
IPSec VPN

Contents

  1. Lab 13-1: Basic Site-to-Site IPSec VPN
  2. Lab 13-2: Basic Site-to-Site IPSec VPN and NAT
  3. Lab 13-3: Configuring GRE/IPSec Tunnel Mode, Transport Mode, and S-VTI
  4. Lab 13-4: Protecting DMVPN Tunnels

Chapter Description

In this sample chapter from CCIE Routing and Switching v5.1 Foundations: Bridging the Gap Between CCNP and CCIE, learn how the Internet Security Association and Key Management Protocol (ISAKMP) and IPSec are essential to building and encrypting VPN tunnels.

Lab 13-3: Configuring GRE/IPSec Tunnel Mode, Transport Mode, and S-VTI

Figure 13-3 Configuring GRE/IPSec Tunnel Mode, Transport Mode, and S-VTI

Figure 13-3 illustrates the topology that will be used in the following lab.

Task 1

Configure a basic site-to-site IPSec VPN to protect traffic between the 1.1.1.0/24, 11.1.1.0/24, 2.2.2.0/24, and 22.2.2.0/24 networks using the policies shown in Table 13-3.

Table 13-3 Policy Guidelines for Configuring Task 1

ISAKMP Policy                IPSec Policy
Authentication: Pre-shared   Encryption: ESP-3DES
Hash: MD5                    Hash: ESP-MD5-HMAC
DH Group: 2                  Proxy-ID/Crypto ACL: 1.1.1.1 ←→ 2.2.2.2
Encryption: 3DES
PSK: cisco

Reachability is provided in the initial configuration.

  • Step 1. Configure ISAKMP using pre-shared authentication, MD5 hashing, DH group 2, and a PSK of “cisco” on both R1 and R3:

On R1:

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# exit

On R3:

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# hash md5
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# encryption 3des
R3(config-isakmp)# exit
  • Step 2. Configure the ISAKMP key and identify the peer:

On R1:

R1(config)# crypto isakmp key cisco address 23.1.1.3

On R3:

R3(config)# crypto isakmp key cisco address 12.1.1.1
  • Step 3. Configure the IPSec transform set to use DES for encryption and MD5 for hashing:

On R1 and R3:

Rx(config)# crypto ipsec transform-set TSET esp-des esp-md5-hmac
Rx(cfg-crypto-trans)# exit
  • Step 4. Define the interesting traffic. Notice how the crypto ACL grows: every local host needs an entry for every remote host, so the crypto ACL must be configured as a full mesh. Imagine 500 subnets that need to communicate securely with another 500 or more networks.

On R1:

R1(config)# access-list 100 permit ip host 1.1.1.1 host 3.3.3.3
R1(config)# access-list 100 permit ip host 1.1.1.1 host 30.3.3.3
R1(config)# access-list 100 permit ip host 1.1.1.1 host 33.3.3.3
R1(config)# access-list 100 permit ip host 10.1.1.1 host 3.3.3.3
R1(config)# access-list 100 permit ip host 10.1.1.1 host 30.3.3.3
R1(config)# access-list 100 permit ip host 10.1.1.1 host 33.3.3.3

R1(config)# access-list 100 permit ip host 11.1.1.1 host 3.3.3.3
R1(config)# access-list 100 permit ip host 11.1.1.1 host 30.3.3.3
R1(config)# access-list 100 permit ip host 11.1.1.1 host 33.3.3.3

On R3:

R3(config)# access-list 100 permit ip host 3.3.3.3 host 1.1.1.1
R3(config)# access-list 100 permit ip host 30.3.3.3 host 1.1.1.1
R3(config)# access-list 100 permit ip host 33.3.3.3 host 1.1.1.1

R3(config)# access-list 100 permit ip host 3.3.3.3 host 10.1.1.1
R3(config)# access-list 100 permit ip host 30.3.3.3 host 10.1.1.1
R3(config)# access-list 100 permit ip host 33.3.3.3 host 10.1.1.1

R3(config)# access-list 100 permit ip host 3.3.3.3 host 11.1.1.1
R3(config)# access-list 100 permit ip host 30.3.3.3 host 11.1.1.1
R3(config)# access-list 100 permit ip host 33.3.3.3 host 11.1.1.1
  • Step 5. Configure the crypto map and reference the peer, the crypto ACL, and the transform set configured in the previous steps:

On R1:

R1(config)# crypto map TST 10 ipsec-isakmp
R1(config-crypto-map)# set peer 23.1.1.3
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# set transform-set TSET

On R3:

R3(config)# crypto map TST 10 ipsec-isakmp
R3(config-crypto-map)# set peer 12.1.1.1
R3(config-crypto-map)# match address 100
R3(config-crypto-map)# set transform-set TSET
  • Step 6. Apply the crypto map to the outside interface:

On R1:

R1(config)# interface Serial1/2
R1(config-if)# crypto map TST

On R3:

R3(config)# interface Serial1/2
R3(config-if)# crypto map TST
  • Let’s test the configuration:

On R1:

R1# ping 3.3.3.3 source loopback0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/87/88 ms

R1# ping 3.3.3.3 source loopback1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/87/88 ms

R1# ping 3.3.3.3 source loopback2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 11.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/87/88 ms

R1# ping 30.3.3.3 source loopback0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/87/88 ms

R1# ping 30.3.3.3 source loopback1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/87/88 ms

R1# ping 30.3.3.3 source loopback2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 11.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/87/88 ms

R1# ping 33.3.3.3 source loopback0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/87/88 ms

R1# ping 33.3.3.3 source loopback1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/87/88 ms

R1# ping 33.3.3.3 source loopback2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 11.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/87/88 ms

R1# show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
23.1.1.3        12.1.1.1        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1# show crypto ipsec sa | include local|remote|#pkts

        Crypto map tag: TST, local addr 12.1.1.1
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
    # pkts encaps: 4, # pkts encrypt: 4, # pkts digest: 4
    # pkts decaps: 4, # pkts decrypt: 4, # pkts verify: 4
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
    # pkts encaps: 4, # pkts encrypt: 4, # pkts digest: 4
    # pkts decaps: 4, # pkts decrypt: 4, # pkts verify: 4
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
   local  ident (addr/mask/prot/port): (11.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
    # pkts encaps: 4, # pkts encrypt: 4, # pkts digest: 4
    # pkts decaps: 4, # pkts decrypt: 4, # pkts verify: 4
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (30.3.3.3/255.255.255.255/0/0)
    # pkts encaps: 4, # pkts encrypt: 4, # pkts digest: 4
    # pkts decaps: 4, # pkts decrypt: 4, # pkts verify: 4
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (33.3.3.3/255.255.255.255/0/0)
    # pkts encaps: 4, # pkts encrypt: 4, # pkts digest: 4
    # pkts decaps: 4, # pkts decrypt: 4, # pkts verify: 4
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (30.3.3.3/255.255.255.255/0/0)
    # pkts encaps: 4, # pkts encrypt: 4, # pkts digest: 4
    # pkts decaps: 4, # pkts decrypt: 4, # pkts verify: 4
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
   local  ident (addr/mask/prot/port): (11.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (30.3.3.3/255.255.255.255/0/0)
    # pkts encaps: 4, # pkts encrypt: 4, # pkts digest: 4
    # pkts decaps: 4, # pkts decrypt: 4, # pkts verify: 4
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (33.3.3.3/255.255.255.255/0/0)
    # pkts encaps: 4, # pkts encrypt: 4, # pkts digest: 4
    # pkts decaps: 4, # pkts decrypt: 4, # pkts verify: 4
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
   local  ident (addr/mask/prot/port): (11.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (33.3.3.3/255.255.255.255/0/0)
    # pkts encaps: 4, # pkts encrypt: 4, # pkts digest: 4
    # pkts decaps: 4, # pkts decrypt: 4, # pkts verify: 4
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
  • This is definitely not scalable.

R1# show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
 1001  IKE     MD5+3DES                  0        0        0 12.1.1.1
 2001  IPsec   DES+MD5                   0        4        4 12.1.1.1
 2002  IPsec   DES+MD5                   4        0        0 12.1.1.1
 2003  IPsec   DES+MD5                   0        4        4 12.1.1.1
 2004  IPsec   DES+MD5                   4        0        0 12.1.1.1
 2005  IPsec   DES+MD5                   0        4        4 12.1.1.1
 2006  IPsec   DES+MD5                   4        0        0 12.1.1.1
 2007  IPsec   DES+MD5                   0        4        4 12.1.1.1
 2008  IPsec   DES+MD5                   4        0        0 12.1.1.1
 2009  IPsec   DES+MD5                   0        4        4 12.1.1.1
 2010  IPsec   DES+MD5                   4        0        0 12.1.1.1
 2011  IPsec   DES+MD5                   0        4        4 12.1.1.1
 2012  IPsec   DES+MD5                   4        0        0 12.1.1.1
 2013  IPsec   DES+MD5                   0        4        4 12.1.1.1
 2014  IPsec   DES+MD5                   4        0        0 12.1.1.1
 2015  IPsec   DES+MD5                   0        4        4 12.1.1.1
 2016  IPsec   DES+MD5                   4        0        0 12.1.1.1
 2017  IPsec   DES+MD5                   0        4        4 12.1.1.1
 2018  IPsec   DES+MD5                   4        0        0 12.1.1.1

You can see the number of SPIs in the output of the preceding show command: the nine host pairs in the crypto ACL produced 18 IPSec SAs (one inbound and one outbound per pair, connection IDs 2001 through 2018) on top of the single IKE SA. You can also see that legacy site-to-site IPSec VPNs are not scalable when the number of networks that need to communicate increases.
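To put numbers on the full-mesh problem from Step 4, here is an added Python example (not from the book) that builds the crypto ACL for a set of local and remote hosts, derives the peer's mirror-image ACL, checks that the two match, and counts the IPSec SAs that result. The host addresses are the ones from this lab; the 500 x 500 case is the scenario Task 2 describes.

```python
# Added example (not from the book): build the full-mesh crypto ACL that a
# legacy crypto-map VPN needs, mirror it for the peer, and count the IPSec SAs.
from itertools import product

# Host addresses taken from the Lab 13-3 crypto ACL (R1 side and R3 side).
R1_HOSTS = ["1.1.1.1", "10.1.1.1", "11.1.1.1"]
R3_HOSTS = ["3.3.3.3", "30.3.3.3", "33.3.3.3"]


def crypto_acl(acl_number, local_hosts, remote_hosts):
    """IOS access-list lines for every local->remote host pair.

    A crypto ACL must enumerate the full mesh, so it grows as
    len(local_hosts) * len(remote_hosts).
    """
    return [
        f"access-list {acl_number} permit ip host {src} host {dst}"
        for src, dst in product(local_hosts, remote_hosts)
    ]


def _pairs(acl_lines):
    """Extract (source, destination) from 'access-list N permit ip host S host D'."""
    pairs = set()
    for line in acl_lines:
        parts = line.split()
        pairs.add((parts[5], parts[7]))
    return pairs


def mirrored_acl(acl_number, acl_lines):
    """The peer's ACL: the same pairs with source and destination swapped."""
    mirrored = []
    for line in acl_lines:
        parts = line.split()
        src, dst = parts[5], parts[7]
        mirrored.append(f"access-list {acl_number} permit ip host {dst} host {src}")
    return mirrored


def ipsec_sa_count(acl_lines):
    """Each ACL entry negotiates its own pair of ESP SAs (inbound + outbound),
    all under the single IKE SA; this is the 2001-2018 block in the lab output."""
    return 2 * len(acl_lines)


def acl_is_mirror(local_acl, remote_acl):
    """True if the peer's ACL mirrors the local one exactly. A pair present on
    only one side causes a proxy-identity mismatch and that flow never comes up."""
    return _pairs(remote_acl) == {(dst, src) for src, dst in _pairs(local_acl)}


def full_mesh_size(n_local, n_remote):
    """(ACL lines, IPSec SAs) for n_local subnets meshed with n_remote subnets."""
    lines = n_local * n_remote
    return lines, 2 * lines


if __name__ == "__main__":
    r1_acl = crypto_acl(100, R1_HOSTS, R3_HOSTS)
    r3_acl = mirrored_acl(100, r1_acl)
    print("\n".join(r1_acl))
    print(f"R1: {len(r1_acl)} ACL lines -> {ipsec_sa_count(r1_acl)} IPSec SAs + 1 IKE SA")
    print("R3 ACL mirrors R1:", acl_is_mirror(r1_acl, r3_acl))
    # The Task 2 scenario: 500 local subnets talking to 500 remote subnets.
    print("500 x 500 subnets -> (ACL lines, IPSec SAs):", full_mesh_size(500, 500))
```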

Task 2

You are getting ready to add 500 more subnets to R1 and 500 more subnets to R3. Therefore, you need to configure a scalable solution that does not require crypto ACLs. You will use GRE/IPSec in tunnel mode to accomplish this task.

Because you need to eliminate crypto ACLs entirely, you can configure a GRE tunnel and encrypt all traffic that traverses it. Let’s configure it:

  • Step 1. Configure the GRE tunnels.

  • When you’re configuring the GRE tunnels, the tunnel source must reference the outside interface of the local router, and the tunnel destination must be the outside interface of the peer router. Also, the tunnel IP address should be a private IP address.

On R1:

R1(config)# interface tunnel13
R1(config-if)# ip address 10.1.13.1 255.255.255.0
R1(config-if)# tunnel source 12.1.1.1
R1(config-if)# tunnel destination 23.1.1.3

On R3:

R3(config)# interface tunnel31
R3(config-if)# ip address 10.1.13.3 255.255.255.0
R3(config-if)# tunnel source 23.1.1.3
R3(config-if)# tunnel destination 12.1.1.1
  • Step 2. Use an Interior Gateway Protocol (IGP) to advertise the networks through the tunnel.

  • In this case, EIGRP AS 100 is used, but you can use any IGP to accomplish this step.

On R1:

R1(config)# router eigrp 100
R1(config-router)# netw 10.1.13.1 0.0.0.0

On R3:

R3(config)# router eigrp 100
R3(config-router)# netw 10.1.13.3 0.0.0.0
  • You should see the following console message:

%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.13.1 (Tunnel31) is up: new adjacency
  • Let’s verify the configuration:

On R3:

R3# show ip route eigrp | begin Gate
Gateway of last resort is 23.1.1.2 to network 0.0.0.0

      1.0.0.0/24 is subnetted, 1 subnets
D        1.1.1.0 [90/27008000] via 10.1.13.1, 00:02:15, Tunnel31
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
D        10.1.1.0/24 [90/27008000] via 10.1.13.1, 00:02:15, Tunnel31
      11.0.0.0/24 is subnetted, 1 subnets
D        11.1.1.0 [90/27008000] via 10.1.13.1, 00:02:15, Tunnel31
  • Step 3. Remove the crypto ACL and the crypto map configured in Task 1, starting with the crypto map that was applied to the outside interfaces:

On R1 and R3:

Rx(config)# no access-list 100

Rx(config)# interface Serial1/2
Rx(config-if)# no crypto map TST
Rx(config-if)# exit

Rx(config)# no crypto map TST
  • Step 4. Configure a crypto IPSec profile and reference the transform set:

On R1 and R3:

Rx(config)# crypto ipsec profile ABC
Rx(ipsec-profile)# set transform-set TSET
  • Step 5. Apply the crypto IPSec profile to the tunnel interface:

On R1:

R1(config)# interface tunnel13
R1(config-if)# tunnel protection ipsec profile ABC
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.13.3 (Tunnel13) is down: holding time expired
  • The adjacency drops here because R1 now encrypts its GRE packets while R3 has not yet applied the profile; it comes back once R3 is configured.

On R3:

R3(config)# interface tunnel31
R3(config-if)# tunnel protection ipsec profile ABC
  • You should see the following console messages:

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.13.1 (Tunnel31) is up: new adjacency
  • The tunnel protection ipsec profile command specifies that all traffic traversing the tunnel is encrypted using the IPSec profile named ABC.

  • Step 6. Now we need to verify that GRE/IPSec is running on the tunnels and that we are using tunnel mode:

R3# show crypto ipsec sa | section spi

     current outbound spi: 0xFA948BE8(4204039144)
      spi: 0xD090B49D(3499144349)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2019, flow_id: NETGX:19, sibling_flags 80000046, crypto map: Tunnel31-head-0
        sa timing: remaining key lifetime (k/sec): (4598347/3082)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

      spi: 0xFA948BE8(4204039144)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2020, flow_id: NETGX:20, sibling_flags 80000046, crypto map: Tunnel31-head-0
        sa timing: remaining key lifetime (k/sec): (4598347/3082)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

R3# show interface tunnel31 | include Tunnel protocol
  Tunnel protocol/transport GRE/IP

Task 3

After implementing the previous solution, you realize that every packet carries duplicate IP addresses in its headers: the GRE delivery header is addressed from 12.1.1.1 to 23.1.1.3, and ESP tunnel mode then wraps it in a new outer IP header with exactly the same addresses. You need to keep the GRE tunnel but eliminate the duplicate IP header on every packet.

To resolve this task, you must change the mode to Transport. Let’s do that now:

On R1 and R3:

Rx(config)# crypto ipsec transform-set TSET esp-des esp-md5-hmac
Rx(cfg-crypto-trans)# mode transport

To verify this, clear the IPSec SAs so that they are renegotiated with the new mode:

On both routers:

Rx# clear crypto sa

R1# show crypto ipsec sa

interface: Tunnel13
    Crypto map tag: Tunnel13-head-0, local addr 12.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (23.1.1.3/255.255.255.255/47/0)
   current_peer 23.1.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    # pkts encaps: 9, # pkts encrypt: 9, # pkts digest: 9
    # pkts decaps: 7, # pkts decrypt: 7, # pkts verify: 7

    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
    # send errors 0, # recv errors 0

     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
     current outbound spi: 0x58BF5B22(1488935714)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x31C3E03A(834920506)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2025, flow_id: NETGX:25, sibling_flags 80000006, crypto map: Tunnel13-head-0
        sa timing: remaining key lifetime (k/sec): (4430829/3568)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x58BF5B22(1488935714)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2026, flow_id: NETGX:26, sibling_flags 80000006, crypto map: Tunnel13-head-0
        sa timing: remaining key lifetime (k/sec): (4430829/3568)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

The transport protocol is still GRE. Let’s verify this:

On R1:

R1# show interface tunnel13 | include Tunnel protocol

  Tunnel protocol/transport GRE/IP

Task 4

Reconfigure R1 and R3 so that the tunnel protocol is IPSec; this way, the extra GRE overhead is no longer there.

In order to eliminate GRE altogether, you can change the tunnel mode to IPSec. Let’s configure this and verify:

On R1:

R1(config)# interface tunnel13
R1(config-if)# tunnel mode ipsec ipv4

You should see the following console message:

%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.13.3 (Tunnel13) is down: holding time expired

On R3:

R3(config)# interface tunnel31
R3(config-if)# tunnel mode ipsec ipv4

You should see EIGRP coming up again once both ends are in the same tunnel mode. This means that packets are being encrypted and forwarded across the tunnel.

%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.13.1 (Tunnel31) is up: new adjacency

Let’s verify the configuration:

On R1:

R1# show crypto ipsec sa

interface: Tunnel13
    Crypto map tag: Tunnel13-head-0, local addr 12.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 23.1.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    # pkts encaps: 26, # pkts encrypt: 26, # pkts digest: 26
    # pkts decaps: 27, # pkts decrypt: 27, # pkts verify: 27
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
    # send errors 8, # recv errors 0

     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
     current outbound spi: 0x653D25F9(1698506233)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF08E7802(4035868674)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
       conn id: 2029, flow_id: NETGX:29, sibling_flags 80000046, crypto map: Tunnel13-head-0
        sa timing: remaining key lifetime (k/sec): (4571849/3511)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x653D25F9(1698506233)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2030, flow_id: NETGX:30, sibling_flags 80000046, crypto map: Tunnel13-head-0
        sa timing: remaining key lifetime (k/sec): (4571849/3511)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1# show interface tunnel13 | include Tunnel protocol

  Tunnel protocol/transport IPSEC/IP

Do not forget to return the transform set to tunnel mode on both routers in the topology and then clear the SAs:

Rx(config)# crypto ipsec transform-set TSET esp-des esp-md5-hmac
Rx(cfg-crypto-trans)# mode tunnel

Rx# clear crypto sa

You should wait for the tunnel to come up:

R1# show crypto ipsec sa

interface: Tunnel13
    Crypto map tag: Tunnel13-head-0, local addr 12.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 23.1.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    # pkts encaps: 14, # pkts encrypt: 14, # pkts digest: 14
    # pkts decaps: 13, # pkts decrypt: 13, # pkts verify: 13
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0
    # pkts not decompressed: 0, # pkts decompress failed: 0
    # send errors 0, # recv errors 0

     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
     current outbound spi: 0x8CD7122B(2362905131)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD5DFBB05(3588209413)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2031, flow_id: NETGX:31, sibling_flags 80000046, crypto map: Tunnel13-head-0
        sa timing: remaining key lifetime (k/sec): (4580543/3568)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8CD7122B(2362905131)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2032, flow_id: NETGX:32, sibling_flags 80000046, crypto map: Tunnel13-head-0
        sa timing: remaining key lifetime (k/sec): (4580543/3568)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
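
To make the header savings in Tasks 3 and 4 concrete, here is an added Python example (not from the book) that computes the per-packet encapsulation for the three modes used in this lab with the esp-des esp-md5-hmac transform set. The header sizes are the fixed values from the IPv4, GRE and ESP specifications (20-byte IPv4 header without options, 4-byte GRE header without optional fields, 8-byte DES-CBC IV, 12-byte HMAC-MD5-96 ICV); the mode names and labels are my own, and the 100-byte packet matches the lab's pings.

```python
# Added example (not from the book): per-packet encapsulation for the three
# modes used in Lab 13-3 with the esp-des esp-md5-hmac transform set.
# Header sizes are constants from the IPv4, GRE and ESP specifications.
IP_HDR = 20       # IPv4 header, no options
GRE_HDR = 4       # GRE header with no optional fields (key, sequence, checksum)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_IV = 8        # DES-CBC IV ("IV size: 8 bytes" in the show output)
ESP_TRAILER = 2   # pad length (1) + next header (1)
ESP_ICV = 12      # HMAC-MD5-96 integrity check value
DES_BLOCK = 8     # protected data + trailer must fill whole DES blocks

# Tunnel endpoints from the lab topology, used only to label the headers.
OUTER = "IP 12.1.1.1->23.1.1.3"


def esp_pad(protected_len):
    """Padding bytes so that protected data + pad + trailer is a multiple of the block size."""
    return (-(protected_len + ESP_TRAILER)) % DES_BLOCK


def layers(mode, pkt_len):
    """Header stack on the wire, outermost first, as (label, bytes) pairs.

    mode: 'gre-tunnel'    -> Task 2, GRE inside ESP tunnel mode
          'gre-transport' -> Task 3, GRE inside ESP transport mode
          'svti-tunnel'   -> Task 4, tunnel mode ipsec ipv4 (no GRE)
    """
    if mode == "gre-tunnel":
        outer = OUTER + " (outer, added by ESP tunnel mode)"
        inner = [(OUTER + " (GRE delivery header)", IP_HDR), ("GRE", GRE_HDR)]
    elif mode == "gre-transport":
        outer = OUTER + " (GRE delivery header, reused by ESP transport mode)"
        inner = [("GRE", GRE_HDR)]
    elif mode == "svti-tunnel":
        outer = OUTER + " (outer, added by ESP tunnel mode)"
        inner = []
    else:
        raise ValueError(f"unknown mode {mode!r}")
    inner.append(("original IP packet", pkt_len))
    protected = sum(size for _, size in inner)
    return (
        [(outer, IP_HDR), ("ESP header", ESP_HDR), ("ESP IV", ESP_IV)]
        + inner
        + [("ESP padding", esp_pad(protected)), ("ESP trailer", ESP_TRAILER), ("ESP ICV", ESP_ICV)]
    )


def wire_size(mode, pkt_len):
    """Total bytes on the wire for an original packet of pkt_len bytes."""
    return sum(size for _, size in layers(mode, pkt_len))


def overhead(mode, pkt_len):
    """Bytes added on top of the original packet."""
    return wire_size(mode, pkt_len) - pkt_len


def ip_header_count(mode, pkt_len):
    """How many IP headers carry the tunnel endpoints (the duplication seen in Task 3)."""
    return sum(1 for label, _ in layers(mode, pkt_len) if label.startswith("IP "))


if __name__ == "__main__":
    for mode in ("gre-tunnel", "gre-transport", "svti-tunnel"):
        # 100 bytes is the size of the ICMP echo packets sent by the lab's pings.
        print(f"{mode:14s} {wire_size(mode, 100):4d} bytes on the wire, "
              f"+{overhead(mode, 100)} overhead, {ip_header_count(mode, 100)} tunnel IP header(s)")
        for label, size in layers(mode, 100):
            print(f"    {size:4d}  {label}")
```

Because DES padding rounds the protected data up to 8-byte blocks, the saving from dropping a 20-byte header or a 4-byte GRE header is not always exactly that many bytes on the wire.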

Erase the startup configuration of the routers and reload them before proceeding to the next lab.
