Simplified Networking
Site to Site VPN - IPsec SVTI Tunnel

This example builds a site-to-site VPN between R3 and CSR9 using a static IPsec Virtual Tunnel Interface (SVTI, "tunnel mode ipsec ipv4") with EIGRP AS 10 providing dynamic routing across the tunnel. IKEv1 (ISAKMP) with a pre-shared key protects the tunnel; the configuration of each peer is followed by the verification output.



R3
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 109.0.0.9
!
crypto ipsec transform-set TSET esp-3des
 mode transport
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
!
interface Tunnel10
 ip address 10.3.9.3 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 109.0.0.9
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 10
 network 10.1.0.0 0.0.255.255
 network 10.3.9.0 0.0.0.255



CSR9
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 103.0.0.3
!
crypto ipsec transform-set TSET esp-3des
 mode transport
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
!
interface Tunnel10
 ip address 10.3.9.9 255.255.255.0
 tunnel source GigabitEthernet3
 tunnel mode ipsec ipv4
 tunnel destination 103.0.0.3
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 10
 network 10.2.0.0 0.0.255.255
 network 10.3.0.0 0.0.255.255




R3#show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1022  103.0.0.3       109.0.0.9              ACTIVE 3des md5    psk  5  23:52:55     



R3#show crypto ipsec sa 

interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 103.0.0.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 109.0.0.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 103, #pkts encrypt: 103, #pkts digest: 103
    #pkts decaps: 116, #pkts decrypt: 116, #pkts verify: 116
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 103.0.0.3, remote crypto endpt.: 109.0.0.9
     plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x1E505F31(508583729)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x108467F6(277112822)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 143, flow_id: SW:143, sibling_flags 80004040, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4323635/3150)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1E505F31(508583729)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 144, flow_id: SW:144, sibling_flags 80004040, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4323636/3150)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:



R3#show ip eigrp interfaces 
EIGRP-IPv4 Interfaces for AS(10)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/1                    1        0/0       0/0          16       0/0           76           0
Tu10                     1        0/0       0/0          32       6/245        361           0



  
R3#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(10)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.3.9.9                Tu10                     11 00:07:52   32  1470  0  18
0   10.1.3.1                Gi0/1                    14 01:34:35   16   100  0  9




R3#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 103.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 17 subnets, 2 masks
D        10.2.9.0/24 [90/26880256] via 10.3.9.9, 00:07:56, Tunnel10




CSR9#show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1003  109.0.0.9       103.0.0.3              ACTIVE 3des md5    psk  5  23:49:53     
       Engine-id:Conn-id =  SW:3




CSR9#show crypto ipsec sa 

interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 109.0.0.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 103.0.0.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 142, #pkts encrypt: 142, #pkts digest: 142
    #pkts decaps: 126, #pkts decrypt: 126, #pkts verify: 126
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 109.0.0.9, remote crypto endpt.: 103.0.0.3
     plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
     current outbound spi: 0x108467F6(277112822)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x1E505F31(508583729)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80000048, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4607990/2972)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x108467F6(277112822)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80000048, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4607991/2972)
        IV size: 8 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:

     outbound pcp sas:



CSR9#show ip eigrp interfaces 
EIGRP-IPv4 Interfaces for AS(10)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Tu10                     1        0/0       0/0          61       6/245        497           0
Gi2                      1        0/0       0/0          24       0/0          100           0



   
CSR9#show ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(10)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
1   10.3.9.3                Tu10                     11 00:10:44   61  1470  0  18
0   10.2.9.2                Gi2                      14 01:49:45   24   144  0  10




CSR9#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 109.0.0.1 to network 0.0.0.0

      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D        10.1.3.0/24 [90/26880256] via 10.3.9.3, 00:10:47, Tunnel10




SW1#traceroute
Protocol [ip]: 
Target IP address: 10.2.9.2
Source address: 
Numeric display [n]: y
Timeout in seconds [3]: 
Probe count [3]: 
Minimum Time to Live [1]: 
Maximum Time to Live [30]: 
Port Number [33434]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Type escape sequence to abort.
Tracing the route to 10.2.9.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.3.3 24 msec 14 msec 7 msec
  2 10.3.9.9 8 msec 22 msec 25 msec
  3 10.2.9.2 33 msec *  21 msec
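The verification output above is what an engineer should read with a security eye, not only a "tunnel is up" eye: both peers run 3DES, MD5 and DH group 5 for IKE, the transform set esp-3des carries no HMAC (so the ESP SA has no integrity transform), PFS is off, and the SAs report "replay detection support: N". The following script is an added example, not part of the original page or of Cisco's tooling. It takes excerpts of the R3 configuration and of both "show crypto ipsec sa" outputs exactly as they appear above (embedded as constructed string constants), flags the legacy settings using Cisco's Next Generation Encryption classification (3DES/DES, MD5 and DH groups 1, 2 and 5 as legacy), and cross-checks that each side's outbound SPI is the other side's inbound SPI, which is how you confirm the two SA displays describe the same tunnel. The regular expressions assume the IOS/IOS XE output layout shown on this page.

```python
import re

# Constructed excerpts, copied from the R3 configuration and from the
# R3 / CSR9 "show crypto ipsec sa" output shown on this page.
R3_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto ipsec transform-set TSET esp-3des
 mode transport
!
"""

R3_IPSEC_SA = """\
interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 103.0.0.3
     current_peer 109.0.0.9 port 500
     current outbound spi: 0x1E505F31(508583729)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x108467F6(277112822)
        transform: esp-3des ,
        replay detection support: N
     outbound esp sas:
      spi: 0x1E505F31(508583729)
        transform: esp-3des ,
        replay detection support: N
"""

CSR9_IPSEC_SA = """\
interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 109.0.0.9
     current_peer 103.0.0.3 port 500
     current outbound spi: 0x108467F6(277112822)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x1E505F31(508583729)
        transform: esp-3des ,
        replay detection support: N
     outbound esp sas:
      spi: 0x108467F6(277112822)
        transform: esp-3des ,
        replay detection support: N
"""

# Settings Cisco's Next Generation Encryption guidance classes as legacy.
LEGACY_ENCR = {"des", "3des"}
LEGACY_HASH = {"md5"}
LEGACY_DH = {"1", "2", "5"}
LEGACY_ESP = {"esp-des", "esp-3des"}


def audit_isakmp_config(config):
    """Return findings for the ISAKMP policy and transform-set lines of an IOS config."""
    findings = []
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "encr" and tokens[1] in LEGACY_ENCR:
            findings.append(f"isakmp: legacy encryption {tokens[1]}")
        elif tokens[0] == "hash" and tokens[1] in LEGACY_HASH:
            findings.append(f"isakmp: legacy hash {tokens[1]}")
        elif tokens[0] == "group" and tokens[1] in LEGACY_DH:
            findings.append(f"isakmp: legacy DH group {tokens[1]}")
        elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
            name, transforms = tokens[3], tokens[4:]
            if any(t in LEGACY_ESP for t in transforms):
                findings.append(f"ipsec: legacy ESP cipher in {name}")
            if not any("hmac" in t for t in transforms):
                findings.append(f"ipsec: no ESP integrity (hmac) transform in {name}")
    return findings


def parse_ipsec_sa(output):
    """Pull the security-relevant fields out of 'show crypto ipsec sa' output."""
    def grab(pattern):
        m = re.search(pattern, output)
        return m.group(1) if m else None
    return {
        "local": grab(r"local addr (\S+)"),
        "peer": grab(r"current_peer (\S+)"),
        "pfs": grab(r"PFS \(Y/N\): (\w)"),
        "inbound_spi": grab(r"inbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)"),
        "outbound_spi": grab(r"outbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)"),
        # One entry per distinct value seen; ["Y"] means every SA has replay protection.
        "replay": sorted(set(re.findall(r"replay detection support: (\w)", output))),
    }


def audit_ipsec_sa(sa):
    """Findings for one peer's parsed SA: PFS and anti-replay state."""
    findings = []
    if sa["pfs"] != "Y":
        findings.append(f"{sa['local']}: PFS disabled for IPsec SA")
    if sa["replay"] != ["Y"]:
        findings.append(f"{sa['local']}: replay detection not active on ESP SAs")
    return findings


def spis_match(sa_a, sa_b):
    """Each side's outbound SPI must be the other side's inbound SPI."""
    return (sa_a["outbound_spi"] == sa_b["inbound_spi"]
            and sa_a["inbound_spi"] == sa_b["outbound_spi"])


if __name__ == "__main__":
    for finding in audit_isakmp_config(R3_CONFIG):
        print(finding)
    r3, csr9 = parse_ipsec_sa(R3_IPSEC_SA), parse_ipsec_sa(CSR9_IPSEC_SA)
    for finding in audit_ipsec_sa(r3) + audit_ipsec_sa(csr9):
        print(finding)
    print("SPIs pair up across peers:", spis_match(r3, csr9))
```

Run against the page's own output the script reports five configuration findings on R3 (the same policy is repeated on CSR9), two SA findings per peer, and a successful SPI cross-check (R3 outbound 0x1E505F31 is CSR9 inbound, R3 inbound 0x108467F6 is CSR9 outbound). One more detail worth noticing in the output above: both transform sets specify "mode transport", yet the SAs show "in use settings ={Tunnel, }", so tunnel encapsulation is what was actually negotiated on the SVTI.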