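This example is a site-to-site VPN over a GRE tunnel with dynamic routing: the GRE tunnel between R3 and CSR9 is protected by an IPsec profile in transport mode, and EIGRP runs across it.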

R3
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 109.0.0.9
!
crypto ipsec transform-set TSET esp-3des
 mode transport
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
!
router eigrp 10
 network 10.1.0.0 0.0.255.255
 network 10.3.9.0 0.0.0.255
!
interface Tunnel10
 ip address 10.3.9.3 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 109.0.0.9
 tunnel protection ipsec profile IPSEC_PROFILE

CSR9
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 103.0.0.3
!
crypto ipsec transform-set TSET esp-3des
 mode transport
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
!
router eigrp 10
 network 10.2.0.0 0.0.255.255
 network 10.3.0.0 0.0.255.255
!
interface Tunnel10
 ip address 10.3.9.9 255.255.255.0
 tunnel source GigabitEthernet3
 tunnel destination 103.0.0.3
 tunnel protection ipsec profile IPSEC_PROFILE

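An added example, not part of the original post: a small Python audit of the crypto stanzas in R3's configuration. The weak-algorithm lists and the minimum key length are this example's assumptions; the missing-integrity finding corresponds to the `replay detection support: N` lines in the `show crypto ipsec sa` output on this page.

```python
# R3's crypto stanzas, copied from the configuration on this page.
R3_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 109.0.0.9
!
crypto ipsec transform-set TSET esp-3des
 mode transport
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
"""

# Assumed audit policy for this example: settings treated as legacy.
WEAK_IKE = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-null"}
MIN_PSK_LEN = 20  # assumed minimum length for a cleartext pre-shared key


def audit(config):
    """Return findings for the IKEv1/IPsec stanzas of an IOS configuration."""
    findings, section, pfs = [], "", False

    def close_profile():
        if section.startswith("crypto ipsec profile") and not pfs:
            findings.append(f"{section}: no 'set pfs' (no fresh DH per IPsec rekey)")

    for line in map(str.strip, config.splitlines()):
        w = line.split()
        if not w or w[0] in ("!", "crypto"):  # a stanza ends or a new one starts
            close_profile()
            section, pfs = (line if w and w[0] == "crypto" else ""), False
        if line.startswith("crypto isakmp key ") and len(w) > 3 and len(w[3]) < MIN_PSK_LEN:
            findings.append(f"pre-shared key for {w[-1]} is shorter than {MIN_PSK_LEN} characters")
        elif line.startswith("crypto ipsec transform-set ") and len(w) > 4:
            name, transforms = w[3], w[4:]
            findings += [f"transform-set {name}: weak cipher {t}" for t in transforms if t in WEAK_ESP]
            if not any(t.endswith("-hmac") or t.startswith(("esp-gcm", "esp-gmac")) for t in transforms):
                findings.append(f"transform-set {name}: no integrity transform, so no anti-replay")
        elif section.startswith("crypto isakmp policy") and len(w) >= 2 and w[1] in WEAK_IKE.get(w[0], ()):
            findings.append(f"{section}: weak IKE setting '{line}'")
        elif section.startswith("crypto ipsec profile") and w[:2] == ["set", "pfs"]:
            pfs = True
    close_profile()
    return findings
```

A policy using `encr aes 256`, `hash sha256` and `group 14`, a transform-set of `esp-aes 256 esp-sha256-hmac`, a longer pre-shared key and `set pfs group14` in the profile returns no findings. Both peers have to change together, and the `show` output on this page would then differ.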
R3#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1020 103.0.0.3 109.0.0.9 ACTIVE 3des md5 psk 5 23:01:56
Engine-id:Conn-id = SW:20
R3#show crypto ipsec sa
interface: Tunnel10
Crypto map tag: Tunnel10-head-0, local addr 103.0.0.3
protected vrf: (none)
local ident (addr/mask/prot/port): (103.0.0.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (109.0.0.9/255.255.255.255/47/0)
current_peer 109.0.0.9 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 759, #pkts encrypt: 759, #pkts digest: 759
#pkts decaps: 848, #pkts decrypt: 848, #pkts verify: 848
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 103.0.0.3, remote crypto endpt.: 109.0.0.9
plaintext mtu 1482, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xCB07C16A(3406283114)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF49AFE18(4103798296)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 141, flow_id: SW:141, sibling_flags 80000000, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4153198/3076)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCB07C16A(3406283114)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 142, flow_id: SW:142, sibling_flags 80000000, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4153200/3076)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R3#show ip eigrp interfaces
EIGRP-IPv4 Interfaces for AS(10)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Gi0/1 1 0/0 0/0 13 0/0 52 0
Tu10 1 0/0 0/0 1131 6/245 5885 0
R3#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(10)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.3.9.9 Tu10 12 00:58:30 1131 5000 0 12
0 10.1.3.1 Gi0/1 13 01:15:30 13 100 0 6
R3#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 103.0.0.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 17 subnets, 2 masks
D 10.2.9.0/24 [90/26880256] via 10.3.9.9, 00:58:33, Tunnel10
CSR9#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 109.0.0.9 103.0.0.3 ACTIVE 3des md5 psk 5 22:52:03
Engine-id:Conn-id = SW:1
IPv6 Crypto ISAKMP SA
CSR9#show crypto ipsec sa
interface: Tunnel10
Crypto map tag: Tunnel10-head-0, local addr 109.0.0.9
protected vrf: (none)
local ident (addr/mask/prot/port): (109.0.0.9/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (103.0.0.3/255.255.255.255/47/0)
current_peer 103.0.0.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 882, #pkts encrypt: 882, #pkts digest: 882
#pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 109.0.0.9, remote crypto endpt.: 103.0.0.3
plaintext mtu 1482, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
current outbound spi: 0xF49AFE18(4103798296)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xCB07C16A(3406283114)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 2003, flow_id: CSR:3, sibling_flags FFFFFFFF80004008, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4607987/2854)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF49AFE18(4103798296)
transform: esp-3des ,
in use settings ={Transport, }
conn id: 2004, flow_id: CSR:4, sibling_flags FFFFFFFF80004008, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4607990/2854)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
CSR9#show ip eigrp interfaces
EIGRP-IPv4 Interfaces for AS(10)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Tu10 1 0/0 0/0 79 6/245 561 0
Gi2 1 0/0 0/0 24 0/0 96 0
CSR9#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(10)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.3.9.3 Tu10 10 01:07:51 79 1470 0 12
0 10.2.9.2 Gi2 10 01:28:46 24 144 0 7
CSR9#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 109.0.0.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D 10.1.3.0/24 [90/26880256] via 10.3.9.3, 01:07:59, Tunnel10
SW1#traceroute
Protocol [ip]:
Target IP address: 10.2.9.2
Source address:
Numeric display [n]: y
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.2.9.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.3.3 17 msec 9 msec 12 msec
2 10.3.9.9 21 msec 16 msec 20 msec
3 10.2.9.2 24 msec * 16 msec