.
In this lab, you will build and configure the TTF network which includes the HQ, Adelaide and Sydney sites.
You will secure your networking devices and use Cisco IOS to configure a site-to-site IPsec VPN. This VPN
connection will link the Sydney office to the Adelaide network, enabling users to access
resources and servers. Then, you will test the VPN connection. The IPsec VPN tunnel is from ADELAIDE to
SYDNEY via HQ. HQ acts as a pass-through and has no knowledge of the VPN. IPsec provides secure
transmission of sensitive information over unprotected networks, such as the Internet. IPsec acts at the
network layer, protecting and authenticating IP packets between participating IPsec devices (peers), such
as Cisco routers.
Objectives
Section A: Configure Devices
- Configure hostnames, interface IP addresses, and access passwords.
- Configure the OSPF dynamic routing protocol.
- Verify connectivity between hosts and routers.
- Troubleshoot any issues or connection failure.
- Save the basic running configuration for all devices.

Section B: Secure Devices
- Configure and encrypt all passwords on all devices.
- Configure a login warning banner on all devices.
- Configure SSH access on all devices.
- Secure the Cisco IOS image and configuration files.
- Configure OSPF authentication using SHA256.
- Verify OSPF authentication.
- Save the running configuration for all devices.

Section C: Configure a Site-to-Site VPN Using Cisco IOS
- Configure IPsec VPN settings on ADELAIDE and SYDNEY.
- Verify site-to-site IPsec VPN configuration.
- Test IPsec VPN operation.
- Save the running configuration for all devices.

Required Resources
- Cisco Packet Tracer
- 3 routers (Cisco 1841)
- 2 switches (Cisco 2960)
- 1 Server and 1 PC
- Serial and Ethernet cables, as shown in the topology

Section A: Configure Devices
In Section A, you will set up the network topology and configure basic settings, such as the interface IP
addresses, dynamic routing, device access, and passwords. The first thing you need to do is to use Cisco
packet tracer to build the topology and attach the devices as shown in the topology diagram and cable as
necessary.
1. Configure basic settings for each router.
a. Configure hostnames, as shown in the topology.
b. Configure the interface IP addresses, as shown in the IP Addressing Table.
c. Configure a clock rate of 64000 for the serial router interfaces with a DCE serial cable attached.
d. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands.
e. Configure a static IP address, subnet mask, and default gateway for SERVER, as shown in the IP
Addressing Table.
f. Configure a static IP address, subnet mask, and default gateway for PC, as shown in the IP Addressing
Table.
2. Configure the OSPF routing protocol on ADELAIDE, HQ, and SYDNEY.
g. Configure OSPF routing and use process ID 100. All routers are in Area 0. Apply recommended security
practices on interfaces not participating in routing.
3. Verify basic network connectivity.
h. Use appropriate network commands to test the connectivity.
4. Troubleshoot network connectivity.
i. If network connectivity testing is unsuccessful, troubleshoot the basic device configurations before
continuing.
5. Save the basic running configuration for all devices
j. Save the running configuration to the startup configuration on all devices.
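The configuration below is an added worked example for the steps in this section; it is not part of the lab document itself. Hostnames and addresses come from the IP Addressing Table. Two details are assumptions: the "recommended security practice" in step g is read as making the LAN interfaces passive for OSPF, and the switch management address is placed on VLAN 1.

```cisco
! ADELAIDE (steps a-d, g, j) - added example, addresses from the IP Addressing Table
enable
configure terminal
hostname ADELAIDE
! step d: stop the router from trying to resolve mistyped commands as hostnames
no ip domain-lookup
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface Serial0/0/0
 ip address 10.10.10.1 255.255.255.252
 ! step c: clock rate only on the DCE end of the serial link
 clock rate 64000
 no shutdown
! step g: process ID 100, every network in area 0
router ospf 100
 network 192.168.1.0 0.0.0.255 area 0
 network 10.10.10.0 0.0.0.3 area 0
 ! assumption for step g: no OSPF hellos toward the LAN, where no neighbour exists
 passive-interface FastEthernet0/1
end
! step j
copy running-config startup-config

! HQ - no LAN, two serial links, S0/0/1 is the DCE end
configure terminal
hostname HQ
no ip domain-lookup
interface Serial0/0/0
 ip address 10.10.10.2 255.255.255.252
 no shutdown
interface Serial0/0/1
 ip address 10.20.20.2 255.255.255.252
 clock rate 64000
 no shutdown
router ospf 100
 network 10.10.10.0 0.0.0.3 area 0
 network 10.20.20.0 0.0.0.3 area 0
end

! SYDNEY
configure terminal
hostname SYDNEY
no ip domain-lookup
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no shutdown
interface Serial0/0/1
 ip address 10.20.20.1 255.255.255.252
 no shutdown
router ospf 100
 network 192.168.2.0 0.0.0.255 area 0
 network 10.20.20.0 0.0.0.3 area 0
 passive-interface FastEthernet0/1
end

! S1 management address (assumed to be on VLAN 1); S2 is the same with 192.168.2.200 / 192.168.2.1
configure terminal
hostname S1
interface vlan 1
 ip address 192.168.1.200 255.255.255.0
 no shutdown
ip default-gateway 192.168.1.1
end

! step h: connectivity checks from ADELAIDE (SERVER and PC get their static addresses in the
! Packet Tracer desktop tab, steps e and f)
! expect one FULL neighbour on each serial link
show ip ospf neighbor
! ADELAIDE should learn 192.168.2.0/24 via 10.10.10.2, SYDNEY should learn 192.168.1.0/24
show ip route ospf
! end-to-end test sourced from the LAN interface, so the reply must cross both serial links
ping 192.168.2.10 source 192.168.1.1
```

If the OSPF neighbour table is empty on one link, check the clock rate on the DCE side and that both ends of the /30 are in the same area before looking further (step i).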
Section B: Secure Devices
In Section B, you will secure and harden your network devices and operations to ensure that your network is
implementing the recommended security practices.
1. Configure and encrypt passwords.
Configure the same settings for HQ, ADELAIDE, SYDNEY and the switches.
k. Use an appropriate minimum password length.
l. Configure the enable secret password on all devices with a password of ttf1234567.
m. Create a local ttfadmin account with the highest possible privilege level using ttfadminpass for the
password.
n. Encrypt all clear text passwords on all devices.
o. Configure the console to use the local database for login. For additional security, configure the line to log
out after five minutes of inactivity. Issue the appropriate command to prevent console messages from
interrupting command entry.
2. Configure a warning message to display prior to login on all devices.
p. Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner. The banner
should follow the recommended security practices.
3. Configure SSH Server on all devices.
q. Configure a domain name ttf.com.
r. Configure the RSA keys with a secure number of modulus bits.
s. Issue the command to force the use of SSH version 2.
t. Configure the vty lines on HQ, ADELAIDE, SYDNEY and the switches to use the local database for login.
Remote access to the routers should only be allowed using SSH. Configure the vty lines to logout after
five minutes of inactivity.
4. Secure the Cisco IOS image and archive a copy of the running configuration.
u. Enable Cisco IOS image resilience, which secures the IOS image and hides the file from the dir and show
commands. Then, securely archive the router's running configuration in persistent storage (flash).
v. Verify that your image and configuration are secured. Use the appropriate command for verification.
5. Configure OSPF Routing Protocol Authentication using SHA256 Hashing
w. Configure a key chain on all three routers.
o Assign a key chain name “TTFchain“ and number “1”.
o Assign the authentication key string “TTFkeystring”.
o Configure the hashing algorithm to be used for authentication: use SHA256.
x. Configure the OSPF participating interfaces to use OSPF authentication on all routers.
6. Verify OSPF Routing and Authentication.
y. Issue the appropriate command to verify that Authentication Key has been assigned to the interfaces on
all routers.
z. Issue the appropriate command to verify that each router lists the other routers in the network as neighbors.
aa. Issue the appropriate command to verify that all networks display in the routing table on all routers.
bb. Use the appropriate command to verify connectivity between PC and SERVER.
If not successful, troubleshoot before continuing.
7. Save the running configuration for all devices.
Save the running configuration to the startup on all devices.
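The following is an added worked example for Section B on ADELAIDE; it is not part of the lab document. The same commands are repeated on HQ and SYDNEY, and on S1 and S2 where the command exists (the switches do not run OSPF and the 2960 has no IOS resilience feature). Values named in the steps (ttf1234567, ttfadmin, ttfadminpass, ttf.com, TTFchain, TTFkeystring) are taken from the page; the 10-character minimum length, the 2048-bit modulus and the banner wording are assumptions.

```cisco
! ADELAIDE (Section B) - added example
configure terminal
! steps k-n: set the minimum length before creating any password so the new secrets are checked
security passwords min-length 10
enable secret ttf1234567
username ttfadmin privilege 15 secret ttfadminpass
! hides any remaining clear-text passwords (line passwords, keys) in show running-config
service password-encryption
! step o: console uses the local database, idles out after 5 minutes, log output does not split typed input
line console 0
 login local
 exec-timeout 5 0
 logging synchronous
 exit
! step p: MOTD banner (wording is an assumption; state that access is restricted, never say "welcome")
banner motd #
Unauthorized access to this device is prohibited. All activity is monitored and logged.
#
! steps q-t: SSH server, version 2 only, vty lines accept SSH only and use the local database
ip domain-name ttf.com
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
 exit
! steps u-v: IOS resilience (routers only)
secure boot-image
secure boot-config
do show secure bootset
! step w: key chain carrying the OSPF authentication key and the HMAC-SHA-256 algorithm
key chain TTFchain
 key 1
  key-string TTFkeystring
  cryptographic-algorithm hmac-sha-256
  exit
 exit
! step x: apply on each OSPF-participating interface
! (ADELAIDE: S0/0/0; HQ: S0/0/0 and S0/0/1; SYDNEY: S0/0/1)
interface Serial0/0/0
 ip ospf authentication key-chain TTFchain
end
! steps y-bb: the interface line should show cryptographic authentication with key chain TTFchain,
! neighbours should return to FULL once both ends are configured, and the OSPF routes should remain
show ip ospf interface Serial0/0/0
show ip ospf neighbor
show ip route ospf
ping 192.168.2.10 source 192.168.1.1
! step 7
copy running-config startup-config
```

Expect the OSPF adjacency on a link to drop while only one end carries the key chain and to come back once both ends match; a neighbour that stays missing after both sides are done usually means the key string or algorithm differs. Support for key-chain HMAC-SHA authentication and secure boot-image depends on the IOS image, so check that your Packet Tracer release accepts these commands before relying on them.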
Section C: Configure a Site-to-Site VPN with Cisco IOS
In Section C of this lab, you will configure an IPsec VPN tunnel between ADELAIDE and SYDNEY that
passes through HQ. You will configure ADELAIDE and SYDNEY using the Cisco IOS CLI. You will then
review and test the resulting configuration.
1. Configure IPsec VPN Settings on ADELAIDE and SYDNEY.
cc. Verify connectivity from the ADELAIDE LAN to the SYDNEY LAN.
If unsuccessful, troubleshoot the basic device configurations before continuing.
dd. Enable IKE policies on ADELAIDE and SYDNEY.
IPsec is an open framework that allows security protocols and encryption algorithms to be exchanged as new
technologies are developed.
There are two central configuration elements in the implementation of an IPsec VPN:
- Implement Internet Key Exchange (IKE) parameters
- Implement IPsec parameters

ee. Verify that IKE is supported and enabled.
ff. Configure the IKE Phase 1 ISAKMP policy on ADELAIDE and SYDNEY.
Configure an ISAKMP policy with a priority of 10. Use pre-shared key as the authentication type, aes
256 for the encryption algorithm, sha as the hash algorithm, and the Diffie-Hellman group 14 key
exchange. Give the policy a lifetime of 3600 seconds (one hour).
gg. Configure the same policy on SYDNEY.
hh. Verify the IKE policy with the appropriate commands.

ii. Each IP address that is used to configure the IKE peers is also referred to as the IP address of the
remote VPN endpoint. Configure the pre-shared key of ttf12345 on router ADELAIDE. Production
networks should use a complex key.
jj. Configure the pre-shared key ttf12345 on router SYDNEY.

kk. On ADELAIDE and SYDNEY, create a transform set with tag 50 that uses an ESP transform with the AES
256 cipher and the ESP SHA HMAC hash function. The transform sets must match.

ll. You can also change the IPsec security association lifetime from the default of 3600 seconds. On
ADELAIDE and SYDNEY, set the IPsec security association lifetime to 30 minutes, or 1800 seconds.

mm. Define interesting traffic: In this scenario, from the perspective of ADELAIDE, the traffic you want to
encrypt is traffic going from ADELAIDE's Ethernet LAN to SYDNEY's Ethernet LAN, or vice versa from the
perspective of SYDNEY. Use access lists to define this traffic at each site; the two lists must mirror each
other.
nn. Configure the IPsec VPN interesting traffic ACL on ADELAIDE.
oo. Configure the IPsec VPN interesting traffic ACL on SYDNEY.
pp. Create the crypto map on ADELAIDE, name it CMAP, and use 10 as the sequence number.
qq. Use the appropriate command to specify which access list defines which traffic to encrypt.
rr. Setting a peer IP or hostname is required. Set it to SYDNEY’s remote VPN endpoint interface.
ss. Use the appropriate command to hard code the transform set to be used with this peer. Set the perfect
forward secrecy type using the appropriate command, and modify the default IPsec security
association lifetime to 900 seconds with the appropriate command.
tt. Create a mirrored matching crypto map on SYDNEY.
uu. Apply the crypto map to interfaces.
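The following is an added worked example for step 1 of Section C, not the lab's own answer. Policy priority, algorithms, lifetimes, the pre-shared key ttf12345, transform-set tag 50 and map name CMAP come from the steps above; the access-list number 101 and the choice of Diffie-Hellman group 14 for PFS (matching the Phase 1 policy) are assumptions. HQ receives no crypto configuration at all, since it only forwards the ESP packets.

```cisco
! ADELAIDE (Section C step 1) - added example
configure terminal
! step ee: ISAKMP is normally on by default on crypto-capable images; this makes it explicit
crypto isakmp enable
! step ff: IKE Phase 1 policy, priority 10
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
 exit
! step ii: pre-shared key bound to SYDNEY's VPN endpoint (its S0/0/1 address)
crypto isakmp key ttf12345 address 10.20.20.1
! steps kk-ll: Phase 2 transform set tagged 50, global SA lifetime 30 minutes
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
 exit
crypto ipsec security-association lifetime seconds 1800
! steps mm-nn: interesting traffic, ADELAIDE LAN to SYDNEY LAN (ACL number 101 is an assumption)
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! steps pp-ss: crypto map CMAP sequence 10; the per-map 900 s lifetime overrides the global 1800 s
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 10.20.20.1
 set transform-set 50
 set pfs group14
 set security-association lifetime seconds 900
 exit
! step uu: bind the map to the interface facing HQ
interface Serial0/0/0
 crypto map CMAP
end

! SYDNEY - mirror image (steps gg, jj, oo, tt, uu)
configure terminal
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
 exit
! peer is ADELAIDE's S0/0/0 address
crypto isakmp key ttf12345 address 10.10.10.1
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
 exit
crypto ipsec security-association lifetime seconds 1800
! mirrored ACL: source and destination LANs swapped
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 10.10.10.1
 set transform-set 50
 set pfs group14
 set security-association lifetime seconds 900
 exit
interface Serial0/0/1
 crypto map CMAP
end
```

Note that the crypto ACL matches only LAN-to-LAN traffic, so the OSPF hellos between the routers and the management traffic to the serial addresses continue to travel outside the tunnel; only the SHA256 authentication from Section B protects the routing exchange.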
2. Verify the Site-to-Site IPsec VPN Configuration and Operation.
vv. Verify the IPsec configuration and operation on ADELAIDE and SYDNEY using appropriate show
commands.
3. Test IPsec VPN operation.
ww. Generate some uninteresting test traffic and observe the results. Use appropriate show and debug
commands to test VPN operation.
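An added example of the verification and test sequence for steps vv and ww, run from ADELAIDE; it is not output or text from the lab. The expected states in the comments are what a working tunnel built from the steps above shows, and the access-list number 101 is the same assumption as in the configuration.

```cisco
! Step vv: confirm the two routers agree on policy, transform set, peer and interesting traffic
show crypto isakmp policy
show crypto ipsec transform-set
show crypto map
! Step ww, uninteresting traffic first: a ping between the routers' serial addresses is not
! matched by ACL 101, so no SA is negotiated and the ISAKMP SA table stays empty
ping 10.20.20.1
show crypto isakmp sa
! Interesting traffic: LAN to LAN. Either ping PC from SERVER's command prompt, or source the
! ping from ADELAIDE's LAN address so it matches ACL 101. The first echo may time out while
! IKE is still negotiating; that is expected, not a fault.
ping 192.168.2.10 source 192.168.1.1
! expect one entry, src 10.10.10.1 dst 10.20.20.1, state QM_IDLE
show crypto isakmp sa
! expect #pkts encaps and #pkts decaps to rise with each interesting ping and to stay unchanged
! when you repeat the serial-to-serial ping
show crypto ipsec sa
! To watch the negotiation, enable these before the first interesting ping and disable afterwards;
! clear the SAs first if the tunnel is already up, otherwise nothing new is negotiated
clear crypto isakmp
clear crypto sa
debug crypto isakmp
debug crypto ipsec
undebug all
```

If the ISAKMP SA never reaches QM_IDLE, compare the two policies with show crypto isakmp policy and the two keys; a counter that encapsulates but never decapsulates points at a mismatched ACL or transform set on the far side.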
4. Save the running configuration for all devices.
Save the running configuration to the startup configuration on all devices. Finally, save your Packet Tracer file
as VPN_Lab_YOUR_NAME.