Cisco IOS site-to-site IPsec between routers
In this example we build a site-to-site (LAN-to-LAN) IPsec tunnel between two IOS routers, R2 and R5, that share the 192.168.25.0/24 link. Each router uses its Loopback0 address as the IKE/IPsec endpoint (crypto map maptest local-address Loopback0, with the peer's loopback as set peer), Loopback22 and Loopback55 stand in for the two LANs, and OSPF advertises all loopbacks so the endpoints can reach each other. IKEv1 with pre-shared-key authentication and AES encryption is configured; the ISAKMP policy leaves hash, DH group and lifetime at the IOS defaults (SHA-1, group 1, 86400 seconds), and the transform set esp-aes esp-sha-hmac is AES-128-CBC with HMAC-SHA-1. Those values and the key cisco123 are fine for a lab, but for production use a long random key or certificates, a stronger DH group (group 14 or higher) and SHA-256 transforms where the IOS release supports them.
Configuration of R2:
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key cisco123 address 5.5.5.5
!
!
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
!
crypto map maptest local-address Loopback0
crypto map maptest 1 ipsec-isakmp
set peer 5.5.5.5
set transform-set set2
match address 101
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Loopback22
description Lan_Simulation
ip address 22.22.22.22 255.255.255.255
!
interface FastEthernet0/1
description Wan_Interface
ip address 192.168.25.2 255.255.255.0
duplex auto
speed auto
crypto map maptest
!
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 22.22.22.22 0.0.0.0 area 0
network 192.168.25.0 0.0.0.255 area 0
!
access-list 101 permit ip host 22.22.22.22 host 55.55.55.55
Configuration of R5:
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key cisco123 address 2.2.2.2
!
!
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
!
crypto map maptest local-address Loopback0
crypto map maptest 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set set2
match address 101
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
interface Loopback55
description Lan_Simulation
ip address 55.55.55.55 255.255.255.255
!
interface FastEthernet0/1
description Wan_Interface
ip address 192.168.25.5 255.255.255.0
duplex auto
speed auto
crypto map maptest
!
router ospf 1
router-id 5.5.5.5
log-adjacency-changes
network 5.5.5.5 0.0.0.0 area 0
network 55.55.55.55 0.0.0.0 area 0
network 192.168.25.0 0.0.0.255 area 0
!
access-list 101 permit ip host 55.55.55.55 host 22.22.22.22
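Before bringing such a tunnel up it is worth checking that the two sides really are mirror images of each other: each peer must point at the other's local-address, the pre-shared keys must match, the transform sets must be identical, and the crypto ACLs must be the reverse of one another, since any of those mismatches either fails IKE or leaves traffic unprotected. The following Python script, added here as an example and not part of the original post, parses the IPsec-relevant lines of the two configurations above (reproduced as a constructed template in sample_config) and cross-checks them; it also flags the lab-grade settings in this configuration (an 8-character PSK and the default DH group 1). The parser only understands the commands used on this page, works with or without IOS indentation, and the names sample_config, parse_config and check_peers are the example's own.

```python
from collections import defaultdict

# IOS defaults for any 'crypto isakmp policy' line that is omitted (as on this page).
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
MAP_FIELDS = {"peer": "peer", "transform-set": "transform_set", "address": "acl"}
BLOCK_STARTERS = ("crypto", "interface", "access-list", "router", "line", "end")

def sample_config(local, lan, peer, peer_lan, key="cisco123"):
    """Constructed sample: the crypto-relevant lines of the page's R2/R5 configs as a template."""
    return f"""crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key {key} address {peer}
crypto ipsec transform-set set2 esp-aes esp-sha-hmac
crypto map maptest local-address Loopback0
crypto map maptest 1 ipsec-isakmp
set peer {peer}
set transform-set set2
match address 101
interface Loopback0
ip address {local} 255.255.255.255
access-list 101 permit ip host {lan} host {peer_lan}
"""

R2_CONFIG = sample_config("2.2.2.2", "22.22.22.22", "5.5.5.5", "55.55.55.55")
R5_CONFIG = sample_config("5.5.5.5", "55.55.55.55", "2.2.2.2", "22.22.22.22")

def _addr(tok):
    """ACL address spec: 'host X' -> (X, rest); 'X WILDCARD' -> ('X/WILDCARD', rest)."""
    return (tok[1], tok[2:]) if tok[0] == "host" else (tok[0] + "/" + tok[1], tok[2:])

def parse_config(text):
    """Parse the IPsec-relevant parts of a running-config; indentation is not required."""
    cfg = {"policies": {}, "keys": {}, "transform_sets": {}, "maps": {},
           "interfaces": {}, "acls": defaultdict(list)}
    ctx = None  # dict that sub-commands of the current block are written into
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] in BLOCK_STARTERS:        # a top-level command ends the previous block
            ctx = None
        if t[:3] == ["crypto", "isakmp", "policy"]:
            ctx = cfg["policies"][int(t[3])] = dict(ISAKMP_DEFAULTS)
        elif t[:3] == ["crypto", "isakmp", "key"]:          # crypto isakmp key KEY address PEER
            cfg["keys"][t[5]] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) > 4:     # global (not interface) crypto map lines
            m = cfg["maps"].setdefault(t[2], {"local_address": None, "entries": {}})
            if t[3] == "local-address":
                m["local_address"] = t[4]
            else:                                            # crypto map NAME SEQ ipsec-isakmp
                ctx = m["entries"][int(t[3])] = {"peer": None, "transform_set": None, "acl": None}
        elif t[0] == "interface":
            ctx = cfg["interfaces"][t[1]] = {"ip": None}
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _addr(t[4:])
            cfg["acls"][t[1]].append((src, _addr(rest)[0]))
        elif ctx and "hash" in ctx and (t[0] in ctx or t[0] == "encryption"):  # ISAKMP policy body
            ctx["encr" if t[0] == "encryption" else t[0]] = t[1]
        elif ctx and "peer" in ctx and len(t) > 2 and t[1] in MAP_FIELDS:  # crypto map entry body
            ctx[MAP_FIELDS[t[1]]] = t[2]
        elif ctx and "ip" in ctx and t[:2] == ["ip", "address"]:           # interface body
            ctx["ip"] = t[2]
    return cfg

def check_peers(name_a, cfg_a, name_b, cfg_b):
    """Cross-check both directions; 'ERROR' findings stop the tunnel, 'WARN' findings weaken it."""
    out = []
    for me, cfg, them, ocfg in ((name_a, cfg_a, name_b, cfg_b), (name_b, cfg_b, name_a, cfg_a)):
        their_ips = {ocfg["interfaces"].get(om["local_address"], {}).get("ip")
                     for om in ocfg["maps"].values()}
        their_acl = {(d, s) for om in ocfg["maps"].values() for oe in om["entries"].values()
                     for s, d in ocfg["acls"].get(oe["acl"], [])}   # peer's crypto ACL, mirrored
        for mname, m in cfg["maps"].items():
            my_ip = cfg["interfaces"].get(m["local_address"], {}).get("ip")
            for seq, e in m["entries"].items():
                tag = f"{me} map {mname} {seq}"
                if e["peer"] not in their_ips:
                    out.append(f"ERROR {tag}: peer {e['peer']} is not {them}'s crypto endpoint")
                k_mine, k_theirs = cfg["keys"].get(e["peer"]), ocfg["keys"].get(my_ip)
                if not k_mine or k_mine != k_theirs:
                    out.append(f"ERROR {tag}: pre-shared key missing or differs from {them}'s")
                elif len(k_mine) < 16:
                    out.append(f"WARN {tag}: pre-shared key is only {len(k_mine)} characters")
                ts = cfg["transform_sets"].get(e["transform_set"])
                if ts is None or ts not in ocfg["transform_sets"].values():
                    out.append(f"ERROR {tag}: no identical transform set on {them}")
                if set(cfg["acls"].get(e["acl"], [])) != their_acl:
                    out.append(f"ERROR {tag}: crypto ACL is not the mirror image of {them}'s")
        for num, p in cfg["policies"].items():
            if p["group"] in ("1", "2", "5"):
                out.append(f"WARN {me}: isakmp policy {num} uses DH group {p['group']} (IOS default is 1)")
    return out
```

Running check_peers("R2", parse_config(R2_CONFIG), "R5", parse_config(R5_CONFIG)) on the page's two routers returns no ERROR lines, only the two WARN lines per router about the short key and DH group 1; change the key or the ACL on one side and the corresponding ERROR appears for both peers. In production you would feed it the output of show running-config from each router instead of the template.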
Let's do basic reachability tests, then verify the IKE phase 1 SA (QM_IDLE with status ACTIVE means main mode completed and the ISAKMP SA is usable) and the IPsec phase 2 SAs. The captures below were taken with the crypto map named map2; with the configuration above the tag would read maptest.
R5#show ip route ospf
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2 [110/11] via 192.168.25.2, 00:09:31, FastEthernet0/1
22.0.0.0/32 is subnetted, 1 subnets
O 22.22.22.22 [110/11] via 192.168.25.2, 00:07:31, FastEthernet0/1
R5#
R5#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
2.2.2.2 5.5.5.5 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R5#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: map2, local addr 5.5.5.5
protected vrf: (none)
local ident (addr/mask/prot/port): (55.55.55.55/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 204, #pkts encrypt: 204, #pkts digest: 204
#pkts decaps: 204, #pkts decrypt: 204, #pkts verify: 204
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 5.5.5.5, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xC466B108(3295064328)
inbound esp sas:
spi: 0x6B29193A(1797855546)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: SW:3, crypto map: map2
sa timing: remaining key lifetime (k/sec): (4411479/3237)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC466B108(3295064328)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: SW:4, crypto map: map2
sa timing: remaining key lifetime (k/sec): (4411479/3237)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R5#
R5#ping 22.22.22.22 source 55.55.55.55 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
Packet sent with a source address of 55.55.55.55
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 16/34/80 ms
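A 100 percent ping success rate on its own does not prove the traffic was encrypted: if the crypto ACL had not matched, the echoes would have followed the OSPF route in the clear and still succeeded. The proof is in show crypto ipsec sa: the encaps/decaps counters must grow by the number of packets sent, the inbound and outbound ESP SAs must be ACTIVE with the configured transform in tunnel mode, and the current outbound SPI must belong to the outbound SA. The following Python checker, added here as an example and not part of the original post, parses the R5 output above (embedded as a constructed, abridged sample) and applies those checks; parse_ipsec_sa, assess and traffic_delta are the example's own names, and the transform set to compare against is supplied by the caller.

```python
import re

# Constructed sample: R5's 'show crypto ipsec sa' output from this page, abridged to the lines
# the checker reads, with IOS indentation.
SHOW_IPSEC_SA = """\
interface: FastEthernet0/1
    Crypto map tag: map2, local addr 5.5.5.5
   local  ident (addr/mask/prot/port): (55.55.55.55/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
   current_peer 2.2.2.2 port 500
    #pkts encaps: 204, #pkts encrypt: 204, #pkts digest: 204
    #pkts decaps: 204, #pkts decrypt: 204, #pkts verify: 204
    #send errors 1, #recv errors 0
     current outbound spi: 0xC466B108(3295064328)
     inbound esp sas:
      spi: 0x6B29193A(1797855546)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4411479/3237)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xC466B108(3295064328)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4411479/3237)
        replay detection support: Y
        Status: ACTIVE
"""

def parse_ipsec_sa(text):
    """Parse one crypto-map entry's 'show crypto ipsec sa' output into a dict."""
    sa = {"counters": {}, "inbound": [], "outbound": [], "current_outbound_spi": None,
          "peer": None, "local_ident": None, "remote_ident": None, "crypto_map": None}
    section, cur = None, None   # (direction, protocol) being listed; SA entry being filled
    for raw in text.splitlines():
        s = raw.strip()
        for name, val in re.findall(r"#(pkts [^:,]+|send errors|recv errors):? (\d+)", s):
            sa["counters"][name.replace("pkts ", "")] = int(val)
        if m := re.match(r"Crypto map tag: (\S+),", s):
            sa["crypto_map"] = m.group(1)
        elif m := re.match(r"(local|remote)\s+ident .*: \(([^)]+)\)", s):
            sa[m.group(1) + "_ident"] = m.group(2)
        elif m := re.match(r"current_peer (\S+)", s):
            sa["peer"] = m.group(1)
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", s):
            sa["current_outbound_spi"] = m.group(1)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            section, cur = (m.group(1), m.group(2)), None
        elif section and section[1] == "esp" and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            cur = {"spi": m.group(1)}
            sa[section[0]].append(cur)
        elif cur is not None:             # attributes of the ESP SA currently being listed
            if s.startswith("transform:"):
                cur["transform"] = frozenset(s.split(":", 1)[1].replace(",", "").split())
            elif m := re.match(r"in use settings =\{(\w+)", s):
                cur["mode"] = m.group(1)
            elif m := re.search(r"lifetime \(k/sec\): \((\d+)/(\d+)\)", s):
                cur["lifetime_kb"], cur["lifetime_sec"] = int(m.group(1)), int(m.group(2))
            elif s.startswith("replay detection support:"):
                cur["replay"] = s.endswith("Y")
            elif s.startswith("Status:"):
                cur["status"] = s.split(":", 1)[1].strip()
    return sa

def assess(sa, expected_transform, min_lifetime_sec=120):
    """Health findings for a parsed SA; an empty list means traffic is protected as configured."""
    c, out = sa["counters"], []
    if not c.get("encaps") == c.get("encrypt") == c.get("digest"):
        out.append("outbound counters disagree: packets lost between encaps and encrypt/digest")
    if not c.get("decaps") == c.get("decrypt") == c.get("verify"):
        out.append("inbound counters disagree: ESP packets failed decryption or integrity check")
    if c.get("recv errors", 0):
        out.append(f"{c['recv errors']} receive errors on the inbound crypto path")
    if not sa["inbound"] or not sa["outbound"]:
        out.append("missing ESP SA in one direction: IKE phase 2 did not complete")
    elif sa["current_outbound_spi"] not in {x["spi"] for x in sa["outbound"]}:
        out.append("current outbound SPI matches no outbound SA")
    for direction in ("inbound", "outbound"):
        for x in sa[direction]:
            tag = f"{direction} SA {x['spi']}"
            if x.get("status") != "ACTIVE":
                out.append(f"{tag}: status {x.get('status')}")
            if x.get("transform") != expected_transform:
                out.append(f"{tag}: transform {sorted(x.get('transform', ()))} is not the configured set")
            if x.get("mode") != "Tunnel" or not x.get("replay"):
                out.append(f"{tag}: not tunnel mode or anti-replay disabled")
            if x.get("lifetime_sec", 0) < min_lifetime_sec:
                out.append(f"{tag}: rekey imminent ({x.get('lifetime_sec')} s left)")
    return out

def traffic_delta(before, after):
    """Counter growth between two snapshots: the proof that test traffic actually used the tunnel."""
    return {k: after["counters"][k] - before["counters"][k] for k in ("encaps", "decaps")}
```

Take one snapshot before the ping and one after; for the 100-packet ping above traffic_delta should report 100 for both encaps and decaps, and assess(sa, frozenset({"esp-aes", "esp-sha-hmac"})) should return an empty list. A gap between decaps and verify, or a non-zero recv errors counter, points at the inbound crypto path rather than at routing. The single send error in the page's output is what you normally see when the first interesting packet triggers IKE and is dropped while the SA is still being negotiated.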