http://insearchofthecert.blogspot.com/2012/08/gre.html
and
http://insearchofthecert.blogspot.com/2012/08/gre-with-crypto.html
same concept as those earlier posts, but with the added complexity of nat, which, if you followed the first two of these labs, is already good to go...
i think the lab does this backwards... establishing the tunnel first is vital...
branch
int tunnel0
ip add 172.16.100.2 255.255.255.252
tunnel source 209.165.200.242
tunnel destination 209.165.200.226
hq
int tunnel0
ip add 172.16.100.1 255.255.255.252
tunnel source 209.165.200.226
tunnel destination 209.165.200.242
hq(config-if)#
*Aug 28 14:32:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
adding the crypto now would be silly because neither end has a route that sends the private networks across the 172.16.100.0/30 tunnel, so there is nothing to test yet... after all this is route, and setting up static and default routes for this lab from the very beginning, as opposed to a dynamic routing protocol, was, in a word, awful... let's do some dynamic routing and fix this mess...
branch
router eigrp 1
netw 192.168.1.0 0.0.0.255
netw 172.16.100.0 0.0.0.3
no auto-summ
hq
router eigrp 1
netw 10.10.0.0 0.0.255.255
netw 172.16.100.0 0.0.0.3
no auto-summ
*Aug 28 14:44:57: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.100.2 (Tunnel0) is up: new adjacency
i feel so much better already... now encrypt the traffic...
steps:
set up isakmp policy
set ipsec details
set vpn tunnel information
specify acl/traffic
apply crypto map to interface
branch
crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key suck-key address 209.165.200.226
crypto ipsec transform-set hqt-set esp-3des esp-sha-hmac
crypto map sec-map 10 ipsec-isakmp
set peer 209.165.200.226
set transform-set hqt-set
match address vpn-acl
exit
ip access-list ext vpn-acl
permit gre host 209.165.200.242 host 209.165.200.226
exit
int s1/1
crypto map sec-map
exit
and flip it for the hq router...
crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key suck-key address 209.165.200.242
crypto ipsec transform-set hqt-set esp-3des esp-sha-hmac
crypto map sec-map 10 ipsec-isakmp
set peer 209.165.200.242
set transform-set hqt-set
match address vpn-acl
exit
ip access-list ext vpn-acl
permit gre host 209.165.200.226 host 209.165.200.242
exit
int s1/2
crypto map sec-map
exit
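before typing the crypto onto two routers it is worth checking that the two halves really are mirror images, because a policy, key or transform-set that doesn't match is the usual reason phase 1 or phase 2 never comes up, and a crypto acl that isn't mirrored means one side expects encrypted gre the other never sends. the following python lint is an added example, not part of the original post and not a cisco tool: it parses the branch and hq snippets above (only the command forms used here, abbreviations as typed), confirms the two sides mirror each other, and flags the legacy algorithms in this lab config, 3des and dh group 2, which cisco's next generation encryption guidance says to avoid. the parsing rules and the legacy-algorithm list are my assumptions for this page, not anything the post defines.

```python
import re

# Both crypto snippets as typed in the post (branch, then hq), embedded so the check runs offline.
BRANCH_CFG = """crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key suck-key address 209.165.200.226
crypto ipsec transform-set hqt-set esp-3des esp-sha-hmac
crypto map sec-map 10 ipsec-isakmp
set peer 209.165.200.226
set transform-set hqt-set
match address vpn-acl
exit
ip access-list ext vpn-acl
permit gre host 209.165.200.242 host 209.165.200.226
exit
int s1/1
crypto map sec-map
exit"""

HQ_CFG = """crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key suck-key address 209.165.200.242
crypto ipsec transform-set hqt-set esp-3des esp-sha-hmac
crypto map sec-map 10 ipsec-isakmp
set peer 209.165.200.242
set transform-set hqt-set
match address vpn-acl
exit
ip access-list ext vpn-acl
permit gre host 209.165.200.226 host 209.165.200.242
exit
int s1/2
crypto map sec-map
exit"""

def parse_peer(cfg):
    # Fields two crypto-map peers must agree on; only the command forms used in the post (lab lint, not an IOS parser)
    p = {"policy": {}, "keys": {}, "tsets": {}, "peer": None, "tset": None,
         "acl_name": None, "acls": {}, "applied": False}
    block, acl = None, None
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] == "exit":
            block = None
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            block = "policy"
        elif w[:3] == ["crypto", "isakmp", "key"]:
            p["keys"][w[5]] = w[3]                  # PSK indexed by peer address
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["tsets"][w[3]] = tuple(w[4:])         # name -> (esp cipher, esp auth)
        elif w[:2] == ["crypto", "map"] and block == "iface":
            p["applied"] = True                     # `crypto map NAME` under an interface
        elif w[:2] == ["crypto", "map"]:
            block = "map"                           # `crypto map NAME SEQ ipsec-isakmp`
        elif w[:2] == ["ip", "access-list"]:
            block, acl = "acl", w[3]
            p["acls"][acl] = []
        elif w[0] in ("int", "interface"):
            block = "iface"
        elif block == "policy":
            p["policy"][w[0]] = " ".join(w[1:])     # encryption / authentication / group
        elif block == "map" and w[0] in ("set", "match"):
            p[{"peer": "peer", "transform-set": "tset", "address": "acl_name"}[w[1]]] = w[2]
        elif block == "acl" and w[0] == "permit":
            p["acls"][acl].append((w[1], w[3], w[5]))   # permit gre host SRC host DST
    return p

def check_pair(a_cfg, b_cfg):
    # errors break phase 1 / phase 2; warnings are algorithms Cisco NGE lists as legacy (DES/3DES, MD5, DH 1/2)
    a, b = parse_peer(a_cfg), parse_peer(b_cfg)
    errors, warnings = [], []
    if a["policy"] != b["policy"]:
        errors.append("isakmp policy mismatch: %s vs %s" % (a["policy"], b["policy"]))
    a_acl, b_acl = a["acls"].get(a["acl_name"], []), b["acls"].get(b["acl_name"], [])
    if not a_acl or not b_acl:
        return errors + ["crypto ACL missing or empty on one side"], warnings
    a_addr, b_addr = a_acl[0][1], b_acl[0][1]   # local public address = source of the crypto ACL
    if a["peer"] != b_addr or b["peer"] != a_addr:
        errors.append("set peer does not match the other side's public address")
    if a["keys"].get(b_addr) is None or a["keys"].get(b_addr) != b["keys"].get(a_addr):
        errors.append("pre-shared key missing or differs between peers")
    a_ts, b_ts = a["tsets"].get(a["tset"]), b["tsets"].get(b["tset"])
    if a_ts is None or a_ts != b_ts:
        errors.append("transform-set mismatch: %s vs %s" % (a_ts, b_ts))
    for proto, src, dst in a_acl:
        if (proto, dst, src) not in b_acl:
            errors.append("ACL entry %s %s->%s has no mirror on the other side" % (proto, src, dst))
    errors += ["crypto map not applied to an interface on side " + s for s, p in (("a", a), ("b", b)) if not p["applied"]]
    for item in ["%s %s" % kv for kv in a["policy"].items()] + list(a_ts or ()):
        if re.search(r"\b(3?des|md5)\b", item) or item in ("group 1", "group 2"):
            warnings.append("legacy algorithm in use: " + item)
    return errors, warnings
```

check_pair(BRANCH_CFG, HQ_CFG) returns no errors for the config above and two warnings, one for group 2 and one for esp-3des; change the hq transform-set to esp-aes, or break one side's acl, and it reports the mismatch instead. the pre-shared key in the post is fine for a lab, but in production use a long random key per peer, swap 3des and group 2 for aes and group 14 or better (or ikev2), and note that since gre already supplies the outer ip header, `mode transport` on the transform set would also work here and saves 20 bytes per packet.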
hq#trace 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.100.2 20 msec 28 msec *
branch#sh crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Serial1/1
Uptime: 00:07:51
Session status: UP-ACTIVE
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 209.165.200.226
Desc: (none)
IKEv1 SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
Capabilities:(none) connid:1001 lifetime:22:47:35
IPSEC FLOW: permit 47 host 209.165.200.242 host 209.165.200.226
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 126 drop 0 life (KB/Sec) 4367615/3128
Outbound: #pkts enc'ed 121 drop 0 life (KB/Sec) 4367616/3128
the next trace shows that traffic to the imaginary internet does not traverse the tunnel... the first hop is the upstream next hop 209.165.200.241, not the tunnel address 172.16.100.1...
branch#trace 209.165.200.238 source 192.168.1.1
Type escape sequence to abort.
Tracing the route to 209.165.200.238
VRF info: (vrf in name/id, vrf out name/id)
1 209.165.200.241 12 msec 8 msec 4 msec
2 209.165.200.226 12 msec 16 msec *
and this one shows that traffic for the private network (the imaginary email server) does use the tunnel... the first hop is 172.16.100.1, the hq end of tunnel0...
branch#trace 10.10.20.238 source 192.168.1.1
Type escape sequence to abort.
Tracing the route to 10.10.20.238
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.100.1 20 msec 20 msec *
branch#