Labbed up IPsec channel, and GRE/IPsec

lildeezullildeezul Member Posts: 404
I finally got to lab up my studies with IPsec and GRE tunnels. I first created a site-to-site VPN tunnel on both routers via the CLI, and it worked perfectly: `show crypto isakmp sa` showed QM_IDLE, and `show crypto ipsec sa` showed an increasing number of encapsulated and decapsulated packets. I then used SDM to configure one router with a secure GRE tunnel to transport routing updates securely over IPsec.

My lab Worked out great. Here are the configs.

BB(10.1.1.1)
router
(10.1.1.6)Site_1
172.30.100.1(GRE) 172.30.100.2 (GRE)
| |
| |
172.30.1.0 172.30.10.0

HERE IS THE IPSEC CLI CONFIG FOR ONLY BB ROUTER
!
! BB router: first build (plain IPsec site-to-site, CLI-configured).
hostname BB
!
boot-start-marker
boot-end-marker
!
! NOTE: this type-5 hash has been pasted into a public post; treat the
! enable secret as exposed and change it before reusing this config.
enable secret 5 $1$gC3E$xA/BSLETtveu2JXWmsDdW/
!
! No AAA: the per-line login settings at the bottom are the only login control.
no aaa new-model
ip subnet-zero
ip cef
!
!
! Keep the first 20 host addresses (router is .1) out of the DHCP pool.
ip dhcp excluded-address 172.30.1.1 172.30.1.20
!
ip dhcp pool BB_LAN
   import all
   network 172.30.1.0 255.255.255.0
   default-router 172.30.1.1
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! IKE phase 1 policy: AES-192, pre-shared key, DH group 2.
! NOTE(review): no "hash" or "lifetime" line, so the IOS defaults apply
! (SHA-1 and 86400 s) - confirm on the running image. DH group 2 (1024-bit
! MODP) is fine for a lab but below current guidance.
crypto isakmp policy 100
 encr aes 192
 authentication pre-share
 group 2
! Pre-shared key "cisco" for peer 10.1.1.6, stored in clear text in the
! config - lab only. "no-xauth" skips extended authentication for this
! site-to-site peer.
crypto isakmp key cisco address 10.1.1.6 no-xauth
!
! Empty per-peer entry: no attributes are configured under it.
crypto isakmp peer address 10.1.1.6
!
!
! IKE phase 2 proposal: ESP with AES-192 encryption and SHA-1 HMAC integrity.
crypto ipsec transform-set AES192_SHA esp-aes 192 esp-sha-hmac
!
! Crypto map bound to Serial1/0: traffic matching INTERESTING_TRAFFIC
! (LAN-to-LAN) triggers IKE with 10.1.1.6. No "set pfs", so phase 2
! rekeys do not perform a fresh DH exchange.
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.1.6
 set transform-set AES192_SHA
 match address INTERESTING_TRAFFIC
!
!
!
!
! LAN interface (NAT inside).
interface Ethernet0/0
 ip address 172.30.1.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
! WAN /30 to the site router (10.1.1.6). Crypto map VPN is applied here, so
! IPsec is applied to packets leaving this interface, after NAT has run.
interface Serial1/0
 ip address 10.1.1.1 255.255.255.252
 ip nat outside
 clock rate 128000
 crypto map VPN
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
! PAT everything permitted by NAT_ADDRESSES to the Serial1/0 address. That
! ACL denies LAN-to-LAN traffic first, so VPN traffic keeps its private
! source address and still matches INTERESTING_TRAFFIC.
ip nat inside source list NAT_ADDRESSES interface Serial1/0 overload
! NOTE: plaintext HTTP management is enabled alongside HTTPS.
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
!
!
! Crypto ACL: the traffic that must be encrypted (mirrored on the peer).
ip access-list extended INTERESTING_TRAFFIC
 permit ip 172.30.1.0 0.0.0.255 172.30.10.0 0.0.0.255
! NAT ACL: exempt the VPN traffic from translation, PAT everything else.
ip access-list extended NAT_ADDRESSES
 deny   ip 172.30.1.0 0.0.0.255 172.30.10.0 0.0.0.255
 permit ip 172.30.1.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 exec prompt timestamp
line aux 0
! NOTE: "no login" gives VTY sessions an exec prompt with no password at all;
! only the enable secret stands between a remote session and privileged mode.
! Lab-only - never leave this on a reachable device.
line vty 0 4
 no login
!
!
end
HERE IS THE SDM CONFIG OF THE SITE_1 GRE/IPSEC
! Site router: SDM-generated GRE-over-IPsec build. The hostname is Site_2
! although the write-up and diagram call this router Site_1.
hostname Site_2
!
boot-start-marker
boot-end-marker
!
no logging buffered
! NOTE: type-5 hash pasted into a public post - treat as exposed and change it.
