PG1X

My Knowledge Base


tech:network:cisco:vpn:tunneling:gre-over-ipsec:gre-over-ipsec

Differences

This shows you the differences between two versions of the page.

tech:network:cisco:vpn:tunneling:gre-over-ipsec:gre-over-ipsec [2019/04/21 02:12]
wnoguchi
tech:network:cisco:vpn:tunneling:gre-over-ipsec:gre-over-ipsec [2019/04/21 09:20] (current)
wnoguchi
Line 1749: Line 1749:
 ! !
 interface Tunnel 0 interface Tunnel 0
- ip address 192.168.12.1 255.255.255.252+ ip address 192.168.12.1 255.255.255.0
  ip mtu 1372  ip mtu 1372
  ​tunnel source Dialer 1  ​tunnel source Dialer 1
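Review bot: The mask change on this Tunnel 0 address (255.255.255.252 to 255.255.255.0) is not needed for reachability, because 192.168.12.1 and its peer 192.168.12.2 already share the same /30. If the wider mask is only there to match the other tunnel, say so next to the config, since a reader comparing against a standard point-to-point design will otherwise take the /24 for a mistake.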
Line 1864: Line 1864:
 ! !
 interface Tunnel 0 interface Tunnel 0
- ip address 192.168.12.2 255.255.255.252+ ip address 192.168.12.2 255.255.255.0
  ip mtu 1372  ip mtu 1372
  ​tunnel source Dialer 1  ​tunnel source Dialer 1
Line 1900: Line 1900:
  ​permit esp host 100.0.0.1 host 200.0.0.2  ​permit esp host 100.0.0.1 host 200.0.0.2
  ​permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp  ​permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
- ​permit icmp any any 
  ​permit gre host 100.0.0.1 host 200.0.0.2  ​permit gre host 100.0.0.1 host 200.0.0.2
 + ​permit icmp any any
 exit exit
 ! !
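Review bot: Moving "permit icmp any any" below the GRE entry in A-security does not change what the list admits, because it overlaps none of the host-specific ESP, ISAKMP and GRE entries, so the broad rule itself is the thing to look at. A-security is applied inbound on Dialer 1, the PPPoE-facing interface, and this entry accepts every ICMP type from any source. Consider narrowing it to the types the lab relies on (echo-reply for the ping tests, unreachable so path MTU discovery keeps working with the reduced tunnel MTU, time-exceeded for traceroute), or add a line stating that the open rule is a lab convenience.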
Line 1964: Line 1964:
 ! !
 interface Tunnel 0 interface Tunnel 0
- ip address 192.168.16.6 255.255.255.252+ ip address 192.168.16.6 255.255.255.0
  ip mtu 1372  ip mtu 1372
  ​tunnel source Dialer 1  ​tunnel source Dialer 1
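Review bot: On this tunnel the old 255.255.255.252 mask was a real defect rather than a style choice, and the page should say so: 192.168.16.6 with a /30 sits in 192.168.16.4/30, while the far end is configured as 192.168.16.1 in the R1 session, so the two ends were never in the same subnet. The /24 fixes that; renumbering this end to 192.168.16.2 would fix it too while keeping the /30. A one-line note on which fix was chosen and why would help anyone reusing the config.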
Line 1977: Line 1977:
  ​dialer-group 20  ​dialer-group 20
  ppp authentication chap callin  ppp authentication chap callin
- ppp chap hostname ccie@example.com+ ppp chap hostname ccie@isp3.pg1x.net
  ppp chap password cc13  ppp chap password cc13
  ​crypto map M-ipsec  ​crypto map M-ipsec
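Review bot: The reason for changing the CHAP hostname on this router to ccie@isp3.pg1x.net is not documented, and the R1 and R2 sessions added in the same revision still enter "ppp chap hostname ccie@example.com". State whether this router authenticates against a different ISP realm, so the three configs can be checked for consistency. The unchanged context line "ppp chap password cc13" also publishes the CHAP secret in clear; label it as a lab-only value or replace it with a placeholder.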
Line 1994: Line 1994:
 ! Define IPsec encryption target traffic ! Define IPsec encryption target traffic
 ip access-list extended A-ipsec ip access-list extended A-ipsec
- ​permit gre host 200.0.0.host 100.0.0.1+ ​permit gre host 106.0.0.host 100.0.0.1
 exit exit
 ! !
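Review bot: As displayed, the new A-ipsec entry reads "permit gre host 106.0.0.host 100.0.0.1", with the last octet of the source address and the separator before the second "host" missing, so the line cannot be pasted as shown. Check that the page source carries the full source host for this router (its Loopback 1 is 106.0.0.6 in the session below) followed by "host 100.0.0.1", which is the mirror of the A-ipsec2 entry on R1. The removed line started with 200.0.0, the other spoke's range, so the fix itself is correct in direction: a crypto ACL that names the wrong local source never matches this router's GRE packets and the tunnel traffic would leave unencrypted or be dropped by the peer.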
Line 2000: Line 2000:
  ​permit esp host 100.0.0.1 host 106.0.0.6  ​permit esp host 100.0.0.1 host 106.0.0.6
  ​permit udp host 100.0.0.1 host 106.0.0.6 eq isakmp  ​permit udp host 100.0.0.1 host 106.0.0.6 eq isakmp
- ​permit icmp any any 
  ​permit gre host 100.0.0.1 host 106.0.0.6  ​permit gre host 100.0.0.1 host 106.0.0.6
 + ​permit icmp any any
 exit exit
 ! !
Line 2008: Line 2008:
 end end
 </​code>​ </​code>​
 +
 +<​code>​
 +R1#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R1(config)#​cryp
 +R1(config)#​crypto isakm
 +R1(config)#​crypto isakmp po
 +R1(config)#​crypto isakmp policy 1
 +R1(config-isakmp)#​encr
 +R1(config-isakmp)#​encryption aes
 +R1(config-isakmp)#​has
 +R1(config-isakmp)#​hash sha
 +R1(config-isakmp)#​hash sha?
 +sha  sha256 ​ sha384 ​ sha512
 +
 +R1(config-isakmp)#​hash sha
 +R1(config-isakmp)#​encryption aes?
 +aes  ​
 +
 +R1(config-isakmp)#​encryption aes
 +R1(config-isakmp)#​atuh
 +R1(config-isakmp)#​atuhe
 +R1(config-isakmp)#​authen
 +R1(config-isakmp)#​authentication pre-sha
 +R1(config-isakmp)#​authentication pre-share ​
 +R1(config-isakmp)#​gro
 +R1(config-isakmp)#​group 2
 +R1(config-isakmp)#​exit
 +R1(config)#​cryp
 +R1(config)#​crypto isak
 +R1(config)#​crypto isakmp key pg1
 +R1(config)#​crypto isakmp key pg1xpsk add
 +R1(config)#​crypto isakmp key pg1xpsk address 200.0.0.2
 +R1(config)#​cryp
 +R1(config)#​crypto isakm
 +R1(config)#​crypto isakmp key pg1xpsk address 106.0.0.6
 +R1(config)#​cry
 +R1(config)#​crypto isakm
 +R1(config)#​crypto isakmp kee
 +R1(config)#​crypto isakmp keepalive 30 on
 +R1(config)#​crypto isakmp keepalive 30 on-demand ​
 +R1(config)#​cryp
 +R1(config)#​crypto isakm
 +R1(config)#​cry ​          
 +R1(config)#​crypto ipse
 +R1(config)#​crypto ipsec trans
 +R1(config)#​crypto ipsec transform-set IPSEC es
 +R1(config)#​crypto ipsec transform-set IPSEC esp-ae
 +R1(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sh
 +R1(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha?
 +esp-sha-hmac ​ esp-sha256-hmac ​ esp-sha384-hmac ​ esp-sha512-hmac
 +
 +R1(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-h
 +R1(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac ​
 +R1(cfg-crypto-trans)#​mod
 +R1(cfg-crypto-trans)#​mode tra
 +R1(cfg-crypto-trans)#​mode transport ​
 +R1(cfg-crypto-trans)#​exit
 +R1(config)#​cryp
 +R1(config)#​crypto ma
 +R1(config)#​crypto map M-ipsec 1 ipse
 +R1(config)#​crypto map M-ipsec 1 ipsec-isakm
 +R1(config)#​crypto map M-ipsec 1 ipsec-isakmp ​
 +% NOTE: This new crypto map will remain disabled until a peer
 +        and a valid access list have been configured.
 +R1(config-crypto-map)#​set pee
 +R1(config-crypto-map)#​set peer 200.0.0.2
 +R1(config-crypto-map)#​set tra
 +R1(config-crypto-map)#​set transform-set IPSEC
 +R1(config-crypto-map)#​mat
 +R1(config-crypto-map)#​match add
 +R1(config-crypto-map)#​match address A-ipsec1
 +R1(config-crypto-map)#​exit
 +R1(config)#​cry
 +R1(config)#​crypto ma
 +R1(config)#​crypto map M-ipsec 2 ipsec
 +R1(config)#​crypto map M-ipsec 2 ipsec-isa
 +R1(config)#​crypto map M-ipsec 2 ipsec-? ​     ​
 +ipsec-isakmp ​ ipsec-manual  ​
 +
 +R1(config)#​crypto map M-ipsec 2 ipsec-isak
 +R1(config)#​crypto map M-ipsec 2 ipsec-isakmp ​
 +% NOTE: This new crypto map will remain disabled until a peer
 +        and a valid access list have been configured.
 +R1(config-crypto-map)#​set pee
 +R1(config-crypto-map)#​set peer 106.0.0.6
 +R1(config-crypto-map)#​set tra
 +R1(config-crypto-map)#​set transform-set IPSEC
 +R1(config-crypto-map)#​mat
 +R1(config-crypto-map)#​match add
 +R1(config-crypto-map)#​match address A-ipsec2
 +R1(config-crypto-map)#​exit
 +R1(config)#​int
 +R1(config)#​interface Loo
 +R1(config)#​interface Loopback 1
 +R1(config-if)#​
 +*Apr 21 02:​23:​38.914:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Loopback1, changed state to up
 +R1(config-if)#​100.0.0.1 255.255.255.255
 +              ^
 +% Invalid input detected at '​^'​ marker.
 +
 +R1(config-if)#​ip address 100.0.0.1 255.255.255.255
 +R1(config-if)#​int gig0/0
 +R1(config-if)#​ip tcp
 +R1(config-if)#​ip tcp ad
 +R1(config-if)#​ip tcp adjust-mss 1332
 +R1(config-if)#​int gig0/1
 +R1(config-if)#​no ip address
 +R1(config-if)#​pppoe en
 +R1(config-if)#​pppoe enable grou
 +R1(config-if)#​pppoe enable group glo
 +R1(config-if)#​pppoe enable group global ​
 +R1(config-if)#​
 +*Apr 21 02:​26:​56.038:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access1,​ changed state to up
 +R1(config-if)#​
 +*Apr 21 02:​26:​56.043:​ %LINK-3-UPDOWN:​ Interface Virtual-Access1,​ changed state to up
 +R1(config-if)#​pppoe-clie
 +R1(config-if)#​pppoe-client dia
 +R1(config-if)#​pppoe-client dial-pool-number 1
 +R1(config-if)#​no cdp en
 +R1(config-if)#​no cdp enable ​
 +R1(config-if)#​int tun0
 +R1(config-if)#​ip
 +*Apr 21 06:​53:​54.706:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to down
 +R1(config-if)#​ip address 192.168.12.1 255.255.255.0
 +R1(config-if)#​ip mt
 +R1(config-if)#​ip mtu 1372 tun
 +R1(config-if)#​ip mtu 1372 tunn
 +R1(config-if)#​ip mtu 1372      ​
 +R1(config-if)#​tunn
 +R1(config-if)#​tunnel sou
 +R1(config-if)#​tunnel source di
 +R1(config-if)#​tunnel source dialer 1
 +R1(config-if)#​tunn
 +R1(config-if)#​tunnel des
 +R1(config-if)#​tunnel destination 200.0.0.2
 +R1(config-if)#​int tun1
 +R1(config-if)#​ip ​
 +*Apr 21 06:​56:​07.425:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel1, changed state to downa
 +R1(config-if)#​ip address 192.168.16.1 255.255.255.0
 +R1(config-if)#​ip mt
 +R1(config-if)#​ip mtu 1372
 +R1(config-if)#​tun
 +R1(config-if)#​tunnel sou
 +R1(config-if)#​tunnel source Di
 +R1(config-if)#​tunnel source Dialer 1
 +R1(config-if)#​tunn
 +R1(config-if)#​tunnel desti
 +R1(config-if)#​tunnel destination 106.0.0.6
 +R1(config-if)#​int dia1
 +R1(config-if)#​ip unnu
 +R1(config-if)#​ip unnumbered Lo1
 +R1(config-if)#​ip mt
 +R1(config-if)#​ip mtu 1454
 +R1(config-if)#​enca
 +R1(config-if)#​encapsulation ppp]
 +                               ^
 +% Invalid input detected at '​^'​ marker.
 +
 +R1(config-if)#​encapsulation ppp 
 +R1(config-if)#​dial
 +R1(config-if)#​dialer poo
 +R1(config-if)#​dialer pool 10
 +R1(config-if)#​dial
 +R1(config-if)#​dialer-gr
 +R1(config-if)#​dialer-group 20
 +R1(config-if)#​ppp auth
 +R1(config-if)#​ppp authe
 +R1(config-if)#​ppp authentication chap call
 +R1(config-if)#​ppp authentication chap calli
 +R1(config-if)#​ppp authentication chap callin ​
 +R1(config-if)#​ppp chap hostname ccie@example.com
 +R1(config-if)#​ppp chap password cc13
 +R1(config-if)#​crypto
 +R1(config-if)#​crypto ma
 +R1(config-if)#​crypto map M-ipsec
 +R1(config-if)#​
 +*Apr 21 06:​58:​25.154:​ %CRYPTO-6-ISAKMP_ON_OFF:​ ISAKMP is ON
 +R1(config-if)#​ip acce
 +R1(config-if)#​ip access-group A-security in
 +R1(config-if)#​no cdp
 +R1(config-if)#​no cdp en
 +R1(config-if)#​no cdp enable ​
 +R1(config-if)#​no shut
 +R1(config-if)#​exit
 +R1(config)#​ip route 0.0.0.0 0.0.0.0 Di
 +R1(config)#​ip route 0.0.0.0 0.0.0.0 Dialer 1
 +R1(config)#​router ​
 +*Apr 21 06:​59:​06.439:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel1, changed state to up
 +R1(config)#​router ospf 1
 +*Apr 21 06:​59:​13.722:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to up
 +R1(config)#​router ospf 1
 +R1(config-router)#​netwo
 +R1(config-router)#​network 10.100.0.1 0.0.0.0 area 0
 +R1(config-router)#​netwo
 +R1(config-router)#​network 192.168.12.1 0.0.0.0 area 0
 +R1(config-router)#​netwo
 +R1(config-router)#​network 192.168.16.1 0.0.0.0 area 0
 +R1(config-router)#​exit
 +R1(config)#​int gig0/1
 +R1(config-if)#​pppoe-cli
 +R1(config-if)#​pppoe-client dial
 +R1(config-if)#​pppoe-client dial-pool-number 10
 +R1(config-if)#​do sh ru
 +*Apr 21 07:​01:​36.902:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 07:​01:​36.906:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +R1(config-if)#​do sh run 
 +*Apr 21 07:​01:​40.329:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access2,​ changed state to up
 +R1(config-if)#​do sh run int gi0/1
 +Building configuration...
 +
 +Current configuration : 202 bytes
 +!
 +interface GigabitEthernet0/​1
 + no ip address
 + ​duplex auto
 + speed auto
 + ​media-type rj45
 + pppoe enable group global
 + ​pppoe-client dial-pool-number 10
 + ​pppoe-client dial-pool-number 1
 + no cdp enable
 +end
 +
 +R1(config-if)#​no pppoe-client dial-pool-number 1
 +R1(config-if)#​do sh run int gi0/1               
 +Building configuration...
 +
 +Current configuration : 169 bytes
 +!
 +interface GigabitEthernet0/​1
 + no ip address
 + ​duplex auto
 + speed auto
 + ​media-type rj45
 + pppoe enable group global
 + ​pppoe-client dial-pool-number 10
 + no cdp enable
 +end
 +
 +R1(config-if)#​exit
 +R1(config)#​ip acce
 +R1(config)#​ip access-list exte
 +R1(config)#​ip access-list extended A-ipsec1
 +R1(config-ext-nacl)#​permi
 +R1(config-ext-nacl)#​permit gre hos
 +R1(config-ext-nacl)#​permit gre host 100.0.0.1 hos
 +R1(config-ext-nacl)#​permit gre host 100.0.0.1 host 200.0.0.2
 +R1(config-ext-nacl)#​exit ​
 +R1(config)#​ip acce
 +R1(config)#​ip access-list exte
 +R1(config)#​ip access-list extended A-ipsec2
 +R1(config-ext-nacl)#​permit gre host 100.0.0.1 host 106.0.0.6
 +R1(config-ext-nacl)#​exit
 +R1(config)#​ip acce
 +R1(config)#​ip access-list exte
 +R1(config)#​ip access-list extended A-security
 +R1(config-ext-nacl)#​permi
 +R1(config-ext-nacl)#​permit es
 +R1(config-ext-nacl)#​permit esp host 200.0.0.2 host 100.0.0.1
 +R1(config-ext-nacl)#​permi
 +R1(config-ext-nacl)#​permit udp hos
 +R1(config-ext-nacl)#​permit udp host 200.0.0.2 host 100.0.0.1 eq isak
 +R1(config-ext-nacl)#​permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp ​
 +R1(config-ext-nacl)#​permi
 +R1(config-ext-nacl)#​permit es
 +R1(config-ext-nacl)#​permit gr  ​
 +R1(config-ext-nacl)#​permit gre host 200.0.0.2 host 100.0.0.1
 +R1(config-ext-nacl)#​permit esp host 106.0.0.6 host 100.0.0.1
 +R1(config-ext-nacl)#​permit udp hsot 106.0.0.6 host 100.0.0.1 eq isakm
 +R1(config-ext-nacl)#​permit udp hsot 106.0.0.6 host 100.0.0.1 eq isakmp
 +R1(config-ext-nacl)#​permit udp host 106.0.0.6 host 100.0.0.1 eq isa   
 +R1(config-ext-nacl)#​permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp  ​
 +R1(config-ext-nacl)#​permit gre host 106.0.0.6 host 100.0.0.1 ​
 +R1(config-ext-nacl)#​permit icmp any any
 +R1(config-ext-nacl)#​exit
 +R1(config)#​do sh ip access-lists ​
 +Extended IP access list A-ipsec1
 +    10 permit gre host 100.0.0.1 host 200.0.0.2 (22 matches)
 +Extended IP access list A-ipsec2
 +    10 permit gre host 100.0.0.1 host 106.0.0.6 (18 matches)
 +Extended IP access list A-security
 +    10 permit esp host 200.0.0.2 host 100.0.0.1
 +    20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 +    30 permit gre host 200.0.0.2 host 100.0.0.1
 +    40 permit esp host 106.0.0.6 host 100.0.0.1
 +    50 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
 +    60 permit gre host 106.0.0.6 host 100.0.0.1
 +    70 permit icmp any any (2 matches)
 +R1(config)#​do sh ip access-lists ​
 +Extended IP access list A-ipsec1
 +    10 permit gre host 100.0.0.1 host 200.0.0.2 (23 matches)
 +Extended IP access list A-ipsec2
 +    10 permit gre host 100.0.0.1 host 106.0.0.6 (20 matches)
 +Extended IP access list A-security
 +    10 permit esp host 200.0.0.2 host 100.0.0.1
 +    20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 +    30 permit gre host 200.0.0.2 host 100.0.0.1
 +    40 permit esp host 106.0.0.6 host 100.0.0.1
 +    50 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
 +    60 permit gre host 106.0.0.6 host 100.0.0.1
 +    70 permit icmp any any (4 matches)
 +R1(config)#​diea
 +R1(config)#​diale
 +R1(config)#​dialer-li
 +R1(config)#​dialer-list 20 pro
 +R1(config)#​dialer-list 20 protocol ip per
 +R1(config)#​dialer-list 20 protocol ip permit ​
 +R1(config)#​^Z
 +R1#​pign ​
 +*Apr 21 07:​06:​47.551:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +R1#ping 100.1.3.3
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 100.1.3.3, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/8 ms
 +R1#
 +*Apr 21 08:​27:​32.430:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
 +R1#
 +*Apr 21 08:​51:​45.863:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 106.0.0.6 on Tunnel1 from LOADING to FULL, Loading Done
 +R1#sh ip ro ospf
 +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 +       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 +       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 +       E1 - OSPF external type 1, E2 - OSPF external type 2
 +       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 +       ia - IS-IS inter area, * - candidate default, U - per-user static route
 +       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 +       a - application route
 +       + - replicated route, % - next hop override, p - overrides from PfR
 +
 +Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 +
 +      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
 +O        10.6.0.0/24 [110/1001] via 192.168.16.6,​ 00:05:58, Tunnel1
 +O        10.200.0.0/​24 [110/1001] via 192.168.12.2,​ 00:30:11, Tunnel0
 +R1#sh ip ospf neigh
 +R1#sh ip ospf neighbor ​
 +
 +Neighbor ID     ​Pri ​  ​State ​          Dead Time   ​Address ​        ​Interface
 +106.0.0.6 ​        ​0 ​  ​FULL/ ​ -        00:​00:​34 ​   192.168.16.6 ​   Tunnel1
 +200.0.0.2 ​        ​0 ​  ​FULL/ ​ -        00:​00:​36 ​   192.168.12.2 ​   Tunnel0
 +R1#sh ip ro   
 +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 +       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 +       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 +       E1 - OSPF external type 1, E2 - OSPF external type 2
 +       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 +       ia - IS-IS inter area, * - candidate default, U - per-user static route
 +       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 +       a - application route
 +       + - replicated route, % - next hop override, p - overrides from PfR
 +
 +Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 +
 +S*    0.0.0.0/0 is directly connected, Dialer1
 +      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
 +O        10.6.0.0/24 [110/1001] via 192.168.16.6,​ 00:06:15, Tunnel1
 +C        10.100.0.0/​24 is directly connected, GigabitEthernet0/​0
 +L        10.100.0.1/​32 is directly connected, GigabitEthernet0/​0
 +O        10.200.0.0/​24 [110/1001] via 192.168.12.2,​ 00:30:28, Tunnel0
 +      100.0.0.0/​32 is subnetted, 2 subnets
 +C        100.0.0.1 is directly connected, Loopback1
 +C        100.1.3.3 is directly connected, Dialer1
 +      192.168.12.0/​24 is variably subnetted, 2 subnets, 2 masks
 +C        192.168.12.0/​24 is directly connected, Tunnel0
 +L        192.168.12.1/​32 is directly connected, Tunnel0
 +      192.168.16.0/​24 is variably subnetted, 2 subnets, 2 masks
 +C        192.168.16.0/​24 is directly connected, Tunnel1
 +L        192.168.16.1/​32 is directly connected, Tunnel1
 +R1#
 +</​code>​
 +
 +<​code>​
 +R2#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R2(config)#​cryp
 +R2(config)#​crypto isakm
 +R2(config)#​crypto isakmp poli
 +R2(config)#​crypto isakmp policy 1
 +R2(config-isakmp)#​encr
 +R2(config-isakmp)#​encryption aes
 +R2(config-isakmp)#​encryption aes 
 +R2(config-isakmp)#​has
 +R2(config-isakmp)#​hash sha
 +R2(config-isakmp)#​auth
 +R2(config-isakmp)#​authentication pre
 +R2(config-isakmp)#​authentication pre-share ​
 +R2(config-isakmp)#​gro
 +R2(config-isakmp)#​group 2
 +R2(config-isakmp)#​exit
 +R2(config)#​cry
 +R2(config)#​crypto isakm
 +R2(config)#​crypto isakmp key pg1xpsk address 100.0.0.1
 +R2(config)#​cryp
 +R2(config)#​crypto isak
 +R2(config)#​crypto isakmp kee
 +R2(config)#​crypto isakmp keepalive 30 on-de
 +R2(config)#​crypto isakmp keepalive 30 on-demand ​
 +R2(config)#​cry
 +R2(config)#​crypto ipsec tran
 +R2(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sh
 +R2(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-hp
 +R2(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-hm
 +R2(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac ​
 +R2(cfg-crypto-trans)#​mod
 +R2(cfg-crypto-trans)#​mode tra
 +R2(cfg-crypto-trans)#​mode transport ​
 +R2(cfg-crypto-trans)#​exit
 +R2(config)#​cryp
 +R2(config)#​crypto ma
 +R2(config)#​crypto map M-ipsec 1 ipsec
 +R2(config)#​crypto map M-ipsec 1 ipsec-isakm
 +R2(config)#​crypto map M-ipsec 1 ipsec-isakmp ​
 +% NOTE: This new crypto map will remain disabled until a peer
 +        and a valid access list have been configured.
 +R2(config-crypto-map)#​set pee
 +R2(config-crypto-map)#​set peer 100.0.0.1
 +R2(config-crypto-map)#​set tran
 +R2(config-crypto-map)#​set transform-set IPSEC
 +R2(config-crypto-map)#​mat
 +R2(config-crypto-map)#​match add
 +R2(config-crypto-map)#​match address A-ipsec
 +R2(config-crypto-map)#​exit
 +R2(config)#​int lo1
 +R2(config-if)#​ip ad
 +*Apr 21 07:​09:​56.490:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Loopback1, changed state to up
 +R2(config-if)#​ip address 200.0.0.2 255.255.255.255
 +R2(config-if)#​int gig0/0
 +R2(config-if)#​ip tcp adj
 +R2(config-if)#​ip tcp adjust-mss 1332
 +R2(config-if)#​int gig0/1
 +R2(config-if)#​no ip address ​
 +R2(config-if)#​pppoe
 +R2(config-if)#​pppoe enabl
 +R2(config-if)#​pppoe enable gro
 +R2(config-if)#​pppoe enable group glo
 +R2(config-if)#​pppoe enable group global ​
 +R2(config-if)#​
 +*Apr 21 07:​10:​45.180:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access1,​ changed state to up
 +R2(config-if)#​p
 +*Apr 21 07:​10:​45.184:​ %LINK-3-UPDOWN:​ Interface Virtual-Access1,​ changed state to upp
 +R2(config-if)#​pppoe-cli
 +R2(config-if)#​pppoe-client dial
 +R2(config-if)#​pppoe-client dial-pool-number 10
 +R2(config-if)#​no cdp
 +R2(config-if)#​no cdp en
 +R2(config-if)#​no cdp enable ​
 +R2(config-if)#​int tunn0
 +R2(config-if)#​
 +*Apr 21 07:​11:​01.908:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to down
 +R2(config-if)#​ip add
 +R2(config-if)#​ip address 192.168.12.2 255.255.255.0
 +R2(config-if)#​ip mt
 +R2(config-if)#​ip mtu 1372
 +R2(config-if)#​tunn
 +R2(config-if)#​tunnel sou
 +R2(config-if)#​tunnel source Di
 +R2(config-if)#​tunnel source Dialer 1
 +R2(config-if)#​tunn
 +R2(config-if)#​tunnel desi
 +R2(config-if)#​tunnel desti
 +R2(config-if)#​tunnel destination 100.0.0.1
 +R2(config-if)#​int dia1
 +R2(config-if)#​ip unnu
 +R2(config-if)#​ip unnumbered Lo1
 +R2(config-if)#​ip mt
 +R2(config-if)#​ip mtu 1454
 +R2(config-if)#​enca
 +R2(config-if)#​encapsulation ppp dia
 +R2(config-if)#​encapsulation ppp    ​
 +R2(config-if)#​dia
 +R2(config-if)#​dialer poo
 +R2(config-if)#​dialer pool ?
 +  <​1-255> ​ Dialer pool number
 +
 +R2(config-if)#​dialer pool 10
 +R2(config-if)#​diale
 +R2(config-if)#​dialer
 +*Apr 21 08:​24:​59.932:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​24:​59.937:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​25:​01.832:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R2(config-if)#​dialer-g
 +*Apr 21 08:​25:​01.849:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R2(config-if)#​dialer-gr
 +R2(config-if)#​dialer-group 20
 +R2(config-if)#​ppp auth
 +R2(config-if)#​ppp auth
 +R2(config-if)#​ppp authe
 +R2(config-if)#​ppp auth?          ​
 +authentication ​ authorization  ​
 +
 +R2(config-if)#​ppp authe
 +R2(config-if)#​ppp authentication ​
 +*Apr 21 08:​25:​24.154:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​25:​24.156:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​25:​24.266:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R2(config-if)#​ppp authentication ​
 +*Apr 21 08:​25:​24.282:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R2(config-if)#​ppp authentication chap
 +R2(config-if)#​ppp authentication chap call
 +R2(config-if)#​ppp authentication chap calli
 +R2(config-if)#​ppp authentication chap callin ​
 +R2(config-if)#​ppp cha
 +R2(config-if)#​ppp chap hos
 +R2(config-if)#​ppp chap hostname ccie@example.com
 +R2(config-if)#​ppp chap password ​
 +*Apr 21 08:​25:​46.486:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​25:​46.490:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​25:​46.586:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R2(config-if)#​ppp chap password cc1
 +*Apr 21 08:​25:​46.601:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R2(config-if)#​ppp chap password cc13
 +R2(config-if)#​cry
 +R2(config-if)#​crypto ma
 +R2(config-if)#​crypto map M-ipsec
 +R2(config-if)#​
 +*Apr 21 08:​26:​04.464:​ %CRYPTO-6-ISAKMP_ON_OFF:​ ISAKMP is ON
 +R2(config-if)#​ip acce
 +R2(config-if)#​ip access-group A-
 +*Apr 21 08:​26:​08.819:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +R2(config-if)#​ip access-group A-secur
 +*Apr 21 08:​26:​08.824:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to upity in
 +R2(config-if)#​ip access-group A-security in
 +*Apr 21 08:​26:​10.668:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access2,​ changed state to up
 +R2(config-if)#​ip access-group A-security in
 +R2(config-if)#​no cdp en
 +R2(config-if)#​no cdp enable ​
 +R2(config-if)#​no shut
 +R2(config-if)#​no shutdown ​
 +R2(config-if)#​exit
 +R2(config)#​ip route 0.0.0.0 0.0.0.0 Dia
 +R2(config)#​ip route 0.0.0.0 0.0.0.0 Dialer 1
 +R2(config)#​router ospf 1
 +R2(config-router)#​netwo
 +R2(config-router)#​network 10.
 +*Apr 21 08:​26:​41.275:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to up
 +R2(config-router)#​network 10.200.0.2 0.0.0.0 area 0
 +R2(config-router)#​netwo
 +R2(config-router)#​network 192.168.12.2 0.0.0.0 area 0
 +R2(config-router)#​exit
 +R2(config)#​ip acce
 +R2(config)#​ip access-list exte
 +R2(config)#​ip access-list extended A-ipsec
 +R2(config-ext-nacl)#​permi
 +R2(config-ext-nacl)#​permit gre host 200.0.0.2 hos
 +R2(config-ext-nacl)#​permit gre host 200.0.0.2 host 100.0.0.1
 +R2(config-ext-nacl)#​exit
 +R2(config)#​ip ​
 +*Apr 21 08:​28:​05.450:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
 +R2(config)#​ip acc
 +R2(config)#​ip acce
 +R2(config)#​ip access-list exte
 +R2(config)#​ip access-list extended A-security
 +R2(config-ext-nacl)#​permit esp host 100.0.0.1 host 200.0.0.2
 +R2(config-ext-nacl)#​permi
 +R2(config-ext-nacl)#​permit udp host 100.0.0.1 host 200.0.0.2 eq isakm
 +R2(config-ext-nacl)#​permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp ​
 +R2(config-ext-nacl)#​permi
 +R2(config-ext-nacl)#​permit gre hos
 +R2(config-ext-nacl)#​permit gre host 100.0.0.1 host 200.0.0.2
 +R2(config-ext-nacl)#​permit icmp any any
 +R2(config-ext-nacl)#​exit
 +R2(config)#​dialer
 +R2(config)#​dialer-li
 +R2(config)#​dialer-list 20 pro
 +R2(config)#​dialer-list 20 protocol ip
 +R2(config)#​dialer-list 20 protocol ip per
 +R2(config)#​dialer-list 20 protocol ip permit ​
 +R2(config)#​^Z
 +R2#
 +*Apr 21 08:​29:​29.695:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +R2#sh ip ospf neigh
 +
 +Neighbor ID     ​Pri ​  ​State ​          Dead Time   ​Address ​        ​Interface
 +100.0.0.1 ​        ​0 ​  ​FULL/ ​ -        00:​00:​37 ​   192.168.12.1 ​   Tunnel0
 +R2#sh ip ro ospf
 +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 +       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 +       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 +       E1 - OSPF external type 1, E2 - OSPF external type 2
 +       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 +       ia - IS-IS inter area, * - candidate default, U - per-user static route
 +       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 +       a - application route
 +       + - replicated route, % - next hop override, p - overrides from PfR
 +
 +Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 +
 +      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
 +O        10.100.0.0/​24 [110/1001] via 192.168.12.1,​ 00:02:14, Tunnel0
 +O     ​192.168.16.0/​24 [110/2000] via 192.168.12.1,​ 00:02:14, Tunnel0
 +R2#ping 192.168.16.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.16.1,​ timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/20 ms
 +R2#ping 192.168.16.6
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.16.6,​ timeout is 2 seconds:
 +.....
 +Success rate is 0 percent (0/5)
 +R2#ping 192.168.16.6
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.16.6,​ timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 21/24/32 ms
 +R2#
 +</​code>​
 +
 +<​code>​
 +R6#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R6(config)#​cry
 +R6(config)#​crypto isakm
 +R6(config)#​crypto isakmp poli
 +R6(config)#​crypto isakmp policy 1
 +R6(config-isakmp)#​ecn
 +R6(config-isakmp)#​encr
 +R6(config-isakmp)#​encryption aes
 +R6(config-isakmp)#​encryption aes 
 +R6(config-isakmp)#​has
 +R6(config-isakmp)#​hash sh
 +R6(config-isakmp)#​hash sha
 +R6(config-isakmp)#​auh
 +R6(config-isakmp)#​auth
 +R6(config-isakmp)#​authentication pre
 +R6(config-isakmp)#​authentication pre-share ​
 +R6(config-isakmp)#​gr
 +R6(config-isakmp)#​group 2
 +R6(config-isakmp)#​exit
 +R6(config)#​cry
 +R6(config)#​crypto isak
 +R6(config)#​crypto isakmp key pg1xpsk address 100.0.0.1
 +R6(config)#​cry
 +R6(config)#​crypto isakm
 +R6(config)#​crypto isakmp kee
 +R6(config)#​crypto isakmp keepalive 30 on-de
 +R6(config)#​crypto isakmp keepalive 30 on-demand ​
 +R6(config)#​cry
 +R6(config)#​crypto ipsec trans
 +R6(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-h
 +R6(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac ​
 +R6(cfg-crypto-trans)#​mod
 +R6(cfg-crypto-trans)#​mode tra
 +R6(cfg-crypto-trans)#​mode transport ​
 +R6(cfg-crypto-trans)#​exit
 +R6(config)#​cryp
 +R6(config)#​crypto ma
 +R6(config)#​crypto map M-ipsec 1 ipsec-isakm
 +R6(config)#​crypto map M-ipsec 1 ipsec-isakmp ​
 +% NOTE: This new crypto map will remain disabled until a peer
 +        and a valid access list have been configured.
 +R6(config-crypto-map)#​set pee
 +R6(config-crypto-map)#​set peer 100.0.0.1
 +R6(config-crypto-map)#​set tra
 +R6(config-crypto-map)#​set transform-set IPSEC
 +R6(config-crypto-map)#​mat
 +R6(config-crypto-map)#​match add
 +R6(config-crypto-map)#​match address A-ipsec
 +R6(config-crypto-map)#​exit
 +R6(config)#​int lo1
 +R6(config-if)#​ip a
 +*Apr 21 08:​42:​20.177:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Loopback1, changed state to up
 +R6(config-if)#​ip addre
 +R6(config-if)#​ip address 106.0.0.6 255.255.255.255
 +R6(config-if)#​inter
 +R6(config-if)#​int gig0/0
 +R6(config-if)#​ip tc
 +R6(config-if)#​ip tcp ad
 +R6(config-if)#​ip tcp adjust-mss 1332
 +R6(config-if)#​int gig0/1
 +R6(config-if)#​no ip add
 +R6(config-if)#​no ip address ​
 +R6(config-if)#​pppoe
 +R6(config-if)#​pppoe ena
 +R6(config-if)#​pppoe enable grou
 +R6(config-if)#​pppoe enable group globa
 +R6(config-if)#​pppoe enable group global ​
 +R6(config-if)#​ppp
 +*Apr 21 08:​44:​04.968:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access1,​ changed state to up
 +R6(config-if)#​pppoe
 +R6(config-if)#​pppoe
 +*Apr 21 08:​44:​04.975:​ %LINK-3-UPDOWN:​ Interface Virtual-Access1,​ changed state to up
 +R6(config-if)#​pppoe-cli
 +R6(config-if)#​pppoe-client dial
 +R6(config-if)#​pppoe-client dial-pool-number 10
 +R6(config-if)#​no cdp ena
 +R6(config-if)#​no cdp enable ​
 +R6(config-if)#​exit
 +R6(config)#​inter tunn
 +R6(config)#​inter tunnel 0
 +R6(config-if)#​
 +*Apr 21 08:​44:​25.068:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to down
 +R6(config-if)#​ip address 192.168.16.6 255.255.255.0
 +R6(config-if)#​ip mt
 +R6(config-if)#​ip mtu 1372
 +R6(config-if)#​tunne
 +R6(config-if)#​tunnel so
 +R6(config-if)#​tunnel source Dia
 +R6(config-if)#​tunnel source Dialer 1
 +R6(config-if)#​tunne
 +R6(config-if)#​tunnel desti
 +R6(config-if)#​tunnel destination 100.0.0.1
 +R6(config-if)#​exit
 +R6(config)#​int Dia
 +R6(config)#​int Dialer 1
 +R6(config-if)#​ip unnu
 +R6(config-if)#​ip unnumbered Lo1
 +R6(config-if)#​ip mt
 +R6(config-if)#​ip mtu 1454
 +R6(config-if)#​enca
 +R6(config-if)#​encapsulation ppp
 +R6(config-if)#​dial
 +R6(config-if)#​dialer poo
 +R6(config-if)#​dialer pool 10
 +R6(config-if)#​dial
 +R6(config-if)#​dialer-gr
 +R6(config-if)#​dialer-group ​
 +*Apr 21 08:​46:​20.268:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​46:​20.275:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​46:​22.144:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R6(config-if)#​dialer-group 2
 +*Apr 21 08:​46:​22.160:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R6(config-if)#​dialer-group 20
 +R6(config-if)#​ppp authe
 +R6(config-if)#​ppp authentication chap call
 +R6(config-if)#​ppp authentication chap calli
 +R6(config-if)#​ppp authentication chap call?  ​
 +WORD  callback ​ callin ​ callout
 +
 +R6(config-if)#​ppp authentication chap calli
 +R6(config-if)#​ppp authentication chap callin ​
 +R6(config-if)#​ppp chap hostname ccie@example.com
 +*Apr 21 08:​46:​44.462:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​46:​44.467:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​46:​44.576:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R6(config-if)#​ppp chap hostname ccie@example.com
 +*Apr 21 08:​46:​44.593:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R6(config-if)#​ppp chap hostname ccie@example.com
 +*Apr 21 08:​47:​06.798:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​47:​06.801:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​47:​06.895:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R6(config-if)#​ppp chap hostname ccie@example.com
 +*Apr 21 08:​47:​06.911:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R6(config-if)#​ppp chap hostname ccie@isp3.pg1x.net
 +R6(config-if)#​ppp chap pass
 +R6(config-if)#​ppp chap password cc
 +*Apr 21 08:​47:​29.116:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​47:​29.120:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​47:​29.223:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R6(config-if)#​ppp chap password cc13
 +*Apr 21 08:​47:​29.250:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R6(config-if)#​ppp chap password cc13
 +R6(config-if)#​
 +*Apr 21 08:​47:​51.476:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +R6(config-if)#​
 +*Apr 21 08:​47:​51.480:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +R6(config-if)#​
 +*Apr 21 08:​47:​53.274:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access2,​ changed state to up
 +R6(config-if)#​cry
 +R6(config-if)#​crypto ma
 +R6(config-if)#​crypto map M-ipsec
 +R6(config-if)#​
 +*Apr 21 08:​48:​26.573:​ %CRYPTO-6-ISAKMP_ON_OFF:​ ISAKMP is ON
 +R6(config-if)#​ip access
 +R6(config-if)#​ip access-group A-security in
 +R6(config-if)#​no cdp en
 +R6(config-if)#​no cdp enable ​
 +R6(config-if)#​no shut
 +R6(config-if)#​no shutdown ​
 +R6(config-if)#​exit
 +R6(config)#​ip route 0.0.0.0 0.0.0.0 Dia
 +R6(config)#​ip route 0.0.0.0 0.0.0.0 Dialer 1
 +R6(config)#​router os
 +*Apr 21 08:​49:​14.081:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to up
 +R6(config)#​router ospf 1
 +R6(config-router)#​netwo
 +R6(config-router)#​network 10.6.0.6 0.0.0.0 area 0
 +R6(config-router)#​netwo
 +R6(config-router)#​network 192.168.16.6 0.0.0.0 area
 +R6(config-router)#​network 192.168.16.6 0.0.0.0 area 0
 +R6(config-router)#​exit
 +R6(config)#​ip acce
 +R6(config)#​ip access-list exte
 +R6(config)#​ip access-list extended A-ipsec
 +R6(config-ext-nacl)#​per
 +R6(config-ext-nacl)#​permit gre hos
 +R6(config-ext-nacl)#​permit gre host 106.0.0.6 hos
 +R6(config-ext-nacl)#​permit gre host 106.0.0.6 host 100.0.0.1
 +R6(config-ext-nacl)#​exit
 +R6(config)#​ip
 +*Apr 21 08:​52:​11.958:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
 +R6(config)#​ip acce
 +R6(config)#​ip access-list exte
 +R6(config)#​ip access-list extended A-security
 +R6(config-ext-nacl)#​permi
 +R6(config-ext-nacl)#​permit esp hos
 +R6(config-ext-nacl)#​permit esp host 100.0.0.1 hsot 106.0.0.6
 +                                               ^
 +% Invalid input detected at '​^'​ marker.
 +
 +R6(config-ext-nacl)#​permit esp host 100.0.0.1 hoot 106.0.0.6
 +                                                ^
 +% Invalid input detected at '​^'​ marker.
 +
 +R6(config-ext-nacl)#​permit esp host 100.0.0.1 host 106.0.0.6  ​
 +R6(config-ext-nacl)#​permi
 +R6(config-ext-nacl)#​permit gre host 100.0.0.1 host 106.0.0.6 ​
 +R6(config-ext-nacl)#​permit icm
 +R6(config-ext-nacl)#​permit icmp an
 +R6(config-ext-nacl)#​permit icmp any an
 +R6(config-ext-nacl)#​permit icmp any any 
 +R6(config-ext-nacl)#​exit ​         ​
 +R6(config)#​dialer
 +R6(config)#​dialer-lis
 +R6(config)#​dialer-list 20 proto
 +R6(config)#​dialer-list 20 protocol ip permi
 +R6(config)#​dialer-list 20 protocol ip permit ​
 +R6(config)#​^Z
 +R6#
 +*Apr 21 08:​54:​15.610:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +R6#ping 100.0.0.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/11 ms
 +R6#ping 200.0.0.2
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/11 ms
 +R6#sh ip ospf neigh
 +
 +Neighbor ID     ​Pri ​  ​State ​          Dead Time   ​Address ​        ​Interface
 +100.0.0.1 ​        ​0 ​  ​FULL/ ​ -        00:​00:​37 ​   192.168.16.1 ​   Tunnel0
 +R6#sh ip ro   
 +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 +       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 +       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 +       E1 - OSPF external type 1, E2 - OSPF external type 2
 +       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 +       ia - IS-IS inter area, * - candidate default, U - per-user static route
 +       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 +       a - application route
 +       + - replicated route, % - next hop override, p - overrides from PfR
 +
 +Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 +
 +S*    0.0.0.0/0 is directly connected, Dialer1
 +      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
 +C        10.6.0.0/24 is directly connected, GigabitEthernet0/​0
 +L        10.6.0.6/32 is directly connected, GigabitEthernet0/​0
 +O        10.100.0.0/​24 [110/1001] via 192.168.16.1,​ 00:02:54, Tunnel0
 +O        10.200.0.0/​24 [110/2001] via 192.168.16.1,​ 00:02:54, Tunnel0
 +      106.0.0.0/​32 is subnetted, 2 subnets
 +C        106.0.0.6 is directly connected, Loopback1
 +C        106.5.6.5 is directly connected, Dialer1
 +O     ​192.168.12.0/​24 [110/2000] via 192.168.16.1,​ 00:02:54, Tunnel0
 +      192.168.16.0/​24 is variably subnetted, 2 subnets, 2 masks
 +C        192.168.16.0/​24 is directly connected, Tunnel0
 +L        192.168.16.6/​32 is directly connected, Tunnel0
 +R6#                ​
 +</​code>​
 +
 +<​code>​
 +PC-2> ping 10.100.0.101
 +84 bytes from 10.100.0.101 icmp_seq=1 ttl=62 time=27.656 ms
 +84 bytes from 10.100.0.101 icmp_seq=2 ttl=62 time=11.363 ms
 +84 bytes from 10.100.0.101 icmp_seq=3 ttl=62 time=13.107 ms
 +84 bytes from 10.100.0.101 icmp_seq=4 ttl=62 time=12.313 ms
 +84 bytes from 10.100.0.101 icmp_seq=5 ttl=62 time=11.717 ms
 +
 +PC-2> ping 192.168.16.6 ​
 +84 bytes from 192.168.16.6 icmp_seq=1 ttl=253 time=20.835 ms
 +84 bytes from 192.168.16.6 icmp_seq=2 ttl=253 time=19.752 ms
 +84 bytes from 192.168.16.6 icmp_seq=3 ttl=253 time=21.734 ms
 +84 bytes from 192.168.16.6 icmp_seq=4 ttl=253 time=24.609 ms
 +84 bytes from 192.168.16.6 icmp_seq=5 ttl=253 time=22.443 ms
 +
 +PC-2> ping 10.6.0.105
 +84 bytes from 10.6.0.105 icmp_seq=1 ttl=61 time=37.842 ms
 +84 bytes from 10.6.0.105 icmp_seq=2 ttl=61 time=19.384 ms
 +84 bytes from 10.6.0.105 icmp_seq=3 ttl=61 time=19.323 ms
 +84 bytes from 10.6.0.105 icmp_seq=4 ttl=61 time=19.056 ms
 +84 bytes from 10.6.0.105 icmp_seq=5 ttl=61 time=19.007 ms
 +
 +PC-2> ​
 +
 +</​code>​
 +
 +<​code>​
 +R1#sh ip int brief
 +Interface ​                 IP-Address ​     OK? Method Status ​               Protocol
 +GigabitEthernet0/​0 ​        ​10.100.0.1 ​     YES NVRAM  up                    up      ​
 +GigabitEthernet0/​1 ​        ​unassigned ​     YES NVRAM  up                    up      ​
 +GigabitEthernet0/​2 ​        ​unassigned ​     YES NVRAM  administratively down down    ​
 +GigabitEthernet0/​3 ​        ​unassigned ​     YES NVRAM  administratively down down    ​
 +Dialer1 ​                   100.0.0.1 ​      YES TFTP   ​up ​                   up      ​
 +Loopback1 ​                 100.0.0.1 ​      YES manual up                    up      ​
 +Tunnel0 ​                   192.168.12.1 ​   YES manual up                    up      ​
 +Tunnel1 ​                   192.168.16.1 ​   YES manual up                    up      ​
 +Virtual-Access1 ​           unassigned ​     YES unset  up                    up      ​
 +Virtual-Access2 ​           unassigned ​     YES unset  up                    up      ​
 +R1#show ip ospf neighbo
 +R1#show ip ospf neighbor ​
 +
 +Neighbor ID     ​Pri ​  ​State ​          Dead Time   ​Address ​        ​Interface
 +106.0.0.6 ​        ​0 ​  ​FULL/ ​ -        00:​00:​34 ​   192.168.16.6 ​   Tunnel1
 +200.0.0.2 ​        ​0 ​  ​FULL/ ​ -        00:​00:​34 ​   192.168.12.2 ​   Tunnel0
 +R1#show cryp
 +R1#show crypto isakm
 +R1#show crypto ipsec sa 
 +
 +interface: Dialer1
 +    Crypto map tag: M-ipsec, local addr 100.0.0.1
 +
 +   ​protected vrf: (none)
 +   ​local ​ ident (addr/​mask/​prot/​port):​ (100.0.0.1/​255.255.255.255/​47/​0)
 +   ​remote ident (addr/​mask/​prot/​port):​ (106.0.0.6/​255.255.255.255/​47/​0)
 +   ​current_peer 106.0.0.6 port 500
 +     ​PERMIT,​ flags={origin_is_acl,​}
 +    #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
 +    #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
 +    #pkts compressed: 0, #pkts decompressed:​ 0
 +    #pkts not compressed: 0, #pkts compr. failed: 0
 +    #pkts not decompressed:​ 0, #pkts decompress failed: 0
 +    #send errors 0, #recv errors 0
 +
 +     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 106.0.0.6
 +     ​plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
 +     ​current outbound spi: 0x4566DF3D(1164369725)
 +     PFS (Y/N): N, DH group: none
 +
 +     ​inbound esp sas:
 +      spi: 0x28335F48(674455368)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4349249/​2911)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​inbound ah sas:
 +
 +     ​inbound pcp sas:
 +
 +     ​outbound esp sas:
 +      spi: 0x4566DF3D(1164369725)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4349249/​2911)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​outbound ah sas:
 +          ​
 +     ​outbound pcp sas:
 +
 +   ​protected vrf: (none)
 +   ​local ​ ident (addr/​mask/​prot/​port):​ (100.0.0.1/​255.255.255.255/​47/​0)
 +   ​remote ident (addr/​mask/​prot/​port):​ (200.0.0.2/​255.255.255.255/​47/​0)
 +   ​current_peer 200.0.0.2 port 500
 +     ​PERMIT,​ flags={origin_is_acl,​}
 +    #pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
 +    #pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264
 +    #pkts compressed: 0, #pkts decompressed:​ 0
 +    #pkts not compressed: 0, #pkts compr. failed: 0
 +    #pkts not decompressed:​ 0, #pkts decompress failed: 0
 +    #send errors 0, #recv errors 0
 +
 +     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
 +     ​plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
 +     ​current outbound spi: 0x8A138AFC(2316536572)
 +     PFS (Y/N): N, DH group: none
 +
 +     ​inbound esp sas:
 +      spi: 0x59DDE95E(1507715422)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4375654/​1464)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​inbound ah sas:
 +
 +     ​inbound pcp sas:
 +
 +     ​outbound esp sas:
 +      spi: 0x8A138AFC(2316536572)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4375654/​1464)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​outbound ah sas:
 +
 +     ​outbound pcp sas:
 +R1#show crypto ipsec sa
 +
 +interface: Dialer1
 +    Crypto map tag: M-ipsec, local addr 100.0.0.1
 +
 +   ​protected vrf: (none)
 +   ​local ​ ident (addr/​mask/​prot/​port):​ (100.0.0.1/​255.255.255.255/​47/​0)
 +   ​remote ident (addr/​mask/​prot/​port):​ (106.0.0.6/​255.255.255.255/​47/​0)
 +   ​current_peer 106.0.0.6 port 500
 +     ​PERMIT,​ flags={origin_is_acl,​}
 +    #pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104
 +    #pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104
 +    #pkts compressed: 0, #pkts decompressed:​ 0
 +    #pkts not compressed: 0, #pkts compr. failed: 0
 +    #pkts not decompressed:​ 0, #pkts decompress failed: 0
 +    #send errors 0, #recv errors 0
 +
 +     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 106.0.0.6
 +     ​plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
 +     ​current outbound spi: 0x4566DF3D(1164369725)
 +     PFS (Y/N): N, DH group: none
 +
 +     ​inbound esp sas:
 +      spi: 0x28335F48(674455368)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4349248/​2828)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​inbound ah sas:
 +
 +     ​inbound pcp sas:
 +
 +     ​outbound esp sas:
 +      spi: 0x4566DF3D(1164369725)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4349248/​2828)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​outbound ah sas:
 +          ​
 +     ​outbound pcp sas:
 +
 +   ​protected vrf: (none)
 +   ​local ​ ident (addr/​mask/​prot/​port):​ (100.0.0.1/​255.255.255.255/​47/​0)
 +   ​remote ident (addr/​mask/​prot/​port):​ (200.0.0.2/​255.255.255.255/​47/​0)
 +   ​current_peer 200.0.0.2 port 500
 +     ​PERMIT,​ flags={origin_is_acl,​}
 +    #pkts encaps: 271, #pkts encrypt: 271, #pkts digest: 271
 +    #pkts decaps: 273, #pkts decrypt: 273, #pkts verify: 273
 +    #pkts compressed: 0, #pkts decompressed:​ 0
 +    #pkts not compressed: 0, #pkts compr. failed: 0
 +    #pkts not decompressed:​ 0, #pkts decompress failed: 0
 +    #send errors 0, #recv errors 0
 +
 +     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
 +     ​plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
 +     ​current outbound spi: 0x8A138AFC(2316536572)
 +     PFS (Y/N): N, DH group: none
 +
 +     ​inbound esp sas:
 +      spi: 0x59DDE95E(1507715422)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4375652/​1381)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​inbound ah sas:
 +
 +     ​inbound pcp sas:
 +
 +     ​outbound esp sas:
 +      spi: 0x8A138AFC(2316536572)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4375653/​1381)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​outbound ah sas:
 +
 +     ​outbound pcp sas:
 +R1#
 +</​code>​
 +
 +ping and capture packets.
 +
 +{{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190421-091923.png}}
 +
 +<​code>​
 +R2#ping 10.6.0.105 repeat 100000
 +Type escape sequence to abort.
 +Sending 100000, 100-byte ICMP Echos to 10.6.0.105, timeout is 2 seconds:
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!.
 +Success rate is 99 percent (1347/​1348),​ round-trip min/avg/max = 9/26/90 ms
 +R2#
 +</​code>​
 +
 +{{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190421-091935.png}}
 +
 +{{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190421-091941.png}}
 +
 +{{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190421-091947.png}}
  
 ===== References ===== ===== References =====
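Review bot: the A-security list entered at the `R6(config-ext-nacl)#` prompts has no ISAKMP entry, although it is bound inbound on Dialer 1 with `ip access-group A-security in`. It permits only `esp` and `gre` from 100.0.0.1 plus `icmp any any`, whereas the R2 version of the same list earlier on the page also carries a `permit udp ... eq isakmp` line. The log shows the OSPF adjacency on Tunnel0 reaching FULL at 08:52:11, before the A-security entries are typed, so the SAs in the later `show crypto ipsec sa` output were negotiated before the filter had any entries, and the transcript never shows IKE passing the finished list. With the implicit deny at the end of the list, UDP 500 from 100.0.0.1 would be dropped the next time the SAs are renegotiated. Suggest adding `permit udp host 100.0.0.1 host 106.0.0.6 eq isakmp` to match R2, then clearing the SAs and re-running the pings to confirm the tunnel re-establishes through the filter. Separately, the session records the `ppp chap password` value in clear; a placeholder would serve the walkthrough equally well.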
tech/network/cisco/vpn/tunneling/gre-over-ipsec/gre-over-ipsec.txt · Last modified: 2019/04/21 09:20 by wnoguchi