Project name: ccna-vpn-gre-0002-gre-over-ipsec-1
enable
configure terminal
!
hostname R1
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 10.100.0.1 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 no shutdown
 exit
!
end
write

enable
configure terminal
!
hostname R2
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 10.200.0.2 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 no shutdown
 exit
!
end
write

enable
configure terminal
!
hostname R3
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 34.0.0.3 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 no shutdown
 exit
!
end
write

enable
configure terminal
!
hostname R4
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 34.0.0.4 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 no shutdown
 exit
!
end
write

ip 10.100.0.101 255.255.255.0 10.100.0.1
save

ip 10.200.0.202 255.255.255.0 10.200.0.2
save

configure terminal
!
router bgp 3
 neighbor 34.0.0.4 remote-as 4
 network 100.0.0.1 mask 255.255.255.255
 exit
!
end

configure terminal
!
! Local AS is 4: the peer at 34.0.0.3 is configured with "neighbor 34.0.0.4 remote-as 4"
router bgp 4
 neighbor 34.0.0.3 remote-as 3
 network 200.0.0.2 mask 255.255.255.255
 exit
!
end

configure terminal
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 exit
!
interface Loopback 1
 ip address 100.0.0.1 255.255.255.0
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end

configure terminal
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 exit
!
interface Loopback 1
 ip address 200.0.0.2 255.255.255.0
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end

configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 100.0.0.1
!
interface Loopback1
 ip address 100.1.3.3 255.255.255.0
 exit
!
interface Virtual-Template1
 mtu 1454
 ip unnumbered Loopback1
 peer default ip address pool POOL1
 ppp authentication chap
 exit
!
bba-group pppoe PPPOE-GROUP1
 virtual-template 1
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group PPPOE-GROUP1
 no shut
 exit
!
end

configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 200.0.0.2
!
interface Loopback1
 ip address 200.2.4.4 255.255.255.0
 exit
!
interface Virtual-Template1
 mtu 1454
 ip unnumbered Loopback1
 peer default ip address pool POOL1
 ppp authentication chap
 exit
!
bba-group pppoe PPPOE-GROUP1
 virtual-template 1
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group PPPOE-GROUP1
 no shut
 exit
!
end

R1#ping 200.0.0.2 source 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 100.0.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/10 ms

configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime(Default)
 !lifetime 86400
 exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 200.0.0.2
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 on-demand
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
 exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address A-ipsec
 exit
!
interface Loopback 1
 ip address 100.0.0.1 255.255.255.255
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1332
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
 exit
!
interface Tunnel 0
 ip address 192.168.12.1 255.255.255.252
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 200.0.0.2
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no cdp enable
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
router ospf 1
 network 10.100.0.1 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 0
 exit
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit gre host 100.0.0.1 host 200.0.0.2
 exit
!
ip access-list extended A-security
 permit esp host 200.0.0.2 host 100.0.0.1
 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 permit icmp any any
 permit gre host 200.0.0.2 host 100.0.0.1
 exit
!
dialer-list 20 protocol ip permit
!
end

configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime(Default)
 !lifetime 86400
 exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 on-demand
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
 exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address A-ipsec
 exit
!
interface Loopback 1
 ip address 200.0.0.2 255.255.255.255
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1332
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
 exit
!
interface Tunnel 0
 ip address 192.168.12.2 255.255.255.252
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 100.0.0.1
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no cdp enable
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
router ospf 1
 network 10.200.0.2 0.0.0.0 area 0
 network 192.168.12.2 0.0.0.0 area 0
 exit
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit gre host 200.0.0.2 host 100.0.0.1
 exit
!
ip access-list extended A-security
 permit esp host 100.0.0.1 host 200.0.0.2
 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
 permit icmp any any
 permit gre host 100.0.0.1 host 200.0.0.2
 exit
!
dialer-list 20 protocol ip permit
!
end

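The R1/R2 configurations above set `ip mtu 1372` on Tunnel 0, `ip mtu 1454` on Dialer 1 and `ip tcp adjust-mss 1332` without showing how those numbers relate. The following added example (not part of the original lab notes) computes the size of the GRE packet after ESP encapsulation and checks it against the Dialer MTU. The `esp-aes 256 esp-sha256-hmac` suite and tunnel mode are not used on the page; they are assumptions included to show how much headroom a stronger transform-set would need.

```python
"""ESP size budget for the lab's GRE tunnel (added example, not from the page)."""
from dataclasses import dataclass

IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options
GRE_HDR = 4       # basic GRE header (no key, checksum or sequence number)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length byte + next-header byte

# Values taken from the page's R1/R2 configuration.
DIALER_IP_MTU = 1454   # interface Dialer 1: ip mtu 1454
TUNNEL_IP_MTU = 1372   # interface Tunnel 0: ip mtu 1372
ADJUST_MSS = 1332      # interface GigabitEthernet 0/0: ip tcp adjust-mss 1332


@dataclass(frozen=True)
class EspSuite:
    iv_len: int    # CBC initialisation vector carried in every packet
    block: int     # cipher block size the protected data is padded to
    icv_len: int   # truncated HMAC appended to the packet


SUITES = {
    # Transform-set used on the page: 3DES-CBC with HMAC-MD5-96.
    "esp-3des esp-md5-hmac": EspSuite(iv_len=8, block=8, icv_len=12),
    # Assumption for comparison only: AES-CBC with HMAC-SHA-256-128.
    "esp-aes 256 esp-sha256-hmac": EspSuite(iv_len=16, block=16, icv_len=16),
}


def esp_packet_size(inner_len, suite, mode="transport"):
    """IP length on the Dialer of one GRE-encapsulated packet of inner_len bytes."""
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    protected = GRE_HDR + inner_len
    if mode == "tunnel":
        # Tunnel mode also encrypts the GRE delivery header and adds a new one.
        protected += IP_HDR
    unpadded = protected + ESP_TRAILER
    padded = -(-unpadded // suite.block) * suite.block   # round up to block size
    return IP_HDR + ESP_HDR + suite.iv_len + padded + suite.icv_len


def max_tunnel_ip_mtu(link_mtu, suite, mode="transport"):
    """Largest tunnel 'ip mtu' whose encrypted packet still fits in link_mtu."""
    for inner in range(link_mtu, 0, -1):
        if esp_packet_size(inner, suite, mode) <= link_mtu:
            return inner
    return 0


def mss_for(ip_mtu):
    """TCP MSS that keeps a full segment within ip_mtu."""
    return ip_mtu - IP_HDR - TCP_HDR


def report():
    """(suite, mode, size at ip mtu 1372, fits in 1454?, largest usable ip mtu)."""
    rows = []
    for name, suite in SUITES.items():
        for mode in ("transport", "tunnel"):
            size = esp_packet_size(TUNNEL_IP_MTU, suite, mode)
            rows.append((name, mode, size, size <= DIALER_IP_MTU,
                         max_tunnel_ip_mtu(DIALER_IP_MTU, suite, mode)))
    return rows


if __name__ == "__main__":
    print("adjust-mss for tunnel ip mtu:", mss_for(TUNNEL_IP_MTU))
    for row in report():
        print(row)
```
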
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#crypto isakmp po
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#enc
R1(config-isakmp)#encryption 3de
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#has
R1(config-isakmp)#hash md
R1(config-isakmp)#hash md5
R1(config-isakmp)#auth
R1(config-isakmp)#authentication pre-
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#gro
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#cry
R1(config)#crypto isak
R1(config)#crypto isakmp key
R1(config)#crypto isakmp key pg1xpsk add
R1(config)#crypto isakmp key pg1xpsk address 200.0.0.2
R1(config)#cryp
R1(config)#crypto isak
R1(config)#crypto isakmp keepali
R1(config)#crypto isakmp keepalive 30 on-de
R1(config)#crypto isakmp keepalive 30 on-demand
R1(config)#crypto
R1(config)#crypto isakm
R1(config)#cryp
R1(config)#crypto ipse
R1(config)#crypto ipsec trans
R1(config)#crypto ipsec transform-set IPSEC esp-3de
R1(config)#crypto ipsec transform-set IPSEC esp-3des esp-md
R1(config)#crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#mod
R1(cfg-crypto-trans)#mode trans
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit
R1(config)#crypto
R1(config)#crypto map
R1(config)#crypto map M-ipsec 1 ipsec-isakm
R1(config)#crypto map M-ipsec 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R1(config-crypto-map)#set peer
R1(config-crypto-map)#set peer 200.0.0.2
R1(config-crypto-map)#set tran
R1(config-crypto-map)#set transform-set IPSEC
R1(config-crypto-map)#mat
R1(config-crypto-map)#match add
R1(config-crypto-map)#match address A-ipsec
R1(config-crypto-map)#exit
R1(config)#int lo1
R1(config-if)#ip add
R1(config-if)#ip address
*Apr 17 21:54:02.848: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#ip address 100.0.0.1 255.255.255.255
R1(config-if)#int gig0/0
R1(config-if)#ip tcp adj
R1(config-if)#ip tcp adjust-mss 1332
R1(config-if)#int gig0/1
R1(config-if)#cd
R1(config-if)#cdp en
R1(config-if)#cdp enable
% Cannot enable CDP on this interface, since CDP is not running
R1(config-if)#no cdp enable
R1(config-if)#pppoe
R1(config-if)#pppoe en
R1(config-if)#pppoe enable gro
R1(config-if)#pppoe enable group globa
R1(config-if)#pppoe enable group global
R1(config-if)#ppp
*Apr 17 22:02:48.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R1(config-if)#pppoe
*Apr 17 22:02:48.731: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R1(config-if)#pppoe-cli
R1(config-if)#pppoe-client dial
R1(config-if)#pppoe-client dial-pool-number 10
R1(config-if)#int tun0
R1(config-if)#ip a
*Apr 17 22:03:06.346: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip add
R1(config-if)#ip address 192.168.0.1 255.255.255.252
R1(config-if)#ip mt
R1(config-if)#ip mtu 1372
R1(config-if)#tu
R1(config-if)#tunnel so
R1(config-if)#tunnel source Di
R1(config-if)#tunnel source Dialer 1
R1(config-if)#tu
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200.0.0.2
R1(config-if)#int dia 1
R1(config-if)#ip unnum
R1(config-if)#ip unnumbered lo1
R1(config-if)#ip mt
R1(config-if)#ip mtu 1454
R1(config-if)#enca
R1(config-if)#encapsulation ppp
R1(config-if)#dia
R1(config-if)#dialer poo
R1(config-if)#dialer pool 10
R1(config-if)#dia
R1(config-if)#dialer-gr
R1(config-if)#dialer-group 20
R1(config-if)#ppp
*Apr 17 22:04:13.522: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:04:13.527: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:04:15.350: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R1(config-if)#p
*Apr 17 22:04:15.369: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R1(config-if)#ppp auth
R1(config-if)#ppp authe
R1(config-if)#ppp authentication chap calli
R1(config-if)#ppp authentication chap callin
R1(config-if)#ppp cha
R1(config-if)#ppp chap hostna
R1(config-if)#ppp chap hostname cci
*Apr 17 22:04:37.611: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:04:37.613: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:04:37.713: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1e
R1(config-if)#ppp chap hostname ccie@esx
*Apr 17 22:04:37.730: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R1(config-if)#ppp chap hostname ccie@example.com
R1(config-if)#ppp cha
R1(config-if)#ppp chap pass
R1(config-if)#ppp chap password cc13
R1(config-if)#cry
R1(config-if)#crypto ma
R1(config-if)#crypto map M-ipsec
*Apr 17 22:04:59.894: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
R1(config-if)#crypto map M-ipsec
*Apr 17 22:04:59.898: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
R1(config-if)#crypto map M-ipsec
R1(config-if)#
*Apr 17 22:05:01.598: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R1(config-if)#
*Apr 17 22:05:02.145: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#ip accee
R1(config-if)#ip access
R1(config-if)#ip access-group A-security in
R1(config-if)#no cde
R1(config-if)#no cdp
R1(config-if)#no cdp ?
  enable           Enable CDP on interface
  filter-tlv-list  Apply tlv list filter on interface
  log              Log messages generated by CDP
  tlv              Enable exchange of specific tlv information
R1(config-if)#no cdp en
R1(config-if)#no cdp enable
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 dia
R1(config)#ip route 0.0.0.0 0.0.0.0 dialer 1
R1(config)#router ospf
*Apr 17 22:06:05.374: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up1
R1(config)#router ospf 1
R1(config-router)#netwo
R1(config-router)#network 10.100.0.1 0.0.0.0 area 0
R1(config-router)#netwo
R1(config-router)#network 192.168.0.1 0.0.0.0 area 0
R1(config-router)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-ipsec
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R1(config-ext-nacl)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-security
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit es
R1(config-ext-nacl)#permit esp hos
R1(config-ext-nacl)#permit esp host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#permit
R1(config-ext-nacl)#permit udp hos
R1(config-ext-nacl)#permit udp host 200.0.0.2 hos
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq ?
  <0-65535>      Port number
  biff           Biff (mail notification, comsat, 512)
  bootpc         Bootstrap Protocol (BOOTP) client (68)
  bootps         Bootstrap Protocol (BOOTP) server (67)
  discard        Discard (9)
  dnsix          DNSIX security protocol auditing (195)
  domain         Domain Name Service (DNS, 53)
  echo           Echo (7)
  isakmp         Internet Security Association and Key Management Protocol (500)
  mobile-ip      Mobile IP registration (434)
  nameserver     IEN116 name service (obsolete, 42)
  netbios-dgm    NetBios datagram service (138)
  netbios-ns     NetBios name service (137)
  netbios-ss     NetBios session service (139)
  non500-isakmp  Internet Security Association and Key Management Protocol (4500)
  ntp            Network Time Protocol (123)
  pim-auto-rp    PIM Auto-RP (496)
  rip            Routing Information Protocol (router, in.routed, 520)
  snmp           Simple Network Management Protocol (161)
  snmptrap       SNMP Traps (162)
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isa
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isak?
isakmp
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq ?
  <0-65535>      Port number
  biff           Biff (mail notification, comsat, 512)
  bootpc         Bootstrap Protocol (BOOTP) client (68)
  bootps         Bootstrap Protocol (BOOTP) server (67)
  discard        Discard (9)
  dnsix          DNSIX security protocol auditing (195)
  domain         Domain Name Service (DNS, 53)
  echo           Echo (7)
  isakmp         Internet Security Association and Key Management Protocol (500)
  mobile-ip      Mobile IP registration (434)
  nameserver     IEN116 name service (obsolete, 42)
  netbios-dgm    NetBios datagram service (138)
  netbios-ns     NetBios name service (137)
  netbios-ss     NetBios session service (139)
  non500-isakmp  Internet Security Association and Key Management Protocol (4500)
  ntp            Network Time Protocol (123)
  pim-auto-rp    PIM Auto-RP (496)
  rip            Routing Information Protocol (router, in.routed, 520)
  snmp           Simple Network Management Protocol (161)
  snmptrap       SNMP Traps (162)
  sunrpc         Sun Remote Procedure Call (111)
  syslog         System Logger (514)
  tacacs         TAC Access Control System (49)
  talk           Talk (517)
  tftp           Trivial File Transfer Protocol (69)
  time           Time (37)
  who            Who service (rwho, 513)
  xdmcp          X Display Manager Control Protocol (177)
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq 500
R1(config-ext-nacl)#per
R1(config-ext-nacl)#permit ic
R1(config-ext-nacl)#permit icmp an
R1(config-ext-nacl)#permit icmp any an
R1(config-ext-nacl)#permit icmp any any
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit gre hos
R1(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#exit
R1(config)#do sh ip access-lists
Extended IP access list A-ipsec
    10 permit gre host 100.0.0.1 host 200.0.0.2 (13 matches)
Extended IP access list A-security
    10 permit esp host 200.0.0.2 host 100.0.0.1
    20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
    30 permit icmp any any (4 matches)
    40 permit gre host 200.0.0.2 host 100.0.0.1
R1(config)#dial
R1(config)#dialer-li
R1(config)#dialer-list 20 pro
R1(config)#dialer-list 20 protocol ip ?
  deny    Deny specified protocol
  list    Add access list to dialer list
  permit  Permit specified protocol
R1(config)#dialer-list 20 protocol ip per
R1(config)#dialer-list 20 protocol ip permit
R1(config)#^Z
R1#ping 1
*Apr 17 22:10:56.299: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 100.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
R1#ping 34.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R1#ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int tun0
R1(config-if)#ip addr 192.168.12.1 255.255.255.255
R1(config-if)#router ospf 1
R1(config-router)#netwo
R1(config-router)#no network 192.168.0.1 0.0.0.0 area 0
R1(config-router)#network 192.168.12.1 0.0.0.0 area 0
R1(config-router)#^Z
R1#
*Apr 17 22:40:44.546: %SYS-5-CONFIG_I: Configured from console by console
R1#ip int tun0 | i Internet
 ^
% Invalid input detected at '^' marker.
R1#sh ip int tun0 | i Internet
  Internet address is 192.168.12.1/32
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int tun0
R1(config-if)#ip addr 192.168.12.1 255.255.255.252
R1(config-if)#^Z
R1#
*Apr 17 22:47:45.429: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#ping 192.168.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.100.0.1      YES NVRAM  up                    up
GigabitEthernet0/1         unassigned      YES NVRAM  up                    up
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down
Dialer1                    100.0.0.1       YES TFTP   up                    up
Loopback1                  100.0.0.1       YES manual up                    up
Tunnel0                    192.168.12.1    YES manual up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
R1#
*Apr 17 22:53:40.588: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
R1#ping 192.168.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms
R1#ping 34.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R1#sh ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O        10.200.0.0/24 [110/1001] via 192.168.12.2, 00:08:09, Tunnel0
R1#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Dialer1
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.100.0.0/24 is directly connected, GigabitEthernet0/0
L        10.100.0.1/32 is directly connected, GigabitEthernet0/0
O        10.200.0.0/24 [110/1001] via 192.168.12.2, 00:08:12, Tunnel0
      100.0.0.0/32 is subnetted, 2 subnets
C        100.0.0.1 is directly connected, Loopback1
C        100.1.3.3 is directly connected, Dialer1
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/30 is directly connected, Tunnel0
L        192.168.12.1/32 is directly connected, Tunnel0
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int dia1
R1(config-if)#no cryp
R1(config-if)#no crypto ma
R1(config-if)#no crypto map M-ipsec
R1(config-if)#
*Apr 17 23:03:12.961: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R1(config-if)#
*Apr 17 23:03:13.473: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-if)#
*Apr 17 23:03:16.596: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
R1(config-if)#^Z
R1#
*Apr 17 23:04:29.084: %SYS-5-CONFIG_I: Configured from console by console

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#cry
R2(config)#crypto isa
R2(config)#crypto isakmp po
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#enc
R2(config-isakmp)#encryption 3de
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#has
R2(config-isakmp)#hash md5
R2(config-isakmp)#auth
R2(config-isakmp)#authentication pre
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#gro
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#cry
R2(config)#crypto isak
R2(config)#crypto isakmp ke
R2(config)#crypto isakmp key
R2(config)#crypto isakmp key pg1xpsk add
R2(config)#crypto isakmp key pg1xpsk address 100.0.0.1
R2(config)#cry
R2(config)#crypto isakm
R2(config)#crypto isakmp kee
R2(config)#crypto isakmp keepalive 30 on
R2(config)#crypto isakmp keepalive 30 on-demand
R2(config)#cryp
R2(config)#crypto ipse
R2(config)#crypto ipsec trans
R2(config)#crypto ipsec transform-set IPSEC esp-3de
R2(config)#crypto ipsec transform-set IPSEC esp-3des es
R2(config)#crypto ipsec transform-set IPSEC esp-3des esp-md
R2(config)#crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
R2(cfg-crypto-trans)#mo
R2(cfg-crypto-trans)#mode tra
R2(cfg-crypto-trans)#mode transport
R2(cfg-crypto-trans)#exit
R2(config)#cry
R2(config)#crypto ma
R2(config)#crypto map M-ipsec 1 ipse
R2(config)#crypto map M-ipsec 1 ipsec-isa
R2(config)#crypto map M-ipsec 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R2(config-crypto-map)#set pee
R2(config-crypto-map)#set peer 100.0.0.1
R2(config-crypto-map)#set tran
R2(config-crypto-map)#set transform-set IPSEC
R2(config-crypto-map)#mat
R2(config-crypto-map)#match add
R2(config-crypto-map)#match address A-ipsec
R2(config-crypto-map)#int lo1
R2(config-if)#
*Apr 17 22:14:02.754: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R2(config-if)#ip add
R2(config-if)#ip address 200.0.0.2 255.255.255.255
R2(config-if)#int gig0/0
R2(config-if)#ip tcp
R2(config-if)#ip tcp ad
R2(config-if)#ip tcp adjust-mss 1332
R2(config-if)#int gig0/1
R2(config-if)#no ip addre
R2(config-if)#no ip address
R2(config-if)#pppoe enabl
R2(config-if)#pppoe enable group glboa
R2(config-if)#pppoe enable group glboa
R2(config-if)#
*Apr 17 22:15:01.244: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2(config-if)#
*Apr 17 22:15:01.249: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R2(config-if)#no pppoe enable group glboa
R2(config-if)#pppoe enable group ?
  WORD    BBA Group name
  global  Attach global PPPoE group
R2(config-if)#pppoe enable group global
R2(config-if)#pppoe enable group global
R2(config-if)#pppoe-cli
R2(config-if)#pppoe-client dia
R2(config-if)#pppoe-client dial-pool-number 10
R2(config-if)#int tun0
R2(config-if)#i
*Apr 17 22:15:40.205: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to downp
R2(config-if)#ip add
R2(config-if)#ip address 192.168.0.2 255.255.255.252
R2(config-if)#ip mt
R2(config-if)#ip mtu 1372
R2(config-if)#tu
R2(config-if)#tunnel so
R2(config-if)#tunnel source Dia
R2(config-if)#tunnel source Dialer 1
R2(config-if)#tun
R2(config-if)#tunnel des
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#int dia1
R2(config-if)#ip unnum
R2(config-if)#ip unnumbered Lo1
R2(config-if)#int tun0
R2(config-if)#ip addr 192.168.12.2 255.255.255.252
R2(config-if)#int dia1
R2(config-if)#ip annu
R2(config-if)#ip unnum
R2(config-if)#ip unnumbered lo1
R2(config-if)#ip mt
R2(config-if)#ip mtu 1454
R2(config-if)#enca
R2(config-if)#encapsulation ppp
R2(config-if)#dia
R2(config-if)#dialerpo
R2(config-if)#dialer po
R2(config-if)#dialer pool 10
R2(config-if)#dialer
R2(config-if)#dialer-gro
R2(config-if)#dialer-group
*Apr 17 22:42:29.361: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:42:29.366: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:42:31.142: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#dialer-grou
R2(config-if)#dialer-group
*Apr 17 22:42:31.161: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#dialer-group 20
R2(config-if)#ppp authe
R2(config-if)#ppp authentication cha
R2(config-if)#ppp authentication chap call
R2(config-if)#ppp authentication chap calli
R2(config-if)#ppp authentication chap callin
R2(config-if)#
*Apr 17 22:42:53.414: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:42:53.419: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:42:53.520: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#
*Apr 17 22:42:53.536: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#
*Apr 17 22:43:15.688: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:43:15.692: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:43:15.798: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#
*Apr 17 22:43:15.814: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#
*Apr 17 22:43:37.969: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:43:37.971: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:43:38.072: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#
*Apr 17 22:43:38.087: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp chap
R2(config-if)#ppp chap hostn
R2(config-if)#ppp chap hostname
*Apr 17 22:44:00.244: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:44:00.246: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:44:00.345: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#ppp chap hostname c
*Apr 17 22:44:00.361: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp chap hostname ccie@example.com
R2(config-if)#ppp chap
R2(config-if)#ppp chap pass
R2(config-if)#ppp chap password cc13
R2(config-if)#cry
R2(config-if)#crypto ma
R2(config-if)#crypto map M-ipsec
*Apr 17 22:44:22.531: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
R2(config-if)#crypto map M-ipsec
*Apr 17 22:44:22.535: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
R2(config-if)#crypto map M-ipsec
*Apr 17 22:44:24.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R2(config-if)#crypto map M-ipsec
R2(config-if)#
*Apr 17 22:44:26.211: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#ip accee
R2(config-if)#ip access
R2(config-if)#ip access-group A-security in
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 dia 1
R2(config)#do ping 34.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
R2(config)#pi
*Apr 17 22:45:29.231: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config)#do ping 200.2.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.2.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R2(config)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.200.0.2      YES NVRAM  up                    up
GigabitEthernet0/1         unassigned      YES NVRAM  up                    up
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down
Dialer1                    200.0.0.2       YES TFTP   up                    up
Loopback1                  200.0.0.2       YES manual up                    up
Tunnel0                    192.168.12.2    YES manual up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
R2(config)#router ospf 1
R2(config-router)#netw
R2(config-router)#network 10.200.0.2 0.0.0.0 are
R2(config-router)#network 10.200.0.2 0.0.0.0 area 0
R2(config-router)#netwoq
R2(config-router)#netwo
R2(config-router)#network 192.168.12.2 0.0.0.0 area 0
R2(config-router)#exit
R2(config)#ip acc
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-ipsec
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit gre hos
R2(config-ext-nacl)#permit gre host 200.0.0.2 hos
R2(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R2(config-ext-nacl)#exit
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-security
R2(config-ext-nacl)#permi e
*Apr 17 22:53:39.944: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Dones
R2(config-ext-nacl)#permi es
R2(config-ext-nacl)#permi esp hos
R2(config-ext-nacl)#permi esp host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakm
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
R2(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permit icm
R2(config-ext-nacl)#permit icmp any any
R2(config-ext-nacl)#exit
R2(config)#dial
R2(config)#dialer-li
R2(config)#dialer-list 20 pro
R2(config)#dialer-list 20 protocol ip per
R2(config)#dialer-list 20 protocol ip permit
R2(config)#^Z
R2#
*Apr 17 22:55:05.489: %SYS-5-CONFIG_I: Configured from console by console
R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/14/17 ms
R2#ping 34.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
R2#ping 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms
R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/15/18 ms
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int dia1
R2(config-if)#no cry
R2(config-if)#no crypto ma
R2(config-if)#no crypto map M-ipsec
R2(config-if)#
*Apr 17 23:02:40.826: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R2(config-if)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config-if)#
*Apr 17 23:03:15.867: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
R2(config-if)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/9/13 ms
R2(config-if)#^Z
R2#
*Apr 17 23:04:31.255: %SYS-5-CONFIG_I: Configured from console by console
R2#

PC-1>
PC-1> ping 10.200.0.202
84 bytes from 10.200.0.202 icmp_seq=1 ttl=62 time=26.335 ms
84 bytes from 10.200.0.202 icmp_seq=2 ttl=62 time=14.656 ms
84 bytes from 10.200.0.202 icmp_seq=3 ttl=62 time=9.719 ms
84 bytes from 10.200.0.202 icmp_seq=4 ttl=62 time=11.283 ms
84 bytes from 10.200.0.202 icmp_seq=5 ttl=62 time=10.332 ms
PC-1> ping 10.200.0.202
10.200.0.202 icmp_seq=1 timeout
10.200.0.202 icmp_seq=2 timeout
84 bytes from 10.200.0.202 icmp_seq=3 ttl=62 time=5.233 ms
84 bytes from 10.200.0.202 icmp_seq=4 ttl=62 time=7.190 ms
84 bytes from 10.200.0.202 icmp_seq=5 ttl=62 time=8.222 ms
PC-1>
Project name: ccna-vpn-gre-0003-gre-over-ipsec-1-n
enable
configure terminal
!
hostname R1
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 10.100.0.1 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 no shutdown
 exit
!
end
write

enable
configure terminal
!
hostname R2
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ! LAN address: PC gateway 10.200.0.2 and the later OSPF network statement depend on it
 ip address 10.200.0.2 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 ip address 200.0.0.2 255.255.0.0
 no shutdown
 exit
!
end
write

enable
configure terminal
!
hostname R3
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 34.0.0.3 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 no shutdown
 exit
interface GigabitEthernet 0/2
 ip address 35.0.0.3 255.255.255.0
 no shutdown
 exit
!
end
write

enable
configure terminal
!
hostname R4
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 34.0.0.4 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 no shutdown
 exit
interface GigabitEthernet 0/2
 ip address 45.0.0.4 255.255.255.0
 no shutdown
 exit
!
end
write

enable
configure terminal
!
hostname R5
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 35.0.0.5 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 no shutdown
 exit
interface GigabitEthernet 0/2
 ip address 45.0.0.5 255.255.255.0
 no shutdown
 exit
!
end
write

enable
configure terminal
!
hostname R6
no ip domain-lookup
line console 0
 exec-timeout 0 0
 logging synchronous
 exit
!
interface GigabitEthernet 0/0
 ip address 10.6.0.6 255.255.255.0
 no shutdown
 exit
interface GigabitEthernet 0/1
 no shutdown
 exit
!
end
write
ip 10.100.0.101 255.255.255.0 10.100.0.1
save

ip 10.200.0.202 255.255.255.0 10.200.0.2
save

ip 10.6.0.105 255.255.255.0 10.6.0.6
save
! R3
configure terminal
!
router bgp 3
 neighbor 34.0.0.4 remote-as 4
 neighbor 35.0.0.5 remote-as 5
 network 100.0.0.1 mask 255.255.255.255
 exit
!
end

! R4
configure terminal
!
! Local AS is 4: R3 and R5 both peer with this router as remote-as 4
router bgp 4
 neighbor 34.0.0.3 remote-as 3
 neighbor 45.0.0.5 remote-as 5
 network 200.0.0.2 mask 255.255.255.255
 exit
!
end

! R5
configure terminal
!
router bgp 5
 neighbor 35.0.0.3 remote-as 3
 neighbor 45.0.0.4 remote-as 4
 network 106.0.0.6 mask 255.255.255.255
 exit
!
end
! R1 (PPPoE client)
configure terminal
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 exit
!
interface Loopback 1
 ip address 100.0.0.1 255.255.255.255
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end

! R2 (PPPoE client)
configure terminal
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 exit
!
interface Loopback 1
 ip address 200.0.0.2 255.255.255.255
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end

! R3 (PPPoE server)
configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 100.0.0.1
!
interface Loopback1
 ip address 100.1.3.3 255.255.255.0
 exit
!
interface Virtual-Template1
 mtu 1454
 ip unnumbered Loopback1
 peer default ip address pool POOL1
 ppp authentication chap
 exit
!
bba-group pppoe PPPOE-GROUP1
 virtual-template 1
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group PPPOE-GROUP1
 no shut
 exit
!
end

! R4 (PPPoE server)
configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 200.0.0.2
!
interface Loopback1
 ip address 200.2.4.4 255.255.255.0
 exit
!
interface Virtual-Template1
 mtu 1454
 ip unnumbered Loopback1
 peer default ip address pool POOL1
 ppp authentication chap
 exit
!
bba-group pppoe PPPOE-GROUP1
 virtual-template 1
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group PPPOE-GROUP1
 no shut
 exit
!
end

! R5 (PPPoE server)
configure terminal
!
username ccie@isp3.pg1x.net password cc13
!
ip local pool POOL1 106.0.0.6
!
interface Loopback1
 ip address 106.5.6.5 255.255.255.0
 exit
!
interface Virtual-Template1
 mtu 1454
 ip unnumbered Loopback1
 peer default ip address pool POOL1
 ppp authentication chap
 exit
!
bba-group pppoe PPPOE-GROUP1
 virtual-template 1
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group PPPOE-GROUP1
 no shut
 exit
!
end

! R6 (PPPoE client)
configure terminal
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1356
 exit
!
interface Loopback 1
 ip address 106.0.0.6 255.255.255.255
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@isp3.pg1x.net
 ppp chap password cc13
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end
! R1 (hub: GRE over IPsec to R2 and R6)
configure terminal
!
! Configure ISAKMP SA Policy
! Lab-grade settings: "hash sha" is SHA-1 and "group 2" is the 1024-bit MODP group
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption aes
 ! Specify Hashing Algorithm
 hash sha
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH (Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime (default)
 !lifetime 86400
 exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 200.0.0.2
crypto isakmp key pg1xpsk address 106.0.0.6
! Configure IKE Keepalive: DPD (Dead Peer Detection)
crypto isakmp keepalive 30 on-demand
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
 mode transport
 exit
!
! Configure IPsec SA lifetime (default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address A-ipsec1
 exit
crypto map M-ipsec 2 ipsec-isakmp
 set peer 106.0.0.6
 set transform-set IPSEC
 match address A-ipsec2
 exit
!
interface Loopback 1
 ip address 100.0.0.1 255.255.255.255
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1332
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
 exit
!
interface Tunnel 0
 ip address 192.168.12.1 255.255.255.0
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 200.0.0.2
 exit
!
interface Tunnel 1
 ip address 192.168.16.1 255.255.255.0
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 106.0.0.6
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no cdp enable
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
router ospf 1
 network 10.100.0.1 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 0
 network 192.168.16.1 0.0.0.0 area 0
 exit
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec1
 permit gre host 100.0.0.1 host 200.0.0.2
 exit
!
ip access-list extended A-ipsec2
 permit gre host 100.0.0.1 host 106.0.0.6
 exit
!
ip access-list extended A-security
 permit esp host 200.0.0.2 host 100.0.0.1
 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 permit gre host 200.0.0.2 host 100.0.0.1
 permit esp host 106.0.0.6 host 100.0.0.1
 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
 permit gre host 106.0.0.6 host 100.0.0.1
 permit icmp any any
 exit
!
dialer-list 20 protocol ip permit
!
end
! R2 (spoke: GRE over IPsec to R1)
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption aes
 ! Specify Hashing Algorithm
 hash sha
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH (Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime (default)
 !lifetime 86400
 exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD (Dead Peer Detection)
crypto isakmp keepalive 30 on-demand
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
 mode transport
 exit
!
! Configure IPsec SA lifetime (default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address A-ipsec
 exit
!
interface Loopback 1
 ip address 200.0.0.2 255.255.255.255
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1332
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
 exit
!
interface Tunnel 0
 ip address 192.168.12.2 255.255.255.0
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 100.0.0.1
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no cdp enable
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
router ospf 1
 network 10.200.0.2 0.0.0.0 area 0
 network 192.168.12.2 0.0.0.0 area 0
 exit
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit gre host 200.0.0.2 host 100.0.0.1
 exit
!
ip access-list extended A-security
 permit esp host 100.0.0.1 host 200.0.0.2
 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
 permit gre host 100.0.0.1 host 200.0.0.2
 permit icmp any any
 exit
!
dialer-list 20 protocol ip permit
!
end
! R6 (spoke: GRE over IPsec to R1)
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption aes
 ! Specify Hashing Algorithm
 hash sha
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH (Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime (default)
 !lifetime 86400
 exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD (Dead Peer Detection)
crypto isakmp keepalive 30 on-demand
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
 mode transport
 exit
!
! Configure IPsec SA lifetime (default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address A-ipsec
 exit
!
interface Loopback 1
 ip address 106.0.0.6 255.255.255.255
 exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1332
 exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
 exit
!
interface Tunnel 0
 ip address 192.168.16.6 255.255.255.0
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 100.0.0.1
 exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@isp3.pg1x.net
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no cdp enable
 no shutdown
 exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
router ospf 1
 network 10.6.0.6 0.0.0.0 area 0
 network 192.168.16.6 0.0.0.0 area 0
 exit
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit gre host 106.0.0.6 host 100.0.0.1
 exit
!
ip access-list extended A-security
 permit esp host 100.0.0.1 host 106.0.0.6
 permit udp host 100.0.0.1 host 106.0.0.6 eq isakmp
 permit gre host 100.0.0.1 host 106.0.0.6
 permit icmp any any
 exit
!
dialer-list 20 protocol ip permit
!
end
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#crypto isakmp po
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr
R1(config-isakmp)#encryption aes
R1(config-isakmp)#has
R1(config-isakmp)#hash sha
R1(config-isakmp)#hash sha?
sha  sha256  sha384  sha512
R1(config-isakmp)#hash sha
R1(config-isakmp)#encryption aes?
aes
R1(config-isakmp)#encryption aes
R1(config-isakmp)#atuh
R1(config-isakmp)#atuhe
R1(config-isakmp)#authen
R1(config-isakmp)#authentication pre-sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#gro
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#cryp
R1(config)#crypto isak
R1(config)#crypto isakmp key pg1
R1(config)#crypto isakmp key pg1xpsk add
R1(config)#crypto isakmp key pg1xpsk address 200.0.0.2
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#crypto isakmp key pg1xpsk address 106.0.0.6
R1(config)#cry
R1(config)#crypto isakm
R1(config)#crypto isakmp kee
R1(config)#crypto isakmp keepalive 30 on
R1(config)#crypto isakmp keepalive 30 on-demand
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#cry
R1(config)#crypto ipse
R1(config)#crypto ipsec trans
R1(config)#crypto ipsec transform-set IPSEC es
R1(config)#crypto ipsec transform-set IPSEC esp-ae
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sh
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha?
esp-sha-hmac  esp-sha256-hmac  esp-sha384-hmac  esp-sha512-hmac
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-h
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#mod
R1(cfg-crypto-trans)#mode tra
R1(cfg-crypto-trans)#mode transport
R1(cfg-crypto-trans)#exit
R1(config)#cryp
R1(config)#crypto ma
R1(config)#crypto map M-ipsec 1 ipse
R1(config)#crypto map M-ipsec 1 ipsec-isakm
R1(config)#crypto map M-ipsec 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R1(config-crypto-map)#set pee
R1(config-crypto-map)#set peer 200.0.0.2
R1(config-crypto-map)#set tra
R1(config-crypto-map)#set transform-set IPSEC
R1(config-crypto-map)#mat
R1(config-crypto-map)#match add
R1(config-crypto-map)#match address A-ipsec1
R1(config-crypto-map)#exit
R1(config)#cry
R1(config)#crypto ma
R1(config)#crypto map M-ipsec 2 ipsec
R1(config)#crypto map M-ipsec 2 ipsec-isa
R1(config)#crypto map M-ipsec 2 ipsec-?
ipsec-isakmp  ipsec-manual
R1(config)#crypto map M-ipsec 2 ipsec-isak
R1(config)#crypto map M-ipsec 2 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R1(config-crypto-map)#set pee
R1(config-crypto-map)#set peer 106.0.0.6
R1(config-crypto-map)#set tra
R1(config-crypto-map)#set transform-set IPSEC
R1(config-crypto-map)#mat
R1(config-crypto-map)#match add
R1(config-crypto-map)#match address A-ipsec2
R1(config-crypto-map)#exit
R1(config)#int
R1(config)#interface Loo
R1(config)#interface Loopback 1
R1(config-if)#
*Apr 21 02:23:38.914: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#100.0.0.1 255.255.255.255
              ^
% Invalid input detected at '^' marker.
R1(config-if)#ip address 100.0.0.1 255.255.255.255
R1(config-if)#int gig0/0
R1(config-if)#ip tcp
R1(config-if)#ip tcp ad
R1(config-if)#ip tcp adjust-mss 1332
R1(config-if)#int gig0/1
R1(config-if)#no ip address
R1(config-if)#pppoe en
R1(config-if)#pppoe enable grou
R1(config-if)#pppoe enable group glo
R1(config-if)#pppoe enable group global
R1(config-if)#
*Apr 21 02:26:56.038: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R1(config-if)#
*Apr 21 02:26:56.043: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R1(config-if)#pppoe-clie
R1(config-if)#pppoe-client dia
R1(config-if)#pppoe-client dial-pool-number 1
R1(config-if)#no cdp en
R1(config-if)#no cdp enable
R1(config-if)#int tun0
R1(config-if)#ip
*Apr 21 06:53:54.706: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#ip mt
R1(config-if)#ip mtu 1372 tun
R1(config-if)#ip mtu 1372 tunn
R1(config-if)#ip mtu 1372
R1(config-if)#tunn
R1(config-if)#tunnel sou
R1(config-if)#tunnel source di
R1(config-if)#tunnel source dialer 1
R1(config-if)#tunn
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200.0.0.2
R1(config-if)#int tun1
R1(config-if)#ip
*Apr 21 06:56:07.425: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to downa
R1(config-if)#ip address 192.168.16.1 255.255.255.0
R1(config-if)#ip mt
R1(config-if)#ip mtu 1372
R1(config-if)#tun
R1(config-if)#tunnel sou
R1(config-if)#tunnel source Di
R1(config-if)#tunnel source Dialer 1
R1(config-if)#tunn
R1(config-if)#tunnel desti
R1(config-if)#tunnel destination 106.0.0.6
R1(config-if)#int dia1
R1(config-if)#ip unnu
R1(config-if)#ip unnumbered Lo1
R1(config-if)#ip mt
R1(config-if)#ip mtu 1454
R1(config-if)#enca
R1(config-if)#encapsulation ppp]
                               ^
% Invalid input detected at '^' marker.
R1(config-if)#encapsulation ppp
R1(config-if)#dial
R1(config-if)#dialer poo
R1(config-if)#dialer pool 10
R1(config-if)#dial
R1(config-if)#dialer-gr
R1(config-if)#dialer-group 20
R1(config-if)#ppp auth
R1(config-if)#ppp authe
R1(config-if)#ppp authentication chap call
R1(config-if)#ppp authentication chap calli
R1(config-if)#ppp authentication chap callin
R1(config-if)#ppp chap hostname ccie@example.com
R1(config-if)#ppp chap password cc13
R1(config-if)#crypto
R1(config-if)#crypto ma
R1(config-if)#crypto map M-ipsec
R1(config-if)#
*Apr 21 06:58:25.154: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#ip acce
R1(config-if)#ip access-group A-security in
R1(config-if)#no cdp
R1(config-if)#no cdp en
R1(config-if)#no cdp enable
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 Di
R1(config)#ip route 0.0.0.0 0.0.0.0 Dialer 1
R1(config)#router
*Apr 21 06:59:06.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R1(config)#router ospf 1
*Apr 21 06:59:13.722: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config)#router ospf 1
R1(config-router)#netwo
R1(config-router)#network 10.100.0.1 0.0.0.0 area 0
R1(config-router)#netwo
R1(config-router)#network 192.168.12.1 0.0.0.0 area 0
R1(config-router)#netwo
R1(config-router)#network 192.168.16.1 0.0.0.0 area 0
R1(config-router)#exit
R1(config)#int gig0/1
R1(config-if)#pppoe-cli
R1(config-if)#pppoe-client dial
R1(config-if)#pppoe-client dial-pool-number 10
R1(config-if)#do sh ru
*Apr 21 07:01:36.902: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 07:01:36.906: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
R1(config-if)#do sh run
*Apr 21 07:01:40.329: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R1(config-if)#do sh run int gi0/1
Building configuration...

Current configuration : 202 bytes
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
 pppoe enable group global
 pppoe-client dial-pool-number 10
 pppoe-client dial-pool-number 1
 no cdp enable
end

R1(config-if)#no pppoe-client dial-pool-number 1
R1(config-if)#do sh run int gi0/1
Building configuration...

Current configuration : 169 bytes
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
end

R1(config-if)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-ipsec1
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit gre hos
R1(config-ext-nacl)#permit gre host 100.0.0.1 hos
R1(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R1(config-ext-nacl)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-ipsec2
R1(config-ext-nacl)#permit gre host 100.0.0.1 host 106.0.0.6
R1(config-ext-nacl)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-security
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit es
R1(config-ext-nacl)#permit esp host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit udp hos
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isak
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit es
R1(config-ext-nacl)#permit gr
R1(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#permit esp host 106.0.0.6 host 100.0.0.1
R1(config-ext-nacl)#permit udp hsot 106.0.0.6 host 100.0.0.1 eq isakm
R1(config-ext-nacl)#permit udp hsot 106.0.0.6 host 100.0.0.1 eq isakmp
R1(config-ext-nacl)#permit udp host 106.0.0.6 host 100.0.0.1 eq isa
R1(config-ext-nacl)#permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
R1(config-ext-nacl)#permit gre host 106.0.0.6 host 100.0.0.1
R1(config-ext-nacl)#permit icmp any any
R1(config-ext-nacl)#exit
R1(config)#do sh ip access-lists
Extended IP access list A-ipsec1
    10 permit gre host 100.0.0.1 host 200.0.0.2 (22 matches)
Extended IP access list A-ipsec2
    10 permit gre host 100.0.0.1 host 106.0.0.6 (18 matches)
Extended IP access list A-security
    10 permit esp host 200.0.0.2 host 100.0.0.1
    20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
    30 permit gre host 200.0.0.2 host 100.0.0.1
    40 permit esp host 106.0.0.6 host 100.0.0.1
    50 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
    60 permit gre host 106.0.0.6 host 100.0.0.1
    70 permit icmp any any (2 matches)
R1(config)#do sh ip access-lists
Extended IP access list A-ipsec1
    10 permit gre host 100.0.0.1 host 200.0.0.2 (23 matches)
Extended IP access list A-ipsec2
    10 permit gre host 100.0.0.1 host 106.0.0.6 (20 matches)
Extended IP access list A-security
    10 permit esp host 200.0.0.2 host 100.0.0.1
    20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
    30 permit gre host 200.0.0.2 host 100.0.0.1
    40 permit esp host 106.0.0.6 host 100.0.0.1
    50 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
    60 permit gre host 106.0.0.6 host 100.0.0.1
    70 permit icmp any any (4 matches)
R1(config)#diea
R1(config)#diale
R1(config)#dialer-li
R1(config)#dialer-list 20 pro
R1(config)#dialer-list 20 protocol ip per
R1(config)#dialer-list 20 protocol ip permit
R1(config)#^Z
R1#pign
*Apr 21 07:06:47.551: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 100.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/8 ms
R1#
*Apr 21 08:27:32.430: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
R1#
*Apr 21 08:51:45.863: %OSPF-5-ADJCHG: Process 1, Nbr 106.0.0.6 on Tunnel1 from LOADING to FULL, Loading Done
R1#sh ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.6.0.0/24 [110/1001] via 192.168.16.6, 00:05:58, Tunnel1
O        10.200.0.0/24 [110/1001] via 192.168.12.2, 00:30:11, Tunnel0
R1#sh ip ospf neigh
R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
106.0.0.6         0   FULL/  -        00:00:34    192.168.16.6    Tunnel1
200.0.0.2         0   FULL/  -        00:00:36    192.168.12.2    Tunnel0
R1#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.6.0.0/24 [110/1001] via 192.168.16.6, 00:06:15, Tunnel1
C        10.100.0.0/24 is directly connected, GigabitEthernet0/0
L        10.100.0.1/32 is directly connected, GigabitEthernet0/0
O        10.200.0.0/24 [110/1001] via 192.168.12.2, 00:30:28, Tunnel0
      100.0.0.0/32 is subnetted, 2 subnets
C        100.0.0.1 is directly connected, Loopback1
C        100.1.3.3 is directly connected, Dialer1
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, Tunnel0
L        192.168.12.1/32 is directly connected, Tunnel0
      192.168.16.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.16.0/24 is directly connected, Tunnel1
L        192.168.16.1/32 is directly connected, Tunnel1
R1#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#cryp
R2(config)#crypto isakm
R2(config)#crypto isakmp poli
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encr
R2(config-isakmp)#encryption aes
R2(config-isakmp)#encryption aes
R2(config-isakmp)#has
R2(config-isakmp)#hash sha
R2(config-isakmp)#auth
R2(config-isakmp)#authentication pre
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#gro
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#cry
R2(config)#crypto isakm
R2(config)#crypto isakmp key pg1xpsk address 100.0.0.1
R2(config)#cryp
R2(config)#crypto isak
R2(config)#crypto isakmp kee
R2(config)#crypto isakmp keepalive 30 on-de
R2(config)#crypto isakmp keepalive 30 on-demand
R2(config)#cry
R2(config)#crypto ipsec tran
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sh
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hp
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hm
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
R2(cfg-crypto-trans)#mod
R2(cfg-crypto-trans)#mode tra
R2(cfg-crypto-trans)#mode transport
R2(cfg-crypto-trans)#exit
R2(config)#cryp
R2(config)#crypto ma
R2(config)#crypto map M-ipsec 1 ipsec
R2(config)#crypto map M-ipsec 1 ipsec-isakm
R2(config)#crypto map M-ipsec 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R2(config-crypto-map)#set pee
R2(config-crypto-map)#set peer 100.0.0.1
R2(config-crypto-map)#set tran
R2(config-crypto-map)#set transform-set IPSEC
R2(config-crypto-map)#mat
R2(config-crypto-map)#match add
R2(config-crypto-map)#match address A-ipsec
R2(config-crypto-map)#exit
R2(config)#int lo1
R2(config-if)#ip ad
*Apr 21 07:09:56.490: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R2(config-if)#ip address 200.0.0.2 255.255.255.255
R2(config-if)#int gig0/0
R2(config-if)#ip tcp adj
R2(config-if)#ip tcp adjust-mss 1332
R2(config-if)#int gig0/1
R2(config-if)#no ip address
R2(config-if)#pppoe
R2(config-if)#pppoe enabl
R2(config-if)#pppoe enable gro
R2(config-if)#pppoe enable group glo
R2(config-if)#pppoe enable group global
R2(config-if)#
*Apr 21 07:10:45.180: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2(config-if)#p
*Apr 21 07:10:45.184: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to upp
R2(config-if)#pppoe-cli
R2(config-if)#pppoe-client dial
R2(config-if)#pppoe-client dial-pool-number 10
R2(config-if)#no cdp
R2(config-if)#no cdp en
R2(config-if)#no cdp enable
R2(config-if)#int tunn0
R2(config-if)#
*Apr 21 07:11:01.908: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config-if)#ip add
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#ip mt
R2(config-if)#ip mtu 1372
R2(config-if)#tunn
R2(config-if)#tunnel sou
R2(config-if)#tunnel source Di
R2(config-if)#tunnel source Dialer 1
R2(config-if)#tunn
R2(config-if)#tunnel desi
R2(config-if)#tunnel desti
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#int dia1
R2(config-if)#ip unnu
R2(config-if)#ip unnumbered Lo1
R2(config-if)#ip mt
R2(config-if)#ip mtu 1454
R2(config-if)#enca
R2(config-if)#encapsulation ppp dia
R2(config-if)#encapsulation ppp
R2(config-if)#dia
R2(config-if)#dialer poo
R2(config-if)#dialer pool ?
  <1-255>  Dialer pool number
R2(config-if)#dialer pool 10
R2(config-if)#diale
R2(config-if)#dialer
*Apr 21 08:24:59.932: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:24:59.937: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:25:01.832: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#dialer-g
*Apr 21 08:25:01.849: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#dialer-gr
R2(config-if)#dialer-group 20
R2(config-if)#ppp auth
R2(config-if)#ppp auth
R2(config-if)#ppp authe
R2(config-if)#ppp auth?
authentication  authorization
R2(config-if)#ppp authe
R2(config-if)#ppp authentication
*Apr 21 08:25:24.154: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:25:24.156: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:25:24.266: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#ppp authentication
*Apr 21 08:25:24.282: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp authentication chap
R2(config-if)#ppp authentication chap call
R2(config-if)#ppp authentication chap calli
R2(config-if)#ppp authentication chap callin
R2(config-if)#ppp cha
R2(config-if)#ppp chap hos
R2(config-if)#ppp chap hostname ccie@example.com
R2(config-if)#ppp chap password
*Apr 21 08:25:46.486: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:25:46.490: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:25:46.586: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#ppp chap password cc1
*Apr 21 08:25:46.601: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp chap password cc13
R2(config-if)#cry
R2(config-if)#crypto ma
R2(config-if)#crypto map M-ipsec
R2(config-if)#
*Apr 21 08:26:04.464: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#ip acce
R2(config-if)#ip access-group A-
*Apr 21 08:26:08.819: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
R2(config-if)#ip access-group A-secur
*Apr 21 08:26:08.824: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to upity in
R2(config-if)#ip access-group A-security in
*Apr 21 08:26:10.668: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R2(config-if)#ip access-group A-security in
R2(config-if)#no cdp en
R2(config-if)#no cdp enable
R2(config-if)#no shut
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 Dia
R2(config)#ip route 0.0.0.0 0.0.0.0 Dialer 1
R2(config)#router ospf 1
R2(config-router)#netwo
R2(config-router)#network 10.
*Apr 21 08:26:41.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-router)#network 10.200.0.2 0.0.0.0 area 0
R2(config-router)#netwo
R2(config-router)#network 192.168.12.2 0.0.0.0 area 0
R2(config-router)#exit
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-ipsec
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit gre host 200.0.0.2 hos
R2(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R2(config-ext-nacl)#exit
R2(config)#ip
*Apr 21 08:28:05.450: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
R2(config)#ip acc
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-security
R2(config-ext-nacl)#permit esp host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakm
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit gre hos
R2(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permit icmp any any
R2(config-ext-nacl)#exit
R2(config)#dialer
R2(config)#dialer-li
R2(config)#dialer-list 20 pro
R2(config)#dialer-list 20 protocol ip
R2(config)#dialer-list 20 protocol ip per
R2(config)#dialer-list 20 protocol ip permit
R2(config)#^Z
R2#
*Apr 21 08:29:29.695: %SYS-5-CONFIG_I: Configured from console by console
R2#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
100.0.0.1         0   FULL/  -        00:00:37    192.168.12.1    Tunnel0
R2#sh ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O        10.100.0.0/24 [110/1001] via 192.168.12.1, 00:02:14, Tunnel0
O     192.168.16.0/24 [110/2000] via 192.168.12.1, 00:02:14, Tunnel0
R2#ping 192.168.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/20 ms
R2#ping 192.168.16.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.16.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/24/32 ms
R2#
R6#conf t Enter configuration commands, one per line. End with CNTL/Z. R6(config)#cry R6(config)#crypto isakm R6(config)#crypto isakmp poli R6(config)#crypto isakmp policy 1 R6(config-isakmp)#ecn R6(config-isakmp)#encr R6(config-isakmp)#encryption aes R6(config-isakmp)#encryption aes R6(config-isakmp)#has R6(config-isakmp)#hash sh R6(config-isakmp)#hash sha R6(config-isakmp)#auh R6(config-isakmp)#auth R6(config-isakmp)#authentication pre R6(config-isakmp)#authentication pre-share R6(config-isakmp)#gr R6(config-isakmp)#group 2 R6(config-isakmp)#exit R6(config)#cry R6(config)#crypto isak R6(config)#crypto isakmp key pg1xpsk address 100.0.0.1 R6(config)#cry R6(config)#crypto isakm R6(config)#crypto isakmp kee R6(config)#crypto isakmp keepalive 30 on-de R6(config)#crypto isakmp keepalive 30 on-demand R6(config)#cry R6(config)#crypto ipsec trans R6(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-h R6(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac R6(cfg-crypto-trans)#mod R6(cfg-crypto-trans)#mode tra R6(cfg-crypto-trans)#mode transport R6(cfg-crypto-trans)#exit R6(config)#cryp R6(config)#crypto ma R6(config)#crypto map M-ipsec 1 ipsec-isakm R6(config)#crypto map M-ipsec 1 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. 
R6(config-crypto-map)#set pee R6(config-crypto-map)#set peer 100.0.0.1 R6(config-crypto-map)#set tra R6(config-crypto-map)#set transform-set IPSEC R6(config-crypto-map)#mat R6(config-crypto-map)#match add R6(config-crypto-map)#match address A-ipsec R6(config-crypto-map)#exit R6(config)#int lo1 R6(config-if)#ip a *Apr 21 08:42:20.177: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up R6(config-if)#ip addre R6(config-if)#ip address 106.0.0.6 255.255.255.255 R6(config-if)#inter R6(config-if)#int gig0/0 R6(config-if)#ip tc R6(config-if)#ip tcp ad R6(config-if)#ip tcp adjust-mss 1332 R6(config-if)#int gig0/1 R6(config-if)#no ip add R6(config-if)#no ip address R6(config-if)#pppoe R6(config-if)#pppoe ena R6(config-if)#pppoe enable grou R6(config-if)#pppoe enable group globa R6(config-if)#pppoe enable group global R6(config-if)#ppp *Apr 21 08:44:04.968: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up R6(config-if)#pppoe R6(config-if)#pppoe *Apr 21 08:44:04.975: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up R6(config-if)#pppoe-cli R6(config-if)#pppoe-client dial R6(config-if)#pppoe-client dial-pool-number 10 R6(config-if)#no cdp ena R6(config-if)#no cdp enable R6(config-if)#exit R6(config)#inter tunn R6(config)#inter tunnel 0 R6(config-if)# *Apr 21 08:44:25.068: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down R6(config-if)#ip address 192.168.16.6 255.255.255.0 R6(config-if)#ip mt R6(config-if)#ip mtu 1372 R6(config-if)#tunne R6(config-if)#tunnel so R6(config-if)#tunnel source Dia R6(config-if)#tunnel source Dialer 1 R6(config-if)#tunne R6(config-if)#tunnel desti R6(config-if)#tunnel destination 100.0.0.1 R6(config-if)#exit R6(config)#int Dia R6(config)#int Dialer 1 R6(config-if)#ip unnu R6(config-if)#ip unnumbered Lo1 R6(config-if)#ip mt R6(config-if)#ip mtu 1454 R6(config-if)#enca R6(config-if)#encapsulation ppp R6(config-if)#dial R6(config-if)#dialer poo 
R6(config-if)#dialer pool 10 R6(config-if)#dial R6(config-if)#dialer-gr R6(config-if)#dialer-group *Apr 21 08:46:20.268: %DIALER-6-BIND: Interface Vi2 bound to profile Di1 *Apr 21 08:46:20.275: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up *Apr 21 08:46:22.144: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1 R6(config-if)#dialer-group 2 *Apr 21 08:46:22.160: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down R6(config-if)#dialer-group 20 R6(config-if)#ppp authe R6(config-if)#ppp authentication chap call R6(config-if)#ppp authentication chap calli R6(config-if)#ppp authentication chap call? WORD callback callin callout R6(config-if)#ppp authentication chap calli R6(config-if)#ppp authentication chap callin R6(config-if)#ppp chap hostname ccie@example.com *Apr 21 08:46:44.462: %DIALER-6-BIND: Interface Vi2 bound to profile Di1 *Apr 21 08:46:44.467: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up *Apr 21 08:46:44.576: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1 R6(config-if)#ppp chap hostname ccie@example.com *Apr 21 08:46:44.593: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down R6(config-if)#ppp chap hostname ccie@example.com *Apr 21 08:47:06.798: %DIALER-6-BIND: Interface Vi2 bound to profile Di1 *Apr 21 08:47:06.801: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up *Apr 21 08:47:06.895: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1 R6(config-if)#ppp chap hostname ccie@example.com *Apr 21 08:47:06.911: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down R6(config-if)#ppp chap hostname ccie@isp3.pg1x.net R6(config-if)#ppp chap pass R6(config-if)#ppp chap password cc *Apr 21 08:47:29.116: %DIALER-6-BIND: Interface Vi2 bound to profile Di1 *Apr 21 08:47:29.120: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up *Apr 21 08:47:29.223: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1 R6(config-if)#ppp chap password cc13 *Apr 21 
08:47:29.250: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down R6(config-if)#ppp chap password cc13 R6(config-if)# *Apr 21 08:47:51.476: %DIALER-6-BIND: Interface Vi2 bound to profile Di1 R6(config-if)# *Apr 21 08:47:51.480: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up R6(config-if)# *Apr 21 08:47:53.274: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up R6(config-if)#cry R6(config-if)#crypto ma R6(config-if)#crypto map M-ipsec R6(config-if)# *Apr 21 08:48:26.573: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON R6(config-if)#ip access R6(config-if)#ip access-group A-security in R6(config-if)#no cdp en R6(config-if)#no cdp enable R6(config-if)#no shut R6(config-if)#no shutdown R6(config-if)#exit R6(config)#ip route 0.0.0.0 0.0.0.0 Dia R6(config)#ip route 0.0.0.0 0.0.0.0 Dialer 1 R6(config)#router os *Apr 21 08:49:14.081: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up R6(config)#router ospf 1 R6(config-router)#netwo R6(config-router)#network 10.6.0.6 0.0.0.0 area 0 R6(config-router)#netwo R6(config-router)#network 192.168.16.6 0.0.0.0 area R6(config-router)#network 192.168.16.6 0.0.0.0 area 0 R6(config-router)#exit R6(config)#ip acce R6(config)#ip access-list exte R6(config)#ip access-list extended A-ipsec R6(config-ext-nacl)#per R6(config-ext-nacl)#permit gre hos R6(config-ext-nacl)#permit gre host 106.0.0.6 hos R6(config-ext-nacl)#permit gre host 106.0.0.6 host 100.0.0.1 R6(config-ext-nacl)#exit R6(config)#ip *Apr 21 08:52:11.958: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done R6(config)#ip acce R6(config)#ip access-list exte R6(config)#ip access-list extended A-security R6(config-ext-nacl)#permi R6(config-ext-nacl)#permit esp hos R6(config-ext-nacl)#permit esp host 100.0.0.1 hsot 106.0.0.6 ^ % Invalid input detected at '^' marker. R6(config-ext-nacl)#permit esp host 100.0.0.1 hoot 106.0.0.6 ^ % Invalid input detected at '^' marker. 
R6(config-ext-nacl)#permit esp host 100.0.0.1 host 106.0.0.6 R6(config-ext-nacl)#permi R6(config-ext-nacl)#permit gre host 100.0.0.1 host 106.0.0.6 R6(config-ext-nacl)#permit icm R6(config-ext-nacl)#permit icmp an R6(config-ext-nacl)#permit icmp any an R6(config-ext-nacl)#permit icmp any any R6(config-ext-nacl)#exit R6(config)#dialer R6(config)#dialer-lis R6(config)#dialer-list 20 proto R6(config)#dialer-list 20 protocol ip permi R6(config)#dialer-list 20 protocol ip permit R6(config)#^Z R6# *Apr 21 08:54:15.610: %SYS-5-CONFIG_I: Configured from console by console R6#ping 100.0.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/11 ms R6#ping 200.0.0.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/11 ms R6#sh ip ospf neigh Neighbor ID Pri State Dead Time Address Interface 100.0.0.1 0 FULL/ - 00:00:37 192.168.16.1 Tunnel0 R6#sh ip ro Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is 0.0.0.0 to network 0.0.0.0 S* 0.0.0.0/0 is directly connected, Dialer1 10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks C 10.6.0.0/24 is directly connected, GigabitEthernet0/0 L 10.6.0.6/32 is directly connected, GigabitEthernet0/0 O 10.100.0.0/24 [110/1001] via 192.168.16.1, 00:02:54, Tunnel0 O 10.200.0.0/24 [110/2001] via 
192.168.16.1, 00:02:54, Tunnel0 106.0.0.0/32 is subnetted, 2 subnets C 106.0.0.6 is directly connected, Loopback1 C 106.5.6.5 is directly connected, Dialer1 O 192.168.12.0/24 [110/2000] via 192.168.16.1, 00:02:54, Tunnel0 192.168.16.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.16.0/24 is directly connected, Tunnel0 L 192.168.16.6/32 is directly connected, Tunnel0 R6#
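An added example, not part of the original lab notes: a Python check of the inbound `A-security` ACLs entered on R2 and R6 above, testing whether the traffic the hub 100.0.0.1 sends for GRE over IPsec (IKE on UDP 500, ESP, GRE) is permitted. The ACL text is copied from the sessions; the function names and the list of required flows are assumptions of this example, and only `eq` port qualifiers are parsed.

```python
import ipaddress

# ACL entries as finally accepted in the R2 and R6 sessions above
# (tab-completion fragments and rejected lines left out).
R2_A_SECURITY = """\
permit esp host 100.0.0.1 host 200.0.0.2
permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
permit gre host 100.0.0.1 host 200.0.0.2
permit icmp any any
"""
R6_A_SECURITY = """\
permit esp host 100.0.0.1 host 106.0.0.6
permit gre host 100.0.0.1 host 106.0.0.6
permit icmp any any
"""

PORT_NAMES = {"isakmp": 500}


def _addr(tokens):
    """Consume 'any', 'host A' or 'A wildcard'; None means any address."""
    first = tokens.pop(0)
    if first == "any":
        return None
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None


def parse_acl(text):
    """Turn extended-ACL lines into dicts, keeping their order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        ace = {"action": tokens.pop(0), "proto": tokens.pop(0)}
        ace["src"], ace["sport"] = _addr(tokens), _port(tokens)
        ace["dst"], ace["dport"] = _addr(tokens), _port(tokens)
        if tokens:
            raise ValueError(f"unsupported ACL syntax: {line!r}")
        aces.append(ace)
    return aces


def _hit(spec, ip):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    if spec is None:
        return True
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (base | wildcard)


def decide(aces, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; no match is the implicit deny."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_hit(ace["src"], src) and _hit(ace["dst"], dst)):
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"]
    return "deny"


# Flows the hub sends to a spoke in this design. GRE is included because both
# ACLs on the page permit it (assumption: the decrypted packet is re-checked).
REQUIRED = {"IKE udp/500": ("udp", 500, 500), "ESP": ("esp", None, None),
            "GRE": ("gre", None, None)}


def missing_flows(acl_text, hub, spoke):
    """Names of required hub-to-spoke flows the ACL does not permit."""
    aces = parse_acl(acl_text)
    return [name for name, (proto, sport, dport) in REQUIRED.items()
            if decide(aces, proto, hub, spoke, sport, dport) != "permit"]


if __name__ == "__main__":
    print("R2:", missing_flows(R2_A_SECURITY, "100.0.0.1", "200.0.0.2"))
    print("R6:", missing_flows(R6_A_SECURITY, "100.0.0.1", "106.0.0.6"))
```

With the entries as typed, R2's list permits all three flows, while R6's list has no UDP 500 entry, so IKE packets from 100.0.0.1 fall through to the implicit deny once that ACL is in effect on Dialer 1.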
PC-2> ping 10.100.0.101 84 bytes from 10.100.0.101 icmp_seq=1 ttl=62 time=27.656 ms 84 bytes from 10.100.0.101 icmp_seq=2 ttl=62 time=11.363 ms 84 bytes from 10.100.0.101 icmp_seq=3 ttl=62 time=13.107 ms 84 bytes from 10.100.0.101 icmp_seq=4 ttl=62 time=12.313 ms 84 bytes from 10.100.0.101 icmp_seq=5 ttl=62 time=11.717 ms PC-2> ping 192.168.16.6 84 bytes from 192.168.16.6 icmp_seq=1 ttl=253 time=20.835 ms 84 bytes from 192.168.16.6 icmp_seq=2 ttl=253 time=19.752 ms 84 bytes from 192.168.16.6 icmp_seq=3 ttl=253 time=21.734 ms 84 bytes from 192.168.16.6 icmp_seq=4 ttl=253 time=24.609 ms 84 bytes from 192.168.16.6 icmp_seq=5 ttl=253 time=22.443 ms PC-2> ping 10.6.0.105 84 bytes from 10.6.0.105 icmp_seq=1 ttl=61 time=37.842 ms 84 bytes from 10.6.0.105 icmp_seq=2 ttl=61 time=19.384 ms 84 bytes from 10.6.0.105 icmp_seq=3 ttl=61 time=19.323 ms 84 bytes from 10.6.0.105 icmp_seq=4 ttl=61 time=19.056 ms 84 bytes from 10.6.0.105 icmp_seq=5 ttl=61 time=19.007 ms PC-2>
R1#sh ip int brief Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 10.100.0.1 YES NVRAM up up GigabitEthernet0/1 unassigned YES NVRAM up up GigabitEthernet0/2 unassigned YES NVRAM administratively down down GigabitEthernet0/3 unassigned YES NVRAM administratively down down Dialer1 100.0.0.1 YES TFTP up up Loopback1 100.0.0.1 YES manual up up Tunnel0 192.168.12.1 YES manual up up Tunnel1 192.168.16.1 YES manual up up Virtual-Access1 unassigned YES unset up up Virtual-Access2 unassigned YES unset up up R1#show ip ospf neighbo R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 106.0.0.6 0 FULL/ - 00:00:34 192.168.16.6 Tunnel1 200.0.0.2 0 FULL/ - 00:00:34 192.168.12.2 Tunnel0 R1#show cryp R1#show crypto isakm R1#show crypto ipsec sa interface: Dialer1 Crypto map tag: M-ipsec, local addr 100.0.0.1 protected vrf: (none) local ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (106.0.0.6/255.255.255.255/47/0) current_peer 106.0.0.6 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96 #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 100.0.0.1, remote crypto endpt.: 106.0.0.6 plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1 current outbound spi: 0x4566DF3D(1164369725) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x28335F48(674455368) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: M-ipsec sa timing: remaining key lifetime (k/sec): (4349249/2911) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x4566DF3D(1164369725) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: M-ipsec sa timing: remaining key lifetime (k/sec): (4349249/2911) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (200.0.0.2/255.255.255.255/47/0) current_peer 200.0.0.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262 #pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2 plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1 current outbound spi: 0x8A138AFC(2316536572) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x59DDE95E(1507715422) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: M-ipsec sa timing: remaining key lifetime (k/sec): (4375654/1464) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x8A138AFC(2316536572) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: M-ipsec sa timing: remaining key lifetime (k/sec): (4375654/1464) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: R1#show crypto ipsec sa interface: Dialer1 Crypto map tag: M-ipsec, local addr 100.0.0.1 protected vrf: (none) local ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (106.0.0.6/255.255.255.255/47/0) current_peer 106.0.0.6 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104 #pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 100.0.0.1, remote crypto endpt.: 106.0.0.6 plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1 current outbound spi: 0x4566DF3D(1164369725) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x28335F48(674455368) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: M-ipsec sa timing: remaining key lifetime (k/sec): (4349248/2828) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x4566DF3D(1164369725) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: M-ipsec sa timing: remaining key lifetime (k/sec): (4349248/2828) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: protected vrf: (none) local ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (200.0.0.2/255.255.255.255/47/0) current_peer 200.0.0.2 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 271, #pkts encrypt: 271, #pkts digest: 271 #pkts decaps: 273, #pkts decrypt: 273, #pkts verify: 273 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. 
failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2 plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1 current outbound spi: 0x8A138AFC(2316536572) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x59DDE95E(1507715422) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: M-ipsec sa timing: remaining key lifetime (k/sec): (4375652/1381) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x8A138AFC(2316536572) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: M-ipsec sa timing: remaining key lifetime (k/sec): (4375653/1381) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: R1#
Run a long ping from R2 and capture packets while it runs.
R2#ping 10.6.0.105 repeat 100000 Type escape sequence to abort. Sending 100000, 100-byte ICMP Echos to 10.6.0.105, timeout is 2 seconds: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!. Success rate is 99 percent (1347/1348), round-trip min/avg/max = 9/26/90 ms R2#