====Lab 3-2
============BRANCH
!
interface tunnel 0
 tunnel mode gre ip
 tunnel source gigabitethernet 0/1
 exit
!
============HQ
!
no interface tunnel 0
interface loopback 0
 ip address 10.10.100.99 255.255.255.255
 exit
!
interface virtual-template 1 type tunnel
 ip unnumbered loopback 0
 tunnel protection ipsec profile ccnp-ipsec-profile
 exit
!
crypto ikev2 profile ccnp-ikev2-profile
 virtual-template 1
!
=====TEST
============BRANCH
!
crypto key generate rsa modulus 2048 label branch-keypair
!
crypto pki trustpoint partner-isr
 fqdn branch-isr.secure-x.public
 subject-name CN=branch-isr,O=secure-x.public
 serial-number none
 ip-address none
 rsakeypair branch-keypair
 exit
!
crypto pki enroll partner-isr
!
!cisco
!yes
!
crypto ikev2 profile ccnp-ikev2-profile
 no match identity remote fqdn hq-isr.secure-x.public
 match identity remote fqdn domain secure-x.public
 no authentication local pre-share
 authentication local rsa-sig
 no keyring local KR
 exit
!
============HQ
!
crypto ikev2 profile ccnp-ikev2-profile
 no match identity remote fqdn branch-isr.secure-x.public
 match identity remote fqdn domain secure-x.public
 no authentication remote pre-share
 authentication remote rsa-sig
 virtual-template 1
 no keyring local KR
 exit
!
=====TEST
============BRANCH
!
aaa new-model
aaa authorization network default local
!
============HQ
!
aaa new-model
aaa authorization network default local
!
no crypto ikev2 authorization policy default
ip local pool ccnp-pool 10.10.100.1 10.10.100.90
crypto ikev2 authorization policy ccnp-spokes
 pool ccnp-pool
 route set interface
 exit
!
crypto ikev2 profile ccnp-ikev2-profile
 aaa authorization group cert list default ccnp-spokes
 exit
!
============BRANCH
!
crypto ikev2 profile ccnp-ikev2-profile
 aaa authorization group cert list default default
 exit
!
interface tunnel 0
 ip address negotiated
!
=====TEST
============PARTNER
!
!
crypto pki trustpoint partner-isr
 fqdn partner-isr.partner.public
 subject-name CN=partner-isr,O=partner.public
 enrollment url http://198.51.100.1:80
 revocation-check none
 serial-number none
 ip-address none
 exit
!
crypto pki authenticate partner-isr
!
!yes
!
crypto pki enroll partner-isr
!
!cisco
!
aaa new-model
aaa authorization network default local
!
crypto ikev2 authorization policy default
 route set interface
 exit
!
!
crypto ikev2 proposal ccnp-ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 20
 exit
!
!
crypto ikev2 policy ccnp-ikev2-policy
 proposal ccnp-ikev2-proposal
 exit
!
no crypto ikev2 policy default
!
!
crypto ikev2 profile ccnp-ikev2-profile
 match identity remote fqdn domain secure-x.public
 identity local fqdn partner-isr.partner.public
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint partner-isr
 aaa authorization group cert list default default
 exit
!
crypto ipsec transform-set ccnp-ts esp-gcm 256
 mode tunnel
 exit
!
no crypto ipsec transform-set default
!
crypto ipsec profile ccnp-ipsec-profile
 set transform-set ccnp-ts
 set pfs group20
 set ikev2-profile ccnp-ikev2-profile
 exit
!
no crypto ipsec profile default
!
interface tunnel 0
 ip address negotiated
 tunnel source gigabitethernet 0/1
 tunnel destination 192.0.2.3
 tunnel protection ipsec profile ccnp-ipsec-profile
!
============HQ
!
crypto ikev2 profile ccnp-ikev2-profile
 match identity remote fqdn domain partner.public
 exit
!
============PARTNER
!
no interface tunnel 1
!
=====TEST
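An added check, not part of the lab: a small Python script that parses running-config style `crypto` blocks (as `show running-config` prints them, not the change script above) and flags weak IKEv2 proposal settings, pre-shared-key authentication in the IKEv2 profile, and IPsec profiles without PFS. The embedded config is constructed from the PARTNER section; the weak-value sets are assumed thresholds to adjust to your own baseline.

```python
# Constructed sample: the PARTNER router's crypto blocks from the lab above.
SAMPLE_CONFIG = """\
crypto ikev2 proposal ccnp-ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 20
exit
crypto ikev2 profile ccnp-ikev2-profile
 authentication remote rsa-sig
 authentication local rsa-sig
exit
crypto ipsec profile ccnp-ipsec-profile
 set pfs group20
exit
"""
# Policy thresholds (assumed; adjust to your own baseline).
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}

def parse_blocks(text):
    """Group indented sub-commands under their 'crypto ...' header line."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith("crypto "):
            current = line.strip()
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:  # 'exit', a blank line, or an unrelated global command
            current = None
    return blocks

def check_config(text):
    """Return a list of findings; an empty list means the policy holds."""
    findings = []
    for header, body in parse_blocks(text).items():
        words = {w for line in body for w in line.split()}
        if header.startswith("crypto ikev2 proposal"):
            if words & WEAK_ENCRYPTION:
                findings.append(f"{header}: weak encryption")
            if words & WEAK_INTEGRITY:
                findings.append(f"{header}: weak integrity")
            groups = {w for l in body if l.startswith("group") for w in l.split()[1:]}
            if groups & WEAK_DH_GROUPS:
                findings.append(f"{header}: weak DH group")
        elif header.startswith("crypto ikev2 profile") and "pre-share" in words:
            findings.append(f"{header}: pre-shared-key authentication")
        elif header.startswith("crypto ipsec profile") and not any(l.startswith("set pfs") for l in body):
            findings.append(f"{header}: PFS not set")
    return findings
```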