CCNA LAB - 4.8 Virtual Private Network (VPN) - IPsec (Site-to-Site)

LAB 4-8: Virtual Private Network (VPN) – IPsec (Site-to-Site)

You are the network administrator at the Ranet branch office and have to configure the new Ranet-BR router so that your own host can reach the internet and the hosts in Headquarters ( via a Site-to-Site IPsec VPN, as below:
(configure the Ranet-BR router via its console terminal)

1. Enable the LAN interface on Ranet-BR and set its IP address to the first assignable IP of the network.

2. Enable the WAN interface on Ranet-BR and set its IP address to the last assignable IP of the network.

3. Set the IP address of Host-BR to the last assignable IP of the network, and set the gateway and the DNS server ( as well.

4. Configure the route and NAT on Ranet-BR so that the hosts in the LAN can reach the internet (do not forget to exclude the VPN traffic from NAT: IOS translates inside-to-outside traffic before it checks the crypto map, so VPN traffic that gets translated no longer matches the VPN access-list and never enters the tunnel).
(for NAT, use access-list no. 100 and a pool named “Ranet” that contains the global IP received from the ISP as –

5. Configure the Site-to-Site IPsec VPN with the following properties:

- For IKE phase 1: policy priority 101; encryption algorithm AES 128-bit; hash algorithm Secure Hash Standard (SHA); authentication method pre-shared key; Diffie-Hellman group 5; lifetime 86,400 seconds. Use “ranetvpnpass” as the key. Note that the IP address of the WAN interface of Ranet-HQ is
- For IKE phase 2: use a transform set named “Ranet” with ESP, AES for encryption and HMAC-SHA as the authentication algorithm.
- Use a crypto map named “Site-to-Site” with sequence no. 101, and access-list no. 101 to define the VPN (interesting) traffic.

If everything is correct, Host-BR should be able to open the website and ping Server-HQ in the Headquarters network.


Ranet-BR config
(copy & paste the commands below to the Ranet-BR router.)
conf t
! LAN interface: first assignable IP, NAT inside
int fa0/0
no sh
ip add
ip nat inside
! WAN interface: last assignable IP, NAT outside
int s0/0/0
no sh
ip add
ip nat outside

! Default route towards the ISP
ip route s0/0/0
! NAT ACL: deny the branch-to-HQ VPN traffic first so it is not translated, then permit the rest
access-list 100 deny ip
access-list 100 permit ip any
ip nat pool Ranet netmask
ip nat inside source list 100 pool Ranet overload
! IKE phase 1 (ISAKMP) policy
crypto isakmp policy 101
encryption aes 128
hash sha
authentication pre-share
group 5
lifetime 86400

! Pre-shared key for the Ranet-HQ peer (shown in clear text in the running config unless type 6 key encryption is enabled)
crypto isakmp key ranetvpnpass address
! Crypto ACL: the interesting traffic to encrypt
access-list 101 permit ip
! IKE phase 2 (IPsec) transform set and crypto map
crypto ipsec transform-set Ranet esp-aes esp-sha-hmac
crypto map Site-to-Site 101 ipsec-isakmp
set peer
set transform-set Ranet
match address 101

! Bind the crypto map to the WAN interface
int s0/0/0
crypto map Site-to-Site
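As an added example (not part of the lab page or of Cisco's tooling), the Python script below performs a static check of the two points that most often go wrong in a configuration like the one above: whether the NAT ACL exempts the VPN traffic before its permit line, and whether the crypto map is bound to the NAT-outside interface and references a defined peer key, transform set and crypto ACL. The sample configuration embedded in it is constructed with RFC 5737 / RFC 1918 addresses (branch LAN 10.1.0.0/24, HQ LAN 10.2.0.0/24, branch WAN 203.0.113.2, HQ peer 198.51.100.1) as assumptions standing in for the lab's own addresses; the function names are my own.

```python
"""Static checks for a Cisco IOS site-to-site IPsec + NAT config (added example,
not from the CCNA lab page; addresses are constructed RFC 5737/1918 stand-ins)."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 crypto map Site-to-Site
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
access-list 100 deny ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
ip nat pool Ranet 203.0.113.2 203.0.113.2 netmask 255.255.255.252
ip nat inside source list 100 pool Ranet overload
crypto isakmp policy 101
 encryption aes 128
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp key ranetvpnpass address 198.51.100.1
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
crypto ipsec transform-set Ranet esp-aes esp-sha-hmac
crypto map Site-to-Site 101 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set Ranet
 match address 101
"""
# Same config with the NAT exemption left out: the mistake the lab warns about.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "access-list 100 deny ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255\n", "")

def _acl_net(tokens):
    """One ACL address spec (any | NET WILDCARD) -> (network, remaining tokens).
    The wildcard is inverted to a netmask; a non-contiguous one raises ValueError."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.IPv4Network((tokens[0], str(mask)), strict=False), tokens[2:]

def parse_acl(config, number):
    """Ordered (action, src, dst) entries of numbered ACL `number` ('ip' form only)."""
    entries = []
    for line in config.splitlines():
        m = re.match(rf"access-list {number} (permit|deny) ip (.+)", line.strip())
        if m:
            src, rest = _acl_net(m.group(2).split())
            entries.append((m.group(1), src, _acl_net(rest)[0]))
    return entries

def first_match(acl, src, dst):
    """Cisco ACLs are first-match: action of the first entry covering the whole
    src->dst flow, or None for the implicit deny at the end of the list."""
    return next((a for a, s, d in acl if src.subnet_of(s) and dst.subnet_of(d)), None)

def check_nat_exemption(config, nat_acl=100, vpn_acl=101):
    """IOS applies inside-to-outside NAT before it consults the crypto map, so
    each flow the crypto ACL selects must hit a deny in the NAT ACL first, or it
    leaves translated, never matches the crypto ACL and the tunnel never forms."""
    nat = parse_acl(config, nat_acl)
    return [f"ACL {nat_acl} translates VPN flow {s} -> {d}; deny it above the permit"
            for a, s, d in parse_acl(config, vpn_acl)
            if a == "permit" and first_match(nat, s, d) == "permit"]

def check_crypto_map(config):
    """The crypto map must sit on the 'ip nat outside' interface and reference a
    defined peer key, transform set and crypto ACL. Returns findings (empty == OK)."""
    findings, blocks, cur = [], {}, None
    for line in config.splitlines():          # group indented sub-commands
        head = re.match(r"(interface \S+|crypto map \S+ \d+ ipsec-isakmp)$", line)
        if head:
            cur = head.group(1)
            blocks[cur] = []
        elif line.startswith(" ") and cur:
            blocks[cur].append(line.strip())
        else:
            cur = None
    ifaces = {k.split()[1]: v for k, v in blocks.items() if k.startswith("interface")}
    outside = {n for n, v in ifaces.items() if "ip nat outside" in v}
    for key, lines in blocks.items():
        if not key.startswith("crypto map"):
            continue
        name = key.split()[2]
        bound = {n for n, v in ifaces.items() if f"crypto map {name}" in v}
        if bound != outside:
            findings.append(f"crypto map {name} on {sorted(bound)}, NAT outside is {sorted(outside)}")
        opts = dict(l.rsplit(" ", 1) for l in lines)   # 'set peer' -> '198.51.100.1'
        peer, ts = opts.get("set peer", ""), opts.get("set transform-set", "")
        if not re.search(rf"^crypto isakmp key \S+ address {re.escape(peer)}$", config, re.M):
            findings.append(f"no ISAKMP pre-shared key for peer {peer!r}")
        if not re.search(rf"^crypto ipsec transform-set {re.escape(ts)} ", config, re.M):
            findings.append(f"transform-set {ts!r} is not defined")
        if not parse_acl(config, opts.get("match address", "")):
            findings.append(f"crypto ACL {opts.get('match address')!r} missing or empty")
    return findings

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_nat_exemption(cfg) + check_crypto_map(cfg) or "OK")
```

Run as a script it reports the sample config as OK and, for the variant without the `access-list 100 deny` line, that the VPN flow would be translated. The IKE parameters themselves are left as the lab specifies them; note that IKEv1 with DH group 5 and SHA-1 is what the exercise asks for, while Cisco's Next Generation Encryption guidance treats DH groups 1, 2 and 5 and SHA-1 as legacy, so a production deployment would use group 14 or higher with SHA-256.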

Ranet-BR#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 101
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Ranet-BR#sh crypto ipsec sa
interface: Serial0/0/0
Crypto map tag: Site-to-Site, local addr

protected vrf: (none)
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.:, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Ranet-BR#copy run start
Destination filename [startup-config]?
Building configuration...


(Desktop > IP Configuration)
IP Address:
Subnet Mask:
Default Gateway:
DNS Server:

( Desktop > Command Prompt)
Packet Tracer PC Command Line 1.0

Pinging with 32 bytes of data:

Request timed out.
Request timed out.
Reply from bytes=32 time=32ms TTL=126
Reply from bytes=32 time=31ms TTL=126

Ping statistics for
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 31ms, Maximum = 32ms, Average = 31ms


(Desktop > Web Browser)
Output: RANET Co.,Ltd. - Ranet Co.,Ltd. We make iT easy! :)

----------------------- The End ---------------------
Everything is OK. Note that the show crypto ipsec sa output above was captured before any interesting traffic had crossed the tunnel (all packet counters are 0 and no ESP SAs are listed), and that the first two pings time out while the IKE phase 1 and phase 2 SAs are negotiated; once the tunnel is up the remaining pings are answered and the encaps/decaps counters start to increase.


