hacktracking: # Dynamic and static VTI

# Dynamic and static VTI

Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24
[ROUTER-1] vt1: 192.168.0.1/24 (virtual-template1)
[ROUTER-1] lo0: 192.168.0.1/24

[ROUTER-2] lo0: 192.168.0.2/24
[ROUTER-2] tu0: 192.168.0.2/24
[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2) fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Dynamic VTI (Hub)

The hub cannot initiate a site-to-site VPN because it does not know the peer IP address.

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto keyring KEYRING
ROUTER-1(conf-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key 0 SECRET_KEY
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto isakmp profile PROFILE
ROUTER-1(conf-isa-prof)# match identity address 0.0.0.0 0.0.0.0
ROUTER-1(conf-isa-prof)# keyring KEYRING
ROUTER-1(conf-isa-prof)# virtual-template 1
ROUTER-1(config)# crypto ipsec profile PROFILE
ROUTER-1(config-profile)# set transform-set TRANSFORM_SET
ROUTER-1(config-profile)# set isakmp-profile PROFILE
ROUTER-1(config-profile)# set pfs group2
ROUTER-1(config)# interface lo0
ROUTER-1(config-if)# ip address 192.168.0.1 255.255.255.0
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# interface virtual-template1 type tunnel
ROUTER-1(config-if)# ip unnumbered lo0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel mode ipsec ipv4
ROUTER-1(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-1(config)# router ospf 1
ROUTER-1(config-router)# network 192.168.0.0 0.0.255.255 area 0
ROUTER-1(config-router)# passive-interface default
ROUTER-1(config-router)# no passive-interface virtual-template1

Static VTI (Spoke)

The spokes initiate the site-to-site VPN.

ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto ipsec profile PROFILE
ROUTER-2(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-2(config-crypto-map)# set pfs group2
ROUTER-2(config)# interface lo0
ROUTER-2(config-if)# ip address 192.168.0.2 255.255.255.0
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip unnumbered lo0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
ROUTER-2(config-if)# tunnel mode ipsec ipv4
ROUTER-2(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-2(config)# router ospf 1
ROUTER-2(config-router)# network 192.168.0.0 0.0.255.255 area 0
ROUTER-2(config-router)# passive-interface default
ROUTER-2(config-router)# no passive-interface tu0

# Dynamic and static VTI

No comments: