tech:network:cisco:vpn:tunneling:gre-over-ipsec:gre-over-ipsec
Table of Contents
Cisco: GRE over IPsec
Topology: 1:1 GRE over IPsec
IP
Project name: ccna-vpn-gre-0002-gre-over-ipsec-1
- R1
enable configure terminal ! hostname R1 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 10.100.0.1 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 no shutdown exit ! end write
- R2
enable configure terminal ! hostname R2 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 10.200.0.2 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 no shutdown exit ! end write
- R3
enable configure terminal ! hostname R3 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 34.0.0.3 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 no shutdown exit ! end write
- R4
enable configure terminal ! hostname R4 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 34.0.0.4 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 no shutdown exit ! end write
- PC-1
ip 10.100.0.101 255.255.255.0 10.100.0.1 save
- PC-2
ip 10.200.0.202 255.255.255.0 10.200.0.2 save
Configure Basic Routing Protocol(BGP, Static routing)
- R3
configure terminal ! router bgp 3 neighbor 34.0.0.4 remote-as 4 network 100.0.0.1 mask 255.255.255.255 exit ! end
- R4
configure terminal ! router bgp 3 neighbor 34.0.0.3 remote-as 3 network 200.0.0.2 mask 255.255.255.255 exit ! end
Configure PPPoE Server, Client
- R1
configure terminal ! interface GigabitEthernet 0/1 no ip address pppoe enable group global pppoe-client dial-pool-number 10 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1356 exit ! interface Loopback 1 ip address 100.0.0.1 255.255.255.0 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@example.com ppp chap password cc13 no shutdown exit ! ip route 0.0.0.0 0.0.0.0 Dialer 1 ! dialer-list 20 protocol ip permit ! end
- R2
configure terminal ! interface GigabitEthernet 0/1 no ip address pppoe enable group global pppoe-client dial-pool-number 10 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1356 exit ! interface Loopback 1 ip address 200.0.0.2 255.255.255.0 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@example.com ppp chap password cc13 no shutdown exit ! ip route 0.0.0.0 0.0.0.0 Dialer 1 ! dialer-list 20 protocol ip permit ! end
- R3
configure terminal ! username ccie@example.com password cc13 ! ip local pool POOL1 100.0.0.1 ! interface Loopback1 ip address 100.1.3.3 255.255.255.0 exit ! interface Virtual-Template1 mtu 1454 ip unnumbered Loopback1 peer default ip address pool POOL1 ppp authentication chap exit ! bba-group pppoe PPPOE-GROUP1 virtual-template 1 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group PPPOE-GROUP1 no shut exit ! end
- R4
configure terminal ! username ccie@example.com password cc13 ! ip local pool POOL1 200.0.0.2 ! interface Loopback1 ip address 200.2.4.4 255.255.255.0 exit ! interface Virtual-Template1 mtu 1454 ip unnumbered Loopback1 peer default ip address pool POOL1 ppp authentication chap exit ! bba-group pppoe PPPOE-GROUP1 virtual-template 1 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group PPPOE-GROUP1 no shut exit ! end
R1#ping 200.0.0.2 source 100.0.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds: Packet sent with a source address of 100.0.0.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/10 ms
Configure IPsec over GRE/PPPoE
- R1
configure terminal ! ! Configure ISAKMP SA Policy crypto isakmp policy 1 ! Specify Encryption Algorithm encryption 3des ! Specify Hashing Algorithm hash md5 ! Specify Authentication Method authentication pre-share ! Specify DH(Diffie-Hellman) Group group 2 ! specify ISAKMP SA lifetime(Default) !lifetime 86400 exit ! ! Specify pre-shared key and peer address crypto isakmp key pg1xpsk address 200.0.0.2 ! Configure IKE Keepalive: DPD(Dead Peer Detection) crypto isakmp keepalive 30 on-demand ! ! Configure IPsec transform-set crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac mode transport exit ! ! Configure IPsec SA lifetime(Default) !crypto ipsec security-association lifetime seconds 3600 ! ! Configure crytpo map crypto map M-ipsec 1 ipsec-isakmp set peer 200.0.0.2 set transform-set IPSEC match address A-ipsec exit ! interface Loopback 1 ip address 100.0.0.1 255.255.255.255 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1332 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group global pppoe-client dial-pool-number 10 no cdp enable exit ! interface Tunnel 0 ip address 192.168.12.1 255.255.255.252 ip mtu 1372 tunnel source Dialer 1 tunnel destination 200.0.0.2 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@example.com ppp chap password cc13 crypto map M-ipsec ip access-group A-security in no cdp enable no shutdown exit ! ip route 0.0.0.0 0.0.0.0 Dialer 1 ! router ospf 1 network 10.100.0.1 0.0.0.0 area 0 network 192.168.12.1 0.0.0.0 area 0 exit ! ! Define IPsec encryption target traffic ip access-list extended A-ipsec permit gre host 100.0.0.1 host 200.0.0.2 exit ! ip access-list extended A-security permit esp host 200.0.0.2 host 100.0.0.1 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp permit icmp any any permit gre host 200.0.0.2 host 100.0.0.1 exit ! dialer-list 20 protocol ip permit ! end
- R2
configure terminal ! ! Configure ISAKMP SA Policy crypto isakmp policy 1 ! Specify Encryption Algorithm encryption 3des ! Specify Hashing Algorithm hash md5 ! Specify Authentication Method authentication pre-share ! Specify DH(Diffie-Hellman) Group group 2 ! specify ISAKMP SA lifetime(Default) !lifetime 86400 exit ! ! Specify pre-shared key and peer address crypto isakmp key pg1xpsk address 100.0.0.1 ! Configure IKE Keepalive: DPD(Dead Peer Detection) crypto isakmp keepalive 30 on-demand ! ! Configure IPsec transform-set crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac mode transport exit ! ! Configure IPsec SA lifetime(Default) !crypto ipsec security-association lifetime seconds 3600 ! ! Configure crytpo map crypto map M-ipsec 1 ipsec-isakmp set peer 100.0.0.1 set transform-set IPSEC match address A-ipsec exit ! interface Loopback 1 ip address 200.0.0.2 255.255.255.255 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1332 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group global pppoe-client dial-pool-number 10 no cdp enable exit ! interface Tunnel 0 ip address 192.168.12.2 255.255.255.252 ip mtu 1372 tunnel source Dialer 1 tunnel destination 100.0.0.1 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@example.com ppp chap password cc13 crypto map M-ipsec ip access-group A-security in no cdp enable no shutdown exit ! ip route 0.0.0.0 0.0.0.0 Dialer 1 ! router ospf 1 network 10.200.0.2 0.0.0.0 area 0 network 192.168.12.2 0.0.0.0 area 0 exit ! ! Define IPsec encryption target traffic ip access-list extended A-ipsec permit gre host 200.0.0.2 host 100.0.0.1 exit ! ip access-list extended A-security permit esp host 100.0.0.1 host 200.0.0.2 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp permit icmp any any permit gre host 100.0.0.1 host 200.0.0.2 exit ! dialer-list 20 protocol ip permit ! end
Verification
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#crypto isakmp po
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#enc
R1(config-isakmp)#encryption 3de
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#has
R1(config-isakmp)#hash md
R1(config-isakmp)#hash md5
R1(config-isakmp)#auth
R1(config-isakmp)#authentication pre-
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#gro
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#cry
R1(config)#crypto isak
R1(config)#crypto isakmp key
R1(config)#crypto isakmp key pg1xpsk add
R1(config)#crypto isakmp key pg1xpsk address 200.0.0.2
R1(config)#cryp
R1(config)#crypto isak
R1(config)#crypto isakmp keepali
R1(config)#crypto isakmp keepalive 30 on-de
R1(config)#crypto isakmp keepalive 30 on-demand
R1(config)#crypto
R1(config)#crypto isakm
R1(config)#cryp
R1(config)#crypto ipse
R1(config)#crypto ipsec trans
R1(config)#crypto ipsec transform-set IPSEC esp-3de
R1(config)#crypto ipsec transform-set IPSEC esp-3des esp-md
R1(config)#crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mod
R1(cfg-crypto-trans)#mode trans
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit
R1(config)#crypto
R1(config)#crypto map
R1(config)#crypto map M-ipsec 1 ipsec-isakm
R1(config)#crypto map M-ipsec 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer
R1(config-crypto-map)#set peer 200.0.0.2
R1(config-crypto-map)#set tran
R1(config-crypto-map)#set transform-set IPSEC
R1(config-crypto-map)#mat
R1(config-crypto-map)#match add
R1(config-crypto-map)#match address A-ipsec
R1(config-crypto-map)#exit
R1(config)#int lo1
R1(config-if)#ip add
R1(config-if)#ip address
*Apr 17 21:54:02.848: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#ip address 100.0.0.1 255.255.255.255
R1(config-if)#int gig0/0
R1(config-if)#ip tcp adj
R1(config-if)#ip tcp adjust-mss 1332
R1(config-if)#int gig0/1
R1(config-if)#cd
R1(config-if)#cdp en
R1(config-if)#cdp enable
% Cannot enable CDP on this interface, since CDP is not running
R1(config-if)#no cdp enable
R1(config-if)#pppoe
R1(config-if)#pppoe en
R1(config-if)#pppoe enable gro
R1(config-if)#pppoe enable group globa
R1(config-if)#pppoe enable group global
R1(config-if)#ppp
*Apr 17 22:02:48.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R1(config-if)#pppoe
*Apr 17 22:02:48.731: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R1(config-if)#pppoe-cli
R1(config-if)#pppoe-client dial
R1(config-if)#pppoe-client dial-pool-number 10
R1(config-if)#int tun0
R1(config-if)#ip a
*Apr 17 22:03:06.346: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip add
R1(config-if)#ip address 192.168.0.1 255.255.255.252
R1(config-if)#ip mt
R1(config-if)#ip mtu 1372
R1(config-if)#tu
R1(config-if)#tunnel so
R1(config-if)#tunnel source Di
R1(config-if)#tunnel source Dialer 1
R1(config-if)#tu
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200.0.0.2
R1(config-if)#int dia 1
R1(config-if)#ip unnum
R1(config-if)#ip unnumbered lo1
R1(config-if)#ip mt
R1(config-if)#ip mtu 1454
R1(config-if)#enca
R1(config-if)#encapsulation ppp
R1(config-if)#dia
R1(config-if)#dialer poo
R1(config-if)#dialer pool 10
R1(config-if)#dia
R1(config-if)#dialer-gr
R1(config-if)#dialer-group 20
R1(config-if)#ppp
*Apr 17 22:04:13.522: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:04:13.527: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:04:15.350: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R1(config-if)#p
*Apr 17 22:04:15.369: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R1(config-if)#ppp auth
R1(config-if)#ppp authe
R1(config-if)#ppp authentication chap calli
R1(config-if)#ppp authentication chap callin
R1(config-if)#ppp cha
R1(config-if)#ppp chap hostna
R1(config-if)#ppp chap hostname cci
*Apr 17 22:04:37.611: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:04:37.613: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:04:37.713: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1e
R1(config-if)#ppp chap hostname ccie@esx
*Apr 17 22:04:37.730: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R1(config-if)#ppp chap hostname ccie@example.com
R1(config-if)#ppp cha
R1(config-if)#ppp chap pass
R1(config-if)#ppp chap password cc13
R1(config-if)#cry
R1(config-if)#crypto ma
R1(config-if)#crypto map M-ipsec
*Apr 17 22:04:59.894: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
R1(config-if)#crypto map M-ipsec
*Apr 17 22:04:59.898: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
R1(config-if)#crypto map M-ipsec
R1(config-if)#
*Apr 17 22:05:01.598: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R1(config-if)#
*Apr 17 22:05:02.145: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#ip accee
R1(config-if)#ip access
R1(config-if)#ip access-group A-security in
R1(config-if)#no cde
R1(config-if)#no cdp
R1(config-if)#no cdp ?
enable Enable CDP on interface
filter-tlv-list Apply tlv list filter on interface
log Log messages generated by CDP
tlv Enable exchange of specific tlv information
R1(config-if)#no cdp en
R1(config-if)#no cdp enable
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 dia
R1(config)#ip route 0.0.0.0 0.0.0.0 dialer 1
R1(config)#router ospf
*Apr 17 22:06:05.374: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up1
R1(config)#router ospf 1
R1(config-router)#netwo
R1(config-router)#network 10.100.0.1 0.0.0.0 area 0
R1(config-router)#netwo
R1(config-router)#network 192.168.0.1 0.0.0.0 area 0
R1(config-router)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-ipsec
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R1(config-ext-nacl)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-security
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit es
R1(config-ext-nacl)#permit esp hos
R1(config-ext-nacl)#permit esp host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#permit
R1(config-ext-nacl)#permit udp hos
R1(config-ext-nacl)#permit udp host 200.0.0.2 hos
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq ?
<0-65535> Port number
biff Biff (mail notification, comsat, 512)
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
discard Discard (9)
dnsix DNSIX security protocol auditing (195)
domain Domain Name Service (DNS, 53)
echo Echo (7)
isakmp Internet Security Association and Key Management Protocol
(500)
mobile-ip Mobile IP registration (434)
nameserver IEN116 name service (obsolete, 42)
netbios-dgm NetBios datagram service (138)
netbios-ns NetBios name service (137)
netbios-ss NetBios session service (139)
non500-isakmp Internet Security Association and Key Management Protocol
(4500)
ntp Network Time Protocol (123)
pim-auto-rp PIM Auto-RP (496)
rip Routing Information Protocol (router, in.routed, 520)
snmp Simple Network Management Protocol (161)
snmptrap SNMP Traps (162)
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isa
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isak?
isakmp
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq ?
<0-65535> Port number
biff Biff (mail notification, comsat, 512)
bootpc Bootstrap Protocol (BOOTP) client (68)
bootps Bootstrap Protocol (BOOTP) server (67)
discard Discard (9)
dnsix DNSIX security protocol auditing (195)
domain Domain Name Service (DNS, 53)
echo Echo (7)
isakmp Internet Security Association and Key Management Protocol
(500)
mobile-ip Mobile IP registration (434)
nameserver IEN116 name service (obsolete, 42)
netbios-dgm NetBios datagram service (138)
netbios-ns NetBios name service (137)
netbios-ss NetBios session service (139)
non500-isakmp Internet Security Association and Key Management Protocol
(4500)
ntp Network Time Protocol (123)
pim-auto-rp PIM Auto-RP (496)
rip Routing Information Protocol (router, in.routed, 520)
snmp Simple Network Management Protocol (161)
snmptrap SNMP Traps (162)
sunrpc Sun Remote Procedure Call (111)
syslog System Logger (514)
tacacs TAC Access Control System (49)
talk Talk (517)
tftp Trivial File Transfer Protocol (69)
time Time (37)
who Who service (rwho, 513)
xdmcp X Display Manager Control Protocol (177)
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq 500
R1(config-ext-nacl)#per
R1(config-ext-nacl)#permit ic
R1(config-ext-nacl)#permit icmp an
R1(config-ext-nacl)#permit icmp any an
R1(config-ext-nacl)#permit icmp any any
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit gre hos
R1(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#exit
R1(config)#do sh ip access-lists
Extended IP access list A-ipsec
10 permit gre host 100.0.0.1 host 200.0.0.2 (13 matches)
Extended IP access list A-security
10 permit esp host 200.0.0.2 host 100.0.0.1
20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
30 permit icmp any any (4 matches)
40 permit gre host 200.0.0.2 host 100.0.0.1
R1(config)#dial
R1(config)#dialer-li
R1(config)#dialer-list 20 pro
R1(config)#dialer-list 20 protocol ip ?
deny Deny specified protocol
list Add access list to dialer list
permit Permit specified protocol
R1(config)#dialer-list 20 protocol ip per
R1(config)#dialer-list 20 protocol ip permit
R1(config)#^Z
R1#ping 1
*Apr 17 22:10:56.299: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 100.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
R1#ping 34.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R1#ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int tun0
R1(config-if)#ip addr 192.168.12.1 255.255.255.255
R1(config-if)#router ospf 1
R1(config-router)#netwo
R1(config-router)#no network 192.168.0.1 0.0.0.0 area 0
R1(config-router)#network 192.168.12.1 0.0.0.0 area 0
R1(config-router)#^Z
R1#
*Apr 17 22:40:44.546: %SYS-5-CONFIG_I: Configured from console by console
R1#ip int tun0 | i Internet
^
% Invalid input detected at '^' marker.
