Cisco: GRE over IPsec

Topology: 1:1 GRE over IPsec

IP

Project name: ccna-vpn-gre-0002-gre-over-ipsec-1

  • R1
enable
configure terminal
!
hostname R1
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 10.100.0.1 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • R2
enable
configure terminal
!
hostname R2
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 10.200.0.2 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • R3
enable
configure terminal
!
hostname R3
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 34.0.0.3 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • R4
enable
configure terminal
!
hostname R4
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 34.0.0.4 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • PC-1
ip 10.100.0.101 255.255.255.0 10.100.0.1
save
  • PC-2
ip 10.200.0.202 255.255.255.0 10.200.0.2
save

Configure Basic Routing Protocol (BGP, Static Routing)

  • R3
configure terminal
!
router bgp 3
neighbor 34.0.0.4 remote-as 4
network 100.0.0.1 mask 255.255.255.255
exit
!
end
  • R4
configure terminal
!
router bgp 4
neighbor 34.0.0.3 remote-as 3
network 200.0.0.2 mask 255.255.255.255
exit
!
end

Configure PPPoE Server, Client

  • R1
configure terminal
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group global
pppoe-client dial-pool-number 10
exit
!
interface GigabitEthernet 0/0
ip tcp adjust-mss 1356
exit
!
interface Loopback 1
ip address 100.0.0.1 255.255.255.0
exit
!
interface Dialer 1
ip unnumbered Loopback 1
ip mtu 1454
encapsulation ppp
dialer pool 10
dialer-group 20
ppp authentication chap callin
ppp chap hostname ccie@example.com
ppp chap password cc13
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end
  • R2
configure terminal
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group global
pppoe-client dial-pool-number 10
exit
!
interface GigabitEthernet 0/0
ip tcp adjust-mss 1356
exit
!
interface Loopback 1
ip address 200.0.0.2 255.255.255.0
exit
!
interface Dialer 1
ip unnumbered Loopback 1
ip mtu 1454
encapsulation ppp
dialer pool 10
dialer-group 20
ppp authentication chap callin
ppp chap hostname ccie@example.com
ppp chap password cc13
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end
  • R3
configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 100.0.0.1
!
interface Loopback1
ip address 100.1.3.3 255.255.255.0
exit
!
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
ppp authentication chap
exit
!
bba-group pppoe PPPOE-GROUP1
virtual-template 1
exit
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group PPPOE-GROUP1
no shut
exit
!
end
  • R4
configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 200.0.0.2
!
interface Loopback1
ip address 200.2.4.4 255.255.255.0
exit
!
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
ppp authentication chap
exit
!
bba-group pppoe PPPOE-GROUP1
virtual-template 1
exit
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group PPPOE-GROUP1
no shut
exit
!
end
R1#ping 200.0.0.2 source 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 100.0.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/10 ms

Configure GRE over IPsec/PPPoE

  • R1
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime(Default)
 !lifetime 86400
exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 200.0.0.2
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 on-demand
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address A-ipsec
exit
!
interface Loopback 1
 ip address 100.0.0.1 255.255.255.255
exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1332
exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
exit
!
interface Tunnel 0
 ip address 192.168.12.1 255.255.255.252
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 200.0.0.2
exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no cdp enable
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
router ospf 1
 network 10.100.0.1 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 0
exit
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit gre host 100.0.0.1 host 200.0.0.2
exit
!
ip access-list extended A-security
 permit esp host 200.0.0.2 host 100.0.0.1
 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 permit icmp any any
 permit gre host 200.0.0.2 host 100.0.0.1
exit
!
dialer-list 20 protocol ip permit
!
end
  • R2
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption 3des
 ! Specify Hashing Algorithm
 hash md5
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! Specify ISAKMP SA lifetime(Default)
 !lifetime 86400
exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 on-demand
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address A-ipsec
exit
!
interface Loopback 1
 ip address 200.0.0.2 255.255.255.255
exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1332
exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
exit
!
interface Tunnel 0
 ip address 192.168.12.2 255.255.255.252
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 100.0.0.1
exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no cdp enable
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
router ospf 1
 network 10.200.0.2 0.0.0.0 area 0
 network 192.168.12.2 0.0.0.0 area 0
exit
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit gre host 200.0.0.2 host 100.0.0.1
exit
!
ip access-list extended A-security
 permit esp host 100.0.0.1 host 200.0.0.2
 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
 permit icmp any any
 permit gre host 100.0.0.1 host 200.0.0.2
exit
!
dialer-list 20 protocol ip permit
!
end
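
An added example (not part of the original page and not Cisco tooling): a small Python audit over the crypto-relevant lines of the R1 configuration above. It flags the legacy IKE/IPsec parameters this lab uses (3DES, MD5, DH group 2, a pre-shared key not stored as type 6) and checks that the crypto ACL, tunnel destination and inbound ACL all name the same peer, because GRE that falls outside the crypto ACL leaves the Dialer interface unencrypted. The finding names and the embedded sample are constructed for illustration, and the parser assumes indented input as printed by `show running-config`.

```python
import re

# Constructed sample: the crypto-relevant lines of the R1 configuration above.
R1_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key pg1xpsk address 200.0.0.2
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
 mode transport
crypto map M-ipsec 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address A-ipsec
interface Tunnel 0
 tunnel source Dialer 1
 tunnel destination 200.0.0.2
interface Dialer 1
 crypto map M-ipsec
 ip access-group A-security in
ip access-list extended A-ipsec
 permit gre host 100.0.0.1 host 200.0.0.2
ip access-list extended A-security
 permit esp host 200.0.0.2 host 100.0.0.1
 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 permit icmp any any
 permit gre host 200.0.0.2 host 100.0.0.1
"""

# Legacy values to flag; DH groups 1, 2 and 5 are 768-, 1024- and 1536-bit MODP.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_sections(text):
    """Group IOS lines into (header words, [child words]) by indentation."""
    sections = []
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!") or words[0] in ("exit", "end"):
            continue
        if not raw[0].isspace():
            sections.append((words, []))
        elif sections:
            sections[-1][1].append(words)
    return sections


def audit(text):
    """Return a list of (finding, detail) tuples for one router's config."""
    findings, acls = [], {}
    peers, tunnel_dsts, crypto_acls, inbound = set(), set(), set(), []
    for head, body in parse_sections(text):
        if head[:3] == ["crypto", "isakmp", "policy"]:
            for kw, *args in body:
                if args and args[0] in WEAK_IKE.get(kw, ()):
                    findings.append((f"weak-ike-{kw}", args[0]))
        elif head[:3] == ["crypto", "isakmp", "key"] and head[3:4] != ["6"]:
            # Key is not stored as an encrypted type 6 value; report the peer, never the key.
            peer = head[head.index("address") + 1] if "address" in head[:-1] else "any"
            findings.append(("cleartext-psk", peer))
        elif head[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [("weak-transform", t) for t in head[4:] if t in WEAK_TRANSFORMS]
        elif head[:2] == ["crypto", "map"]:
            peers |= {w[2] for w in body if w[:2] == ["set", "peer"] and len(w) > 2}
            crypto_acls |= {w[2] for w in body if w[:2] == ["match", "address"] and len(w) > 2}
        elif head[0] == "interface":
            has_map = any(w[:2] == ["crypto", "map"] for w in body)
            for w in body:
                if w[:2] == ["tunnel", "destination"] and len(w) > 2:
                    tunnel_dsts.add(w[2])
                elif has_map and w[:2] == ["ip", "access-group"] and len(w) == 4 and w[3] == "in":
                    inbound.append(w[2])
        elif head[:3] == ["ip", "access-list", "extended"] and len(head) > 3:
            acls[head[3]] = [" ".join(w) for w in body]
    crypto_rules = [r for name in crypto_acls for r in acls.get(name, [])]
    inbound_rules = [r for name in inbound for r in acls.get(name, [])]
    for dst in sorted(tunnel_dsts - peers):
        findings.append(("tunnel-dst-not-a-crypto-peer", dst))
    for peer in sorted(peers):
        p = re.escape(peer)
        if not any(re.fullmatch(rf"permit gre host \S+ host {p}", r) for r in crypto_rules):
            # GRE to this peer would not match the crypto map and would be sent in clear.
            findings.append(("gre-outside-crypto-acl", peer))
        esp = any(r.startswith(f"permit esp host {peer} ") for r in inbound_rules)
        ike = any(re.fullmatch(rf"permit udp host {p} host \S+ eq (isakmp|500)", r) for r in inbound_rules)
        if inbound and not (esp and ike):
            findings.append(("inbound-acl-drops-ipsec", peer))
    return findings


if __name__ == "__main__":
    for name, detail in audit(R1_CONFIG):
        print(f"{name}: {detail}")
```
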

Verification

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#crypto isakmp po
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#enc
R1(config-isakmp)#encryption 3de
R1(config-isakmp)#encryption 3des 
R1(config-isakmp)#has
R1(config-isakmp)#hash md
R1(config-isakmp)#hash md5 
R1(config-isakmp)#auth
R1(config-isakmp)#authentication pre-
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#gro
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#cry
R1(config)#crypto isak
R1(config)#crypto isakmp key
R1(config)#crypto isakmp key pg1xpsk add
R1(config)#crypto isakmp key pg1xpsk address 200.0.0.2
R1(config)#cryp
R1(config)#crypto isak
R1(config)#crypto isakmp keepali
R1(config)#crypto isakmp keepalive 30 on-de
R1(config)#crypto isakmp keepalive 30 on-demand 
R1(config)#crypto
R1(config)#crypto isakm
R1(config)#cryp          
R1(config)#crypto ipse
R1(config)#crypto ipsec trans
R1(config)#crypto ipsec transform-set IPSEC esp-3de
R1(config)#crypto ipsec transform-set IPSEC esp-3des esp-md
R1(config)#crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac 
R1(cfg-crypto-trans)#mod
R1(cfg-crypto-trans)#mode trans
R1(cfg-crypto-trans)#mode transport 
R1(cfg-crypto-trans)#exit
R1(config)#crypto
R1(config)#crypto map
R1(config)#crypto map M-ipsec 1 ipsec-isakm
R1(config)#crypto map M-ipsec 1 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer
R1(config-crypto-map)#set peer 200.0.0.2
R1(config-crypto-map)#set tran
R1(config-crypto-map)#set transform-set IPSEC
R1(config-crypto-map)#mat
R1(config-crypto-map)#match add
R1(config-crypto-map)#match address A-ipsec
R1(config-crypto-map)#exit
R1(config)#int lo1
R1(config-if)#ip add
R1(config-if)#ip address 
*Apr 17 21:54:02.848: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#ip address 100.0.0.1 255.255.255.255
R1(config-if)#int gig0/0
R1(config-if)#ip tcp adj
R1(config-if)#ip tcp adjust-mss 1332
R1(config-if)#int gig0/1
R1(config-if)#cd
R1(config-if)#cdp en
R1(config-if)#cdp enable 
% Cannot enable CDP on this interface, since CDP is not running
R1(config-if)#no cdp enable 
R1(config-if)#pppoe
R1(config-if)#pppoe en
R1(config-if)#pppoe enable gro
R1(config-if)#pppoe enable group globa
R1(config-if)#pppoe enable group global 
R1(config-if)#ppp
*Apr 17 22:02:48.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R1(config-if)#pppoe
*Apr 17 22:02:48.731: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R1(config-if)#pppoe-cli
R1(config-if)#pppoe-client dial
R1(config-if)#pppoe-client dial-pool-number 10
R1(config-if)#int tun0
R1(config-if)#ip a
*Apr 17 22:03:06.346: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip add
R1(config-if)#ip address 192.168.0.1 255.255.255.252
R1(config-if)#ip mt
R1(config-if)#ip mtu 1372
R1(config-if)#tu
R1(config-if)#tunnel so
R1(config-if)#tunnel source Di
R1(config-if)#tunnel source Dialer 1
R1(config-if)#tu
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200.0.0.2
R1(config-if)#int dia 1
R1(config-if)#ip unnum
R1(config-if)#ip unnumbered lo1
R1(config-if)#ip mt
R1(config-if)#ip mtu 1454
R1(config-if)#enca
R1(config-if)#encapsulation ppp
R1(config-if)#dia
R1(config-if)#dialer poo
R1(config-if)#dialer pool 10
R1(config-if)#dia
R1(config-if)#dialer-gr
R1(config-if)#dialer-group 20
R1(config-if)#ppp
*Apr 17 22:04:13.522: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:04:13.527: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:04:15.350: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R1(config-if)#p  
*Apr 17 22:04:15.369: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R1(config-if)#ppp auth
R1(config-if)#ppp authe
R1(config-if)#ppp authentication chap calli
R1(config-if)#ppp authentication chap callin 
R1(config-if)#ppp cha
R1(config-if)#ppp chap hostna
R1(config-if)#ppp chap hostname cci
*Apr 17 22:04:37.611: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:04:37.613: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:04:37.713: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1e
R1(config-if)#ppp chap hostname ccie@esx
*Apr 17 22:04:37.730: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R1(config-if)#ppp chap hostname ccie@example.com
R1(config-if)#ppp cha
R1(config-if)#ppp chap pass
R1(config-if)#ppp chap password cc13
R1(config-if)#cry
R1(config-if)#crypto ma
R1(config-if)#crypto map M-ipsec
*Apr 17 22:04:59.894: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
R1(config-if)#crypto map M-ipsec
*Apr 17 22:04:59.898: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
R1(config-if)#crypto map M-ipsec
R1(config-if)#
*Apr 17 22:05:01.598: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R1(config-if)#
*Apr 17 22:05:02.145: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#ip accee
R1(config-if)#ip access
R1(config-if)#ip access-group A-security in
R1(config-if)#no cde
R1(config-if)#no cdp
R1(config-if)#no cdp ?
  enable           Enable CDP on interface
  filter-tlv-list  Apply tlv list filter on interface
  log              Log messages generated by CDP
  tlv              Enable exchange of specific tlv information

R1(config-if)#no cdp en
R1(config-if)#no cdp enable 
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 dia
R1(config)#ip route 0.0.0.0 0.0.0.0 dialer 1
R1(config)#router ospf 
*Apr 17 22:06:05.374: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up1
R1(config)#router ospf 1
R1(config-router)#netwo
R1(config-router)#network 10.100.0.1 0.0.0.0 area 0
R1(config-router)#netwo
R1(config-router)#network 192.168.0.1 0.0.0.0 area 0
R1(config-router)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-ipsec
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R1(config-ext-nacl)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-security
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit es
R1(config-ext-nacl)#permit esp hos
R1(config-ext-nacl)#permit esp host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#permit
R1(config-ext-nacl)#permit udp hos
R1(config-ext-nacl)#permit udp host 200.0.0.2 hos
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq ?
  <0-65535>      Port number
  biff           Biff (mail notification, comsat, 512)
  bootpc         Bootstrap Protocol (BOOTP) client (68)
  bootps         Bootstrap Protocol (BOOTP) server (67)
  discard        Discard (9)
  dnsix          DNSIX security protocol auditing (195)
  domain         Domain Name Service (DNS, 53)
  echo           Echo (7)
  isakmp         Internet Security Association and Key Management Protocol
                 (500)
  mobile-ip      Mobile IP registration (434)
  nameserver     IEN116 name service (obsolete, 42)
  netbios-dgm    NetBios datagram service (138)
  netbios-ns     NetBios name service (137)
  netbios-ss     NetBios session service (139)
  non500-isakmp  Internet Security Association and Key Management Protocol
                 (4500)
  ntp            Network Time Protocol (123)
  pim-auto-rp    PIM Auto-RP (496)
  rip            Routing Information Protocol (router, in.routed, 520)
  snmp           Simple Network Management Protocol (161)
  snmptrap       SNMP Traps (162)
          
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isa
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isak?  
isakmp  

R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq ?   
  <0-65535>      Port number
  biff           Biff (mail notification, comsat, 512)
  bootpc         Bootstrap Protocol (BOOTP) client (68)
  bootps         Bootstrap Protocol (BOOTP) server (67)
  discard        Discard (9)
  dnsix          DNSIX security protocol auditing (195)
  domain         Domain Name Service (DNS, 53)
  echo           Echo (7)
  isakmp         Internet Security Association and Key Management Protocol
                 (500)
  mobile-ip      Mobile IP registration (434)
  nameserver     IEN116 name service (obsolete, 42)
  netbios-dgm    NetBios datagram service (138)
  netbios-ns     NetBios name service (137)
  netbios-ss     NetBios session service (139)
  non500-isakmp  Internet Security Association and Key Management Protocol
                 (4500)
  ntp            Network Time Protocol (123)
  pim-auto-rp    PIM Auto-RP (496)
  rip            Routing Information Protocol (router, in.routed, 520)
  snmp           Simple Network Management Protocol (161)
  snmptrap       SNMP Traps (162)
  sunrpc         Sun Remote Procedure Call (111)
  syslog         System Logger (514)
  tacacs         TAC Access Control System (49)
  talk           Talk (517)
  tftp           Trivial File Transfer Protocol (69)
  time           Time (37)
  who            Who service (rwho, 513)
  xdmcp          X Display Manager Control Protocol (177)

R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq  500
R1(config-ext-nacl)#per
R1(config-ext-nacl)#permit ic
R1(config-ext-nacl)#permit icmp an
R1(config-ext-nacl)#permit icmp any an
R1(config-ext-nacl)#permit icmp any any 
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit gre hos
R1(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#exit
R1(config)#do sh ip access-lists
Extended IP access list A-ipsec
    10 permit gre host 100.0.0.1 host 200.0.0.2 (13 matches)
Extended IP access list A-security
    10 permit esp host 200.0.0.2 host 100.0.0.1
    20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
    30 permit icmp any any (4 matches)
    40 permit gre host 200.0.0.2 host 100.0.0.1
R1(config)#dial
R1(config)#dialer-li
R1(config)#dialer-list 20 pro
R1(config)#dialer-list 20 protocol ip ?
  deny    Deny specified protocol
  list    Add access list to dialer list
  permit  Permit specified protocol

R1(config)#dialer-list 20 protocol ip per
R1(config)#dialer-list 20 protocol ip permit 
R1(config)#^Z
R1#ping 1
*Apr 17 22:10:56.299: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 100.1.3.3 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
R1#ping 34.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R1#ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int tun0
R1(config-if)#ip addr 192.168.12.1 255.255.255.255
R1(config-if)#router ospf 1
R1(config-router)#netwo
R1(config-router)#no network 192.168.0.1 0.0.0.0 area 0
R1(config-router)#network 192.168.12.1 0.0.0.0 area 0  
R1(config-router)#^Z
R1#
*Apr 17 22:40:44.546: %SYS-5-CONFIG_I: Configured from console by console
R1#ip int tun0 | i Internet
      ^
% Invalid input detected at '^' marker.

R1#sh ip int tun0 | i Internet
  Internet address is 192.168.12.1/32
R1#conf t                     
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int tun0
R1(config-if)#ip addr 192.168.12.1 255.255.255.252 
R1(config-if)#^Z
R1#
*Apr 17 22:47:45.429: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R1#ping 192.168.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.100.0.1      YES NVRAM  up                    up      
GigabitEthernet0/1         unassigned      YES NVRAM  up                    up      
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down    
Dialer1                    100.0.0.1       YES TFTP   up                    up      
Loopback1                  100.0.0.1       YES manual up                    up      
Tunnel0                    192.168.12.1    YES manual up                    up      
Virtual-Access1            unassigned      YES unset  up                    up      
Virtual-Access2            unassigned      YES unset  up                    up      
R1#
*Apr 17 22:53:40.588: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
R1#ping 192.168.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms
R1#ping 34.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R1#sh ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O        10.200.0.0/24 [110/1001] via 192.168.12.2, 00:08:09, Tunnel0
R1#sh ip ro
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer1
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.100.0.0/24 is directly connected, GigabitEthernet0/0
L        10.100.0.1/32 is directly connected, GigabitEthernet0/0
O        10.200.0.0/24 [110/1001] via 192.168.12.2, 00:08:12, Tunnel0
      100.0.0.0/32 is subnetted, 2 subnets
C        100.0.0.1 is directly connected, Loopback1
C        100.1.3.3 is directly connected, Dialer1
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/30 is directly connected, Tunnel0
L        192.168.12.1/32 is directly connected, Tunnel0
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int dia1
R1(config-if)#no cryp
R1(config-if)#no crypto ma
R1(config-if)#no crypto map M-ipsec
R1(config-if)#
*Apr 17 23:03:12.961: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R1(config-if)#
*Apr 17 23:03:13.473: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config-if)#
*Apr 17 23:03:16.596: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
R1(config-if)#^Z
R1#
*Apr 17 23:04:29.084: %SYS-5-CONFIG_I: Configured from console by console
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#cry
R2(config)#crypto isa
R2(config)#crypto isakmp po
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#enc
R2(config-isakmp)#encryption 3de
R2(config-isakmp)#encryption 3des 
R2(config-isakmp)#has
R2(config-isakmp)#hash md5
R2(config-isakmp)#auth
R2(config-isakmp)#authentication pre
R2(config-isakmp)#authentication pre-share 
R2(config-isakmp)#gro
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#cry
R2(config)#crypto isak
R2(config)#crypto isakmp ke
R2(config)#crypto isakmp key
R2(config)#crypto isakmp key pg1xpsk add
R2(config)#crypto isakmp key pg1xpsk address 100.0.0.1
R2(config)#cry
R2(config)#crypto isakm
R2(config)#crypto isakmp kee
R2(config)#crypto isakmp keepalive 30 on
R2(config)#crypto isakmp keepalive 30 on-demand 
R2(config)#cryp
R2(config)#crypto ipse
R2(config)#crypto ipsec trans
R2(config)#crypto ipsec transform-set IPSEC esp-3de
R2(config)#crypto ipsec transform-set IPSEC esp-3des es
R2(config)#crypto ipsec transform-set IPSEC esp-3des esp-md
R2(config)#crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac 
R2(cfg-crypto-trans)#mo
R2(cfg-crypto-trans)#mode tra
R2(cfg-crypto-trans)#mode transport 
R2(cfg-crypto-trans)#exit
R2(config)#cry
R2(config)#crypto ma
R2(config)#crypto map M-ipsec 1 ipse
R2(config)#crypto map M-ipsec 1 ipsec-isa
R2(config)#crypto map M-ipsec 1 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set pee
R2(config-crypto-map)#set peer 100.0.0.1
R2(config-crypto-map)#set tran
R2(config-crypto-map)#set transform-set IPSEC
R2(config-crypto-map)#mat
R2(config-crypto-map)#match add
R2(config-crypto-map)#match address A-ipsec
R2(config-crypto-map)#int lo1
R2(config-if)#
*Apr 17 22:14:02.754: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R2(config-if)#ip add
R2(config-if)#ip address 200.0.0.2 255.255.255.255
R2(config-if)#int gig0/0
R2(config-if)#ip tcp
R2(config-if)#ip tcp ad
R2(config-if)#ip tcp adjust-mss 1332
R2(config-if)#int gig0/1
R2(config-if)#no ip addre
R2(config-if)#no ip address 
R2(config-if)#pppoe enabl
R2(config-if)#pppoe enable group glboa
R2(config-if)#pppoe enable group glboa
R2(config-if)#
*Apr 17 22:15:01.244: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2(config-if)#
*Apr 17 22:15:01.249: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R2(config-if)#no pppoe enable group glboa
R2(config-if)#pppoe enable group ?       
  WORD    BBA Group name
  global  Attach global PPPoE group

R2(config-if)#pppoe enable group global
R2(config-if)#pppoe enable group global 
R2(config-if)#pppoe-cli
R2(config-if)#pppoe-client dia
R2(config-if)#pppoe-client dial-pool-number 10
R2(config-if)#int tun0
R2(config-if)#i
*Apr 17 22:15:40.205: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to downp
R2(config-if)#ip add
R2(config-if)#ip address 192.168.0.2 255.255.255.252
R2(config-if)#ip mt
R2(config-if)#ip mtu 1372
R2(config-if)#tu
R2(config-if)#tunnel so
R2(config-if)#tunnel source Dia
R2(config-if)#tunnel source Dialer 1
R2(config-if)#tun
R2(config-if)#tunnel des
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#int dia1
R2(config-if)#ip unnum
R2(config-if)#ip unnumbered Lo1
R2(config-if)#int tun0
R2(config-if)#ip addr 192.168.12.2 255.255.255.252
R2(config-if)#int dia1
R2(config-if)#ip annu
R2(config-if)#ip unnum
R2(config-if)#ip unnumbered lo1
R2(config-if)#ip mt
R2(config-if)#ip mtu 1454
R2(config-if)#enca
R2(config-if)#encapsulation ppp
R2(config-if)#dia
R2(config-if)#dialerpo
R2(config-if)#dialer po
R2(config-if)#dialer pool 10
R2(config-if)#dialer
R2(config-if)#dialer-gro
R2(config-if)#dialer-group 
*Apr 17 22:42:29.361: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:42:29.366: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:42:31.142: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#dialer-grou 
R2(config-if)#dialer-group 
*Apr 17 22:42:31.161: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#dialer-group 20
R2(config-if)#ppp authe
R2(config-if)#ppp authentication cha
R2(config-if)#ppp authentication chap call
R2(config-if)#ppp authentication chap calli
R2(config-if)#ppp authentication chap callin 
R2(config-if)#
*Apr 17 22:42:53.414: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:42:53.419: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:42:53.520: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#
*Apr 17 22:42:53.536: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#
*Apr 17 22:43:15.688: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:43:15.692: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:43:15.798: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#
*Apr 17 22:43:15.814: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#
*Apr 17 22:43:37.969: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:43:37.971: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:43:38.072: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#
*Apr 17 22:43:38.087: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp chap                       
R2(config-if)#ppp chap hostn
R2(config-if)#ppp chap hostname 
*Apr 17 22:44:00.244: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 17 22:44:00.246: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 17 22:44:00.345: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#ppp chap hostname c
*Apr 17 22:44:00.361: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp chap hostname ccie@example.com
R2(config-if)#ppp chap
R2(config-if)#ppp chap pass
R2(config-if)#ppp chap password cc13
R2(config-if)#cry
R2(config-if)#crypto ma
R2(config-if)#crypto map M-ipsec
*Apr 17 22:44:22.531: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
R2(config-if)#crypto map M-ipsec
*Apr 17 22:44:22.535: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
R2(config-if)#crypto map M-ipsec
*Apr 17 22:44:24.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R2(config-if)#crypto map M-ipsec
R2(config-if)#
*Apr 17 22:44:26.211: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#ip accee 
R2(config-if)#ip access
R2(config-if)#ip access-group A-security in
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 dia 1
R2(config)#do ping 34.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
R2(config)#pi 
*Apr 17 22:45:29.231: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config)#do ping 200.2.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.2.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
R2(config)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.200.0.2      YES NVRAM  up                    up      
GigabitEthernet0/1         unassigned      YES NVRAM  up                    up      
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down    
Dialer1                    200.0.0.2       YES TFTP   up                    up      
Loopback1                  200.0.0.2       YES manual up                    up      
Tunnel0                    192.168.12.2    YES manual up                    up      
Virtual-Access1            unassigned      YES unset  up                    up      
Virtual-Access2            unassigned      YES unset  up                    up      
R2(config)#router ospf 1
R2(config-router)#netw
R2(config-router)#network 10.200.0.2 0.0.0.0 are
R2(config-router)#network 10.200.0.2 0.0.0.0 area 0
R2(config-router)#netwoq
R2(config-router)#netwo 
R2(config-router)#network 192.168.12.2 0.0.0.0 area 0
R2(config-router)#exit
R2(config)#ip acc
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-ipsec
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit gre hos
R2(config-ext-nacl)#permit gre host 200.0.0.2 hos
R2(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R2(config-ext-nacl)#exit
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-security
R2(config-ext-nacl)#permi e
*Apr 17 22:53:39.944: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Dones
R2(config-ext-nacl)#permi es
R2(config-ext-nacl)#permi esp hos
R2(config-ext-nacl)#permi esp host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakm
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp 
R2(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permit icm
R2(config-ext-nacl)#permit icmp any any
R2(config-ext-nacl)#exit
R2(config)#dial
R2(config)#dialer-li
R2(config)#dialer-list 20 pro
R2(config)#dialer-list 20 protocol ip per
R2(config)#dialer-list 20 protocol ip permit 
R2(config)#^Z
R2#
*Apr 17 22:55:05.489: %SYS-5-CONFIG_I: Configured from console by console
R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/14/17 ms
R2#ping 34.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 34.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
R2#ping 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms
R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 14/15/18 ms
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int dia1
R2(config-if)#no cry
R2(config-if)#no crypto ma
R2(config-if)#no crypto map M-ipsec
R2(config-if)#
*Apr 17 23:02:40.826: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
R2(config-if)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config-if)#
*Apr 17 23:03:15.867: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
R2(config-if)#do ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/9/13 ms
R2(config-if)#^Z
R2#
*Apr 17 23:04:31.255: %SYS-5-CONFIG_I: Configured from console by console
R2#
PC-1> 
PC-1> ping 10.200.0.202
84 bytes from 10.200.0.202 icmp_seq=1 ttl=62 time=26.335 ms
84 bytes from 10.200.0.202 icmp_seq=2 ttl=62 time=14.656 ms
84 bytes from 10.200.0.202 icmp_seq=3 ttl=62 time=9.719 ms
84 bytes from 10.200.0.202 icmp_seq=4 ttl=62 time=11.283 ms
84 bytes from 10.200.0.202 icmp_seq=5 ttl=62 time=10.332 ms

PC-1> ping 10.200.0.202
10.200.0.202 icmp_seq=1 timeout
10.200.0.202 icmp_seq=2 timeout
84 bytes from 10.200.0.202 icmp_seq=3 ttl=62 time=5.233 ms
84 bytes from 10.200.0.202 icmp_seq=4 ttl=62 time=7.190 ms
84 bytes from 10.200.0.202 icmp_seq=5 ttl=62 time=8.222 ms

PC-1> 

Topology: 1:N GRE over IPsec

IP

Project name: ccna-vpn-gre-0003-gre-over-ipsec-1-n

  • R1
enable
configure terminal
!
hostname R1
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 10.100.0.1 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • R2
enable
configure terminal
!
hostname R2
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 10.200.0.2 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • R3
enable
configure terminal
!
hostname R3
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 34.0.0.3 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
interface GigabitEthernet 0/2
ip address 35.0.0.3 255.255.255.0
no shutdown
exit
!
end
write
  • R4
enable
configure terminal
!
hostname R4
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 34.0.0.4 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
interface GigabitEthernet 0/2
ip address 45.0.0.4 255.255.255.0
no shutdown
exit
!
end
write
  • R5
enable
configure terminal
!
hostname R5
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 35.0.0.5 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
interface GigabitEthernet 0/2
ip address 45.0.0.5 255.255.255.0
no shutdown
exit
!
end
write
  • R6
enable
configure terminal
!
hostname R6
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
interface GigabitEthernet 0/0
ip address 10.6.0.6 255.255.255.0
no shutdown
exit
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • PC-1
ip 10.100.0.101 255.255.255.0 10.100.0.1
save
  • PC-2
ip 10.200.0.202 255.255.255.0 10.200.0.2
save
  • PC-5
ip 10.6.0.105 255.255.255.0 10.6.0.6
save

Configure Basic Routing Protocol(BGP, Static routing)

  • R3
configure terminal
!
router bgp 3
neighbor 34.0.0.4 remote-as 4
neighbor 35.0.0.5 remote-as 5
network 100.0.0.1 mask 255.255.255.255
exit
!
end
  • R4
configure terminal
!
router bgp 4
neighbor 34.0.0.3 remote-as 3
neighbor 45.0.0.5 remote-as 5
network 200.0.0.2 mask 255.255.255.255
exit
!
end
  • R5
configure terminal
!
router bgp 5
neighbor 35.0.0.3 remote-as 3
neighbor 45.0.0.4 remote-as 4
network 106.0.0.6 mask 255.255.255.255
exit
!
end

Configure PPPoE Server, Client

  • R1
configure terminal
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group global
pppoe-client dial-pool-number 10
exit
!
interface GigabitEthernet 0/0
ip tcp adjust-mss 1356
exit
!
interface Loopback 1
ip address 100.0.0.1 255.255.255.255
exit
!
interface Dialer 1
ip unnumbered Loopback 1
ip mtu 1454
encapsulation ppp
dialer pool 10
dialer-group 20
ppp authentication chap callin
ppp chap hostname ccie@example.com
ppp chap password cc13
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end
  • R2
configure terminal
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group global
pppoe-client dial-pool-number 10
exit
!
interface GigabitEthernet 0/0
ip tcp adjust-mss 1356
exit
!
interface Loopback 1
ip address 200.0.0.2 255.255.255.255
exit
!
interface Dialer 1
ip unnumbered Loopback 1
ip mtu 1454
encapsulation ppp
dialer pool 10
dialer-group 20
ppp authentication chap callin
ppp chap hostname ccie@example.com
ppp chap password cc13
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end
  • R3
configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 100.0.0.1
!
interface Loopback1
ip address 100.1.3.3 255.255.255.0
exit
!
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
ppp authentication chap
exit
!
bba-group pppoe PPPOE-GROUP1
virtual-template 1
exit
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group PPPOE-GROUP1
no shut
exit
!
end
  • R4
configure terminal
!
username ccie@example.com password cc13
!
ip local pool POOL1 200.0.0.2
!
interface Loopback1
ip address 200.2.4.4 255.255.255.0
exit
!
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
ppp authentication chap
exit
!
bba-group pppoe PPPOE-GROUP1
virtual-template 1
exit
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group PPPOE-GROUP1
no shut
exit
!
end
  • R5
configure terminal
!
username ccie@isp3.pg1x.net password cc13
!
ip local pool POOL1 106.0.0.6
!
interface Loopback1
ip address 106.5.6.5 255.255.255.0
exit
!
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
ppp authentication chap
exit
!
bba-group pppoe PPPOE-GROUP1
virtual-template 1
exit
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group PPPOE-GROUP1
no shut
exit
!
end
  • R6
configure terminal
!
interface GigabitEthernet 0/1
no ip address
pppoe enable group global
pppoe-client dial-pool-number 10
exit
!
interface GigabitEthernet 0/0
ip tcp adjust-mss 1356
exit
!
interface Loopback 1
ip address 106.0.0.6 255.255.255.255
exit
!
interface Dialer 1
ip unnumbered Loopback 1
ip mtu 1454
encapsulation ppp
dialer pool 10
dialer-group 20
ppp authentication chap callin
ppp chap hostname ccie@isp3.pg1x.net
ppp chap password cc13
no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
dialer-list 20 protocol ip permit
!
end

Configure IPsec over GRE/PPPoE

  • R1
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption aes
 ! Specify Hashing Algorithm
 hash sha
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! specify ISAKMP SA lifetime(Default)
 !lifetime 86400
exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 200.0.0.2
crypto isakmp key pg1xpsk address 106.0.0.6
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 on-demand
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
 mode transport
exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set IPSEC
 match address A-ipsec1
exit
crypto map M-ipsec 2 ipsec-isakmp
 set peer 106.0.0.6
 set transform-set IPSEC
 match address A-ipsec2
exit
!
interface Loopback 1
 ip address 100.0.0.1 255.255.255.255
exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1332
exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
exit
!
interface Tunnel 0
 ip address 192.168.12.1 255.255.255.0
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 200.0.0.2
exit
!
interface Tunnel 1
 ip address 192.168.16.1 255.255.255.0
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 106.0.0.6
exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no cdp enable
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
router ospf 1
 network 10.100.0.1 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 0
 network 192.168.16.1 0.0.0.0 area 0
exit
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec1
 permit gre host 100.0.0.1 host 200.0.0.2
exit
!
ip access-list extended A-ipsec2
 permit gre host 100.0.0.1 host 106.0.0.6
exit
!
ip access-list extended A-security
 permit esp host 200.0.0.2 host 100.0.0.1
 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 permit gre host 200.0.0.2 host 100.0.0.1
 permit esp host 106.0.0.6 host 100.0.0.1
 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
 permit gre host 106.0.0.6 host 100.0.0.1
 permit icmp any any
exit
!
dialer-list 20 protocol ip permit
!
end
  • R2
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption aes
 ! Specify Hashing Algorithm
 hash sha
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! specify ISAKMP SA lifetime(Default)
 !lifetime 86400
exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 on-demand
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
 mode transport
exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address A-ipsec
exit
!
interface Loopback 1
 ip address 200.0.0.2 255.255.255.255
exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1332
exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
exit
!
interface Tunnel 0
 ip address 192.168.12.2 255.255.255.0
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 100.0.0.1
exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@example.com
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no cdp enable
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
router ospf 1
 network 10.200.0.2 0.0.0.0 area 0
 network 192.168.12.2 0.0.0.0 area 0
exit
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit gre host 200.0.0.2 host 100.0.0.1
exit
!
ip access-list extended A-security
 permit esp host 100.0.0.1 host 200.0.0.2
 permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
 permit gre host 100.0.0.1 host 200.0.0.2
 permit icmp any any
exit
!
dialer-list 20 protocol ip permit
!
end
  • R6
configure terminal
!
! Configure ISAKMP SA Policy
crypto isakmp policy 1
 ! Specify Encryption Algorithm
 encryption aes
 ! Specify Hashing Algorithm
 hash sha
 ! Specify Authentication Method
 authentication pre-share
 ! Specify DH(Diffie-Hellman) Group
 group 2
 ! specify ISAKMP SA lifetime(Default)
 !lifetime 86400
exit
!
! Specify pre-shared key and peer address
crypto isakmp key pg1xpsk address 100.0.0.1
! Configure IKE Keepalive: DPD(Dead Peer Detection)
crypto isakmp keepalive 30 on-demand
!
! Configure IPsec transform-set
crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
 mode transport
exit
!
! Configure IPsec SA lifetime(Default)
!crypto ipsec security-association lifetime seconds 3600
!
! Configure crypto map
crypto map M-ipsec 1 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set IPSEC
 match address A-ipsec
exit
!
interface Loopback 1
 ip address 106.0.0.6 255.255.255.255
exit
!
interface GigabitEthernet 0/0
 ip tcp adjust-mss 1332
exit
!
interface GigabitEthernet 0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
exit
!
interface Tunnel 0
 ip address 192.168.16.6 255.255.255.0
 ip mtu 1372
 tunnel source Dialer 1
 tunnel destination 100.0.0.1
exit
!
interface Dialer 1
 ip unnumbered Loopback 1
 ip mtu 1454
 encapsulation ppp
 dialer pool 10
 dialer-group 20
 ppp authentication chap callin
 ppp chap hostname ccie@isp3.pg1x.net
 ppp chap password cc13
 crypto map M-ipsec
 ip access-group A-security in
 no cdp enable
 no shutdown
exit
!
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
router ospf 1
 network 10.6.0.6 0.0.0.0 area 0
 network 192.168.16.6 0.0.0.0 area 0
exit
!
! Define IPsec encryption target traffic
ip access-list extended A-ipsec
 permit gre host 106.0.0.6 host 100.0.0.1
exit
!
ip access-list extended A-security
 permit esp host 100.0.0.1 host 106.0.0.6
 permit udp host 100.0.0.1 host 106.0.0.6 eq isakmp
 permit gre host 100.0.0.1 host 106.0.0.6
 permit icmp any any
exit
!
dialer-list 20 protocol ip permit
!
end
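
A consistency check for the hub side of the 1:N configuration above, as an added example that is not part of the original page: each `crypto map` entry on R1 needs a matching ISAKMP key, tunnel destination, crypto ACL line and inbound `A-security` permits, and the script also flags `hash sha` (SHA-1), DH `group 2` and the pre-shared key shared by both spokes. The function names, finding codes and the trimmed sample config are assumptions made for this example.

```python
import re

# Constructed sample: crypto-relevant lines of R1 (hub) from the 1:N config,
# indented as "show running-config" prints them. The three A-security permits
# for spoke 106.0.0.6 are left out on purpose so the audit has a gap to find.
HUB_CONFIG = """\
crypto isakmp policy 1
 hash sha
 group 2
crypto isakmp key pg1xpsk address 200.0.0.2
crypto isakmp key pg1xpsk address 106.0.0.6
crypto map M-ipsec 1 ipsec-isakmp
 set peer 200.0.0.2
 match address A-ipsec1
crypto map M-ipsec 2 ipsec-isakmp
 set peer 106.0.0.6
 match address A-ipsec2
interface Tunnel 0
 tunnel destination 200.0.0.2
interface Tunnel 1
 tunnel destination 106.0.0.6
ip access-list extended A-ipsec1
 permit gre host 100.0.0.1 host 200.0.0.2
ip access-list extended A-ipsec2
 permit gre host 100.0.0.1 host 106.0.0.6
ip access-list extended A-security
 permit esp host 200.0.0.2 host 100.0.0.1
 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 permit gre host 200.0.0.2 host 100.0.0.1
 permit icmp any any
"""


def sections(config):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    out, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue  # blank line or IOS comment
        if not line[0].isspace():
            current = line
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(line.strip())
    return out


def audit_hub(config, local_ip, inbound_acl="A-security"):
    """Return (code, detail) findings for a crypto-map hub running GRE over IPsec."""
    s = sections(config)
    findings = []

    # Peers that have an ISAKMP pre-shared key, grouped by key value.
    peers_by_key = {}
    for head in s:
        m = re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", head)
        if m:
            peers_by_key.setdefault(m.group(1), []).append(m.group(2))
    keyed = {p for peers in peers_by_key.values() for p in peers}
    for peers in peers_by_key.values():
        if len(peers) > 1:
            findings.append(("psk-reused", ",".join(sorted(peers))))

    # GRE tunnel endpoints and the inbound filter applied on the Dialer.
    tunnels = {c.split()[-1] for head, kids in s.items()
               if head.startswith("interface Tunnel")
               for c in kids if c.startswith("tunnel destination ")}
    inbound = s.get(f"ip access-list extended {inbound_acl}", [])

    for head, kids in s.items():
        if head.startswith("crypto isakmp policy "):
            if "hash sha" in kids:
                findings.append(("weak-hash", "hash sha (SHA-1)"))
            if "group 2" in kids:
                findings.append(("weak-dh", "group 2 (1024-bit MODP)"))
        if not re.fullmatch(r"crypto map \S+ \d+ ipsec-isakmp", head):
            continue
        peer = next((c.split()[-1] for c in kids if c.startswith("set peer ")), None)
        acl = next((c.split()[-1] for c in kids if c.startswith("match address ")), None)
        if peer is None or acl is None:
            findings.append(("incomplete-map", head))
            continue
        if peer not in keyed:
            findings.append(("no-psk", peer))
        if peer not in tunnels:
            findings.append(("no-tunnel", peer))
        # The crypto ACL must select the GRE flow from the hub to this spoke.
        gre_out = f"permit gre host {local_ip} host {peer}"
        if gre_out not in s.get(f"ip access-list extended {acl}", []):
            findings.append(("crypto-acl-mismatch", f"{acl}: {gre_out}"))
        # Inbound permits the page's A-security carries for every spoke.
        for rule in (f"permit esp host {peer} host {local_ip}",
                     f"permit udp host {peer} host {local_ip} eq isakmp",
                     f"permit gre host {peer} host {local_ip}"):
            if rule not in inbound:
                findings.append(("inbound-acl-missing", rule))
    return findings


if __name__ == "__main__":
    for code, detail in audit_hub(HUB_CONFIG, "100.0.0.1"):
        print(f"{code:22} {detail}")
```

The parser expects child lines to be indented, so feed it `show running-config` output rather than the flat paste-in blocks used in the PPPoE sections.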
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#crypto isakmp po
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr
R1(config-isakmp)#encryption aes
R1(config-isakmp)#has
R1(config-isakmp)#hash sha
R1(config-isakmp)#hash sha?
sha  sha256  sha384  sha512

R1(config-isakmp)#hash sha
R1(config-isakmp)#encryption aes?
aes  

R1(config-isakmp)#encryption aes
R1(config-isakmp)#atuh
R1(config-isakmp)#atuhe
R1(config-isakmp)#authen
R1(config-isakmp)#authentication pre-sha
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#gro
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
R1(config)#cryp
R1(config)#crypto isak
R1(config)#crypto isakmp key pg1
R1(config)#crypto isakmp key pg1xpsk add
R1(config)#crypto isakmp key pg1xpsk address 200.0.0.2
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#crypto isakmp key pg1xpsk address 106.0.0.6
R1(config)#cry
R1(config)#crypto isakm
R1(config)#crypto isakmp kee
R1(config)#crypto isakmp keepalive 30 on
R1(config)#crypto isakmp keepalive 30 on-demand 
R1(config)#cryp
R1(config)#crypto isakm
R1(config)#cry           
R1(config)#crypto ipse
R1(config)#crypto ipsec trans
R1(config)#crypto ipsec transform-set IPSEC es
R1(config)#crypto ipsec transform-set IPSEC esp-ae
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sh
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha?
esp-sha-hmac  esp-sha256-hmac  esp-sha384-hmac  esp-sha512-hmac

R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-h
R1(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac 
R1(cfg-crypto-trans)#mod
R1(cfg-crypto-trans)#mode tra
R1(cfg-crypto-trans)#mode transport 
R1(cfg-crypto-trans)#exit
R1(config)#cryp
R1(config)#crypto ma
R1(config)#crypto map M-ipsec 1 ipse
R1(config)#crypto map M-ipsec 1 ipsec-isakm
R1(config)#crypto map M-ipsec 1 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set pee
R1(config-crypto-map)#set peer 200.0.0.2
R1(config-crypto-map)#set tra
R1(config-crypto-map)#set transform-set IPSEC
R1(config-crypto-map)#mat
R1(config-crypto-map)#match add
R1(config-crypto-map)#match address A-ipsec1
R1(config-crypto-map)#exit
R1(config)#cry
R1(config)#crypto ma
R1(config)#crypto map M-ipsec 2 ipsec
R1(config)#crypto map M-ipsec 2 ipsec-isa
R1(config)#crypto map M-ipsec 2 ipsec-?      
ipsec-isakmp  ipsec-manual  

R1(config)#crypto map M-ipsec 2 ipsec-isak
R1(config)#crypto map M-ipsec 2 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set pee
R1(config-crypto-map)#set peer 106.0.0.6
R1(config-crypto-map)#set tra
R1(config-crypto-map)#set transform-set IPSEC
R1(config-crypto-map)#mat
R1(config-crypto-map)#match add
R1(config-crypto-map)#match address A-ipsec2
R1(config-crypto-map)#exit
R1(config)#int
R1(config)#interface Loo
R1(config)#interface Loopback 1
R1(config-if)#
*Apr 21 02:23:38.914: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R1(config-if)#100.0.0.1 255.255.255.255
              ^
% Invalid input detected at '^' marker.

R1(config-if)#ip address 100.0.0.1 255.255.255.255
R1(config-if)#int gig0/0
R1(config-if)#ip tcp
R1(config-if)#ip tcp ad
R1(config-if)#ip tcp adjust-mss 1332
R1(config-if)#int gig0/1
R1(config-if)#no ip address
R1(config-if)#pppoe en
R1(config-if)#pppoe enable grou
R1(config-if)#pppoe enable group glo
R1(config-if)#pppoe enable group global 
R1(config-if)#
*Apr 21 02:26:56.038: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R1(config-if)#
*Apr 21 02:26:56.043: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R1(config-if)#pppoe-clie
R1(config-if)#pppoe-client dia
R1(config-if)#pppoe-client dial-pool-number 1
R1(config-if)#no cdp en
R1(config-if)#no cdp enable 
R1(config-if)#int tun0
R1(config-if)#ip
*Apr 21 06:53:54.706: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#ip mt
R1(config-if)#ip mtu 1372 tun
R1(config-if)#ip mtu 1372 tunn
R1(config-if)#ip mtu 1372      
R1(config-if)#tunn
R1(config-if)#tunnel sou
R1(config-if)#tunnel source di
R1(config-if)#tunnel source dialer 1
R1(config-if)#tunn
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200.0.0.2
R1(config-if)#int tun1
R1(config-if)#ip 
*Apr 21 06:56:07.425: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to downa
R1(config-if)#ip address 192.168.16.1 255.255.255.0
R1(config-if)#ip mt
R1(config-if)#ip mtu 1372
R1(config-if)#tun
R1(config-if)#tunnel sou
R1(config-if)#tunnel source Di
R1(config-if)#tunnel source Dialer 1
R1(config-if)#tunn
R1(config-if)#tunnel desti
R1(config-if)#tunnel destination 106.0.0.6
R1(config-if)#int dia1
R1(config-if)#ip unnu
R1(config-if)#ip unnumbered Lo1
R1(config-if)#ip mt
R1(config-if)#ip mtu 1454
R1(config-if)#enca
R1(config-if)#encapsulation ppp]
                               ^
% Invalid input detected at '^' marker.

R1(config-if)#encapsulation ppp 
R1(config-if)#dial
R1(config-if)#dialer poo
R1(config-if)#dialer pool 10
R1(config-if)#dial
R1(config-if)#dialer-gr
R1(config-if)#dialer-group 20
R1(config-if)#ppp auth
R1(config-if)#ppp authe
R1(config-if)#ppp authentication chap call
R1(config-if)#ppp authentication chap calli
R1(config-if)#ppp authentication chap callin 
R1(config-if)#ppp chap hostname ccie@example.com
R1(config-if)#ppp chap password cc13
R1(config-if)#crypto
R1(config-if)#crypto ma
R1(config-if)#crypto map M-ipsec
R1(config-if)#
*Apr 21 06:58:25.154: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#ip acce
R1(config-if)#ip access-group A-security in
R1(config-if)#no cdp
R1(config-if)#no cdp en
R1(config-if)#no cdp enable 
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 Di
R1(config)#ip route 0.0.0.0 0.0.0.0 Dialer 1
R1(config)#router 
*Apr 21 06:59:06.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R1(config)#router ospf 1
*Apr 21 06:59:13.722: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config)#router ospf 1
R1(config-router)#netwo
R1(config-router)#network 10.100.0.1 0.0.0.0 area 0
R1(config-router)#netwo
R1(config-router)#network 192.168.12.1 0.0.0.0 area 0
R1(config-router)#netwo
R1(config-router)#network 192.168.16.1 0.0.0.0 area 0
R1(config-router)#exit
R1(config)#int gig0/1
R1(config-if)#pppoe-cli
R1(config-if)#pppoe-client dial
R1(config-if)#pppoe-client dial-pool-number 10
R1(config-if)#do sh ru
*Apr 21 07:01:36.902: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 07:01:36.906: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
R1(config-if)#do sh run 
*Apr 21 07:01:40.329: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R1(config-if)#do sh run int gi0/1
Building configuration...

Current configuration : 202 bytes
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
 pppoe enable group global
 pppoe-client dial-pool-number 10
 pppoe-client dial-pool-number 1
 no cdp enable
end

R1(config-if)#no pppoe-client dial-pool-number 1
R1(config-if)#do sh run int gi0/1               
Building configuration...

Current configuration : 169 bytes
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
 pppoe enable group global
 pppoe-client dial-pool-number 10
 no cdp enable
end

R1(config-if)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-ipsec1
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit gre hos
R1(config-ext-nacl)#permit gre host 100.0.0.1 hos
R1(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R1(config-ext-nacl)#exit 
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-ipsec2
R1(config-ext-nacl)#permit gre host 100.0.0.1 host 106.0.0.6
R1(config-ext-nacl)#exit
R1(config)#ip acce
R1(config)#ip access-list exte
R1(config)#ip access-list extended A-security
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit es
R1(config-ext-nacl)#permit esp host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit udp hos
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isak
R1(config-ext-nacl)#permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp 
R1(config-ext-nacl)#permi
R1(config-ext-nacl)#permit es
R1(config-ext-nacl)#permit gr  
R1(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R1(config-ext-nacl)#permit esp host 106.0.0.6 host 100.0.0.1
R1(config-ext-nacl)#permit udp hsot 106.0.0.6 host 100.0.0.1 eq isakm
R1(config-ext-nacl)#permit udp hsot 106.0.0.6 host 100.0.0.1 eq isakmp
R1(config-ext-nacl)#permit udp host 106.0.0.6 host 100.0.0.1 eq isa   
R1(config-ext-nacl)#permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp  
R1(config-ext-nacl)#permit gre host 106.0.0.6 host 100.0.0.1 
R1(config-ext-nacl)#permit icmp any any
R1(config-ext-nacl)#exit
R1(config)#do sh ip access-lists 
Extended IP access list A-ipsec1
    10 permit gre host 100.0.0.1 host 200.0.0.2 (22 matches)
Extended IP access list A-ipsec2
    10 permit gre host 100.0.0.1 host 106.0.0.6 (18 matches)
Extended IP access list A-security
    10 permit esp host 200.0.0.2 host 100.0.0.1
    20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
    30 permit gre host 200.0.0.2 host 100.0.0.1
    40 permit esp host 106.0.0.6 host 100.0.0.1
    50 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
    60 permit gre host 106.0.0.6 host 100.0.0.1
    70 permit icmp any any (2 matches)
R1(config)#do sh ip access-lists 
Extended IP access list A-ipsec1
    10 permit gre host 100.0.0.1 host 200.0.0.2 (23 matches)
Extended IP access list A-ipsec2
    10 permit gre host 100.0.0.1 host 106.0.0.6 (20 matches)
Extended IP access list A-security
    10 permit esp host 200.0.0.2 host 100.0.0.1
    20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
    30 permit gre host 200.0.0.2 host 100.0.0.1
    40 permit esp host 106.0.0.6 host 100.0.0.1
    50 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
    60 permit gre host 106.0.0.6 host 100.0.0.1
    70 permit icmp any any (4 matches)
R1(config)#diea
R1(config)#diale
R1(config)#dialer-li
R1(config)#dialer-list 20 pro
R1(config)#dialer-list 20 protocol ip per
R1(config)#dialer-list 20 protocol ip permit 
R1(config)#^Z
R1#pign 
*Apr 21 07:06:47.551: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 100.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/8 ms
R1#
*Apr 21 08:27:32.430: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
R1#
*Apr 21 08:51:45.863: %OSPF-5-ADJCHG: Process 1, Nbr 106.0.0.6 on Tunnel1 from LOADING to FULL, Loading Done
R1#sh ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.6.0.0/24 [110/1001] via 192.168.16.6, 00:05:58, Tunnel1
O        10.200.0.0/24 [110/1001] via 192.168.12.2, 00:30:11, Tunnel0
R1#sh ip ospf neigh
R1#sh ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
106.0.0.6         0   FULL/  -        00:00:34    192.168.16.6    Tunnel1
200.0.0.2         0   FULL/  -        00:00:36    192.168.12.2    Tunnel0
R1#sh ip ro   
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O        10.6.0.0/24 [110/1001] via 192.168.16.6, 00:06:15, Tunnel1
C        10.100.0.0/24 is directly connected, GigabitEthernet0/0
L        10.100.0.1/32 is directly connected, GigabitEthernet0/0
O        10.200.0.0/24 [110/1001] via 192.168.12.2, 00:30:28, Tunnel0
      100.0.0.0/32 is subnetted, 2 subnets
C        100.0.0.1 is directly connected, Loopback1
C        100.1.3.3 is directly connected, Dialer1
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, Tunnel0
L        192.168.12.1/32 is directly connected, Tunnel0
      192.168.16.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.16.0/24 is directly connected, Tunnel1
L        192.168.16.1/32 is directly connected, Tunnel1
R1#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#cryp
R2(config)#crypto isakm
R2(config)#crypto isakmp poli
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encr
R2(config-isakmp)#encryption aes
R2(config-isakmp)#encryption aes 
R2(config-isakmp)#has
R2(config-isakmp)#hash sha
R2(config-isakmp)#auth
R2(config-isakmp)#authentication pre
R2(config-isakmp)#authentication pre-share 
R2(config-isakmp)#gro
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#cry
R2(config)#crypto isakm
R2(config)#crypto isakmp key pg1xpsk address 100.0.0.1
R2(config)#cryp
R2(config)#crypto isak
R2(config)#crypto isakmp kee
R2(config)#crypto isakmp keepalive 30 on-de
R2(config)#crypto isakmp keepalive 30 on-demand 
R2(config)#cry
R2(config)#crypto ipsec tran
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sh
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hp
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hm
R2(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac 
R2(cfg-crypto-trans)#mod
R2(cfg-crypto-trans)#mode tra
R2(cfg-crypto-trans)#mode transport 
R2(cfg-crypto-trans)#exit
R2(config)#cryp
R2(config)#crypto ma
R2(config)#crypto map M-ipsec 1 ipsec
R2(config)#crypto map M-ipsec 1 ipsec-isakm
R2(config)#crypto map M-ipsec 1 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set pee
R2(config-crypto-map)#set peer 100.0.0.1
R2(config-crypto-map)#set tran
R2(config-crypto-map)#set transform-set IPSEC
R2(config-crypto-map)#mat
R2(config-crypto-map)#match add
R2(config-crypto-map)#match address A-ipsec
R2(config-crypto-map)#exit
R2(config)#int lo1
R2(config-if)#ip ad
*Apr 21 07:09:56.490: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R2(config-if)#ip address 200.0.0.2 255.255.255.255
R2(config-if)#int gig0/0
R2(config-if)#ip tcp adj
R2(config-if)#ip tcp adjust-mss 1332
R2(config-if)#int gig0/1
R2(config-if)#no ip address 
R2(config-if)#pppoe
R2(config-if)#pppoe enabl
R2(config-if)#pppoe enable gro
R2(config-if)#pppoe enable group glo
R2(config-if)#pppoe enable group global 
R2(config-if)#
*Apr 21 07:10:45.180: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2(config-if)#p
*Apr 21 07:10:45.184: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to upp
R2(config-if)#pppoe-cli
R2(config-if)#pppoe-client dial
R2(config-if)#pppoe-client dial-pool-number 10
R2(config-if)#no cdp
R2(config-if)#no cdp en
R2(config-if)#no cdp enable 
R2(config-if)#int tunn0
R2(config-if)#
*Apr 21 07:11:01.908: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config-if)#ip add
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#ip mt
R2(config-if)#ip mtu 1372
R2(config-if)#tunn
R2(config-if)#tunnel sou
R2(config-if)#tunnel source Di
R2(config-if)#tunnel source Dialer 1
R2(config-if)#tunn
R2(config-if)#tunnel desi
R2(config-if)#tunnel desti
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#int dia1
R2(config-if)#ip unnu
R2(config-if)#ip unnumbered Lo1
R2(config-if)#ip mt
R2(config-if)#ip mtu 1454
R2(config-if)#enca
R2(config-if)#encapsulation ppp dia
R2(config-if)#encapsulation ppp    
R2(config-if)#dia
R2(config-if)#dialer poo
R2(config-if)#dialer pool ?
  <1-255>  Dialer pool number

R2(config-if)#dialer pool 10
R2(config-if)#diale
R2(config-if)#dialer
*Apr 21 08:24:59.932: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:24:59.937: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:25:01.832: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#dialer-g
*Apr 21 08:25:01.849: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#dialer-gr
R2(config-if)#dialer-group 20
R2(config-if)#ppp auth
R2(config-if)#ppp auth
R2(config-if)#ppp authe
R2(config-if)#ppp auth?          
authentication  authorization  

R2(config-if)#ppp authe
R2(config-if)#ppp authentication 
*Apr 21 08:25:24.154: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:25:24.156: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:25:24.266: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#ppp authentication 
*Apr 21 08:25:24.282: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp authentication chap
R2(config-if)#ppp authentication chap call
R2(config-if)#ppp authentication chap calli
R2(config-if)#ppp authentication chap callin 
R2(config-if)#ppp cha
R2(config-if)#ppp chap hos
R2(config-if)#ppp chap hostname ccie@example.com
R2(config-if)#ppp chap password 
*Apr 21 08:25:46.486: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:25:46.490: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:25:46.586: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R2(config-if)#ppp chap password cc1
*Apr 21 08:25:46.601: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R2(config-if)#ppp chap password cc13
R2(config-if)#cry
R2(config-if)#crypto ma
R2(config-if)#crypto map M-ipsec
R2(config-if)#
*Apr 21 08:26:04.464: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#ip acce
R2(config-if)#ip access-group A-
*Apr 21 08:26:08.819: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
R2(config-if)#ip access-group A-secur
*Apr 21 08:26:08.824: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to upity in
R2(config-if)#ip access-group A-security in
*Apr 21 08:26:10.668: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R2(config-if)#ip access-group A-security in
R2(config-if)#no cdp en
R2(config-if)#no cdp enable 
R2(config-if)#no shut
R2(config-if)#no shutdown 
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 Dia
R2(config)#ip route 0.0.0.0 0.0.0.0 Dialer 1
R2(config)#router ospf 1
R2(config-router)#netwo
R2(config-router)#network 10.
*Apr 21 08:26:41.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-router)#network 10.200.0.2 0.0.0.0 area 0
R2(config-router)#netwo
R2(config-router)#network 192.168.12.2 0.0.0.0 area 0
R2(config-router)#exit
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-ipsec
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit gre host 200.0.0.2 hos
R2(config-ext-nacl)#permit gre host 200.0.0.2 host 100.0.0.1
R2(config-ext-nacl)#exit
R2(config)#ip 
*Apr 21 08:28:05.450: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
R2(config)#ip acc
R2(config)#ip acce
R2(config)#ip access-list exte
R2(config)#ip access-list extended A-security
R2(config-ext-nacl)#permit esp host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakm
R2(config-ext-nacl)#permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp 
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit gre hos
R2(config-ext-nacl)#permit gre host 100.0.0.1 host 200.0.0.2
R2(config-ext-nacl)#permit icmp any any
R2(config-ext-nacl)#exit
R2(config)#dialer
R2(config)#dialer-li
R2(config)#dialer-list 20 pro
R2(config)#dialer-list 20 protocol ip
R2(config)#dialer-list 20 protocol ip per
R2(config)#dialer-list 20 protocol ip permit 
R2(config)#^Z
R2#
*Apr 21 08:29:29.695: %SYS-5-CONFIG_I: Configured from console by console
R2#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
100.0.0.1         0   FULL/  -        00:00:37    192.168.12.1    Tunnel0
R2#sh ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O        10.100.0.0/24 [110/1001] via 192.168.12.1, 00:02:14, Tunnel0
O     192.168.16.0/24 [110/2000] via 192.168.12.1, 00:02:14, Tunnel0
R2#ping 192.168.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/20 ms
R2#ping 192.168.16.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.16.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.16.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/24/32 ms
R2#
R6#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R6(config)#cry
R6(config)#crypto isakm
R6(config)#crypto isakmp poli
R6(config)#crypto isakmp policy 1
R6(config-isakmp)#ecn
R6(config-isakmp)#encr
R6(config-isakmp)#encryption aes
R6(config-isakmp)#encryption aes 
R6(config-isakmp)#has
R6(config-isakmp)#hash sh
R6(config-isakmp)#hash sha
R6(config-isakmp)#auh
R6(config-isakmp)#auth
R6(config-isakmp)#authentication pre
R6(config-isakmp)#authentication pre-share 
R6(config-isakmp)#gr
R6(config-isakmp)#group 2
R6(config-isakmp)#exit
R6(config)#cry
R6(config)#crypto isak
R6(config)#crypto isakmp key pg1xpsk address 100.0.0.1
R6(config)#cry
R6(config)#crypto isakm
R6(config)#crypto isakmp kee
R6(config)#crypto isakmp keepalive 30 on-de
R6(config)#crypto isakmp keepalive 30 on-demand 
R6(config)#cry
R6(config)#crypto ipsec trans
R6(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-h
R6(config)#crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac 
R6(cfg-crypto-trans)#mod
R6(cfg-crypto-trans)#mode tra
R6(cfg-crypto-trans)#mode transport 
R6(cfg-crypto-trans)#exit
R6(config)#cryp
R6(config)#crypto ma
R6(config)#crypto map M-ipsec 1 ipsec-isakm
R6(config)#crypto map M-ipsec 1 ipsec-isakmp 
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R6(config-crypto-map)#set pee
R6(config-crypto-map)#set peer 100.0.0.1
R6(config-crypto-map)#set tra
R6(config-crypto-map)#set transform-set IPSEC
R6(config-crypto-map)#mat
R6(config-crypto-map)#match add
R6(config-crypto-map)#match address A-ipsec
R6(config-crypto-map)#exit
R6(config)#int lo1
R6(config-if)#ip a
*Apr 21 08:42:20.177: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
R6(config-if)#ip addre
R6(config-if)#ip address 106.0.0.6 255.255.255.255
R6(config-if)#inter
R6(config-if)#int gig0/0
R6(config-if)#ip tc
R6(config-if)#ip tcp ad
R6(config-if)#ip tcp adjust-mss 1332
R6(config-if)#int gig0/1
R6(config-if)#no ip add
R6(config-if)#no ip address 
R6(config-if)#pppoe
R6(config-if)#pppoe ena
R6(config-if)#pppoe enable grou
R6(config-if)#pppoe enable group globa
R6(config-if)#pppoe enable group global 
R6(config-if)#ppp
*Apr 21 08:44:04.968: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R6(config-if)#pppoe
R6(config-if)#pppoe
*Apr 21 08:44:04.975: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
R6(config-if)#pppoe-cli
R6(config-if)#pppoe-client dial
R6(config-if)#pppoe-client dial-pool-number 10
R6(config-if)#no cdp ena
R6(config-if)#no cdp enable 
R6(config-if)#exit
R6(config)#inter tunn
R6(config)#inter tunnel 0
R6(config-if)#
*Apr 21 08:44:25.068: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R6(config-if)#ip address 192.168.16.6 255.255.255.0
R6(config-if)#ip mt
R6(config-if)#ip mtu 1372
R6(config-if)#tunne
R6(config-if)#tunnel so
R6(config-if)#tunnel source Dia
R6(config-if)#tunnel source Dialer 1
R6(config-if)#tunne
R6(config-if)#tunnel desti
R6(config-if)#tunnel destination 100.0.0.1
R6(config-if)#exit
R6(config)#int Dia
R6(config)#int Dialer 1
R6(config-if)#ip unnu
R6(config-if)#ip unnumbered Lo1
R6(config-if)#ip mt
R6(config-if)#ip mtu 1454
R6(config-if)#enca
R6(config-if)#encapsulation ppp
R6(config-if)#dial
R6(config-if)#dialer poo
R6(config-if)#dialer pool 10
R6(config-if)#dial
R6(config-if)#dialer-gr
R6(config-if)#dialer-group 
*Apr 21 08:46:20.268: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:46:20.275: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:46:22.144: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R6(config-if)#dialer-group 2
*Apr 21 08:46:22.160: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R6(config-if)#dialer-group 20
R6(config-if)#ppp authe
R6(config-if)#ppp authentication chap call
R6(config-if)#ppp authentication chap calli
R6(config-if)#ppp authentication chap call?  
WORD  callback  callin  callout

R6(config-if)#ppp authentication chap calli
R6(config-if)#ppp authentication chap callin 
R6(config-if)#ppp chap hostname ccie@example.com
*Apr 21 08:46:44.462: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:46:44.467: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:46:44.576: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R6(config-if)#ppp chap hostname ccie@example.com
*Apr 21 08:46:44.593: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R6(config-if)#ppp chap hostname ccie@example.com
*Apr 21 08:47:06.798: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:47:06.801: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:47:06.895: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R6(config-if)#ppp chap hostname ccie@example.com
*Apr 21 08:47:06.911: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R6(config-if)#ppp chap hostname ccie@isp3.pg1x.net
R6(config-if)#ppp chap pass
R6(config-if)#ppp chap password cc
*Apr 21 08:47:29.116: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Apr 21 08:47:29.120: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Apr 21 08:47:29.223: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1
R6(config-if)#ppp chap password cc13
*Apr 21 08:47:29.250: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
R6(config-if)#ppp chap password cc13
R6(config-if)#
*Apr 21 08:47:51.476: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
R6(config-if)#
*Apr 21 08:47:51.480: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
R6(config-if)#
*Apr 21 08:47:53.274: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R6(config-if)#cry
R6(config-if)#crypto ma
R6(config-if)#crypto map M-ipsec
R6(config-if)#
*Apr 21 08:48:26.573: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R6(config-if)#ip access
R6(config-if)#ip access-group A-security in
R6(config-if)#no cdp en
R6(config-if)#no cdp enable 
R6(config-if)#no shut
R6(config-if)#no shutdown 
R6(config-if)#exit
R6(config)#ip route 0.0.0.0 0.0.0.0 Dia
R6(config)#ip route 0.0.0.0 0.0.0.0 Dialer 1
R6(config)#router os
*Apr 21 08:49:14.081: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R6(config)#router ospf 1
R6(config-router)#netwo
R6(config-router)#network 10.6.0.6 0.0.0.0 area 0
R6(config-router)#netwo
R6(config-router)#network 192.168.16.6 0.0.0.0 area
R6(config-router)#network 192.168.16.6 0.0.0.0 area 0
R6(config-router)#exit
R6(config)#ip acce
R6(config)#ip access-list exte
R6(config)#ip access-list extended A-ipsec
R6(config-ext-nacl)#per
R6(config-ext-nacl)#permit gre hos
R6(config-ext-nacl)#permit gre host 106.0.0.6 hos
R6(config-ext-nacl)#permit gre host 106.0.0.6 host 100.0.0.1
R6(config-ext-nacl)#exit
R6(config)#ip
*Apr 21 08:52:11.958: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
R6(config)#ip acce
R6(config)#ip access-list exte
R6(config)#ip access-list extended A-security
R6(config-ext-nacl)#permi
R6(config-ext-nacl)#permit esp hos
R6(config-ext-nacl)#permit esp host 100.0.0.1 hsot 106.0.0.6
                                               ^
% Invalid input detected at '^' marker.

R6(config-ext-nacl)#permit esp host 100.0.0.1 hoot 106.0.0.6
                                                ^
% Invalid input detected at '^' marker.

R6(config-ext-nacl)#permit esp host 100.0.0.1 host 106.0.0.6  
R6(config-ext-nacl)#permi
R6(config-ext-nacl)#permit gre host 100.0.0.1 host 106.0.0.6 
R6(config-ext-nacl)#permit icm
R6(config-ext-nacl)#permit icmp an
R6(config-ext-nacl)#permit icmp any an
R6(config-ext-nacl)#permit icmp any any 
R6(config-ext-nacl)#exit          
R6(config)#dialer
R6(config)#dialer-lis
R6(config)#dialer-list 20 proto
R6(config)#dialer-list 20 protocol ip permi
R6(config)#dialer-list 20 protocol ip permit 
R6(config)#^Z
R6#
*Apr 21 08:54:15.610: %SYS-5-CONFIG_I: Configured from console by console
R6#ping 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/11 ms
R6#ping 200.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/11 ms
R6#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
100.0.0.1         0   FULL/  -        00:00:37    192.168.16.1    Tunnel0
R6#sh ip ro   
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer1
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.6.0.0/24 is directly connected, GigabitEthernet0/0
L        10.6.0.6/32 is directly connected, GigabitEthernet0/0
O        10.100.0.0/24 [110/1001] via 192.168.16.1, 00:02:54, Tunnel0
O        10.200.0.0/24 [110/2001] via 192.168.16.1, 00:02:54, Tunnel0
      106.0.0.0/32 is subnetted, 2 subnets
C        106.0.0.6 is directly connected, Loopback1
C        106.5.6.5 is directly connected, Dialer1
O     192.168.12.0/24 [110/2000] via 192.168.16.1, 00:02:54, Tunnel0
      192.168.16.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.16.0/24 is directly connected, Tunnel0
L        192.168.16.6/32 is directly connected, Tunnel0
R6#                
PC-2> ping 10.100.0.101
84 bytes from 10.100.0.101 icmp_seq=1 ttl=62 time=27.656 ms
84 bytes from 10.100.0.101 icmp_seq=2 ttl=62 time=11.363 ms
84 bytes from 10.100.0.101 icmp_seq=3 ttl=62 time=13.107 ms
84 bytes from 10.100.0.101 icmp_seq=4 ttl=62 time=12.313 ms
84 bytes from 10.100.0.101 icmp_seq=5 ttl=62 time=11.717 ms

PC-2> ping 192.168.16.6 
84 bytes from 192.168.16.6 icmp_seq=1 ttl=253 time=20.835 ms
84 bytes from 192.168.16.6 icmp_seq=2 ttl=253 time=19.752 ms
84 bytes from 192.168.16.6 icmp_seq=3 ttl=253 time=21.734 ms
84 bytes from 192.168.16.6 icmp_seq=4 ttl=253 time=24.609 ms
84 bytes from 192.168.16.6 icmp_seq=5 ttl=253 time=22.443 ms

PC-2> ping 10.6.0.105
84 bytes from 10.6.0.105 icmp_seq=1 ttl=61 time=37.842 ms
84 bytes from 10.6.0.105 icmp_seq=2 ttl=61 time=19.384 ms
84 bytes from 10.6.0.105 icmp_seq=3 ttl=61 time=19.323 ms
84 bytes from 10.6.0.105 icmp_seq=4 ttl=61 time=19.056 ms
84 bytes from 10.6.0.105 icmp_seq=5 ttl=61 time=19.007 ms

PC-2> 
R1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.100.0.1      YES NVRAM  up                    up      
GigabitEthernet0/1         unassigned      YES NVRAM  up                    up      
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down    
Dialer1                    100.0.0.1       YES TFTP   up                    up      
Loopback1                  100.0.0.1       YES manual up                    up      
Tunnel0                    192.168.12.1    YES manual up                    up      
Tunnel1                    192.168.16.1    YES manual up                    up      
Virtual-Access1            unassigned      YES unset  up                    up      
Virtual-Access2            unassigned      YES unset  up                    up      
R1#show ip ospf neighbo
R1#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
106.0.0.6         0   FULL/  -        00:00:34    192.168.16.6    Tunnel1
200.0.0.2         0   FULL/  -        00:00:34    192.168.12.2    Tunnel0
R1#show cryp
R1#show crypto isakm
R1#show crypto ipsec sa 

interface: Dialer1
    Crypto map tag: M-ipsec, local addr 100.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (106.0.0.6/255.255.255.255/47/0)
   current_peer 106.0.0.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
    #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 106.0.0.6
     plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
     current outbound spi: 0x4566DF3D(1164369725)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x28335F48(674455368)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4349249/2911)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4566DF3D(1164369725)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4349249/2911)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:
          
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (200.0.0.2/255.255.255.255/47/0)
   current_peer 200.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
    #pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
     plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
     current outbound spi: 0x8A138AFC(2316536572)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x59DDE95E(1507715422)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4375654/1464)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8A138AFC(2316536572)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4375654/1464)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
R1#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: M-ipsec, local addr 100.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (106.0.0.6/255.255.255.255/47/0)
   current_peer 106.0.0.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104
    #pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 106.0.0.6
     plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
     current outbound spi: 0x4566DF3D(1164369725)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x28335F48(674455368)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4349248/2828)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4566DF3D(1164369725)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4349248/2828)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:
          
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (200.0.0.2/255.255.255.255/47/0)
   current_peer 200.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 271, #pkts encrypt: 271, #pkts digest: 271
    #pkts decaps: 273, #pkts decrypt: 273, #pkts verify: 273
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
     plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
     current outbound spi: 0x8A138AFC(2316536572)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x59DDE95E(1507715422)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4375652/1381)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8A138AFC(2316536572)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: M-ipsec
        sa timing: remaining key lifetime (k/sec): (4375653/1381)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
R1#
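An added example, not part of the original page: a Python check that parses `show crypto ipsec sa` output such as R1's above and lists, per peer, what a reviewer would question (missing SA pair, non-GRE proxy identity, mode, HMAC-SHA-1 integrity, PFS off, one-way counters). The function names and the second flow (documentation address 203.0.113.9) are constructed for illustration.

```python
import re

# Flow 1 is abbreviated from the R1 output above. Flow 2 is constructed
# (documentation address 203.0.113.9) to show a peer whose SAs never came up.
SAMPLE = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (106.0.0.6/255.255.255.255/47/0)
    #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
    #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x28335F48(674455368)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0x4566DF3D(1164369725)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (100.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (203.0.113.9/255.255.255.255/47/0)
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     outbound esp sas:
"""


def parse_flows(text):
    """Return one dict per 'protected vrf' block of 'show crypto ipsec sa'."""
    flows, flow, sa, direction = [], None, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("protected vrf:"):
            flow = {"peer": None, "proto": None, "encaps": 0, "decaps": 0,
                    "pfs": False, "sas": []}
            flows.append(flow)
            sa = direction = None
        elif flow is None:
            continue  # header lines before the first protected flow
        elif m := re.match(r"remote ident .*: \(([\d.]+)/[\d.]+/(\d+)/\d+\)", line):
            flow["peer"], flow["proto"] = m.group(1), int(m.group(2))
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            flow[m.group(1)] = int(m.group(2))
        elif m := re.match(r"PFS \(Y/N\): ([YN])", line):
            flow["pfs"] = m.group(1) == "Y"
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction, sa = (m.group(1), m.group(2)), None
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)):
            sa = {"dir": direction[0], "proto": direction[1], "spi": m.group(1),
                  "transform": [], "mode": None, "status": None}
            flow["sas"].append(sa)
        elif sa and line.startswith("transform:"):
            sa["transform"] = line.split(":", 1)[1].strip(" ,").split()
        elif sa and (m := re.match(r"in use settings =\{(\w+)", line)):
            sa["mode"] = m.group(1)
        elif sa and (m := re.match(r"Status: (\w+)", line)):
            sa["status"] = m.group(1)
    return flows


def audit(flow):
    """List review notes for one flow; an empty list means nothing to flag."""
    esp = [s for s in flow["sas"] if s["proto"] == "esp"]
    active = {s["dir"] for s in esp if s["status"] == "ACTIVE"}
    checks = [
        (active != {"inbound", "outbound"}, "no active ESP SA pair"),
        (flow["proto"] != 47, "proxy identity is not GRE (IP protocol 47)"),
        (any(s["mode"] != "Transport" for s in esp),
         "SA mode differs from the configured transport mode"),
        (any("esp-sha-hmac" in s["transform"] for s in esp),
         "integrity is HMAC-SHA-1 (esp-sha-hmac)"),
        (not flow["pfs"], "PFS is off"),
        (flow["encaps"] > 0 and flow["decaps"] == 0,
         "traffic is one-way: encaps without decaps"),
    ]
    return [note for failed, note in checks if failed]


def report(text):
    return {f["peer"]: audit(f) for f in parse_flows(text)}


if __name__ == "__main__":
    print(report(SAMPLE))
```

Feed it the full command output captured from the router; lines it does not recognise are ignored.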

Ping and capture packets:

R2#ping 10.6.0.105 repeat 100000
Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 10.6.0.105, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!.
Success rate is 99 percent (1347/1348), round-trip min/avg/max = 9/26/90 ms
R2#


tech/network/cisco/vpn/tunneling/gre-over-ipsec/gre-over-ipsec.txt · Last modified: 2019/04/21 09:20 by wnoguchi