VPN and Overlay Commands

Question 1

Command to create a tunnel interface

Answer 1

Router(config)# int tunnel {number}

Question 2

Add an IP address to a GRE tunnel

Answer 2

Router(config-if)# ip address ip-address subnet-mask

Question 3

Define the source and destination of a tunnel interface

Answer 3

Router(config-if)# tunnel source {interface-id | ip-address}
Router(config-if)# tunnel destination {remote-ip-address}

Question 4

Define keepalives on a GRE tunnel

Answer 4

Router(config-if)# keepalives {seconds} {repeat-interval}

Question 5

Define the bandwidth of a GRE tunnel (optional)

Answer 5

Router(config-if)# bandwidth {kbps}

Question 6

Define the max MTU on a GRE tunnel (optional)

Answer 6

Router(config-if)# ip mtu {mtu-size}

Question 7

Adjust the TTL value on a GRE tunnel (optional)

Answer 7

Router(config-if)# tunnel ttl {1-255}

Question 8

The 6 commands needed to create the ISAKMP policy for the IKEv1 phase of the tunnel.

Answer 8

Router(config)# crypto isakmp policy {priority-number}
Router(config-isakmp)# hash {sha | sha256 | sha384 | md5}
Router(config-isakmp)# authentication {rsa-sig | rsa-encr | pre-share}
Router(config-isakmp)# group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 24}
Router(config-isakmp)# lifetime {*0 - *}
Router(config-isakmp)# encryption {des | 3des | aes | aes 192 | aes 256}

Question 9

If needed for authentication, create a isakmp pre-shared key.

Answer 9

Router(config)# crypto isakmp key SHAREDKEY address peer-ip-address [mask]

Question 10

Creates a IPSec Transform Set

Answer 10

Router(config)# crypto ipsec transform-set NAME {transform-1} {transform-2} [transform-3]

Question 11

Name common transforms for ESP encryption types.

Answer 11

• esp-aes
• esp-aes 192
• esp-aes 256
• esp-seal
• esp-gcm
• esp-gmac

Question 12

Name common transforms for ESP authentication types.

Answer 12

• esp-sha-hmac
• esp-sha256-hmac
• esp-sha512-hmac
• esp-md5-hmac

Question 13

Create an IPSEC profile and associate a Transform Set.

Answer 13

Router(config)# crypto ipsec profile NAME
Router(ipsec-profile)# set transform-set TRANS-SET-NAME

Question 14

Specify the ipsec tunnel mode

Answer 14

Router(config)# int tunnel number
Router(config)# tunnel mode ipsec {ipv4 | ipv6}

Question 15

Apply the IPSec Profile to the tunnel

Answer 15

Router(config)# int tunnel number
Router(config-if)# tunnel protection ipsec profile PROFILE-NAME

Question 16

Create a crypto access-list to define encrypted traffic for the tunnel (2 commands)

Answer 16

Router(config)# ip access-list extended NAME
Router(config-acl)# permit gre host {tunnel-source-ip} host {tunnel-destination-ip}

Question 17

Create a Crypto-Map (alternative to using IPSec Profiles) - 4 commands

Answer 17

Router(config)# crypto map NAME sequence-number ipsec-isakmp
Router(crypto-map)# match address ACL-NAME
Router(crypto-map)# set peer dest-ip-address
Router(crypto-map)# set transform-set TRANS-SET-NAME

Question 18

When creating a DMVPN or Flex VPN, what is the command to create a multipoint GRE tunnel?

Answer 18

R1(config)# int tunnel 0
R1(config-if)# tunnel mode gre multipoint

Question 19

Display information about ISAKMP Security Associations

Answer 19

Router# show crypto isakmp sa

Question 20

Display information about IPSEC security associations

Answer 20

Router# show crypto ipsec sa

Question 21

Display IPSEC connections

Answer 21

Router# show crypto engine connections active