R1#sh ip int tun0 | i Internet
Internet address is 192.168.12.1/32
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int tun0
R1(config-if)#ip addr 192.168.12.1 255.255.255.252
R1(config-if)#^Z
R1#
*Apr 17 22:47:45.429: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#ping 192.168.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#sh ip int bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.100.0.1 YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
GigabitEthernet0/3 unassigned YES NVRAM administratively down down
Dialer1 100.0.0.1 YES TFTP up up
Loopback1 100.0.0.1 YES manual up up
Tunnel0 192.168.12.1 YES manual up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
R1#
*Apr 17 22:53:40.588: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
R1#ping 192.168.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms
R1#ping 34.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R1#sh ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O 10.200.0.0/24 [110/1001] via 192.168.12.2, 00:08:09, Tunnel0
R1#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer1
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.100.0.0/24 is directly connected, GigabitEthernet0/0
L 10.100.0.1/32 is directly connected, GigabitEthernet0/0
O 10.200.0.0/24 [110/1001] via 192.168.12.2, 00:08:12, Tunnel0
100.0.0.0/32 is subnetted, 2 subnets
C 100.0.0.1 is directly connected, Loopback1
C 100.1.3.3 is directly connected, Dialer1
192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.12.0/30 is directly connected, Tunnel0
L 192.168.12.1/32 is directly connected, Tunnel0
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int dia1
R1(config-if)#no cryp
R1(config-if)#no crypto ma
R1(config-if)#no crypto map M-ipsec
R1(config-if)#
*Apr 17 23:03:12.961: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R1(config-if)#
*Apr 17 23:03:13.473: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-if)#
*Apr 17 23:03:16.596: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
R1(config-if)#^Z
R1#
*Apr 17 23:04:29.084: %SYS-5-CONFIG_I: Configured from console by console
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#cry
R2(config)#crypto isa
R2(config)#crypto isakmp po
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#enc
R2(config-isakmp)#encryption 3de
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#has
R2(config-isakmp)#hash md5
R2(config-isakmp)#auth
R2(config-isakmp)#authentication pre
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#gro
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#cry
R2(config)#crypto isak
R2(config)#crypto isakmp ke
R2(config)#crypto isakmp key
R2(config)#crypto isakmp key pg1xpsk add
R2(config)#crypto isakmp key pg1xpsk address 100.0.0.1
R2(config)#cry
R2(config)#crypto isakm
R2(config)#crypto isakmp kee
R2(config)#crypto isakmp keepalive 30 on
R2(config)#crypto isakmp keepalive 30 on-demand
R2(config)#cryp
R2(config)#crypto ipse
R2(config)#crypto ipsec trans
R2(config)#crypto ipsec transform-set IPSEC esp-3de
R2(config)#crypto ipsec transform-set IPSEC esp-3des es
R2(config)#crypto ipsec transform-set IPSEC esp-3des esp-md
R2(config)#crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#mo
R2(cfg-crypto-trans)#mode tra
R2(cfg-crypto-trans)#mode transport
R2(cfg-crypto-trans)#exit
R2(config)#cry
R2(config)#crypto ma
R2(config)#crypto map M-ipsec 1 ipse
R2(config)#crypto map M-ipsec 1 ipsec-isa
R2(config)#crypto map M-ipsec 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set pee
R2(config-crypto-map)#set peer 100.0.0.1
R2(config-crypto-map)#set tran
R2(config-crypto-map)#set transform-set IPSEC
R2(config-crypto-map)#mat
R2(config-crypto-map)#match add
R2(config-crypto-map)#match address A-ipsec
R2(config-crypto-map)#int lo1
R2(config-if)#
*Apr 17 22:14:02.754: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R2(config-if)#ip add
R2(config-if)#ip address 200.0.0.2 255.255.255.255
R2(config-if)#int gig0/0
R2(config-if)#ip tcp
R2(config-if)#ip tcp ad
R2(config-if)#ip tcp adjust-mss 1332
R2(config-if)#int gig0/1
R2(config-if)#no ip addre
R2(config-if)#no ip address
R2(config-if)#pppoe enabl
R2(config-if)#pppoe enable group glboa
R2(config-if)#pppoe enable group glboa
R2(config-if)#
*Apr 17 22:15:01.244: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2(config-if)#
*Apr 17 22:15:01.249: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R2(config-if)#no pppoe enable group glboa
R2(config-if)#pppoe enable group ?
WORD BBA Group name
global Attach global PPPoE group
R2(config-if)#pppoe enable group global
R2(config-if)#pppoe enable group global
R2(config-if)#pppoe-cli
R2(config-if)#pppoe-client dia
R2(config-if)#pppoe-client dial-pool-number 10
R2(config-if)#int tun0
R2(config-if)#i
*Apr 17 22:15:40.205: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to downp
R2(config-if)#ip add
R2(config-if)#ip address 192.168.0.2 255.255.255.252
R2(config-if)#ip mt
R2(config-if)#ip mtu 1372
R2(config-if)#tu
R2(config-if)#tunnel so
R2(config-if)#tunnel source Dia
R2(config-if)#tunnel source Dialer 1
R2(config-if)#tun
R2(config-if)#tunnel des
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#int dia1
R2(config-if)#ip unnum
R2(config-if)#ip unnumbered Lo1
R2(config-if)#int tun0
R2(config-if)#ip addr 192.168.12.2 255.255.255.252
R2(config-if)#int dia1
R2(config-if)#ip annu
R2(config-if)#ip unnum
R2(config-if)#ip unnumbered lo1
R2(config-if)#ip mt
R2(config-if)#ip mtu 1454
R2(config-if)#enca
R2(config-if)#encapsulation ppp
R2(config-if)#dia
R2(config-if)#dialerpo
R2(config-if)#dialer po
R2(config-if)#dialer pool 10
R2(config-if)#dialer
R2(config-if)#dialer-gro
R2(config-if)#dialer-group
*Apr 17 22:42:29.361: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:42:29.366: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:42:31.142: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#dialer-grou
R2(config-if)#dialer-group
*Apr 17 22:42:31.161: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#dialer-group 20
R2(config-if)#ppp authe
R2(config-if)#ppp authentication cha
R2(config-if)#ppp authentication chap call
R2(config-if)#ppp authentication chap calli
R2(config-if)#ppp authentication chap callin
R2(config-if)#
*Apr 17 22:42:53.414: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:42:53.419: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:42:53.520: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#
*Apr 17 22:42:53.536: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#
*Apr 17 22:43:15.688: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:43:15.692: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:43:15.798: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#
*Apr 17 22:43:15.814: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#
*Apr 17 22:43:37.969: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:43:37.971: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:43:38.072: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#
*Apr 17 22:43:38.087: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp chap
R2(config-if)#ppp chap hostn
R2(config-if)#ppp chap hostname
*Apr 17 22:44:00.244: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:44:00.246: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:44:00.345: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#ppp chap hostname c
*Apr 17 22:44:00.361: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp chap hostname ccie@example.com
R2(config-if)#ppp chap
R2(config-if)#ppp chap pass
R2(config-if)#ppp chap password cc13
R2(config-if)#cry
R2(config-if)#crypto ma
R2(config-if)#crypto map M-ipsec
*Apr 17 22:44:22.531: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
R2(config-if)#crypto map M-ipsec
*Apr 17 22:44:22.535: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
R2(config-if)#crypto map M-ipsec
*Apr 17 22:44:24.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R2(config-if)#crypto map M-ipsec
R2(config-if)#
*Apr 17 22:44:26.211: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#ip accee
R2(config-if)#ip access
R2(config-if)#ip access-group A-security in
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 dia 1
R2(config)#do ping 34.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
R2(config)#pi
*Apr 17 22:45:29.231: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config)#do ping 200.2.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.2.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R2(config)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do sh ip int bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.200.0.2 YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
GigabitEthernet0/3 unassigned YES NVRAM administratively down down
Dialer1 200.0.0.2 YES TFTP up up
Loopback1 200.0.0.2 YES manual up up
Tunnel0 192.168.12.2 YES manual up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
R2(config)#router ospf 1
R2(config-router)#netw
R2(config-router)#network 10.200.0.2 0.0.0.0 are
R2(config-router)#network 10.200.0.2 0.0.0.0 area 0
R2(config-router)#netwoq
