This example is a site-to-site VPN built on a Virtual Tunnel Interface (VTI), with dynamic routing (EIGRP) running over the tunnel.
R3

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 109.0.0.9
!
crypto ipsec transform-set TSET esp-3des
 mode transport
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
!
interface Tunnel10
 ip address 10.3.9.3 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 109.0.0.9
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 10
 network 10.1.0.0 0.0.255.255
 network 10.3.9.0 0.0.0.255

CSR9

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key cisco address 103.0.0.3
!
crypto ipsec transform-set TSET esp-3des
 mode transport
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
!
interface Tunnel10
 ip address 10.3.9.9 255.255.255.0
 tunnel source GigabitEthernet3
 tunnel mode ipsec ipv4
 tunnel destination 103.0.0.3
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 10
 network 10.2.0.0 0.0.255.255
 network 10.3.0.0 0.0.255.255

R3#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1022 103.0.0.3 109.0.0.9 ACTIVE 3des md5 psk 5 23:52:55
R3#show crypto ipsec sa
interface: Tunnel10
Crypto map tag: Tunnel10-head-0, local addr 103.0.0.3
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 109.0.0.9 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 103, #pkts encrypt: 103, #pkts digest: 103
#pkts decaps: 116, #pkts decrypt: 116, #pkts verify: 116
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 103.0.0.3, remote crypto endpt.: 109.0.0.9
plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x1E505F31(508583729)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x108467F6(277112822)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 143, flow_id: SW:143, sibling_flags 80004040, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4323635/3150)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1E505F31(508583729)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 144, flow_id: SW:144, sibling_flags 80004040, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4323636/3150)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R3#show ip eigrp interfaces
EIGRP-IPv4 Interfaces for AS(10)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Gi0/1 1 0/0 0/0 16 0/0 76 0
Tu10 1 0/0 0/0 32 6/245 361 0
R3#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(10)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.3.9.9 Tu10 11 00:07:52 32 1470 0 18
0 10.1.3.1 Gi0/1 14 01:34:35 16 100 0 9
R3#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 103.0.0.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 17 subnets, 2 masks
D 10.2.9.0/24 [90/26880256] via 10.3.9.9, 00:07:56, Tunnel10
CSR9#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1003 109.0.0.9 103.0.0.3 ACTIVE 3des md5 psk 5 23:49:53
Engine-id:Conn-id = SW:3
CSR9#show crypto ipsec sa
interface: Tunnel10
Crypto map tag: Tunnel10-head-0, local addr 109.0.0.9
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 103.0.0.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 142, #pkts encrypt: 142, #pkts digest: 142
#pkts decaps: 126, #pkts decrypt: 126, #pkts verify: 126
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 109.0.0.9, remote crypto endpt.: 103.0.0.3
plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
current outbound spi: 0x108467F6(277112822)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x1E505F31(508583729)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80000048, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4607990/2972)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x108467F6(277112822)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80000048, crypto map: Tunnel10-head-0
sa timing: remaining key lifetime (k/sec): (4607991/2972)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
CSR9#show ip eigrp interfaces
EIGRP-IPv4 Interfaces for AS(10)
Xmit Queue PeerQ Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable Un/Reliable SRTT Un/Reliable Flow Timer Routes
Tu10 1 0/0 0/0 61 6/245 497 0
Gi2 1 0/0 0/0 24 0/0 100 0
CSR9#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(10)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 10.3.9.3 Tu10 11 00:10:44 61 1470 0 18
0 10.2.9.2 Gi2 14 01:49:45 24 144 0 10
CSR9#show ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 109.0.0.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D 10.1.3.0/24 [90/26880256] via 10.3.9.3, 00:10:47, Tunnel10
SW1#traceroute
Protocol [ip]:
Target IP address: 10.2.9.2
Source address:
Numeric display [n]: y
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.2.9.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.3.3 24 msec 14 msec 7 msec
2 10.3.9.9 8 msec 22 msec 25 msec
3 10.2.9.2 33 msec * 21 msec
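
An added example, not part of the original post: a small Python audit of the crypto section of the R3 configuration above. The names audit, WEAK and MIN_PSK_LEN and the thresholds are assumptions (a local policy, not IOS defaults), and the key check assumes the "crypto isakmp key <key> address <peer>" form used on this page. The missing integrity transform and missing PFS it reports correspond to the "replay detection support: N" and "PFS (Y/N): N" lines in the show crypto ipsec sa output.

```python
import re

# Crypto section of R3's configuration from the page ("!" separators omitted).
R3_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco address 109.0.0.9
crypto ipsec transform-set TSET esp-3des
 mode transport
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
"""

# Assumed local policy (not an IOS default): values treated as legacy.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
MIN_PSK_LEN = 20  # assumed minimum pre-shared key length


def audit(config: str) -> list[str]:
    """Return findings for the IKEv1/IPsec settings in an IOS config fragment."""
    findings, section, arg, has_pfs = [], [], "", {}
    for words in (ln.split() for ln in config.splitlines()):
        if not words or words[0] == "!":
            continue
        if words[0] in ("crypto", "interface", "router"):  # top-level command
            section = words[1:3] if words[0] == "crypto" else []
            arg = words[3] if len(words) > 3 else ""
            if section == ["isakmp", "key"] and len(arg) < MIN_PSK_LEN:
                findings.append(f"psk for {words[-1]}: shorter than {MIN_PSK_LEN} characters")
            elif section == ["ipsec", "transform-set"]:
                if {"esp-des", "esp-3des"} & set(words[4:]):
                    findings.append(f"transform-set {arg}: legacy cipher")
                if not any(re.search("hmac|gcm|gmac", x) for x in words[4:]):
                    findings.append(f"transform-set {arg}: no integrity transform, so no anti-replay")
            elif section == ["ipsec", "profile"]:
                has_pfs[arg] = False
        elif section == ["isakmp", "policy"] and words[-1] in WEAK.get(words[0], ()):
            findings.append(f"isakmp policy {arg}: legacy {words[0]} {words[-1]}")
        elif section == ["ipsec", "profile"] and words[:2] == ["set", "pfs"]:
            has_pfs[arg] = True
    return findings + [f"profile {p}: no 'set pfs'" for p, ok in has_pfs.items() if not ok]


if __name__ == "__main__":
    print("\n".join(audit(R3_CONFIG)))
```

The parser splits on whitespace, so it accepts the configuration with or without the usual IOS indentation, and it never prints the key itself.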