enable secret 5 $1$Gzfz$uiu5WZh73Y4mUpK1wARTK/
!
! AAA is enabled, but no authentication method lists or usernames appear in
! this listing; verify how the VTY lines authenticate on this box.
aaa new-model
!
!
aaa session-id common
ip subnet-zero
!
!
ip cef
ip dhcp excluded-address 172.30.10.1 172.30.10.100
!
ip dhcp pool SITE_2_LAN
   import all
   network 172.30.10.0 255.255.255.0
   default-router 172.30.10.1 
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! 
!
! Two IKE policies. Policy 1 (3DES) is the SDM default and, having the lower
! number, is offered first; 3DES is legacy and weaker than AES-192.
! Policy 10 is the one that matches BB's policy 100 (AES-192, PSK, group 2).
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 192
 authentication pre-share
 group 2
! Clear-text pre-shared key "cisco" for peer 10.1.1.1 - lab only.
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set AES192_SHA esp-aes 192 esp-sha-hmac 
!
! Entry 1: protect raw LAN-to-LAN IP traffic to the same peer. Once LAN
! traffic is routed through Tunnel0 it arrives here as GRE and hits entry 2
! instead; note that BB's GRE build only permits GRE in its crypto ACL, so a
! phase-2 negotiation for this entry would have no matching selector on the
! far side - verify whether entry 1 is still needed.
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to10.1.1.1
 set peer 10.1.1.1
 set transform-set AES192_SHA 
 match address INTERESTING_TRAFFIC
! Entry 2: protect the GRE tunnel packets themselves (ACL 100).
crypto map SDM_CMAP_1 2 ipsec-isakmp 
 description Tunnel to10.1.1.1
 set peer 10.1.1.1
 set transform-set AES192_SHA 
 match address 100
!
!
!
! GRE tunnel to BB. "ip mtu 1420" leaves headroom for GRE + ESP overhead so
! LAN packets are not fragmented after encapsulation. The crypto map is
! bound to the tunnel as well as to the physical interface - the legacy
! pattern; "tunnel protection ipsec profile" is the current way to protect
! a GRE tunnel and avoids the double binding.
interface Tunnel0
 ip address 172.30.100.2 255.255.255.0
 ip mtu 1420
 tunnel source Ethernet0/1
 tunnel destination 10.1.1.1
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
! LAN interface (NAT inside).
interface Ethernet0/0
 ip address 172.30.10.1 255.255.255.0
 no ip redirects
 ip nat inside
 half-duplex
 fair-queue
!
! WAN interface; crypto map SDM_CMAP_1 encrypts GRE (entry 2) and any raw
! LAN-to-LAN traffic (entry 1) leaving here.
interface Ethernet0/1
 description $ETH-WAN$
 ip address 10.1.1.6 255.255.255.252
 ip nat outside
 half-duplex
 crypto map SDM_CMAP_1
!
! EIGRP across the GRE tunnel carries the LAN routes. The /32 statements
! are redundant with the /24 ones. No EIGRP authentication is configured,
! so the adjacency relies on IPsec alone for integrity.
router eigrp 1
 network 172.30.10.1 0.0.0.0
 network 172.30.10.0 0.0.0.255
 network 172.30.100.2 0.0.0.0
 network 172.30.100.0 0.0.0.255
 no auto-summary
!
! PAT via route-map (SDM style); NAT_ADDRESSES exempts the VPN traffic.
ip nat inside source route-map SDM_RMAP_1 interface Ethernet0/1 overload
! NOTE: plaintext HTTP (used by SDM) is enabled alongside HTTPS.
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/1
!
!
!
! Crypto ACL for map entry 1 (LAN-to-LAN). The "log" keyword is unusual on
! a crypto ACL; confirm it has the intended effect rather than being ignored.
ip access-list extended INTERESTING_TRAFFIC
 remark permit intersting traffic to generate ipsec channel
 remark SDM_ACL Category=4
 permit ip 172.30.10.0 0.0.0.255 172.30.1.0 0.0.0.255 log
! NAT exemption: VPN traffic is denied (left untranslated), the rest is PAT'd.
ip access-list extended NAT_ADDRESSES
 remark SDM_ACL Category=16
 deny   ip 172.30.10.0 0.0.0.255 172.30.1.0 0.0.0.255 log
 permit ip 172.30.10.0 0.0.0.255 any
! Crypto ACL for map entry 2: the GRE packets between the two tunnel
! endpoints, mirrored by BB's INTERESTING_TRAFFIC in the GRE build.
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 10.1.1.6 host 10.1.1.1
!
route-map SDM_RMAP_1 permit 1
 match ip address NAT_ADDRESSES
!
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
 logging synchronous
! With "aaa new-model" on and no "login" or "transport input" shown here,
! VTY authentication falls back to the AAA defaults - verify before exposing.
line vty 0 4
!
!
end