R2(config-router)#netwo
R2(config-router)#network 192.168.12.2 0.0.0.0 area 0
R2(config-router)#exit
R2(config)#ip acc
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-ipsec
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit gre hos
R2(config-ext-nacl)#permit gre host 200.0.0.2 hos
R2(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R2(config-ext-nacl)#exit
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-security
R2(config-ext-nacl)#permi e
*Apr 17 22:53:39.944: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Dones
R2(config-ext-nacl)#permi es
R2(config-ext-nacl)#permi esp hos
R2(config-ext-nacl)#permi esp host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakm
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
R2(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permit icm
R2(config-ext-nacl)#permit icmp any any
R2(config-ext-nacl)#exit
R2(config)#dial
R2(config)#dialer-li
R2(config)#dialer-list 20 pro
R2(config)#dialer-list 20 protocol ip per
R2(config)#dialer-list 20 protocol ip permit
R2(config)#^Z
R2#
*Apr 17 22:55:05.489: %SYS-5-CONFIG_I: Configured from console by console
R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/14/17 ms
R2#ping 34.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
R2#ping 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms
R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/15/18 ms
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int dia1
R2(config-if)#no cry
R2(config-if)#no crypto ma
R2(config-if)#no crypto map M-ipsec
R2(config-if)#
*Apr 17 23:02:40.826: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R2(config-if)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config-if)#
*Apr 17 23:03:15.867: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
R2(config-if)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/9/13 ms
R2(config-if)#^Z
R2#
*Apr 17 23:04:31.255: %SYS-5-CONFIG_I: Configured from console by console
R2#
PC-1> PC-1> ping 10.200.0.202 84 bytes from 10.200.0.202 icmp_seq=1 ttl=62 time=26.335 ms 84 bytes from 10.200.0.202 icmp_seq=2 ttl=62 time=14.656 ms 84 bytes from 10.200.0.202 icmp_seq=3 ttl=62 time=9.719 ms 84 bytes from 10.200.0.202 icmp_seq=4 ttl=62 time=11.283 ms 84 bytes from 10.200.0.202 icmp_seq=5 ttl=62 time=10.332 ms PC-1> ping 10.200.0.202 10.200.0.202 icmp_seq=1 timeout 10.200.0.202 icmp_seq=2 timeout 84 bytes from 10.200.0.202 icmp_seq=3 ttl=62 time=5.233 ms 84 bytes from 10.200.0.202 icmp_seq=4 ttl=62 time=7.190 ms 84 bytes from 10.200.0.202 icmp_seq=5 ttl=62 time=8.222 ms PC-1>
Topology: 1:N GRE over IPsec
IP
Project name: ccna-vpn-gre-0003-gre-over-ipsec-1-n
- R1
enable configure terminal ! hostname R1 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 10.100.0.1 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 no shutdown exit ! end write
- R2
enable configure terminal ! hostname R2 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 no shutdown exit interface GigabitEthernet 0/1 ip address 200.0.0.2 255.255.0.0 no shutdown exit ! end write
- R3
enable configure terminal ! hostname R3 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 34.0.0.3 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 no shutdown exit interface GigabitEthernet 0/2 ip address 35.0.0.3 255.255.255.0 no shutdown exit ! end write
- R4
enable configure terminal ! hostname R4 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 34.0.0.4 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 no shutdown exit interface GigabitEthernet 0/2 ip address 45.0.0.4 255.255.255.0 no shutdown exit ! end write
- R5
enable configure terminal ! hostname R5 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 35.0.0.5 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 no shutdown exit interface GigabitEthernet 0/2 ip address 45.0.0.5 255.255.255.0 no shutdown exit ! end write
- R6
enable configure terminal ! hostname R6 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 10.6.0.6 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 no shutdown exit ! end write
- PC-1
ip 10.100.0.101 255.255.255.0 10.100.0.1 save
- PC-2
ip 10.200.0.202 255.255.255.0 10.200.0.2 save
- PC-5
ip 10.6.0.105 255.255.255.0 10.6.0.6 save
Configure Basic Routing Protocol(BGP, Static routing)
- R3
configure terminal ! router bgp 3 neighbor 34.0.0.4 remote-as 4 neighbor 35.0.0.5 remote-as 5 network 100.0.0.1 mask 255.255.255.255 exit ! end
- R4
configure terminal ! router bgp 3 neighbor 34.0.0.3 remote-as 3 neighbor 45.0.0.5 remote-as 5 network 200.0.0.2 mask 255.255.255.255 exit ! end
- R5
configure terminal ! router bgp 5 neighbor 35.0.0.3 remote-as 3 neighbor 45.0.0.4 remote-as 4 network 106.0.0.6 mask 255.255.255.255 exit ! end
Configure PPPoE Server, Client
- R1
configure terminal ! interface GigabitEthernet 0/1 no ip address pppoe enable group global pppoe-client dial-pool-number 10 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1356 exit ! interface Loopback 1 ip address 100.0.0.1 255.255.255.255 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@example.com ppp chap password cc13 no shutdown exit ! ip route 0.0.0.0 0.0.0.0 Dialer 1 ! dialer-list 20 protocol ip permit ! end
- R2
configure terminal ! interface GigabitEthernet 0/1 no ip address pppoe enable group global pppoe-client dial-pool-number 10 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1356 exit ! interface Loopback 1 ip address 200.0.0.2 255.255.255.255 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@example.com ppp chap password cc13 no shutdown exit ! ip route 0.0.0.0 0.0.0.0 Dialer 1 ! dialer-list 20 protocol ip permit ! end
- R3
configure terminal ! username ccie@example.com password cc13 ! ip local pool POOL1 100.0.0.1 ! interface Loopback1 ip address 100.1.3.3 255.255.255.0 exit ! interface Virtual-Template1 mtu 1454 ip unnumbered Loopback1 peer default ip address pool POOL1 ppp authentication chap exit ! bba-group pppoe PPPOE-GROUP1 virtual-template 1 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group PPPOE-GROUP1 no shut exit ! end
- R4
configure terminal ! username ccie@example.com password cc13 ! ip local pool POOL1 200.0.0.2 ! interface Loopback1 ip address 200.2.4.4 255.255.255.0 exit ! interface Virtual-Template1 mtu 1454 ip unnumbered Loopback1 peer default ip address pool POOL1 ppp authentication chap exit ! bba-group pppoe PPPOE-GROUP1 virtual-template 1 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group PPPOE-GROUP1 no shut exit ! end
- R5
configure terminal ! username ccie@isp3.pg1x.net password cc13 ! ip local pool POOL1 106.0.0.6 ! interface Loopback1 ip address 106.5.6.5 255.255.255.0 exit ! interface Virtual-Template1 mtu 1454 ip unnumbered Loopback1 peer default ip address pool POOL1 ppp authentication chap exit ! bba-group pppoe PPPOE-GROUP1 virtual-template 1 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group PPPOE-GROUP1 no shut exit ! end
- R6
configure terminal ! interface GigabitEthernet 0/1 no ip address pppoe enable group global pppoe-client dial-pool-number 10 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1356 exit ! interface Loopback 1 ip address 106.0.0.6 255.255.255.255 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@isp3.pg1x.net ppp chap password cc13 no shutdown exit ! ip route 0.0.0.0 0.0.0.0 Dialer 1 ! dialer-list 20 protocol ip permit ! end
Configure IPsec over GRE/PPPoE
- R1
configure terminal ! ! Configure ISAKMP SA Policy crypto isakmp policy 1 ! Specify Encryption Algorithm encryption aes ! Specify Hashing Algorithm hash sha ! Specify Authentication Method authentication pre-share ! Specify DH(Diffie-Hellman) Group group 2 ! specify ISAKMP SA lifetime(Default) !lifetime 86400 exit ! ! Specify pre-shared key and peer address crypto isakmp key pg1xpsk address 200.0.0.2 crypto isakmp key pg1xpsk address 106.0.0.6 ! Configure IKE Keepalive: DPD(Dead Peer Detection) crypto isakmp keepalive 30 on-demand ! ! Configure IPsec transform-set crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac mode transport exit ! ! Configure IPsec SA lifetime(Default) !crypto ipsec security-association lifetime seconds 3600 ! ! Configure crytpo map crypto map M-ipsec 1 ipsec-isakmp set peer 200.0.0.2 set transform-set IPSEC match address A-ipsec1 exit crypto map M-ipsec 2 ipsec-isakmp set peer 106.0.0.6 set transform-set IPSEC match address A-ipsec2 exit ! interface Loopback 1 ip address 100.0.0.1 255.255.255.255 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1332 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group global pppoe-client dial-pool-number 10 no cdp enable exit ! interface Tunnel 0 ip address 192.168.12.1 255.255.255.0 ip mtu 1372 tunnel source Dialer 1 tunnel destination 200.0.0.2 exit ! interface Tunnel 1 ip address 192.168.16.1 255.255.255.0 ip mtu 1372 tunnel source Dialer 1 tunnel destination 106.0.0.6 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@example.com ppp chap password cc13 crypto map M-ipsec ip access-group A-security in no cdp enable no shutdown exit ! ip route 0.0.0.0 0.0.0.0 Dialer 1 ! router ospf 1 network 10.100.0.1 0.0.0.0 area 0 network 192.168.12.1 0.0.0.0 area 0 network 192.168.16.1 0.0.0.0 area 0 exit ! ! Define IPsec encryption target traffic ip access-list extended A-ipsec1 permit gre host 100.0.0.1 host 200.0.0.2 exit ! ip access-list extended A-ipsec2 permit gre host 100.0.0.1 host 106.0.0.6 exit ! ip access-list extended A-security permit esp host 200.0.0.2 host 100.0.0.1 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp permit gre host 200.0.0.2 host 100.0.0.1 permit esp host 106.0.0.6 host 100.0.0.1 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp permit gre host 106.0.0.6 host 100.0.0.1 permit icmp any any exit ! dialer-list 20 protocol ip permit ! end
