Friday, October 9, 2009

VRF-aware IPSEC Virtual Interface Tunnels

R3 (f0/0 and f0/1) is connected to SW1 (f1/3 and f1/13) over two Fast Ethernet links (R3 f0/0 to SW1 f1/3 and R3 f0/1 to SW1 f1/13). IPsec tunnels Tunnel100 and Tunnel200 originate from these two pairs of interfaces, each tunnel placed in its own VRF. Networks 1.1.1.0 and 3.3.3.0 are routed over Tunnel100, and 2.2.2.0 and 4.4.4.0 over Tunnel200. See the configurations below:

R3
hostname R3
ip vrf vtl1
ip vrf vtl2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
crypto ipsec profile P1
set transform-set T1
!
interface Tunnel100
ip vrf forwarding vtl1
ip address 100.100.100.200 255.255.255.0
tunnel source 10.10.10.20
tunnel destination 10.10.10.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
interface Tunnel200
ip vrf forwarding vtl2
ip address 200.200.200.200 255.255.255.0
tunnel source 20.20.20.20
tunnel destination 20.20.20.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
!
interface f0/0
ip address 10.10.10.20 255.255.255.0
interface f0/1
ip address 20.20.20.20 255.255.255.0
!
interface loopback 0
ip vrf forwarding vtl1
ip address 3.3.3.3 255.255.255.0
interface loopback 1
ip vrf forwarding vtl2
ip address 4.4.4.4 255.255.255.0
router rip
version 2
!
address-family ipv4 vrf vtl1
network 100.100.100.0
network 3.0.0.0
no auto-summary
exit-address-family
!
address-family ipv4 vrf vtl2
network 200.200.200.0
network 4.0.0.0
no auto-summary
exit-address-family
line con 0
logging sync
no exec-timeout
line aux 0
line vty 0 4
end
SW1
hostname SW1
ip vrf vtl1
ip vrf vtl2
interface f1/3
switchport access vlan 10
interface f1/13
switchport access vlan 20
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
crypto IPsec transform-set T1 esp-3des esp-sha-hmac
crypto IPsec profile P1
set transform-set T1
!
interface Tunnel100
ip vrf forwarding vtl1
ip address 100.100.100.100 255.255.255.0
tunnel source 10.10.10.10
tunnel destination 10.10.10.20
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
interface Tunnel200
ip vrf forwarding vtl2
ip address 200.200.200.100 255.255.255.0
tunnel source 20.20.20.10
tunnel destination 20.20.20.20
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
!
interface vlan 10
ip address 10.10.10.10 255.255.255.0
interface vlan 20
ip address 20.20.20.10 255.255.255.0
!
interface loopback 0
ip vrf forwarding vtl1
ip address 1.1.1.1 255.255.255.0
interface loopback 1
ip vrf forwarding vtl2
ip address 2.2.2.2 255.255.255.0
router rip
version 2
!
! Loopback0 (1.1.1.1) is in vtl1 and Loopback1 (2.2.2.2) in vtl2, so each
! classful network must sit under the address-family of its own VRF.
address-family ipv4 vrf vtl1
network 100.100.100.0
network 1.0.0.0
no auto-summary
exit-address-family
!
address-family ipv4 vrf vtl2
network 200.200.200.0
network 2.0.0.0
no auto-summary
exit-address-family
!
line con 0
logging sync
no exec-timeout
line aux 0
line vty 0 4
end
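A mistake that is easy to make in this setup is listing a loopback's network under the wrong VRF address-family: the tunnel comes up, the SAs show ACTIVE, but the prefix is never advertised across it. The script below is an added example (not code from the original post): it parses the flat IOS config style used above, checks that every RIP `network` statement in a VRF address-family actually covers an interface in that VRF, and flags the two crypto settings a reviewer would question today (3DES and a wildcard pre-shared key). The sample config is constructed to resemble SW1, with the two loopback networks deliberately swapped between VRFs so the check has something to report.

```python
"""Consistency checks for VRF-aware VTI configs in the flat IOS style used above.

Added example, not from the original post: parses interface blocks and RIP
address-families, reports 'network' statements that cover no interface in their
VRF (IOS ignores those silently, so the prefix never crosses the tunnel), and
lists crypto settings a reviewer would flag now.
"""
import ipaddress

# Constructed sample modelled on the post's SW1 config. The two loopback
# networks are listed under the wrong VRF on purpose so rip_coverage() fires.
SAMPLE_CFG = """
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
interface Tunnel100
ip vrf forwarding vtl1
ip address 100.100.100.100 255.255.255.0
interface Tunnel200
ip vrf forwarding vtl2
ip address 200.200.200.100 255.255.255.0
interface loopback 0
ip vrf forwarding vtl1
ip address 1.1.1.1 255.255.255.0
interface loopback 1
ip vrf forwarding vtl2
ip address 2.2.2.2 255.255.255.0
router rip
address-family ipv4 vrf vtl1
network 100.100.100.0
network 2.0.0.0
exit-address-family
address-family ipv4 vrf vtl2
network 200.200.200.0
network 1.0.0.0
exit-address-family
"""

# Commands that start a new top-level block and therefore end an interface block.
TOP_LEVEL = ("interface ", "router ", "crypto ", "line ", "hostname ", "ip vrf ", "end")


def parse(cfg):
    """Return ({iface: {"vrf", "addr"}}, {vrf: [network statements]}, [crypto lines])."""
    ifaces, rip, crypto = {}, {}, []
    cur = af = None
    for raw in cfg.splitlines():
        line = raw.strip()
        words = line.split()
        if not words or line.startswith("!"):
            continue
        if cur is not None:  # interface sub-commands we care about
            if line.startswith("ip vrf forwarding "):
                cur["vrf"] = words[3]
                continue
            if line.startswith("ip address "):
                cur["addr"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
                continue
        if line.startswith("interface "):
            cur = {"vrf": None, "addr": None}
            ifaces["".join(words[1:]).lower()] = cur  # "loopback 0" -> "loopback0"
        elif line.startswith("crypto "):
            crypto.append(line)
            cur = None
        elif line.startswith(TOP_LEVEL):
            cur = None
        elif line.startswith("address-family ipv4 vrf "):
            af = words[3]
            rip.setdefault(af, [])
        elif line.startswith("network ") and af:
            rip[af].append(words[1])
        elif line == "exit-address-family":
            af = None
    return ifaces, rip, crypto


def classful(address):
    """Classful network IOS derives from a RIP 'network' statement or an address."""
    first_octet = int(str(address).split(".")[0])
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{address}/{plen}", strict=False)


def rip_coverage(ifaces, rip):
    """'network' statements in a VRF address-family that match no interface in that VRF."""
    findings = []
    for vrf, nets in rip.items():
        present = {classful(i["addr"].ip) for i in ifaces.values() if i["vrf"] == vrf and i["addr"]}
        for net in nets:
            if classful(net) not in present:
                findings.append(f"vrf {vrf}: network {net} covers no interface in this VRF")
    return findings


def crypto_lint(crypto):
    """Settings the post used that a reviewer would flag now."""
    findings = []
    for line in crypto:
        if "3des" in line:
            findings.append(f"{line}: 3DES is deprecated, use AES")
        if line.startswith("crypto isakmp key ") and line.endswith(" address 0.0.0.0 0.0.0.0"):
            findings.append("wildcard pre-shared key: one secret for every peer, any host that knows it can authenticate")
    return findings


if __name__ == "__main__":
    ifaces, rip, crypto = parse(SAMPLE_CFG)
    for finding in rip_coverage(ifaces, rip) + crypto_lint(crypto):
        print(finding)
```

The classful conversion matters because IOS rewrites `network 100.100.100.0` to `100.0.0.0`, so the comparison has to be done on classful networks rather than on the literal statement. Run against the sample it prints two coverage findings (one per VRF) and two crypto findings; swapping the two loopback networks back clears the coverage findings.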
SW1#sh ip route vrf vtl1
Routing Table: vtl1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
100.0.0.0/24 is subnetted, 1 subnets
C 100.100.100.0 is directly connected, Tunnel100
3.0.0.0/24 is subnetted, 1 subnets
R 3.3.3.0 [120/1] via 100.100.100.200, 00:00:02, Tunnel100
SW1#sh ip route vrf vtl2
Routing Table: vtl2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 200.200.200.0/24 is directly connected, Tunnel200
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback1
4.0.0.0/24 is subnetted, 1 subnets
R 4.4.4.0 [120/1] via 200.200.200.200, 00:00:09, Tunnel200
SW1#ping vrf vtl2 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 212/263/388 ms
SW1#ping vrf vtl1 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 216/264/388 ms
SW1#sh crypto ipsec sa vrf vtl1
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
protected vrf: vtl1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.10.10.20 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.10.10, remote crypto endpt.: 10.10.10.20
path mtu 1514, ip mtu 1514, ip mtu idb Tunnel100
current outbound spi: 0xCACD729B(3402461851)
inbound esp sas:
spi: 0x4E2CDBB0(1311562672)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: 1, crypto map: Tunnel100-head-0
sa timing: remaining key lifetime (k/sec): (4412590/2591)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCACD729B(3402461851)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: 2, crypto map: Tunnel100-head-0
sa timing: remaining key lifetime (k/sec): (4412591/2591)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
SW1#sh crypto ipsec sa vrf vtl2
interface: Tunnel200
Crypto map tag: Tunnel200-head-0, local addr 20.20.20.10
protected vrf: vtl2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 20.20.20.20 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 20.20.20.10, remote crypto endpt.: 20.20.20.20
path mtu 1514, ip mtu 1514, ip mtu idb Tunnel200
current outbound spi: 0x58CC871F(1489798943)
inbound esp sas:
spi: 0x505FB91C(1348450588)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: 3, crypto map: Tunnel200-head-0
sa timing: remaining key lifetime (k/sec): (4574817/2843)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x58CC871F(1489798943)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: 4, crypto map: Tunnel200-head-0
sa timing: remaining key lifetime (k/sec): (4574818/2843)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
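The `show crypto ipsec sa` output above confirms the SAs are installed, but an ACTIVE SA with valid SPIs does not prove that traffic is flowing in both directions inside the VRF; for that the encaps and decaps counters have to be watched over time. The script below is an added example (not from the original post): `parse_sa()` extracts the fields worth tracking from one SA block, and `assess()` compares two snapshots taken a little apart and reports one-way traffic, inactive SAs, disabled anti-replay, or growing error counters. The snapshots are constructed from a trimmed copy of the Tunnel100 output, with the counters bumped to simulate a one-way and a healthy case.

```python
"""Health check over 'show crypto ipsec sa vrf <name>' output.

Added example, not from the original post. parse_sa() pulls the handful of
fields worth tracking out of one SA block; assess() compares two snapshots,
because an SA that is ACTIVE with SPIs installed says nothing about whether
traffic actually flows both ways inside the VRF.
"""
import re

# Constructed snapshot, trimmed from the post's Tunnel100 output.
SNAP_T0 = """
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 10.10.10.10
protected vrf: vtl1
current_peer 10.10.10.20 port 500
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
#send errors 0, #recv errors 0
current outbound spi: 0xCACD729B(3402461851)
inbound esp sas:
spi: 0x4E2CDBB0(1311562672)
replay detection support: Y
Status: ACTIVE
outbound esp sas:
spi: 0xCACD729B(3402461851)
replay detection support: Y
Status: ACTIVE
"""
# Constructed follow-ups: one where only the encaps counter moved (we send,
# nothing comes back through the tunnel), one where both counters moved.
SNAP_ONE_WAY = SNAP_T0.replace("#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11",
                               "#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16")
SNAP_HEALTHY = SNAP_ONE_WAY.replace("#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20",
                                    "#pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25")

SPI_KEY = {"inbound": "spi_in", "outbound": "spi_out"}


def parse_sa(text):
    """Extract interface, VRF, peer, counters, SPIs and per-SA status from one block."""
    sa = {"status": [], "replay": [], "spi_in": None, "spi_out": None}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            sa["interface"] = line.split()[1]
        elif line.startswith("protected vrf:"):
            sa["vrf"] = line.split()[2]
        elif line.startswith("current_peer "):
            sa["peer"] = line.split()[1]
        elif line.startswith("#pkts encaps:"):
            sa["encaps"] = int(re.search(r"encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            sa["decaps"] = int(re.search(r"decaps: (\d+)", line).group(1))
        elif line.startswith("#send errors"):
            m = re.search(r"#send errors (\d+), #recv errors (\d+)", line)
            sa["send_err"], sa["recv_err"] = int(m.group(1)), int(m.group(2))
        elif line.endswith(" esp sas:"):
            direction = line.split()[0]  # "inbound" or "outbound"
        elif line.startswith("spi: ") and direction in SPI_KEY:
            sa[SPI_KEY[direction]] = line.split()[1].split("(")[0]  # keep the hex form
        elif line.startswith("replay detection support:"):
            sa["replay"].append(line.split()[-1])
        elif line.startswith("Status:"):
            sa["status"].append(line.split()[1])
    return sa


def assess(before, after):
    """Findings from two snapshots of the same SA; an empty list means healthy."""
    findings = []
    if (before["spi_in"], before["spi_out"]) != (after["spi_in"], after["spi_out"]):
        findings.append("SPIs changed between snapshots: SA rekeyed or re-established, take a fresh baseline")
        return findings
    if any(s != "ACTIVE" for s in after["status"]):
        findings.append("an SA is not ACTIVE")
    if any(r != "Y" for r in after["replay"]):
        findings.append("anti-replay disabled on an SA")
    sent = after["encaps"] - before["encaps"]
    received = after["decaps"] - before["decaps"]
    if sent > 0 and received == 0:
        findings.append("sending but not receiving: check the peer's routes back into this VRF")
    if received > 0 and sent == 0:
        findings.append("receiving but not sending: check this VRF's routes toward the tunnel")
    if after["send_err"] > before["send_err"] or after["recv_err"] > before["recv_err"]:
        findings.append("send/recv error counters increasing")
    return findings


if __name__ == "__main__":
    t0 = parse_sa(SNAP_T0)
    print("one-way:", assess(t0, parse_sa(SNAP_ONE_WAY)))
    print("healthy:", assess(t0, parse_sa(SNAP_HEALTHY)))
```

In this topology the "sending but not receiving" case is exactly what a RIP `network` statement placed under the wrong VRF produces: the local side encrypts pings toward the remote loopback, but the remote side has no route back into the right VRF, so decaps never moves while the SA itself looks perfectly healthy.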
