Cisco IPsec over GRE Tunnel Configuration Example
In this example we set up an IPsec-protected tunnel between the Loopback0 addresses of R1 and R4. OSPF provides reachability between the Loopback0 interfaces, which are the tunnel endpoints, and EIGRP runs through the tunnel to advertise each site's data networks (Loopback 11 on R1 and Loopback 44 on R4). All packets that pass through the tunnel are encrypted.
Two points to note before copying this configuration. First, the tunnel interfaces use tunnel mode ipsec ipv4, which makes them IPsec virtual tunnel interfaces (VTI) rather than GRE tunnels: there is no GRE header, the traffic selectors are any/any (0.0.0.0/0 in both directions, as the show crypto ipsec sa output below confirms), and IPsec always runs in tunnel mode, so the mode transport line in the transform set is ignored (the SA output shows in use settings ={Tunnel, }). For a real GRE-over-IPsec tunnel, leave the interface in its default tunnel mode gre ip and keep the tunnel protection ipsec profile line; transport mode is then honoured because the outer GRE packet already carries the loopback addresses. Second, the ISAKMP policy only sets the encryption algorithm and the authentication method, so the IOS defaults apply to everything else: SHA-1 hashing, Diffie-Hellman group 1 (768-bit MODP) and an 86400-second lifetime. In production add hash sha256 and group 14 (or stronger) to the policy, and replace the pre-shared key cisco123 with a long random secret that is different for every peer.
Configuration of R1
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key cisco123 address 4.4.4.4
!
crypto ipsec transform-set set1 esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile profile1
set transform-set set1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Loopback 11
ip address 11.11.11.11 255.255.255.255
!
interface Tunnel14
ip address 192.168.41.1 255.255.255.0
tunnel source Loopback0
tunnel destination 4.4.4.4
tunnel mode ipsec ipv4
tunnel protection ipsec profile profile1
interface FastEthernet0/1
ip address 192.168.14.1 255.255.255.0
duplex auto
speed auto
router eigrp 100
network 11.11.11.11 0.0.0.0
network 192.168.41.0
no auto-summary
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 192.168.14.0 0.0.0.255 area 0
Configuration of R4
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key cisco123 address 1.1.1.1
!
!
crypto ipsec transform-set set1 esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile profile1
set transform-set set1
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface Loopback 44
ip address 44.44.44.44 255.255.255.255
!
interface Tunnel14
ip address 192.168.41.4 255.255.255.0
tunnel source Loopback0
tunnel destination 1.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile profile1
interface FastEthernet0/1
ip address 192.168.14.4 255.255.255.0
duplex auto
speed auto
router eigrp 100
network 44.44.44.44 0.0.0.0
network 192.168.41.0
no auto-summary
!
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
network 4.4.4.4 0.0.0.0 area 0
network 192.168.14.0 0.0.0.255 area 0
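As an added example (not part of the original post), here is a small Python audit that reads the crypto section of an IOS configuration like the two above and reports what a reviewer would flag. It fills in the IOS defaults for any ISAKMP policy parameter the operator did not set (group 1 and SHA-1 here), flags a pre-shared key that is too short, and detects a transport-mode transform set applied to a tunnel in tunnel mode ipsec ipv4, where IOS silently uses tunnel mode. The embedded configuration is R1's from this page; the 20-character key length threshold and the weak-setting lists are this example's own assumptions, not IOS rules.

```python
import re

# Constructed sample: the crypto and tunnel parts of R1's configuration from this page.
R1_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key cisco123 address 4.4.4.4
!
crypto ipsec transform-set set1 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile profile1
 set transform-set set1
!
interface Tunnel14
 ip address 192.168.41.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 4.4.4.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profile1
"""

# IOS fills in these values for any ISAKMP policy parameter the operator does not set.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}


def parse_sections(config):
    """Return a list of (header, [sub-lines]) for each top-level block of an IOS config."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            sections.append((line.strip(), []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections


def isakmp_policies(config):
    """Map policy number -> effective parameters (explicit lines merged over the IOS defaults)."""
    policies = {}
    for header, body in parse_sections(config):
        m = re.match(r"crypto isakmp policy (\d+)", header)
        if not m:
            continue
        params = dict(ISAKMP_DEFAULTS)
        for sub in body:
            key, _, value = sub.partition(" ")
            params[key] = value
        policies[int(m.group(1))] = params
    return policies


def audit(config, min_psk_len=20):
    """Return human-readable findings for the crypto configuration (empty list = nothing flagged)."""
    findings = []
    sections = parse_sections(config)

    for num, p in isakmp_policies(config).items():
        if p["group"] in ("1", "2", "5"):  # assumption: treat groups below 14 as too small
            findings.append(f"isakmp policy {num}: DH group {p['group']} is too small, use group 14 or higher")
        if p["hash"] in ("md5", "sha"):
            findings.append(f"isakmp policy {num}: hash {p['hash']} is weak, use sha256 or stronger")
        if p["encr"] in ("des", "3des"):
            findings.append(f"isakmp policy {num}: encryption {p['encr']} is weak, use aes")

    # Transform sets configured for transport mode, and the IPsec profiles that reference them.
    transport_sets = {h.split()[3] for h, body in sections
                      if h.startswith("crypto ipsec transform-set") and "mode transport" in body}
    profile_set = {h.split()[3]: sub.split()[2] for h, body in sections
                   if h.startswith("crypto ipsec profile")
                   for sub in body if sub.startswith("set transform-set")}

    for header, body in sections:
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", header)
        if m and len(m.group(1)) < min_psk_len:
            findings.append(f"pre-shared key for peer {m.group(2)} is only {len(m.group(1))} characters")
        if header.startswith("interface Tunnel") and "tunnel mode ipsec ipv4" in body:
            profiles = [sub.split()[4] for sub in body if sub.startswith("tunnel protection ipsec profile")]
            if not profiles:
                findings.append(f"{header}: VTI has no tunnel protection profile")
            elif profile_set.get(profiles[0]) in transport_sets:
                findings.append(f"{header}: transform set {profile_set[profiles[0]]} asks for transport mode, "
                                f"but a VTI always uses tunnel mode, so that line is ignored")
    return findings


if __name__ == "__main__":
    for finding in audit(R1_CONFIG):
        print(finding)
```

Run against R1's configuration the audit reports four findings: the default DH group 1, the default SHA-1 hash, the 8-character pre-shared key, and the ignored transport-mode setting on Tunnel14. R4's configuration produces the same four, since the two sides are mirror images.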
Let's check connectivity and make sure that all packets that go through the tunnel are encrypted. The EIGRP adjacency forms across Tunnel14, the remote data network 44.44.44.44 is learned via the tunnel, and a ping sourced from 11.11.11.11 succeeds. The ISAKMP SA with 4.4.4.4 is in state QM_IDLE, and in the IPsec SA counters every packet sent (#pkts encaps) has also been encrypted and authenticated (#pkts encrypt, #pkts digest), and every packet received (#pkts decaps) has been decrypted and verified, with no send or receive errors.
R1#show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.41.4            Tu14              14 00:00:41  109  5000  0  3
R1#show ip route eigrp
44.0.0.0/32 is subnetted, 1 subnets
D 44.44.44.44 [90/297372416] via 192.168.41.4, 00:00:46, Tunnel14
R1#ping 44.44.44.44 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/84/116 ms
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         4.4.4.4         QM_IDLE           1001    0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
interface: Tunnel14
    Crypto map tag: Tunnel14-head-0, local addr 1.1.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 4.4.4.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 4.4.4.4
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0xEB366F8D(3946213261)
     inbound esp sas:
      spi: 0x6D746FAA(1836347306)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4537930/3524)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xEB366F8D(3946213261)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4537930/3524)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
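As an added example (not from the original post), here is a Python check that turns the verification step above into something scriptable. It parses two snapshots of show crypto ipsec sa, one taken before and one after the ping, and confirms that the encapsulation counter rose by at least the number of packets sent, that every encapsulated packet was encrypted and authenticated (encaps, encrypt and digest equal, likewise decaps, decrypt and verify), that there are no send or receive errors, that both ESP SAs are ACTIVE, and that the transform provides both confidentiality and integrity. The BEFORE snapshot is the relevant lines of the R1 output above; the AFTER snapshot is constructed by adding the five ping packets to the counters, and the checks are this example's own rules, not an IOS feature.

```python
import re

# Constructed samples: the relevant lines of "show crypto ipsec sa" on R1 from this page (BEFORE)
# and a second snapshot as it would look after the five-packet ping (AFTER, derived from BEFORE).
BEFORE = """\
interface: Tunnel14
    Crypto map tag: Tunnel14-head-0, local addr 1.1.1.1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 4.4.4.4 port 500
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x6D746FAA(1836347306)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE
     outbound esp sas:
      spi: 0xEB366F8D(3946213261)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        Status: ACTIVE
"""
AFTER = (BEFORE
         .replace("encaps: 25, #pkts encrypt: 25, #pkts digest: 25",
                  "encaps: 30, #pkts encrypt: 30, #pkts digest: 30")
         .replace("decaps: 26, #pkts decrypt: 26, #pkts verify: 26",
                  "decaps: 31, #pkts decrypt: 31, #pkts verify: 31"))

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")


def parse_ipsec_sa(text):
    """Pull the packet counters, transforms, modes and SA states out of 'show crypto ipsec sa' output."""
    sa = {"counters": {}, "send_errors": 0, "recv_errors": 0,
          "transforms": [], "modes": [], "statuses": []}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            sa["counters"][name] = int(value)
        m = re.search(r"#send errors (\d+), #recv errors (\d+)", line)
        if m:
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
        m = re.search(r"transform: (.+?) ,", line)
        if m:
            sa["transforms"].append(m.group(1))
        m = re.search(r"in use settings =\{(\w+)", line)
        if m:
            sa["modes"].append(m.group(1))
        m = re.search(r"Status: (\w+)", line)
        if m:
            sa["statuses"].append(m.group(1))
    return sa


def check_encrypted(before, after, packets_sent):
    """Return the reasons the two snapshots do NOT prove the traffic was protected (empty list = OK)."""
    problems = []
    c0, c1 = before["counters"], after["counters"]
    sent = c1["encaps"] - c0["encaps"]
    if sent < packets_sent:
        problems.append(f"only {sent} packets were encapsulated, expected at least {packets_sent}")
    # Every packet that entered the tunnel must also have been encrypted and authenticated.
    if not (c1["encaps"] == c1["encrypt"] == c1["digest"]):
        problems.append("some outbound packets were encapsulated without encryption or integrity protection")
    if not (c1["decaps"] == c1["decrypt"] == c1["verify"]):
        problems.append("some inbound packets were accepted without decryption or verification")
    if after["send_errors"] or after["recv_errors"]:
        problems.append(f"SA reports {after['send_errors']} send / {after['recv_errors']} receive errors")
    if len(after["statuses"]) < 2 or any(s != "ACTIVE" for s in after["statuses"]):
        problems.append("inbound and outbound ESP SAs are not both ACTIVE")
    for t in after["transforms"]:
        algs = t.split()
        ciphers = [a for a in algs if a.startswith("esp-") and not a.endswith("-hmac")]
        aead = any("gcm" in a for a in algs)  # combined-mode ciphers need no separate HMAC
        if not ciphers or "esp-null" in ciphers:
            problems.append(f"transform '{t}' gives no confidentiality")
        if not aead and not any(a.endswith("-hmac") for a in algs):
            problems.append(f"transform '{t}' gives no integrity protection")
    return problems


if __name__ == "__main__":
    result = check_encrypted(parse_ipsec_sa(BEFORE), parse_ipsec_sa(AFTER), packets_sent=5)
    print("OK: all traffic encrypted and authenticated" if not result else "\n".join(result))
```

Because EIGRP hellos also traverse the tunnel, the counters normally rise by more than the five ping packets, so the check is a lower bound. It cannot prove that no packet bypassed the tunnel; for that, capture on the FastEthernet0/1 link while pinging: only OSPF, ISAKMP (UDP 500) and ESP (IP protocol 50) between 1.1.1.1 and 4.4.4.4 should appear, and any other site-to-site traffic seen there has gone around the tunnel.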