- R2
configure terminal ! ! Configure ISAKMP SA Policy crypto isakmp policy 1 ! Specify Encryption Algorithm encryption aes ! Specify Hashing Algorithm hash sha ! Specify Authentication Method authentication pre-share ! Specify DH(Diffie-Hellman) Group group 2 ! specify ISAKMP SA lifetime(Default) !lifetime 86400 exit ! ! Specify pre-shared key and peer address crypto isakmp key pg1xpsk address 100.0.0.1 ! Configure IKE Keepalive: DPD(Dead Peer Detection) crypto isakmp keepalive 30 on-demand ! ! Configure IPsec transform-set crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac mode transport exit ! ! Configure IPsec SA lifetime(Default) !crypto ipsec security-association lifetime seconds 3600 ! ! Configure crytpo map crypto map M-ipsec 1 ipsec-isakmp set peer 100.0.0.1 set transform-set IPSEC match address A-ipsec exit ! interface Loopback 1 ip address 200.0.0.2 255.255.255.255 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1332 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group global pppoe-client dial-pool-number 10 no cdp enable exit ! interface Tunnel 0 ip address 192.168.12.2 255.255.255.0 ip mtu 1372 tunnel source Dialer 1 tunnel destination 100.0.0.1 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@example.com ppp chap password cc13 crypto map M-ipsec ip access-group A-security in no cdp enable no shutdown exit ! ip route 0.0.0.0 0.0.0.0 Dialer 1 ! router ospf 1 network 10.200.0.2 0.0.0.0 area 0 network 192.168.12.2 0.0.0.0 area 0 exit ! ! Define IPsec encryption target traffic ip access-list extended A-ipsec permit gre host 200.0.0.2 host 100.0.0.1 exit ! ip access-list extended A-security permit esp host 100.0.0.1 host 200.0.0.2 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp permit gre host 100.0.0.1 host 200.0.0.2 permit icmp any any exit ! dialer-list 20 protocol ip permit ! end
- R6
configure terminal ! ! Configure ISAKMP SA Policy crypto isakmp policy 1 ! Specify Encryption Algorithm encryption aes ! Specify Hashing Algorithm hash sha ! Specify Authentication Method authentication pre-share ! Specify DH(Diffie-Hellman) Group group 2 ! specify ISAKMP SA lifetime(Default) !lifetime 86400 exit ! ! Specify pre-shared key and peer address crypto isakmp key pg1xpsk address 100.0.0.1 ! Configure IKE Keepalive: DPD(Dead Peer Detection) crypto isakmp keepalive 30 on-demand ! ! Configure IPsec transform-set crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac mode transport exit ! ! Configure IPsec SA lifetime(Default) !crypto ipsec security-association lifetime seconds 3600 ! ! Configure crytpo map crypto map M-ipsec 1 ipsec-isakmp set peer 100.0.0.1 set transform-set IPSEC match address A-ipsec exit ! interface Loopback 1 ip address 106.0.0.6 255.255.255.255 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1332 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group global pppoe-client dial-pool-number 10 no cdp enable exit ! interface Tunnel 0 ip address 192.168.16.6 255.255.255.0 ip mtu 1372 tunnel source Dialer 1 tunnel destination 100.0.0.1 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@isp3.pg1x.net ppp chap password cc13 crypto map M-ipsec ip access-group A-security in no cdp enable no shutdown exit ! ip route 0.0.0.0 0.0.0.0 Dialer 1 ! router ospf 1 network 10.6.0.6 0.0.0.0 area 0 network 192.168.16.6 0.0.0.0 area 0 exit ! ! Define IPsec encryption target traffic ip access-list extended A-ipsec permit gre host 106.0.0.6 host 100.0.0.1 exit ! ip access-list extended A-security permit esp host 100.0.0.1 host 106.0.0.6 permit udp host 100.0.0.1 host 106.0.0.6 eq isakmp permit gre host 100.0.0.1 host 106.0.0.6 permit icmp any any exit ! dialer-list 20 protocol ip permit ! end
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#crypto isakmp po
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr
R1(config-isakmp)#encryption aes
R1(config-isakmp)#has
R1(config-isakmp)#hash sha
R1(config-isakmp)#hash sha?
sha sha256 sha384 sha512
R1(config-isakmp)#hash sha
R1(config-isakmp)#encryption aes?
aes
R1(config-isakmp)#encryption aes
R1(config-isakmp)#atuh
R1(config-isakmp)#atuhe
R1(config-isakmp)#authen
R1(config-isakmp)#authentication pre-sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#gro
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#cryp
R1(config)#crypto isak
R1(config)#crypto isakmp key pg1
R1(config)#crypto isakmp key pg1xpsk add
R1(config)#crypto isakmp key pg1xpsk address 200.0.0.2
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#crypto isakmp key pg1xpsk address 106.0.0.6
R1(config)#cry
R1(config)#crypto isakm
R1(config)#crypto isakmp kee
R1(config)#crypto isakmp keepalive 30 on
R1(config)#crypto isakmp keepalive 30 on-demand
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#cry
R1(config)#crypto ipse
R1(config)#crypto ipsec trans
R1(config)#crypto ipsec transform-set IPSEC es
R1(config)#crypto ipsec transform-set IPSEC esp-ae
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sh
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha?
esp-sha-hmac esp-sha256-hmac esp-sha384-hmac esp-sha512-hmac
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-h
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#mod
R1(cfg-crypto-trans)#mode tra
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit
R1(config)#cryp
R1(config)#crypto ma
R1(config)#crypto map M-ipsec 1 ipse
R1(config)#crypto map M-ipsec 1 ipsec-isakm
R1(config)#crypto map M-ipsec 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set pee
R1(config-crypto-map)#set peer 200.0.0.2
R1(config-crypto-map)#set tra
R1(config-crypto-map)#set transform-set IPSEC
R1(config-crypto-map)#mat
R1(config-crypto-map)#match add
R1(config-crypto-map)#match address A-ipsec1
R1(config-crypto-map)#exit
R1(config)#cry
R1(config)#crypto ma
R1(config)#crypto map M-ipsec 2 ipsec
R1(config)#crypto map M-ipsec 2 ipsec-isa
R1(config)#crypto map M-ipsec 2 ipsec-?
ipsec-isakmp ipsec-manual
R1(config)#crypto map M-ipsec 2 ipsec-isak
R1(config)#crypto map M-ipsec 2 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set pee
R1(config-crypto-map)#set peer 106.0.0.6
R1(config-crypto-map)#set tra
R1(config-crypto-map)#set transform-set IPSEC
R1(config-crypto-map)#mat
R1(config-crypto-map)#match add
R1(config-crypto-map)#match address A-ipsec2
R1(config-crypto-map)#exit
R1(config)#int
R1(config)#interface Loo
R1(config)#interface Loopback 1
R1(config-if)#
*Apr 21 02:23:38.914: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#100.0.0.1 255.255.255.255
^
% Invalid input detected at '^' marker.
R1(config-if)#ip address 100.0.0.1 255.255.255.255
R1(config-if)#int gig0/0
R1(config-if)#ip tcp
R1(config-if)#ip tcp ad
R1(config-if)#ip tcp adjust-mss 1332
R1(config-if)#int gig0/1
R1(config-if)#no ip address
R1(config-if)#pppoe en
R1(config-if)#pppoe enable grou
R1(config-if)#pppoe enable group glo
R1(config-if)#pppoe enable group global
R1(config-if)#
*Apr 21 02:26:56.038: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R1(config-if)#
*Apr 21 02:26:56.043: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R1(config-if)#pppoe-clie
R1(config-if)#pppoe-client dia
R1(config-if)#pppoe-client dial-pool-number 1
R1(config-if)#no cdp en
R1(config-if)#no cdp enable
R1(config-if)#int tun0
R1(config-if)#ip
*Apr 21 06:53:54.706: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#ip mt
R1(config-if)#ip mtu 1372 tun
R1(config-if)#ip mtu 1372 tunn
R1(config-if)#ip mtu 1372
R1(config-if)#tunn
R1(config-if)#tunnel sou
R1(config-if)#tunnel source di
R1(config-if)#tunnel source dialer 1
R1(config-if)#tunn
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200.0.0.2
R1(config-if)#int tun1
R1(config-if)#ip
*Apr 21 06:56:07.425: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to downa
R1(config-if)#ip address 192.168.16.1 255.255.255.0
R1(config-if)#ip mt
R1(config-if)#ip mtu 1372
R1(config-if)#tun
R1(config-if)#tunnel sou
R1(config-if)#tunnel source Di
R1(config-if)#tunnel source Dialer 1
R1(config-if)#tunn
R1(config-if)#tunnel desti
R1(config-if)#tunnel destination 106.0.0.6
R1(config-if)#int dia1
R1(config-if)#ip unnu
R1(config-if)#ip unnumbered Lo1
R1(config-if)#ip mt
R1(config-if)#ip mtu 1454
R1(config-if)#enca
R1(config-if)#encapsulation ppp]
^
% Invalid input detected at '^' marker.
