IPsec VPN With DVTI-SVTI Example
Applied version
Configuration & Verification
!! IOS-S10 EzVPN Server !! v15.6(2)T

! IP Routing between underlay [IOS-S10] to [IOS-C11], 1.1.10.10 to 1.1.11.11

! Crypto endpoint authentication
crypto keyring ISAKMP_KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key ISAKMP_KEY_SVTI

! ISAKMP/IKE Phase 1 security parameters
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption 3des

! ISAKMP/IKE Phase 2 security parameters
crypto ipsec transform-set XF esp-3des esp-sha-hmac
 mode tunnel

! Crypto isakmp profile
crypto isakmp profile ISAKMP_PROF_SVTI
 keyring ISAKMP_KEYRING
 match identity address 0.0.0.0
 virtual-template 3

! Crypto ipsec profile
crypto ipsec profile IPSEC_PROF_SVTI
 set transform-set XF
 set isakmp-profile ISAKMP_PROF_SVTI

! Apply IPsec profile
interface Loopback10
 ip address 10.10.10.10 255.255.255.255
interface Virtual-Template3 type tunnel
 ip unnumbered Loopback10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF_SVTI

! IP Routing for overlay
router eigrp 1
 network 10.10.10.10 0.0.0.0
 network 172.16.10.10 0.0.0.0

[Connectivity] [WEB2] to [R3], 172.16.10.2 to 10.3.3.3 ping ICMP-echo-request [OK]

!! IOS-C11 SVTI !! v15.5(2)T

! IP Routing between underlay [IOS-C11] to [IOS-S10], 1.1.11.11 to 1.1.10.10

! Crypto endpoint authentication
crypto isakmp key ISAKMP_KEY_SVTI address 0.0.0.0

! ISAKMP/IKE Phase 1 security parameters
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption 3des

! ISAKMP/IKE Phase 2 security parameters
crypto ipsec transform-set XF esp-3des esp-sha-hmac
 mode tunnel

! Crypto ipsec profile
crypto ipsec profile IPSEC_PROF_SVTI
 set transform-set XF

! Apply IPsec profile
interface Loopback11
 ip address 11.11.11.11 255.255.255.255
interface Tunnel11
 ip unnumbered Loopback11
 tunnel source 1.1.11.11
 tunnel mode ipsec ipv4
 tunnel destination 1.1.10.10
 tunnel protection ipsec profile IPSEC_PROF_SVTI

! IP Routing for overlay
router eigrp 1
 network 10.3.3.11 0.0.0.0
 network 11.11.11.11 0.0.0.0

[Connectivity] [R3] to [WEB2], 10.3.3.3 to 172.16.10.2 ping ICMP-echo-request [OK]

More Verification

! Routing via EIGRP
IOS-S10#show ip route eigrp
D 10.3.3.0/24 [90/26905600] via 11.11.11.11, Virtual-Access1
D 11.11.11.11 [90/27008000] via 11.11.11.11, Virtual-Access1

IOS-S10#show ip eigrp interfaces
Interface  Peers
Gi0/1      0
Lo10       0
Vi1        1
Vt1        0
Vt2        0
Vt3        0

IOS-S10#show ip eigrp neighbors
11.11.11.11 Vi1

! IPsec VPN session
IOS-S10#show crypto session detail
Interface: Virtual-Access1
Profile: ISAKMP_PROF_SVTI
Uptime: 00:23:16
Session status: UP-ACTIVE
Peer: 1.1.11.11 port 500 fvrf: (none) ivrf: (none)
 Phase1_id: 1.1.11.11
 Desc: (none)
 Session ID: 0
 IKEv1 SA: local 1.1.10.10/500 remote 1.1.11.11/500 Active
  Capabilities:(none) connid:1003 lifetime:23:36:43
 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
  Active SAs: 2, origin: crypto map
  Inbound: #pkts dec'ed 306 drop 0 life (KB/Sec) 4309184/2203
  Outbound: #pkts enc'ed 308 drop 0 life (KB/Sec) 4309183/2203

! Routing via EIGRP
IOS-C11#show ip route eigrp
D 10.10.10.10/32 [90/27008000] via 10.10.10.10, Tunnel11
D 172.16.10.0 [90/26880256] via 10.10.10.10, Tunnel11

IOS-C11#show ip eigrp interfaces
Interface  Peers
Lo11       0
Tu11       1
Et0/1      0

IOS-C11#show ip eigrp neighbors
10.10.10.10 Tu11

! IPsec VPN session
IOS-C11#show crypto session detail
Interface: Tunnel11
Uptime: 00:23:41
Session status: UP-ACTIVE
Peer: 1.1.10.10 port 500 fvrf: (none) ivrf: (none)
 Phase1_id: 1.1.10.10
 Desc: (none)
 Session ID: 0
 IKEv1 SA: local 1.1.11.11/500 remote 1.1.10.10/500 Active
  Capabilities:(none) connid:1003 lifetime:23:36:18
 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
  Active SAs: 2, origin: crypto map
  Inbound: #pkts dec'ed 313 drop 0 life (KB/Sec) 4257297/2178
  Outbound: #pkts enc'ed 311 drop 0 life (KB/Sec) 4257297/2178
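
Added example (not part of the original page, and not a Cisco tool): a small Python audit that groups an IOS configuration into stanzas and flags the legacy settings this lab uses, namely MD5, 3DES, DH group 2 and a pre-shared key or ISAKMP profile that accepts any peer address. The rule set and the names stanzas() and audit() are this example's own; the sample input is copied from the IOS-S10 listing above.

```python
import re

# Crypto stanzas copied from the IOS-S10 listing on this page.
IOS_S10 = """\
crypto keyring ISAKMP_KEYRING
 pre-shared-key address 0.0.0.0 0.0.0.0 key ISAKMP_KEY_SVTI
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 encryption 3des
crypto ipsec transform-set XF esp-3des esp-sha-hmac
 mode tunnel
crypto isakmp profile ISAKMP_PROF_SVTI
 keyring ISAKMP_KEYRING
 match identity address 0.0.0.0
 virtual-template 3
"""

# (stanza header regex, line regex, finding); this rule set is the example's own.
RULES = [
    (r"crypto isakmp policy \d+$", r"hash md5$", "IKE phase 1 hash is MD5"),
    (r"crypto isakmp policy \d+$", r"encr\S* (3des|des)$", "IKE phase 1 cipher is DES/3DES"),
    (r"crypto isakmp policy \d+$", r"group (1|2|5)$", "IKE phase 1 DH group is 1, 2 or 5"),
    (r"crypto ipsec transform-set ", r".*\besp-(3des|des)\b", "ESP cipher is DES/3DES"),
    (r"crypto keyring ", r"pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ", "pre-shared key valid for any peer"),
    (r"crypto isakmp key ", r".* address 0\.0\.0\.0\b", "pre-shared key valid for any peer"),
    (r"crypto isakmp profile ", r"match identity address 0\.0\.0\.0$", "profile matches any peer"),
]

def stanzas(config):
    """Group lines into stanzas: a top-level command plus its indented sub-commands."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comments
        if not line[0].isspace() or not out:
            out.append([])  # an unindented line opens a new stanza
        out[-1].append(line.strip())
    return out

def audit(config):
    """Return (stanza header, offending line, finding) tuples in config order."""
    return [(lines[0], line, finding)
            for lines in stanzas(config) for line in lines
            for head_re, line_re, finding in RULES
            if re.match(head_re, lines[0]) and re.match(line_re, line)]

if __name__ == "__main__":
    print("\n".join(f"{f}: '{l}' (in '{h}')" for h, l, f in audit(IOS_S10)))
```

Because each rule is tied to a stanza header, a line such as "group 2" is reported only inside a crypto isakmp policy block.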