Tuesday, October 16, 2012

View VPN session formation messages (debug crypto isakmp)




HQ#
*Mar  1 01:45:36.431: ISAKMP: received ke message (1/1)
*Mar  1 01:45:36.435: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)   >> "Requesting profile"
*Mar  1 01:45:36.439: ISAKMP: Created a peer struct for 200.200.1.2, peer port 500  >> creating new peer, ISAKMP port 500
*Mar  1 01:45:36.439: ISAKMP: New peer created peer = 0x64946CF0 peer_handle = 0x80000002
*Mar  1 01:45:36.443: ISAKMP: Locking peer struct 0x64946CF0, IKE refcount 1 for isakmp_initiator
*Mar  1 01:45:36.447: ISAKMP: local port 500, remote port 500
*Mar  1 01:45:36.447: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 01:45:36.451: insert sa successfully sa = 655EB81C
*Mar  1 01:45:36.455: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar  1 01:45:36.455: ISAKMP:(0:0:N/A:0):Looking for a matching key for 200.200.1.2 in default
*Mar  1 01:45:36.459: ISAKMP:(0:0:N/A:0): : success
*Mar  1 01:45:36.459: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.200.1.2
*Mar  1 01:45:36.467: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID   >> advertising NAT Transparency (NAT-T) support through vendor IDs
*Mar  1 01:45:36.467: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 01:45:36.471: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 01:45:36.471: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 01:45:36.475: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1  >> IKE Phase 1 begins (sending Main Mode packet 1)

*Mar  1 01:45:36.479: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar  1 01:45:36.483: ISAKMP:(0:0:N/A:0): sending packet to 200.200.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE  >> sending packet
*Mar  1 01:45:36.715: ISAKMP (0:0): received packet from 200.200.1.2 dport 500 sport 500 Global (I) MM_NO_STATE   >> Receiving Packet
*Mar  1 01:45:36.731: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:45:36.735: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2   >> moving from MM1 to MM2 (still in IKE Phase 1; Main Mode packet 2 received)

*Mar  1 01:45:36.743: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 01:45:36.747: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 01:45:36.747: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:45:36.751: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar  1 01:45:36.755: ISAKMP:(0:0:N/A:0):Looking for a matching key for 200.200.1.2 in default   >> looking up the pre-shared key configured for the remote peer
*Mar  1 01:45:36.755: ISAKMP:(0:0:N/A:0): : success
*Mar  1 01:45:36.759: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.200.1.2  >> found the pre-shared key for the remote peer
*Mar  1 01:45:36.759: ISAKMP:(0:0:N/A:0): local preshared key found >> matched against the local pre-shared key, success
*Mar  1 01:45:36.767: ISAKMP : Scanning profiles for xauth ...
*Mar  1 01:45:36.767: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy  >> comparing the peer's proposal against the local priority 10 policy
*Mar  1 01:45:36.771: ISAKMP:      encryption AES-CBC
*Mar  1 01:45:36.775: ISAKMP:      keylength of 128
*Mar  1 01:45:36.779: ISAKMP:      hash SHA
*Mar  1 01:45:36.779: ISAKMP:      default group 2
*Mar  1 01:45:36.787: ISAKMP:      auth pre-share
*Mar  1 01:45:36.787: ISAKMP:      life type in seconds
*Mar  1 01:45:36.787: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 01:45:36.803: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0 >> attributes are acceptable (the Phase 1 policy matched)
*Mar  1 01:45:36.911: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:45:36.915: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Mar  1 01:45:36.915: ISAKMP (0:134217729): vendor ID is NAT-T v7
*Mar  1 01:45:36.915: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:45:36.915: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  1 01:45:36.919: ISAKMP:(0:1:SW:1): sending packet to 200.200.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 01:45:36.923: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:45:36.923: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  1 01:45:37.115: ISAKMP (0:134217729): received packet from 200.200.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 01:45:37.123: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:45:37.123: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  1 01:45:37.135: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Mar  1 01:45:37.239: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Mar  1 01:45:37.239: ISAKMP:(0:0:N/A:0):Looking for a matching key for 200.200.1.2 in default
*Mar  1 01:45:37.243: ISAKMP:(0:0:N/A:0): : success
*Mar  1 01:45:37.243: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 200.200.1.2
*Mar  1 01:45:37.247: ISAKMP:(0:1:SW:1):SKEYID state generated
*Mar  1 01:45:37.247: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:45:37.247: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Mar  1 01:45:37.247: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:45:37.247: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar  1 01:45:37.247: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 01:45:37.247: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar  1 01:45:37.247: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:45:37.247: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  1 01:45:37.251: ISAKMP:(0:1:SW:1):Send initial contact
*Mar  1 01:45:37.255: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 01:45:37.255: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 100.100.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:45:37.255: ISAKMP:(0:1:SW:1):Total payload length: 12
*Mar  1 01:45:37.263: ISAKMP:(0:1:SW:1): sending packet to 200.200.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 01:45:37.263: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:45:37.267: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  1 01:45:37.395: ISAKMP (0:134217729): received packet from 200.200.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 01:45:37.403: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Mar  1 01:45:37.407: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 200.200.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 01:45:37.411: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Mar  1 01:45:37.415: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
*Mar  1 01:45:37.423: ISAKMP:(0:1:SW:1):SA authentication status:
        authenticated
*Mar  1 01:45:37.423: ISAKMP:(0:1:SW:1):SA has been authenticated with 200.200.1.2
*Mar  1 01:45:37.427: ISAKMP: Trying to insert a peer 100.100.1.2/200.200.1.2/500/,  and inserted successfully 64946CF0.
*Mar  1 01:45:37.431: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 01:45:37.435: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  1 01:45:37.443: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 01:45:37.447: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  1 01:45:37.459: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 01:45:37.459: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  1 01:45:37.471: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 1792755294
*Mar  1 01:45:37.487: ISAKMP:(0:1:SW:1): sending packet to 200.200.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:45:37.491: ISAKMP:(0:1:SW:1):Node 1792755294, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 01:45:37.491: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 01:45:37.495: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 01:45:37.499: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 01:45:37.687: ISAKMP (0:134217729): received packet from 200.200.1.2 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 01:45:37.699: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1792755294
*Mar  1 01:45:37.703: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1792755294
*Mar  1 01:45:37.707: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar  1 01:45:37.707: ISAKMP: transform 1, ESP_AES
*Mar  1 01:45:37.707: ISAKMP:   attributes in transform:
*Mar  1 01:45:37.711: ISAKMP:      encaps is 1 (Tunnel)
*Mar  1 01:45:37.711: ISAKMP:      SA life type in seconds
*Mar  1 01:45:37.715: ISAKMP:      SA life duration (basic) of 3600
*Mar  1 01:45:37.715: ISAKMP:      SA life type in kilobytes
*Mar  1 01:45:37.719: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  1 01:45:37.723: ISAKMP:      authenticator is HMAC-SHA
*Mar  1 01:45:37.723: ISAKMP:      key length is 128
*Mar  1 01:45:37.727: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar  1 01:45:37.735: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 1792755294
*Mar  1 01:45:37.739: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1792755294
*Mar  1 01:45:37.739: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 1792755294
*Mar  1 01:45:37.759: ISAKMP: Locking peer struct 0x64946CF0, IPSEC refcount 1 for for stuff_ke
*Mar  1 01:45:37.763: ISAKMP:(0:1:SW:1): Creating IPSec SAs
*Mar  1 01:45:37.767:         inbound SA from 200.200.1.2 to 100.100.1.2 (f/i)  0/ 0
        (proxy 192.168.10.0 to 172.16.10.0)
*Mar  1 01:45:37.771:         has spi 0x961E59E3 and conn_id 0 and flags 2
*Mar  1 01:45:37.771:         lifetime of 3600 seconds
*Mar  1 01:45:37.779:         lifetime of 4608000 kilobytes
*Mar  1 01:45:37.779:         has client flags 0x0
*Mar  1 01:45:37.779:         outbound SA from 100.100.1.2 to 200.200.1.2 (f/i) 0/0
        (proxy 172.16.10.0 to 192.168.10.0)
*Mar  1 01:45:37.783:         has spi -1471896333 and conn_id 0 and flags A
*Mar  1 01:45:37.791:         lifetime of 3600 seconds
*Mar  1 01:45:37.791:         lifetime of 4608000 kilobytes
*Mar  1 01:45:37.791:         has client flags 0x0
*Mar  1 01:45:37.799: ISAKMP:(0:1:SW:1): sending packet to 200.200.1.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 01:45:37.803: ISAKMP:(0:1:SW:1):deleting node 1792755294 error FALSE reason "No Error"
*Mar  1 01:45:37.807: ISAKMP:(0:1:SW:1):Node 1792755294, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 01:45:37.811: ISAKMP:(0:1:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar  1 01:45:37.827: ISAKMP: Locking peer struct 0x64946CF0, IPSEC refcount 2 for from create_transforms
*Mar  1 01:45:37.831: ISAKMP: Unlocking IPSEC struct 0x64946CF0 from create_transforms, count 1
HQ#
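As an added example (not part of the original post), a small Python parser for a debug crypto isakmp capture like the one above: it pulls out the state transitions, the Phase 1 attributes the peer proposed, the authenticated peer and the messages worth a second look (no matching policy, no matching profile), then reports whether both phases completed. The embedded sample lines are constructed from the capture above, not the full capture.

```python
import re

# Constructed sample: a handful of lines in the shape of the "debug crypto isakmp"
# capture above (timestamps and values copied from it, not the full capture).
SAMPLE_DEBUG = """\
*Mar  1 01:45:36.475: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 01:45:36.735: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 01:45:36.771: ISAKMP:      encryption AES-CBC
*Mar  1 01:45:36.775: ISAKMP:      keylength of 128
*Mar  1 01:45:36.779: ISAKMP:      hash SHA
*Mar  1 01:45:36.779: ISAKMP:      default group 2
*Mar  1 01:45:36.787: ISAKMP:      auth pre-share
*Mar  1 01:45:36.803: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar  1 01:45:37.247: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4
*Mar  1 01:45:37.411: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Mar  1 01:45:37.423: ISAKMP:(0:1:SW:1):SA has been authenticated with 200.200.1.2
*Mar  1 01:45:37.459: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 01:45:37.811: ISAKMP:(0:1:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTR_RE = re.compile(r"ISAKMP:\s{2,}(encryption|keylength of|hash|default group|auth)\s+(\S+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\d+\.\d+\.\d+\.\d+)")


def parse_isakmp_debug(text):
    """Summarise a capture: state transitions, the phase 1 attributes the peer
    proposed, the authenticated peer, and lines worth a second look."""
    summary = {"transitions": [], "proposal": {}, "authenticated_peer": None,
               "atts_acceptable": False, "warnings": []}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            if m.group(1) != m.group(2):          # drop self-loops such as MM4 -> MM4
                summary["transitions"].append((m.group(1), m.group(2)))
            continue
        m = ATTR_RE.search(line)
        if m:
            summary["proposal"][m.group(1).replace(" of", "")] = m.group(2)
        elif "atts are acceptable" in line:
            summary["atts_acceptable"] = True
        elif "atts are not acceptable" in line:
            summary["warnings"].append("phase 1 proposal rejected: no matching isakmp policy")
        elif "matches *none* of the profiles" in line:
            summary["warnings"].append("no isakmp profile matched (expected when none is configured)")
        else:
            m = AUTH_RE.search(line)
            if m:
                summary["authenticated_peer"] = m.group(1)
    return summary


def tunnel_status(summary):
    """Report which IKE phases completed, judged by the states actually reached."""
    reached = {new for _, new in summary["transitions"]}
    return {"phase1": "IKE_P1_COMPLETE" in reached,
            "phase2": "IKE_QM_PHASE2_COMPLETE" in reached}
```

Feed it the saved output of terminal monitor / debug crypto isakmp; a capture that never reaches IKE_P1_COMPLETE together with an "atts are not acceptable" warning points at a policy mismatch rather than a key problem.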

How to Configure Site-to-Site IPSec VPN



This document describes how to configure a Site-to-Site IPsec VPN:

"What IPsec VPN is and how its pieces work together"

IKE Phase 1: Define the ISAKMP Policy and other Required Elements:
IKE Phase 1 establishes authentication and a secure channel, over which IKE Phase 2 (the IPsec tunnel) is negotiated to exchange data across the VPN.

The required elements for IKE Phase 1 on both sites; some of them must match on both sites:
Remote peer IP or Hostname (IKE Phase 1) – the IP address of each site, or a hostname (Fully Qualified Domain Name). A hostname is useful if your router gets its IP address from DHCP, meaning the IP constantly changes.
Key distribution method – the level of protection for the key exchange, i.e. which DH group (1, 2, 5, 7) of the asymmetric algorithm you use.
Authentication method – a “pre-shared key” or a “certificate” on both sites, which proves who you are.
Encryption Algorithm – once the asymmetric part (the DH public-key exchange) is complete, which symmetric encryption you use for the Phase 1 tunnel.
Hashing Algorithm – MD5 or SHA.
Lifetime – how long before the IPsec VPN session times out (86,400 is the default).

Policy for both Routers of IKE Phase 1:
Encryption: AES 128
Hashing: SHA-1
Authentication: Pre-Shared
Protection: DH2
Lifetime: 86,400

IKE Phase 2: Define the IPsec Policy and other Required Elements:
IKE Phase 2 focuses on establishing the secure IPsec tunnel for data transfer. (Once Phase 1 is complete, a separate tunnel for data transfer is brought up using those keys.)

The required elements for IKE Phase 2 on both sites; some of them must match on both sites:
Transform Set – sets the encryption (DES, 3DES, AES) and hashing (MD5, SHA) used for the data-transfer tunnel.
Peer Information – just the IP addresses of both sites (the same information as in Phase 1).
Interesting Traffic – configure an access-list defining the interesting traffic that needs to be encrypted from one site to the other.

Policy for both Routers of IKE Phase 2 (IPsec tunnel):
Encryption – ESP-AES
Hashing – ESP-SHA-HMAC

About ISAKMP (Internet Security Association and Key Management Protocol) – this protocol is defined by “RFC 2408” for establishing SAs (Security Associations) and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication and key exchange and is designed to be key-exchange independent; protocols such as IKE (Internet Key Exchange) and KINK (Kerberized Internet Negotiation of Keys) provide authenticated keying material for use with ISAKMP. (Reference: http://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol)


Here I design a simple topology to implement a site-to-site IPsec VPN:

Step by Step Configuration of IKE Phase 1 and 2 for IPsec VPN:

IKE Phase 1 Configuration steps:
Step 1: Enable ISAKMP (must be enabled)
HQ(config)#crypto isakmp enable

Step 2: Create an ISAKMP Policy (configure the policy as your requirements dictate)
HQ(config)#crypto isakmp policy 10   >> 10 is the priority; a lower number is preferred (checked first)
HQ(config-isakmp)#encryption aes 128  >> AES with a 128-bit key
HQ(config-isakmp)#authentication pre-share  >> use a pre-shared key
HQ(config-isakmp)#group 2  >> DH group 2 (1024-bit modulus)
HQ(config-isakmp)#hash sha  >> SHA-1, 160-bit digest
HQ(config-isakmp)#lifetime 86400  >> default lifetime (seconds)

Step 3: Configure the ISAKMP Identity (may be address or hostname)
HQ(config)#crypto isakmp identity address

Step 4: Configure the Pre-Shared Key
HQ(config)#crypto isakmp key 0 cisco123 address 200.200.1.2  >> 0 means the key is entered in clear text (not encrypted)

IKE Phase 2 Configuration steps:
Step 1: Create a transform set (sets the encryption and hashing for the “IPsec” data tunnel)
HQ(config)#crypto ipsec transform-set site2site esp-aes 128 esp-sha-hmac

Note: to enable IPsec transport mode (everything is encrypted) for use in a LAN environment, enter the mode under the transform set; tunnel mode is on by default:
HQ(config)#crypto ipsec transform-set site2site esp-aes 128 esp-sha-hmac
HQ(cfg-crypto-trans)#mode transport

Step 2: Configure the IPsec Lifetime (optional; may be in seconds or kilobytes)
HQ(config)#crypto ipsec security-association lifetime {seconds | kilobytes} <number>  >> configure as required (e.g. 86400), but be careful on a voice network

Step 3: Create an access-list (ACL) for interesting traffic (all matching traffic is encrypted)
HQ(config)#ip access-list extended hq2branch
HQ(config-ext-nacl)#permit ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255

Step 4: Set up the IPsec crypto map (the crypto map ties everything together)
HQ(config)#crypto map s2s_VPN 10 ipsec-isakmp  >> 10 is the sequence number; only one crypto map can be applied per interface
HQ(config-crypto-map)#match address hq2branch  >> the interesting-traffic ACL
HQ(config-crypto-map)#set peer 200.200.1.2
HQ(config-crypto-map)#set pfs group2  >> DH group 2 for the data tunnel (optional)
HQ(config-crypto-map)#set transform-set site2site

Apply on the interface:
HQ(config)#interface s0/0
HQ(config-if)#crypto map s2s_VPN

Note: Configure the other site's router (Branch) the same way, changing only the peer and the ACL as required.

IPsec VPN Verification Command List (more details below):
HQ#show crypto isakmp policy
HQ#show crypto map
HQ#show running-config | section crypto map
HQ#show crypto ipsec transform-set
HQ#show crypto isakmp sa
HQ#show crypto ipsec sa

HQ#debug crypto ipsec
HQ#debug crypto isakmp
HQ#clear crypto sa

IPsec VPN Verification Commands with More Details:

HQ#show crypto isakmp policy  >> view the ISAKMP policy I created
HQ#show crypto map  >> view the crypto map
Before applying the "HQ(config-if)#crypto map s2s_VPN" command

After applying the "HQ(config-if)#crypto map s2s_VPN" command
HQ#show running-config | section crypto map  >> view only the crypto map section of the running config
HQ#show crypto ipsec transform-set
HQ#show crypto isakmp sa  >> show the IKE Phase 1 SA (Security Association)
View IKE Phase 1 without passing any (interesting) traffic through the tunnel
View IKE Phase 1 after passing (interesting) traffic through the tunnel
Note: the first time you may see no entry; once some traffic passes through the tunnel you will see the entry (destination and source addresses; QM_IDLE means the tunnel is established and good to go; Active means the tunnel is active).

HQ#show crypto ipsec sa  >> show the IKE Phase 2 SA (Security Association)
View IKE Phase 2 without creating an IPsec session
View IKE Phase 2 after creating an IPsec session
Note: if anything does not match in the fields marked above, then something is wrong in the Phase 2 tunnel (crypto map, ACL, etc.).

HQ#debug crypto ipsec
HQ#debug crypto isakmp  >> show the messages exchanged as the VPN forms
HQ#clear crypto sa  >> clear the VPN sessions; turn on debug crypto isakmp before running clear crypto sa to see all the messages as the tunnel re-forms


Running Configuration of all routers on above topology (VPN):

Router HQ:
!
hostname HQ
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 200.200.1.2
no crypto isakmp ccm
!
crypto ipsec transform-set site2site esp-aes esp-sha-hmac
!
crypto map s2s_VPN 10 ipsec-isakmp
 set peer 200.200.1.2
 set transform-set site2site
 match address hq2branch
!
interface Serial0/0
 description "Connected to IPS"
 ip address 100.100.1.2 255.255.255.252
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map s2s_VPN
!
interface FastEthernet1/0
 description "Connected to HQ Inside Network"
 ip address 172.16.10.1 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip access-list extended hq2branch
 permit ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255
!
end

Router Branch:
!
hostname Branch
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 100.100.1.2
no crypto isakmp ccm
!
crypto ipsec transform-set site2site esp-aes esp-sha-hmac
!
crypto map s2s_VPN 10 ipsec-isakmp
 set peer 100.100.1.2
 set transform-set site2site
 match address branch2hq
!
interface Serial0/1
 description "Connected to ISP"
 ip address 200.200.1.2 255.255.255.252
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map s2s_VPN
!
interface FastEthernet1/0
 description "Connected to Branch Inside Network"
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1
!
ip access-list extended branch2hq
 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
!
end
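As an added example (not the author's code), a Python check that the two ends of the tunnel mirror each other the way the note above requires: same ISAKMP policy attributes, same pre-shared key and transform-set ciphers, each side's isakmp key address and set peer pointing at the other side's crypto-map interface address, and mirrored interesting-traffic ACLs. The configs are constructed from the HQ and Branch running-configs shown above, trimmed to the relevant lines and generated from one template.

```python
# Constructed from the HQ and Branch running-configs shown on this page: both ends
# are generated from one template so only the site-specific values differ.
SITE_TEMPLATE = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address {peer}
crypto ipsec transform-set site2site esp-aes esp-sha-hmac
crypto map s2s_VPN 10 ipsec-isakmp
 set peer {peer}
 match address {acl}
interface {intf}
 ip address {wan} 255.255.255.252
 crypto map s2s_VPN
ip access-list extended {acl}
 permit ip {lan} 0.0.0.255 {remote_lan} 0.0.0.255
"""
HQ_CONFIG = SITE_TEMPLATE.format(peer="200.200.1.2", acl="hq2branch", intf="Serial0/0",
                                 wan="100.100.1.2", lan="172.16.10.0", remote_lan="192.168.10.0")
BRANCH_CONFIG = SITE_TEMPLATE.format(peer="100.100.1.2", acl="branch2hq", intf="Serial0/1",
                                     wan="200.200.1.2", lan="192.168.10.0", remote_lan="172.16.10.0")

def parse_side(cfg):
    """Extract the settings one end contributes to the IKE/IPsec negotiation."""
    side = {"policy": {}, "key": None, "key_peer": None, "transform": None,
            "peer": None, "acl": [], "wan_ip": None}
    section, last_ip = [], None
    for line in cfg.splitlines():
        if not line.strip() or line == "!":
            continue
        if not line.startswith(" "):           # a top-level command opens a new section
            section = line.split()
            if section[:3] == ["crypto", "isakmp", "key"]:
                side["key"], side["key_peer"] = section[3], section[5]
            elif section[:3] == ["crypto", "ipsec", "transform-set"]:
                side["transform"] = tuple(section[4:])   # ciphers only; the name may differ
            continue
        words = line.split()
        if section[:3] == ["crypto", "isakmp", "policy"]:
            side["policy"][words[0]] = " ".join(words[1:])
        elif section[:2] == ["crypto", "map"] and words[:2] == ["set", "peer"]:
            side["peer"] = words[2]
        elif section[0] == "interface" and words[:2] == ["ip", "address"]:
            last_ip = words[2]
        elif section[0] == "interface" and words[:2] == ["crypto", "map"]:
            side["wan_ip"] = last_ip               # address of the interface carrying the map
        elif section[:2] == ["ip", "access-list"] and words[0] == "permit":
            side["acl"].append(tuple(words[2:6]))  # (src, src-wildcard, dst, dst-wildcard)
    return side

def check_mirror(a, b):
    """Return the mismatches between the two ends; an empty list means they agree."""
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("isakmp policy attributes differ")
    if a["key"] != b["key"]:
        problems.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        problems.append("transform-set ciphers differ")
    for me, other in ((a, b), (b, a)):
        if me["key_peer"] != other["wan_ip"]:
            problems.append("isakmp key address %s is not the peer WAN address %s"
                            % (me["key_peer"], other["wan_ip"]))
        if me["peer"] != other["wan_ip"]:
            problems.append("crypto map set peer %s is not the peer WAN address %s"
                            % (me["peer"], other["wan_ip"]))
    # The interesting-traffic ACLs must be exact mirrors: source and destination swapped.
    if set(a["acl"]) != {(d, dw, s, sw) for (s, sw, d, dw) in b["acl"]}:
        problems.append("interesting-traffic ACLs are not mirror images")
    return problems
```

A mistyped set peer or key address, the kind of slip that leaves show crypto isakmp sa empty, shows up as a named mismatch before any debug is needed.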

Router ISP:
!
hostname ISP
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface Serial0/0
 description "Connected to HQ"
 ip address 100.100.1.1 255.255.255.252
 serial restart-delay 0
 clockrate 64000
 no dce-terminal-timing-enable
!
interface Serial0/1
 description "Connected to Branch"
 ip address 200.200.1.1 255.255.255.252
 serial restart-delay 0
 clockrate 64000
 no dce-terminal-timing-enable
!
no ip http server
no ip http secure-server
ip classless
ip route 100.100.1.0 255.255.255.252 Serial0/0
ip route 200.200.1.0 255.255.255.252 Serial0/1
!
end



Wednesday, September 26, 2012

How to configure a Router as a Frame Relay Switch



Here I am going to configure a router to act as a Frame-Relay switch. One important thing is that the Frame-Relay switch must be configured as DCE. (In GNS3 the serial interface on both sides is DCE, which is why the clock rate needs to be configured. The clock rate depends on the cable type you have. Check whether an interface is DCE or DTE with the "show controllers serial 0/1" command.)
Topology of the network:

Frame-Relay Network Topology:

Step 1: Turn on the Frame-Relay PVC switching feature on this router.

FrameRelay(config)#frame-relay switching >> Global Config mode

Step 2: Configure Serial interface to provide Frame-Relay switching
FrameRelay(config)#interface serial 0/0
FrameRelay(config-if)#encapsulation frame-relay
FrameRelay(config-if)#clock rate 64000  >> For DCE
FrameRelay(config-if)#frame-relay intf-type dce  >> Configure a FR DCE
FrameRelay(config-if)#no frame-relay inverse-arp >> to disable inverse-arp

Step 3: Now configure the Frame-Relay routes; they are configured under the interface.
FrameRelay(config)#interface serial 0/0 >> under this interface
FrameRelay(config-if)#frame-relay route 102 interface serial 0/1 201
FrameRelay(config-if)#frame-relay route 103 interface serial 0/2 301

What does the command do? frame-relay route 103 (the incoming DLCI on s0/0) interface serial 0/2 (the outgoing interface toward the destination) 301 (the destination DLCI)

If we enter the “FrameRelay(config-if)#frame-relay intf-type dce” command without having entered the “FrameRelay(config)#frame-relay switching” command, then we get this message:

Note: Following the example above, configure all interfaces as required.

Step 4: Configure the Frame-Relay client routers as point-to-point or multipoint
Frame-Relay point-to-point example:
HQ(config)#interface serial 0/0
HQ(config-if)#encapsulation frame-relay
HQ(config-if)#no shutdown >> apply after all configuration is done
HQ(config-if)#exit

Configure the sub-interfaces:
HQ(config)#interface serial 0/0.102 point-to-point
HQ(config-subif)#ip address 192.168.1.1 255.255.255.252
HQ(config-subif)#frame-relay interface-dlci 102 >> bind local DLCI 102 to this sub-interface
HQ(config-subif)#exit

HQ(config)#interface serial 0/0.103 point-to-point
HQ(config-subif)#ip address 192.168.2.1 255.255.255.252
HQ(config-subif)#frame-relay interface-dlci 103 >> bind local DLCI 103 to this sub-interface
HQ(config-subif)#exit

What does HQ(config-subif)#frame-relay interface-dlci 102 do? Whenever traffic uses this sub-interface, it goes out on this local DLCI (102). No map is necessary, and no broadcast keyword, unlike a multipoint configuration.

Note: Apply the same configuration to every router that acts as a Frame-Relay client.

Frame Relay Show or Troubleshoot command:
Frame-Relay Switch (Router):
FrameRelay#show frame-relay pvc
FrameRelay#show frame-relay route  >> to show the Frame-Relay route
FrameRelay#show frame-relay lmi

Frame-Relay Client (Router):
HQ#show frame-relay map
HQ#show frame-relay lmi
HQ#show frame-relay pvc

Ping test:



Show Running Configuration of topology routers:
FrameRelay (Router):
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clockrate 64000
 no dce-terminal-timing-enable
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 102 interface Serial0/1 201
 frame-relay route 103 interface Serial0/2 301
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clockrate 64000
 no dce-terminal-timing-enable
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 104 interface Serial0/2 401
 frame-relay route 201 interface Serial0/0 102
!
interface Serial0/2
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 clockrate 64000
 no dce-terminal-timing-enable
 no frame-relay inverse-arp
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0/0 103
 frame-relay route 401 interface Serial0/1 104
!
HQ (Router):
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial0/0.102 point-to-point
 ip address 192.168.1.1 255.255.255.252
 frame-relay interface-dlci 102  
!
interface Serial0/0.103 point-to-point
 ip address 192.168.2.1 255.255.255.252
 frame-relay interface-dlci 103  
!
Branch1 (Router):
!
interface Serial0/1
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial0/1.104 point-to-point
 ip address 192.168.3.1 255.255.255.252
 frame-relay interface-dlci 104  
!
interface Serial0/1.201 point-to-point
 ip address 192.168.1.2 255.255.255.252
 frame-relay interface-dlci 201  
!
Branch2 (Router):
!
interface Serial0/2
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no dce-terminal-timing-enable
!
interface Serial0/2.301 point-to-point
 ip address 192.168.2.2 255.255.255.252
 frame-relay interface-dlci 301  
!
interface Serial0/2.401 point-to-point
 ip address 192.168.3.2 255.255.255.252
 frame-relay interface-dlci 401  
!
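As an added example (not from the original post), a Python check over the switch's frame-relay route table and the client DLCIs above: every PVC must have its reverse entry, every client DLCI must be switched somewhere, and the PVCs can be mapped back to the router pairs they connect. The embedded switch config is constructed from the FrameRelay running-config shown above; the CLIENTS mapping of router to switch port is an assumption read off the client configs.

```python
# Constructed from the FrameRelay switch and client configs shown above: the switch's
# "frame-relay route" lines, and the DLCIs each client binds on its access interface.
SWITCH_CONFIG = """\
interface Serial0/0
 frame-relay intf-type dce
 frame-relay route 102 interface Serial0/1 201
 frame-relay route 103 interface Serial0/2 301
interface Serial0/1
 frame-relay intf-type dce
 frame-relay route 104 interface Serial0/2 401
 frame-relay route 201 interface Serial0/0 102
interface Serial0/2
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0/0 103
 frame-relay route 401 interface Serial0/1 104
"""
# Assumed topology: client name -> (switch port it hangs off, DLCIs of its sub-interfaces)
CLIENTS = {"HQ": ("Serial0/0", [102, 103]),
           "Branch1": ("Serial0/1", [104, 201]),
           "Branch2": ("Serial0/2", [301, 401])}


def parse_routes(cfg):
    """Return {(in_intf, in_dlci): (out_intf, out_dlci)} from the frame-relay route lines."""
    routes, intf = {}, None
    for line in cfg.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            intf = words[1]
        elif words[:2] == ["frame-relay", "route"]:
            # frame-relay route <in-dlci> interface <out-intf> <out-dlci>
            routes[(intf, int(words[2]))] = (words[4], int(words[5]))
    return routes


def check_switch(routes, clients):
    """Each PVC needs a matching reverse entry, and each client DLCI needs a route."""
    problems = []
    for (in_intf, in_dlci), (out_intf, out_dlci) in routes.items():
        if routes.get((out_intf, out_dlci)) != (in_intf, in_dlci):
            problems.append("no reverse route for %s dlci %d -> %s dlci %d"
                            % (in_intf, in_dlci, out_intf, out_dlci))
    for name, (port, dlcis) in clients.items():
        for dlci in dlcis:
            if (port, dlci) not in routes:
                problems.append("%s uses dlci %d on %s but the switch has no route for it"
                                % (name, dlci, port))
    return problems


def pvc_endpoints(routes, clients):
    """Map the switched PVCs back to the pairs of client routers they connect."""
    owner = {(port, dlci): name for name, (port, dlcis) in clients.items() for dlci in dlcis}
    pairs = set()
    for ingress, egress in routes.items():
        if ingress in owner and egress in owner:
            pairs.add(frozenset({owner[ingress], owner[egress]}))
    return pairs
```

Drop one route line and the check names both the PVC left without its return path and the client sub-interface that now has nowhere to go, which is what an "inactive" PVC in show frame-relay pvc usually comes down to.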