R1(config-if)#encapsulation ppp
R1(config-if)#dial
R1(config-if)#dialer poo
R1(config-if)#dialer pool 10
R1(config-if)#dial
R1(config-if)#dialer-gr
R1(config-if)#dialer-group 20
R1(config-if)#ppp auth
R1(config-if)#ppp authe
R1(config-if)#ppp authentication chap call
R1(config-if)#ppp authentication chap calli
R1(config-if)#ppp authentication chap callin
R1(config-if)#ppp chap hostname ccie@example.com
R1(config-if)#ppp chap password cc13
R1(config-if)#crypto
R1(config-if)#crypto ma
R1(config-if)#crypto map M-ipsec
R1(config-if)#
*Apr 21 06:58:25.154: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#ip acce
R1(config-if)#ip access-group A-security in
R1(config-if)#no cdp
R1(config-if)#no cdp en
R1(config-if)#no cdp enable
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 Di
R1(config)#ip route 0.0.0.0 0.0.0.0 Dialer 1
R1(config)#router
*Apr 21 06:59:06.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R1(config)#router ospf 1
*Apr 21 06:59:13.722: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config)#router ospf 1
R1(config-router)#netwo
R1(config-router)#network 10.100.0.1 0.0.0.0 area 0
R1(config-router)#netwo
R1(config-router)#network 192.168.12.1 0.0.0.0 area 0
R1(config-router)#netwo
R1(config-router)#network 192.168.16.1 0.0.0.0 area 0
R1(config-router)#exit
R1(config)#int gig0/1
R1(config-if)#pppoe-cli
R1(config-if)#pppoe-client dial
R1(config-if)#pppoe-client dial-pool-number 10
R1(config-if)#do sh ru
*Apr 21 07:01:36.902: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 07:01:36.906: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
R1(config-if)#do sh run
*Apr 21 07:01:40.329: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R1(config-if)#do sh run int gi0/1
Building configuration...
Current configuration : 202 bytes
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
pppoe enable group global
pppoe-client dial-pool-number 10
pppoe-client dial-pool-number 1
no cdp enable
end
R1(config-if)#no pppoe-client dial-pool-number 1
R1(config-if)#do sh run int gi0/1
Building configuration...
Current configuration : 169 bytes
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
pppoe enable group global
pppoe-client dial-pool-number 10
no cdp enable
end
R1(config-if)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-ipsec1
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit gre hos
R1(config-ext-nacl)#permit gre host 100.0.0.1 hos
R1(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R1(config-ext-nacl)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-ipsec2
R1(config-ext-nacl)#permit gre host 100.0.0.1 host 106.0.0.6
R1(config-ext-nacl)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-security
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit es
R1(config-ext-nacl)#permit esp host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit udp hos
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isak
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit es
R1(config-ext-nacl)#permit gr
R1(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#permit esp host 106.0.0.6 host 100.0.0.1
R1(config-ext-nacl)#permit udp hsot 106.0.0.6 host 100.0.0.1 eq isakm
R1(config-ext-nacl)#permit udp hsot 106.0.0.6 host 100.0.0.1 eq isakmp
R1(config-ext-nacl)#permit udp host 106.0.0.6 host 100.0.0.1 eq isa
R1(config-ext-nacl)#permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
R1(config-ext-nacl)#permit gre host 106.0.0.6 host 100.0.0.1
R1(config-ext-nacl)#permit icmp any any
R1(config-ext-nacl)#exit
R1(config)#do sh ip access-lists
Extended IP access list A-ipsec1
10 permit gre host 100.0.0.1 host 200.0.0.2 (22 matches)
Extended IP access list A-ipsec2
10 permit gre host 100.0.0.1 host 106.0.0.6 (18 matches)
Extended IP access list A-security
10 permit esp host 200.0.0.2 host 100.0.0.1
20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
30 permit gre host 200.0.0.2 host 100.0.0.1
40 permit esp host 106.0.0.6 host 100.0.0.1
50 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
60 permit gre host 106.0.0.6 host 100.0.0.1
70 permit icmp any any (2 matches)
R1(config)#do sh ip access-lists
Extended IP access list A-ipsec1
10 permit gre host 100.0.0.1 host 200.0.0.2 (23 matches)
Extended IP access list A-ipsec2
10 permit gre host 100.0.0.1 host 106.0.0.6 (20 matches)
Extended IP access list A-security
10 permit esp host 200.0.0.2 host 100.0.0.1
20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
30 permit gre host 200.0.0.2 host 100.0.0.1
40 permit esp host 106.0.0.6 host 100.0.0.1
50 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
60 permit gre host 106.0.0.6 host 100.0.0.1
70 permit icmp any any (4 matches)
R1(config)#diea
R1(config)#diale
R1(config)#dialer-li
R1(config)#dialer-list 20 pro
R1(config)#dialer-list 20 protocol ip per
R1(config)#dialer-list 20 protocol ip permit
R1(config)#^Z
R1#pign
*Apr 21 07:06:47.551: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 100.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/8 ms
R1#
*Apr 21 08:27:32.430: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
R1#
*Apr 21 08:51:45.863: %OSPF-5-ADJCHG: Process 1, Nbr 106.0.0.6 on Tunnel1 from LOADING to FULL, Loading Done
R1#sh ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O 10.6.0.0/24 [110/1001] via 192.168.16.6, 00:05:58, Tunnel1
O 10.200.0.0/24 [110/1001] via 192.168.12.2, 00:30:11, Tunnel0
R1#sh ip ospf neigh
R1#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
106.0.0.6 0 FULL/ - 00:00:34 192.168.16.6 Tunnel1
200.0.0.2 0 FULL/ - 00:00:36 192.168.12.2 Tunnel0
R1#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O 10.6.0.0/24 [110/1001] via 192.168.16.6, 00:06:15, Tunnel1
C 10.100.0.0/24 is directly connected, GigabitEthernet0/0
L 10.100.0.1/32 is directly connected, GigabitEthernet0/0
O 10.200.0.0/24 [110/1001] via 192.168.12.2, 00:30:28, Tunnel0
100.0.0.0/32 is subnetted, 2 subnets
C 100.0.0.1 is directly connected, Loopback1
C 100.1.3.3 is directly connected, Dialer1
192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.12.0/24 is directly connected, Tunnel0
L 192.168.12.1/32 is directly connected, Tunnel0
192.168.16.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.16.0/24 is directly connected, Tunnel1
L 192.168.16.1/32 is directly connected, Tunnel1
R1#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#cryp
R2(config)#crypto isakm
R2(config)#crypto isakmp poli
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encr
R2(config-isakmp)#encryption aes
R2(config-isakmp)#encryption aes
R2(config-isakmp)#has
R2(config-isakmp)#hash sha
R2(config-isakmp)#auth
R2(config-isakmp)#authentication pre
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#gro
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#cry
R2(config)#crypto isakm
R2(config)#crypto isakmp key pg1xpsk address 100.0.0.1
R2(config)#cryp
R2(config)#crypto isak
R2(config)#crypto isakmp kee
R2(config)#crypto isakmp keepalive 30 on-de
R2(config)#crypto isakmp keepalive 30 on-demand
R2(config)#cry
R2(config)#crypto ipsec tran
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sh
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hp
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hm
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
R2(cfg-crypto-trans)#mod
R2(cfg-crypto-trans)#mode tra
R2(cfg-crypto-trans)#mode transport
R2(cfg-crypto-trans)#exit
R2(config)#cryp
R2(config)#crypto ma
R2(config)#crypto map M-ipsec 1 ipsec
R2(config)#crypto map M-ipsec 1 ipsec-isakm
R2(config)#crypto map M-ipsec 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set pee
R2(config-crypto-map)#set peer 100.0.0.1
R2(config-crypto-map)#set tran
R2(config-crypto-map)#set transform-set IPSEC
R2(config-crypto-map)#mat
R2(config-crypto-map)#match add
R2(config-crypto-map)#match address A-ipsec
R2(config-crypto-map)#exit
R2(config)#int lo1
R2(config-if)#ip ad
*Apr 21 07:09:56.490: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R2(config-if)#ip address 200.0.0.2 255.255.255.255
R2(config-if)#int gig0/0
R2(config-if)#ip tcp adj
R2(config-if)#ip tcp adjust-mss 1332
R2(config-if)#int gig0/1
R2(config-if)#no ip address
R2(config-if)#pppoe
R2(config-if)#pppoe enabl
R2(config-if)#pppoe enable gro
R2(config-if)#pppoe enable group glo
R2(config-if)#pppoe enable group global
R2(config-if)#
*Apr 21 07:10:45.180: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2(config-if)#p
*Apr 21 07:10:45.184: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to upp
R2(config-if)#pppoe-cli
R2(config-if)#pppoe-client dial
R2(config-if)#pppoe-client dial-pool-number 10
R2(config-if)#no cdp
R2(config-if)#no cdp en
R2(config-if)#no cdp enable
R2(config-if)#int tunn0
R2(config-if)#
*Apr 21 07:11:01.908: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config-if)#ip add
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#ip mt
R2(config-if)#ip mtu 1372
R2(config-if)#tunn
R2(config-if)#tunnel sou
R2(config-if)#tunnel source Di
R2(config-if)#tunnel source Dialer 1
R2(config-if)#tunn
R2(config-if)#tunnel desi
R2(config-if)#tunnel desti
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#int dia1
R2(config-if)#ip unnu
R2(config-if)#ip unnumbered Lo1
R2(config-if)#ip mt
R2(config-if)#ip mtu 1454
R2(config-if)#enca
R2(config-if)#encapsulation ppp dia
R2(config-if)#encapsulation ppp
R2(config-if)#dia
R2(config-if)#dialer poo
R2(config-if)#dialer pool ?
