Hello,

Here are the show run outputs you need to configure a Site-to-Site VPN.
When configuring a Site-to-Site VPN there are 5 fundamental points to consider:

  • The policy ISAKMP will use
crypto isakmp key cisco address 1.1.1.2   << Sets the peer's IP address and the PSK
crypto isakmp keepalive 10 periodic << Interval for checking that the peer is still alive
crypto isakmp policy 10  << Policies the VPN will use
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
  • The encryption the VPN will use (the IPsec transform set)
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
  • The interesting traffic
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
  • The crypto map
crypto map ESW1_To_ESW2 10 ipsec-isakmp  << Must be bound to the interface facing the outside
 set peer 1.1.1.2
 set transform-set TS1
 match address 101  << Access-list number
  • Enabling the VPN
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map ESW1_To_ESW2  << Enables the VPN on the interface
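As an added example (not code from the original post), the following Python check reads the VPN-relevant lines of two IOS running-configs and verifies that the five points above agree between the peers: the isakmp key address matches the crypto map peer, the peer is really the other router's outside address, the crypto map is bound to that interface, the referenced access-list exists, and the two crypto ACLs are mirror images. The sample configs and all function names are constructed here from the ESW1/ESW2 configs shown in the post.

```python
import re
# Constructed sample: the VPN-relevant lines of the two running-configs shown in the post.
ESW1 = """crypto isakmp key cisco address 1.1.1.2
crypto map ESW1_To_ESW2 10 ipsec-isakmp
 set peer 1.1.1.2
 match address 101
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 crypto map ESW1_To_ESW2
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255"""
ESW2 = """crypto isakmp key cisco address 1.1.1.1
crypto map ESW2_To_ESW1 10 ipsec-isakmp
 set peer 1.1.1.1
 match address 101
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 crypto map ESW2_To_ESW1
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255"""
PATTERNS = {  # one regex per value that must agree between the two peers
    "key_peer": r"crypto isakmp key \S+ address (\S+)",
    "map_name": r"crypto map (\S+) \d+ ipsec-isakmp",
    "set_peer": r" set peer (\S+)",
    "acl_id": r" match address (\d+)",
    "iface_ip": r" ip address (\S+) ",
    "map_on_iface": r" crypto map (\S+)",
    "acl": r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)",
}
def parse_vpn(cfg):
    v = {}
    for line in cfg.splitlines():
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line):
                v[key] = m.groups() if key == "acl" else m.group(1)
                if key == "map_on_iface":  # the interface carrying the map is the outside one
                    v["outside_ip"] = v.get("iface_ip")
    return v
def check_pair(a, b):
    # Returns the mismatches that would keep this pair of peers from building the tunnel.
    problems = []
    for me, peer in ((a, b), (b, a)):
        checks = [
            (me.get("set_peer") == me.get("key_peer"), "set peer differs from the isakmp key address"),
            (me.get("set_peer") == peer.get("outside_ip"), "set peer is not the other router's outside IP"),
            (me.get("map_on_iface") == me.get("map_name"), "crypto map is not applied to the outside interface"),
            (me.get("acl", ("",))[0] == me.get("acl_id"), "match address points at a missing access-list"),
        ]
        problems += [msg for ok, msg in checks if not ok]
    # Interesting traffic must be mirrored: A's source/destination are B's destination/source.
    if a.get("acl") and b.get("acl") and a["acl"][1:] != b["acl"][2:0:-1]:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```

These checks cover consistency only, not algorithm strength: the lab values shown (PSK cisco, DH group 5, SHA-1) are legacy choices, and a production tunnel should use a long random PSK, DH group 14 or higher and a SHA-2 transform.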

These are the results of the "show" commands once VPN negotiation has finished

ESW1#sh crypto isa sa de
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime

1001  1.1.1.1         1.1.1.2                  ACTIVE aes  sha  psk  5  00:56:46
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

ESW1#sh crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: ESW1_To_ESW2, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
   current_peer 1.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xA1B8D655(2713245269)

     inbound esp sas:
      spi: 0xC80C0CAA(3356232874)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: ESW1_To_ESW2
        sa timing: remaining key lifetime (k/sec): (4492924/3382)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA1B8D655(2713245269)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: ESW1_To_ESW2
        sa timing: remaining key lifetime (k/sec): (4492924/3380)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Router 1 configuration

ESW1#sh run
<--OMITTED-->


hostname ESW1

<--OMITTED-->

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 1.1.1.2
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
!
crypto map ESW1_To_ESW2 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set TS1
 match address 101
!
<--OMITTED-->
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map ESW1_To_ESW2
!
<--OMITTED-->
!
ip route 10.10.20.0 255.255.255.0 1.1.1.2
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
no cdp log mismatch duplex
!
<--OMITTED-->
end

Router 2 configuration

ESW2#sh run
Building configuration...
<--OMITTED-->
!
hostname ESW2
!
<--OMITTED-->
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 1.1.1.1
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
!
crypto map ESW2_To_ESW1 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS1
 match address 101
!
<--OMITTED-->
!
!
interface FastEthernet0/0
 ip address 10.10.20.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map ESW2_To_ESW1
!
<--OMITTED-->
!
ip route 10.10.10.0 255.255.255.0 1.1.1.1
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
no cdp log mismatch duplex
!
<--OMITTED-->
!
end

These are the results of the "show" commands on Router 2 once VPN negotiation has finished

ESW2#sh crypto isa sa de
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1001  1.1.1.2         1.1.1.1                  ACTIVE aes  sha  psk  5  00:55:27 D
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

ESW2#sh crypto ipse sa

interface: FastEthernet0/1
    Crypto map tag: ESW2_To_ESW1, local addr 1.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xC80C0CAA(3356232874)

     inbound esp sas:
      spi: 0xA1B8D655(2713245269)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: ESW2_To_ESW1
        sa timing: remaining key lifetime (k/sec): (4468820/3320)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC80C0CAA(3356232874)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: ESW2_To_ESW1
        sa timing: remaining key lifetime (k/sec): (4468820/3319)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
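As an added example (not part of the original post), this Python snippet reads the key lines of the two "show crypto ipsec sa" outputs above and cross-checks them the way you would by hand: both ESP SAs ACTIVE on each side, each router's outbound SPI equal to the other's inbound SPI, encaps on one side matching decaps on the other, and no send/recv errors. The samples are constructed from the ESW1/ESW2 outputs shown; the function names are my own.

```python
import re
# Constructed sample: the lines that matter from the two "show crypto ipsec sa" outputs above.
ESW1_SA = """    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xC80C0CAA(3356232874)
        Status: ACTIVE
     outbound esp sas:
      spi: 0xA1B8D655(2713245269)
        Status: ACTIVE"""
ESW2_SA = """    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0xA1B8D655(2713245269)
        Status: ACTIVE
     outbound esp sas:
      spi: 0xC80C0CAA(3356232874)
        Status: ACTIVE"""
def parse_sa(text):
    # Pick out SPIs, status and counters; "direction" tracks which SA block we are in.
    sa = {"spi": {}, "status": {}}
    direction = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"(inbound|outbound) esp sas:", line):
            direction = m.group(1)
        elif m := re.match(r"spi: (0x[0-9A-F]+)", line):
            sa["spi"][direction] = m.group(1)
        elif m := re.match(r"Status: (\w+)", line):
            sa["status"][direction] = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            sa[m.group(1)] = int(m.group(2))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sa
def tunnel_health(a, b):
    # Cross-check both ends: SAs active, SPIs paired, counters balanced, no errors.
    findings = []
    for name, side in (("A", a), ("B", b)):
        if set(side["status"].values()) != {"ACTIVE"} or len(side["spi"]) != 2:
            findings.append(f"{name}: missing or inactive ESP SA")
        if side["send_errors"] or side["recv_errors"]:
            findings.append(f"{name}: send/recv errors present")
    if a["spi"].get("outbound") != b["spi"].get("inbound") or a["spi"].get("inbound") != b["spi"].get("outbound"):
        findings.append("SPIs do not pair up: the two routers hold different SAs")
    if a["encaps"] != b["decaps"] or b["encaps"] != a["decaps"]:
        findings.append("encaps/decaps counters differ across peers")
    return findings
```

On the outputs above the only finding is the single send error on ESW2, which is typical of the first packet that triggered the tunnel being dropped while the SA was still negotiating; a growing send-error count, or SPIs that do not pair, is what actually indicates a problem.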