Differences

This shows you the differences between two versions of the page.

tech:network:cisco:vpn:tunneling:gre-over-ipsec:gre-over-ipsec [2019/04/16 22:55]
wnoguchi
tech:network:cisco:vpn:tunneling:gre-over-ipsec:gre-over-ipsec [2019/04/21 09:20] (current)
wnoguchi
Line 3: Line 3:
 {{tag>​GRE-over-IPsec GRE IPsec VPN Cisco Networking Secuirty Encryption}} {{tag>​GRE-over-IPsec GRE IPsec VPN Cisco Networking Secuirty Encryption}}
  
-===== Topology =====+===== Topology: 1:1 GRE over IPsec =====
  
 {{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190414-220343.png}} {{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190414-220343.png}}
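Review bot: The tag line kept as context directly above the renamed heading still spells "Secuirty". Since this revision edits the neighbouring line, correct it to "Security" in the same change so the page is listed under the intended tag.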
Line 9: Line 9:
 ==== IP ==== ==== IP ====
  
-Project name: ''​ccna-vpn-gre-0002-gre-over-ipsec''​+Project name: ''​ccna-vpn-gre-0002-gre-over-ipsec-1''​
  
   * R1   * R1
Line 29: Line 29:
 exit exit
 interface GigabitEthernet 0/1 interface GigabitEthernet 0/1
-ip address 100.0.0.1 255.255.0.0 
 no shutdown no shutdown
 exit exit
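Review bot: Removing "ip address 100.0.0.1 255.255.0.0" leaves "interface GigabitEthernet 0/1" with only "no shutdown", and nothing in this block says where 100.0.0.1 now lives. The Verification transcript added later in this revision puts it on Loopback1 as a /32 and makes Dialer 1 "ip unnumbered lo1"; add a one-line "!" comment here saying the port is the PPPoE uplink and carries no address, so the base config can be read on its own.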
Line 55: Line 54:
 exit exit
 interface GigabitEthernet 0/1 interface GigabitEthernet 0/1
-ip address 200.0.0.2 255.255.0.0 
 no shutdown no shutdown
 exit exit
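Review bot: On R2, "interface GigabitEthernet 0/1" loses "ip address 200.0.0.2 255.255.0.0" with no replacement line. The R2 transcript in this revision types "no ip address" on gig0/1 before enabling PPPoE, so the pasted config should carry that line too; otherwise re-applying it to a router built from the previous revision leaves the old /16 on the PPPoE-facing port.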
Line 365: Line 363:
 ! !
 interface Tunnel 0 interface Tunnel 0
- ip address 192.168.0.1 255.255.255.252+ ip address 192.168.12.1 255.255.255.252
  ip mtu 1372  ip mtu 1372
  ​tunnel source Dialer 1  ​tunnel source Dialer 1
Line 390: Line 388:
 router ospf 1 router ospf 1
  ​network 10.100.0.1 0.0.0.0 area 0  ​network 10.100.0.1 0.0.0.0 area 0
- ​network 192.168.0.1 0.0.0.0 area 0+ ​network 192.168.12.1 0.0.0.0 area 0
 exit exit
 ! !
Line 465: Line 463:
 ! !
 interface Tunnel 0 interface Tunnel 0
- ip address 192.168.0.2 255.255.255.252+ ip address 192.168.12.2 255.255.255.252
  ip mtu 1372  ip mtu 1372
  ​tunnel source Dialer 1  ​tunnel source Dialer 1
Line 490: Line 488:
 router ospf 1 router ospf 1
  ​network 10.200.0.2 0.0.0.0 area 0  ​network 10.200.0.2 0.0.0.0 area 0
- ​network 192.168.0.2 0.0.0.0 area 0+ ​network 192.168.12.2 0.0.0.0 area 0
 exit exit
 ! !
Line 509: Line 507:
 end end
 </​code>​ </​code>​
 +
 +==== Verification ====
 +
 +<​code>​
 +R1#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R1(config)#​cryp
 +R1(config)#​crypto isakm
 +R1(config)#​crypto isakmp po
 +R1(config)#​crypto isakmp policy 1
 +R1(config-isakmp)#​enc
 +R1(config-isakmp)#​encryption 3de
 +R1(config-isakmp)#​encryption 3des 
 +R1(config-isakmp)#​has
 +R1(config-isakmp)#​hash md
 +R1(config-isakmp)#​hash md5 
 +R1(config-isakmp)#​auth
 +R1(config-isakmp)#​authentication pre-
 +R1(config-isakmp)#​authentication pre-share ​
 +R1(config-isakmp)#​gro
 +R1(config-isakmp)#​group 2
 +R1(config-isakmp)#​exit
 +R1(config)#​cry
 +R1(config)#​crypto isak
 +R1(config)#​crypto isakmp key
 +R1(config)#​crypto isakmp key pg1xpsk add
 +R1(config)#​crypto isakmp key pg1xpsk address 200.0.0.2
 +R1(config)#​cryp
 +R1(config)#​crypto isak
 +R1(config)#​crypto isakmp keepali
 +R1(config)#​crypto isakmp keepalive 30 on-de
 +R1(config)#​crypto isakmp keepalive 30 on-demand ​
 +R1(config)#​crypto
 +R1(config)#​crypto isakm
 +R1(config)#​cryp ​         ​
 +R1(config)#​crypto ipse
 +R1(config)#​crypto ipsec trans
 +R1(config)#​crypto ipsec transform-set IPSEC esp-3de
 +R1(config)#​crypto ipsec transform-set IPSEC esp-3des esp-md
 +R1(config)#​crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac ​
 +R1(cfg-crypto-trans)#​mod
 +R1(cfg-crypto-trans)#​mode trans
 +R1(cfg-crypto-trans)#​mode transport ​
 +R1(cfg-crypto-trans)#​exit
 +R1(config)#​crypto
 +R1(config)#​crypto map
 +R1(config)#​crypto map M-ipsec 1 ipsec-isakm
 +R1(config)#​crypto map M-ipsec 1 ipsec-isakmp ​
 +% NOTE: This new crypto map will remain disabled until a peer
 +        and a valid access list have been configured.
 +R1(config-crypto-map)#​set peer
 +R1(config-crypto-map)#​set peer 200.0.0.2
 +R1(config-crypto-map)#​set tran
 +R1(config-crypto-map)#​set transform-set IPSEC
 +R1(config-crypto-map)#​mat
 +R1(config-crypto-map)#​match add
 +R1(config-crypto-map)#​match address A-ipsec
 +R1(config-crypto-map)#​exit
 +R1(config)#​int lo1
 +R1(config-if)#​ip add
 +R1(config-if)#​ip address ​
 +*Apr 17 21:​54:​02.848:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Loopback1, changed state to up
 +R1(config-if)#​ip address 100.0.0.1 255.255.255.255
 +R1(config-if)#​int gig0/0
 +R1(config-if)#​ip tcp adj
 +R1(config-if)#​ip tcp adjust-mss 1332
 +R1(config-if)#​int gig0/1
 +R1(config-if)#​cd
 +R1(config-if)#​cdp en
 +R1(config-if)#​cdp enable ​
 +% Cannot enable CDP on this interface, since CDP is not running
 +R1(config-if)#​no cdp enable ​
 +R1(config-if)#​pppoe
 +R1(config-if)#​pppoe en
 +R1(config-if)#​pppoe enable gro
 +R1(config-if)#​pppoe enable group globa
 +R1(config-if)#​pppoe enable group global ​
 +R1(config-if)#​ppp
 +*Apr 17 22:​02:​48.726:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access1,​ changed state to up
 +R1(config-if)#​pppoe
 +*Apr 17 22:​02:​48.731:​ %LINK-3-UPDOWN:​ Interface Virtual-Access1,​ changed state to up
 +R1(config-if)#​pppoe-cli
 +R1(config-if)#​pppoe-client dial
 +R1(config-if)#​pppoe-client dial-pool-number 10
 +R1(config-if)#​int tun0
 +R1(config-if)#​ip a
 +*Apr 17 22:​03:​06.346:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to down
 +R1(config-if)#​ip add
 +R1(config-if)#​ip address 192.168.0.1 255.255.255.252
 +R1(config-if)#​ip mt
 +R1(config-if)#​ip mtu 1372
 +R1(config-if)#​tu
 +R1(config-if)#​tunnel so
 +R1(config-if)#​tunnel source Di
 +R1(config-if)#​tunnel source Dialer 1
 +R1(config-if)#​tu
 +R1(config-if)#​tunnel des
 +R1(config-if)#​tunnel destination 200.0.0.2
 +R1(config-if)#​int dia 1
 +R1(config-if)#​ip unnum
 +R1(config-if)#​ip unnumbered lo1
 +R1(config-if)#​ip mt
 +R1(config-if)#​ip mtu 1454
 +R1(config-if)#​enca
 +R1(config-if)#​encapsulation ppp
 +R1(config-if)#​dia
 +R1(config-if)#​dialer poo
 +R1(config-if)#​dialer pool 10
 +R1(config-if)#​dia
 +R1(config-if)#​dialer-gr
 +R1(config-if)#​dialer-group 20
 +R1(config-if)#​ppp
 +*Apr 17 22:​04:​13.522:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 17 22:​04:​13.527:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 17 22:​04:​15.350:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R1(config-if)#​p  ​
 +*Apr 17 22:​04:​15.369:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R1(config-if)#​ppp auth
 +R1(config-if)#​ppp authe
 +R1(config-if)#​ppp authentication chap calli
 +R1(config-if)#​ppp authentication chap callin ​
 +R1(config-if)#​ppp cha
 +R1(config-if)#​ppp chap hostna
 +R1(config-if)#​ppp chap hostname cci
 +*Apr 17 22:​04:​37.611:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 17 22:​04:​37.613:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 17 22:​04:​37.713:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1e
 +R1(config-if)#​ppp chap hostname ccie@esx
 +*Apr 17 22:​04:​37.730:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R1(config-if)#​ppp chap hostname ccie@example.com
 +R1(config-if)#​ppp cha
 +R1(config-if)#​ppp chap pass
 +R1(config-if)#​ppp chap password cc13
 +R1(config-if)#​cry
 +R1(config-if)#​crypto ma
 +R1(config-if)#​crypto map M-ipsec
 +*Apr 17 22:​04:​59.894:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +R1(config-if)#​crypto map M-ipsec
 +*Apr 17 22:​04:​59.898:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +R1(config-if)#​crypto map M-ipsec
 +R1(config-if)#​
 +*Apr 17 22:​05:​01.598:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access2,​ changed state to up
 +R1(config-if)#​
 +*Apr 17 22:​05:​02.145:​ %CRYPTO-6-ISAKMP_ON_OFF:​ ISAKMP is ON
 +R1(config-if)#​ip accee
 +R1(config-if)#​ip access
 +R1(config-if)#​ip access-group A-security in
 +R1(config-if)#​no cde
 +R1(config-if)#​no cdp
 +R1(config-if)#​no cdp ?
 +  enable ​          ​Enable CDP on interface
 +  filter-tlv-list ​ Apply tlv list filter on interface
 +  log              Log messages generated by CDP
 +  tlv              Enable exchange of specific tlv information
 +
 +R1(config-if)#​no cdp en
 +R1(config-if)#​no cdp enable ​
 +R1(config-if)#​no shut
 +R1(config-if)#​exit
 +R1(config)#​ip route 0.0.0.0 0.0.0.0 dia
 +R1(config)#​ip route 0.0.0.0 0.0.0.0 dialer 1
 +R1(config)#​router ospf 
 +*Apr 17 22:​06:​05.374:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to up1
 +R1(config)#​router ospf 1
 +R1(config-router)#​netwo
 +R1(config-router)#​network 10.100.0.1 0.0.0.0 area 0
 +R1(config-router)#​netwo
 +R1(config-router)#​network 192.168.0.1 0.0.0.0 area 0
 +R1(config-router)#​exit
 +R1(config)#​ip acce
 +R1(config)#​ip access-list exte
 +R1(config)#​ip access-list extended A-ipsec
 +R1(config-ext-nacl)#​permi
 +R1(config-ext-nacl)#​permit gre host 100.0.0.1 host 200.0.0.2
 +R1(config-ext-nacl)#​exit
 +R1(config)#​ip acce
 +R1(config)#​ip access-list exte
 +R1(config)#​ip access-list extended A-security
 +R1(config-ext-nacl)#​permi
 +R1(config-ext-nacl)#​permit es
 +R1(config-ext-nacl)#​permit esp hos
 +R1(config-ext-nacl)#​permit esp host 200.0.0.2 host 100.0.0.1
 +R1(config-ext-nacl)#​permit
 +R1(config-ext-nacl)#​permit udp hos
 +R1(config-ext-nacl)#​permit udp host 200.0.0.2 hos
 +R1(config-ext-nacl)#​permit udp host 200.0.0.2 host 100.0.0.1 eq ?
 +  <​0-65535> ​     Port number
 +  biff           Biff (mail notification,​ comsat, 512)
 +  bootpc ​        ​Bootstrap Protocol (BOOTP) client (68)
 +  bootps ​        ​Bootstrap Protocol (BOOTP) server (67)
 +  discard ​       Discard (9)
 +  dnsix          DNSIX security protocol auditing (195)
 +  domain ​        ​Domain Name Service (DNS, 53)
 +  echo           Echo (7)
 +  isakmp ​        ​Internet Security Association and Key Management Protocol
 +                 (500)
 +  mobile-ip ​     Mobile IP registration (434)
 +  nameserver ​    ​IEN116 name service (obsolete, 42)
 +  netbios-dgm ​   NetBios datagram service (138)
 +  netbios-ns ​    ​NetBios name service (137)
 +  netbios-ss ​    ​NetBios session service (139)
 +  non500-isakmp ​ Internet Security Association and Key Management Protocol
 +                 ​(4500)
 +  ntp            Network Time Protocol (123)
 +  pim-auto-rp ​   PIM Auto-RP (496)
 +  rip            Routing Information Protocol (router, in.routed, 520)
 +  snmp           ​Simple Network Management Protocol (161)
 +  snmptrap ​      SNMP Traps (162)
 +          ​
 +R1(config-ext-nacl)#​permit udp host 200.0.0.2 host 100.0.0.1 eq isa
 +R1(config-ext-nacl)#​permit udp host 200.0.0.2 host 100.0.0.1 eq isak?  ​
 +isakmp  ​
 +
 +R1(config-ext-nacl)#​permit udp host 200.0.0.2 host 100.0.0.1 eq ?   
 +  <​0-65535> ​     Port number
 +  biff           Biff (mail notification,​ comsat, 512)
 +  bootpc ​        ​Bootstrap Protocol (BOOTP) client (68)
 +  bootps ​        ​Bootstrap Protocol (BOOTP) server (67)
 +  discard ​       Discard (9)
 +  dnsix          DNSIX security protocol auditing (195)
 +  domain ​        ​Domain Name Service (DNS, 53)
 +  echo           Echo (7)
 +  isakmp ​        ​Internet Security Association and Key Management Protocol
 +                 (500)
 +  mobile-ip ​     Mobile IP registration (434)
 +  nameserver ​    ​IEN116 name service (obsolete, 42)
 +  netbios-dgm ​   NetBios datagram service (138)
 +  netbios-ns ​    ​NetBios name service (137)
 +  netbios-ss ​    ​NetBios session service (139)
 +  non500-isakmp ​ Internet Security Association and Key Management Protocol
 +                 ​(4500)
 +  ntp            Network Time Protocol (123)
 +  pim-auto-rp ​   PIM Auto-RP (496)
 +  rip            Routing Information Protocol (router, in.routed, 520)
 +  snmp           ​Simple Network Management Protocol (161)
 +  snmptrap ​      SNMP Traps (162)
 +  sunrpc ​        Sun Remote Procedure Call (111)
 +  syslog ​        ​System Logger (514)
 +  tacacs ​        TAC Access Control System (49)
 +  talk           Talk (517)
 +  tftp           ​Trivial File Transfer Protocol (69)
 +  time           Time (37)
 +  who            Who service (rwho, 513)
 +  xdmcp          X Display Manager Control Protocol (177)
 +
 +R1(config-ext-nacl)#​permit udp host 200.0.0.2 host 100.0.0.1 eq  500
 +R1(config-ext-nacl)#​per
 +R1(config-ext-nacl)#​permit ic
 +R1(config-ext-nacl)#​permit icmp an
 +R1(config-ext-nacl)#​permit icmp any an
 +R1(config-ext-nacl)#​permit icmp any any 
 +R1(config-ext-nacl)#​permi
 +R1(config-ext-nacl)#​permit gre hos
 +R1(config-ext-nacl)#​permit gre host 200.0.0.2 host 100.0.0.1
 +R1(config-ext-nacl)#​exit
 +R1(config)#​do sh ip access-lists
 +Extended IP access list A-ipsec
 +    10 permit gre host 100.0.0.1 host 200.0.0.2 (13 matches)
 +Extended IP access list A-security
 +    10 permit esp host 200.0.0.2 host 100.0.0.1
 +    20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 +    30 permit icmp any any (4 matches)
 +    40 permit gre host 200.0.0.2 host 100.0.0.1
 +R1(config)#​dial
 +R1(config)#​dialer-li
 +R1(config)#​dialer-list 20 pro
 +R1(config)#​dialer-list 20 protocol ip ?
 +  deny    Deny specified protocol
 +  list    Add access list to dialer list
 +  permit ​ Permit specified protocol
 +
 +R1(config)#​dialer-list 20 protocol ip per
 +R1(config)#​dialer-list 20 protocol ip permit ​
 +R1(config)#​^Z
 +R1#ping 1
 +*Apr 17 22:​10:​56.299:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +R1#ping 100.1.3.3 ​
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 100.1.3.3, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms
 +R1#ping 34.0.0.4
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
 +R1#ping 192.168.0.2
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.0.2,​ timeout is 2 seconds:
 +.....
 +Success rate is 0 percent (0/5)
 +R1#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R1(config)#​int tun0
 +R1(config-if)#​ip addr 192.168.12.1 255.255.255.255
 +R1(config-if)#​router ospf 1
 +R1(config-router)#​netwo
 +R1(config-router)#​no network 192.168.0.1 0.0.0.0 area 0
 +R1(config-router)#​network 192.168.12.1 0.0.0.0 area 0  ​
 +R1(config-router)#​^Z
 +R1#
 +*Apr 17 22:​40:​44.546:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +R1#ip int tun0 | i Internet
 +      ^
 +% Invalid input detected at '​^'​ marker.
 +
 +R1#sh ip int tun0 | i Internet
 +  Internet address is 192.168.12.1/​32
 +R1#conf t                     
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R1(config)#​int tun0
 +R1(config-if)#​ip addr 192.168.12.1 255.255.255.252 ​
 +R1(config-if)#​^Z
 +R1#
 +*Apr 17 22:​47:​45.429:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +R1#ping 192.168.12.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.12.1,​ timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
 +R1#ping 192.168.12.2
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.12.2,​ timeout is 2 seconds:
 +.....
 +Success rate is 0 percent (0/5)
 +R1#sh ip int bri
 +Interface ​                 IP-Address ​     OK? Method Status ​               Protocol
 +GigabitEthernet0/​0 ​        ​10.100.0.1 ​     YES NVRAM  up                    up      ​
 +GigabitEthernet0/​1 ​        ​unassigned ​     YES NVRAM  up                    up      ​
 +GigabitEthernet0/​2 ​        ​unassigned ​     YES NVRAM  administratively down down    ​
 +GigabitEthernet0/​3 ​        ​unassigned ​     YES NVRAM  administratively down down    ​
 +Dialer1 ​                   100.0.0.1 ​      YES TFTP   ​up ​                   up      ​
 +Loopback1 ​                 100.0.0.1 ​      YES manual up                    up      ​
 +Tunnel0 ​                   192.168.12.1 ​   YES manual up                    up      ​
 +Virtual-Access1 ​           unassigned ​     YES unset  up                    up      ​
 +Virtual-Access2 ​           unassigned ​     YES unset  up                    up      ​
 +R1#
 +*Apr 17 22:​53:​40.588:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
 +R1#ping 192.168.12.2
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.12.2,​ timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms
 +R1#ping 34.0.0.4
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
 +R1#sh ip ro ospf
 +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 +       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 +       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 +       E1 - OSPF external type 1, E2 - OSPF external type 2
 +       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 +       ia - IS-IS inter area, * - candidate default, U - per-user static route
 +       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 +       a - application route
 +       + - replicated route, % - next hop override, p - overrides from PfR
 +
 +Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 +
 +      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
 +O        10.200.0.0/​24 [110/1001] via 192.168.12.2,​ 00:08:09, Tunnel0
 +R1#sh ip ro
 +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 +       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 +       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 +       E1 - OSPF external type 1, E2 - OSPF external type 2
 +       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 +       ia - IS-IS inter area, * - candidate default, U - per-user static route
 +       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 +       a - application route
 +       + - replicated route, % - next hop override, p - overrides from PfR
 +
 +Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 +
 +S*    0.0.0.0/0 is directly connected, Dialer1
 +      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
 +C        10.100.0.0/​24 is directly connected, GigabitEthernet0/​0
 +L        10.100.0.1/​32 is directly connected, GigabitEthernet0/​0
 +O        10.200.0.0/​24 [110/1001] via 192.168.12.2,​ 00:08:12, Tunnel0
 +      100.0.0.0/​32 is subnetted, 2 subnets
 +C        100.0.0.1 is directly connected, Loopback1
 +C        100.1.3.3 is directly connected, Dialer1
 +      192.168.12.0/​24 is variably subnetted, 2 subnets, 2 masks
 +C        192.168.12.0/​30 is directly connected, Tunnel0
 +L        192.168.12.1/​32 is directly connected, Tunnel0
 +R1#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R1(config)#​int dia1
 +R1(config-if)#​no cryp
 +R1(config-if)#​no crypto ma
 +R1(config-if)#​no crypto map M-ipsec
 +R1(config-if)#​
 +*Apr 17 23:​03:​12.961:​ %CRYPTO-6-ISAKMP_ON_OFF:​ ISAKMP is OFF
 +R1(config-if)#​
 +*Apr 17 23:​03:​13.473:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 200.0.0.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
 +R1(config-if)#​
 +*Apr 17 23:​03:​16.596:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
 +R1(config-if)#​^Z
 +R1#
 +*Apr 17 23:​04:​29.084:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +</​code>​
 +
 +<​code>​
 +R2#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R2(config)#
 +R2(config)#
 +R2(config)#
 +R2(config)#
 +R2(config)#
 +R2(config)#​cry
 +R2(config)#​crypto isa
 +R2(config)#​crypto isakmp po
 +R2(config)#​crypto isakmp policy 1
 +R2(config-isakmp)#​enc
 +R2(config-isakmp)#​encryption 3de
 +R2(config-isakmp)#​encryption 3des 
 +R2(config-isakmp)#​has
 +R2(config-isakmp)#​hash md5
 +R2(config-isakmp)#​auth
 +R2(config-isakmp)#​authentication pre
 +R2(config-isakmp)#​authentication pre-share ​
 +R2(config-isakmp)#​gro
 +R2(config-isakmp)#​group 2
 +R2(config-isakmp)#​exit
 +R2(config)#​cry
 +R2(config)#​crypto isak
 +R2(config)#​crypto isakmp ke
 +R2(config)#​crypto isakmp key
 +R2(config)#​crypto isakmp key pg1xpsk add
 +R2(config)#​crypto isakmp key pg1xpsk address 100.0.0.1
 +R2(config)#​cry
 +R2(config)#​crypto isakm
 +R2(config)#​crypto isakmp kee
 +R2(config)#​crypto isakmp keepalive 30 on
 +R2(config)#​crypto isakmp keepalive 30 on-demand ​
 +R2(config)#​cryp
 +R2(config)#​crypto ipse
 +R2(config)#​crypto ipsec trans
 +R2(config)#​crypto ipsec transform-set IPSEC esp-3de
 +R2(config)#​crypto ipsec transform-set IPSEC esp-3des es
 +R2(config)#​crypto ipsec transform-set IPSEC esp-3des esp-md
 +R2(config)#​crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac ​
 +R2(cfg-crypto-trans)#​mo
 +R2(cfg-crypto-trans)#​mode tra
 +R2(cfg-crypto-trans)#​mode transport ​
 +R2(cfg-crypto-trans)#​exit
 +R2(config)#​cry
 +R2(config)#​crypto ma
 +R2(config)#​crypto map M-ipsec 1 ipse
 +R2(config)#​crypto map M-ipsec 1 ipsec-isa
 +R2(config)#​crypto map M-ipsec 1 ipsec-isakmp ​
 +% NOTE: This new crypto map will remain disabled until a peer
 +        and a valid access list have been configured.
 +R2(config-crypto-map)#​set pee
 +R2(config-crypto-map)#​set peer 100.0.0.1
 +R2(config-crypto-map)#​set tran
 +R2(config-crypto-map)#​set transform-set IPSEC
 +R2(config-crypto-map)#​mat
 +R2(config-crypto-map)#​match add
 +R2(config-crypto-map)#​match address A-ipsec
 +R2(config-crypto-map)#​int lo1
 +R2(config-if)#​
 +*Apr 17 22:​14:​02.754:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Loopback1, changed state to up
 +R2(config-if)#​ip add
 +R2(config-if)#​ip address 200.0.0.2 255.255.255.255
 +R2(config-if)#​int gig0/0
 +R2(config-if)#​ip tcp
 +R2(config-if)#​ip tcp ad
 +R2(config-if)#​ip tcp adjust-mss 1332
 +R2(config-if)#​int gig0/1
 +R2(config-if)#​no ip addre
 +R2(config-if)#​no ip address ​
 +R2(config-if)#​pppoe enabl
 +R2(config-if)#​pppoe enable group glboa
 +R2(config-if)#​pppoe enable group glboa
 +R2(config-if)#​
 +*Apr 17 22:​15:​01.244:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access1,​ changed state to up
 +R2(config-if)#​
 +*Apr 17 22:​15:​01.249:​ %LINK-3-UPDOWN:​ Interface Virtual-Access1,​ changed state to up
 +R2(config-if)#​no pppoe enable group glboa
 +R2(config-if)#​pppoe enable group ?       
 +  WORD    BBA Group name
 +  global ​ Attach global PPPoE group
 +
 +R2(config-if)#​pppoe enable group global
 +R2(config-if)#​pppoe enable group global ​
 +R2(config-if)#​pppoe-cli
 +R2(config-if)#​pppoe-client dia
 +R2(config-if)#​pppoe-client dial-pool-number 10
 +R2(config-if)#​int tun0
 +R2(config-if)#​i
 +*Apr 17 22:​15:​40.205:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to downp
 +R2(config-if)#​ip add
 +R2(config-if)#​ip address 192.168.0.2 255.255.255.252
 +R2(config-if)#​ip mt
 +R2(config-if)#​ip mtu 1372
 +R2(config-if)#​tu
 +R2(config-if)#​tunnel so
 +R2(config-if)#​tunnel source Dia
 +R2(config-if)#​tunnel source Dialer 1
 +R2(config-if)#​tun
 +R2(config-if)#​tunnel des
 +R2(config-if)#​tunnel destination 100.0.0.1
 +R2(config-if)#​int dia1
 +R2(config-if)#​ip unnum
 +R2(config-if)#​ip unnumbered Lo1
 +R2(config-if)#​int tun0
 +R2(config-if)#​ip addr 192.168.12.2 255.255.255.252
 +R2(config-if)#​int dia1
 +R2(config-if)#​ip annu
 +R2(config-if)#​ip unnum
 +R2(config-if)#​ip unnumbered lo1
 +R2(config-if)#​ip mt
 +R2(config-if)#​ip mtu 1454
 +R2(config-if)#​enca
 +R2(config-if)#​encapsulation ppp
 +R2(config-if)#​dia
 +R2(config-if)#​dialerpo
 +R2(config-if)#​dialer po
 +R2(config-if)#​dialer pool 10
 +R2(config-if)#​dialer
 +R2(config-if)#​dialer-gro
 +R2(config-if)#​dialer-group ​
 +*Apr 17 22:​42:​29.361:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 17 22:​42:​29.366:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 17 22:​42:​31.142:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R2(config-if)#​dialer-grou ​
 +R2(config-if)#​dialer-group ​
 +*Apr 17 22:​42:​31.161:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R2(config-if)#​dialer-group 20
 +R2(config-if)#​ppp authe
 +R2(config-if)#​ppp authentication cha
 +R2(config-if)#​ppp authentication chap call
 +R2(config-if)#​ppp authentication chap calli
 +R2(config-if)#​ppp authentication chap callin ​
 +R2(config-if)#​
 +*Apr 17 22:​42:​53.414:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 17 22:​42:​53.419:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 17 22:​42:​53.520:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R2(config-if)#​
 +*Apr 17 22:​42:​53.536:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R2(config-if)#​
 +*Apr 17 22:​43:​15.688:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 17 22:​43:​15.692:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 17 22:​43:​15.798:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R2(config-if)#​
 +*Apr 17 22:​43:​15.814:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R2(config-if)#​
 +*Apr 17 22:​43:​37.969:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 17 22:​43:​37.971:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 17 22:​43:​38.072:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R2(config-if)#​
 +*Apr 17 22:​43:​38.087:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R2(config-if)#​ppp chap                       
 +R2(config-if)#​ppp chap hostn
 +R2(config-if)#​ppp chap hostname ​
 +*Apr 17 22:​44:​00.244:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 17 22:​44:​00.246:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 17 22:​44:​00.345:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R2(config-if)#​ppp chap hostname c
 +*Apr 17 22:​44:​00.361:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R2(config-if)#​ppp chap hostname ccie@example.com
 +R2(config-if)#​ppp chap
 +R2(config-if)#​ppp chap pass
 +R2(config-if)#​ppp chap password cc13
 +R2(config-if)#​cry
 +R2(config-if)#​crypto ma
 +R2(config-if)#​crypto map M-ipsec
 +*Apr 17 22:​44:​22.531:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +R2(config-if)#​crypto map M-ipsec
 +*Apr 17 22:​44:​22.535:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +R2(config-if)#​crypto map M-ipsec
 +*Apr 17 22:​44:​24.275:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access2,​ changed state to up
 +R2(config-if)#​crypto map M-ipsec
 +R2(config-if)#​
 +*Apr 17 22:​44:​26.211:​ %CRYPTO-6-ISAKMP_ON_OFF:​ ISAKMP is ON
 +R2(config-if)#​ip accee 
 +R2(config-if)#​ip access
 +R2(config-if)#​ip access-group A-security in
 +R2(config-if)#​exit
 +R2(config)#​ip route 0.0.0.0 0.0.0.0 dia 1
 +R2(config)#​do ping 34.0.0.3
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 34.0.0.3, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
 +R2(config)#​pi ​
 +*Apr 17 22:​45:​29.231:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to up
 +R2(config)#​do ping 200.2.4.4
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 200.2.4.4, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
 +R2(config)#​do ping 192.168.12.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.12.1,​ timeout is 2 seconds:
 +.....
 +Success rate is 0 percent (0/5)
 +R2(config)#​do ping 192.168.12.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.12.1,​ timeout is 2 seconds:
 +.....
 +Success rate is 0 percent (0/5)
 +R2(config)#​do ping 192.168.12.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.12.1,​ timeout is 2 seconds:
 +.....
 +Success rate is 0 percent (0/5)
 +R2(config)#​do sh ip int bri
 +Interface ​                 IP-Address ​     OK? Method Status ​               Protocol
 +GigabitEthernet0/​0 ​        ​10.200.0.2 ​     YES NVRAM  up                    up      ​
 +GigabitEthernet0/​1 ​        ​unassigned ​     YES NVRAM  up                    up      ​
 +GigabitEthernet0/​2 ​        ​unassigned ​     YES NVRAM  administratively down down    ​
 +GigabitEthernet0/​3 ​        ​unassigned ​     YES NVRAM  administratively down down    ​
 +Dialer1 ​                   200.0.0.2 ​      YES TFTP   ​up ​                   up      ​
 +Loopback1 ​                 200.0.0.2 ​      YES manual up                    up      ​
 +Tunnel0 ​                   192.168.12.2 ​   YES manual up                    up      ​
 +Virtual-Access1 ​           unassigned ​     YES unset  up                    up      ​
 +Virtual-Access2 ​           unassigned ​     YES unset  up                    up      ​
 +R2(config)#​router ospf 1
 +R2(config-router)#​netw
 +R2(config-router)#​network 10.200.0.2 0.0.0.0 are
 +R2(config-router)#​network 10.200.0.2 0.0.0.0 area 0
 +R2(config-router)#​netwoq
 +R2(config-router)#​netwo ​
 +R2(config-router)#​network 192.168.12.2 0.0.0.0 area 0
 +R2(config-router)#​exit
 +R2(config)#​ip acc
 +R2(config)#​ip acce
 +R2(config)#​ip access-list exte
 +R2(config)#​ip access-list extended A-ipsec
 +R2(config-ext-nacl)#​permi
 +R2(config-ext-nacl)#​permit gre hos
 +R2(config-ext-nacl)#​permit gre host 200.0.0.2 hos
 +R2(config-ext-nacl)#​permit gre host 200.0.0.2 host 100.0.0.1
 +R2(config-ext-nacl)#​exit
 +R2(config)#​ip acce
 +R2(config)#​ip access-list exte
 +R2(config)#​ip access-list extended A-security
 +R2(config-ext-nacl)#​permi e
 +*Apr 17 22:​53:​39.944:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Dones
 +R2(config-ext-nacl)#​permi es
 +R2(config-ext-nacl)#​permi esp hos
 +R2(config-ext-nacl)#​permi esp host 100.0.0.1 host 200.0.0.2
 +R2(config-ext-nacl)#​permit udp host 100.0.0.1 host 200.0.0.2 eq isakm
 +R2(config-ext-nacl)#​permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp ​
 +R2(config-ext-nacl)#​permit gre host 100.0.0.1 host 200.0.0.2
 +R2(config-ext-nacl)#​permit icm
 +R2(config-ext-nacl)#​permit icmp any any
 +R2(config-ext-nacl)#​exit
 +R2(config)#​dial
 +R2(config)#​dialer-li
 +R2(config)#​dialer-list 20 pro
 +R2(config)#​dialer-list 20 protocol ip per
 +R2(config)#​dialer-list 20 protocol ip permit ​
 +R2(config)#​^Z
 +R2#
 +*Apr 17 22:​55:​05.489:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +R2#ping 192.168.12.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.12.1,​ timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 13/14/17 ms
 +R2#ping 34.0.0.3
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 34.0.0.3, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
 +R2#ping 100.0.0.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/7 ms
 +R2#ping 192.168.12.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.12.1,​ timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 14/15/18 ms
 +R2#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R2(config)#​int dia1
 +R2(config-if)#​no cry
 +R2(config-if)#​no crypto ma
 +R2(config-if)#​no crypto map M-ipsec
 +R2(config-if)#​
 +*Apr 17 23:​02:​40.826:​ %CRYPTO-6-ISAKMP_ON_OFF:​ ISAKMP is OFF
 +R2(config-if)#​do ping 192.168.12.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.12.1,​ timeout is 2 seconds:
 +.....
 +Success rate is 0 percent (0/5)
 +R2(config-if)#​
 +*Apr 17 23:​03:​15.867:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
 +R2(config-if)#​do ping 192.168.12.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.12.1,​ timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 7/9/13 ms
 +R2(config-if)#​^Z
 +R2#
 +*Apr 17 23:​04:​31.255:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +R2#</​code>​
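Review bot: after ''no crypto map M-ipsec'' on Dialer1 (ISAKMP is OFF), the transcript shows OSPF on Tunnel0 returning to FULL and the ping to 192.168.12.1 succeeding again, so R2 is carrying tunnel traffic with no IPsec, and the session ends without putting the map back. The ''permit gre host 100.0.0.1 host 200.0.0.2'' entry in A-security is what admits that cleartext GRE on the outside interface. Say on the page that this is a deliberate test, show ''crypto map M-ipsec'' being re-applied to Dialer1, and check whether the tunnel still forms with the ''permit gre'' entry removed, so that a missing crypto map fails closed instead of falling back to cleartext.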
 +
 +<​code>​
 +PC-1> ​
 +PC-1> ping 10.200.0.202
 +84 bytes from 10.200.0.202 icmp_seq=1 ttl=62 time=26.335 ms
 +84 bytes from 10.200.0.202 icmp_seq=2 ttl=62 time=14.656 ms
 +84 bytes from 10.200.0.202 icmp_seq=3 ttl=62 time=9.719 ms
 +84 bytes from 10.200.0.202 icmp_seq=4 ttl=62 time=11.283 ms
 +84 bytes from 10.200.0.202 icmp_seq=5 ttl=62 time=10.332 ms
 +
 +PC-1> ping 10.200.0.202
 +10.200.0.202 icmp_seq=1 timeout
 +10.200.0.202 icmp_seq=2 timeout
 +84 bytes from 10.200.0.202 icmp_seq=3 ttl=62 time=5.233 ms
 +84 bytes from 10.200.0.202 icmp_seq=4 ttl=62 time=7.190 ms
 +84 bytes from 10.200.0.202 icmp_seq=5 ttl=62 time=8.222 ms
 +
 +PC-1> ​
 +
 +
 +</​code>​
 +
 +{{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190417-231259.png}}
 +
 +===== Topology: 1:N GRE over IPsec =====
 +
 +{{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190419-213301.png}}
 +
 +==== IP ====
 +
 +Project name: ''​ccna-vpn-gre-0003-gre-over-ipsec-1-n''​
 +
 +  * R1
 +
 +<​code>​
 +enable
 +configure terminal
 +!
 +hostname R1
 +no ip domain-lookup
 +line console 0
 +exec-timeout 0 0
 +logging synchronous
 +exit
 +!
 +interface GigabitEthernet 0/0
 +ip address 10.100.0.1 255.255.255.0
 +no shutdown
 +exit
 +interface GigabitEthernet 0/1
 +no shutdown
 +exit
 +!
 +end
 +write
 +</​code>​
 +
 +  * R2
 +
 +<​code>​
 +enable
 +configure terminal
 +!
 +hostname R2
 +no ip domain-lookup
 +line console 0
 +exec-timeout 0 0
 +logging synchronous
 +exit
 +!
 +interface GigabitEthernet 0/0
 +no shutdown
 +exit
 +interface GigabitEthernet 0/1
 +ip address 200.0.0.2 255.255.0.0
 +no shutdown
 +exit
 +!
 +end
 +write
 +</​code>​
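Review bot: the R2 base config leaves GigabitEthernet 0/0 without an address, yet PC-2 uses 10.200.0.2 as its gateway and R2's OSPF config later has ''network 10.200.0.2 0.0.0.0 area 0''; add ''ip address 10.200.0.2 255.255.255.0'' under GigabitEthernet 0/0. The ''ip address 200.0.0.2 255.255.0.0'' on GigabitEthernet 0/1 looks like a leftover: the PPPoE step removes it with ''no ip address'' and 200.0.0.2 moves to Loopback 1, and R1 and R6 carry no address on that interface in their base configs.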
 +
 +  * R3
 +
 +<​code>​
 +enable
 +configure terminal
 +!
 +hostname R3
 +no ip domain-lookup
 +line console 0
 +exec-timeout 0 0
 +logging synchronous
 +exit
 +!
 +interface GigabitEthernet 0/0
 +ip address 34.0.0.3 255.255.255.0
 +no shutdown
 +exit
 +interface GigabitEthernet 0/1
 +no shutdown
 +exit
 +interface GigabitEthernet 0/2
 +ip address 35.0.0.3 255.255.255.0
 +no shutdown
 +exit
 +!
 +end
 +write
 +</​code>​
 +
 +  * R4
 +
 +<​code>​
 +enable
 +configure terminal
 +!
 +hostname R4
 +no ip domain-lookup
 +line console 0
 +exec-timeout 0 0
 +logging synchronous
 +exit
 +!
 +interface GigabitEthernet 0/0
 +ip address 34.0.0.4 255.255.255.0
 +no shutdown
 +exit
 +interface GigabitEthernet 0/1
 +no shutdown
 +exit
 +interface GigabitEthernet 0/2
 +ip address 45.0.0.4 255.255.255.0
 +no shutdown
 +exit
 +!
 +end
 +write
 +</​code>​
 +
 +  * R5
 +
 +<​code>​
 +enable
 +configure terminal
 +!
 +hostname R5
 +no ip domain-lookup
 +line console 0
 +exec-timeout 0 0
 +logging synchronous
 +exit
 +!
 +interface GigabitEthernet 0/0
 +ip address 35.0.0.5 255.255.255.0
 +no shutdown
 +exit
 +interface GigabitEthernet 0/1
 +no shutdown
 +exit
 +interface GigabitEthernet 0/2
 +ip address 45.0.0.5 255.255.255.0
 +no shutdown
 +exit
 +!
 +end
 +write
 +</​code>​
 +
 +  * R6
 +
 +<​code>​
 +enable
 +configure terminal
 +!
 +hostname R6
 +no ip domain-lookup
 +line console 0
 +exec-timeout 0 0
 +logging synchronous
 +exit
 +!
 +interface GigabitEthernet 0/0
 +ip address 10.6.0.6 255.255.255.0
 +no shutdown
 +exit
 +interface GigabitEthernet 0/1
 +no shutdown
 +exit
 +!
 +end
 +write
 +</​code>​
 +
 +  * PC-1
 +
 +<​code>​
 +ip 10.100.0.101 255.255.255.0 10.100.0.1
 +save
 +</​code>​
 +
 +  * PC-2
 +
 +<​code>​
 +ip 10.200.0.202 255.255.255.0 10.200.0.2
 +save
 +</​code>​
 +
 +  * PC-5
 +
 +<​code>​
 +ip 10.6.0.105 255.255.255.0 10.6.0.6
 +save
 +</​code>​
 +
 +==== Configure Basic Routing Protocol(BGP,​ Static routing) ====
 +
 +  * R3
 +
 +<​code>​
 +configure terminal
 +!
 +router bgp 3
 +neighbor 34.0.0.4 remote-as 4
 +neighbor 35.0.0.5 remote-as 5
 +network 100.0.0.1 mask 255.255.255.255
 +exit
 +!
 +end
 +</​code>​
 +
 +  * R4
 +
 +<​code>​
 +configure terminal
 +!
 +router bgp 3
 +neighbor 34.0.0.3 remote-as 3
 +neighbor 45.0.0.5 remote-as 5
 +network 200.0.0.2 mask 255.255.255.255
 +exit
 +!
 +end
 +</​code>​
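Review bot: R4 is configured under ''router bgp 3'', but R3 and R5 both declare it as AS 4 (''neighbor 34.0.0.4 remote-as 4'', ''neighbor 45.0.0.4 remote-as 4''), and R4 itself lists R3 as ''remote-as 3''. With R4 in AS 3, R3 and R5 would see an unexpected peer AS in R4's OPEN and refuse the sessions, so 200.0.0.2/32 would never be advertised. This should be ''router bgp 4''.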
 +
 +  * R5
 +
 +<​code>​
 +configure terminal
 +!
 +router bgp 5
 +neighbor 35.0.0.3 remote-as 3
 +neighbor 45.0.0.4 remote-as 4
 +network 106.0.0.6 mask 255.255.255.255
 +exit
 +!
 +end
 +</​code>​
 +
 +==== Configure PPPoE Server, Client ====
 +
 +  * R1
 +
 +<​code>​
 +configure terminal
 +!
 +interface GigabitEthernet 0/1
 +no ip address
 +pppoe enable group global
 +pppoe-client dial-pool-number 10
 +exit
 +!
 +interface GigabitEthernet 0/0
 +ip tcp adjust-mss 1356
 +exit
 +!
 +interface Loopback 1
 +ip address 100.0.0.1 255.255.255.255
 +exit
 +!
 +interface Dialer 1
 +ip unnumbered Loopback 1
 +ip mtu 1454
 +encapsulation ppp
 +dialer pool 10
 +dialer-group 20
 +ppp authentication chap callin
 +ppp chap hostname ccie@example.com
 +ppp chap password cc13
 +no shutdown
 +exit
 +!
 +ip route 0.0.0.0 0.0.0.0 Dialer 1
 +!
 +dialer-list 20 protocol ip permit
 +!
 +end
 +</​code>​
 +
 +  * R2
 +
 +<​code>​
 +configure terminal
 +!
 +interface GigabitEthernet 0/1
 +no ip address
 +pppoe enable group global
 +pppoe-client dial-pool-number 10
 +exit
 +!
 +interface GigabitEthernet 0/0
 +ip tcp adjust-mss 1356
 +exit
 +!
 +interface Loopback 1
 +ip address 200.0.0.2 255.255.255.255
 +exit
 +!
 +interface Dialer 1
 +ip unnumbered Loopback 1
 +ip mtu 1454
 +encapsulation ppp
 +dialer pool 10
 +dialer-group 20
 +ppp authentication chap callin
 +ppp chap hostname ccie@example.com
 +ppp chap password cc13
 +no shutdown
 +exit
 +!
 +ip route 0.0.0.0 0.0.0.0 Dialer 1
 +!
 +dialer-list 20 protocol ip permit
 +!
 +end
 +</​code>​
 +
 +  * R3
 +
 +<​code>​
 +configure terminal
 +!
 +username ccie@example.com password cc13
 +!
 +ip local pool POOL1 100.0.0.1
 +!
 +interface Loopback1
 +ip address 100.1.3.3 255.255.255.0
 +exit
 +!
 +interface Virtual-Template1
 +mtu 1454
 +ip unnumbered Loopback1
 +peer default ip address pool POOL1
 +ppp authentication chap
 +exit
 +!
 +bba-group pppoe PPPOE-GROUP1
 +virtual-template 1
 +exit
 +!
 +interface GigabitEthernet 0/1
 +no ip address
 +pppoe enable group PPPOE-GROUP1
 +no shut
 +exit
 +!
 +end
 +</​code>​
 +
 +  * R4
 +
 +<​code>​
 +configure terminal
 +!
 +username ccie@example.com password cc13
 +!
 +ip local pool POOL1 200.0.0.2
 +!
 +interface Loopback1
 +ip address 200.2.4.4 255.255.255.0
 +exit
 +!
 +interface Virtual-Template1
 +mtu 1454
 +ip unnumbered Loopback1
 +peer default ip address pool POOL1
 +ppp authentication chap
 +exit
 +!
 +bba-group pppoe PPPOE-GROUP1
 +virtual-template 1
 +exit
 +!
 +interface GigabitEthernet 0/1
 +no ip address
 +pppoe enable group PPPOE-GROUP1
 +no shut
 +exit
 +!
 +end
 +</​code>​
 +
 +  * R5
 +
 +<​code>​
 +configure terminal
 +!
 +username ccie@isp3.pg1x.net password cc13
 +!
 +ip local pool POOL1 106.0.0.6
 +!
 +interface Loopback1
 +ip address 106.5.6.5 255.255.255.0
 +exit
 +!
 +interface Virtual-Template1
 +mtu 1454
 +ip unnumbered Loopback1
 +peer default ip address pool POOL1
 +ppp authentication chap
 +exit
 +!
 +bba-group pppoe PPPOE-GROUP1
 +virtual-template 1
 +exit
 +!
 +interface GigabitEthernet 0/1
 +no ip address
 +pppoe enable group PPPOE-GROUP1
 +no shut
 +exit
 +!
 +end
 +</​code>​
 +
 +  * R6
 +
 +<​code>​
 +configure terminal
 +!
 +interface GigabitEthernet 0/1
 +no ip address
 +pppoe enable group global
 +pppoe-client dial-pool-number 10
 +exit
 +!
 +interface GigabitEthernet 0/0
 +ip tcp adjust-mss 1356
 +exit
 +!
 +interface Loopback 1
 +ip address 106.0.0.6 255.255.255.255
 +exit
 +!
 +interface Dialer 1
 +ip unnumbered Loopback 1
 +ip mtu 1454
 +encapsulation ppp
 +dialer pool 10
 +dialer-group 20
 +ppp authentication chap callin
 +ppp chap hostname ccie@isp3.pg1x.net
 +ppp chap password cc13
 +no shutdown
 +exit
 +!
 +ip route 0.0.0.0 0.0.0.0 Dialer 1
 +!
 +dialer-list 20 protocol ip permit
 +!
 +end
 +</​code>​
 +
 +==== Configure IPsec over GRE/PPPoE ====
 +
 +  * R1
 +
 +<​code>​
 +configure terminal
 +!
 +! Configure ISAKMP SA Policy
 +crypto isakmp policy 1
 + ! Specify Encryption Algorithm
 + ​encryption aes
 + ! Specify Hashing Algorithm
 + hash sha
 + ! Specify Authentication Method
 + ​authentication pre-share
 + ! Specify DH(Diffie-Hellman) Group
 + group 2
 + ! specify ISAKMP SA lifetime(Default)
 + ​!lifetime 86400
 +exit
 +!
 +! Specify pre-shared key and peer address
 +crypto isakmp key pg1xpsk address 200.0.0.2
 +crypto isakmp key pg1xpsk address 106.0.0.6
 +! Configure IKE Keepalive: DPD(Dead Peer Detection)
 +crypto isakmp keepalive 30 on-demand
 +!
 +! Configure IPsec transform-set
 +crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
 + mode transport
 +exit
 +!
 +! Configure IPsec SA lifetime(Default)
 +!crypto ipsec security-association lifetime seconds 3600
 +!
 +! Configure crytpo map
 +crypto map M-ipsec 1 ipsec-isakmp
 + set peer 200.0.0.2
 + set transform-set IPSEC
 + match address A-ipsec1
 +exit
 +crypto map M-ipsec 2 ipsec-isakmp
 + set peer 106.0.0.6
 + set transform-set IPSEC
 + match address A-ipsec2
 +exit
 +!
 +interface Loopback 1
 + ip address 100.0.0.1 255.255.255.255
 +exit
 +!
 +interface GigabitEthernet 0/0
 + ip tcp adjust-mss 1332
 +exit
 +!
 +interface GigabitEthernet 0/1
 + no ip address
 + pppoe enable group global
 + ​pppoe-client dial-pool-number 10
 + no cdp enable
 +exit
 +!
 +interface Tunnel 0
 + ip address 192.168.12.1 255.255.255.0
 + ip mtu 1372
 + ​tunnel source Dialer 1
 + ​tunnel destination 200.0.0.2
 +exit
 +!
 +interface Tunnel 1
 + ip address 192.168.16.1 255.255.255.0
 + ip mtu 1372
 + ​tunnel source Dialer 1
 + ​tunnel destination 106.0.0.6
 +exit
 +!
 +interface Dialer 1
 + ip unnumbered Loopback 1
 + ip mtu 1454
 + ​encapsulation ppp
 + ​dialer pool 10
 + ​dialer-group 20
 + ppp authentication chap callin
 + ppp chap hostname ccie@example.com
 + ppp chap password cc13
 + ​crypto map M-ipsec
 + ip access-group A-security in
 + no cdp enable
 + no shutdown
 +exit
 +!
 +ip route 0.0.0.0 0.0.0.0 Dialer 1
 +!
 +router ospf 1
 + ​network 10.100.0.1 0.0.0.0 area 0
 + ​network 192.168.12.1 0.0.0.0 area 0
 + ​network 192.168.16.1 0.0.0.0 area 0
 +exit
 +!
 +! Define IPsec encryption target traffic
 +ip access-list extended A-ipsec1
 + ​permit gre host 100.0.0.1 host 200.0.0.2
 +exit
 +!
 +ip access-list extended A-ipsec2
 + ​permit gre host 100.0.0.1 host 106.0.0.6
 +exit
 +!
 +ip access-list extended A-security
 + ​permit esp host 200.0.0.2 host 100.0.0.1
 + ​permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 + ​permit gre host 200.0.0.2 host 100.0.0.1
 + ​permit esp host 106.0.0.6 host 100.0.0.1
 + ​permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
 + ​permit gre host 106.0.0.6 host 100.0.0.1
 + ​permit icmp any any
 +exit
 +!
 +dialer-list 20 protocol ip permit
 +!
 +end
 +</​code>​
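Review bot: ISAKMP policy 1 uses ''group 2'' and ''hash sha'', and the transform-set uses ''esp-sha-hmac'', which means 1024-bit Diffie-Hellman and SHA-1 on a config readers will copy. The R1 session's own ''?'' output lists ''sha256 sha384 sha512'' and ''esp-sha256-hmac'', so prefer ''hash sha256'' and ''esp-aes esp-sha256-hmac'', plus a larger DH group if the image offers one. The two ''crypto isakmp key pg1xpsk address ...'' lines also give both spokes the same pre-shared key, so whoever holds R6's key can authenticate to the hub as R2 and the reverse; use a distinct key per peer. The section heading reads "IPsec over GRE/PPPoE", but the crypto ACLs match ''gre'', so IPsec is protecting GRE here (GRE over IPsec, as in the page title).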
 +
 +  * R2
 +
 +<​code>​
 +configure terminal
 +!
 +! Configure ISAKMP SA Policy
 +crypto isakmp policy 1
 + ! Specify Encryption Algorithm
 + ​encryption aes
 + ! Specify Hashing Algorithm
 + hash sha
 + ! Specify Authentication Method
 + ​authentication pre-share
 + ! Specify DH(Diffie-Hellman) Group
 + group 2
 + ! specify ISAKMP SA lifetime(Default)
 + ​!lifetime 86400
 +exit
 +!
 +! Specify pre-shared key and peer address
 +crypto isakmp key pg1xpsk address 100.0.0.1
 +! Configure IKE Keepalive: DPD(Dead Peer Detection)
 +crypto isakmp keepalive 30 on-demand
 +!
 +! Configure IPsec transform-set
 +crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
 + mode transport
 +exit
 +!
 +! Configure IPsec SA lifetime(Default)
 +!crypto ipsec security-association lifetime seconds 3600
 +!
 +! Configure crytpo map
 +crypto map M-ipsec 1 ipsec-isakmp
 + set peer 100.0.0.1
 + set transform-set IPSEC
 + match address A-ipsec
 +exit
 +!
 +interface Loopback 1
 + ip address 200.0.0.2 255.255.255.255
 +exit
 +!
 +interface GigabitEthernet 0/0
 + ip tcp adjust-mss 1332
 +exit
 +!
 +interface GigabitEthernet 0/1
 + no ip address
 + pppoe enable group global
 + ​pppoe-client dial-pool-number 10
 + no cdp enable
 +exit
 +!
 +interface Tunnel 0
 + ip address 192.168.12.2 255.255.255.0
 + ip mtu 1372
 + ​tunnel source Dialer 1
 + ​tunnel destination 100.0.0.1
 +exit
 +!
 +interface Dialer 1
 + ip unnumbered Loopback 1
 + ip mtu 1454
 + ​encapsulation ppp
 + ​dialer pool 10
 + ​dialer-group 20
 + ppp authentication chap callin
 + ppp chap hostname ccie@example.com
 + ppp chap password cc13
 + ​crypto map M-ipsec
 + ip access-group A-security in
 + no cdp enable
 + no shutdown
 +exit
 +!
 +ip route 0.0.0.0 0.0.0.0 Dialer 1
 +!
 +router ospf 1
 + ​network 10.200.0.2 0.0.0.0 area 0
 + ​network 192.168.12.2 0.0.0.0 area 0
 +exit
 +!
 +! Define IPsec encryption target traffic
 +ip access-list extended A-ipsec
 + ​permit gre host 200.0.0.2 host 100.0.0.1
 +exit
 +!
 +ip access-list extended A-security
 + ​permit esp host 100.0.0.1 host 200.0.0.2
 + ​permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp
 + ​permit gre host 100.0.0.1 host 200.0.0.2
 + ​permit icmp any any
 +exit
 +!
 +dialer-list 20 protocol ip permit
 +!
 +end
 +</​code>​
 +
 +  * R6
 +
 +<​code>​
 +configure terminal
 +!
 +! Configure ISAKMP SA Policy
 +crypto isakmp policy 1
 + ! Specify Encryption Algorithm
 + ​encryption aes
 + ! Specify Hashing Algorithm
 + hash sha
 + ! Specify Authentication Method
 + ​authentication pre-share
 + ! Specify DH(Diffie-Hellman) Group
 + group 2
 + ! specify ISAKMP SA lifetime(Default)
 + ​!lifetime 86400
 +exit
 +!
 +! Specify pre-shared key and peer address
 +crypto isakmp key pg1xpsk address 100.0.0.1
 +! Configure IKE Keepalive: DPD(Dead Peer Detection)
 +crypto isakmp keepalive 30 on-demand
 +!
 +! Configure IPsec transform-set
 +crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
 + mode transport
 +exit
 +!
 +! Configure IPsec SA lifetime(Default)
 +!crypto ipsec security-association lifetime seconds 3600
 +!
 +! Configure crytpo map
 +crypto map M-ipsec 1 ipsec-isakmp
 + set peer 100.0.0.1
 + set transform-set IPSEC
 + match address A-ipsec
 +exit
 +!
 +interface Loopback 1
 + ip address 106.0.0.6 255.255.255.255
 +exit
 +!
 +interface GigabitEthernet 0/0
 + ip tcp adjust-mss 1332
 +exit
 +!
 +interface GigabitEthernet 0/1
 + no ip address
 + pppoe enable group global
 + ​pppoe-client dial-pool-number 10
 + no cdp enable
 +exit
 +!
 +interface Tunnel 0
 + ip address 192.168.16.6 255.255.255.0
 + ip mtu 1372
 + ​tunnel source Dialer 1
 + ​tunnel destination 100.0.0.1
 +exit
 +!
 +interface Dialer 1
 + ip unnumbered Loopback 1
 + ip mtu 1454
 + ​encapsulation ppp
 + ​dialer pool 10
 + ​dialer-group 20
 + ppp authentication chap callin
 + ppp chap hostname ccie@isp3.pg1x.net
 + ppp chap password cc13
 + ​crypto map M-ipsec
 + ip access-group A-security in
 + no cdp enable
 + no shutdown
 +exit
 +!
 +ip route 0.0.0.0 0.0.0.0 Dialer 1
 +!
 +router ospf 1
 + ​network 10.6.0.6 0.0.0.0 area 0
 + ​network 192.168.16.6 0.0.0.0 area 0
 +exit
 +!
 +! Define IPsec encryption target traffic
 +ip access-list extended A-ipsec
 + ​permit gre host 106.0.0.6 host 100.0.0.1
 +exit
 +!
 +ip access-list extended A-security
 + ​permit esp host 100.0.0.1 host 106.0.0.6
 + ​permit udp host 100.0.0.1 host 106.0.0.6 eq isakmp
 + ​permit gre host 100.0.0.1 host 106.0.0.6
 + ​permit icmp any any
 +exit
 +!
 +dialer-list 20 protocol ip permit
 +!
 +end
 +</​code>​
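Review bot: ''permit icmp any any'' in A-security, applied inbound on Dialer 1 on R1, R2 and R6, is the only entry on the Internet-facing ACL that is not pinned to a tunnel peer. The ping tests on the page only need replies to come back, so narrowing it to specific types (for example ''echo-reply'', ''unreachable'' and ''time-exceeded'', keeping ''unreachable'' because the reduced MTUs depend on path MTU discovery) would keep the lab working while closing inbound echo from arbitrary sources.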
 +
 +<​code>​
 +R1#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R1(config)#​cryp
 +R1(config)#​crypto isakm
 +R1(config)#​crypto isakmp po
 +R1(config)#​crypto isakmp policy 1
 +R1(config-isakmp)#​encr
 +R1(config-isakmp)#​encryption aes
 +R1(config-isakmp)#​has
 +R1(config-isakmp)#​hash sha
 +R1(config-isakmp)#​hash sha?
 +sha  sha256 ​ sha384 ​ sha512
 +
 +R1(config-isakmp)#​hash sha
 +R1(config-isakmp)#​encryption aes?
 +aes  ​
 +
 +R1(config-isakmp)#​encryption aes
 +R1(config-isakmp)#​atuh
 +R1(config-isakmp)#​atuhe
 +R1(config-isakmp)#​authen
 +R1(config-isakmp)#​authentication pre-sha
 +R1(config-isakmp)#​authentication pre-share ​
 +R1(config-isakmp)#​gro
 +R1(config-isakmp)#​group 2
 +R1(config-isakmp)#​exit
 +R1(config)#​cryp
 +R1(config)#​crypto isak
 +R1(config)#​crypto isakmp key pg1
 +R1(config)#​crypto isakmp key pg1xpsk add
 +R1(config)#​crypto isakmp key pg1xpsk address 200.0.0.2
 +R1(config)#​cryp
 +R1(config)#​crypto isakm
 +R1(config)#​crypto isakmp key pg1xpsk address 106.0.0.6
 +R1(config)#​cry
 +R1(config)#​crypto isakm
 +R1(config)#​crypto isakmp kee
 +R1(config)#​crypto isakmp keepalive 30 on
 +R1(config)#​crypto isakmp keepalive 30 on-demand ​
 +R1(config)#​cryp
 +R1(config)#​crypto isakm
 +R1(config)#​cry ​          
 +R1(config)#​crypto ipse
 +R1(config)#​crypto ipsec trans
 +R1(config)#​crypto ipsec transform-set IPSEC es
 +R1(config)#​crypto ipsec transform-set IPSEC esp-ae
 +R1(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sh
 +R1(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha?
 +esp-sha-hmac ​ esp-sha256-hmac ​ esp-sha384-hmac ​ esp-sha512-hmac
 +
 +R1(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-h
 +R1(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac ​
 +R1(cfg-crypto-trans)#​mod
 +R1(cfg-crypto-trans)#​mode tra
 +R1(cfg-crypto-trans)#​mode transport ​
 +R1(cfg-crypto-trans)#​exit
 +R1(config)#​cryp
 +R1(config)#​crypto ma
 +R1(config)#​crypto map M-ipsec 1 ipse
 +R1(config)#​crypto map M-ipsec 1 ipsec-isakm
 +R1(config)#​crypto map M-ipsec 1 ipsec-isakmp ​
 +% NOTE: This new crypto map will remain disabled until a peer
 +        and a valid access list have been configured.
 +R1(config-crypto-map)#​set pee
 +R1(config-crypto-map)#​set peer 200.0.0.2
 +R1(config-crypto-map)#​set tra
 +R1(config-crypto-map)#​set transform-set IPSEC
 +R1(config-crypto-map)#​mat
 +R1(config-crypto-map)#​match add
 +R1(config-crypto-map)#​match address A-ipsec1
 +R1(config-crypto-map)#​exit
 +R1(config)#​cry
 +R1(config)#​crypto ma
 +R1(config)#​crypto map M-ipsec 2 ipsec
 +R1(config)#​crypto map M-ipsec 2 ipsec-isa
 +R1(config)#​crypto map M-ipsec 2 ipsec-? ​     ​
 +ipsec-isakmp ​ ipsec-manual  ​
 +
 +R1(config)#​crypto map M-ipsec 2 ipsec-isak
 +R1(config)#​crypto map M-ipsec 2 ipsec-isakmp ​
 +% NOTE: This new crypto map will remain disabled until a peer
 +        and a valid access list have been configured.
 +R1(config-crypto-map)#​set pee
 +R1(config-crypto-map)#​set peer 106.0.0.6
 +R1(config-crypto-map)#​set tra
 +R1(config-crypto-map)#​set transform-set IPSEC
 +R1(config-crypto-map)#​mat
 +R1(config-crypto-map)#​match add
 +R1(config-crypto-map)#​match address A-ipsec2
 +R1(config-crypto-map)#​exit
 +R1(config)#​int
 +R1(config)#​interface Loo
 +R1(config)#​interface Loopback 1
 +R1(config-if)#​
 +*Apr 21 02:​23:​38.914:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Loopback1, changed state to up
 +R1(config-if)#​100.0.0.1 255.255.255.255
 +              ^
 +% Invalid input detected at '​^'​ marker.
 +
 +R1(config-if)#​ip address 100.0.0.1 255.255.255.255
 +R1(config-if)#​int gig0/0
 +R1(config-if)#​ip tcp
 +R1(config-if)#​ip tcp ad
 +R1(config-if)#​ip tcp adjust-mss 1332
 +R1(config-if)#​int gig0/1
 +R1(config-if)#​no ip address
 +R1(config-if)#​pppoe en
 +R1(config-if)#​pppoe enable grou
 +R1(config-if)#​pppoe enable group glo
 +R1(config-if)#​pppoe enable group global ​
 +R1(config-if)#​
 +*Apr 21 02:​26:​56.038:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access1,​ changed state to up
 +R1(config-if)#​
 +*Apr 21 02:​26:​56.043:​ %LINK-3-UPDOWN:​ Interface Virtual-Access1,​ changed state to up
 +R1(config-if)#​pppoe-clie
 +R1(config-if)#​pppoe-client dia
 +R1(config-if)#​pppoe-client dial-pool-number 1
 +R1(config-if)#​no cdp en
 +R1(config-if)#​no cdp enable ​
 +R1(config-if)#​int tun0
 +R1(config-if)#​ip
 +*Apr 21 06:​53:​54.706:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to down
 +R1(config-if)#​ip address 192.168.12.1 255.255.255.0
 +R1(config-if)#​ip mt
 +R1(config-if)#​ip mtu 1372 tun
 +R1(config-if)#​ip mtu 1372 tunn
 +R1(config-if)#​ip mtu 1372      ​
 +R1(config-if)#​tunn
 +R1(config-if)#​tunnel sou
 +R1(config-if)#​tunnel source di
 +R1(config-if)#​tunnel source dialer 1
 +R1(config-if)#​tunn
 +R1(config-if)#​tunnel des
 +R1(config-if)#​tunnel destination 200.0.0.2
 +R1(config-if)#​int tun1
 +R1(config-if)#​ip ​
 +*Apr 21 06:​56:​07.425:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel1, changed state to downa
 +R1(config-if)#​ip address 192.168.16.1 255.255.255.0
 +R1(config-if)#​ip mt
 +R1(config-if)#​ip mtu 1372
 +R1(config-if)#​tun
 +R1(config-if)#​tunnel sou
 +R1(config-if)#​tunnel source Di
 +R1(config-if)#​tunnel source Dialer 1
 +R1(config-if)#​tunn
 +R1(config-if)#​tunnel desti
 +R1(config-if)#​tunnel destination 106.0.0.6
 +R1(config-if)#​int dia1
 +R1(config-if)#​ip unnu
 +R1(config-if)#​ip unnumbered Lo1
 +R1(config-if)#​ip mt
 +R1(config-if)#​ip mtu 1454
 +R1(config-if)#​enca
 +R1(config-if)#​encapsulation ppp]
 +                               ^
 +% Invalid input detected at '​^'​ marker.
 +
 +R1(config-if)#​encapsulation ppp 
 +R1(config-if)#​dial
 +R1(config-if)#​dialer poo
 +R1(config-if)#​dialer pool 10
 +R1(config-if)#​dial
 +R1(config-if)#​dialer-gr
 +R1(config-if)#​dialer-group 20
 +R1(config-if)#​ppp auth
 +R1(config-if)#​ppp authe
 +R1(config-if)#​ppp authentication chap call
 +R1(config-if)#​ppp authentication chap calli
 +R1(config-if)#​ppp authentication chap callin ​
 +R1(config-if)#​ppp chap hostname ccie@example.com
 +R1(config-if)#​ppp chap password cc13
 +R1(config-if)#​crypto
 +R1(config-if)#​crypto ma
 +R1(config-if)#​crypto map M-ipsec
 +R1(config-if)#​
 +*Apr 21 06:​58:​25.154:​ %CRYPTO-6-ISAKMP_ON_OFF:​ ISAKMP is ON
 +R1(config-if)#​ip acce
 +R1(config-if)#​ip access-group A-security in
 +R1(config-if)#​no cdp
 +R1(config-if)#​no cdp en
 +R1(config-if)#​no cdp enable ​
 +R1(config-if)#​no shut
 +R1(config-if)#​exit
 +R1(config)#​ip route 0.0.0.0 0.0.0.0 Di
 +R1(config)#​ip route 0.0.0.0 0.0.0.0 Dialer 1
 +R1(config)#​router ​
 +*Apr 21 06:​59:​06.439:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel1, changed state to up
 +R1(config)#​router ospf 1
 +*Apr 21 06:​59:​13.722:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to up
 +R1(config)#​router ospf 1
 +R1(config-router)#​netwo
 +R1(config-router)#​network 10.100.0.1 0.0.0.0 area 0
 +R1(config-router)#​netwo
 +R1(config-router)#​network 192.168.12.1 0.0.0.0 area 0
 +R1(config-router)#​netwo
 +R1(config-router)#​network 192.168.16.1 0.0.0.0 area 0
 +R1(config-router)#​exit
 +R1(config)#​int gig0/1
 +R1(config-if)#​pppoe-cli
 +R1(config-if)#​pppoe-client dial
 +R1(config-if)#​pppoe-client dial-pool-number 10
 +R1(config-if)#​do sh ru
 +*Apr 21 07:​01:​36.902:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 07:​01:​36.906:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +R1(config-if)#​do sh run 
 +*Apr 21 07:​01:​40.329:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access2,​ changed state to up
 +R1(config-if)#​do sh run int gi0/1
 +Building configuration...
 +
 +Current configuration : 202 bytes
 +!
 +interface GigabitEthernet0/​1
 + no ip address
 + ​duplex auto
 + speed auto
 + ​media-type rj45
 + pppoe enable group global
 + ​pppoe-client dial-pool-number 10
 + ​pppoe-client dial-pool-number 1
 + no cdp enable
 +end
 +
 +R1(config-if)#​no pppoe-client dial-pool-number 1
 +R1(config-if)#​do sh run int gi0/1               
 +Building configuration...
 +
 +Current configuration : 169 bytes
 +!
 +interface GigabitEthernet0/​1
 + no ip address
 + ​duplex auto
 + speed auto
 + ​media-type rj45
 + pppoe enable group global
 + ​pppoe-client dial-pool-number 10
 + no cdp enable
 +end
 +
 +R1(config-if)#​exit
 +R1(config)#​ip acce
 +R1(config)#​ip access-list exte
 +R1(config)#​ip access-list extended A-ipsec1
 +R1(config-ext-nacl)#​permi
 +R1(config-ext-nacl)#​permit gre hos
 +R1(config-ext-nacl)#​permit gre host 100.0.0.1 hos
 +R1(config-ext-nacl)#​permit gre host 100.0.0.1 host 200.0.0.2
 +R1(config-ext-nacl)#​exit ​
 +R1(config)#​ip acce
 +R1(config)#​ip access-list exte
 +R1(config)#​ip access-list extended A-ipsec2
 +R1(config-ext-nacl)#​permit gre host 100.0.0.1 host 106.0.0.6
 +R1(config-ext-nacl)#​exit
 +R1(config)#​ip acce
 +R1(config)#​ip access-list exte
 +R1(config)#​ip access-list extended A-security
 +R1(config-ext-nacl)#​permi
 +R1(config-ext-nacl)#​permit es
 +R1(config-ext-nacl)#​permit esp host 200.0.0.2 host 100.0.0.1
 +R1(config-ext-nacl)#​permi
 +R1(config-ext-nacl)#​permit udp hos
 +R1(config-ext-nacl)#​permit udp host 200.0.0.2 host 100.0.0.1 eq isak
 +R1(config-ext-nacl)#​permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp ​
 +R1(config-ext-nacl)#​permi
 +R1(config-ext-nacl)#​permit es
 +R1(config-ext-nacl)#​permit gr  ​
 +R1(config-ext-nacl)#​permit gre host 200.0.0.2 host 100.0.0.1
 +R1(config-ext-nacl)#​permit esp host 106.0.0.6 host 100.0.0.1
 +R1(config-ext-nacl)#​permit udp hsot 106.0.0.6 host 100.0.0.1 eq isakm
 +R1(config-ext-nacl)#​permit udp hsot 106.0.0.6 host 100.0.0.1 eq isakmp
 +R1(config-ext-nacl)#​permit udp host 106.0.0.6 host 100.0.0.1 eq isa   
 +R1(config-ext-nacl)#​permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp  ​
 +R1(config-ext-nacl)#​permit gre host 106.0.0.6 host 100.0.0.1 ​
 +R1(config-ext-nacl)#​permit icmp any any
 +R1(config-ext-nacl)#​exit
 +R1(config)#​do sh ip access-lists ​
 +Extended IP access list A-ipsec1
 +    10 permit gre host 100.0.0.1 host 200.0.0.2 (22 matches)
 +Extended IP access list A-ipsec2
 +    10 permit gre host 100.0.0.1 host 106.0.0.6 (18 matches)
 +Extended IP access list A-security
 +    10 permit esp host 200.0.0.2 host 100.0.0.1
 +    20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 +    30 permit gre host 200.0.0.2 host 100.0.0.1
 +    40 permit esp host 106.0.0.6 host 100.0.0.1
 +    50 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
 +    60 permit gre host 106.0.0.6 host 100.0.0.1
 +    70 permit icmp any any (2 matches)
 +R1(config)#​do sh ip access-lists ​
 +Extended IP access list A-ipsec1
 +    10 permit gre host 100.0.0.1 host 200.0.0.2 (23 matches)
 +Extended IP access list A-ipsec2
 +    10 permit gre host 100.0.0.1 host 106.0.0.6 (20 matches)
 +Extended IP access list A-security
 +    10 permit esp host 200.0.0.2 host 100.0.0.1
 +    20 permit udp host 200.0.0.2 host 100.0.0.1 eq isakmp
 +    30 permit gre host 200.0.0.2 host 100.0.0.1
 +    40 permit esp host 106.0.0.6 host 100.0.0.1
 +    50 permit udp host 106.0.0.6 host 100.0.0.1 eq isakmp
 +    60 permit gre host 106.0.0.6 host 100.0.0.1
 +    70 permit icmp any any (4 matches)
 +R1(config)#​diea
 +R1(config)#​diale
 +R1(config)#​dialer-li
 +R1(config)#​dialer-list 20 pro
 +R1(config)#​dialer-list 20 protocol ip per
 +R1(config)#​dialer-list 20 protocol ip permit ​
 +R1(config)#​^Z
 +R1#​pign ​
 +*Apr 21 07:​06:​47.551:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +R1#ping 100.1.3.3
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 100.1.3.3, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/8 ms
 +R1#
 +*Apr 21 08:​27:​32.430:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
 +R1#
 +*Apr 21 08:​51:​45.863:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 106.0.0.6 on Tunnel1 from LOADING to FULL, Loading Done
 +R1#sh ip ro ospf
 +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 +       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 +       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 +       E1 - OSPF external type 1, E2 - OSPF external type 2
 +       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 +       ia - IS-IS inter area, * - candidate default, U - per-user static route
 +       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 +       a - application route
 +       + - replicated route, % - next hop override, p - overrides from PfR
 +
 +Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 +
 +      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
 +O        10.6.0.0/24 [110/1001] via 192.168.16.6,​ 00:05:58, Tunnel1
 +O        10.200.0.0/​24 [110/1001] via 192.168.12.2,​ 00:30:11, Tunnel0
 +R1#sh ip ospf neigh
 +R1#sh ip ospf neighbor ​
 +
 +Neighbor ID     ​Pri ​  ​State ​          Dead Time   ​Address ​        ​Interface
 +106.0.0.6 ​        ​0 ​  ​FULL/ ​ -        00:​00:​34 ​   192.168.16.6 ​   Tunnel1
 +200.0.0.2 ​        ​0 ​  ​FULL/ ​ -        00:​00:​36 ​   192.168.12.2 ​   Tunnel0
 +R1#sh ip ro   
 +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 +       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 +       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 +       E1 - OSPF external type 1, E2 - OSPF external type 2
 +       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 +       ia - IS-IS inter area, * - candidate default, U - per-user static route
 +       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 +       a - application route
 +       + - replicated route, % - next hop override, p - overrides from PfR
 +
 +Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 +
 +S*    0.0.0.0/0 is directly connected, Dialer1
 +      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
 +O        10.6.0.0/24 [110/1001] via 192.168.16.6,​ 00:06:15, Tunnel1
 +C        10.100.0.0/​24 is directly connected, GigabitEthernet0/​0
 +L        10.100.0.1/​32 is directly connected, GigabitEthernet0/​0
 +O        10.200.0.0/​24 [110/1001] via 192.168.12.2,​ 00:30:28, Tunnel0
 +      100.0.0.0/​32 is subnetted, 2 subnets
 +C        100.0.0.1 is directly connected, Loopback1
 +C        100.1.3.3 is directly connected, Dialer1
 +      192.168.12.0/​24 is variably subnetted, 2 subnets, 2 masks
 +C        192.168.12.0/​24 is directly connected, Tunnel0
 +L        192.168.12.1/​32 is directly connected, Tunnel0
 +      192.168.16.0/​24 is variably subnetted, 2 subnets, 2 masks
 +C        192.168.16.0/​24 is directly connected, Tunnel1
 +L        192.168.16.1/​32 is directly connected, Tunnel1
 +R1#
 +</​code>​
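Review bot: the checks at the end of this transcript (''sh ip ospf neighbor'' showing FULL on Tunnel0 and Tunnel1, OSPF routes via the tunnels) prove the GRE tunnels are up but not that they are encrypted, and the GRE tunnel and OSPF behave the same without a crypto map. Add ''show crypto isakmp sa'' and ''show crypto ipsec sa'' output for both peers, with the encaps/decaps counters increasing, so the page demonstrates that the traffic is inside ESP.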
 +
 +<​code>​
 +R2#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R2(config)#​cryp
 +R2(config)#​crypto isakm
 +R2(config)#​crypto isakmp poli
 +R2(config)#​crypto isakmp policy 1
 +R2(config-isakmp)#​encr
 +R2(config-isakmp)#​encryption aes
 +R2(config-isakmp)#​encryption aes 
 +R2(config-isakmp)#​has
 +R2(config-isakmp)#​hash sha
 +R2(config-isakmp)#​auth
 +R2(config-isakmp)#​authentication pre
 +R2(config-isakmp)#​authentication pre-share ​
 +R2(config-isakmp)#​gro
 +R2(config-isakmp)#​group 2
 +R2(config-isakmp)#​exit
 +R2(config)#​cry
 +R2(config)#​crypto isakm
 +R2(config)#​crypto isakmp key pg1xpsk address 100.0.0.1
 +R2(config)#​cryp
 +R2(config)#​crypto isak
 +R2(config)#​crypto isakmp kee
 +R2(config)#​crypto isakmp keepalive 30 on-de
 +R2(config)#​crypto isakmp keepalive 30 on-demand ​
 +R2(config)#​cry
 +R2(config)#​crypto ipsec tran
 +R2(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sh
 +R2(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-hp
 +R2(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-hm
 +R2(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac ​
 +R2(cfg-crypto-trans)#​mod
 +R2(cfg-crypto-trans)#​mode tra
 +R2(cfg-crypto-trans)#​mode transport ​
 +R2(cfg-crypto-trans)#​exit
 +R2(config)#​cryp
 +R2(config)#​crypto ma
 +R2(config)#​crypto map M-ipsec 1 ipsec
 +R2(config)#​crypto map M-ipsec 1 ipsec-isakm
 +R2(config)#​crypto map M-ipsec 1 ipsec-isakmp ​
 +% NOTE: This new crypto map will remain disabled until a peer
 +        and a valid access list have been configured.
 +R2(config-crypto-map)#​set pee
 +R2(config-crypto-map)#​set peer 100.0.0.1
 +R2(config-crypto-map)#​set tran
 +R2(config-crypto-map)#​set transform-set IPSEC
 +R2(config-crypto-map)#​mat
 +R2(config-crypto-map)#​match add
 +R2(config-crypto-map)#​match address A-ipsec
 +R2(config-crypto-map)#​exit
 +R2(config)#​int lo1
 +R2(config-if)#​ip ad
 +*Apr 21 07:​09:​56.490:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Loopback1, changed state to up
 +R2(config-if)#​ip address 200.0.0.2 255.255.255.255
 +R2(config-if)#​int gig0/0
 +R2(config-if)#​ip tcp adj
 +R2(config-if)#​ip tcp adjust-mss 1332
 +R2(config-if)#​int gig0/1
 +R2(config-if)#​no ip address ​
 +R2(config-if)#​pppoe
 +R2(config-if)#​pppoe enabl
 +R2(config-if)#​pppoe enable gro
 +R2(config-if)#​pppoe enable group glo
 +R2(config-if)#​pppoe enable group global ​
 +R2(config-if)#​
 +*Apr 21 07:​10:​45.180:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access1,​ changed state to up
 +R2(config-if)#​p
 +*Apr 21 07:​10:​45.184:​ %LINK-3-UPDOWN:​ Interface Virtual-Access1,​ changed state to upp
 +R2(config-if)#​pppoe-cli
 +R2(config-if)#​pppoe-client dial
 +R2(config-if)#​pppoe-client dial-pool-number 10
 +R2(config-if)#​no cdp
 +R2(config-if)#​no cdp en
 +R2(config-if)#​no cdp enable ​
 +R2(config-if)#​int tunn0
 +R2(config-if)#​
 +*Apr 21 07:​11:​01.908:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to down
 +R2(config-if)#​ip add
 +R2(config-if)#​ip address 192.168.12.2 255.255.255.0
 +R2(config-if)#​ip mt
 +R2(config-if)#​ip mtu 1372
 +R2(config-if)#​tunn
 +R2(config-if)#​tunnel sou
 +R2(config-if)#​tunnel source Di
 +R2(config-if)#​tunnel source Dialer 1
 +R2(config-if)#​tunn
 +R2(config-if)#​tunnel desi
 +R2(config-if)#​tunnel desti
 +R2(config-if)#​tunnel destination 100.0.0.1
 +R2(config-if)#​int dia1
 +R2(config-if)#​ip unnu
 +R2(config-if)#​ip unnumbered Lo1
 +R2(config-if)#​ip mt
 +R2(config-if)#​ip mtu 1454
 +R2(config-if)#​enca
 +R2(config-if)#​encapsulation ppp dia
 +R2(config-if)#​encapsulation ppp    ​
 +R2(config-if)#​dia
 +R2(config-if)#​dialer poo
 +R2(config-if)#​dialer pool ?
 +  <​1-255> ​ Dialer pool number
 +
 +R2(config-if)#​dialer pool 10
 +R2(config-if)#​diale
 +R2(config-if)#​dialer
 +*Apr 21 08:​24:​59.932:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​24:​59.937:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​25:​01.832:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R2(config-if)#​dialer-g
 +*Apr 21 08:​25:​01.849:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R2(config-if)#​dialer-gr
 +R2(config-if)#​dialer-group 20
 +R2(config-if)#​ppp auth
 +R2(config-if)#​ppp auth
 +R2(config-if)#​ppp authe
 +R2(config-if)#​ppp auth?          ​
 +authentication ​ authorization  ​
 +
 +R2(config-if)#​ppp authe
 +R2(config-if)#​ppp authentication ​
 +*Apr 21 08:​25:​24.154:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​25:​24.156:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​25:​24.266:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R2(config-if)#​ppp authentication ​
 +*Apr 21 08:​25:​24.282:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R2(config-if)#​ppp authentication chap
 +R2(config-if)#​ppp authentication chap call
 +R2(config-if)#​ppp authentication chap calli
 +R2(config-if)#​ppp authentication chap callin ​
 +R2(config-if)#​ppp cha
 +R2(config-if)#​ppp chap hos
 +R2(config-if)#​ppp chap hostname ccie@example.com
 +R2(config-if)#​ppp chap password ​
 +*Apr 21 08:​25:​46.486:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​25:​46.490:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​25:​46.586:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R2(config-if)#​ppp chap password cc1
 +*Apr 21 08:​25:​46.601:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R2(config-if)#​ppp chap password cc13
 +R2(config-if)#​cry
 +R2(config-if)#​crypto ma
 +R2(config-if)#​crypto map M-ipsec
 +R2(config-if)#​
 +*Apr 21 08:​26:​04.464:​ %CRYPTO-6-ISAKMP_ON_OFF:​ ISAKMP is ON
 +R2(config-if)#​ip acce
 +R2(config-if)#​ip access-group A-
 +*Apr 21 08:​26:​08.819:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +R2(config-if)#​ip access-group A-secur
 +*Apr 21 08:​26:​08.824:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to upity in
 +R2(config-if)#​ip access-group A-security in
 +*Apr 21 08:​26:​10.668:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access2,​ changed state to up
 +R2(config-if)#​ip access-group A-security in
 +R2(config-if)#​no cdp en
 +R2(config-if)#​no cdp enable ​
 +R2(config-if)#​no shut
 +R2(config-if)#​no shutdown ​
 +R2(config-if)#​exit
 +R2(config)#​ip route 0.0.0.0 0.0.0.0 Dia
 +R2(config)#​ip route 0.0.0.0 0.0.0.0 Dialer 1
 +R2(config)#​router ospf 1
 +R2(config-router)#​netwo
 +R2(config-router)#​network 10.
 +*Apr 21 08:​26:​41.275:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to up
 +R2(config-router)#​network 10.200.0.2 0.0.0.0 area 0
 +R2(config-router)#​netwo
 +R2(config-router)#​network 192.168.12.2 0.0.0.0 area 0
 +R2(config-router)#​exit
 +R2(config)#​ip acce
 +R2(config)#​ip access-list exte
 +R2(config)#​ip access-list extended A-ipsec
 +R2(config-ext-nacl)#​permi
 +R2(config-ext-nacl)#​permit gre host 200.0.0.2 hos
 +R2(config-ext-nacl)#​permit gre host 200.0.0.2 host 100.0.0.1
 +R2(config-ext-nacl)#​exit
 +R2(config)#​ip ​
 +*Apr 21 08:​28:​05.450:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
 +R2(config)#​ip acc
 +R2(config)#​ip acce
 +R2(config)#​ip access-list exte
 +R2(config)#​ip access-list extended A-security
 +R2(config-ext-nacl)#​permit esp host 100.0.0.1 host 200.0.0.2
 +R2(config-ext-nacl)#​permi
 +R2(config-ext-nacl)#​permit udp host 100.0.0.1 host 200.0.0.2 eq isakm
 +R2(config-ext-nacl)#​permit udp host 100.0.0.1 host 200.0.0.2 eq isakmp ​
 +R2(config-ext-nacl)#​permi
 +R2(config-ext-nacl)#​permit gre hos
 +R2(config-ext-nacl)#​permit gre host 100.0.0.1 host 200.0.0.2
 +R2(config-ext-nacl)#​permit icmp any any
 +R2(config-ext-nacl)#​exit
 +R2(config)#​dialer
 +R2(config)#​dialer-li
 +R2(config)#​dialer-list 20 pro
 +R2(config)#​dialer-list 20 protocol ip
 +R2(config)#​dialer-list 20 protocol ip per
 +R2(config)#​dialer-list 20 protocol ip permit ​
 +R2(config)#​^Z
 +R2#
 +*Apr 21 08:​29:​29.695:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +R2#sh ip ospf neigh
 +
 +Neighbor ID     ​Pri ​  ​State ​          Dead Time   ​Address ​        ​Interface
 +100.0.0.1 ​        ​0 ​  ​FULL/ ​ -        00:​00:​37 ​   192.168.12.1 ​   Tunnel0
 +R2#sh ip ro ospf
 +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 +       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 +       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 +       E1 - OSPF external type 1, E2 - OSPF external type 2
 +       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 +       ia - IS-IS inter area, * - candidate default, U - per-user static route
 +       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 +       a - application route
 +       + - replicated route, % - next hop override, p - overrides from PfR
 +
 +Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 +
 +      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
 +O        10.100.0.0/​24 [110/1001] via 192.168.12.1,​ 00:02:14, Tunnel0
 +O     ​192.168.16.0/​24 [110/2000] via 192.168.12.1,​ 00:02:14, Tunnel0
 +R2#ping 192.168.16.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.16.1,​ timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/20 ms
 +R2#ping 192.168.16.6
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.16.6,​ timeout is 2 seconds:
 +.....
 +Success rate is 0 percent (0/5)
 +R2#ping 192.168.16.6
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 192.168.16.6,​ timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 21/24/32 ms
 +R2#
 +</​code>​
 +
 +<​code>​
 +R6#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +R6(config)#​cry
 +R6(config)#​crypto isakm
 +R6(config)#​crypto isakmp poli
 +R6(config)#​crypto isakmp policy 1
 +R6(config-isakmp)#​ecn
 +R6(config-isakmp)#​encr
 +R6(config-isakmp)#​encryption aes
 +R6(config-isakmp)#​encryption aes 
 +R6(config-isakmp)#​has
 +R6(config-isakmp)#​hash sh
 +R6(config-isakmp)#​hash sha
 +R6(config-isakmp)#​auh
 +R6(config-isakmp)#​auth
 +R6(config-isakmp)#​authentication pre
 +R6(config-isakmp)#​authentication pre-share ​
 +R6(config-isakmp)#​gr
 +R6(config-isakmp)#​group 2
 +R6(config-isakmp)#​exit
 +R6(config)#​cry
 +R6(config)#​crypto isak
 +R6(config)#​crypto isakmp key pg1xpsk address 100.0.0.1
 +R6(config)#​cry
 +R6(config)#​crypto isakm
 +R6(config)#​crypto isakmp kee
 +R6(config)#​crypto isakmp keepalive 30 on-de
 +R6(config)#​crypto isakmp keepalive 30 on-demand ​
 +R6(config)#​cry
 +R6(config)#​crypto ipsec trans
 +R6(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-h
 +R6(config)#​crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac ​
 +R6(cfg-crypto-trans)#​mod
 +R6(cfg-crypto-trans)#​mode tra
 +R6(cfg-crypto-trans)#​mode transport ​
 +R6(cfg-crypto-trans)#​exit
 +R6(config)#​cryp
 +R6(config)#​crypto ma
 +R6(config)#​crypto map M-ipsec 1 ipsec-isakm
 +R6(config)#​crypto map M-ipsec 1 ipsec-isakmp ​
 +% NOTE: This new crypto map will remain disabled until a peer
 +        and a valid access list have been configured.
 +R6(config-crypto-map)#​set pee
 +R6(config-crypto-map)#​set peer 100.0.0.1
 +R6(config-crypto-map)#​set tra
 +R6(config-crypto-map)#​set transform-set IPSEC
 +R6(config-crypto-map)#​mat
 +R6(config-crypto-map)#​match add
 +R6(config-crypto-map)#​match address A-ipsec
 +R6(config-crypto-map)#​exit
 +R6(config)#​int lo1
 +R6(config-if)#​ip a
 +*Apr 21 08:​42:​20.177:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Loopback1, changed state to up
 +R6(config-if)#​ip addre
 +R6(config-if)#​ip address 106.0.0.6 255.255.255.255
 +R6(config-if)#​inter
 +R6(config-if)#​int gig0/0
 +R6(config-if)#​ip tc
 +R6(config-if)#​ip tcp ad
 +R6(config-if)#​ip tcp adjust-mss 1332
 +R6(config-if)#​int gig0/1
 +R6(config-if)#​no ip add
 +R6(config-if)#​no ip address ​
 +R6(config-if)#​pppoe
 +R6(config-if)#​pppoe ena
 +R6(config-if)#​pppoe enable grou
 +R6(config-if)#​pppoe enable group globa
 +R6(config-if)#​pppoe enable group global ​
 +R6(config-if)#​ppp
 +*Apr 21 08:​44:​04.968:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access1,​ changed state to up
 +R6(config-if)#​pppoe
 +R6(config-if)#​pppoe
 +*Apr 21 08:​44:​04.975:​ %LINK-3-UPDOWN:​ Interface Virtual-Access1,​ changed state to up
 +R6(config-if)#​pppoe-cli
 +R6(config-if)#​pppoe-client dial
 +R6(config-if)#​pppoe-client dial-pool-number 10
 +R6(config-if)#​no cdp ena
 +R6(config-if)#​no cdp enable ​
 +R6(config-if)#​exit
 +R6(config)#​inter tunn
 +R6(config)#​inter tunnel 0
 +R6(config-if)#​
 +*Apr 21 08:​44:​25.068:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to down
 +R6(config-if)#​ip address 192.168.16.6 255.255.255.0
 +R6(config-if)#​ip mt
 +R6(config-if)#​ip mtu 1372
 +R6(config-if)#​tunne
 +R6(config-if)#​tunnel so
 +R6(config-if)#​tunnel source Dia
 +R6(config-if)#​tunnel source Dialer 1
 +R6(config-if)#​tunne
 +R6(config-if)#​tunnel desti
 +R6(config-if)#​tunnel destination 100.0.0.1
 +R6(config-if)#​exit
 +R6(config)#​int Dia
 +R6(config)#​int Dialer 1
 +R6(config-if)#​ip unnu
 +R6(config-if)#​ip unnumbered Lo1
 +R6(config-if)#​ip mt
 +R6(config-if)#​ip mtu 1454
 +R6(config-if)#​enca
 +R6(config-if)#​encapsulation ppp
 +R6(config-if)#​dial
 +R6(config-if)#​dialer poo
 +R6(config-if)#​dialer pool 10
 +R6(config-if)#​dial
 +R6(config-if)#​dialer-gr
 +R6(config-if)#​dialer-group ​
 +*Apr 21 08:​46:​20.268:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​46:​20.275:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​46:​22.144:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R6(config-if)#​dialer-group 2
 +*Apr 21 08:​46:​22.160:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R6(config-if)#​dialer-group 20
 +R6(config-if)#​ppp authe
 +R6(config-if)#​ppp authentication chap call
 +R6(config-if)#​ppp authentication chap calli
 +R6(config-if)#​ppp authentication chap call?  ​
 +WORD  callback ​ callin ​ callout
 +
 +R6(config-if)#​ppp authentication chap calli
 +R6(config-if)#​ppp authentication chap callin ​
 +R6(config-if)#​ppp chap hostname ccie@example.com
 +*Apr 21 08:​46:​44.462:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​46:​44.467:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​46:​44.576:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R6(config-if)#​ppp chap hostname ccie@example.com
 +*Apr 21 08:​46:​44.593:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R6(config-if)#​ppp chap hostname ccie@example.com
 +*Apr 21 08:​47:​06.798:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​47:​06.801:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​47:​06.895:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R6(config-if)#​ppp chap hostname ccie@example.com
 +*Apr 21 08:​47:​06.911:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R6(config-if)#​ppp chap hostname ccie@isp3.pg1x.net
 +R6(config-if)#​ppp chap pass
 +R6(config-if)#​ppp chap password cc
 +*Apr 21 08:​47:​29.116:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +*Apr 21 08:​47:​29.120:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +*Apr 21 08:​47:​29.223:​ %DIALER-6-UNBIND:​ Interface Vi2 unbound from profile Di1
 +R6(config-if)#​ppp chap password cc13
 +*Apr 21 08:​47:​29.250:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to down
 +R6(config-if)#​ppp chap password cc13
 +R6(config-if)#​
 +*Apr 21 08:​47:​51.476:​ %DIALER-6-BIND:​ Interface Vi2 bound to profile Di1
 +R6(config-if)#​
 +*Apr 21 08:​47:​51.480:​ %LINK-3-UPDOWN:​ Interface Virtual-Access2,​ changed state to up
 +R6(config-if)#​
 +*Apr 21 08:​47:​53.274:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Virtual-Access2,​ changed state to up
 +R6(config-if)#​cry
 +R6(config-if)#​crypto ma
 +R6(config-if)#​crypto map M-ipsec
 +R6(config-if)#​
 +*Apr 21 08:​48:​26.573:​ %CRYPTO-6-ISAKMP_ON_OFF:​ ISAKMP is ON
 +R6(config-if)#​ip access
 +R6(config-if)#​ip access-group A-security in
 +R6(config-if)#​no cdp en
 +R6(config-if)#​no cdp enable ​
 +R6(config-if)#​no shut
 +R6(config-if)#​no shutdown ​
 +R6(config-if)#​exit
 +R6(config)#​ip route 0.0.0.0 0.0.0.0 Dia
 +R6(config)#​ip route 0.0.0.0 0.0.0.0 Dialer 1
 +R6(config)#​router os
 +*Apr 21 08:​49:​14.081:​ %LINEPROTO-5-UPDOWN:​ Line protocol on Interface Tunnel0, changed state to up
 +R6(config)#​router ospf 1
 +R6(config-router)#​netwo
 +R6(config-router)#​network 10.6.0.6 0.0.0.0 area 0
 +R6(config-router)#​netwo
 +R6(config-router)#​network 192.168.16.6 0.0.0.0 area
 +R6(config-router)#​network 192.168.16.6 0.0.0.0 area 0
 +R6(config-router)#​exit
 +R6(config)#​ip acce
 +R6(config)#​ip access-list exte
 +R6(config)#​ip access-list extended A-ipsec
 +R6(config-ext-nacl)#​per
 +R6(config-ext-nacl)#​permit gre hos
 +R6(config-ext-nacl)#​permit gre host 106.0.0.6 hos
 +R6(config-ext-nacl)#​permit gre host 106.0.0.6 host 100.0.0.1
 +R6(config-ext-nacl)#​exit
 +R6(config)#​ip
 +*Apr 21 08:​52:​11.958:​ %OSPF-5-ADJCHG:​ Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
 +R6(config)#​ip acce
 +R6(config)#​ip access-list exte
 +R6(config)#​ip access-list extended A-security
 +R6(config-ext-nacl)#​permi
 +R6(config-ext-nacl)#​permit esp hos
 +R6(config-ext-nacl)#​permit esp host 100.0.0.1 hsot 106.0.0.6
 +                                               ^
 +% Invalid input detected at '​^'​ marker.
 +
 +R6(config-ext-nacl)#​permit esp host 100.0.0.1 hoot 106.0.0.6
 +                                                ^
 +% Invalid input detected at '​^'​ marker.
 +
 +R6(config-ext-nacl)#​permit esp host 100.0.0.1 host 106.0.0.6  ​
 +R6(config-ext-nacl)#​permi
 +R6(config-ext-nacl)#​permit gre host 100.0.0.1 host 106.0.0.6 ​
 +R6(config-ext-nacl)#​permit icm
 +R6(config-ext-nacl)#​permit icmp an
 +R6(config-ext-nacl)#​permit icmp any an
 +R6(config-ext-nacl)#​permit icmp any any 
 +R6(config-ext-nacl)#​exit ​         ​
 +R6(config)#​dialer
 +R6(config)#​dialer-lis
 +R6(config)#​dialer-list 20 proto
 +R6(config)#​dialer-list 20 protocol ip permi
 +R6(config)#​dialer-list 20 protocol ip permit ​
 +R6(config)#​^Z
 +R6#
 +*Apr 21 08:​54:​15.610:​ %SYS-5-CONFIG_I:​ Configured from console by console
 +R6#ping 100.0.0.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 5/7/11 ms
 +R6#ping 200.0.0.2
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 200.0.0.2, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 7/8/11 ms
 +R6#sh ip ospf neigh
 +
 +Neighbor ID     ​Pri ​  ​State ​          Dead Time   ​Address ​        ​Interface
 +100.0.0.1 ​        ​0 ​  ​FULL/ ​ -        00:​00:​37 ​   192.168.16.1 ​   Tunnel0
 +R6#sh ip ro   
 +Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 +       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 +       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 +       E1 - OSPF external type 1, E2 - OSPF external type 2
 +       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 +       ia - IS-IS inter area, * - candidate default, U - per-user static route
 +       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
 +       a - application route
 +       + - replicated route, % - next hop override, p - overrides from PfR
 +
 +Gateway of last resort is 0.0.0.0 to network 0.0.0.0
 +
 +S*    0.0.0.0/0 is directly connected, Dialer1
 +      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
 +C        10.6.0.0/24 is directly connected, GigabitEthernet0/​0
 +L        10.6.0.6/32 is directly connected, GigabitEthernet0/​0
 +O        10.100.0.0/​24 [110/1001] via 192.168.16.1,​ 00:02:54, Tunnel0
 +O        10.200.0.0/​24 [110/2001] via 192.168.16.1,​ 00:02:54, Tunnel0
 +      106.0.0.0/​32 is subnetted, 2 subnets
 +C        106.0.0.6 is directly connected, Loopback1
 +C        106.5.6.5 is directly connected, Dialer1
 +O     ​192.168.12.0/​24 [110/2000] via 192.168.16.1,​ 00:02:54, Tunnel0
 +      192.168.16.0/​24 is variably subnetted, 2 subnets, 2 masks
 +C        192.168.16.0/​24 is directly connected, Tunnel0
 +L        192.168.16.6/​32 is directly connected, Tunnel0
 +R6#                ​
 +</​code>​
 +
 +<​code>​
 +PC-2> ping 10.100.0.101
 +84 bytes from 10.100.0.101 icmp_seq=1 ttl=62 time=27.656 ms
 +84 bytes from 10.100.0.101 icmp_seq=2 ttl=62 time=11.363 ms
 +84 bytes from 10.100.0.101 icmp_seq=3 ttl=62 time=13.107 ms
 +84 bytes from 10.100.0.101 icmp_seq=4 ttl=62 time=12.313 ms
 +84 bytes from 10.100.0.101 icmp_seq=5 ttl=62 time=11.717 ms
 +
 +PC-2> ping 192.168.16.6 ​
 +84 bytes from 192.168.16.6 icmp_seq=1 ttl=253 time=20.835 ms
 +84 bytes from 192.168.16.6 icmp_seq=2 ttl=253 time=19.752 ms
 +84 bytes from 192.168.16.6 icmp_seq=3 ttl=253 time=21.734 ms
 +84 bytes from 192.168.16.6 icmp_seq=4 ttl=253 time=24.609 ms
 +84 bytes from 192.168.16.6 icmp_seq=5 ttl=253 time=22.443 ms
 +
 +PC-2> ping 10.6.0.105
 +84 bytes from 10.6.0.105 icmp_seq=1 ttl=61 time=37.842 ms
 +84 bytes from 10.6.0.105 icmp_seq=2 ttl=61 time=19.384 ms
 +84 bytes from 10.6.0.105 icmp_seq=3 ttl=61 time=19.323 ms
 +84 bytes from 10.6.0.105 icmp_seq=4 ttl=61 time=19.056 ms
 +84 bytes from 10.6.0.105 icmp_seq=5 ttl=61 time=19.007 ms
 +
 +PC-2> ​
 +
 +</​code>​
 +
 +<​code>​
 +R1#sh ip int brief
 +Interface ​                 IP-Address ​     OK? Method Status ​               Protocol
 +GigabitEthernet0/​0 ​        ​10.100.0.1 ​     YES NVRAM  up                    up      ​
 +GigabitEthernet0/​1 ​        ​unassigned ​     YES NVRAM  up                    up      ​
 +GigabitEthernet0/​2 ​        ​unassigned ​     YES NVRAM  administratively down down    ​
 +GigabitEthernet0/​3 ​        ​unassigned ​     YES NVRAM  administratively down down    ​
 +Dialer1 ​                   100.0.0.1 ​      YES TFTP   ​up ​                   up      ​
 +Loopback1 ​                 100.0.0.1 ​      YES manual up                    up      ​
 +Tunnel0 ​                   192.168.12.1 ​   YES manual up                    up      ​
 +Tunnel1 ​                   192.168.16.1 ​   YES manual up                    up      ​
 +Virtual-Access1 ​           unassigned ​     YES unset  up                    up      ​
 +Virtual-Access2 ​           unassigned ​     YES unset  up                    up      ​
 +R1#show ip ospf neighbo
 +R1#show ip ospf neighbor ​
 +
 +Neighbor ID     ​Pri ​  ​State ​          Dead Time   ​Address ​        ​Interface
 +106.0.0.6 ​        ​0 ​  ​FULL/ ​ -        00:​00:​34 ​   192.168.16.6 ​   Tunnel1
 +200.0.0.2 ​        ​0 ​  ​FULL/ ​ -        00:​00:​34 ​   192.168.12.2 ​   Tunnel0
 +R1#show cryp
 +R1#show crypto isakm
 +R1#show crypto ipsec sa 
 +
 +interface: Dialer1
 +    Crypto map tag: M-ipsec, local addr 100.0.0.1
 +
 +   ​protected vrf: (none)
 +   ​local ​ ident (addr/​mask/​prot/​port):​ (100.0.0.1/​255.255.255.255/​47/​0)
 +   ​remote ident (addr/​mask/​prot/​port):​ (106.0.0.6/​255.255.255.255/​47/​0)
 +   ​current_peer 106.0.0.6 port 500
 +     ​PERMIT,​ flags={origin_is_acl,​}
 +    #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
 +    #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
 +    #pkts compressed: 0, #pkts decompressed:​ 0
 +    #pkts not compressed: 0, #pkts compr. failed: 0
 +    #pkts not decompressed:​ 0, #pkts decompress failed: 0
 +    #send errors 0, #recv errors 0
 +
 +     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 106.0.0.6
 +     ​plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
 +     ​current outbound spi: 0x4566DF3D(1164369725)
 +     PFS (Y/N): N, DH group: none
 +
 +     ​inbound esp sas:
 +      spi: 0x28335F48(674455368)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4349249/​2911)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​inbound ah sas:
 +
 +     ​inbound pcp sas:
 +
 +     ​outbound esp sas:
 +      spi: 0x4566DF3D(1164369725)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4349249/​2911)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​outbound ah sas:
 +          ​
 +     ​outbound pcp sas:
 +
 +   ​protected vrf: (none)
 +   ​local ​ ident (addr/​mask/​prot/​port):​ (100.0.0.1/​255.255.255.255/​47/​0)
 +   ​remote ident (addr/​mask/​prot/​port):​ (200.0.0.2/​255.255.255.255/​47/​0)
 +   ​current_peer 200.0.0.2 port 500
 +     ​PERMIT,​ flags={origin_is_acl,​}
 +    #pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
 +    #pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264
 +    #pkts compressed: 0, #pkts decompressed:​ 0
 +    #pkts not compressed: 0, #pkts compr. failed: 0
 +    #pkts not decompressed:​ 0, #pkts decompress failed: 0
 +    #send errors 0, #recv errors 0
 +
 +     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
 +     ​plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
 +     ​current outbound spi: 0x8A138AFC(2316536572)
 +     PFS (Y/N): N, DH group: none
 +
 +     ​inbound esp sas:
 +      spi: 0x59DDE95E(1507715422)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4375654/​1464)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​inbound ah sas:
 +
 +     ​inbound pcp sas:
 +
 +     ​outbound esp sas:
 +      spi: 0x8A138AFC(2316536572)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4375654/​1464)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​outbound ah sas:
 +
 +     ​outbound pcp sas:
 +R1#show crypto ipsec sa
 +
 +interface: Dialer1
 +    Crypto map tag: M-ipsec, local addr 100.0.0.1
 +
 +   ​protected vrf: (none)
 +   ​local ​ ident (addr/​mask/​prot/​port):​ (100.0.0.1/​255.255.255.255/​47/​0)
 +   ​remote ident (addr/​mask/​prot/​port):​ (106.0.0.6/​255.255.255.255/​47/​0)
 +   ​current_peer 106.0.0.6 port 500
 +     ​PERMIT,​ flags={origin_is_acl,​}
 +    #pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104
 +    #pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104
 +    #pkts compressed: 0, #pkts decompressed:​ 0
 +    #pkts not compressed: 0, #pkts compr. failed: 0
 +    #pkts not decompressed:​ 0, #pkts decompress failed: 0
 +    #send errors 0, #recv errors 0
 +
 +     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 106.0.0.6
 +     ​plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
 +     ​current outbound spi: 0x4566DF3D(1164369725)
 +     PFS (Y/N): N, DH group: none
 +
 +     ​inbound esp sas:
 +      spi: 0x28335F48(674455368)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4349248/​2828)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​inbound ah sas:
 +
 +     ​inbound pcp sas:
 +
 +     ​outbound esp sas:
 +      spi: 0x4566DF3D(1164369725)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4349248/​2828)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​outbound ah sas:
 +          ​
 +     ​outbound pcp sas:
 +
 +   ​protected vrf: (none)
 +   ​local ​ ident (addr/​mask/​prot/​port):​ (100.0.0.1/​255.255.255.255/​47/​0)
 +   ​remote ident (addr/​mask/​prot/​port):​ (200.0.0.2/​255.255.255.255/​47/​0)
 +   ​current_peer 200.0.0.2 port 500
 +     ​PERMIT,​ flags={origin_is_acl,​}
 +    #pkts encaps: 271, #pkts encrypt: 271, #pkts digest: 271
 +    #pkts decaps: 273, #pkts decrypt: 273, #pkts verify: 273
 +    #pkts compressed: 0, #pkts decompressed:​ 0
 +    #pkts not compressed: 0, #pkts compr. failed: 0
 +    #pkts not decompressed:​ 0, #pkts decompress failed: 0
 +    #send errors 0, #recv errors 0
 +
 +     local crypto endpt.: 100.0.0.1, remote crypto endpt.: 200.0.0.2
 +     ​plaintext mtu 1410, path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
 +     ​current outbound spi: 0x8A138AFC(2316536572)
 +     PFS (Y/N): N, DH group: none
 +
 +     ​inbound esp sas:
 +      spi: 0x59DDE95E(1507715422)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4375652/​1381)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​inbound ah sas:
 +
 +     ​inbound pcp sas:
 +
 +     ​outbound esp sas:
 +      spi: 0x8A138AFC(2316536572)
 +        transform: esp-aes esp-sha-hmac ,
 +        in use settings ={Transport,​ }
 +        conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: M-ipsec
 +        sa timing: remaining key lifetime (k/sec): (4375653/​1381)
 +        IV size: 16 bytes
 +        replay detection support: Y
 +        Status: ACTIVE(ACTIVE)
 +
 +     ​outbound ah sas:
 +
 +     ​outbound pcp sas:
 +R1#
 +</​code>​
 +
 +ping and capture packets.
 +
 +{{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190421-091923.png}}
 +
 +<​code>​
 +R2#ping 10.6.0.105 repeat 100000
 +Type escape sequence to abort.
 +Sending 100000, 100-byte ICMP Echos to 10.6.0.105, timeout is 2 seconds:
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 +!!!!!!!!!!!!!!!!!.
 +Success rate is 99 percent (1347/​1348),​ round-trip min/avg/max = 9/26/90 ms
 +R2#
 +</​code>​
 +
 +{{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190421-091935.png}}
 +
 +{{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190421-091941.png}}
 +
 +{{:​tech:​network:​cisco:​vpn:​tunneling:​gre-over-ipsec:​pasted:​20190421-091947.png}}
  
 ===== References ===== ===== References =====
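Review bot: R6's A-security access list, as entered in the R6 transcript, has no "permit udp host 100.0.0.1 host 106.0.0.6 eq isakmp" entry, although R2's A-security has the equivalent line. On R6 the OSPF adjacency over Tunnel0 reached FULL at 08:52:11, before A-security was defined, so the SAs were negotiated while the interface referenced an access list that did not yet exist. Once the list is in place, inbound UDP 500 from 100.0.0.1 falls through to the implicit deny, so the "crypto isakmp keepalive 30 on-demand" exchanges and any later IKE renegotiation with R1 would be dropped. Suggest adding the isakmp permit on R6 to match R2, and re-running "show crypto isakmp sa" after a lifetime expiry to confirm. Two smaller points on the same hunk: the transcripts publish the pre-shared key ("crypto isakmp key pg1xpsk address 100.0.0.1") and the CHAP password in clear text, which would be better replaced with placeholders. The ISAKMP policy uses "group 2" with "hash sha", and "show crypto ipsec sa" reports "PFS (Y/N): N", so a sentence saying these are lab parameters would stop readers copying them into production as-is. The tab-completion keystrokes and interleaved syslog lines also make the R2 and R6 blocks hard to follow; a cleaned final configuration per router next to the raw session would help.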
tech/network/cisco/vpn/tunneling/gre-over-ipsec/gre-over-ipsec.1555455329.txt.gz · Last modified: 2019/04/16 22:55 by wnoguchi