<1-255> Dialer pool number
R2(config-if)#dialer pool 10
R2(config-if)#diale
R2(config-if)#dialer
*Apr 21 08:24:59.932: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:24:59.937: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:25:01.832: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#dialer-g
*Apr 21 08:25:01.849: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#dialer-gr
R2(config-if)#dialer-group 20
R2(config-if)#ppp auth
R2(config-if)#ppp auth
R2(config-if)#ppp authe
R2(config-if)#ppp auth?
authentication authorization
R2(config-if)#ppp authe
R2(config-if)#ppp authentication
*Apr 21 08:25:24.154: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:25:24.156: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:25:24.266: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#ppp authentication
*Apr 21 08:25:24.282: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp authentication chap
R2(config-if)#ppp authentication chap call
R2(config-if)#ppp authentication chap calli
R2(config-if)#ppp authentication chap callin
R2(config-if)#ppp cha
R2(config-if)#ppp chap hos
R2(config-if)#ppp chap hostname ccie@example.com
R2(config-if)#ppp chap password
*Apr 21 08:25:46.486: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:25:46.490: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:25:46.586: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#ppp chap password cc1
*Apr 21 08:25:46.601: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp chap password cc13
R2(config-if)#cry
R2(config-if)#crypto ma
R2(config-if)#crypto map M-ipsec
R2(config-if)#
*Apr 21 08:26:04.464: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#ip acce
R2(config-if)#ip access-group A-
*Apr 21 08:26:08.819: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
R2(config-if)#ip access-group A-secur
*Apr 21 08:26:08.824: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to upity in
R2(config-if)#ip access-group A-security in
*Apr 21 08:26:10.668: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R2(config-if)#ip access-group A-security in
R2(config-if)#no cdp en
R2(config-if)#no cdp enable
R2(config-if)#no shut
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 Dia
R2(config)#ip route 0.0.0.0 0.0.0.0 Dialer 1
R2(config)#router ospf 1
R2(config-router)#netwo
R2(config-router)#network 10.
*Apr 21 08:26:41.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-router)#network 10.200.0.2 0.0.0.0 area 0
R2(config-router)#netwo
R2(config-router)#network 192.168.12.2 0.0.0.0 area 0
R2(config-router)#exit
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-ipsec
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit gre host 200.0.0.2 hos
R2(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R2(config-ext-nacl)#exit
R2(config)#ip
*Apr 21 08:28:05.450: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
R2(config)#ip acc
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-security
R2(config-ext-nacl)#permit esp host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakm
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit gre hos
R2(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permit icmp any any
R2(config-ext-nacl)#exit
R2(config)#dialer
R2(config)#dialer-li
R2(config)#dialer-list 20 pro
R2(config)#dialer-list 20 protocol ip
R2(config)#dialer-list 20 protocol ip per
R2(config)#dialer-list 20 protocol ip permit
R2(config)#^Z
R2#
*Apr 21 08:29:29.695: %SYS-5-CONFIG_I: Configured from console by console
R2#sh ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
100.0.0.1 0 FULL/ - 00:00:37 192.168.12.1 Tunnel0
R2#sh ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O 10.100.0.0/24 [110/1001] via 192.168.12.1, 00:02:14, Tunnel0
O 192.168.16.0/24 [110/2000] via 192.168.12.1, 00:02:14, Tunnel0
R2#ping 192.168.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/20 ms
R2#ping 192.168.16.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.16.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/24/32 ms
R2#
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#cry
R6(config)#crypto isakm
R6(config)#crypto isakmp poli
R6(config)#crypto isakmp policy 1
R6(config-isakmp)#ecn
R6(config-isakmp)#encr
R6(config-isakmp)#encryption aes
R6(config-isakmp)#encryption aes
R6(config-isakmp)#has
R6(config-isakmp)#hash sh
R6(config-isakmp)#hash sha
R6(config-isakmp)#auh
R6(config-isakmp)#auth
R6(config-isakmp)#authentication pre
R6(config-isakmp)#authentication pre-share
R6(config-isakmp)#gr
R6(config-isakmp)#group 2
R6(config-isakmp)#exit
R6(config)#cry
R6(config)#crypto isak
R6(config)#crypto isakmp key pg1xpsk address 100.0.0.1
R6(config)#cry
R6(config)#crypto isakm
R6(config)#crypto isakmp kee
R6(config)#crypto isakmp keepalive 30 on-de
R6(config)#crypto isakmp keepalive 30 on-demand
R6(config)#cry
R6(config)#crypto ipsec trans
R6(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-h
R6(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
R6(cfg-crypto-trans)#mod
R6(cfg-crypto-trans)#mode tra
R6(cfg-crypto-trans)#mode transport
R6(cfg-crypto-trans)#exit
R6(config)#cryp
R6(config)#crypto ma
R6(config)#crypto map M-ipsec 1 ipsec-isakm
R6(config)#crypto map M-ipsec 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R6(config-crypto-map)#set pee
R6(config-crypto-map)#set peer 100.0.0.1
R6(config-crypto-map)#set tra
R6(config-crypto-map)#set transform-set IPSEC
R6(config-crypto-map)#mat
R6(config-crypto-map)#match add
R6(config-crypto-map)#match address A-ipsec
R6(config-crypto-map)#exit
R6(config)#int lo1
R6(config-if)#ip a
*Apr 21 08:42:20.177: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R6(config-if)#ip addre
R6(config-if)#ip address 106.0.0.6 255.255.255.255
R6(config-if)#inter
R6(config-if)#int gig0/0
R6(config-if)#ip tc
R6(config-if)#ip tcp ad
R6(config-if)#ip tcp adjust-mss 1332
R6(config-if)#int gig0/1
R6(config-if)#no ip add
R6(config-if)#no ip address
R6(config-if)#pppoe
R6(config-if)#pppoe ena
R6(config-if)#pppoe enable grou
R6(config-if)#pppoe enable group globa
R6(config-if)#pppoe enable group global
R6(config-if)#ppp
*Apr 21 08:44:04.968: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R6(config-if)#pppoe
R6(config-if)#pppoe
*Apr 21 08:44:04.975: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R6(config-if)#pppoe-cli
R6(config-if)#pppoe-client dial
R6(config-if)#pppoe-client dial-pool-number 10
R6(config-if)#no cdp ena
R6(config-if)#no cdp enable
R6(config-if)#exit
R6(config)#inter tunn
R6(config)#inter tunnel 0
R6(config-if)#
*Apr 21 08:44:25.068: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R6(config-if)#ip address 192.168.16.6 255.255.255.0
R6(config-if)#ip mt
R6(config-if)#ip mtu 1372
R6(config-if)#tunne
R6(config-if)#tunnel so
R6(config-if)#tunnel source Dia
R6(config-if)#tunnel source Dialer 1
R6(config-if)#tunne
R6(config-if)#tunnel desti
R6(config-if)#tunnel destination 100.0.0.1
R6(config-if)#exit
R6(config)#int Dia
R6(config)#int Dialer 1
R6(config-if)#ip unnu
R6(config-if)#ip unnumbered Lo1
R6(config-if)#ip mt
R6(config-if)#ip mtu 1454
R6(config-if)#enca
R6(config-if)#encapsulation ppp
R6(config-if)#dial
R6(config-if)#dialer poo
R6(config-if)#dialer pool 10
R6(config-if)#dial
R6(config-if)#dialer-gr
R6(config-if)#dialer-group
*Apr 21 08:46:20.268: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:46:20.275: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:46:22.144: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R6(config-if)#dialer-group 2
*Apr 21 08:46:22.160: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R6(config-if)#dialer-group 20
R6(config-if)#ppp authe
R6(config-if)#ppp authentication chap call
R6(config-if)#ppp authentication chap calli
R6(config-if)#ppp authentication chap call?
