LAB 4-8: Virtual Private Network (VPN) – IPsec (Site-to-Site)
You are the Network Administrator at the Ranet Branch Office and have to configure the new Ranet-BR router so that your own host can reach the internet and the hosts in Headquarters (192.168.0.0/24) via a Site-to-Site IPsec VPN, as follows:
(configure the Ranet-BR router via the console terminal)
1. Enable the LAN interface on Ranet-BR and set its IP address to the first assignable IP of the 192.168.1.0/28 network.
2. Enable the WAN interface on Ranet-BR and set its IP address to the last assignable IP of the 202.170.100.28/30 network.
3. Set the IP address of Host-BR to the last assignable IP of the 192.169.1.0/28 network, and set its gateway and DNS server (202.170.100.54) as well.
4. Configure routing and NAT on Ranet-BR so that the hosts in the LAN can reach the internet (do not forget to exclude the VPN traffic from NAT).
(for NAT, use access-list no. 100 and a pool named “Ranet” that contains the global IPs received from the ISP, 202.170.100.9 – 202.170.100.14)
5. Configure the Site-to-Site IPsec VPN using the properties below:
- For IKE phase I: policy priority 101; encryption algorithm AES-128; hash algorithm Secure Hash Standard (SHA); authentication method pre-shared key; Diffie-Hellman group 5; lifetime 86,400 sec. Use “ranetvpnpass” as the key. Note that the IP address of the WAN interface of Ranet-HQ is 202.170.100.130.
- For IKE phase II: use a transform set named “Ranet” with an ESP transform using AES for encryption and HMAC-SHA as the authentication algorithm.
- Use a crypto map named “Site-to-Site” with sequence no. 101, and access-list no. 101 to define the VPN (interesting) traffic.
If everything is correct, Host-BR should be able to open the website www.ranet.co.th and ping Server-HQ (192.168.0.7) in the Headquarters network.
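A worked Ranet-BR configuration covering steps 1, 2, 4 and 5, added here as an example and not the lab's own solution. The interface names (GigabitEthernet0/0 and 0/1) and the ISP next hop 202.170.100.29 (the other usable address of the /30) are assumptions the lab does not state.

```cisco
! --- Steps 1-2: interfaces (names are an assumption; the lab does not give them)
interface GigabitEthernet0/0
 description LAN - first usable address of 192.168.1.0/28
 ip address 192.168.1.1 255.255.255.240
 ip nat inside
 no shutdown
interface GigabitEthernet0/1
 description WAN - last usable address of 202.170.100.28/30
 ip address 202.170.100.30 255.255.255.252
 ip nat outside
 no shutdown
!
! --- Step 4: default route and NAT. Next hop .29 is an assumption.
! ACL 100 must DENY branch-to-HQ traffic before the permit, so the VPN
! traffic keeps its private source address; if it were translated, it
! would never match crypto ACL 101 and would go out in the clear.
ip route 0.0.0.0 0.0.0.0 202.170.100.29
access-list 100 deny   ip 192.168.1.0 0.0.0.15 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.15 any
ip nat pool Ranet 202.170.100.9 202.170.100.14 netmask 255.255.255.248
ip nat inside source list 100 pool Ranet overload
!
! --- Step 5: IKE phase I (ISAKMP policy 101, as specified by the lab)
crypto isakmp policy 101
 encryption aes 128
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp key ranetvpnpass address 202.170.100.130
!
! --- Step 5: IKE phase II transform set and the interesting-traffic ACL.
! ACL 101 is the mirror image of what the HQ side must define.
crypto ipsec transform-set Ranet esp-aes esp-sha-hmac
access-list 101 permit ip 192.168.1.0 0.0.0.15 192.168.0.0 0.0.0.255
!
crypto map Site-to-Site 101 ipsec-isakmp
 set peer 202.170.100.130
 set transform-set Ranet
 match address 101
!
! Apply the crypto map to the WAN interface (the peer-facing side)
interface GigabitEthernet0/1
 crypto map Site-to-Site
```

After a ping from Host-BR to 192.168.0.7, `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should show non-zero encaps/decaps counters; if the counters stay at zero, check the NAT deny line and ACL 101 first.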