Pass Cisco SVPN 300-730 Exam in First Attempt Easily
- Premium File 188 Questions & Answers
Last Update: Nov 28, 2023
- Training Course 42 Lectures
- Study Guide 1007 Pages
1. VPN Concepts
So let's go ahead and start with that great PowerPoint that I have created for you guys. It might be a little bit long, so make sure that you have time to watch this video completely. If not, you can just stop and come back; it doesn't hurt. So before we do anything, we have to go back to three things that we need to know, and I just wanted to refresh our minds on what hashing is. Hashing is a method that provides data verification, so it provides data integrity, and it does this with algorithms like MD5 and the Secure Hash Algorithms, SHA-1 and SHA-2. We also need to know what symmetric encryption is. Symmetric encryption uses the same key to encrypt and decrypt; examples are DES, 3DES and AES, which is the one used by the government. The other one, asymmetric encryption, uses two different keys that work together as a pair; examples are RSA, the Diffie-Hellman key exchange protocol, ElGamal, DSA and ECC, elliptic curve cryptography. Asymmetric encryption is the one used to get symmetric encryption going: we use asymmetric encryption whenever we are going to share the symmetric encryption key. Just remember that. I believe this was Chapter 2, Section 2 or 1 (I don't believe it was in Section 1) where we went over these technologies, and I just wanted to go back so we could refresh our minds before we get into VPNs, because VPNs are just symmetric encryption, asymmetric encryption, and a lot of hashing going on. And what is IPsec? Well, the first thing we need to know is that IPsec is a framework that brings or combines protocols together to make a secure connection over the Internet. So it brings together hashing, authentication, a group for the key exchange, a limited lifetime, and encryption. 
So it brings all of that together, and all those things together form IPsec, because it is a framework, and there are two different flavours that you can use. One is the Authentication Header, AH, and the other is the Encapsulating Security Payload, ESP, and we're going to go over those two. The first one is the Authentication Header. IPsec uses AH to provide data integrity, authentication and anti-replay functions for IPsec VPNs. The only bad thing about AH is that it does not provide any data encryption, so it doesn't provide confidentiality. So AH can be used to provide data integrity services to ensure that the data is not tampered with during its journey. It only provides hashing, and you can hash with MD5 or SHA-1, like we did before, right? MD5, SHA-1 and SHA-2. It's also down here on this PowerPoint; I forgot to put it there, but this is what it uses: Message Digest 5, MD5, Secure Hash Algorithm 1, and also SHA-2. And I'm going to show you a picture of what it does. It's a little bit blurry because I got it from ITProTV.com. If you go to ITProTV and use the promo code, you will get 30% off and a seven-day trial so you can try their website. This is what AH does: it takes the IP header and the data payload, runs them through HMAC with MD5, and that forms the AH header. So it takes the original IP datagram, runs it through the hashing algorithm, and after that we get this AH header right here. Then it puts that into the IP datagram that goes to wherever it needs to go on the other side. So you still see the IP header right here, so the source and destination are still visible, and you can still see the data payload. But what you get is that nobody is able to change any data in it, because we have the hash, which comes from the MD5 hash algorithm. 
So whenever you send it to the other side, what it's going to do is take the IP header and the payload, because that is what was used to form the AH header, and run the same hashing algorithm that we used. Then we should have this AH header, and we double-check to ensure that it is the same as the one we received, because these two should be identical. So if you run it through MD5, we should get the same value. If we get the same, we accept that traffic. If it's not the same, that means that somebody changed the data while it was on the way to the destination, and it's going to get rejected. Then we move on to ESP. ESP stands for Encapsulating Security Payload, and IPsec uses ESP to provide data integrity, encryption, authentication and anti-replay functions for IPsec VPNs. So the big difference between ESP and AH is that ESP provides encryption, and AH does not. AH only provides data integrity by hashing both the IP header and the data payload. Cisco IPsec implementations use DES, 3DES and AES for data encryption, so that is what ESP uses: it uses symmetric encryption to encrypt that data. ESP also authenticates the data within the VPN, which shows data integrity and that it is coming from the correct source, right? And I'm going to show you the two modes ESP has. The first one is tunnel mode. In tunnel mode, the original IP packet is encapsulated. As you can see over here, there's tunnel mode, and the other one, transport mode, we want to talk about on the other side. But if you look at tunnel mode, you can see that what ESP tunnel mode does is that the original IP datagram is encapsulated with an AH header. So we are actually using the AH header, and then we use encryption to encrypt the entire packet. As you can see over here, what we do in tunnel mode is that we take that IP header that transport mode inserts in there. 
And we do this by encapsulating it in the AH header. So we get that, and then we have the ESP header, which is encrypted with 3DES. And we also have the real IP header, the data payload, the ESP trailer and the ESP authentication data, which provides authentication. And what we insert over here is not the true source and destination IP addresses. What we insert here are the VPN IP addresses. So the source and destination of the VPN gateway, or of the firewall, are what we insert right here, right? As you can see, the IP address of the newly added outer IP header is that of the VPN gateway. So it's this one right here, and this is done when connecting to a remote site. So whenever you are going to go through the Internet, you want to use tunnel mode. And as we can see over here, this is for transport mode, and in transport mode only the payload of the IP datagram is secured by IPsec. The IP header is the original IP header, and IPsec inserts its header between the IP header and the upper-layer headers. IPsec transport mode can be used when encrypting traffic between two hosts or between a host and a VPN gateway. Okay? So what we do is take the IP header and the data payload and encrypt the payload with 3DES; we can also use AES to encrypt that data. What transport mode does is keep the true source IP address of the host right there, and the true destination IP address is also right here. But in tunnel mode, what we do is we take this IP header. Let's go back to this IP header right here. We insert that right here, and we encrypt it. And what we put here is a new header that has the IP addresses of the VPN gateways, okay? So the source and the destination are right here. So it's not the true IP address, okay? Because that one is encrypted over here. 
Because when you're going to go out on the Internet, you don't want anybody to have your true source and destination IP addresses, right? You only want the IP address of the VPN gateway or firewall that we are connecting to. Before moving on, this is the Internet Key Exchange. IKE is an IPsec standard protocol used to ensure security for virtual private network (VPN) negotiation and remote host or network access. So what it does is define an automatic means of negotiation and authentication for IPsec security associations. Security associations are security policies defined for communications between two or more entities; the relationship between the entities is represented by a key. The IKE protocol ensures security for SA communication without the pre-configuration that would otherwise be required. So what IKE does is actually use asymmetric encryption, right? And the one that it uses is DH, the Diffie-Hellman key exchange protocol. So that's what it uses for asymmetric encryption, so it can establish a VPN connection between two hosts. Okay? And as you can see over here, what it uses to negotiate is something that a lot of people remember as HAGLE. So the firewalls need to agree on the same hash algorithm; on the authentication, using an RSA signature or something else; and also on a group, which is the Diffie-Hellman group 1, 2, 5 or 7. They also need to agree on a lifetime, which is how long the connection is going to be up, and also on the encryption, AES or 3DES. So when two VPN gateways are trying to form a VPN tunnel, this is what they need to agree on. If they do not have the same authentication, group, lifetime, encryption, or even hash algorithm, they won't be able to form a VPN tunnel. 
And after they agree, after they are done negotiating, what they're going to do is form a tunnel, and then after that they're going to use either AH or ESP, right? And here's how the two firewalls are able to agree. So this is phase one of IKE, the Internet Key Exchange. Phase one establishes two-way communication for management traffic. Both peers have to agree on the hashing, and, like I said, I need to review the hashing, the authentication, the group number, which is the Diffie-Hellman group, the lifetime and the encryption, right? So they are going to agree on that, and after they agree on that, they are going to form a VPN tunnel using either AH or ESP, like I said before, right? And like this picture says, over here it is one group, and we are two on HAGLE, right? HAGLE stands for hashing, authentication, group, lifetime and encryption. Just remember that. Then, in phase two, they will either do it in main mode or in aggressive mode. That's phase two that they need to agree on, either main mode or aggressive mode. And as you can see right here, you can see the other one. What phase one is trying to go with is the IPsec IKE, or Internet Key Exchange, phase. As you can see, the first phase is trying to get the HAGLE communication going. And then after that, phase two is that they are going to either agree on aggressive mode or main mode, and that's going to form a VPN tunnel, right, either using ESP or AH. And this is it for this PowerPoint, guys.
2. IKEV1 Phases
So let's go ahead and start with this nice PowerPoint that I put together for you guys. So, IKE version one, Internet Key Exchange version one. What is IKE version one? What does IKE stand for? Internet Key Exchange. There are two Internet Key Exchanges: IKE version 1 (I forgot to put the v1 here) and IKE version 2. In the IPsec protocol suite, IKE is the protocol used to establish a security association. It is built upon the Oakley protocol and ISAKMP, and it comes in two phases, phase one and phase two, which we are also going to talk about. So what is the scope of phase one? Well, in phase one the scope is to negotiate a secure transmission channel between the VPN endpoints. And while they do this, what they want to do is share the secret key that comes from the Diffie-Hellman exchange; additional keys are also derived in that phase one. Furthermore, the scope of phase one is to secure parts of the phase one negotiation, and we'll talk about which parts are secured. But the main reason why phase one actually happens is because you want to secure the phase two negotiation. So let's go ahead and talk about phase one modes. There are two modes in phase one. The first one is main mode, which is the default mode, and the other one is aggressive mode. So main mode is what you're going to implement for a site-to-site VPN; you're not going to use aggressive mode there. Main mode has three bidirectional message exchanges, or six unidirectional messages. The first four messages are in clear text, and the last two are going to be encrypted. These last two messages that main mode sends are encrypted because you want to protect the identity of the endpoints. So that's why the last two packets are encrypted: to protect the identity of the endpoints. Right? 
But aggressive mode is what you are usually going to configure when you have a remote access VPN; for site to site you're going to use main mode (I said aggressive mode earlier, but I meant to say main mode). So aggressive mode is usually what you use for a remote access VPN. And this one only has three unidirectional messages. So it has three fewer than main mode, so it's a little bit faster than main mode. But since it is faster, it is not really as secure, because the last message can be encrypted, but that's not mandatory. So a lot of people do not encrypt that last message. What the last message does, if you encrypt it, is protect the identity of the endpoints. If you do not encrypt it, anybody can see the identity of the endpoints, which is not really secure. Next, phase one negotiation parameters. When you are negotiating during phase one, what we negotiate are the following parameters, and they actually need to match. First, authentication. So, if you're going to use a pre-shared key on one endpoint, you have to use a pre-shared key on the other endpoint. Otherwise, phase one negotiation is not going to happen, and phase two is also not going to happen. Also, if you're going to use RSA signatures (rsa-sig), you must do the same thing on the other endpoint. Or if you're going to use RSA encryption on one endpoint, the other endpoint needs to have the same one configured. Then we have the encryption: if you're going to use 3DES or AES, they have to match. For security reasons you are going to be better off using AES, which is approved by the government. Also, the hashing needs to match, whether you're going to use MD5, SHA-1 or SHA-2. And the Diffie-Hellman group number also needs to match, whether you're going to use 2, 5, 14, 15, 16, 17 or 18. What does not need to match? 
The parameters that do not need to match are the SA lifetime parameters, which are in seconds. The lifetime is negotiated to the lowest value between the VPN peers. So you could have a lower value than the other endpoint, or an equal value. That's all you have to do. So if it doesn't match, it needs to be lower than the other endpoint; if it is higher, it's not going to work in phase one and is not going to be negotiated. So for IKE phase two, what is the scope of phase two? The scope of phase two is to negotiate the IPsec tunnel, as well as what to protect and how to protect it. That's the scope of phase two. Upon successful negotiation, two additional keys are derived from the phase one key material by default, unless you have configured PFS, which stands for perfect forward secrecy. If perfect forward secrecy is enabled, there are more steps that need to happen, and we're going to talk about PFS in another video. These two keys that come from phase one are used to encrypt data for the IPsec tunnel. So remember: in phase one you want to protect the phase two negotiation, and in phase two you want to protect the IPsec tunnel, and you also decide how to protect it. And there's only one mode for IKE version one phase two. The only one you can use is quick mode, and quick mode only has three unidirectional messages, which are secured through the key material of phase one. So here are the IKE version one phase two negotiation parameters, and these are the ones that need to match. The first thing that needs to match is what you're going to protect, which is also called the proxy ACL or the encryption domain, and how you're going to protect it, using the transform set. When you configure that transform set, we need to be matching the encapsulation protocol. 
Either way, if you want to use the Authentication Header, AH, it does not perform encryption, so there's no confidentiality, but it does do data integrity, authentication and anti-replay. It just does not encrypt the packet. And we're going to look at a picture of how AH and ESP work separately and also how they work together. For a better encapsulation protocol, you want to use both of them together, and I also want to show you a picture of how both of them work together. Another parameter that must match for phase two is the encryption: either null with no encryption, DES, 3DES, AES, AES-GCM or AES-GMAC; then MD5, SHA-1 or SHA-2 hashing; and tunnel or transport mode, with or without UDP. So, when you use tunnel mode, we encrypt the entire packet and simply insert a new IP header into that packet. But for transport mode, what happens is that we do not encrypt the entire packet, and the source and destination are both known. That's the difference between tunnel and transport mode. And they need to match on both endpoints: whether you're going to use tunnel or transport mode, both ends need to be matching. And these are the parameters that do not need to match. Like in phase one, the security association lifetime in seconds and the traffic volume do not need to match. The traffic volume you do not configure for phase one, only the lifetime. So the lowest values are negotiated. So the lifetime needs to be either lower than or equal to the other endpoint. It cannot be higher, otherwise it's not going to work. So the endpoint with the highest value needs to initiate the tunnel. This is how it works: if I set the lifetime in seconds on one endpoint to 800 and the other endpoint is 400, then the latter, the 800, must initiate the tunnel, because if the 400 initiates the tunnel and the other one is higher, it's not going to work. So here's the control plane. 
So here is how phase one and control plane protection work. Phase one always starts on UDP port 500. But if a NAT device is detected, NAT traversal (NAT-T) is going to be negotiated, and then it's going to change over to UDP port 4500. So when NAT-T is negotiated, we switch to that port; but if we don't have any NAT devices in the path, then we keep using UDP 500. That's for phase one. For phase two, the IPsec control plane follows up on phase one. So if phase one is using port 500, as you can see right here, phase one finished on UDP port 500, then the phase two IPsec control plane is going to be using port 500. If phase one finished on UDP port 4500, then the phase two control plane is going to be on UDP 4500, and that is how we protect the data plane. And this is for phase two only; phase one does not do this. So if phase two ends up on UDP 500, then we are going to use either ESP or AH for encapsulation. Optionally, you can use both AH and ESP together, because one of them, ESP, provides encryption for the entire packet and the other provides authentication for the entire packet. And, as I'm going to show you in a picture of ESP, ESP encrypts the entire packet when we use ESP tunnel mode; even the original IP header is encrypted. What it does is insert another IP header for the endpoints, but that IP header is not authenticated, and that's why you want to use AH for authentication, so we can authenticate that IP header. And if phase two ends up using UDP 4500, then you want to use ESP inside the UDP 4500 encapsulation, because the Authentication Header is not NAT friendly: it authenticates the IP header, and since NAT will be changing that IP header with the translation, you don't want to use AH. As you can see at the bottom, AH authenticates the IP header but ESP does not, which is why you would choose AH and ESP together when you're not using NAT. And here is the Authentication Header. 
A lot of people do not know what that means. Well, the Authentication Header protocol provides data origin authentication, data integrity and replay protection, and, like I said, does not provide encryption. AH does not provide data confidentiality, which is encryption, which means that all of your data is sent in clear text but hashed. The way that it works is that it runs a hashing algorithm, and then it adds a pre-shared key, and that's going to be equal to the Authentication Header. It employs a hashing algorithm, MD5, SHA-1 or SHA-2, and a pre-shared key. Okay? And this is how it actually works. So here's the original IP packet. As you can see right here, the IP header, TCP header and the data are right here. But when you are using AH, the Authentication Header, in transport mode, what happens is we are inserting an AH header right here between the TCP header and the IP header, and we are going to authenticate the entire packet all the way from the IP header to the data. But when you are using ESP encryption, this is what happens. This is the ESP transport mode packet. As you can see here, this is the original packet, and what happens is that we insert the ESP header between the IP header and the TCP header. We insert that right here, the ESP header, and then, at the end of the data, we insert the ESP trailer, and then we do the ESP authentication. As you can see, we are only going to encrypt the TCP header and also the data, right? And we are only going to authenticate from the ESP header to the ESP trailer. As you can see, we are leaving the original IP header in the clear. It's known by everybody, so anybody can sniff it and see the original destination IP address and source IP address. But when we use ESP tunnel mode, what you can see right here is that we insert the ESP header in front of the original IP header, instead of the original IP header being in front of the ESP header. 
When using tunnel mode, we actually insert the ESP header in front of the original IP header. As you can see right here, this is the ESP tunnel mode packet. And then we insert a new IP header, and I believe this IP header uses not the original, but the endpoints' source and destination IP addresses. And it's not being authenticated. The only thing that is being authenticated is the ESP header all the way to the ESP trailer, which has the IP, TCP and data in it. And that's why you want to use AH with ESP, because this is what happens when you use both of them together. So what happens is that you see the original right here. In transport mode we authenticate the entire IP header all the way to the application data, but as you can see right here, this one is only for AH, and it is authenticating the entire packet. And this one right here is for ESP by itself. This one is ESP by itself, and this one is the Authentication Header by itself. But when we combine both of them together, this is what we get. So now, as you can see right here, we actually authenticate the entire packet including the new IP header that we insert when we use ESP. And, as you can see right here, the authentication and encryption from ESP only go from the ESP header all the way to the ESP trailer. But over here, when we use the Authentication Header, we actually authenticate the new IP header, and over here, with ESP alone, we do not. That's why you want to use a combination of both AH and ESP, and this is it for this video. So hope.
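The phase one and phase two matching rules from this section (HAGLE parameters must match, lifetime negotiated to the lowest value, proxy ACLs mirrored, transform set matched, and AH skipped once NAT-T has moved the control plane to UDP 4500), worked through as an added Python model. This is illustration code written for this page, not Cisco IOS or ASA code; the Phase1Policy and TransformSet classes and the sample proposals are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed model of the lecture's matching rules. Cisco IOS/ASA keep these as
# "crypto isakmp policy" entries and transform sets; these classes are this
# example's own assumption, not a Cisco API.


@dataclass(frozen=True)
class Phase1Policy:
    hashing: str      # H: md5 / sha1 / sha256
    auth: str         # A: pre-share / rsa-sig / rsa-encr
    group: int        # G: Diffie-Hellman group number
    lifetime: int     # L: seconds; does not need to match
    encryption: str   # E: 3des / aes-128 / aes-256


@dataclass(frozen=True)
class TransformSet:
    encapsulation: str  # ah / esp / ah+esp
    encryption: str     # null / des / 3des / aes-128 / aes-gcm-128 (ESP only)
    hashing: str        # md5 / sha1 / sha256
    mode: str           # tunnel / transport
    lifetime: int       # seconds; does not need to match


ProxyAcl = Tuple[str, str]  # (local subnet, remote subnet): the encryption domain


def negotiate_phase1(initiator: List[Phase1Policy],
                     responder: List[Phase1Policy]) -> Optional[Phase1Policy]:
    """Phase 1: H, A, G and E must match exactly; the SA lifetime is taken as the
    lowest of the two peers. Proposals are tried in priority order, first match wins."""
    for p in initiator:
        for r in responder:
            if (p.hashing, p.auth, p.group, p.encryption) == \
                    (r.hashing, r.auth, r.group, r.encryption):
                return replace(p, lifetime=min(p.lifetime, r.lifetime))
    return None


def negotiate_phase2(initiator: List[TransformSet], responder: List[TransformSet],
                     initiator_acl: ProxyAcl, responder_acl: ProxyAcl,
                     nat_detected: bool) -> Optional[dict]:
    """Phase 2 (quick mode): the proxy ACLs must mirror each other, the transform set
    must match on encapsulation, cipher, hash and mode, and the lifetime again takes
    the lowest value. If NAT was detected in phase 1 the control plane moved to
    UDP 4500, and AH proposals are skipped because AH authenticates the outer IP
    header that the NAT device rewrites."""
    if initiator_acl != (responder_acl[1], responder_acl[0]):
        return None  # encryption domains do not mirror: nothing to protect
    for p in initiator:
        if p.encapsulation == "ah" and p.encryption != "null":
            continue  # malformed proposal: AH cannot carry a cipher
        if nat_detected and "ah" in p.encapsulation:
            continue  # AH is not NAT friendly; only ESP inside UDP 4500 is usable
        for r in responder:
            if (p.encapsulation, p.encryption, p.hashing, p.mode) == \
                    (r.encapsulation, r.encryption, r.hashing, r.mode):
                return {"transform": replace(p, lifetime=min(p.lifetime, r.lifetime)),
                        "udp_port": 4500 if nat_detected else 500,
                        "proxy_acl": initiator_acl}
    return None


def demo(nat_detected: bool) -> dict:
    """Two constructed site-to-site peers, each with two phase 1 policies and two
    transform sets; only the second phase 1 policy matches on both sides."""
    site_a_p1 = [Phase1Policy("sha256", "pre-share", 14, 86400, "aes-256"),
                 Phase1Policy("sha1", "pre-share", 2, 86400, "3des")]
    site_b_p1 = [Phase1Policy("sha256", "rsa-sig", 14, 3600, "aes-256"),  # A differs
                 Phase1Policy("sha1", "pre-share", 2, 3600, "3des")]
    site_a_p2 = [TransformSet("ah+esp", "aes-128", "sha256", "tunnel", 3600),
                 TransformSet("esp", "aes-128", "sha256", "tunnel", 3600)]
    site_b_p2 = [TransformSet("ah+esp", "aes-128", "sha256", "tunnel", 1800),
                 TransformSet("esp", "aes-128", "sha256", "tunnel", 1800)]
    phase1 = negotiate_phase1(site_a_p1, site_b_p1)
    phase2 = None
    if phase1 is not None:  # phase 2 is only attempted under a phase 1 SA
        phase2 = negotiate_phase2(site_a_p2, site_b_p2,
                                  ("10.1.0.0/24", "10.2.0.0/24"),
                                  ("10.2.0.0/24", "10.1.0.0/24"), nat_detected)
    return {"phase1": phase1, "phase2": phase2}


if __name__ == "__main__":
    print(demo(nat_detected=False))  # ah+esp tunnel, lifetime 1800, UDP 500
    print(demo(nat_detected=True))   # esp tunnel, lifetime 1800, UDP 4500
```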
3. IKEV1 Phases Packet Encryption
Hello guys. Welcome to a new video. In this new video we are going to go over how IKE version one phase two actually encrypts the packet. We will discuss how AH does not encrypt the packet, but how the packet is derived from the original IP header and how we transform it into AH transport mode and AH tunnel mode. Then we'll do one for ESP transport mode, followed by another for ESP tunnel mode. And to end, we are going to do the last one, which is when we use ESP and the Authentication Header together, AH and ESP. So let's go ahead and start. The first thing we are going to do is AH transport mode. The way that it happens is we are going to insert an AH header right here, between the IP header and the TCP header. So let's go ahead and do that. So this is how transport mode transforms this packet; it is not encrypted. We're going to take this IP header right here, and then after that we are going to insert the Authentication Header right here. We're going to insert the AH header right here, and then after that we are going to insert all the data, which is the TCP header and the data. So let's go ahead and pick this one right here, and this is how it works and what we are going to perform. The AH is going to cover all the way to right here. So this is what it is. This is what is being authenticated right here, all the way from the IP header down to the data. So this is how AH does it. What does it do? Let me go ahead and copy and paste it and put it right here. Let's move this one down here so we can have more room. 
So what it does is this: it runs a hashing algorithm together with the pre-shared key over the entire packet, including the IP header, okay? And this is only for AH transport mode. And the difference between transport mode and tunnel mode is this: transport mode uses the same original IP header, whereas tunnel mode does not; in tunnel mode we actually use a new IP header. So let's go ahead and do tunnel mode. It's going to look almost the same as this one. We can simply copy and paste from this original header right here. There you go. So for Authentication Header tunnel mode, what we are actually going to do is insert a new IP header over here, and then the AH header is going to be right here. Let's change the colour of this one to green. There we go. So this new IP header is going to be right here for tunnel mode, and then the original is going to be in here. What we're going to do over here is insert the AH header right here, just like that. And now we can insert the TCP header and the data right here. So here's how AH tunnel mode works. The difference, like I said, between transport mode and tunnel mode is that we actually insert a new IP header and we are going to authenticate the original IP header as well. So for AH transport mode, we keep the same original source and destination IP header. And for tunnel mode, we are actually inserting a new one right here, and it's going to do authentication over all of it. 
There we go. Okay. So tunnel mode is more secure, because they will not see the real IP header, because it's going to be inside the AH header, as you can see right here. So those are the two AH modes. And whenever AH is working, what it does is run a hashing algorithm, either MD5, SHA-1 or SHA-2, with a pre-shared key that you can set up yourself. Okay? So now let's move on and do ESP transport mode. ESP transport mode is laid out the same as AH transport mode, but the difference between ESP and AH is that ESP encrypts the data and AH does not provide encryption. AH does not provide data confidentiality, but ESP does. So here I'm going to show you guys how transport mode works. The first thing is that for transport mode we do not insert a new IP header, so we're going to use this one right here again. But we are going to insert this ESP header right here. Okay, so ESP adds a header and also adds a trailer down here, right? So this one is the ESP header, and over here it adds an ESP trailer. There we go. So that is how ESP transport mode works. And the only thing that we are going to encrypt, because this is what ESP does, it provides encryption, is going to be between the ESP header and the ESP trailer. So now, as you can see right here, the IP header, which is outside this encryption zone, is going to be known by any hacker. So the true source and the true destination, the original destination IP address, are going to be known by hackers. 
So I just put it here with encryption. And with the encryption, you can run either AES, 3DES or DES right here, right? And this is how ESP transport mode works. And now let's go ahead and do tunnel mode. The way tunnel mode is going to work, if we go ahead and pick the same one right here, is basically the same as tunnel mode over here. So we're going to have the original IP header in here, and the ESP header is going to be moved in front of the IP header, because we are now going to encrypt the IP header and provide encryption for all of this. And after we do that, we are going to insert a new IP header right here. Now this last one is right here; let me make more space. Here we go. So this is the encryption: we're now in ESP tunnel mode down here. I don't have a lot of space, but you guys should get what I'm doing right now. So, as you can see right here, when we do tunnel mode, we actually insert a new IP header down here and we do the ESP authentication and encryption. So ESP provides integrity with hashing and confidentiality with encryption like AES, 3DES or DES. And it also provides anti-replay protection. And this is how it works. It protects the original source and destination IP addresses, like AH does. But AH does not provide encryption; it only provides hashing with a pre-shared key, anti-replay and integrity. So now this is why you want to use ESP plus AH: because, as you can see right here, even though we are encrypting this entire packet, we are leaving this new IP header by itself, and the hackers are going to know that new IP header right here, and you don't want them to know that. So let me move this entire thing higher so we can have more space. There we go. 
Okay, so we want to be using both, because ESP, as you can see, only protects the original IP header, the TCP header, and the data, but it leaves this new IP header behind, over here, by itself. But as you can see in tunnel mode for AH, it actually runs the hashing algorithm with a pre-shared key over the new IP header as well. So you want to be able to do that, and if you want to be able to do that, what you do is run ESP with AH. And how this works is that the first thing we are going to have is a new IP header right here. Right after it we insert the AH header. So after the AH header, what's going to happen is we are going to have the ESP header. Let's change the color so you can tell them apart. Okay, so the ESP header is going to be in here, and then the original packet follows. So this data right here, which has the true or original source and destination IP address in its IP header, is going to be inside these ESP headers. And then the last one is going to be the ESP trailer, which is going to be all the way down here, in the same color. Okay, so what's going to happen is we are going to provide encryption right between the ESP header and the ESP trailer. And if we change the color, you can see the difference. So this one is going to be encrypted, and then the authentication header is going to be run over the entire package. So here it is.
This is why you should do ESP with AH: it gives better protection because it runs ESP, which has encryption, and then AH, which provides a hashing algorithm with a pre-shared key and covers the new IP header, which ESP tunnel mode does not. And that's why it is better to use ESP plus AH. Hopefully this was a good idea and you guys understood the difference between AH transport mode, AH tunnel mode, ESP transport mode and ESP tunnel mode, and also why you want to be using ESP plus AH. Because you want to hide this new IP header from the world, you run a hashing algorithm with a pre-shared key over it. What this does is simply provide data integrity for the new IP header that is inserted right there, because you want to ensure that the new IP header was inserted by the edge router, the edge router with which you want to form the VPN tunnel. Okay, so this is it for this video, guys.
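To make the header diagrams from this section concrete, here is a small added model (not code from the course) of which fields each IPsec protocol and mode encrypts and integrity-protects, including the ESP+AH combination described above. Field names such as NEW-IP and ESP-TRAILER are labels chosen for this example.

```python
# Added example, not from the course: a model of which fields of an IPv4 packet
# each IPsec protocol and mode encrypts and integrity-protects, following the
# header diagrams drawn in the video. "ESP+AH" means AH applied outside ESP.
# The ESP ICV (ESP authentication data) that follows the trailer is left out.

PROTOCOLS = ("AH", "ESP", "ESP+AH")
MODES = ("transport", "tunnel")


def ipsec_layout(protocol: str, mode: str) -> list:
    """Return [(field, encrypted, integrity_protected), ...] in wire order."""
    if protocol not in PROTOCOLS or mode not in MODES:
        raise ValueError(f"unknown protocol/mode: {protocol}/{mode}")

    # Transport mode keeps the original IP header on the outside; tunnel mode
    # hides the original header inside and prepends a new outer IP header.
    outer = "ORIG-IP" if mode == "transport" else "NEW-IP"
    inner = ["TCP", "DATA"] if mode == "transport" else ["ORIG-IP", "TCP", "DATA"]

    if "ESP" in protocol:
        # ESP encrypts everything after its header through its trailer and
        # authenticates the header plus the ciphertext. Whatever sits in front
        # of the ESP header (the outer IP header, and AH) is not covered by ESP.
        fields = [(outer, False, False), ("ESP-HDR", False, True)]
        fields += [(f, True, True) for f in inner + ["ESP-TRAILER"]]
    else:
        # AH alone: header order only; the protection flags are set below.
        fields = [(outer, False, False), ("AH", False, False)]
        fields += [(f, False, False) for f in inner]

    if "AH" in protocol:
        if protocol == "ESP+AH":
            fields.insert(1, ("AH", False, False))   # AH sits between outer IP and ESP
        # AH's ICV covers the entire packet (mutable IP fields zeroed), so every
        # field becomes integrity-protected; AH never encrypts anything.
        fields = [(f, enc, True) for f, enc, _ in fields]
    return fields


def cleartext_fields(layout: list) -> list:
    """Fields an observer on the path can read."""
    return [f for f, enc, _ in layout if not enc]


def unprotected_fields(layout: list) -> list:
    """Fields that are neither encrypted nor integrity-protected."""
    return [f for f, enc, auth in layout if not enc and not auth]


if __name__ == "__main__":
    for proto in PROTOCOLS:
        for mode in MODES:
            lay = ipsec_layout(proto, mode)
            print(f"{proto:6} {mode:9} order={[f for f, _, _ in lay]}")
            print(f"       cleartext={cleartext_fields(lay)} "
                  f"unprotected={unprotected_fields(lay)}")
```

Running it shows the point of the section: ESP tunnel mode leaves only NEW-IP unprotected, and ESP+AH leaves nothing unprotected.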
Let's talk about it. So IKEv2, guys, let's give you an overview of what IKEv2 is. And here it is. It still uses the same UDP ports: 4500 when we're using network address translation, and 500 when we're not. So in that respect it is still the same as version 1, and it still has the same scope and goal as version 1 as well. But it does not have any backward compatibility with IKEv1. So you cannot mix IKEv1 and IKEv2: if you're going to have IKEv2, you need to configure IKEv2 on both endpoints and gateways, and if you choose IKEv1, it has to be on both gateways as well. So what are the changes that they made for IKEv2? Well, the first one is that there are no additional RFCs or separate standards; everything is now built into one main RFC. So in IKEv2 they implemented everything: ISAKMP and the IPsec DOI, ESP, dead peer detection (DPD), NAT transparency and mode configuration are all built in. Because what happened with IKEv1 was that it was created a long time ago, and every time they faced a challenge, they just bolted on a solution. One of those solutions was ISAKMP, so they implemented ISAKMP alongside IKEv1 so the two work together. Then something else came up, and you needed to encapsulate the packet and encrypt the packet. That's why they created the authentication header and ESP: they wanted to encrypt data while maintaining data integrity and confidentiality. With IPsec there was another problem, so they came out with DPD as another thing. Then NAT came up, so they needed NAT transparency.
So for every problem they faced in version 1, they needed a solution. And here are all the solutions, each a standard by itself. But now in IKEv2 they are all implemented inside IKEv2. And that's just the changes they made for IKEv2. All right, so what are IKEv2's phases? Is it faster, or what's going on? So there's only one phase now, which is faster because you don't have to remember phase 1 and phase 2, ISAKMP versus IPsec, the way you configured them for version 1. Now everything runs in one single phase, which is cool. It makes it a lot faster as well. And it only has two mandatory exchanges, IKE_SA_INIT, which sets up the IKE SA, and IKE_AUTH, which does the authentication and is basically where the IPsec transform set gets negotiated, so everything is combined in one phase. So this is happening in one phase, which is a lot faster and a lot cleaner than IKEv1. And then there are other optional exchanges. I believe CREATE_CHILD_SA is used when they rekey, and INFORMATIONAL is used when they... I do not remember that. I should know that. And here are the phases: there are no phases, only one phase. So for IKEv2, exchanges are how it happens. It all happens in one phase. Like I said before, the first exchange is IKE_SA_INIT, and what happens over here is the IKE security association establishment. So it is both the proposal negotiation and the key exchange. That happens in this first exchange of the only phase IKEv2 has, which is phase 1. And then there are two other messages exchanged right here, and this one is for mutual authentication and identity exchange. This one is the initial IPsec SA.
If you have configured certificate exchange, it will happen over here as well, as will the configuration exchange. It's going to happen here, and it's optional because you can use pre-shared keys for authentication. So how does IKEv2 do authentication? It does it differently and a lot better than IKEv1, of course. In IKEv2, authentication happens in the IKE_AUTH exchange, which is the second message. That's when authentication happens, and IKEv2 supports asymmetric peer authentication, which is really cool. Asymmetric means that we are going to use two different keys to perform authentication, and you can have different pre-shared keys for pre-shared-key authentication. So let's say you have a router over here and a router over here. What you could have is a pre-shared key of 123 over here and a pre-shared key of ABC over there, and they are able to perform asymmetric peer authentication with different pre-shared keys. Which is really cool because, if you remember from my earlier configuration, you have to put the same pre-shared key on both gateways, otherwise it won't work. But for IKEv2, you do not have to do that. You can use different pre-shared keys. And another way to authenticate is that on one side you use pre-shared-key authentication and on the other side you use PKI authentication. PKI authentication involves having a digital certificate. So you can have a pre-shared key on one end and a digital certificate on the other end. More on authentication: like I said before, it happens at the IKE_AUTH message, which is the second message right here. And it requires an additional minimum of four message exchanges. Message exchanges can increase up to twelve to sixteen.
It depends on the authentication that you are trying to perform on the remote access client. And here are the different authentications that you can perform with IKEv2. So we have EAP, which is used to authenticate the initiator, and the tunneled EAP methods you could use for that authentication are EAP-TLS, which uses a certificate, EAP-PEAP, and EAP-PSK, which of course uses a shared key. There are also the non-tunneled EAP methods, which are MS-CHAPv2, MD5 and EAP-GTC. In addition, Cisco released their own client, AnyConnect, which you can configure and use at the same time. And remember this: the responder is always authenticated using certificates, and since it is going to use a certificate, the client needs to trust that certificate, which has to come from a trusted CA, or certificate authority. And for IKEv2 platform support: IPsec did not change at all between IKEv1 and IKEv2; only the key management framework changed, on both the ASA and IOS. Routers support IKEv2, which is really cool, and assuming you run the proper code and configure it correctly, it is going to work on both ends, for site-to-site and also for remote access. Both platforms support site-to-site and remote access, and here are the supported VPN types that you could configure. You can configure a crypto map VPN type, and the ASA only supports crypto maps, so the ASA cannot use GRE over IPsec, it cannot use SVTI or DVTI, and it cannot use DMVPN or GET VPN. So if you are going to configure IKEv2 on a firewall, you are only allowed to use the crypto map, which is not really recommended but was kept because the ASA only supports crypto maps.
But if you are going to configure IKEv2 on a router, you could use a crypto map, which is not recommended, so we're not going to use it; but you can also use GRE over IPsec, SVTI or DVTI, DMVPN and GET VPN on Cisco routers. Okay, the ASA can only use crypto maps. So Cisco is now becoming a little bit more friendly, as you can see right here. The AnyConnect client, which is software that you can run on your computer, whether a Windows, Mac or Linux computer, supports both IKEv2 and SSL. It also supports IKEv1, of course, with XAUTH. Authentication is now standardized, so anybody can use it. So Cisco is becoming more friendly because this one can be used from any device. Now, as you can see here, you can also use other vendors' clients to connect to a Cisco VPN gateway, so you do not have to use only Cisco clients to connect to a Cisco VPN gateway. And you can also use the built-in native clients within the operating system to connect to a Cisco VPN gateway. To conclude this video, the last change or new thing introduced with IKEv2 is routing, because IKEv2 can push routes into the IP routing table, and in IKEv1 this was not available; it was only available for remote access VPN. However, guys, it is now available for both site-to-site and remote access VPN.
5. IKEv1 vs IKEv2
Hello guys. Welcome to another video. In this video, we are going to be configuring, and we are also going to go over a couple of PowerPoint slides that I have. As you guys know, I don't really like doing just PowerPoints; I like to configure everything. So I'm going to be going over IKEv1 and IKEv2 and how they are different, and all that good stuff. So it's going to be a little bit of a long video. If you don't have time, just go ahead and save this video and watch it later, because it is going to be long. You guys can see that from the time on YouTube, right? So let's go ahead and start IKEv1 versus IKEv2. As you can see right here, this is basically the protocol that secures IPsec. What is IKE, guys? Well, IKE stands for Internet Key Exchange, and it's a key management protocol that's used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations, or SAs. IKEv1, which I should have put right here, is also called Internet Security Association and Key Management Protocol, or ISAKMP. And there are two versions: version 1, ISAKMP, and version 2, IKEv2, also known as Cisco's FlexVPN, don't ask me why. The IKEv1 negotiation comprises two phases. Phase 1 negotiates a security association between two IKE peers, which enables the peers to communicate securely in phase 2, and phase 2 is IPsec. During phase 2 negotiation, IKE establishes security associations for other applications such as IPsec. Phase 1 has two modes. One is main mode, and the other one is aggressive mode. The default mode is main mode. Main mode versus aggressive mode.
Well, as you can see right here in this picture, you can see how many messages are exchanged. In main mode there is more being negotiated, and in aggressive mode there is less, therefore it is faster. But the bad thing about aggressive mode is that it does not encrypt anything. Everything is sent in clear text, whereas in main mode everything is encrypted; so with aggressive mode the hackers, or whoever is sniffing the network, can see the parameters that are being exchanged. Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The phase 1 parameters used by NSX, or by any layer 3 device like a router or a layer 3 switch, are the following. For encryption you can use 3DES or AES-256. You cannot use AES-GCM, because it is not supported in phase 1, but you can use it for phase 2, which is IPsec, for data encryption. Then we configure SHA-1 or SHA-2 for data integrity; this is the hashing algorithm. Then you configure the Diffie-Hellman group number: 2, 5, 14, 15 or 16, any one of those. For authentication, you can use a pre-shared key, which is a secret key, or you could use a digital certificate, and the lifetime for that is 28800 seconds, or 8 hours. In ISAKMP, aggressive mode is disabled; therefore, main mode is the default mode. And then we move on to phase 2. For IKEv1 and IKEv2, phase 2 is the same, which is just configuring IPsec. IPsec provides data encryption at the IP packet level and offers a robust security solution that is standards based. IP Security, or IPsec, is a standard suite of protocols between two communication points across the IP network that provides data authentication, integrity, and confidentiality.
It also supports anti-replay if you use ESP, which we are going to talk about later, ESP and AH. It also defines how packets are encrypted, decrypted and authenticated. The protocols needed for secure key exchange and key management are defined in IKE, which we're going to do later when we start configuring IKEv1. Check the parameters that you can configure from here for phase 2, which is IPsec. And this is for phase 2. You simply encrypt the data that will be transmitted, because phase 1, which is IKEv1 or IKEv2, sets up the tunnel that phase 2, IPsec, is going to ride on. And in IPsec you can encrypt that data using 3DES, AES-128, AES-256 and AES-GCM. And as we said before, GCM is not supported in phase 1. You can also do SHA-1 or SHA-2 for integrity. And for the tunnel modes, you could do either ESP tunnel mode or AH. You also have perfect forward secrecy for rekeying. And here the SA lifetime is 3600 seconds, or 1 hour. We have lifetime bytes, rekeying, and selectors for all IP protocols and all ports between two networks that use an IPv4 subnet. And what is the difference between ESP and AH? This is done in IPsec, because IPsec has two protocols. ESP, as previously stated, has ESP tunnel mode, and stands for Encapsulating Security Payload. It provides data integrity, encryption, and authentication, and performs anti-replay functions for IPsec VPN. ESP also authenticates the data within the VPN, ensuring data integrity by ensuring it's coming from the correct source, right? And the Authentication Header provides data integrity and authentication. But this slide is incorrect where it says AH provides anti-replay; it doesn't provide anti-replay functions. I don't know why that is there. I said that incorrectly. The difference between ESP and AH is that AH does not provide anti-replay functions like ESP does. And that's why nobody configures IPsec with AH.
Everybody does it with ESP because it provides encryption and provides anti-replay, which the authentication header does not provide. So let's go ahead and configure IKEv1, since we are done talking about IKEv1. So we're going to go to my EVE-NG topology. I have configured all the IP addresses over here. This one right here is going to be IKEv1, and over here is going to be IKEv2. So let's go ahead and hop onto R11. Like I said, I have configured all the IP addresses, so if we ping R13, we should be able to reach it; that's a good starting point for IKEv1. The first thing we need to configure is a policy. So you do crypto isakmp policy: in the CLI we do not call it "IKEv1", we call it "isakmp policy", and you can number the policy whatever you want, from 1 to 10,000; that is how many policies you can have. You are probably going to configure policy 1. From here, if you enter a question mark, it shows authentication, encryption, group number, hashing, and lifetime. So let's do authentication: we are going to be using pre-share. For encryption we are going to use 3DES. For hashing we are going to use SHA. For the DH group number we are going to use 2, and the lifetime we are going to keep at the default, which is 86400. So that is done. We have configured an IKEv1 policy. Since the authentication we are going to use is a pre-shared key, we need to configure that pre-shared key now, and this needs to match between the R11 router and the R13 router. If it does not match, we won't be able to authenticate or create that first tunnel so IPsec can be created afterwards. So if IKEv1 phase 1 is not created, then IKEv1 phase 2, which is IPsec, is not going to be created either.
So let's go ahead and enter that crypto isakmp key; we'll say the key is going to be CCNPSECURITY, and it's for the address of R13. So we are done with that. Now we must configure IKEv1 phase 2, which is IPsec. So let's do a crypto ipsec transform-set. We're going to use ESP, because AH does not provide anti-replay. So we want esp-aes 256 with esp-sha-hmac, and the mode we're going to use for this is tunnel. Exit. After that is done, we need to create the IPsec profile, and inside this IPsec profile we attach the transform set, and then we attach that IPsec profile to our tunnel interface. So: crypto ipsec profile, we name this IPSEC-PROFILE, and all we need to do is set transform-set, attaching the transform set we created, and that's it. We are done with IKEv1 phase 1 and IKEv1 phase 2. After that, we create a tunnel interface. We're just going to call it tunnel 0, and from here we need to specify the tunnel source, which is the GigabitEthernet interface facing R13, as you can see right here. Then we need to specify the tunnel destination, which is the address of R13, and the tunnel mode, which is not GRE, because if you use GRE, it's not going to use IPsec. So we want tunnel mode ipsec ipv4, because we are going to use an IP address. Then we configure the IP address of this interface. After that, you can do show run interface tunnel 0 and you can see my configuration. You could also do show interface and you can see more over here: the IP address, the protocol status, and the tunnel source, which is GigabitEthernet0/0.
You can see the destination, the MTU, the bandwidth, a lot of stuff on here. After that is done, we need to attach the tunnel protection with the IPsec profile: tunnel protection ipsec profile IPSEC-PROFILE. There it is. So now ISAKMP is on, and ISAKMP stands for IKEv1. Good. So now we can just end. You can do show crypto isakmp sa to see the security associations, and you can see that we have one right now that has no state and says it's active, but nothing is happening because we haven't configured router 13 for IKEv1 phase 1. If you want to see IKEv1 phase 2, you can do show crypto ipsec sa, and you can see right here the peer, which is the remote IP address of R13, and the local address, and that we haven't received any packets or anything like that. After that is done, one last thing we need to do is show ip interface brief. Since we are using a tunnel interface, which is SVTI, we are able to run a dynamic routing protocol. So we are going to do router eigrp 10, and we're going to configure EIGRP with no auto-summary. Then we add the network of my loopback address, and then we need to add the tunnel network as well. End. There we go. So now we are done with router 11. Now we must repeat the process for router 13, and we only need to configure router 13 so that it matches the R11 configuration. What do we need to do? First, we configure IKEv1 phase 1, which is the policy and the pre-shared key, and then we configure IKEv1 phase 2, which is the IPsec transform set and IPsec profile. So crypto isakmp policy 1, and this needs to match the same parameters that router 11 has, starting with authentication.
We are going to do crypto isakmp key, and this key also needs to match: CCNPSECURITY, and the address needs to be the remote IP address of router 11. We are done with IKEv1 phase 1, and we need to configure IKEv1 phase 2, which is IPsec. So crypto ipsec transform-set TSET, and this one also needs to match: esp-aes 256 esp-sha-hmac, mode tunnel, exit. Then we configure the IPsec profile, and the name does not need to match router 11, but we'll keep it the same. Finally, we set transform-set TSET and exit. Now we configure the tunnel interface; the number does not need to match, so you can just use tunnel 1 for this one, and that is fine. We specify the source, which is GigabitEthernet0/0, the destination, which is R11, the mode, which is ipsec ipv4, and then tunnel protection ipsec profile, attaching the IPsec profile that we created. One thing we are missing is the IP address, so let's do ip address. Then we do router eigrp 10, and this does need to match for the autonomous system number, 10. Then no auto-summary. Let's do show ip interface brief so we can see which IP addresses we need to add. So we add the network of this loopback and the network of the tunnel interface. After we add these networks we form a neighbor relationship with router 11. There we go. show ip eigrp neighbors: we see that neighbor over here. You can see the association right here if we do show crypto isakmp sa, and this is IKEv1 phase 1. You can do show crypto ipsec sa if you want to see IKEv1 phase 2. Like I said, you can see right here that we keep sending packets because EIGRP sends a hello message every, I think, 10 seconds. And that's why we see the data being encrypted and decrypted.
You can see the current peer, which is this one. We always use port 500 because we're not using NAT traversal. If you were using NAT traversal, then this one would become port 4500. Also, if you do show ip route, you can see that we have a route to the remote loopback, and it's going via the tunnel. And since it's taking the tunnel, it's going to be encrypted, right? You can do the same on router 11. If you do show ip eigrp neighbors, you can see the neighbor; with show ip route you can see the route, and it's taking the tunnel. If it's taking the tunnel, it is going to be encrypted. If we do show crypto isakmp sa, you see the security association between the two routers for IKEv1 phase 1. You can do show crypto ipsec sa if you want to see IKEv1 phase 2. And here it is. Alright, so that's good. We are done with IKEv1 phase 1 and phase 2. So now let's talk a little bit about IKEv2. For IKEv2, the Internet Key Exchange version 2 protocol dynamically establishes and maintains a shared state between the endpoints of an IP datagram. IKEv2 performs mutual authentication between two parties and establishes the IKEv2 security association. And it only has one mode. Remember that in IKEv1 we had two modes: main mode and aggressive mode? Main mode encrypts everything. Aggressive mode does not encrypt anything; it sends everything in clear text. And the default mode for IKEv1 is main mode. Okay, and quick mode is similar to an aggressive mode IKE negotiation, except the negotiation must be protected within an IKE SA. Quick mode negotiates the algorithm for the data encryption and manages the key exchange for that IPsec security association. And a lot of folks do not really know how to configure IKEv2.
For IKEv2 phase 1, you have to configure a proposal and a policy, but defaults exist, so we are going to use the defaults. You also need to configure the IKEv2 keyring, which is mandatory since we're going to use pre-shared key authentication, and you also need to configure the IKEv2 profile; then the IPsec transform set and IPsec profile for IKEv2 phase 2. So the proposal, policy, keyring and profile are just for IKEv2 phase 1. For this configuration, whenever you configure the keyring, you need to attach it to the IKEv2 profile. Then we configure the transform set and then the IPsec profile. And inside the IPsec profile we need to attach two things: the IKEv2 profile, which already has the keyring attached to it, and the transform set, which you guys are going to see later on. And what is the difference between IKEv2 and IKEv1? Well, the first one is that IKEv2 fixes the stateless cookie mechanism. IKEv2 has fewer round trips in a negotiation than IKEv1. The transform options are available in IKEv2 transforms, which means you can specify multiple options in a single proposal rather than creating separate unique proposals for each allowed combination; I'll show you that. IKEv2 has built-in dead peer detection as well, which IKEv1 does not. IKEv2 has a built-in configuration payload and user authentication mode. IKEv2 also has NAT traversal built in, and IKEv2 uses a single security association that can protect multiple subnets, which improves scalability. And you can also use asymmetric authentication on the two sides of a VPN, where each side of a tunnel can have different pre-shared keys and different certificates: one side a key and the other side a certificate.
Either way, in IKEv1 you cannot do that at all. And this is it for this PowerPoint. So now let's go ahead and configure IKEv2 and you can see how different IKEv2 is. Let's go into EVE-NG, and we are going to start with router 12. So let's bring up router 12. Okay, enable, configure terminal. And like I said, the first two things I need to configure are the IKEv2 policy and the IKEv2 proposal. But there's a default for each one of them. And if you want to see it, you can do show crypto ikev2 proposal. There we go. You can see the proposal, and the difference between the IKEv1 and IKEv2 proposal is that in IKEv2 you are allowed to have multiple combinations. As you can see right here, we have AES-CBC-256 encryption, and if the peer router does not have that encryption, then we can fall back to 192. If it doesn't have 192, then we can use 128. In IKEv1, you would have to configure a different policy for each option that you want. But in IKEv2, you can have different options in the same proposal. As you can see right here, that's the default. And if you want to see the default policy, you can do show crypto ikev2 policy, and here's the default policy, which has the default proposal attached to it. Okay, let's go to configure terminal, and since we are not going to configure the IKEv2 proposal or the IKEv2 policy, we are going to use the defaults. So we're not going to touch any of that. And since we're not going to touch any of that, the next step is to configure the IKEv2 keyring. So let's do crypto ikev2 keyring and we're going to call it IKEV2-KEYRING. There we go.
And inside of here we need to specify the name of the peer, which is router 14, and then we need to specify the IP address of that peer, as you can see it over here. After that we need a pre-shared key for the remote and a pre-shared key for the local. For IKEv2 you can use different keys. For IKEv1, you have to use just one key. But for IKEv2, you can use two keys. For the remote it's going to be R14, and for the local we are just going to say "local" and the key "R12". So this needs to match on router 14. So on router 14, we are going to have the remote key, which is going to be R12, and the local key is going to be R14. That's going to be the pre-shared key. All right. So after that is done, we need to go ahead and configure the IKEv2 profile. The way you do that is exit and do crypto ikev2 profile, and we're going to name it IKEV2-PROFILE. In here we need to set the authentication for the local side, which is going to be using a pre-shared key. You can either do pre-share, or you can use ecdsa-sig, eap, or rsa-sig. The authentication for the remote is also going to be using a pre-shared key, and you could either use a pre-shared key for the local and a certificate for the remote, or a certificate for the local and a pre-shared key for the remote. But since we're using pre-shared keys for both, we specify pre-share for both of them. After that, we need to do match identity remote address, and we add the address of that remote device, which is this one right here. Then we set identity local address with our own address, and enter. Good. After that, we need to attach the keyring that we configured: keyring local IKEV2-KEYRING.
So now we are done with the IKEv2 profile, and with that, IKEv2 phase 1 is done. Now we need to configure IKEv2 phase 2, which is the IPsec transform set and then the IPsec profile. So let's exit and do crypto ipsec transform-set. We're going to name it TSET and use esp-aes 256 with esp-sha-hmac. This needs to match on the other side; if it does not match, we won't be able to form phase 2. As you can see, IPsec is not changing. The only thing that changes between IKEv1 and IKEv2 is the IKE configuration; IPsec stays the same. So we are done with that. Then we need to create a crypto ipsec profile, which we'll name IPSEC-PROFILE, and inside there are two things to attach. If you recall from the IKEv1 configuration, we only attached the transform set. With IKEv2 you must attach two items: the transform set and the IKEv2 profile. So let's do set transform-set TSET, and then set ikev2-profile IKEV2-PROFILE. If you spell the profile name wrong, it will tell you that the IKEv2 profile is not defined. I'm just letting you guys know. Exit. After that is done, we configure the tunnel interface. The tunnel is configured the same way as for IKEv1, and we're also going to configure EIGRP. So let's do interface Tunnel0. It's going to have tunnel source GigabitEthernet0/0, and the tunnel destination is router 14's physical address. Then we attach the IPsec profile with tunnel protection ipsec profile IPSEC-PROFILE, and the IPsec SA should come up. There we go. Now we need to do router eigrp 10, no auto-summary, and the network statements.
Before we do that, do show ip interface brief so we can see the loopbacks we have. We need to add this network as well as this network, so network for the first one, followed by network for the second. Good. Now we are done with router 12. Now we must repeat the process on router 14, and everything must match. If it doesn't match, we won't be able to form IKEv2 phase 1 or phase 2. Let's go to router 14 and finish this. You could copy the configuration from router 12 and edit it, or do it from scratch like I'm going to do. config t. If we do show crypto ikev2 proposal, you can see the default proposal we're going to use; it is the same as on router 12, and if you look at the policy, it is also the same. So we are not going to edit any of this. If we created a new proposal or a new policy with different encryption and integrity on router 12, we would have to match it on router 14, but since we defaulted, we keep the default on router 14 as well. So we create the keyring: crypto ikev2 keyring IKEV2-KEYRING. The name does not need to match, but since I'm used to doing it the same, I'm going to keep it the same. Inside we specify the peer, which is router 12, and the address of the peer, which needs to be the IP address of router 12's physical interface GigabitEthernet0/0, right here. After that we do pre-shared-key local R14, remember that for the local side it is R14, and then pre-shared-key remote R12. As you can see, we're using asymmetric pre-shared keys, meaning a different key in each direction (this is not asymmetric public-key cryptography; both keys are still shared secrets).
It just needs to match: on router 12 we specified the local key to be R12 and the remote key to be R14, so on router 14 we do the opposite, local R14 and remote R12, and that is done. After that, what do we configure? The IKEv2 profile: crypto ikev2 profile, and you can name it IKEV2-PROFILE or whatever you want; it does not need to match. Inside we do authentication remote pre-share and authentication local pre-share, because we are using pre-shared keys, and then keyring local IKEV2-KEYRING. After that we do match identity remote address with the IP address of router 12, and identity local address with the IP address of router 14. So that's good; we have completed IKEv2 phase 1. Now let's configure IKEv2 phase 2, which is IPsec, and it is the same as IKEv1 phase 2. We create crypto ipsec transform-set TSET, to keep it simple, with esp-aes 256 and esp-sha-hmac. This needs to match. Then exit. And what do we need at the end? We create crypto ipsec profile IPSEC-PROFILE, set transform-set TSET, and are we done, guys? We are not done. We also need set ikev2-profile IKEV2-PROFILE. So now we are done with IKEv2 phase 1 and phase 2. Now we need to create the tunnel interface and attach the IPsec profile to it. The tunnel number can be whatever you want. First the ip address on the tunnel, then tunnel source and tunnel destination. And what is the last step? What are we missing?
We need tunnel protection ipsec profile IPSEC-PROFILE. If you spell it incorrectly, it's going to tell you that the profile is not defined, but this one is defined, so it does not give an error. You can see the IPsec SA came up and the line protocol on the tunnel interface also came up. Now we need router eigrp 10. If you do show ip interface brief, we did not create a loopback yet, so let's do interface Loopback0 and give it an IP address. Then go back to router eigrp 10, do no auto-summary, the network statement for the loopback, and the network statement for the tunnel. What do you think is going to happen? We are going to form an EIGRP neighbor relationship. And there it is. So now we are done. Let's do a couple of commands that are going to be helpful. The first command is to verify the IKEv2 SA. What do you think we're going to do, show crypto isakmp sa? No, that's IKEv1. We do show crypto ikev2 sa. You can see the local ID of the local router, the encryption we are using, which is AES-CBC with a key size of 256, for integrity SHA512, DH group 5, and for authentication PSK, which stands for pre-shared key. If you want to see phase 2, do show crypto ipsec sa, and it will look the same as with IKEv1 because IPsec did not change. You can also do show ip eigrp neighbors to see that we have a neighbor, router 12, reachable via the tunnel interface. So that is good. You can also do show ip route and see the route to router 12's loopback via the tunnel interface. And if you want to see that it is actually working, do show crypto ipsec sa and look at how many packets we have encapsulated and decapsulated.
So what I'm going to do now is ping router 12's loopback with repeat 100, and if I press the up arrow and run the show command again, you can see the counter increased by 100, because we sent 100 ICMP echoes and they went through the tunnel. If you want to verify that the traffic is actually going through the tunnel, do a traceroute to router 12's loopback, and you will see that it goes out the tunnel interface and gets encrypted there, using IKEv2 and IPsec. Here we go, it is going via the tunnel. It is not sending it via the physical interface directly, because we told it to send that network via the tunnel when we configured EIGRP, and all that good stuff, right? So guys, I believe that's it for this video. I hope you enjoyed it. On IKEv1 versus IKEv2 configuration and how they are different, I did a small PowerPoint talk. I don't like to do a lot of PowerPoints, although I do like a small one so you can see a graphic of what I'm going to be doing, and then do a big configuration so you can see how it actually works. That's how I learned; I needed to actually do it, not just talk about it. So now you know how IKEv1 and IKEv2 are configured, that IKEv2 is better than IKEv1, that you can combine pre-shared keys with certificates, that IPsec stays the same whether you use IKEv1 or IKEv2, that we configure the tunnel interface, and all that good stuff.
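As an added example (not from the video, whose exact addresses are not recoverable from the transcript), here is the complete IKEv2 site-to-site configuration for both routers, with the verification commands at the end. It goes one step beyond the video: instead of the default IKEv2 proposal and policy, it defines an explicit proposal so you can see one proposal carrying several encryption, integrity and DH-group options. The addressing (203.0.113.12/24 and 203.0.113.14/24 on GigabitEthernet0/0, 10.0.0.0/30 on Tunnel0, 192.168.12.0/24 and 192.168.14.0/24 on Loopback0), the object names, and DH group 14 preferred over the group 5 negotiated in the video are all assumptions for the lab. The keys R12 and R14 are the video's lab values; in production use long random pre-shared keys or certificates.

```cisco
! ================= Router 12 =================
! Assumed lab addressing (not from the video):
!   R12 Gi0/0 203.0.113.12/24   R14 Gi0/0 203.0.113.14/24
!   Tunnel0 10.0.0.0/30          Loopbacks 192.168.12.1/24, 192.168.14.1/24
!
! Explicit proposal instead of the default: one IKEv2 proposal can carry
! several transforms. The first transform both peers support is chosen,
! so list the strongest first; a peer that lacks aes-cbc-256 negotiates down.
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha256
 group 14 5
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL
!
! Asymmetric pre-shared keys: "local" here must equal "remote" on R14.
! (R12 / R14 are lab values; use long random keys in production.)
crypto ikev2 keyring IKEV2-KEYRING
 peer R14
  address 203.0.113.14
  pre-shared-key local R12
  pre-shared-key remote R14
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.14 255.255.255.255
 identity local address 203.0.113.12
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEYRING
!
! Phase 2 is unchanged from IKEv1 except that the IPsec profile
! must also reference the IKEv2 profile.
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2-PROFILE
!
interface Loopback0
 ip address 192.168.12.1 255.255.255.0
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.14
 tunnel protection ipsec profile IPSEC-PROFILE
!
router eigrp 10
 no auto-summary
 network 10.0.0.0 0.0.0.3
 network 192.168.12.0 0.0.0.255

! ================= Router 14 =================
! Repeat the IKEV2-PROPOSAL and IKEV2-POLICY block from R12 unchanged;
! names need not match, but the algorithms must overlap.
crypto ikev2 keyring IKEV2-KEYRING
 peer R12
  address 203.0.113.12
  pre-shared-key local R14
  pre-shared-key remote R12
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.12 255.255.255.255
 identity local address 203.0.113.14
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEYRING
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2-PROFILE
!
interface Loopback0
 ip address 192.168.14.1 255.255.255.0
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.12
 tunnel protection ipsec profile IPSEC-PROFILE
!
router eigrp 10
 no auto-summary
 network 10.0.0.0 0.0.0.3
 network 192.168.14.0 0.0.0.255

! ================= Verification (either router) =================
! show crypto ikev2 sa          -> IKEv2 SA: encryption, integrity, DH group, PSK
! show crypto ipsec sa          -> phase 2 SAs and encaps/decaps counters
! show ip eigrp neighbors       -> neighbor learned via Tunnel0
! show ip route eigrp           -> remote loopback reachable via Tunnel0
! ping 192.168.14.1 source 192.168.12.1 repeat 100   (from R12)
! traceroute 192.168.14.1 source 192.168.12.1        (from R12)
```

After the ping, the encaps/decaps counters in show crypto ipsec sa should each have grown by 100; if the counters stay flat while the ping succeeds, the traffic is taking the physical path instead of the tunnel, so check the EIGRP network statements. If show crypto ikev2 sa is empty, compare the two keyrings first (local on one side must equal remote on the other), then the match identity addresses, then the transform sets.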