
Create an IPsec VPN tunnel using Packet Tracer - CCNA Security

380 ratings | 29008 views
http://danscourses.com - Learn how to create an IPsec VPN tunnel on Cisco routers using the Cisco IOS CLI. CCNA security topic.

1. Starting configurations for R1, ISP, and R3. Paste to global config mode:

hostname R1
interface g0/1
 ip address 192.168.1.1 255.255.255.0
 no shut
interface g0/0
 ip address 209.165.100.1 255.255.255.0
 no shut
exit
ip route 0.0.0.0 0.0.0.0 209.165.100.2

hostname ISP
interface g0/1
 ip address 209.165.200.2 255.255.255.0
 no shut
interface g0/0
 ip address 209.165.100.2 255.255.255.0
 no shut
exit

hostname R3
interface g0/1
 ip address 192.168.3.1 255.255.255.0
 no shut
interface g0/0
 ip address 209.165.200.1 255.255.255.0
 no shut
exit
ip route 0.0.0.0 0.0.0.0 209.165.200.2

2. Make sure routers have the security license enabled:

license boot module c1900 technology-package securityk9

3. Configure IPsec on the routers at each end of the tunnel (R1 and R3):

!R1
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secretkey address 209.165.200.1
!
crypto ipsec transform-set R1-R3 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 209.165.200.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set R1-R3
 match address 100
!
interface GigabitEthernet0/0
 crypto map IPSEC-MAP
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

!R3
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secretkey address 209.165.100.1
!
crypto ipsec transform-set R3-R1 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 209.165.100.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set R3-R1
 match address 100
!
interface GigabitEthernet0/0
 crypto map IPSEC-MAP
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
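A consistency check for the R1 and R3 crypto settings in the description above, as an added example that is not from the video or its author. `parse` and `check_pair` are hypothetical helpers; the code assumes each router has one ISAKMP policy, one crypto map entry and no ACL other than the crypto ACL.

```python
import re

# Crypto-relevant lines of the page's R1 configuration.
R1 = """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key secretkey address 209.165.200.1
crypto ipsec transform-set R1-R3 esp-aes 256 esp-sha-hmac
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 209.165.200.1
 set pfs group5
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
# The page's R3 differs only in peer address, transform-set name and ACL direction.
R3 = (R1.replace("209.165.200.1", "209.165.100.1").replace("R1-R3", "R3-R1")
        .replace("192.168.1.0 0.0.0.255 192.168.3.0", "192.168.3.0 0.0.0.255 192.168.1.0"))

def parse(cfg):
    """Pull out the settings the two tunnel ends must agree on (hypothetical helper)."""
    grab = lambda pattern: re.findall(pattern, cfg, re.M)
    return {
        "policy": sorted(grab(r"^ (encryption .+|authentication .+|group \d+|hash \w+)\s*$")),
        "key": grab(r"^crypto isakmp key (\S+) address (\S+)"),
        "transform": grab(r"^crypto ipsec transform-set \S+ (.+?)\s*$"),
        "peer": grab(r"^ set peer (\S+)"),
        "pfs": grab(r"^ set pfs (\S+)"),
        "acl": grab(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)"),
    }

def check_pair(a_cfg, b_cfg):
    """Return a list of mismatches between the two ends; empty means consistent."""
    a, b = parse(a_cfg), parse(b_cfg)
    problems = [f"{f} differs: {a[f]} vs {b[f]}"
                for f in ("policy", "transform", "pfs") if a[f] != b[f]]
    if [k for k, _ in a["key"]] != [k for k, _ in b["key"]]:
        problems.append("pre-shared keys differ")  # never echo the key itself
    for name, side in (("A", a), ("B", b)):
        if [addr for _, addr in side["key"]] != side["peer"]:
            problems.append(f"side {name}: key address does not match 'set peer'")
    if sorted(a["acl"]) != sorted((dst, src) for src, dst in b["acl"]):
        problems.append("crypto ACLs are not mirror images")
    return problems

if __name__ == "__main__":
    print(check_pair(R1, R3) or "R1 and R3 are consistent")
```

The transform-set name is deliberately ignored, since it is local to each router; only the algorithms after it are compared.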
Text Comments (64)
Saad Ibrahim (7 days ago)
Cool, your explanation was amazing bro, thank you
Koen van der rijt (9 days ago)
/me furiously typing to configure the routers.. and then comes the "you can copy paste with these" ;-) (I like to type it anyway but still funny) and a question? I yanked a network cable out. The tunnel wasn't automatically coming up again after reconnecting the cable. How do I reconnect the tunnel?
alehandro del (13 days ago)
You are the best! You really make the CISCO enjoyable! Thanks.
Diego Gudino (19 days ago)
Great explanation. I have a question, can I create an ipsec vpn tunnel with a router where the wan port is connected on the local network? It means that the outside ip will be a private address. Thank you very much
Volf Khat (25 days ago)
Hola Dan, In your Phase-1 HAGLE, we don't see you configure the "Hash" or the "Lifetime". What gives?? **gracias**
chao d (26 days ago)
Do we need any static route? I followed your instructions line by line.. But that didn't work for me
chao d (26 days ago)
ignore.. please .. it is working now :) Thx Sir ... Though I don't get any replies.. but like commenting on your videos and like putting forth questions
chao d (29 days ago)
Sir, do you have any videos on IPSEC over DMVPN?
Abiyot Tesfay (1 month ago)
I am a self-learner. It is clear and easy to understand. Keep up making such lessons.
Rizwanullah Muhammad (1 month ago)
Your videos are very precise, thumbs up bro
Rathsara Relapanawa (1 month ago)
By the way, what about the Hash type on the crypto isakmp policy? Isn't that necessary?
Volf Khat (25 days ago)
Agreed. just asked the same Q...
Rathsara Relapanawa (1 month ago)
Thank you very much for this. It worked like a charm.
David Cardoza (1 month ago)
I admire your teaching method, Dan...I appreciate that you don't rush through your tutorials. Packet Tracer has become a kind of video game to me. Please keep up the great work. Thank you!
priti2003 (2 months ago)
You are great at explaining concepts. Thanks for the video.
RasChristian (3 months ago)
Hey I am CCNA Security and you have explained everything so clearly, thank you very much mate from Costa Rica excellent
Fatima El-amin (3 months ago)
Very beneficial, thanks a lot!
Shithanshu Mishra (3 months ago)
is this the same as remote access VPN?
Derek Xue (3 months ago)
wah wow~
Suyog Dahal (3 months ago)
@danscourses What if we have large subnets on both sides? At that time, how do you provide the ACL command in a range? Is there a way to permit individual networks? Please help me! With regards, Suyog Dahal
Mike Brooks (4 months ago)
How can I NAT or PAT with multiple subnets?
Suyog Dahal (3 months ago)
The main thing to look out for while configuring NAT or PAT for multiple subnets is the access list. Here you have to permit every network available within the router where you want to NAT or PAT. And for the command, you can search on the net.
Mharbi Rim (4 months ago)
Hello, thank you for this video. I'm trying to do the same in my topology. I chose a 2811 router, but I can't verify whether securityK9 is activated or not: the show version command doesn't show anything about it, and the show license command is not available on the 2811 router. How can I make it work, please? Thanks
Ilham Satyabudi (4 months ago)
Hello sir, your fan from Indonesia here. Thx to your videos, I passed CCNA RS with 912 and now have a full-time job in network engineering. You are a life-saver instructor, making a difficult subject easy while keeping it practical. Please keep making videos like this. I just want you to know, your videos are life-changers, for me and for other students around the world!
Darryl Mitchell (4 months ago)
Thanks for the Level up!!!
Nader Abbaspour (5 months ago)
That's what I was looking for thanks for the tutorial
Yassine Settai (5 months ago)
Not working for me :/
SeLiM Kerimoglu (3 months ago)
Add NAT translation in your configuration
Tray Amp (5 months ago)
Terrific video! How could I adjust this to work when the LANs on R1 and R3 are overlapping?
tony li (5 months ago)
Wow. This explanation is magnificent!!!! Really useful!
Muhammad Zubair Khalid (5 months ago)
Tried a couple of times... could not ping at all
Sarah Adha Adam (3 months ago)
bro, mine can't ping either. stupid qn, but does he configure the ISP router other than what is stated in the first part of the video description? (eg hostname, interface)
Muhammad Zubair Khalid (3 months ago)
That would be great. Btw, I no longer work on it. However, it will be a help in future. Thanks anyway
Tlamelo Motlhatlhedi (3 months ago)
Alright, I'll send you the solution here once I figure out what the issue is
Muhammad Zubair Khalid (3 months ago)
+Tlamelo Motlhatlhedi aah nope... Didn't try again..
Tlamelo Motlhatlhedi (3 months ago)
Me too, but the configurations are correct. Any luck?
Mohsin Mushtaq (6 months ago)
Why do you have the same IP address on both legs of the ISP router?
Volf Khat (25 days ago)
He doesn't. The 3rd octet is different :]
Rune Rocker (6 months ago)
Does this work with a router 2811 or only with 1941 ?
Digital Brekke (2 months ago)
For the 2911 you can type: license boot module c2900 technology-package securityk9 When I tried the 2811 router, I didn't need to insert a license. I might be wrong, but it seems like it's already installed on the 2811
rochdi fezai (6 months ago)
Great video, but why didn't you configure NAT translation? I'm wondering, in that case, should we ignore NATing the network going from one site to another site?
Ilias Abrams (6 months ago)
Hi, nice job, however I was wondering If you should add static routes into ISP router configuration, points to both networks (192.168.1.0 and 3.0) ?
Volf Khat (25 days ago)
No man. That's the whole point of an IPsec tunnel. The ISP router is "in the middle"... but they CAN'T see who you are REALLY talking to on the other side. It's by design
Chris C (7 months ago)
I don't know how your videos don't have thousands and thousands of upvotes. Your video series is amazingly good.
Muhammad Idham Habibie (7 months ago)
Hi , thanks for your help in this video. I'm just wondering, I have tried couple times for reloading the license (using reload command in the packet tracer). However, I'm not sure that it boots my license anyway.
Montathar Hayder (7 months ago)
you are legend
NitrousUp (7 months ago)
Great tutorial, but in the beginning you said "remember to connect router with crossover cable". I think if someone doesn't know this already, he/she should NOT watch this video! :P
Luay Elias (8 months ago)
Indeed a wonderful course, thanks so much
It's one of the best among all YouTube videos. Appreciate
Catalytic Centaur (8 months ago)
Pretty cool, indeed. Thank you.
Abubakar Al-bakri (8 months ago)
Awesome tutorial! Thanks for making it!
leroy williams (9 months ago)
your videos are fantastic! will you be adding more security 210-260 videos?
AndroidGameplay4All (9 months ago)
No one has ever been able to explain IPsec like you on YouTube. Hats off.
Saad Ibrahim (7 days ago)
Totally
mrnaamila (7 months ago)
Totally agree with you..
uwagboe onaolapo (9 months ago)
Thanks Boss... I introduced a layer 3 router in between to set up a multiple site-to-site VPN: site A, B and C. But after the whole process I couldn't reach the main site A from site C. Kindly guide me on this. Thanks. Awaiting your response.
uwagboe onaolapo (9 months ago)
I would like you to give it a try boss...
danscourses (9 months ago)
Not sure, but it sounds like an interesting project to try out in Packet Tracer.
Matlesylc (9 months ago)
Awesome tutorial! Thanks for making it!
surin salaeh (9 months ago)
+ + +
Spectr3 L. (9 months ago)
and I can't enter the gateway, or the tech....
Spectr3 L. (9 months ago)
too long.. I don't have kronos
Yeudy Jimenez (9 months ago)
Like always your videos are great!!! Thanks and greetings from Costa Rica!
danscourses (9 months ago)
Thanks! Pura Vida!
