50 ESP Encap Security Payload Y [RFC4303]
Step 1. Load initial configurations. (see below)
Step 2. Turn off console logging on R1, because you are using the log keyword in your ACL and you will get a lot of hits. Use show logging | include ACCESS to look at your hits.
(Remember ip access-list log-update threshold 1, guys, so every packet is logged rather than only the first of each flow.)
Step 3. Remove tunnel protection on R3.
Step 4. Clear the access-list counters and the logging buffer on R1.
Step 5. Apply tunnel protection on R3 again.
Step 6. Sit back and enjoy the show.
Show your access-list and logging buffer.
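To make sense of the hits, here is an added example (not part of the original post) that parses the R1 logging buffer and reports the order in which each protocol first appeared: ISAKMP (UDP 500) for the IKE exchange, then protocol 50 (ESP) once the SAs are up. The sample lines are constructed, not captured from the lab, and the %SEC-6-IPACCESSLOG message layouts are assumed from IOS conventions.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample of `show logging | include ACCESS` on R1 (assumed IOS formats:
# IPACCESSLOGP = tcp/udp with ports, IPACCESSLOGNP = other protocols by IANA number,
# IPACCESSLOGDP = icmp with type/code).
SAMPLE_LOG = """\
*Mar 30 23:55:01.123: %SEC-6-IPACCESSLOGP: list PACKET-COUNTER permitted udp 23.1.1.3(500) -> 12.1.1.1(500), 1 packet
*Mar 30 23:55:01.400: %SEC-6-IPACCESSLOGP: list PACKET-COUNTER permitted udp 23.1.1.3(500) -> 12.1.1.1(500), 1 packet
*Mar 30 23:55:02.010: %SEC-6-IPACCESSLOGNP: list PACKET-COUNTER permitted 50 23.1.1.3 -> 12.1.1.1, 1 packet
*Mar 30 23:55:02.512: %SEC-6-IPACCESSLOGNP: list PACKET-COUNTER permitted 50 23.1.1.3 -> 12.1.1.1, 1 packet
*Mar 30 23:55:03.000: %SEC-6-IPACCESSLOGDP: list PACKET-COUNTER permitted icmp 23.1.1.3 -> 12.1.1.1 (8/0), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|NP|DP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)

# IANA protocol numbers that IOS prints numerically in IPACCESSLOGNP messages.
PROTO_NAMES = {"47": "gre", "50": "esp", "51": "ahp"}

def parse_acl_log(text):
    """Return one dict per matched log line with the protocol name normalised."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["proto"] = PROTO_NAMES.get(ev["proto"], ev["proto"])
        if ev["proto"] == "udp" and "500" in (ev["sport"], ev["dport"]):
            ev["proto"] = "isakmp"          # IKE phase 1/2 negotiation
        ev["count"] = int(ev["count"])
        events.append(ev)
    return events

def protocol_timeline(events):
    """Protocols in first-seen order, each with its total packet count."""
    first_seen = OrderedDict()
    totals = Counter()
    for ev in events:
        first_seen.setdefault(ev["proto"], True)
        totals[ev["proto"]] += ev["count"]
    return [(proto, totals[proto]) for proto in first_seen]

def esp_follows_isakmp(timeline):
    """True when the IKE exchange was seen before the first ESP packet."""
    order = [proto for proto, _ in timeline]
    return "isakmp" in order and "esp" in order and order.index("isakmp") < order.index("esp")
```

Run protocol_timeline(parse_acl_log(SAMPLE_LOG)) against your own buffer output; if ESP shows up with no preceding ISAKMP hits, the SAs were already established before you cleared the buffer.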
initial configs
======== R1 ============
R1#sho run
Building configuration...
Current configuration : 2533 bytes
!
! Last configuration change at 22:34:25 UTC Fri Mar 30 2018
upgrade fpd auto
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 23.1.1.3
!
!
crypto ipsec transform-set IPSEC-TRANSFORM-SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set IPSEC-TRANSFORM-SET
!
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
ip address 13.1.1.1 255.255.255.0
tunnel source 12.1.1.1
tunnel destination 23.1.1.3
tunnel protection ipsec profile IPSEC-PROFILE
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
ip address 12.1.1.1 255.255.255.0
ip access-group PACKET-COUNTER in
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 12.1.1.1 0.0.0.0 area 0
!
router bgp 100
bgp log-neighbor-changes
neighbor 13.1.1.3 remote-as 300
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended PACKET-COUNTER
permit gre host 23.1.1.3 host 12.1.1.1
permit ospf any any
permit tcp any eq bgp any
permit tcp any any eq bgp
permit icmp host 23.1.1.3 host 12.1.1.1 port-unreachable
permit icmp any any 0 0 log
permit icmp any any log
permit ahp any any log
permit esp any any log
permit pcp any any log
permit udp any any eq isakmp log
permit ip any any log
!
ip access-list log-update threshold 1
no cdp log mismatch duplex
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
!
end
R1#
======== R2 ============
R2#sho run
Building configuration...
Current configuration : 1518 bytes
!
! Last configuration change at 20:48:23 UTC Fri Mar 30 2018
upgrade fpd auto
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 12.1.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
ip address 23.1.1.2 255.255.255.0
serial restart-delay 0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
!
end
R2#
======== R3 ============
R3#sho run
Building configuration...
Current configuration : 2044 bytes
!
! Last configuration change at 23:52:44 UTC Fri Mar 30 2018
upgrade fpd auto
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 12.1.1.1
!
!
crypto ipsec transform-set IPSEC-TRANSFORM-SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set IPSEC-TRANSFORM-SET
!
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel1
ip address 13.1.1.3 255.255.255.0
tunnel source 23.1.1.3
tunnel destination 12.1.1.1
tunnel protection ipsec profile IPSEC-PROFILE
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
ip address 23.1.1.3 255.255.255.0
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
network 3.3.3.3 0.0.0.0 area 0
network 23.1.1.3 0.0.0.0 area 0
!
router bgp 300
bgp log-neighbor-changes
neighbor 13.1.1.1 remote-as 100
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
transport input all
!
!
end
R3#
====================================================================
Drop these commands into R1 to quickly clear the counters and load the show commands, so they are ready for up-arrow reuse:
enable
clear logging
clear access-list counters
show access-lists
show logging | include ACCESS