Simplified Networking
  • Home
  • Technology VoD!
    • Cisco >
      • Route & Switch / Enterprise Infrastructure
  • Technology Breakdowns!
    • Route&Switch/Ent. Infra. >
      • L2 Technologies
      • L3 Technologies
      • VPN Technologies
      • Services >
        • IOS - Dynamic NAT
        • HSRP - IPv4 Setup
        • HSRP - Priority and Preemption
    • Service Provider >
      • IGPs (Interior Gateway Protocols)
      • First Hop Redundancy >
        • HSRP (Hot Standby Router Protocol) >
          • HSRP - IOS/IOS XE Setup
          • HSRP - IOS XR Setup
      • BGP (Border Gateway Protocol)
      • Inter AS Multicast (MSDP)
      • Intra-AS MPLS
      • Inter-AS MPLS
    • Security >
      • IOS Firewall
      • ASA Firewall
      • FirePOWER Threat Defense >
        • FTD - FTD NGFW Device Setup and FMC Integration
      • VPNs >
        • PKI
        • Site to Site VPNs
        • Remote Access VPNs >
          • IOS Remote Access
          • ASA Remote Access
    • Data Center >
      • Nexus 9000v >
        • Nexus 9000v - Enabling Features
        • Nexus 9000v - VLANs and Trunks
        • Nexus 9000v - LACP Port Channels
        • Nexus 9000v - vPC (Virtual Port Channel)
        • Nexus 9000v - OSPFv2
        • Nexus 9000v - VXLAN - Ingress Replication Flood and Learn
        • Nexus 9000v - IP Multicast
        • Nexus 9000v - VxLAN - Multicast Flood and Learn
        • Nexus 9000v - VxLAN - BGP EVPN with Multicast
        • Nexus 9000v - VxLAN - BGP EVPN w/Ingress Replication
        • Nexus 9000v - VxLAN - Inter-VxLAN Routing with BGP EVPN
        • Nexus 9000v - VXLAN - External Routing
      • Nexus 7000v
    • Palo Alto

Site to Site VPN - GRE over IPsec with IPsec Profile

Topology (the original page shows this as a diagram; the details below are taken from the configurations and show outputs that follow): R3's WAN interface GigabitEthernet0/0 is 103.0.0.3 with a LAN of 10.1.3.0/24 behind it (SW1 is R3's EIGRP neighbor 10.1.3.1 on Gi0/1). CSR9's WAN interface GigabitEthernet3 is 109.0.0.9 with 10.2.9.0/24 behind it (EIGRP neighbor 10.2.9.2 on Gi2). Tunnel10 runs between the two public addresses and is numbered 10.3.9.0/24 (R3 = 10.3.9.3, CSR9 = 10.3.9.9).

This example is a site-to-site VPN built as a GRE tunnel (Tunnel10) between the two public addresses, encrypted by attaching an IPsec profile to the tunnel interface with "tunnel protection ipsec profile", and running EIGRP across the tunnel so the two LANs learn each other's routes dynamically. Because protection is applied to the tunnel itself, no crypto map or crypto ACL is needed: the IPsec SA covers GRE (IP protocol 47) between the two endpoints, which is exactly what the /32 proto 47 local and remote identities in "show crypto ipsec sa" below show. Transport mode is used because the GRE header already supplies the outer IP addresses, so there is nothing to gain from a second outer header.

The crypto parameters in this lab are deliberately minimal and should not be copied into production. "show crypto isakmp sa detail" confirms 3DES, MD5, DH group 5 and a pre-shared key, all of which are deprecated or weak, and the key itself is the word "cisco". No PFS is set on the profile (the SA output shows "PFS (Y/N): N"). The transform set "esp-3des" carries no ESP integrity algorithm (no esp-sha-hmac or similar), so the data path is encrypted but not authenticated, and IOS disables anti-replay for such an SA, which is why both routers report "replay detection support: N". A hardened variant is given after the two configurations.

R3
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 109.0.0.9      
!
crypto ipsec transform-set TSET esp-3des 
 mode transport
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET 
!
router eigrp 10
 network 10.1.0.0 0.0.255.255
 network 10.3.9.0 0.0.0.255
!
interface Tunnel10
 ip address 10.3.9.3 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 109.0.0.9
 tunnel protection ipsec profile IPSEC_PROFILE



CSR9
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 103.0.0.3      
!
crypto ipsec transform-set TSET esp-3des 
 mode transport
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET 
!
router eigrp 10
 network 10.2.0.0 0.0.255.255
 network 10.3.0.0 0.0.255.255
!
interface Tunnel10
 ip address 10.3.9.9 255.255.255.0
 tunnel source GigabitEthernet3
 tunnel destination 103.0.0.3
 tunnel protection ipsec profile IPSEC_PROFILE
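A hardened replacement for R3's crypto section, added here as an example and not part of the original page's configuration. It moves to IKEv2 with AES-256 and SHA-256, DH group 14, an AEAD ESP transform (AES-GCM, which supplies integrity and therefore anti-replay), PFS on the profile, a non-trivial pre-shared key, and dead peer detection. It assumes an IOS/IOS XE release that supports IKEv2, esp-gcm and sha256; the names IKEV2_PROP, IKEV2_POL, IKEV2_KR and IKEV2_PROF and the PSK placeholder are mine. The tunnel addressing and interface names are the page's own.

```text
! R3 - hardened crypto section (added example, not the original configuration).
! Replaces the "crypto isakmp policy 10" and "crypto isakmp key" lines above.
! Assumes IOS/IOS XE with IKEv2, esp-gcm and sha256 support.
! The PSK value is a placeholder: generate a long random secret and configure
! the identical value on CSR9.
!
crypto ikev2 proposal IKEV2_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2_POL
 proposal IKEV2_PROP
!
crypto ikev2 keyring IKEV2_KR
 peer CSR9
  address 109.0.0.9
  pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
!
crypto ikev2 profile IKEV2_PROF
 match identity remote address 109.0.0.9 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2_KR
 dpd 10 3 periodic
!
! AES-GCM is an AEAD transform: it authenticates as well as encrypts, so the
! data path is no longer unauthenticated and IOS can enable anti-replay.
crypto ipsec transform-set TSET esp-gcm 256
 mode transport
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set pfs group14
 set ikev2-profile IKEV2_PROF
!
interface Tunnel10
 ip address 10.3.9.3 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 109.0.0.9
 tunnel protection ipsec profile IPSEC_PROFILE
!
! CSR9 is the mirror image: keyring peer address and match identity
! 103.0.0.3, tunnel source GigabitEthernet3, tunnel destination 103.0.0.3,
! same PSK, transform set and profile.
```

If the platform lacks IKEv2, the equivalent IKEv1 hardening keeps the structure of the original but uses "encr aes 256", "hash sha256" and "group 14" in the isakmp policy, "esp-aes 256 esp-sha256-hmac" in the transform set, and "set pfs group14" in the profile. The "ip mtu" and "adjust-mss" lines are not security controls; they keep GRE-plus-ESP overhead from causing fragmentation, which the "plaintext mtu 1482" value in the SA output hints at. After the change, "show crypto ikev2 sa" replaces "show crypto isakmp sa" for verifying the control-plane SA, and "show crypto ipsec sa" should now report "PFS (Y/N): Y" and "replay detection support: Y".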



R3#show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1020  103.0.0.3       109.0.0.9              ACTIVE 3des md5    psk  5  23:01:56     
       Engine-id:Conn-id =  SW:20




R3#show crypto ipsec sa 

interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 103.0.0.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (103.0.0.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (109.0.0.9/255.255.255.255/47/0)
   current_peer 109.0.0.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 759, #pkts encrypt: 759, #pkts digest: 759
    #pkts decaps: 848, #pkts decrypt: 848, #pkts verify: 848
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 103.0.0.3, remote crypto endpt.: 109.0.0.9
     plaintext mtu 1482, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xCB07C16A(3406283114)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF49AFE18(4103798296)
        transform: esp-3des ,
        in use settings ={Transport, }
        conn id: 141, flow_id: SW:141, sibling_flags 80000000, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4153198/3076)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCB07C16A(3406283114)
        transform: esp-3des ,
        in use settings ={Transport, }
        conn id: 142, flow_id: SW:142, sibling_flags 80000000, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4153200/3076)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:




R3#show ip eigrp interfaces 
EIGRP-IPv4 Interfaces for AS(10)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/1                    1        0/0       0/0          13       0/0           52           0
Tu10                     1        0/0       0/0        1131       6/245       5885           0





R3#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(10)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.3.9.9                Tu10                     12 00:58:30 1131  5000  0  12
0   10.1.3.1                Gi0/1                    13 01:15:30   13   100  0  6




R3#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 103.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 17 subnets, 2 masks
D        10.2.9.0/24 [90/26880256] via 10.3.9.9, 00:58:33, Tunnel10




CSR9#show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001  109.0.0.9       103.0.0.3              ACTIVE 3des md5    psk  5  22:52:03     
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA




CSR9#show crypto ipsec sa 

interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 109.0.0.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (109.0.0.9/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (103.0.0.3/255.255.255.255/47/0)
   current_peer 103.0.0.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 882, #pkts encrypt: 882, #pkts digest: 882
    #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 109.0.0.9, remote crypto endpt.: 103.0.0.3
     plaintext mtu 1482, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
     current outbound spi: 0xF49AFE18(4103798296)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xCB07C16A(3406283114)
        transform: esp-3des ,
        in use settings ={Transport, }
        conn id: 2003, flow_id: CSR:3, sibling_flags FFFFFFFF80004008, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4607987/2854)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF49AFE18(4103798296)
        transform: esp-3des ,
        in use settings ={Transport, }
        conn id: 2004, flow_id: CSR:4, sibling_flags FFFFFFFF80004008, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4607990/2854)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:

     outbound pcp sas:





CSR9#show ip eigrp interfaces 
EIGRP-IPv4 Interfaces for AS(10)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Tu10                     1        0/0       0/0          79       6/245        561           0
Gi2                      1        0/0       0/0          24       0/0           96           0




   
CSR9#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(10)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.3.9.3                Tu10                     10 01:07:51   79  1470  0  12
0   10.2.9.2                Gi2                      10 01:28:46   24   144  0  7




CSR9#show ip route eigrp     
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 109.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D        10.1.3.0/24 [90/26880256] via 10.3.9.3, 01:07:59, Tunnel10




SW1#traceroute
Protocol [ip]: 
Target IP address: 10.2.9.2
Source address: 
Numeric display [n]: y
Timeout in seconds [3]: 
Probe count [3]: 
Minimum Time to Live [1]: 
Maximum Time to Live [30]: 
Port Number [33434]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Type escape sequence to abort.
Tracing the route to 10.2.9.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.3.3 17 msec 9 msec 12 msec
  2 10.3.9.9 21 msec 16 msec 20 msec
  3 10.2.9.2 24 msec *  16 msec