Saturday, November 12, 2011

Cisco IOS IPsec configuration with Reverse Route Injection

This configuration example shows a Cisco IOS IPsec setup that uses Reverse Route Injection (RRI).

Reverse Route Injection lets static routes be inserted automatically into the routing tables of the IPsec routers. These routes can then be redistributed into other routing protocols such as OSPF or BGP, so that the routers behind the IPsec routers learn them as well.

Here is the topology for this example:



Configuration of R1:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.168.1.3
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set testset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.1.3
 set transform-set testset
 match address 101
 reverse-route
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto map testmap
!
router ospf 1
 router-id 10.10.10.1
 log-adjacency-changes
 redistribute static subnets
 network 10.10.10.0 0.0.0.255 area 0

access-list 101 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

Configuration of R3:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.168.1.1
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set testset esp-3des esp-md5-hmac
!
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set testset
 match address 101
 reverse-route
!
interface FastEthernet0/1
 ip address 20.20.20.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 crypto map testmap
!
router ospf 1
 router-id 20.20.20.1
 log-adjacency-changes
 redistribute static subnets
 network 20.20.20.0 0.0.0.255 area 0

access-list 101 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
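The two router configs above contain everything RRI works from: the `reverse-route` keyword on the crypto map entry, the crypto ACL it matches, and the peer address. The script below is an added example, not code from the original post: it parses a constructed copy of the R1 and R3 crypto snippets (interface and OSPF lines left out), derives the static route that RRI will install (destination network of each permit line in the crypto ACL, next hop = crypto map peer, as the post's `show ip route` output later confirms), checks that the two crypto ACLs are mirror images, and flags the algorithms in the ISAKMP policy and transform set. The post's choice of 3DES, MD5 and DH group 2 is what current guidance treats as legacy, so the last check reports exactly those; the `LEGACY` sets and all function names are this example's own.

```python
"""Derive the routes Reverse Route Injection (RRI) will install from a Cisco IOS
crypto map and cross-check a pair of peer configs. Added example, not code from
the original post; the config strings are constructed from the post's R1 and R3
snippets (interface and OSPF lines omitted), and the parser understands only
the commands shown there."""
import ipaddress

R1_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.168.1.3
crypto ipsec transform-set testset esp-3des esp-md5-hmac
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.1.3
 set transform-set testset
 match address 101
 reverse-route
access-list 101 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
"""
# R3 is the mirror image: peer, key address and ACL direction swapped.
R3_CONFIG = (R1_CONFIG.replace("192.168.1.3", "192.168.1.1")
             .replace("10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255",
                      "20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255"))

# Algorithms current guidance treats as legacy: DES/3DES, MD5, 1024-bit DH group 2.
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
LEGACY_DH_GROUPS = {"1", "2"}


def acl_network(addr, wildcard):
    """IOS wildcard masks are inverted subnet masks (a 0 bit must match), so
    invert explicitly; wildcard 0.0.0.0 then correctly becomes a /32 host."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect the pieces of an IOS crypto config that RRI depends on."""
    cfg = {"policies": {}, "keys": {}, "transform_sets": {}, "maps": {}, "acls": {}}
    ctx = None  # dict that owns the indented lines which follow
    for line in text.splitlines():
        w = line.split()
        if not w or line.startswith("!"):
            continue
        if not line.startswith(" "):
            ctx = None
            if line.startswith("crypto isakmp policy"):
                ctx = cfg["policies"].setdefault(w[3], {})
            elif line.startswith("crypto isakmp key"):
                cfg["keys"][w[5]] = w[3]  # pre-shared key indexed by peer address
            elif line.startswith("crypto ipsec transform-set"):
                cfg["transform_sets"][w[3]] = w[4:]
            elif line.startswith("crypto map") and "ipsec-isakmp" in w:
                ctx = cfg["maps"].setdefault((w[2], w[3]), {"reverse_route": False})
            elif line.startswith("access-list"):
                # access-list <n> permit ip <src> <wildcard> <dst> <wildcard>
                cfg["acls"].setdefault(w[1], []).append(
                    (w[2], acl_network(w[4], w[5]), acl_network(w[6], w[7])))
        elif ctx is not None:
            if w[0] == "set":
                ctx[w[1]] = w[2]
            elif w[0] == "match":
                ctx["acl"] = w[2]
            elif w[0] == "reverse-route":
                ctx["reverse_route"] = True
            else:  # isakmp policy attributes: encr, hash, authentication, group
                ctx[w[0]] = " ".join(w[1:])
    return cfg


def rri_routes(cfg):
    """RRI installs, for each permit line of the crypto ACL, a static route to
    the remote (destination) network with the crypto map peer as next hop."""
    routes = set()
    for entry in cfg["maps"].values():
        if entry["reverse_route"]:
            for action, _src, dst in cfg["acls"].get(entry["acl"], []):
                if action == "permit":
                    routes.add((str(dst), entry["peer"]))
    return routes


def acl_mirror_problems(local, remote):
    """Crypto ACLs must be mirror images or the proxy identities will not match.
    Returns the local (src, dst) pairs with no (dst, src) counterpart on the peer."""
    remote_pairs = {(s, d) for acl in remote["acls"].values() for _a, s, d in acl}
    return [(str(s), str(d)) for acl in local["acls"].values()
            for _a, s, d in acl if (d, s) not in remote_pairs]


def legacy_findings(cfg):
    """Flag ISAKMP policy and transform-set algorithms from the LEGACY sets."""
    found = set()
    for pol in cfg["policies"].values():
        found |= {f"{k} {v}" for k, v in pol.items() if v in LEGACY}
        if pol.get("group") in LEGACY_DH_GROUPS:
            found.add(f"group {pol['group']}")
    for ts in cfg["transform_sets"].values():
        found |= set(ts) & LEGACY
    return found


if __name__ == "__main__":
    r1, r3 = parse_config(R1_CONFIG), parse_config(R3_CONFIG)
    print(rri_routes(r1), rri_routes(r3), acl_mirror_problems(r1, r3), legacy_findings(r1))
```

Run against the two configs, `rri_routes` yields `20.20.20.0/24 via 192.168.1.3` on R1 and `10.10.10.0/24 via 192.168.1.1` on R3, which is what `redistribute static subnets` then feeds into OSPF; the mirror check comes back empty, and the legacy check lists the five parameters a practitioner would move to AES, SHA-2 and a larger DH group before deploying this outside a lab.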

Configuration of R5:

interface FastEthernet0/0
 ip address 10.10.10.5 255.255.255.0

router ospf 1
 router-id 10.10.10.5
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0

Configuration of R4:

interface FastEthernet0/0
 ip address 20.20.20.4 255.255.255.0

router ospf 1
 router-id 20.20.20.4
 log-adjacency-changes
 network 20.20.20.0 0.0.0.255 area 0

Let's test the configuration:

R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.3     192.168.1.1     QM_IDLE           1001    0 ACTIVE
         
R3#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: testmap, local addr 192.168.1.3
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 192.168.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 41, #pkts decrypt: 41, #pkts verify: 41
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.1.3, remote crypto endpt.: 192.168.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xDFE372FD(3756225277)
     inbound esp sas:
      spi: 0xBD622F15(3177328405)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: testmap
        sa timing: remaining key lifetime (k/sec): (4497245/3534)
        IV size: 8 bytes
        replay detection support: Y
 --More--

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.1.3 to network 0.0.0.0
     20.0.0.0/24 is subnetted, 1 subnets
S       20.20.20.0 [1/0] via 192.168.1.3
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1

R5#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     20.0.0.0/24 is subnetted, 1 subnets
O E2    20.20.20.0 [110/20] via 10.10.10.1, 00:01:14, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0

R5#ping 20.20.20.4 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 20.20.20.4, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 20/97/208 ms
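The routing tables above are the evidence that RRI worked in two stages: R1 got a static route to 20.20.20.0/24 via the IPsec peer, and OSPF redistribution delivered it to R5 as an external type-2 route via R1. The script below is an added example, not code from the original post: it parses the `show ip route` format (including the "is subnetted" parent line whose prefix length the indented children inherit, which is why `20.20.20.0` shows no `/24` of its own) and checks both stages separately, so a failure tells you whether the crypto map or the redistribution is the problem. The route text is copied from the post's R1 and R5 output with the `Codes:` legend dropped; the function names and the `check_rri` defaults are this example's own.

```python
"""Parse the 'show ip route' output used to verify RRI and check the two facts
the post's tests establish. Added example, not code from the original post; the
route tables below are copied from the post's R1 and R5 output with the
'Codes:' legend dropped."""
import re

R1_ROUTES = """\
Gateway of last resort is 192.168.1.3 to network 0.0.0.0
     20.0.0.0/24 is subnetted, 1 subnets
S       20.20.20.0 [1/0] via 192.168.1.3
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/1
"""

R5_ROUTES = """\
Gateway of last resort is not set
     20.0.0.0/24 is subnetted, 1 subnets
O E2    20.20.20.0 [110/20] via 10.10.10.1, 00:01:14, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0
"""

# Classful parent line; its prefix length applies to the indented children.
SUBNETTED = re.compile(r"^\s+[\d.]+/(\d+) is subnetted")
# Route line: code of one or two tokens ("S", "O E2"), prefix, optional /len,
# then either "[AD/metric] via <next hop>" or "is directly connected".
ROUTE = re.compile(r"^(?P<code>\S+(?: [A-Z][A-Z0-9])?)\s+(?P<prefix>[\d.]+)"
                   r"(?:/(?P<plen>\d+))?\s+(?P<rest>.*)$")
VIA = re.compile(r"\[(\d+)/(\d+)\] via ([\d.]+)")
IFACE = re.compile(r"([A-Za-z]+\d+(?:/\d+)*)\s*$")


def parse_routes(text):
    """Return {'prefix/len': {'code', 'ad', 'metric', 'next_hop', 'iface'}}."""
    routes, inherited_len = {}, None
    for line in text.splitlines():
        sub = SUBNETTED.match(line)
        if sub:
            inherited_len = int(sub.group(1))
            continue
        m = ROUTE.match(line)
        if not m:
            continue  # legend, gateway-of-last-resort line, blanks
        plen = int(m.group("plen")) if m.group("plen") else inherited_len
        entry = {"code": m.group("code"), "ad": None, "metric": None,
                 "next_hop": None, "iface": None}
        via = VIA.search(m.group("rest"))
        if via:
            entry.update(ad=int(via.group(1)), metric=int(via.group(2)),
                         next_hop=via.group(3))
        iface = IFACE.search(m.group("rest"))
        if iface:
            entry["iface"] = iface.group(1)
        routes[f"{m.group('prefix')}/{plen}"] = entry
    return routes


def check_rri(r1, r5, remote_net="20.20.20.0/24", peer="192.168.1.3",
              r1_lan="10.10.10.1"):
    """Stage 1: RRI gave R1 a static route to the remote protected network via
    the IPsec peer. Stage 2: 'redistribute static subnets' handed it to R5 as
    an OSPF external type-2 route whose next hop is R1's LAN address."""
    a, b = r1.get(remote_net), r5.get(remote_net)
    return {
        "rri_static_on_r1": bool(a and a["code"] == "S" and a["next_hop"] == peer),
        "redistributed_to_r5": bool(b and b["code"] == "O E2"
                                    and b["next_hop"] == r1_lan),
    }


if __name__ == "__main__":
    print(check_rri(parse_routes(R1_ROUTES), parse_routes(R5_ROUTES)))
```

Both checks come back true for the output shown in the post. If the first is false the crypto map side needs attention (the `reverse-route` keyword or the crypto map binding on the interface); if only the second is false, the static route exists but the OSPF redistribution is not carrying it to R5.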
