IPsec VPN Dynamic Crypto Map TED Example
|
Applied version
|
Crypto session need to be established first
- R11/R22/R33 is able to initiate traffic first
- Both initiator and responder routers need to use Dynamic Crypto Map and wildcard crypto key
- Technically only the initiator router need to have TED enabled
- But in this design, all router is able to initiate first
- Routing need to converge first
- Traffic destined to 100.0.0.0/8 need to reach R1
- Traffic destined to 155.0.0.0/8 need to reach R2
- Traffic destined to 156.0.0.0/8 need to reach R3
After crypto session established
- Supported traffic pattern: Full mesh
- R11 to R22 (or) R22 to R11
- R11 to R33 (or) R33 to R11
- R22 to R33 (or) R33 to R22
Configuration & Verification
| !! R1 !! | !! R2 !! |
|
! Routing #show ip route [BGP to R2] 50.0.24.0/24 [20/0] via 50.0.14.4, Fa0/0 [BGP to R2] 155.0.2.0/24 [20/0] via 50.0.14.4, Fa0/0 [BGP to R3] 50.0.34.0/24 [20/0] via 50.0.14.4, Fa0/0 [BGP to R3] 156.0.3.0/24 [20/0] via 50.0.14.4, Fa0/0
[OSPF neighbor to R11] #redistribute bgp subnets
! Crypto endpoint authentication crypto isakmp key ISAKMP_SECRET address 0.0.0.0
! Proxy ACL ip access-list extended ADDR150 permit ip 100.0.0.0 0.255.255.255 155.0.0.0 0.255.255.255 permit ip 100.0.0.0 0.255.255.255 156.0.0.0 0.255.255.255
! ISAKMP/IKE Phase 1 security parameters crypto isakmp policy 10 encryption des hash md5 authentication pre-share group 2
! ISAKMP/IKE Phase 2 security parameters crypto ipsec transform-set IPSEC_XFORM esp-des esp-md5-hmac mode tunnel
! Crypto map parameters crypto dynamic-map DMAP1 10 set transform-set IPSEC_XFORM set pfs group2 crypto map MAP1 10 ipsec-isakmp dynamic DMAP1 discover
! Crypto map source address crypto map MAP1 local-address Fa0/0
! Apply crypto map interface GigabitEthernet0/0 crypto map MAP1
|
! Routing #show ip route [BGP to R2] 50.0.24.0/24 [20/0] via 50.0.14.4, Fa0/0 [BGP to R2] 155.0.2.0/24 [20/0] via 50.0.14.4, Fa0/0 [BGP to R3] 50.0.34.0/24 [20/0] via 50.0.14.4, Fa0/0 [BGP to R3] 156.0.3.0/24 [20/0] via 50.0.14.4, Fa0/0
[OSPF neighbor to R22] #redistribute bgp subnets
! Crypto endpoint authentication crypto isakmp key ISAKMP_SECRET address 0.0.0.0
! Proxy ACL ip access-list extended ADDR150 permit ip 155.0.0.0 0.255.255.255 100.0.0.0 0.255.255.255 permit ip 155.0.0.0 0.255.255.255 156.0.0.0 0.255.255.255
! ISAKMP/IKE Phase 1 security parameters crypto isakmp policy 10 encryption des hash md5 authentication pre-share group 2
! ISAKMP/IKE Phase 2 security parameters crypto ipsec transform-set IPSEC_XFORM esp-des esp-md5-hmac mode tunnel
! Crypto map parameters crypto dynamic-map DMAP1 10 set transform-set IPSEC_XFORM set pfs group2 crypto map MAP1 10 ipsec-isakmp dynamic DMAP1 discover
! Crypto map source address crypto map MAP1 local-address Fa0/0
! Apply crypto map interface GigabitEthernet0/0 crypto map MAP1
|
|
! Reset security association R1#clear crypto session R11#ping 155.0.2.22 .!!!! Success rate is 80 percent (4/5)
! Crypto session R1#show crypto session Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 50.0.24.2 port 500 IKE SA: local 50.0.14.1/500 remote 50.0.24.2/500 Active IPSEC FLOW: permit ip 100.0.0.0/255.0.0.0 155.0.0.0/255.0.0.0 Active SAs: 2, origin: dynamic crypto map |
! Crypto session R2#show crypto session Interface: FastEthernet0/0 Session status: UP-ACTIVE Peer: 50.0.14.1 port 500 IKE SA: local 50.0.24.2/500 remote 50.0.14.1/500 Active IPSEC FLOW: permit ip 155.0.0.0/255.0.0.0 100.0.0.0/255.0.0.0 Active SAs: 2, origin: dynamic crypto map |
|
! Debug ISAKMP: GOT A PEER DISCOVERY MESSAGE FROM THE SA MANAGER!!!
ISAKMP:(0): sending packet to 155.0.2.22 my_port 500 peer_port 500 (I) PEER_DISCOVERY via FastEthernet0/0:50.0.14.4
|
! Debug ISAKMP (0:0): received packet from 100.0.1.11 dport 500 sport 500 Global (N) NEW SA
ISAKMP:(0): responding to peer discovery probe! ISAKMP:(0): sending packet to 50.0.14.1 my_port 500 peer_port 500 (R) PEER_DISCOVERY |
0 Comments