I have created a simple IPsec tunnel configuration between two Cisco routers, R1 and R3, with R2 as the transit router between them. The loopback addresses 2.2.2.2 (R1) and 3.3.3.3 (R3) communicate over the IPsec tunnel formed between R1 and R3. I used three routers in GNS3 for the configuration. The configuration of each router is below.
R1
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key san address 15.15.15.1
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto map test 10 ipsec-isakmp
set peer 15.15.15.1
set transform-set VPN
match address traffic
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface Loopback1
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 14.14.14.1 255.255.255.0
duplex auto
speed auto
crypto map test
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 3.3.3.0 255.255.255.0 14.14.14.2
ip route 15.15.15.0 255.255.255.0 14.14.14.2
!
!
no ip http server
no ip http secure-server
!
ip access-list extended traffic
permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R2
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface FastEthernet0/0
ip address 14.14.14.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 15.15.15.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R3
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key san address 14.14.14.1
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto map test 10 ipsec-isakmp
set peer 14.14.14.1
set transform-set VPN
match address traffic
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface Loopback1
ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 15.15.15.1 255.255.255.0
duplex auto
speed auto
crypto map test
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 2.2.2.0 255.255.255.0 15.15.15.2
ip route 14.14.14.0 255.255.255.0 15.15.15.2
!
!
no ip http server
no ip http secure-server
!
ip access-list extended traffic
permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
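One check worth running before relying on a tunnel like this is a consistency audit of the two crypto-map peers' configs. The following Python script is added here and is not part of the original post: it parses constructed, trimmed excerpts of the R1 and R3 configs above and reports mismatches (pre-shared key, transform-set, mirrored crypto ACL, ISAKMP key address versus `set peer`) together with the weak settings these configs carry (a three-character PSK, DH group 2, SSH version 1); the 16-character PSK and group-14 thresholds are the script's own assumptions.

```python
import re

# Constructed, trimmed excerpt of R1's running-config from this page; R3 is the
# same with the peer addresses and the crypto ACL reversed, as on the page.
R1 = """hostname R1
crypto isakmp policy 1
 group 2
crypto isakmp key san address 15.15.15.1
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
crypto map test 10 ipsec-isakmp
 set peer 15.15.15.1
ip ssh version 1
ip access-list extended traffic
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
"""
R3 = R1.replace("hostname R1", "hostname R3").replace("15.15.15.1", "14.14.14.1").replace(
    "permit ip 2.2.2.0 0.0.0.255 3.3.3.0", "permit ip 3.3.3.0 0.0.0.255 2.2.2.0")

def parse(cfg):
    # Extract the fields that must agree between two crypto-map peers.
    get = lambda pat, n=1: re.search(pat, cfg, re.M).group(n)
    return {
        "host": get(r"^hostname (\S+)"),
        "psk": get(r"^crypto isakmp key (\S+) address (\S+)"),
        "key_addr": get(r"^crypto isakmp key (\S+) address (\S+)", 2),
        "peer": get(r"^ set peer (\S+)"),
        "transform": get(r"^crypto ipsec transform-set \S+ (.+)$").strip(),
        "dh_group": int(get(r"^ group (\d+)")),
        "ssh_v1": re.search(r"^ip ssh version 1$", cfg, re.M) is not None,
        "acl": re.findall(r"^ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M),
    }

def audit_pair(a, b):
    """Return findings for a peer pair; an empty list means consistent and sane."""
    out = []
    if a["psk"] != b["psk"]:
        out.append("pre-shared keys differ")
    elif len(a["psk"]) < 16:
        out.append("pre-shared key shorter than 16 characters")
    if a["transform"] != b["transform"]:
        out.append("transform-sets differ")
    # Each crypto ACL must be the other's with source and destination swapped.
    if sorted(a["acl"]) != sorted((d, dw, s, sw) for s, sw, d, dw in b["acl"]):
        out.append("crypto ACLs are not mirror images of each other")
    for s in (a, b):
        if s["key_addr"] != s["peer"]:
            out.append(f"{s['host']}: isakmp key address {s['key_addr']} != set peer {s['peer']}")
        if s["dh_group"] < 14:
            out.append(f"{s['host']}: ISAKMP DH group {s['dh_group']} is below 2048-bit MODP")
        if s["ssh_v1"]:
            out.append(f"{s['host']}: ip ssh version 1 enabled")
    return out
```

Run `audit_pair(parse(R1), parse(R3))` against the page's configs and the pair comes back consistent (the tunnel works, as the pings show) but with the three weak-setting findings on each side.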
Verification output from both routers is below.
Test at Router R1
R1#ping 3.3.3.3 source 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/102/120 ms
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
15.15.15.1 14.14.14.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: test, local addr 14.14.14.1
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (3.3.3.0/255.255.255.0/0/0)
current_peer 15.15.15.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
#pkts decaps: 110, #pkts decrypt: 110, #pkts verify: 110
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 14.14.14.1, remote crypto endpt.: 15.15.15.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xBFD855E(201164126)
inbound esp sas:
spi: 0xCDCC62CF(3452723919)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: test
sa timing: remaining key lifetime (k/sec): (4566030/727)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBFD855E(201164126)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: test
sa timing: remaining key lifetime (k/sec): (4566037/724)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Test at Router R3
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
15.15.15.1 14.14.14.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R3#ping 2.2.2.2 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/101/108 ms
R3#sh crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: test, local addr 15.15.15.1
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
current_peer 14.14.14.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 115, #pkts encrypt: 115, #pkts digest: 115
#pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 15.15.15.1, remote crypto endpt.: 14.14.14.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xCDCC62CF(3452723919)
inbound esp sas:
spi: 0xBFD855E(201164126)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: test
sa timing: remaining key lifetime (k/sec): (4574294/621)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCDCC62CF(3452723919)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: test
sa timing: remaining key lifetime (k/sec): (4574288/619)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R3#