HERE IS THE CLI CONFIG OF BB GRE/IPSEC

! BB router: second build (GRE over IPsec, CLI-configured).
hostname BB
!
boot-start-marker
boot-end-marker
!
! NOTE: this type-5 hash has been pasted into a public post; treat the
! enable secret as exposed and change it before reusing this config.
enable secret 5 $1$gC3E$xA/BSLETtveu2JXWmsDdW/
!
! No AAA: the per-line login settings at the bottom are the only login control.
no aaa new-model
ip subnet-zero
ip cef
!
!
! Keep the first 20 host addresses (router is .1) out of the DHCP pool.
ip dhcp excluded-address 172.30.1.1 172.30.1.20
!
ip dhcp pool BB_LAN
   import all
   network 172.30.1.0 255.255.255.0
   default-router 172.30.1.1
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! IKE phase 1 policy, unchanged from the first build: AES-192, PSK, DH group 2
! (no "hash"/"lifetime" lines, so IOS defaults apply - confirm on the image).
crypto isakmp policy 100
 encr aes 192
 authentication pre-share
 group 2
! Clear-text pre-shared key "cisco" for peer 10.1.1.6 - lab only.
crypto isakmp key cisco address 10.1.1.6 no-xauth
!
crypto isakmp peer address 10.1.1.6
! This ISAKMP profile has no "match identity", so it never selects a peer
! and is effectively dead config (see the author's note below).
crypto isakmp profile GRE_IPSEC
! This profile is incomplete (no match identity statement)
!
!
crypto ipsec transform-set AES192_SHA esp-aes 192 esp-sha-hmac
!
! IPsec profile intended for "tunnel protection", but it is never applied:
! Tunnel0 below has no "tunnel protection ipsec profile GRE_IPSEC". GRE is
! instead matched by crypto map VPN on Serial1/0 through the "permit gre"
! crypto ACL, which is consistent with the rising SA counters in the post.
crypto ipsec profile GRE_IPSEC
 set transform-set AES192_SHA
!
!
! INTERESTING_TRAFFIC now matches GRE only (see the ACL below), so LAN-to-LAN
! traffic is protected only when it is routed through Tunnel0.
crypto map VPN 10 ipsec-isakmp
 set peer 10.1.1.6
 set transform-set AES192_SHA
 match address INTERESTING_TRAFFIC
!
!
!
!
! GRE tunnel to the site router. No crypto map and no "tunnel protection"
! here; protection comes from crypto map VPN on the tunnel source interface
! Serial1/0 (the "permit gre" crypto ACL). Unlike the peer's "ip mtu 1420",
! no tunnel MTU is set, so large LAN packets may fragment after
! encapsulation - confirm if throughput matters.
interface Tunnel0
 ip address 172.30.100.1 255.255.255.0
 tunnel source Serial1/0
 tunnel destination 10.1.1.6
!
! LAN interface (NAT inside).
interface Ethernet0/0
 ip address 172.30.1.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
! WAN /30 to the site router; crypto map VPN encrypts the GRE packets that
! Tunnel0 sources from this interface.
interface Serial1/0
 ip address 10.1.1.1 255.255.255.252
 ip nat outside
 clock rate 128000
 crypto map VPN
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
! EIGRP over the tunnel exchanges the LAN routes. No EIGRP authentication is
! configured; integrity of the hellos comes from ESP-SHA on the GRE packets.
router eigrp 1
 network 172.30.1.1 0.0.0.0
 network 172.30.100.1 0.0.0.0
 no auto-summary
!
ip nat inside source list NAT_ADDRESSES interface Serial1/0 overload
! NOTE: plaintext HTTP management is enabled alongside HTTPS.
ip http server
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
!
!
! Crypto ACL now selects the GRE packets between the tunnel endpoints
! (mirror of Site_2's access-list 100); the plain LAN-to-LAN entry is gone.
ip access-list extended INTERESTING_TRAFFIC
 permit gre host 10.1.1.1 host 10.1.1.6
! NAT exemption for LAN-to-LAN traffic is kept. With LAN traffic riding the
! tunnel (Tunnel0 is not "ip nat outside") this deny is belt-and-braces.
ip access-list extended NAT_ADDRESSES
 deny   ip 172.30.1.0 0.0.0.255 172.30.10.0 0.0.0.255
 permit ip 172.30.1.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 exec prompt timestamp
line aux 0
! NOTE: "no login" gives VTY sessions an exec prompt with no password at all;
! only the enable secret stands between a remote session and privileged mode.
! Lab-only - never leave this on a reachable device.
line vty 0 4
 no login
!
!
end


I am very excited I got this lab done. With the GRE/IPsec build, I noticed the encapsulated and decapsulated packet counters were rising on their own; I am guessing those are from the encrypted EIGRP hello messages?

Anyway, fun lab — a lot of stuff to configure though.

on to easy vpn...icon_wink.gif

Comments

  • APAAPA Member Posts: 959
    good stuff!

    Not so hard once you look back on what you've configured :)

    I hate those descriptions that SDM creates!!!! arggggh :p

  • bighornsheepbighornsheep Member Posts: 1,506
    You might want to double check your BB router, I don't see your crypto map applied to the tunnel interface. GRE wouldn't be running over IPsec....