IPsec VPN With Manual Keying Example
Applied version

Configuration

R2

! Routing
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.12.1
! Crypto endpoint authentication
crypto isakmp key ISAKMP_SECRET address 4.4.4.4
! Proxy ACL
ip access-list extended IP26_TO_47
 permit ip 10.0.26.0 0.0.0.255 10.0.47.0 0.0.0.255
! IPsec SA security parameters
crypto ipsec transform-set XF esp-des esp-md5-hmac
 mode tunnel
! Crypto map parameters
crypto map MAP1 10 ipsec-manual
 set peer 4.4.4.4
 set session-key inbound esp 1001 cipher dcba0987654321 authenticator 11223344556677889900aabbccddeeff
 set session-key outbound esp 1000 cipher 1234567890abcd authenticator aaaaaaaabbbbbbbbccccccccdddddddd
 set transform-set XF
 match address IP26_TO_47
! Crypto map source address
crypto map MAP1 local-address Loopback0
! Apply crypto map
interface GigabitEthernet0/0
 crypto map MAP1

R4

! Routing
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.34.3
! Crypto endpoint authentication
crypto isakmp key ISAKMP_SECRET address 2.2.2.2
! Proxy ACL
ip access-list extended IP47_TO_26
 permit ip 10.0.47.0 0.0.0.255 10.0.26.0 0.0.0.255
! IPsec SA security parameters
crypto ipsec transform-set XF esp-des esp-md5-hmac
 mode tunnel
! Crypto map parameters
crypto map MAP1 10 ipsec-manual
 set peer 2.2.2.2
 set session-key inbound esp 1000 cipher 1234567890abcd authenticator aaaaaaaabbbbbbbbccccccccdddddddd
 set session-key outbound esp 1001 cipher dcba0987654321 authenticator 11223344556677889900aabbccddeeff
 set transform-set XF
 match address IP47_TO_26
! Crypto map source address
crypto map MAP1 local-address Loopback0
! Apply crypto map
interface GigabitEthernet0/0
 crypto map MAP1
Verification

R2

! Reset security association
clear crypto sa
! ISAKMP SA
R2#show crypto isakmp sa
! IPsec SA
R2#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: MAP1, local addr 2.2.2.2

   local  ident (addr/mask/prot/port): (10.0.26.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.47.0/255.255.255.0/0/0)
   current_peer 4.4.4.4 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 4.4.4.4
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3E9(1001)
        in use settings ={Tunnel, }
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0x3E8(1000)
        in use settings ={Tunnel, }
        replay detection support: N
        Status: ACTIVE(ACTIVE)

! Crypto Engine Connections
R2#show crypto engine connection active

  ID Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
  75 IPsec   DES+MD5                   0        4        0 2.2.2.2
  76 IPsec   DES+MD5                   4        0        0 2.2.2.2

R4

! Reset security association
clear crypto sa
! ISAKMP SA
R4#show crypto isakmp sa
! IPsec SA
R4#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: MAP1, local addr 4.4.4.4

   local  ident (addr/mask/prot/port): (10.0.47.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.26.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

     local crypto endpt.: 4.4.4.4, remote crypto endpt.: 2.2.2.2
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3E8(1000)
        in use settings ={Tunnel, }
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0x3E9(1001)
        in use settings ={Tunnel, }
        replay detection support: N
        Status: ACTIVE(ACTIVE)

! Crypto Engine Connections
R4#show crypto engine connection active

  ID Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
  65 IPsec   DES+MD5                   0        4        0 4.4.4.4
  66 IPsec   DES+MD5                   4        0        0 4.4.4.4
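With ipsec-manual there is no IKE exchange: the SAs are installed straight from the crypto map, so `show crypto isakmp sa` has nothing to list, PFS is N, the session keys never rotate unless someone changes them by hand, and the `replay detection support: N` line records that ESP sequence numbers are not checked. The one thing that must be right is that R2's inbound SPI, cipher key and authenticator key equal R4's outbound set and vice versa. The script below is an added audit example (not code from the page or from Cisco) that parses the crypto-map lines and the SA block copied from the configuration and verification above, checks that the two peers cross-match, and reports the weak DES/MD5 transforms and the missing anti-replay protection. The weak-transform table and the wording of the findings are the example's own assumptions.

```python
# Added audit example for the manual-keying pair above (not the page's or Cisco's code).
import re

# Constructed inputs: the crypto map stanzas and transform set copied from R2 and R4.
R2_CRYPTO_MAP = """
crypto map MAP1 10 ipsec-manual
 set peer 4.4.4.4
 set session-key inbound esp 1001 cipher dcba0987654321 authenticator 11223344556677889900aabbccddeeff
 set session-key outbound esp 1000 cipher 1234567890abcd authenticator aaaaaaaabbbbbbbbccccccccdddddddd
 set transform-set XF
 match address IP26_TO_47
"""
R4_CRYPTO_MAP = """
crypto map MAP1 10 ipsec-manual
 set peer 2.2.2.2
 set session-key inbound esp 1000 cipher 1234567890abcd authenticator aaaaaaaabbbbbbbbccccccccdddddddd
 set session-key outbound esp 1001 cipher dcba0987654321 authenticator 11223344556677889900aabbccddeeff
 set transform-set XF
 match address IP47_TO_26
"""
TRANSFORM_SET = "crypto ipsec transform-set XF esp-des esp-md5-hmac"

# Constructed: the SA block from R2's `show crypto ipsec sa` output above.
R2_SHOW_IPSEC_SA = """
     inbound esp sas:
      spi: 0x3E9(1001)
        in use settings ={Tunnel, }
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0x3E8(1000)
        in use settings ={Tunnel, }
        replay detection support: N
        Status: ACTIVE(ACTIVE)
"""

SESSION_KEY_RE = re.compile(
    r"set session-key (inbound|outbound) esp (\d+) cipher ([0-9a-fA-F]+) authenticator ([0-9a-fA-F]+)")
SA_RE = re.compile(
    r"(inbound|outbound) esp sas:.*?spi: 0x([0-9A-Fa-f]+)\((\d+)\).*?"
    r"replay detection support: ([YN]).*?Status: (\w+)", re.S)

# Transforms this audit treats as weak (assumption of the example, not an IOS list).
WEAK_TRANSFORMS = {"esp-des": "56-bit single DES", "esp-md5-hmac": "HMAC-MD5"}


def parse_session_keys(config):
    """Map direction -> {spi, cipher, authenticator} from an ipsec-manual crypto map."""
    return {d: {"spi": int(spi), "cipher": c.lower(), "authenticator": a.lower()}
            for d, spi, c, a in SESSION_KEY_RE.findall(config)}


def check_peer_symmetry(local, remote):
    """Manual keying only works when my inbound SA equals the peer's outbound SA, and vice versa."""
    problems = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if local.get(mine) != remote.get(theirs):
            problems.append(f"local {mine} SA does not match remote {theirs} SA")
    return problems


def find_weak_transforms(transform_set_line):
    """Return the transforms from a `crypto ipsec transform-set` line that are in WEAK_TRANSFORMS."""
    return [t for t in transform_set_line.split() if t in WEAK_TRANSFORMS]


def parse_show_ipsec_sa(output):
    """Extract SPI, anti-replay flag and status per direction from `show crypto ipsec sa`."""
    sas = {}
    for d, spi_hex, spi_dec, replay, status in SA_RE.findall(output):
        spi = int(spi_hex, 16)
        if spi != int(spi_dec):  # IOS prints the SPI in both bases; they must agree
            raise ValueError(f"inconsistent SPI in {d} SA: 0x{spi_hex} vs {spi_dec}")
        sas[d] = {"spi": spi, "replay_detection": replay == "Y", "status": status}
    return sas


def audit(local_cfg, remote_cfg, transform_set_line, show_output):
    """Collect findings for one peer: key mismatch, weak transforms, no anti-replay, SPI drift."""
    local_keys = parse_session_keys(local_cfg)
    findings = check_peer_symmetry(local_keys, parse_session_keys(remote_cfg))
    findings += [f"weak transform {t} ({WEAK_TRANSFORMS[t]})" for t in find_weak_transforms(transform_set_line)]
    for d, sa in parse_show_ipsec_sa(show_output).items():
        if not sa["replay_detection"]:
            findings.append(f"{d} SA spi {sa['spi']} has no anti-replay protection (manual keying)")
        if sa["spi"] != local_keys[d]["spi"]:  # installed SA should be the one configured
            findings.append(f"{d} SA spi {sa['spi']} differs from configured {local_keys[d]['spi']}")
    return findings


if __name__ == "__main__":
    for finding in audit(R2_CRYPTO_MAP, R4_CRYPTO_MAP, TRANSFORM_SET, R2_SHOW_IPSEC_SA):
        print("FINDING:", finding)
```

Run against the inputs above, the peers cross-match cleanly and the audit reports four findings: the two weak transforms and the missing anti-replay window on each SA. Flipping a single hex digit in one router's session key makes `check_peer_symmetry` name the direction that will fail, which is the quickest way to explain a manual-keyed tunnel that shows ACTIVE SAs but counts only encaps on one side.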