WORD callback callin callout
R6(config-if)#ppp authentication chap calli
R6(config-if)#ppp authentication chap callin
R6(config-if)#ppp chap hostname ccie@example.com
*Apr 21 08:46:44.462: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:46:44.467: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:46:44.576: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R6(config-if)#ppp chap hostname ccie@example.com
*Apr 21 08:46:44.593: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R6(config-if)#ppp chap hostname ccie@example.com
*Apr 21 08:47:06.798: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:47:06.801: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:47:06.895: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R6(config-if)#ppp chap hostname ccie@example.com
*Apr 21 08:47:06.911: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R6(config-if)#ppp chap hostname ccie@isp3.pg1x.net
R6(config-if)#ppp chap pass
R6(config-if)#ppp chap password cc
*Apr 21 08:47:29.116: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:47:29.120: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:47:29.223: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R6(config-if)#ppp chap password cc13
*Apr 21 08:47:29.250: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R6(config-if)#ppp chap password cc13
R6(config-if)#
*Apr 21 08:47:51.476: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
R6(config-if)#
*Apr 21 08:47:51.480: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
R6(config-if)#
*Apr 21 08:47:53.274: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R6(config-if)#cry
R6(config-if)#crypto ma
R6(config-if)#crypto map M-ipsec
R6(config-if)#
*Apr 21 08:48:26.573: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R6(config-if)#ip access
R6(config-if)#ip access-group A-security in
R6(config-if)#no cdp en
R6(config-if)#no cdp enable
R6(config-if)#no shut
R6(config-if)#no shutdown
R6(config-if)#exit
R6(config)#ip route 0.0.0.0 0.0.0.0 Dia
R6(config)#ip route 0.0.0.0 0.0.0.0 Dialer 1
R6(config)#router os
*Apr 21 08:49:14.081: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R6(config)#router ospf 1
R6(config-router)#netwo
R6(config-router)#network 10.6.0.6 0.0.0.0 area 0
R6(config-router)#netwo
R6(config-router)#network 192.168.16.6 0.0.0.0 area
R6(config-router)#network 192.168.16.6 0.0.0.0 area 0
R6(config-router)#exit
R6(config)#ip acce
R6(config)#ip access-list exte
R6(config)#ip access-list extended A-ipsec
R6(config-ext-nacl)#per
R6(config-ext-nacl)#permit gre hos
R6(config-ext-nacl)#permit gre host 106.0.0.6 hos
R6(config-ext-nacl)#permit gre host 106.0.0.6 host 100.0.0.1
R6(config-ext-nacl)#exit
R6(config)#ip
*Apr 21 08:52:11.958: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
R6(config)#ip acce
R6(config)#ip access-list exte
R6(config)#ip access-list extended A-security
R6(config-ext-nacl)#permi
R6(config-ext-nacl)#permit esp hos
R6(config-ext-nacl)#permit esp host 100.0.0.1 hsot 106.0.0.6
^
% Invalid input detected at '^' marker.
R6(config-ext-nacl)#permit esp host 100.0.0.1 hoot 106.0.0.6
^
% Invalid input detected at '^' marker.
R6(config-ext-nacl)#permit esp host 100.0.0.1 host 106.0.0.6
R6(config-ext-nacl)#permi
R6(config-ext-nacl)#permit gre host 100.0.0.1 host 106.0.0.6
R6(config-ext-nacl)#permit icm
R6(config-ext-nacl)#permit icmp an
R6(config-ext-nacl)#permit icmp any an
R6(config-ext-nacl)#permit icmp any any
R6(config-ext-nacl)#exit
R6(config)#dialer
R6(config)#dialer-lis
R6(config)#dialer-list 20 proto
R6(config)#dialer-list 20 protocol ip permi
R6(config)#dialer-list 20 protocol ip permit
R6(config)#^Z
R6#
*Apr 21 08:54:15.610: %SYS-5-CONFIG_I: Configured from console by console
R6#ping 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/11 ms
R6#ping 200.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/11 ms
R6#sh ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
100.0.0.1 0 FULL/ - 00:00:37 192.168.16.1 Tunnel0
R6#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.6.0.0/24 is directly connected, GigabitEthernet0/0
L 10.6.0.6/32 is directly connected, GigabitEthernet0/0
O 10.100.0.0/24 [110/1001] via 192.168.16.1, 00:02:54, Tunnel0
O 10.200.0.0/24 [110/2001] via 192.168.16.1, 00:02:54, Tunnel0
106.0.0.0/32 is subnetted, 2 subnets
C 106.0.0.6 is directly connected, Loopback1
C 106.5.6.5 is directly connected, Dialer1
O 192.168.12.0/24 [110/2000] via 192.168.16.1, 00:02:54, Tunnel0
192.168.16.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.16.0/24 is directly connected, Tunnel0
L 192.168.16.6/32 is directly connected, Tunnel0
R6#
PC-2> ping 10.100.0.101 84 bytes from 10.100.0.101 icmp_seq=1 ttl=62 time=27.656 ms 84 bytes from 10.100.0.101 icmp_seq=2 ttl=62 time=11.363 ms 84 bytes from 10.100.0.101 icmp_seq=3 ttl=62 time=13.107 ms 84 bytes from 10.100.0.101 icmp_seq=4 ttl=62 time=12.313 ms 84 bytes from 10.100.0.101 icmp_seq=5 ttl=62 time=11.717 ms PC-2> ping 192.168.16.6 84 bytes from 192.168.16.6 icmp_seq=1 ttl=253 time=20.835 ms 84 bytes from 192.168.16.6 icmp_seq=2 ttl=253 time=19.752 ms 84 bytes from 192.168.16.6 icmp_seq=3 ttl=253 time=21.734 ms 84 bytes from 192.168.16.6 icmp_seq=4 ttl=253 time=24.609 ms 84 bytes from 192.168.16.6 icmp_seq=5 ttl=253 time=22.443 ms PC-2> ping 10.6.0.105 84 bytes from 10.6.0.105 icmp_seq=1 ttl=61 time=37.842 ms 84 bytes from 10.6.0.105 icmp_seq=2 ttl=61 time=19.384 ms 84 bytes from 10.6.0.105 icmp_seq=3 ttl=61 time=19.323 ms 84 bytes from 10.6.0.105 icmp_seq=4 ttl=61 time=19.056 ms 84 bytes from 10.6.0.105 icmp_seq=5 ttl=61 time=19.007 ms PC-2>
R1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.100.0.1 YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
GigabitEthernet0/3 unassigned YES NVRAM administratively down down
Dialer1 100.0.0.1 YES TFTP up up
Loopback1 100.0.0.1 YES manual up up
Tunnel0 192.168.12.1 YES manual up up
Tunnel1 192.168.16.1 YES manual up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
R1#show ip ospf neighbo
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
106.0.0.6 0 FULL/ - 00:00:34 192.168.16.6 Tunnel1
200.0.0.2 0 FULL/ - 00:00:34 192.168.12.2 Tunnel0
R1#show cryp
R1#show crypto isakm
R1#show crypto ipsec sa
interface: Dialer1
Crypto map tag: M-ipsec, local addr 100.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (106.0.0.6/255.255.255.255/47/0)
current_peer 106.0.0.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
#pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 100.0.0.1, remote crypto endpt.: 106.0.0.6
plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
current outbound spi: 0x4566DF3D(1164369725)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x28335F48(674455368)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: M-ipsec
sa timing: remaining key lifetime (k/sec): (4349249/2911)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4566DF3D(1164369725)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: M-ipsec
sa timing: remaining key lifetime (k/sec): (4349249/2911)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (200.0.0.2/255.255.255.255/47/0)
current_peer 200.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
#pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
current outbound spi: 0x8A138AFC(2316536572)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x59DDE95E(1507715422)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: M-ipsec
sa timing: remaining key lifetime (k/sec): (4375654/1464)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8A138AFC(2316536572)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: M-ipsec
sa timing: remaining key lifetime (k/sec): (4375654/1464)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R1#show crypto ipsec sa
interface: Dialer1
Crypto map tag: M-ipsec, local addr 100.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (106.0.0.6/255.255.255.255/47/0)
current_peer 106.0.0.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104
#pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 100.0.0.1, remote crypto endpt.: 106.0.0.6
plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
current outbound spi: 0x4566DF3D(1164369725)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x28335F48(674455368)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: M-ipsec
sa timing: remaining key lifetime (k/sec): (4349248/2828)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4566DF3D(1164369725)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: M-ipsec
sa timing: remaining key lifetime (k/sec): (4349248/2828)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (200.0.0.2/255.255.255.255/47/0)
current_peer 200.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 271, #pkts encrypt: 271, #pkts digest: 271
#pkts decaps: 273, #pkts decrypt: 273, #pkts verify: 273
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
current outbound spi: 0x8A138AFC(2316536572)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x59DDE95E(1507715422)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: M-ipsec
sa timing: remaining key lifetime (k/sec): (4375652/1381)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8A138AFC(2316536572)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: M-ipsec
sa timing: remaining key lifetime (k/sec): (4375653/1381)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R1#
ping and capture packets.
R2#ping 10.6.0.105 repeat 100000 Type escape sequence to abort. Sending 100000, 100-byte ICMP Echos to 10.6.0.105, timeout is 2 seconds: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!. Success rate is 99 percent (1347/1348), round-trip min/avg/max = 9/26/90 ms R2#
References
tech/network/cisco/vpn/tunneling/gre-over-ipsec/gre-over-ipsec.txt · Last modified: 2019/04/21 18:20 by wnoguchi
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
