Lab 7: VPN Fundamentals


Objectives

Network Topology

┌─────────────────┐        IPsec VPN Tunnel          ┌─────────────────┐
│   HQ Router     │ ════════════════════════════════ │  Branch Router  │
│  192.168.1.1    │      (AES-256-GCM/SHA256)        │  192.168.2.1    │
└─────────────────┘                                  └─────────────────┘
         │                                                    │
         │                                                    │
    ┌────┴────┐                                          ┌────┴────┐
    │ HQ LAN  │                                          │Branch LAN│
    │10.0.1.0/24                                         │10.0.2.0/24
    └─────────┘                                          └─────────┘

Pre-Shared Key: CyberOps2026SecureKey!
IKE Phase 1: AES-256, SHA-256, DH Group 14
IPsec Phase 2: AES-256-GCM, SHA-256

1. View Network Topology
Display the network diagram showing HQ and Branch site VPN configuration.
Use: show topology
2. Check IPsec SA Status (HQ)
View the IPsec Security Association status on the HQ router.
Use: show crypto ipsec sa
3. Ping Across VPN Tunnel
Test connectivity by pinging from the HQ LAN to the Branch LAN through the VPN tunnel.
Use: ping 10.0.2.10
4. Verify IKE Phase 1
Check the IKE (Internet Key Exchange) phase 1 security association.
Use: show crypto isakmp sa
5. Check Tunnel Statistics (Branch)
Switch to the Branch router and view VPN tunnel traffic statistics.
Switch to "Branch Router" tab and use: show crypto ipsec sa statistics
6. Compare IPsec vs SSL VPN
View a comparison of IPsec and SSL VPN configurations and use cases.
Use: show vpn comparison
7. Troubleshoot Broken Tunnel
Diagnose and identify a VPN tunnel misconfiguration (pre-shared key mismatch).
Use: debug crypto isakmp
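
Added example, not part of the original lab: a Python check that compares the IKE Phase 1 policy and pre-shared key of two peers offline, which is the comparison step 7 has you make from debug output. The config excerpts are constructed from the topology values above, the Branch key is deliberately altered, and the function names are assumptions.

```python
import hmac
import re

# Constructed running-config excerpts (not captured from the lab routers).
# Values follow the topology above; the Branch key is deliberately wrong.
HQ_CFG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key CyberOps2026SecureKey! address 192.168.2.1
"""
BRANCH_CFG = HQ_CFG.replace("SecureKey!", "SecureKey").replace("192.168.2.1", "192.168.1.1")

def parse_ike(cfg):
    """Return (policy settings, {peer address: key}); handles one policy block."""
    policy, keys, in_policy = {}, {}, False
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_policy = True
        elif in_policy and line.startswith(" "):
            name, _, value = line.strip().partition(" ")
            policy[name] = value
        else:
            in_policy = False
            m = re.match(r"crypto isakmp key (\S+) address (\S+)", line)
            if m:
                keys[m.group(2)] = m.group(1)
    return policy, keys

def compare_peers(cfg_a, addr_a, cfg_b, addr_b):
    """List Phase 1 mismatches between two peers without echoing key material."""
    pol_a, keys_a = parse_ike(cfg_a)
    pol_b, keys_b = parse_ike(cfg_b)
    problems = [f"{k}: {pol_a.get(k)} != {pol_b.get(k)}"
                for k in sorted(set(pol_a) | set(pol_b)) if pol_a.get(k) != pol_b.get(k)]
    key_a, key_b = keys_a.get(addr_b), keys_b.get(addr_a)  # each side's key for the other
    if key_a is None or key_b is None:
        problems.append("pre-shared key: missing for peer")
    elif not hmac.compare_digest(key_a.encode(), key_b.encode()):
        problems.append("pre-shared key: mismatch")
    return problems

if __name__ == "__main__":
    print(compare_peers(HQ_CFG, "192.168.1.1", BRANCH_CFG, "192.168.2.1"))
```

The report names which setting differs but never prints either key, so its output can be pasted into a ticket.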
Cisco IOS XE Software - HQ Router
VPN Tunnel Configured: HQ <--> Branch
HQ-Router#
Cisco IOS XE Software - Branch Router
VPN Tunnel Configured: Branch <--> HQ
Branch-Router#
Analyst Workstation - Network Monitoring
Connected to: HQ Network (10.0.1.50)
analyst@workstation:~$
